End of Support

IP Address Locking Configuration

This section describes IP Locking configuration tasks. Topics in this section include:

Enabling a DHCP Server for IPv4 Address Locking
Adding a Local Layer 3 Interface
Enabling IP Address Locking
Disabling IP Address Locking
Enabling IP Address Locking on Ports
Enabling IP Address Locking on All Ports of a VLAN
Blocking IPv4 and ARP Packets
Configuring IP Locking Static Leases

IP Address Locking Overview

EOS provides IP Address Locking capabilities when configured on an Ethernet Layer 2 port.

After enabling IP Address Locking on a Layer 2 (L2) port, the port only permits IP and ARP packets with authorized IP source addresses. Configure IP Address Locking in one of two modes:

IPv4
IPv6

IP Address Locking prevents a host on a different interface from claiming ownership of an IP address through ARP spoofing. IPv6 Locking extends this behavior to IPv6 packets, including ICMPv6 Neighbor Discovery Router Advertisement and Redirect and DHCP server-to-client packets.

On an IPv4 Locked Port, the ARP protocol performs the following actions on the network:

Probing with the IPv4 address 0.0.0.0 as the Sender Protocol Address (SPA).
Permit Duplicate Address Detection (DAD).
Drop incoming DHCP server response packets to avoid any rogue devices acting as DHCP servers.
Permit incoming DHCP client request packets on devices to complete the DHCP handshake and obtain a DHCP lease.

On an IPv6 Locked Port, the ARP protocol performs the following actions on the network:

Drop incoming DHCPv6 server response packets.
Permit incoming DHCPv6 client request packets.
On an incoming ICMPv6 network device, perform the following actions:
- Drop Router Advertisement packets since only routers should send these packets.
- Permit Router Solicitation packets.
- Drop redirect packets as only routers should send these packets.
Figure 1. IP Address Locking

IP Address Locking relies on DHCP LeaseQuery and MAC address learning to determine if an IP address is authorized on a particular port. Ensure that DHCP servers used in the network allow LeaseQuery messages.

Release Updates

Refer to the release updates for IP Locking.

EOS Release 4.25.1F:

Added support for disabling address filtering for IPv6 packets while still keeping all packet type specific drop rules such as ICMPv6 ND:RA, and ICMPv6 ND:Redirect and DHCPv6 (server-to-client) packets, using the locked-address ipv6 enforcement disabled command.

EOS Release 4.24.0F:

Added support for expiration modes of locked addresses, using the locked-address expiration mac disabled command.
Added support for counters, using the show address locking counters and clear address locking counters commands.

EOS Release 4.23.2F:

Added support for static lease command, lease <V4ADDR> mac <MACADDR>.

EOS Release 4.23.1F:

Added support for clear address locking lease command.

EOS Release 4.23.0F:

Initial release.
Supports IPv4 address locking.

Preparing a Switch for IP Address Locking

Before enabling IPv4 Address Locking, you must configure a DHCP Server and a Local Layer 3 interface.

Enabling a DHCP Server for IPv4 Address Locking

Add the DHCP servers used by hosts to acquire leases. IPv4 Address Locking communicates with the DHCP servers to learn the authorized IP addresses on the switch.

Example

The following commandsenable DHCP servers with an IPv4 address of 10.1.1.1, and another DHCP server with the IP address, 10.30.1.3:

switch(config-address-locking)#dhcp server ipv4 10.1.1.1
switch(config-address-locking)#dhcp server ipv4 10.30.1.3

Adding a Local Layer 3 Interface

Add a local L3 interface to communicate with the DHCP server. This could be the management interface, a routed interface, or a Switch Virtual Interface (SVI). This interface requires an assigned valid IP address, routable to the configured DHCP server, and can reside in a non-default VRF. The switch packets sent to the DHCP Server use the interface IP address as the source IP address.

Example

The following commandsconfigure an interface with a valid IP address, 10.10.1.2/16, on VLAN2160:

switch#configure
switch(config)#interface Vlan2160
switch(config-if-Vl2160)#ip address 10.10.1.2/16

The following commands add the interface to the IP Address Locking configuration:

switch#configure 
switch(config)#address locking
switch(config-address-locking)#local-interface Vlan2160

Clearing Leases

The clear address locking lease command removes the lease from hardware. The command removes lease bindings at different granularities.

The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an IPv4 address.
The clear address locking lease ipv6 V6ADDR command removes a single lease associated with an IPv6 address.
The clear address locking lease intf ethernet slot command removes all leases associated with the specified interface.
The clear address locking lease all removes all leases on the switch.

Configuring IP Locking Static Leases

The lease mac command within address locking configuration mode installs a lease into hardware for the configured IP address on the interface with the configured associated MAC address. If the MAC address does not appear in the MAC table or the MAC address on an interface without a configured IP Locking feature, the lease does not install until the interface adds the MAC address to an interface configured with IP Locking.

Note: IP Locking removesfrom the switch any lease from the DHCP server that matches either the same IP or MAC as a statically configured lease.

Example

Use the following commands to configure an IP address, 172.21.13.11, and MAC Address, a0:ce:c8:b1:78:d3, with a static lease:

switch#configure
switch(config)#address locking
switch(config-address-locking)#lease 172.21.13.11 mac a0:ce:c8:b1:78:d3

Configuring Locked Address Expiration

The IP addresses remain authorized and installed after the corresponding MAC addresses age out. IP Address Locking, by default, removes authorized leases after the corresponding MAC addresses age out. The locked-address expiration mac disabled command configures IP Address Locking to keep leases installed, after the corresponding MAC addresses age out.

Example

The following commands keep leases installed on the IP address:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled

Displaying IP Address Locking Counters

The show address locking counters command displays DHCP lease query messages sent, received, and dropped. The output provides two sets of counters:

The number of packets sent and received from each DHCP server.
The number of packets sent and received for each locked interface.

The output displays separate counters for the different types of messages communicated between the switch and the DHCP server.

Example

switch#show address locking counters
Lease Active Lease Unknown Lease Unassigned    	 
DHCP Server Query  Rcvd   Drop   Rcvd   Drop Rcvd     Drop    Unknown
----------- ----- ----- ------ ------ ------ -------- ------- -------
80.80.80.80 32860  8002 34     8001   32     13423     134    3234
            
            
Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2  1747 1234         189           324

The clear address locking counters command resets all the counters associated with IP Locking to zero.

Enabling IP Address Locking

Configure IP Address Locking for either IPv4 or IPv6 addresses, and both types of IP addresses can be enabled for IP Address Locking. IPv6 Address Locking requires a different approach outlined in this section.

Enabling IP Address Locking

Configure IPv4 Address Locking commands in the configuration mode.

Example

Use the following commands to enter IP Address Locking configuration mode and add IPv4 Address Locking:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4

Enabling IPv6 Address Locking

To enable IPv6 locking, disable the enforcement of IPv6 Address Locking.

Example

Use the following commands to disable IPv6 Address Locking enforcement, and then enable IPv6 for IP Address Locking:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled
switch(config-address-locking)#locked-address ipv6

Disabling IP Address Locking

Disable IP Address Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port.

Example

switch#configure
switch(config)#address locking
switch(config-address-locking)#disabled

Enabling IP Address Locking on Ports

To enable IPv4 Address Locking on ports connected to clients, IP Address Locking must be enabled in the interface configuration mode. Running this command only enables IPv4 Locking and overrides the previous configuration for the interface.

Example

Use the following commands to enable IP Address Locking for the interface, Ethernet27/1:

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4

Use the following commands to enable IPv6 Address Locking on ports connected to clients, use the address-family ipv6 parameter.

Example

To activate IPv6 Address Locking on interface Ethernet53 and port 4, use the following syntax:

switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking
switch(config-if-Et53/4-address-locking)#address-family ipv6

Enabling IP Address Locking on All Ports of a VLAN

To activate IP Address Locking on all VLAN port members, use the VLAN address locking configuration submode.

Examples

The following commands activate IPv4 Address Locking on VLAN 20:

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv4

To exclude a VLAN port member, disable IP Address Locking on that port using the interface configuration submode.

The following commands exclude port 25 on Ethernet2:

switch(config)#interface Ethernet2/25
switch(config-if-Et2/25)#address locking
switch(config-if-Et2/25)#address-family ipv4 disabled

To configure IPv6 Address Locking on all ports, use the same commands, but designate the address-family as ipv6.

The following commands enable IPv6 Address Locking and override the previous configuration for the interface.

switch(config)#interface Ethernet 27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv6

To enable IPv6 Address Locking on all members of a port for VLAN 20, use the IPv6 Locking commands in the VLAN address locking configuration sub-mode.

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv6

Use the following command to enable both IPv4 and IPv6 Address Locking on a port:

switch(config)#interface Ethernet 27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#address-family ipv4 
switch(config-if-Et27/1-address-locking)#address-family ipv6

Blocking IPv4 and ARP Packets

Use the deny ip_address on IPv4 Address Locking ports to block all IPv4 and ARP packets with a specific source IPv4 address. The port denies the packet and affects only IPv4 enforcement modes. This action deauthorizes the addresses on the port and can be configured with multiple IPv4 addresses. You must configure this on an interface already configured with IPv4 Address Locking.

Note: Use only IPv4 addresses with this configuration.

Example

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-addr-lock)#deny 172.21.16.25

IPv6 Locking

Configuring IPv6 Address Locking

Example

To activate IPv6 Address Locking on all members of a port for VLAN 20, enable IPv6 Locking on the VLAN address locking configuration sub-mode.

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#address-family ipv6

Disable IPv6 Address Locking using the disabled command in address-locking mode. This turns off the feature and allows a host to use any IP address, authorized or unauthorized, on any port. This also disables IPv4 Address Locking as well.

Example

Use the following syntax to disable IP Address Locking on the switch:

switch# configure
switch(config)# address locking
switch(config-address-locking)# disabled

Enforcing Locked IP Addresses

The locked-address ipv4 enforcement disabled command disables address filtering for all ports with IPv4 Address Locking enabled. This permits IPv4 packets while still keeping all other drop rules. When configured, IP Address Locking does not drop IP or ARP packets, and does not send out lease queries to configured DHCP servers.

Examples

The following commands disable IPv4 Address Locking globally:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv4 enforcement disabled

The following commands configure locked address enforcement for an interface:

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv4 enforcement disabled

The following commands configure locked address enforcement for a VLAN:

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv4 enforcement disabled

The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while still keeping all other drop rules.

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled

To configure locked address enforcement for an interface, use the following commands:

switch(config)#interface Ethernet27/1
switch(config-if-Et27/1)#address locking
switch(config-if-Et27/1-address-locking)#locked-address ipv6 enforcement disabled

To configure locked address enforcement for VLAN 20, use the following commands:

switch(config)#vlan 20
switch(config-vlan-20)#address locking
switch(config-vlan-20-addr-lock)#locked-address ipv6 enforcement disabled

Displaying IP Address Locking

Use the show address locking command to display the status of IPv4 and IPv6 locking.

Example

switch# show address locking
IP Locking is active
Interface        IPv4	                 IPv6
--------------- -------------------   ---------------------------
Ethernet27/1     yes 	                 no (not configured) 
Ethernet31/1     no (not configured)   no (not a layer 2 interface)

The show address locking command also displays interfaces with the reason IP Address Locking may not be enabled. For an interface without IP Address Locking enabled, the following priority (highest at top) imposes on the output:

Unconfigured.
Not a Layer 2 interface.
No local interface configured.
No DHCP server configured.

The show address locking table ipv4 command displays all the DHCP leases that IP Address Locking knows about, current status of installed leases, and the authorized interfaces for these IP addresses.

Example

switch# show address locking table ipv4
IP Address     MAC Address      Interface  Installed    Expiration Time
-------------- ---------------- ---------- ------------ --------------- 
10.30.4.4      ba76.a467.7ff8   Et27/1     installed     in 0:01:57

Limitations

The IP Locking feature contains the following limitations:

IP Locking supports IPv4 but with limited functionality for IPv6.
IP Locking works only with DHCP servers that support RFC 4388 (LeaseQuery) and configured to allow lease queries. ISC DHCPD and BlueCat are currently known servers that support LeaseQuery.
IP Locking can only be configured on Ethernet interfaces, excluding sub-interfaces.
IP Locking and DHCP relay cannot be configured on the same switch. When both are configured, IP Locking is disabled.
IP Locking and DHCP snooping cannot be configured on the same switch. When both are configured, IP Locking is disabled.
IP Locking and DHCP server cannot be configured on the same switch. When both are configured, IP Locking is disabled.
Do not configure IP Locking and the ARP inspection feature on the same switch.
Do not configure IP Locking and the IP source guard feature on the same switch.
IP Locking may not immediately invalidate a lease on an access port if the host moves to another port on a different access switch.
IP Locking supports up to 3400 hosts on the DCS-7050X3 platform, and up to 3800 hosts on the CCS-720XP platform. This scale may reduce further with other features using TCAM resources.
IPv6 Locking currently only allows disabling address filtering for IPv6 packets while keeping all packet type specific drop rules such as ND:RA, ND:RD, and DHCP Server-to-Client.
Some DHCP server implementations (such as ISC DHCPD) do not respond to lease query if the fixed-address configuration is used. Use reserved leases instead.
CVP Endpoint Identification is not able to identify hosts connected to an IP Locking enabled switch.

IP Address Locking Commands

IP Address Locking Global Configuration Commands

address locking

IP Address Locking Configuration Commands

address locking deny
address locking dhcp
address locking lease query
address locking local-interface

IP Address Locking Clear Commands

clear address locking lease

IPv4 Static Lease Commands

address locking lease
lease me

IP Address Locking Address Expiration Commands

locked-address expiration mac disabled

IP Address Locking Address Enforcement Commands

locked-address ipv4 enforcement disabled
locked-address ipv6 enforcement disabled

IP Address Locking Show Commands

show address locking
show address locking counters
show address locking table ipv4

address locking

Use the address locking command to enter the IP Address Locking configuration submode and then use any of the following commands:

dhcp - Configuration options related to DHCP.
disabled - Disable IP Address Locking on configured ports.
lease - Configuration options related to leases.
local-interface - Configure a local interface for IP Address Locking
locked-address - Configuration options for locked addresses.

Command Mode

Global Configuration

Command Syntax

address locking

Parameters

address locking

Example

To enter the IP Address Locking mode, use the following command:

switch(config)# address locking
switch(config-address-locking)#

address locking deny

Use the address locking command to block IPv4 and ARP packets with specific IPv4 addresses on the switch. You must perform this command from an interface configured for IP Address Locking on the switch.

Command Mode

Interface Configuration

Address Locking Configuration

Command Syntax

address locking deny ip_address

Parameters

deny ip_address - Specify the IPv4 address to block packets.

Example

Use the following command to deny IPv4 and ARP packets from IPv4 address, 172.16.21.131, from Ethernet interface, Ethernet53/4:

switch(config)#interface Ethernet53/4
switch(config-if-Et53/4)#address locking 
switch(config-address-locking)#deny 172.16.21.131

address locking dhcp

Use the address locking command to enter address locking mode and then dhcp to configure the DHCP server.

Command Mode

Address Locking Configuration

Command Syntax

address locking dhcp server ipv4 ip_address

Parameters

dhcp server - configure a DHCP server to assign IP addresses and assign static addresses using a MAC address.
- ipv4 ip_address - Specify the IP address for the DHCP server.
- mac mac_address - Specify the MAC address of the DHCP server.

Example

To configure a DHCP server with an IPv4 address. 172.13.21.3, use the following command:

switch(config)#address locking 
switch(config-address-locking)#dhcp server ipv4 172.13.21.3

address locking lease

Use the address locking command to enter the IPv4 and IPv6 locking mode and then on the switch, use the lease to configure DHCP leases.

The lease mac command within the address locking configuration mode installs a lease onto hardware for the configured IP address on the interface with the associated configured MAC address. If the MAC address does not exist in the MAC table or the MAC address appears on an interface with an IP Locking configuration feature, the lease does not install until you add the MAC address to an interface configured with IP Locking.

Command Mode

Address Locking Configuration

Command Syntax

switch(config-address-locking)#lease ip_address mac ip_address

Parameters

lease
- V4ADDR - Specify the IPv4 address to assign the lease.
- mac MACADDR - Configure the MAC address for a static lease.
no lease V4ADDR mac MACADDR - Removes the retry and timeout configuration.
default lease V4ADDR mac MACADDR - Configures the lease with the default IPv4 address and MAC address.

Example

To configure a lease with the IPv4 address, 1.1.1.1, and the MAC address, a.b.c, use the following command:

switch(config)#address locking 
switch(config-address-locking)#lease 1.1.1.1 mac a.b.c

address locking lease query

Use the address locking command to enter the IPv4 and IPv6 locking mode and then use the lease query retry interval to configure DHCP leases.

The no lease query retry command removes the retry interval and timeout configuration.

Command Mode

Address Locking Configuration

Command Syntax

switch(config-address-locking)#lease query retry interval interval-time

Parameters

lease query retry interval interval - Configure thequery retry interval and timeout. The interval can be from 1 - 4294967295 seconds.

Example

To configure a lease with the retry interval, 5 seconds, and a timeout, 100, use the following command:

switch(config)#address locking
switch(config-address-locking)#lease query retry interval 5 timeout 100

address locking local-interface

Use the address locking local-interface command to configure a local interface for IPv4 and IPv6 locking IP addresses on the switch.

Command Mode

Address Locking Configuration

Command Syntax

address locking local-interface [Ethernet | Loopback | Management | Port Channel | Tunnel | Vlan]

Parameters

local-interface
- Ethernet slot_number - Configure an Ethernet subinterface for IPv4 and IPv6 locking IP addresses on the switch.
- Loopback loopback_interface_number - Configure a Loopback interface for IPv4 and IPv6 locking IP addresses on the switch.
- Management management_interface slot_number - for IPv4 and IPv6 locking IP addresses on the switch.
- Port-Channel lag_group port_channel_subinterface - Configure a Port-Channel interface for IPv4 and IPv6 locking IP addresses on the switch.
- Tunnel tunnel_interface - Configure a Tunnel interface for IPv4 and IPv6 locking IP addresses on the switch.
- Vlan vlan_interface_number - Configure a VLAN interface for IPv4 and IPv6 locking IP addresses on the switch.

Example

To configure an Ethernet interface, Ethernet53/4, use the following command:

switch(config)#address locking
switch(config-address-locking)#local-interface Ethernet53/4

clear address locking lease

Use the clear address locking lease command to remove lease bindings at different granularities.

The clear address locking lease ipv4 V4ADDR command removes a single lease associated with an IPv4 address.
The clear address locking lease ipv6 V6ADDR command removes a single lease associated with an IPv6 address.
The clear address locking lease intf ethernet slot commandremoves all leases associated with the specified interface.
The clear address locking lease all command remove all leases on the switch.

Command Mode

Address Locking mode

Command Syntax

clear address locking lease [ all | interface [ ethernet slot ] | ipv4 V4ADDR | ipv6 V6ADDR ]

Parameters

all- View the entire lease table.
interface- interface to clear the lease.
- ethernet slot- Ethernet interface slot number.
ipv4 V4ADDR- IPv4 address of the lease
ipv6 V6ADDR - IPv6 address of the lease

Example

Use the following command to clear all IP Address Locking leases from the switch:

switch(config-address-locking)#clear address locking lease all

lease mac

The lease mac command within the address locking configuration mode installs a lease into hardware for the configured IP address on the interface the configured MAC address is associated with. If the MAC address is not in the MAC table or the MAC address is on an interface that is not configured with IP Locking feature, the lease is not installed until the MAC address is added to an interface that is configured with IP Locking. The no and default forms of the command removes the lease into hardware for the configured IP address on the interface the configured MAC address is associated with.

Command Mode

Address locking configuration mode

Command Syntax

lease V4ADDR mac MACADDR

no lease V4ADDR mac MACADDR

default lease V4ADDR mac MACADDR

Parameters

lease V4ADDRThe lease IP address.
mac MACADDRThe configured mac address for static lease.

Example

Arista# config t
Arista(config)# address locking
Arista(config-address-locking)# lease 1.1.1.1 mac a.b.c

locked-address expiration mac disabled

IP Address Locking, by default, removes authorization from leases after the corresponding MAC addresses age out. Use the locked-address expiration mac disabled command to configure IP Address Locking to keep the leases installed, even after the corresponding MAC addresses age out.

Command Mode

Address Locking Configuration

Command Syntax

locked-address expiration mac disabled

no locked-address expiration mac disabled

default locked-address expiration mac disabled

Parameters

expiration - Configures expiration mode for locked addresses.
mac - Configures deauthorizing locked addresses when MAC addresses age out.
disabled - Disables deauthorizing locked address when MAC addresses age out.

Example

Use this command to disable locked address expiration:

switch#configure
switch(config)#address locking
switch(config-address-locking)#locked-address expiration mac disabled

locked-address ipv4 enforcement disabled

The locked-address ipv4 enforcement disabled command disables address filtering for all ports with IPv4 Locking enabled. This permits IPv4 packets while still keeping all other drop rules.

Command Mode

Address Locking Configuration

Command Syntax

locked-address ipv4 enforcement disabled

no locked-address ipv4 enforcement disabled

default locked-address ipv4 enforcement disabled

Parameters

ipv4 - Configure the IP address family.
enforcement - Configure enforcement for locked addresses.
disabled - Disable enforcement for locked addresses.

Example

Use the following command to disable locking address enforcement for IPv4 addresses:

switch# configure
switch(config)# address locking
switch(config-address-locking)# locked-address ipv4 enforcement disabled

locked-address ipv6 enforcement disabled

The locked-address ipv6 enforcement disabled command disables address filtering for all ports with IPv6 Locking enabled. This permits IPv6 packets while retaining all other drop rules.

Command Mode

Address Locking Configuration

Command Syntax

locked-address - IPv6 enforcement disabled.

no locked-address - IPv6 enforcement disabled.

default locked-address - IPv6 enforcement disabled.

Parameters

ipv6 - IPv6 address configuration.
enforcement - Configure enforcement for locked addresses.
disabled - Disable enforcement for locked addresses.

Example

Use the following command to disable locking address enforcement for IPv6 addresses:

switch# configure
switch(config)#address locking
switch(config-address-locking)#locked-address ipv6 enforcement disabled

show address locking

Use the show address locking command to display the status of IP and IPv6 locking.

The show address locking command also displays the reason as to why IP Locking is not enabled for an interface. For an interface without IP Locking enabled, the following priority (highest at top) apply to the output:

Interface not configured.
Interface is not a Layer 2 interface.
No local interface configured.
No DHCP server configured.

Command Mode

EXEC

Command Syntax

show address locking

Example

To display information about IP locking, use the show address locking command:

switch# show address locking
         
IP Locking is active
Interface        IPv4	                 IPv6
--------------- -------------------   ---------------------------
Ethernet27/1     yes 	                 no (not configured) 
Ethernet31/1     no (not configured)    no (not a layer 2 interface)

show address locking counters

The show address locking counters command displays DHCP lease query messages sent, received, and dropped. Two sets of counters display in the output:

Number of packets sent and received from each DHCP server.
Number of packets sent and received for each locked interface.

IP Locking uses separate counters for different kinds of messages communicated between the switch and the DHCP server.

Command Mode

EXEC

Command Syntax

show address locking counters

Related Commands

The clear address locking counters command resets all the counters associated with IP Locking to zero.

Example

The following command displays IP Address Locking Counters:

switch#show address locking counters
Lease Active Lease Unknown Lease Unassigned    	 
DHCP Server Query  Rcvd   Drop   Rcvd   Drop Rcvd     Drop    Unknown
----------- ----- ----- ------ ------ ------ -------- ------- -------
80.80.80.80 32860  8002 34     8001   32     13423     134    3234
            
            
Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet2  1747 1234         189           324

show address locking table ipv4

Use the show address locking table ipv4 command to display all DHCP leases with IP Locking, and the interfaces with authorized the IP addresses.

Command Mode

EXEC

Command Syntax

Parameters

dynamic - Display the dynamic leases.
- installed-Display the leases installed on the hardware.
- interface - Display the leases on a specified interface.
installed - Display installed leases.
interface - Display the leases on a specified interface.
- Ethernet slot Specified Ethernet sub-interface.
static - Display static leases.
- installed - Display the leases on the hardware.
- interface - Display the leases on a specified interface.
  - Ethernetslot Specified Ethernet sub-interface.

Example

switch#show address locking table ipv4
IP Address     MAC Address      Interface  Installed    Expiration Time
-------------- ---------------- ---------- ------------ --------------- 
AC 10.30.4.4   ba76.a467.7ff8   Et27/1     installed     in 0:01:57 

  IP Address       Action
---------------   --------
10.30.4.4         permit

Data Plane Security

This section contains the following topics:

IP NAT
Media Access Control Security
Internet Protocol Security (IPsec)
Macro-Segmentation Service (CVX)

IP NAT

Network Address Translation (NAT) is a router process that modifies address information of IP packets in transit. NAT is typically used to correlate address spaces between a local network and a remote, often public, network. Static NAT defines a one-to-one map between local and remote IP addresses. Static maps are configured manually through CLI commands. An interface can support multiple NAT commands, but each command must specify a unique local IP address-port location.

NAT is configured on routers that have interfaces connecting to the local networks and interfaces connecting to a remote network.

Inside and Outside Addresses

In NAT configurations, IP addresses are placed into one of two categories: inside or outside. Inside refers to IP addresses used within the organizational network. Outside refers to addresses on an external network outside the organizational network.

Static IP NAT

Static NAT configurations create a one-to-one mapping and translate a particular address to another address. This type of configuration creates a permanent entry in the NAT table as long as the configuration is present, and it enables both inside and outside hosts to initiate a connection.

Static NAT options include source NAT, destination NAT, and twice NAT.

Source NAT modifies the source address in the IP header of a packet exiting the interface, and can optionally change the source port referenced in the TCP/UDP headers.
Destination NAT modifies the destination address in the IP header of a packet entering the interface, and can optionally change the destination port referenced in the TCP/UDP headers.
Twice NAT modifies both the source and destination address of packets entering and exiting the interface, and can optionally change the L4 port information in the TCP/UDP headers. Twice NAT is generally used when inside network addresses overlap or otherwise conflict with outside network addresses. When a packet exits the interface, local source and destination addresses are translated to global source and destination addresses. When a packet enters the interface, global source and destination addresses are translated to local source and destination addresses.

Configuring Static NAT

Configuring Source NAT

Network address translation of a source address (source NAT) is enabled by the ip nat source static command for the configuration mode interface. Applying source NAT to interfaces that connect to local hosts shields the IP address of the host when sending IP packets to remote destinations.

This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

Note: The switch uses a common NAT table for the entire switch, not a per interface one. For example, if a customer has the same inside local address translated to different inside global addresses depending on which interface it exits. It might be translated to exit interface B’s inside global address even though it exits through interface A. A way to avoid this is to use an access list that differentiates based on the destination IP address.

Example

These commands configure VLAN 201 to translate source address 10.24.1.10 to 168.32.14.15.

switch(config)# interface vlan 201
switch(config-if-Vl201)# ip nat source static 10.24.1.10 168.32.14.15
switch(config-if-Vl201)#

The ip nat source static command may include an ACL to limit packet translation. Only packets whose source IP address matches the ACL are cleared. ACLs configured for source NAT must specify a source IP address of any. Source port or protocol matching is not permitted. The destination may be an IP subnet. Commands referencing nonexistent ACLs are accepted by the CLI but not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the new command.

Example

These commands configure VLAN 101 to translate the source address 10.24.1.10 to 168.32.14.15 for all packets with IP destination addresses in the 168.10.1.1/24 subnet.

switch(config)# ip access-list ACL1
switch(config-acl-ACL1)# permit ip any 168.10.1.0/24
switch(config-acl-ACL1)# exit
switch(config)# interface vlan 101
switch(config-if-Vl101)# ip nat source static 10.24.1.10 access-list ACL1 168.32.14.15
switch(config-if-Vl101)#

Configuring Destination NAT

Network address translation of a destination address (destination NAT) is enabled by the ip nat destination static command for the configuration mode interface. Applying destination NAT to interfaces that connect to remote hosts shields the IP address of the recipient host when receiving IP packets from remote destinations.

Example

These commands configure VLAN 201 to translate destination address 168.32.14.15 to 10.24.1.10.

switch(config)# interface vlan 201
switch(config-if-Vl201)# ip nat destination static 168.32.14.15 10.24.1.10
switch(config-if-Vl201)#

The ip nat destination static command may include an ACL to limit packet translation. Only packets whose source IP address matches the ACL are cleared. ACLs configured for destination NAT must specify a destination IP address of any. Destination port or protocol matching is not permitted. The source may be an IP subnet. Commands referencing nonexistent ACLs are accepted by the CLI but not installed in hardware until the ACL is created. Modifying a referenced ACL causes the corresponding hardware entries to be replaced by entries that match the new command.

Example

These commands configure VLAN 201 to translate the destination address 168.32.14.15 to 10.24.1.10 for all packets with the source of host 168.10.1.4.

switch(config)# ip access-list ACL2
switch(config-acl-ACL2)# permit ip 168.10.1.4/32 any
switch(config-acl-ACL2)# exit
switch(config)# interface vlan 201
switch(config-if-Vl201)# ip nat destination static 168.32.14.15 access-list ACL2 
10.24.1.10
switch(config-if-Vl201)#

Configuring Twice NAT

Network address translation of both source and destination addresses on the same interface (twice NAT) is enabled by creating one source NAT rule and one destination NAT rule on the same interface and associating them through a NAT group using the ip nat source static and ip nat destination static commands.

The ip nat source static command translates the actual local source address to a source address which can be used outside the local network to reference the source. The ip nat destination static command translates an internally used destination address to the actual IP address that is the destination of the packet.

The source and destination NAT rules must reference the same NAT group, and both should either specify only IP addresses or specify both IP addresses and L4 port information. If L4 port information is configured in one rule but not in the other, an error message will be displayed.

Each NAT rule installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. Twice NAT does not support the use of access control lists to filter packets for translation.

Example

These commands configure interface ethernet 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.

switch(config)# interface ethernet 2
switch(config-if-Et2)# ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)# ip nat destination static 10.68.104.3 168.25.10.7 group 3

Static NAT Configuration Considerations

Egress VLAN Filter for Static NAT

When a static source NAT is configured on an interface, the source IP translation happens only for those packets that is going 'out' of this interface. If a packet is egressing on an interface which does not have NAT configured, then the source IP is not translated.

When there are two interfaces on which static SNAT is configured then the translation specified for one interface can be applied to a packet going out on the other interface.

Examples

In this example, the packets with source IP 20.1.1.1 going out of E1 will still have the source IP translated to 172.1.1.1 even though the rule is configured in E2 and not on E1.

switch(config)# interface ethernet 1
switch(config-if-Et1)# ip nat source static 10.1.1.1 171.1.1.1
switch(config)# interface ethernet 2
switch(config-if-Et2)# ip nat source static 20.1.1.1 172.1.1.1

To prevent this, use an ACL to filter the traffic that needs NAT on the interfaces.

switch(config)# ip access-list acl1
switch(config-acl-acl1)# permit ip any 171.1.1.0/24
switch(config)# ip access-list acl2
switch(config-acl-acl2)# permit ip any 172.1.1.0/24
switch(config)# interface ethernet 1
switch(config-if-Et1)# ip nat source static 10.1.1.1 access-list acl1 171.1.1.1
switch(config)# interface ethernet 2
switch(config-if-Et2)# ip nat source static 20.1.1.1 access-list acl2 172.1.1.1

ACL filtering is not supported when using twice NAT.

Dynamic NAT

Dynamic NAT can be used when fewer addresses are accessible than the number of hosts to be translated. A NAT table entry is created when the host starts a connection and establishes a one-to-one mapping between addresses. The mapping can vary and is dependent upon the registered addresses in the pool at the time of the communication. Dynamic NAT sessions are only allowed to be initiated only from inside networks. NAT should be configured on a Layer 3 interface, either a routed port or Switch Virtual Interface (SVI). If the host doesn't communicate for a specific period, dynamic NAT entries are removed from the translation table. The address will then returned to the pool for use by another host

Dynamic NAT options:

Many-to-Many NAT
Maps local addresses to a global address that is selected from a pool of global addresses. After pool is configured, the first available address from the pool is picked dynamically on receiving the first packet.
Many-to-One NAT (PAT)
PAT is a form of dynamic NAT where multiple local addresses are mapped to a single global address (many-to-one) using different source ports. This method is also called NAT Overloading, Network and Port address translation (NAPT), and Masquerade. The global address can be the IP address configured on the outside interface.

Hardware entries that translate packets are created when the CLI command is processed. Entries for forward and reverse traffic are created for unicast traffic. The hardware entry for reverse traffic is not created for multicast traffic.

Commands may include ACLs to filter packets that are cleared. Source NAT use ACLs to filter packets based on destination IP address. Destination NAT use ACLs to filter packets based on source IP address. Upon using NAT, inside usually refers to a private network while outside usually refers to a public network.

A switch with NAT configured translates forwarded traffic between inside and outside interfaces, and the flow that matches the criteria specified for translation.

The same IP address can't be used for the NAT static configuration and in the pool for dynamic NAT configurations. Public IP addresses must be unique. The global addresses used in static translations aren't excluded with dynamic pools containing the same global addresses.

Hardware entries that translate packets are created when the CLI command is processed. Entries for forward and reverse traffic are created for unicast traffic. The hardware entry for reverse traffic is not created for multicast traffic.

Commands may include ACLs to filter packets that are cleared. Source NAT use ACLs to filter packets based on destination IP address. Destination NAT use ACLs to filter packets based on source IP address. When using NAT, inside usually refers to a private network while outside usually refers to a public network.

A switch with NAT configured translates forwarded traffic between inside and outside interfaces, and the flow that matches the criteria specified for translation.

Note: The same IP address can't be used for the NAT static configuration and in the pool for dynamic NAT configurations. Public IP addresses must be unique. The global addresses used in static translations aren't excluded with dynamic pools containing the same global addresses.

Note: Dynamic NAT with ACL destination port is not supported on 7050SX3.

Configuring Dynamic NAT

Prerequisites

Configure an ACL to specify IP addresses allowed to be translated.
Determine if you should use an IP address as the translated source address.
Decide on a public IP address pool for address translation.

Configure the Address Pool

The addresses used for translation are configured by issuing the ip nat pool command in global configuration mode.

Example

This command configures the pool of addresses using start address, and end address.

switch(config)# ip nat pool p1 10.15.15.15 10.15.15.25 
switch(config)#

Set the IP Address

The ip address command configures VLAN 201 with an IP address.

Examples

This command configures an IPv4 address for VLAN 201.

switch(config)# interface vlan 201
switch(config-if-Vl201)# ip address 10.0.0.1/24
switch(config-if-Vl201)#

This command configures the dynamic NAT source address and sets the NAT overload for pool P2.

switch(config-if-Vl201)# ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Vl201)#

Configuring Dynamic NAT Priority

For each Dynamic NAT configuration, you can specify the priority from lowest to highest in an interface mode. The ip nat source dynamic command allows you to configure dynamic NAT priority from the source IP address. Multiple dynamic NAT configurations have the same priority irrespective of the order. If priority is not specified in NAT rule, by default the priority is 0 (lowest priority).

Service FTP dynamic NAT rules with a single IP in the pool are considered to be of highest priority.

Note: Priorities in address-only and non-address-only NAT rules are independent of each other.

Example

This command configures the dynamic NAT priority of the access-list in the pool with the order a5 > a4 > a3 > a2 > a1 > a0.

switch(config)# interface vlan 201
switch(config-if-Vl201)# ip address 10.0.0.1/24
switch(config-if-Vl201)# ip nat source dynamic access-list a0 pool p0
switch(config-if-Vl201)# ip nat source dynamic access-list a1 pool p1 priority 1
switch(config-if-Vl201)# ip nat source dynamic access-list a2 pool p2 priority 2
switch(config-if-Vl201)# ip nat source dynamic access-list a3 pool p3 priority 3
switch(config-if-Vl201)# ip nat source dynamic access-list a4 pool p4 priority 4
switch(config-if-Vl201)# ip nat source dynamic access-list a5 pool p5 priority 5
switch(config-if-Vl201)#

Configuring Dynamic NAT with Overload

The following configures a dynamic NAT profile with overload.

Example

This command configures the dynamic NAT for overload.

ip nat profile patName
   ip nat source dynamic access-list accessList1 overload
!

ip access-list accessList1
   20 permit ip host 1.1.1.2 any log

Define the NAT Source Address for Translation

The ip nat source dynamic command specifies a dynamic translation from the source IP address to the pool and to overload the pool address (or addresses).

Example

This command configures the dynamic NAT source address and sets the pool P2 NAT overload.

switch(config)# interface ethernet 3/1
switch(config-if-Et3/1)# ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Et3/1)#

Specify the Timeout Values

The ip nat translation tcp-timeout or ip nat translation udp-timeout commands alter the translation timeout period for NAT translation table entries.

Examples

This command globally sets the timeout for TCP to 600 seconds.

switch(config)# ip nat translation tcp-timeout 600
 switch(config)#

This command globally sets the timeout for UDP to 800 seconds.

switch(config)# ip nat translation udp-timeout 800
 switch(config)#

Verify the NAT Configuration

Display the Address Pools

The show ip nat pool command displays the configuration of the address pool.

Example

This command displays all the address pools configured on the switch.

switch# show ip nat pool

Pool      StartIp           EndIp           Prefix
p1        10.15.15.15       10.15.15.25     24
p2        10.10.15.15       10.10.15.25     22
p3        10.12.15.15       10.12.15.25     12

switch#

Clearing IP NAT Table Entries

Use the clear ip nat flow translation command to remove all or the specified NAT table entries.

Example

This command clears all dynamic entries from the NAT table.

switch# clear ip nat flow translation
switch#

Dynamic NAT Configuration Considerations

Configuring Dynamic NAT Using Pools in a L2 Adjacent Network

When many-to-one dynamic NAT is configured using a NAT pool, and the next hop router for the NAT device is on the same network (L2 adjacent), then you must configure the IP addresses in the NAT pool as a secondary address on the interface.

Example:

The IP addresses in the NAT pool are configured as the secondary address on the interface.

switch(config)# ip nat pool p1 10.1.1.1 10.1.1.4 prefix-length 24
switch(config)# interface ethernet 1
switch(config-if-Et1)# ip nat source dynamic access-list a1 pool p1
switch(config-if-Et1)# ip address 10.1.1.1/24 secondary
switch(config-if-Et1)# ip address 10.1.1.2/24 secondary
switch(config-if-Et1)# ip address 10.1.1.3/24 secondary
switch(config-if-Et1)# ip address 10.1.1.4/24 secondary

Configuring Dynamic NAT Using Pool in a L3 Network

If the next hop of the NAT device is on a different subnet, then you should configure a static Null route for the IP addresses in the NAT pool. Redistribute the static route using BGP/OSPF.

Examples

Outside Interface

switch(config)# interface port-channel 319
switch(config-if-Po319)# ip nat source dynamic access-list dynamic-nat-m2m pool 
natpl-dynamic-nat-m2m
switch(config)# ip access-list dynamic-nat-m2m
switch(config-acl-dynamic-nat-m2m)# 10 permit ip 192.168.93.0/24 any
switch(config)# ip nat pool natpl-dynamic-nat-m2m prefix-length 24
switch(config-natpool-p1)# range 11.3.3.2 11.3.3.10

Static Null Route for Virtual IP

switch(config)# ip route 11.0.0.0/8 Null0
switch(config)# router ospf 1
switch(config-router-ospf)# redistribute static

Configuring Dynamic NAT Using Overload with ECMP Routes

Dynamic many-to-one NAT using overload (PAT) should not be configured on interfaces that form an ECMP group. When one interface in the group goes down, the return packet for connections that are already established will continue to go to the IP address of the interface that went down and will not be forwarded to the inside host. For this type of scenario, use Dynamic NAT with pool configurations.

Dynamic NAT Peer State Synchronization

The NAT peer state synchronization provides redundancy and resiliency for dynamic NAT across a pair of devices to avoid single NAT device failure. Both devices in redundant pair are active and they track new sessions and create or delete NAT entries dynamically. Essentially, an active NAT entry is maintained on both devices irrespective of who created the NAT entry.

Configuring Dynamic NAT Peer State Synchronization

The following prerequisites should be fulfilled before configuring NAT peer state synchronization on devices in a redundant pair.

Both devices in redundant pair must be reachable across an IP address within the same subnet.
NAT version on both devices in redundant pair must be compatible.
Dynamic NAT configuration must be identical across both devices in redundant pair.

The following configuration output indicates a valid running configuration of the NAT peer state synchronization on one device.

ip nat pool POOL61 prefix-length 24
  range 170.24.0.2 170.24.0.200


ip access-list NatACL61
  10 permit ip 61.0.0.0/16 any


interface Port-Channel5
  mtu 9214
  no switchport
  ip address 10.0.0.1/31
  ip nat source dynamic access-list NatACL61 pool POOL61


ip nat synchronization
  peer-address 11.11.11.1
  local-interface Vlan1111
  port-range 1024 2048

The following limitations are applicable during NAT peer state synchronization.

While configuring dynamic NAT peer state synchronization across peer switches, the port range values of the switches should always be disjoint to avoid virtual IP conflict.
NAT peer state synchronization does not support asymmetrical TCP setup (SYN - SYNACK - ACK should always be hashed to the same peer.)
The connection is only synchronized with a peer if the TCP state is established.

The following command specifies the description of the device itself.

switch(config)#ip nat synchronization
switch(config-nat-synchronization)#description <description>

The following command specifies seconds the switch needs to wait before timing out existing connections.

switch(config)#ip nat synchronization
switch(config-nat-synchronization)#expiry-interval 6

The following command specifies seconds the IP address of the peer device from where the synchronization is coming.

switch(config)#ip nat synchronization
switch(config-nat-synchronization)#peer address 202.1.1.2

The following command displays the details of connections, whichare advertised to peer device.

switch(config)#show ip nat synchronization advertised-translations
Source IP  Destination IP  Translated IP  TGT  Type  Interface/Profile
--------------------------------------------------------------------------------------------
10.1.3.10:21800  191.1.1.10:80  139.1.1.1:21800  SRC  DYN  Port-Channel100
10.1.2.10:13750  191.1.1.10:80  139.1.1.1:13750  SRC  DYN  Port-Channel100
10.1.2.10:33757  191.1.1.10:80  139.1.1.1:5951   SRC  DYN  Port-Channel100
10.1.5.10:37111  191.1.1.10:80  139.1.1.1:7561   SRC  DYN  Port-Channel100

The following command displays the details of connections, whichhas been advertised by the peer device.

switch(config)#show ip nat synchronization discovered-translations
Source IP  Destination IP  Translated IP  TGT  Type  Interface/Profile
--------------------------------------------------------------------------------------------
10.1.3.10:28606  191.1.1.10:80  139.1.1.1:28606  SRC  DYN  Port-Channel100
10.1.6.10:39697  191.1.1.10:80  139.1.1.1:39697  SRC  DYN  Port-Channel100
10.1.6.10:20583  191.1.1.10:80  139.1.1.1:31683  SRC  DYN  Port-Channel100
10.1.6.10:28419  191.1.1.10:80  139.1.1.1:28419  SRC  DYN  Port-Channel100

Applying NAT profile on a Tunnel Interface

The following commands apply the configured NAT profile on a tunnel interface.

Example

This command applies the NAT configuration profile natNameProfile to the tunnel Tunnel0.

interface Tunnel0
   ip address 10.1.1.1/24
   tunnel source 2.1.1.1
   tunnel destination 2.1.1.2
   ip nat service-profile <natNameProfile>

IP NAT Commands

clear ip nat flow translation
ip address
ip nat destination static
ip nat pool
ip nat source dynamic
ip nat source static
ip nat translation counters
ip nat translation low-mark
ip nat translation max-entries
ip nat translation tcp-timeout
ip nat translation udp-timeout
show ip nat access-list interface
show ip nat pool
show ip nat synchronization advertised-translations
show ip nat synchronization discovered-translations
show ip nat synchronization peer
show ip nat translation

clear ip nat flow translation

The clear ip nat flow translation command clears all or the specified NAT table entries.

Command Mode

Privileged EXEC

Command Syntax

clear ip nat flow translation [HOST_ADDR [DEST_ADDR]][INTF][PROT_TYPE]

Parameters

DEST_ADDR must immediately follow HOST_ADDR. All other parameters, including HOST_ADDR may be placed in any order.

HOST_ADDR Host address to be modified. Options include:
- no parameter All packets with specified destination address are cleared.
- address local_ipv4 IPv4 address.
- address local_ipv4 local_port IPv4 address and port (port value ranges from 1 to 65535).
DEST_ADDR Destination address of translated packet. Destination address can be entered only when the HOST_ADDR is specified. Options include:
- no parameter All packets with specified destination address are cleared.
- global_ipv4 IPv4 address.
- global_ipv4 global_port IPv4 address and port (port value ranges from 1 to 65535).
INTF Route source. Options include:
- no parameter All packets with specified destination address are cleared.
- interface ethernet e_num Ethernet interface specified by e_num.
- interface loopback l_num Loopback interface specified by l_num.
- interface management m_num Management interface specified by m_num.
- interface port-channel p_num Port-channel interface specified by p_num.
- interface vlan v_num VLAN interface specified by v_num.
PROT_TYPEFilters packets based on protocol type. Options include:
- no parameter All packets with specified destination address are cleared.
- tcp TCP packets with specified destination address are cleared.
- udp UDP packets with specified destination address are cleared.

Examples

This command clears all dynamic entries from the NAT translation table.
```
switch# clear ip nat flow translation
switch#
```

This command clears a specific NAT IP address 172.22.30.52.

switch# clear ip nat flow translation address 172.22.30.52
switch#

This command clears the inside entry that maps the private address 10.10.10.3 to Internet address 172.22.30.52.
```
switch# clear ip nat flow translation address 172.22.30.52 10.10.10.3
switch#
```

ip address

The ip address command configures the IPv4 address and connected subnet on the configuration mode interface. Each interface can have one primary address and multiple secondary addresses.

The no ip address and default ip address commands remove the IPv4 address assignment from the configuration mode interface. Entering the command without specifying an address removes the primary and all secondary addresses from the interface. The primary address cannot be deleted until all secondary addresses are removed from the interface.

Removing all IPv4 address assignments from an interface disables IPv4 processing on that port.

Command Mode

Interface-Ethernet Configuration

Interface-Loopback Configuration

Interface-Management Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip address [ipv4_subnet][PRIORITY]

no ip address [ipv4_subnet][PRIORITY]

default ip address [ipv4_subnet][PRIORITY]

Parameters

ipv4_subnet IPv4 and subnet address (CIDR or address-mask notation). Running-config stores value in CIDR notation.
PRIORITY interface priority. Options include:
- no parameter The address is the primary IPv4 address for the interface.
- secondary The address is the secondary IPv4 address for the interface.

Guidelines

The ip address command is supported on routable interfaces.

Example

This command configures an IPv4 address for VLAN 200.

switch(config)# interface vlan 200
switch(config-if-Vl200)# ip address 10.0.0.1/24
switch(config-if-Vl200)#

ip nat destination static

The ip nat destination static command enables NAT of a specified destination address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.

The no ip nat destination static and default ip nat destination static commands disables NAT translation of the specified destination address by removing the corresponding ip nat destination static command from running_config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE][group group_number]

no ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

default ip nat destination static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE][group group_number]

Parameters

ORIGINAL Destination address to be modified. Options include:
- local_ipv4 IPv4 address.
- local_ipv4 local_port IPv4 address and port (port value ranges from 1 to 65535)
FILTER Access control list that filters packets. Options include:
- no parameter All packets with specified destination address are cleared.
- access-list list_name List that specifies the packets that are cleared. Not supported when configuring twice NAT.
TRANSLATED Destination address of translated packet. Options include:
- global_ipv4 IPv4 address.
- global_ipv4 global_port IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.
PROT_TYPE Filters packets based on protocol type. Options include:
- no parameter All packets with specified destination address are cleared.
- protocol tcp TCP packets with specified destination address are cleared.
- protocol udp UDP packets with specified destination address are cleared.
groupgroup_number Used only when configuring twice NAT, the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.

Examples

These commands configure VLAN 201 to translate destination address 10.24.1.10 to 168.32.14.15.

switch(config)# interface vlan 201
switch(config-if-Vl201)# ip nat destination static 10.24.1.10 168.32.14.15
switch(config-if-Vl201)#

These commands configure VLAN 201 to translate the source address 10.24.1.10 to 168.32.14.15 for all packets with IP destination addresses in the 168.10.1.1/32 subnet.

switch(config)# ip access-list ACL2
switch(config-acl-ACL2)# permit ip 168.10.1.1/32 any
switch(config-acl-ACL2)# exit
switch(config)# interface vlan 201
switch(config-if-Vl201)#
switch(config-if-Vl201)#

These commands configure interface Ethernet 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
```
switch(config)# interface ethernet 2
switch(config-if-Et2)# ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)# ip nat destination static 10.68.104.3 168.25.10.7 group 3
```

ip nat pool

The ip nat pool command identifies a pool of addresses using start address, end address, and either netmask or prefix length. If its starting IP address and ending IP address are the same, there is only one address in the address pool.

The no ip nat pool removes the ip nat poolcommand from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat pool pool_name [ADDRESS_SPAN] SUBNET_SIZE

no ip nat pool pool_name

default ip nat pool pool_name

Parameters

pool_name Name of the IP address pool.
ADDRESS_SPAN Options include:
- start_addr The first IP address in the address pool (IPv4 addresses in dotted decimal notation).
- end_addr The last IP address in the address pool. (IPv4 addresses in dotted decimal notation).
SUBNET_SIZE This functions as a sanity check to ensure it is not a network or broadcast network. Options include:
- netmask ipv4_addr The netmask of the address pool’s network (dotted decimal notation).
- prefix-length 0 to 32 The number of bits of the netmask (of the address pool’s network) that are ones (how many bits of the address indicate network).

Examples

This command configures the pool of addresses using start address, end address, and prefix length of 24.
```
switch(config)# ip nat pool poo1 10.15.15.15 10.15.15.25 prefix-length 24
switch(config)
```

This command removes the pool of addresses.

switch(config)# no ip nat pool poo1 10.15.15.15 10.15.15.25 prefix-length 24
 switch(config)

ip nat source dynamic

The ip nat source dynamic command enables NAT of a specified source address for packets sent and received on the configuration mode interface. This command installs hardware translation entries for forward and reverse traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

The no ip nat source dynamic and default ip nat source dynamic commands disables NAT translation of the specified destination address by removing the corresponding ip nat source dynamic command from running_config .

Note: Ethernet and Port-channel interfaces should be configured as routed ports.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip nat source dynamic access-list acl_name POOL_TYPE

no ip nat source dynamic access-list acl_name

default ip nat source dynamic access-list acl_name

Parameters

acl_name Access control list that controls the internal network addresses eligible for NAT.
POOL_TYPE Options include:
- overload Translates multiple local addresses to a single global address. When overloading is enabled, conversations using the same IP address are distinguished by their TCP or UDP port number.
- pool pool_name The name of the IP address pool. The pool is defined using the ip nat pool command.
  The pool option is required even if the pool has just one address. NAT uses that one address for all of the translations.
pool_fullcone Enables full cone NAT where all requests from the same internal IP address and port are mapped to the same external IP address and port.

Examples

This command configures the dynamic NAT source address and sets the NAT overload for pool P2.

switch(config)# interface ethernet 3/1
switch(config-if-Et3/1)# ip nat source dynamic access-list ACL2 pool p2
switch(config-if-Et3/1)#

This command disables the NAT source translation on interface Ethernet 3/1.

switch(config)# interface ethernet 3/1
switch(config-if-Et3/1)# no ip nat source dynamic access-list ACL2 
switch(config-if-Et3/1)#

ip nat source static

The ip nat source static command enables NAT of a specified source address for the configuration mode interface. This command installs hardware translation entries for forward and reverse unicast traffic. When the rule specifies a multicast group, the command does not install the reverse path in hardware. The command may include an access control list to filter packets for translation.

When configuring twice NAT, an arbitrary NAT group number is used to associate the source NAT and destination NAT rules. This number must be the same in both rules.

The no ip nat source static and default ip nat source static commands disables NAT translation of the specified source address by removing the corresponding ip nat source command from running_config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-channel Configuration

Interface-VLAN Configuration

Command Syntax

ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

no ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

default ip nat source static ORIGINAL [FILTER] TRANSLATED [PROT_TYPE] [group group_number]

Parameters

ORIGINAL Source address to be modified. Options include:
- original_ipv4 IPv4 address.
- original_ipv4 original_port IPv4 address and port (port value ranges from 1 to 65535).
FILTER Access control list that filters packets. Options include:
- no parameter All packets with specified source address are cleared.
- access-list list_name List that specifies the packets that are cleared. Not supported when configuring twice NAT.
TRANSLATED Source address of translated packet. Options include:
- translated_ipv4 IPv4 address.
- translated_ipv4 translated_port IPv4 address and port (port value ranges from 1 to 65535). When configuring twice NAT, source and destination NAT rules must either both specify a port translation or both not specify a port translation.
PROT_TYPE Filters packets based on protocol type. Options include:
- no parameter All packets with specified source address are cleared.
- protocol tcp TCP packets with specified source address are cleared.
- protocol udp UDP packets with specified source address are cleared.
group group_number Used only when configuring twice NAT, the NAT group number associates a source NAT rule with a destination NAT rule on the same interface. The group number (values range from 1 to 255) is arbitrary, but must be the same in both rules.

Restrictions

If ORIGINAL includes a port, TRANSLATED must also include a port.
If ORIGINAL does not include a port, TRANSLATED cannot include a port.

Examples

These commands configure VLAN 101 to translate source address 10.24.1.10 to 168.32.14.15.

switch(config)# interface vlan 101
switch(config-if-Vl101)# ip nat source static 10.24.1.10 168.32.14.15
switch(config-if-Vl101)#

These commands configure VLAN 101 to translate the source address 10.24.1.10 to access-list ACL1 168.32.14.15 for all packets with IP destination addresses in the 168.10.1.1/32 subnet.

switch(config)# ip access-list ACL1
switch(config-acl-ACL1)# permit ip any 168.10.1.1/24
switch(config-acl-ACL1)# exit
switch(config)# interface vlan 101
switch(config-if-Vl101)# ip nat source static 10.24.1.10 access-list ACL1 
168.32.14.15
switch(config-if-Vl101)#

These commands configure Ethernet interface 2 to translate the local source address 10.24.1.10 to the global source address 168.32.14.15, and to translate the local destination address 10.68.104.3 to the global destination address 168.25.10.7 for all packets moving through the interface. The use of NAT group 3 is arbitrary, but must be the same in both rules.
```
switch(config)# interface ethernet 2 
switch(config-if-Et2)# ip nat source static 10.24.1.10 168.32.14.15 group 3
switch(config-if-Et2)# ip nat destination static 10.68.104.3 168.25.10.7 group 3
```

ip nat translation counters

The ip nat translation counters command enables the feature to count packets that are translated by static and twice NAT rules in hardware. Once this feature is enabled, all current rules in hardware and new rules that are configured after running this command receive policers for counting packets.

The no ip nat translation counters and default ip nat translation counters commands disable the packet counter feature for static and twice NAT connections.

Command Mode

Global Configuration

Command Syntax

ip nat translation counters

no ip nat translation counters

default ip nat translation counters

Guidelines

The ip nat translation counters command is supported on the DCS-7150 series switches only. This command is solely intended to debug static and twice NAT translation failures in hardware. Disable this feature after completing troubleshooting. If this feature remains enabled even when the count of static connections exceed 275, it can cause unpredictable behavior including restart of FocalPointV2 agent. The restart of FocalPointV2 agent results in traffic disruption.

Example

The ip nat translation counters command enables the packet counter feature for static and twice NAT connections. Using the show ip nat translation hardware detail and the show ip nat translation twice hardware detail commands, you can verify the packet count.

switch(config)# ip nat translation counters
switch(config)# show ip nat translation hardware detail

Source IP        Destination IP  Translated IP  TGT Type Intf   Proto  Packets  Packets Reply
----------------------------------------------------------------------------------------------
192.168.10.2:0    -               20.1.10.2:0    SRC STAT Vl2640 -      2         1
192.168.110.2:0   -               20.1.110.2:0   SRC STAT Vl2640 -      2         1

switch(config)# show ip nat translation twice hardware detail
Source IP     Destination IP  Translated     Translated    Intf   Group   Packets  Packets 
                               Src IP         Dst IP               Proto           Reply
---------------------------------------------------------------------------------------------
192.16.50.2:0  10.1.50.2:0     20.1.50.2:0    10.1.60.2:0   Vl2922 2  -    2        1
19.16.150.2:0  10.1.150.2:0    20.1.150.2:0   10.1.160.2:0  Vl2922 12 -    2

ip nat translation low-mark

The ip nat translation low-mark command configures the minimum threshold that triggers the resumption of programming new NAT translation connections.

The ip nat translation max-entries command specifies the maximum number of NAT translation connections that can be stored. When this limit is reached, new connections are dropped instead of being programmed in hardware or software. At this point no new connections will be programmed until the number of stored entries drop below the configured low-mark, expressed as a percentage of the max-entries value. The default low mark value is 90%.

The no ip nat translation low-mark and default ip nat translation low-mark commands restores the default low-mark value by removing the ip nat translation low-mark command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation low-mark threshold

no ip nat translation low-mark

default ip nat translation low-mark

Parameters

threshold Percentage of maximum connection entries. Value ranges from 1 to 99. Default is 90.

Example

This command globally sets the translation low mark of 93%.

switch(config)# ip nat translation low-mark 93
switch(config)#

ip nat translation max-entries

The ip nat translation max-entries command specifies maximum number of NAT translation connections. After this threshold is reached, new connections are dropped until the number of programmed connections is reduced below the level specified by the ip nat translation low-mark command.

The no ip nat translation max-entries and default ip nat translation max-entries commands removes the maximum connection limit and resets the parameter value to zero by removing the ip nat translation max-entries command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation max-entries connections

no ip nat translation max-entries

default ip nat translation max-entries

Parameters

connections The maximum number of NAT translation connections. Value ranges from 0 to 4294967295. Default value is 0, which removes the connection limit.

Example

This command limits the number of NAT translation connections the switch can store to 3000.

switch(config)# ip nat translation max-entries 3000
switch(config)#

ip nat translation tcp-timeout

The ip nat translation tcp-timeout command specifies the translation timeout period for translation table entries. The timeout period specifies the interval during which the switch will attempt to reuse an existing TCP translation for devices specified by table entries.

The no ip nat translation tcp-timeout and default ip nat translation tcp-timeout commands reset the timeout to its default by removing the corresponding ip nat translation tcp-timeout command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation tcp-timeout period

no ip nat translation tcp-timeout

default ip nat translation tcp-timeout

Parameters

period Time-out period in seconds for port translations. Value ranges from 0 to 4294967295. Default value is 86400 (24 hours).

Examples

This command sets the TCP timeout for translations to 600 seconds.

switch(config)# ip nat translation tcp-timeout 600
switch(config)#

This command removes the TCP translation timeout.

switch(config)# no ip nat translation tcp-timeout 
switch(config)#

ip nat translation udp-timeout

The ip nat translation udp-timeout command specifies the translation timeout period for translation table entries. The timeout period specifies the interval the switch attempts to establish a UDP connection with devices specified by table entries.

The no ip nat translation udp-timeout and default ip nat translation udp-timeout commands disables NAT translation of the specified destination address by removing the corresponding ip nat translation udp-timeout command from running_config.

Command Mode

Global Configuration

Command Syntax

ip nat translation udp-timeout period

no ip nat translation udp-timeout

default ip nat translation udp-timeout

Parameters

period Value ranges from 0 to 4294967295. Default value is 300 (5 minutes).

Examples

This command globally sets the timeout for UDP to 800 seconds.
```
switch(config)# ip nat translation udp-timeout 800
```

This command removes the timeout for UDP.

switch(config)# no ip nat translation udp-timeout

show ip nat access-list interface

The show ip nat acl interface command displays the access control lists (ACLs) that are configured as source NAT or destination NAT filters. The display indicates ACL rules that do not comply with these NAT requirements:

Source IP address is any.
Destination IP address may use any mask size.
Source port matching is not allowed.
Protocol matching is not allowed.

Command Mode

EXEC

Command Syntax

show ip nat access-list [INTF][LISTS]

Parameters

INTF Filters NAT statements by interface. Options include:
- no parameter Includes all statements on all interfaces.
- interface ethernet e_num Statements on specified Ethernet interface.
- interface loopback l_num Statements on specified Loopback interface.
- interface management m_num Statements on specified Management interface.
- interface port-channel p_num Statements on specified Port-Channel Interface.
- interface vlan v_num Statements on specified VLAN interface.
- interface VXLAN vx_num Statements on specified VXLAN interface.
LISTS ACLs displayed by command. Options include:
- no parameter All ACLs.
- acl_name Specifies individual ACL.

Example:

These commands display the NAT command usage of the ACL1 and ACL2 access control lists.

switch> show ip nat acl ACL1

acl ACL1
        (0.0.0.0/0, 168.10.1.1/32)
Interfaces using this ACL for Nat:
        Vlan100

switch> show ip nat acl ACL2
acl ACL2
        (168.10.1.1/32, 0.0.0.0/0)
Interfaces using this ACL for Nat:
        Vlan201
switch>

show ip nat pool

The show ip nat pool command displays the configuration of the address pool.

Command Mode

EXEC

Command Syntax

show ip nat pool POOL_SET

Parameters

pool_name The name of the pool.
POOL_SET Options include:
- no parameter All configured port channels.
- pool_name The name of the pool.

Examples

This command displays all the address pools configured on the switch.

switch# show ip nat pool
Pool                 StartIp               EndIp                 Prefix
p1                   10.15.15.15           10.15.15.25           24
p2                   10.10.15.15           10.10.15.25           22
p3                   10.12.15.15           10.12.15.25           12
switch#

These commands display specific information for the address pools configured on the switch.

switch# show ip nat pool p1
Pool                 StartIp               EndIp                 Prefix
p1                   4.1.1.1               4.1.1.2               24
                     1.1.1.1               1.1.1.2               24
                     3.1.1.1               3.1.1.2               24
switch# show ip nat pool p2
Pool                 StartIp               EndIp                 Prefix
p2                   10.1.1.1              10.1.1.2              16
switch#

show ip nat synchronization advertised-translations

The show ip nat synchronization advertised-translations command displays the detailed status of devices that are advertised to a peer device.

Command Mode

EXEC

Command Syntax

show ip nat synchronization advertised-translations

Example

This command displays details of devices that are advertised to a peer device.

switch# show ip nat synchronization advertised-translations

Source IP         Destination IP   Translated IP          TGT  Type Intf
------------------------------------------------------------------------
61.0.0.15:6661    100.0.0.2:80     192.170.230.171:6661    SRC  DYN  Et5
61.0.0.41:2245    100.0.0.2:80     192.170.230.170:2245    SRC  DYN  Et5
61.0.0.48:22626   100.0.0.2:80     192.170.230.169:22626   SRC  DYN  Et5
61.0.0.41:22601   100.0.0.2:80     192.170.230.170:22601   SRC  DYN  Et5
61.0.0.41:16798   100.0.0.2:80     192.170.230.170:16798   SRC  DYN  Et5
61.0.0.18:22605   100.0.0.2:80     192.170.230.177:22605   SRC  DYN  Et5
61.0.0.16:2256    100.0.0.2:80     192.170.230.166:2256    SRC  DYN  Et5

show ip nat synchronization discovered-translations

The show ip nat synchronization discovered-translations command displays details of what has been advertised from a peer device.

Command Mode

EXEC

Command Syntax

show ip nat synchronization discovered-translations

Example

This command displays details of devices that are advertised to a peer device.

switch# show ip nat synchronization discovered-translations

Source IP         Destination IP    Translated IP          TGT  Type Intf
-------------------------------------------------------------------------
61.0.2.229:63     100.0.0.2:63     170.24.86.180:63        SRC  DYN  Et5
61.0.15.51:63     100.0.0.2:63     170.24.73.90:63         SRC  DYN  Et5
61.0.6.68:63      100.0.0.2:63     170.24.110.128:63       SRC  DYN  Et5
61.0.7.163:63     100.0.0.2:63     170.24.104.35:63        SRC  DYN  Et5

show ip nat synchronization peer

The show ip nat synchronization peer command displays the detailed status of a peer device.

Command Mode

EXEC

Command Syntax

show ip nat synchronization peer

Example:

This command displays details of a peer device with an IP address of 11.11.11.0 and interface VLAN 1111 that is used to connect to the peer device.

switch# show ip nat synchronization peer
Description : Value
Peer : 11.11.11.0
Connection Port : 4532
Connection Source : 0.0.0.0
Kernel Interface : vlan1111
Local Interface : Vlan1111
Established Time : 1969-12-31 16:00:00
Connection Attempts : 0
Oldest Supported Version : 1
Newest Supported Version : 1
Version Compatible : True
Connection State : connected
Shutdown State : False
Status Mount State : mountMounted
Version Mount State : mountMounted
Recover Mount State : mountMounted
Reboot Mount State : mountMounted

show ip nat translation

The show ip nat translation command displays configured NAT statements in the switch hardware.

Command Mode

EXEC

Command Syntax

Command position of all parameters are interchangeable.

Parameters

no parameter Displays all NAT connections installed in software.
address ipv4_addr Displays NAT connections of the specified IPv4 host address.
address-only ipv4_addr Displays address-only NAT connections of the specified IPv4 host address.
destination Displays destination NAT connections installed in software.
detail Displays detailed output of all NAT connections.
dynamic Displays dynamic NAT connections.
hardware Displays NAT connections installed in hardware.
interface Filters NAT connections by interface. Options include:
- interface ethernet e_num Displays NAT connections of the specified ethernet interface.
- interface port-channel p_num Displays NAT connections of the specified port-channel interface.
- interface vlan v_num Displays NAT connections of the specified VLAN interface.
kernel Displays NAT connections installed in kernel.
max-entries Displays the configured NAT connection limits of a hardware.
source Displays source NAT connections installed in software.
static Displays static NAT connections.
summary Displays summary of all NAT connections.
twice Displays twice NAT connections.

Examples

This command displays all configured NAT translations.

switch> show ip nat translation

Source IP          Destination IP   Translated IP         TGT Type Intf
---------------------------------------------------------------------------
192.168.1.10:62822 172.22.22.40:53  172.17.254.161:62822  SRC DYN  Vl3925
192.152.1.10:20342 172.22.22.40:80  172.17.254.161:22222  SRC STAT Vl3945
switch#

This command displays NAT connections of the specified ethernet interface.

switch> show ip nat translation dynamic interface Ethernet 26

Source IP          Destination IP    Translated IP       TGT Type Intf
-------------------------------------------------------------------------
192.168.1.2:8080   10.1.1.5:600      20.1.1.5:8080       SRC DYN  Et26

This command displays the configured NAT connection limits of a hardware.

switch> show ip nat translation max-entries

Global connection limit                           100
Global connection limit low mark                  90(90%)
Hosts connection limit                            20
Hosts connection limit low mark                   18(90%)
Total number of connections                        1

Host           Max-Entries           Low-Mark              Connections
-----------------------------------------------------------------------
10.1.1.1       10                    9(90%)                0

Media Access Control Security

This section explains the basic concepts about Media Access Control Security (MACsec) including overview, configuration, and the different MACsec commands that are used.

MACsec Overview
Configuring MACsec
Displaying MACsec Information
MACsec Key Retirement Immediate
MACsec EAP-FAST Support
MACsec Proxy For VXLAN
MACsec Fallback to Unprotected Traffic
MACsec Commands

MACsec Overview

Media Access Control Security (MACsec) is an industry standard encryption mechanism that protects all traffic flowing on the Ethernet links. MACsec is based on IEEE 802.1X and IEEE 802.1AE standards.

The major benefits of MACsec are:

MACsec supports packet authentication by providing integrity checking so that packet data is not altered during a packet flow.
MACsec provides secure encryption at Layer 2 level by ensuring complete data confidentiality.
A high density MACsec solution for Cloud Data Centers is integrated with 7500R for highest density and performance in a modular platform.
Cost and performance is optimized for Data Center Interconnect to transport massive volumes of traffic through metro or long haul networks.
Secure transport of data over distance is made possible with MACsec encryption eliminating additional intermediate devices.

MACsec Terminology

MACsec Key Agreement Protocol (MKA) is the key agreement protocol for discovering MACsec peers and negotiating keys between MACsec peers (IEEE 802.1X-REV).

A Connectivity Association (CA) is a security relationship between MACsec-capable devices (endpoints). Endpoints in the same CA share a Connectivity Association Key (CAK). Arista implementation allows 2 endpoints.

A Connectivity Association Key (CAK) is a master key that is used to generate all other keys that are used for MACsec. Endpoints in the same secure Connectivity Association (CA) share a CAK. This key can either be a static pre-shared key, or dynamically derived with the use of 802.1X authentication.

Primary Key- It is ideally the CAK for the MKA session in progress. The Primary key is a combination of key name and the actual key. For example, when a configuration uses 0abcd1 0 1234abcd as a primary key, in this the 0abcd1 is the hex key name, while 1234abcd is the actual key. Note, a key name must be in hex format too.

Note: That the operator 0 means the key being entered here is unencrypted (or unhashed), vs. 7 meaning the hashed version of this key is being entered (in cases where the configuration is being replayed onto the switch).

Fallback Key- In case the primary configured key does not establish its connection, the fallback key is used, so as to ensure no loss of traffic.

Secure Association Key (SAK) - The SAK is derived from the CAK and is the key used by the network device ports to encrypt traffic for a given session.

Key Server - One of the MACsec peers in the CA becomes the Key Server. The main role of the Key Server is to create and distribute Secure Association Keys (SAKs), which are used in actual data encryption.

A Static Secure Association Key (SAK) is an SAK configured directly on a switch and used with unidirectional links, in situations where the MKA protocol is not feasible. Static SAKs require the use of eXtended Packet Numbering (XPN) cipher suites.

MACsec Limitations

The limitations of MACsec are:

MACsec is supported only on point-to-point links, unless static SAK is enabled.
When MACsec is enabled on an interface for the first time, interface flapping occurs for MACsec to take effect.
If static SAK is not enabled, the port does not forward any traffic until the MKA protocol converges and negotiates encryption keys. This occurs initially when MACsec is configured on a port.

MACsec Licensing

MACsec encryption is a EOS licensed feature. A valid MACsec license must be configured on a switch. MACsec licenses are tied to a switch serial number and the licensee. Every switch running MACsec requires a separate license of its own.

There are two ways of configuring MACsec license:

Use the command license licensee_name license_value in MACsec mode. The license value is an 8 digit hexadecimal number. This method of license configuration is no longer being used except for backward compatibility.
Use the command license import license_file_path in Global configuration mode. All new licenses generated on the license portal are JSON-based.

Contact your system engineer to acquire the required license codes before attempting to configure MACsec.

MACsec in FIPS mode

Federal Information Processing Standards (FIPS) are a set of standards defined by the United States federal government related to the processing of data in computer systems by non-military government agencies and government contractors. These standards define specific requirements for various purposes such as ensuring computer security and interoperability within and across the computer networking industry.

Arista devices are compliant with FIPS 140. The FIPS 140 enforces the use of a "FIPS Crypto Module". This both ensures that the algorithms are correct and restricts the set of allowed algorithms to those approved by the FIPS standard. These are the FIPS supported algorithms AES-128/256, SHA-256/512, RSA with 2048 bit keys, a subset of EcDSA. MACsec has both the AES-128-GCM and AES-256-GCM algorithms certified for the data plane. The FIPS mode is enabled using the fips restrictions command which when enabled filters out any unapproved algorithms and warns you if you try to set them.

VLAN Tagged MACsec

Media Access Control Security (MACsec) is configured on subinterfaces using the mac security profile command. Since subinterfaces are logical interfaces that send and receive VLAN tagged traffic, encryption/decryption is applied per VLAN tag.

MACsec Using Static Secure Association Key

MAC security uses the MACsec Key Agreement (MKA) protocol to negotiate between peers using keys (CAKs and CKNs) which are either pre-shared or derived from an 802.1X session, and derives a Secure Association Key (SAK) based on the MKA negotiation. This SAK is then programmed in hardware and used for encrypting and decrypting data traffic. In cases where MKA negotiation is not feasible but encryption and decryption of traffic is required (such as unidirectional links), MACsec can instead be configured to use static Secure Association Keys (SAK) configured separately on transmitting and receiving peers. Each peer can have up to four receiving secure keys and one transmitting key.

Configuring MACsec

These sections describe basic MACsec configuration steps:

Enabling MACsec
Configuring MACsec for MKA
Configuring the FIPS mode
Configuring MACsec Profile on a Subinterface
Configuring MACsec Using Static SAK
Configuring MACsec Proxy For VXLAN
Configuring MAC Security Dynamic Key Derivation
Configuring MACsec Fallback to Unprotected Traffic

Enabling MACsec

MACsec requires a configuration profile. Use the mac security command to enable MACsec and enter MAC Security Configuration Mode, then use the profile command to create a profile and enter MAC Security Profile Configuration Mode, where the following commands are available for detailed configuration:

cipher
key (MACsec)
mka key-server
mka session
replay
sci
traffic unprotected allow

Example

These commands enable MACsec and enter MAC Security Configuration Mode, then create a profile named "MACsec_test" and enter MAC Security Profile Configuration Mode.

switch(config)# mac security
switch(config-mac-security)# profile MACsec_test
switch(config-mac-security-profile-MACsec_test)#

Configuring MACsec for MKA

By default, MAC security (MACsec) uses the MACsec Key Agreement (MKA) protocol to negotiate and exchange encryption keys among peers. To complete a typical MACsec configuration, use the cipher command to select a valid encryption standard. Then use the key command to enter a Connectivity Association Key (CAK). You can use the fallback option to add a fallback CAK to be used if the primary CAK fails.

The key server is responsible for generating and distributing encryption keys. Run the mka key-server priority command on a peer to change its priority. The peer with the lowest priority is elected as the key server. If multiple peers have the same priority, the one with the lowest MAC address is chosen. Priority values range from 0 to 255 and the default priority is 16.

Configure the period at which the Secure Association Key (SAK) is refreshed with the mka session rekey-period command. MACsec uses an SAK for encrypting data traffic, and this SAK is derived from the CAK. Rekey-period values range from 30 to 100000 seconds. By default, there is no session rekey period, and the SAK will not be refreshed periodically.

To improve the randomness of the numbers used to generate MACsec's cryptographic keys, add a source of entropy with the entropy source command in Management Security Configuration Mode.

Examples

These commands configure MACsec to use the AES256-GCM-XPN cipher and add a key and fallback key. For MKA with pre shared key configuration, keys with any length are allowed to work. However, we should have keys with 64 hexadecimal digits in length for a 256-bit cipher.

switch(config-mac-security-profile-test)# cipher aes256-gcm-xpn
switch(config-mac-security-profile-test)# key 0abc12340def56780abc12340def5678 7 06070E234E4D0A48544540585F507E
switch(config-mac-security-profile-test)# key 0def56780abc12340def56780abc1234 7 09484A0C1C0311475E5A527D7C7C70 fallback

These commands give the switch a key-server priority of 10 and an MKA session rekey period of 600 seconds.

switch(config-mac-security-profile-test)# mka key-server priority 10
switch(config-mac-security-profile-test)# mka session rekey-period 600

These commands add an entropy source for more random cryptographic keys.

switch(config-mac-security-profile-test)# management security
switch(config-mgmt-security)# entropy source hardware

These commands apply the "test" profile to Ethernet interface 5/3/1.

switch(config-mgmt-security)# interface ethernet 5/3/1
switch(config-if-Et5/3/1)# mac security profile test
switch(config-if-Et5/3/1)#

Configuring the FIPS mode

To configure the FIPS mode on the MACsec protocol, use the FIPS command.

Example

This command configures the FIPS mode on the MACsec protocol.

switch(config)# mac security 
switch(config-mac-security) fips restrictions

Configuring MACsec Profile on a Subinterface

Following are the commands used to configure a MACsec profile on a subinterface.

Example

The following example enables MAC security on a subinterface with a predefined MACsec profile test-profile.

switch(config)# interface ethernet1
switch(config-if-Et1)# no switchport
switch(config-if-Et1)# interface ethernet1.10
switch(config-if-Et1.10)# encapsulation dot1q vlan 20
switch(config-if-Et1.10)# mac security profile test-profile

Configuring MACsec Using Static SAK

Static SAK is configured for receive (Rx) and transmit (Tx) directions separately. In the Rx direction, multiple SAKs can be configured. For the Tx direction, only one SAK is allowed at a time. An SAK configured for Rx on the local peer should match the SAK configured for Tx on the connected peer, and vice versa. The Rx direction should be configured first on all the MACsec peers, and then the Tx direction should be configured. Use the cipher command to select a cipher suite. You must choose an eXtended Packet Number (XPN) cipher suite, such as AES128-GCM-XPN or AES256-GCM-XPN. Static SAK will not work with a non-XPN cipher.

Examples

These commands select the AES256-GCM-XPN cipher suite for the MACsec profile rx_test on the receiving peer (Rx).

switch(config)# mac security
switch(config-mac-security)# profile rx_test
switch(config-mac-security-profile-rx_test)# cipher aes128gcm-xpn
switch(config-mac-security-profile-rx_test)#

This command configures the key source as static SAK.

switch(config-mac-security-profile-rx_test)# key source sak static
switch(config-mac-security-profile-rx_test-sak-static)#

These commands configure a secure channel identifier (SCI) on the receiving peer. The SCI is a MAC address with six hexadecimal octets and a decimal port number.

switch(config-mac-security-profile-rx_test-sak-static)# secure channel rx
switch(config-mac-security-profile-rx_test-sak-static-rx)# identifier 01:02:03:04:05:06::1234
switch(config-mac-security-profile-rx_test-sak-static-rx)#

This command configures an SAK and assigns it an association number (AN) of 0.

switch(config-mac-security-profile-rx_test-sak-static-rx)# an 0 key 0 11112222333344445555666677778888
switch(config-mac-security-profile-rx_test-sak-static-rx)#

This command configures another SAK and its association number. Up to four associations can be configured.

switch(config-mac-security-profile-rx_test-sak-static-rx)# an 1 key 0 9999aaaabbbbccccddddeeeeffff0000
switch(config-mac-security-profile-rx_test-sak-static-rx)#

These commands configure the secure channel on a transmitting peer using the profile tx_test. Only one SAK can be configured per transmitting peer. This will encrypt traffic in the Tx direction, so the receiving peer must be configured with a matching SAK to decrypt this traffic.

switch(config-mac-security-profile-tx_test-sak-static)# secure channel tx
switch(config-mac-security-profile-tx_test-sak-static-tx)# identifier 01:02:03:04:05:07::1235
switch(config-mac-security-profile-tx_test-sak-static-tx)# an 0 key 0 22223333444455556666777788889999
switch(config-mac-security-profile-tx_test-sak-static-tx)#

Configuring MACsec Proxy For VXLAN

The switch platforms which use this feature are:

7280SRAM-48C6
7280CR2M-30
7500R2M-36CQ-LC

The mandatory steps to configure a MACsec proxy sub-interface on an Arista switch are:

Configure the parent interface to be a routed port.
Create a L3 sub-interface on the parent interface. This is the MACsec proxy sub-interface.
Create a L2 sub-interface on the parent interface. This is the MACsec patch sub-interface.
Configure and enable the MACsec proxy port on a sub-interface.
Configure the VXLAN tunnel.

Assign the forwarding VLAN ID for the MACsec patch sub-interface and VXLAN tunnel.

Example Configurations

Configure a 100g MACsec interface as a routed port.

switch(config)# interface et49/1
switch(config-if-Et49/1)# no switchport

Create a new L3 sub-interface - et49/1.1.

switch(config-if-Et49/1)# interface et49/1.1

Create a new L2 sub-interface - et49/1.2.

switch(config-if-Et49/1)# interface et49/1.2

Configure the MACsec proxy port, and enable MACsec on the proxy port.

switch(config)# interface et49/1.1
switch(config-if-Et49/1.1)# mac security proxy patch Ethernet49/1.2
switch(config-if-Et49/1.1)# mac security profile test1
switch(config-if-Et49/1.1)# ip address 2.2.2.1/24

Configure the VXLAN tunnel. The remote VTEP is provided as the flood VTEP.

switch(config)# interface VXLAN 1
switch(config-if-Vx1)# VXLAN source-interface Loopback0
switch(config-if-Vx1)# VXLAN udp-port 4789
switch(config-if-Vx1)# VXLAN vlan 20 vni 20
switch(config-if-Vx1)# VXLAN vlan 20 flood vtep 100.100.100.2

Configure the L2 MACsec patch interface to be in the same VLAN as VXLAN.

switch(config)# interface et49/1.2
switch(config-if-Et49/1.2)# vlan id 20

Configuring MAC Security Dynamic Key Derivation

802.1X Authenticator Configuration

A new option is added to 802.1X authenticator configuration to make the authenticator more strong to unreliable authentication servers. By default, when an authentication server is unreachable, the authenticator blocks all traffic on the port and keeps the port as Unauthorized until it gets replies from the authentication server. The following option changes the behavior and maintains the port in its current state if the authentication server is not reachable:

Example

switch(config-if-Et1)# dot1x timeout reauth-timeout-ignore always

802.1X Supplicant Configuration

The 802.1X supplicant configurations are done through MACsec profiles. MACsec profile contain all the credentials necessary for 802.1X authentication to succeed.

Following are the steps to configure an 802.1X supplicant profile:

Use dot1x command to enter the dot1x mode to configure a supplicant profile.
```
switch(config)# dot1x
switch(config-dot1x)#
```
Use supplicant profile command to configure a 802.1X supplicant profile.
```
switch(config)# supplicant profile <profileName>
```
The following mandatory commands must be configured for a supplicant profile to be operational:
1. Configure the Extensible Authentication Protocol (EAP) method for the profile. The only method supported by Arista supplicants is EAP-FAST.
```
switch(config-dot1x-supp-profile-test)# eap-method fast
```
2. Configure EAP Identity which is used to authenticate the supplicant with the Radius server:
```
switch(config-dot1x-supp-profile-test)# identity <user-identity>
```
3. Configure EAP pass-phrase the password used to authenticate the supplicant with the Radius server:
```
switch(config-dot1x-supp-profile-test)# passphrase <options>
```
Example
This is an sample 802.1X supplicant profile:
```
switch(config-dot1x-supp-profile-test)# show active 
dot1x
   supplicant profile test
      identity arista
      passphrase 7 070E334D5D1D0B04
```
Apply the supplicant profile by enabling it on the Mac Security interface:
```
switch(config-if-Et6/1)# dot1x pae supplicant test
```
Mac Security
Mac Security configuration remains the same as described in the configuration guide with a single important difference. Instead of configuring manual keys, a Mac security profile must instead be configured to use dynamic keys:
```
switch(config-mac-security-profile-test)# key source dot1x
```

Displaying 802.1X Supplicant Status

The show dot1x supplicant command displays the 802.1X supplicant status.

switch #show dot1x supplicant 
Interface: Ethernet6/1
    Identity: arastra
    EAP method: fast
    Status: success
    Supplicant MAC: 44:4c:a8:34:bf:20
    Authenticator MAC: 00:1c:73:e0:d3:76

About the Output

Interface: The port on which the supplicant is running.
Identity: Configured supplicant identity.
EAP method: Configured EAP method (Currently just EAP-FAST).
Status: Supplicant Status. Can be one of the following:
- Success Authentication has been successful.
- Down Authentication sequence has not begun.
- Failed Authentication has failed.
- Connecting Authentication is in progress.
- Unused Supplicant is uninitialized.
Supplicant MAC: MAC address of the supplicant.
Authenticator MAC: MAC address of the authenticator (peer).
Existing Mac Security: Show commands can be used to look at Mac Security status.

Configuring MACsec Fallback to Unprotected Traffic

This feature is supported on all MACsec capable cards except for 7500E-6CFPX-LC.

The MACsec Fallback to Unprotected Traffic feature is configured under MACsec profile mode using the traffic unprotected allow command. The no form of the command removes the configuration from the switch. This configuration must be present in both the peers for the unprotected traffic to flow between them successfully.

Example

switch(config-mac-security-profile-sampleProfile)# no traffic unprotected allow

Displaying MACsec Information

The following sections provide information about MACsec on a switch.

This section contains the following topics:

Displaying MACsec Information
Displaying MACsec detailed information
Displaying MACsec participants
Displaying MACsec participants detailed information
Displaying MACsec MKA Counters
Displaying MACsec Security Counters Detailed Information
Displaying MACsec Security Counters
Displaying MACsec MKA Counters detailed information
Displaying MACsec FIPS Status
Displaying Information for MACsec Using Static Secure Association Key

Displaying MACsec Information

The show mac security interface command shows information about the MACsec on the interface.

Example

switch# show mac security interface
Interface SCI Controlled Port Key in Use
Ethernet4/1/1 28:99:3a:82:6f:82::605 True 9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1 28:99:3a:82:6f:85::613 True 9d5bc0d3076ea4a08b99b9d9:1

Displaying MACsec detailed information

Use the show mac security interface detail command to display detailed information about MACsec.

Example

switch# show mac security interface detail 
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    SSCI: 00000002
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    SSCI: 00000001
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

About the Output:

Interface: Name of the interface.
Secure Channel Identifier (SCI): Combination of MAC address and port number. Used to uniquely identify a Mac Security port.
Controlled Port: Indicates if Mac Security is enabled on the port. A value of True indicates that encryption is enabled on the port.
Key In Use: The SAK identifier currently in use. Combination of Key Servers message identifier (see below) and key number.
Key Server Priority: Configured key server priority.
Session Rekey Period: Configured session rekey period.
Latest Key: Latest SAK being negotiated by Mac Security Key Agreement Protocol (MKA)
Old Key: The last SAK negotiated by Mac Security Key Agreement Protocol (MKA)

Note: Latest and Old key are MKA protocol specific terminology and are used to refer to the last two keys in use. For all practical purposes, Key In Use field is used to identify the current key.

Displaying MACsec participants

Use the show mac security participants command to display information about the MACsec participants.

Example

switch# show mac security participants 
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True

Displaying MACsec participants detailed information

Use the show mac security participants detail command to display detailed information about the MACsec participants.

Example

switch# show mac security participants detail
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['c79ad8882c2dd3a8e838a691']
      Potential peer list: []

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['3dfd4486b5f68a81014a37ec']
      Potential peer list: []

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
      Potential peer list: []

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['4ef4cf009161bd551b5e7434']
      Potential peer list:

About the Output

Connectivity Association Key Name (CKN): Configured name of the key in use.
Message ID: A random 92 bit string used as an identifier for an MKA participant.
Elected Self: True if this participant is the elected key server.
Success: True if this participant is live and has at least one live peer.
Principal: True if this participant is the principal participant elected to distribute SAKs or if participant receives SAKs from key server.
Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).
Key Server SCI: The SCI of the key server.
SAK Transmit: True if the participant is ready to use the negotiated key for transmit.
LLPN Exhaustion: Increments if the number of data packets sent using the current key exceeds a certain threshold.
Distributed Key Identifier: Message ID + key number of the most recently generated SAK.
Live Peer List: Message IDs of all the live peers of the participant.
Potential Peer List: Message IDs of all the potential peers of the participant. These are peers which havent yet established mutual liveness but have sent out at least one control packet.

Displaying MACsec MKA Counters

Use the show mac security mka counters command to display information about the MACsec MKA counters.

Example

switch# show mac security mka counters 
Interface       Rx Success      Rx Failure      Tx Success      Tx Failure
Ethernet4/1/1   287             0               288             0
Ethernet4/3/1   288             0               287             0

Displaying MACsec Security Counters Detailed Information

Use the show mac security counters detail command to display detailed information about the MACsec security counters.

Example

switch# show mac security counters detail 
Ethernet4/1/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    112
                  outOctetsEncrypted  11984
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          224
                  inPktsDecrypted     2
                  inOctetsDecrypted   214
                  inPktsUnchecked     0
                  inPktsOK            2
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          223
                  inPktsNoTag         8
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0

Ethernet4/3/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    2
                  outOctetsEncrypted  214
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          223
                  inPktsDecrypted     111
                  inOctetsDecrypted   11877
                  inPktsUnchecked     0
                  inPktsOK            111
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          224
                  inPktsNoTag         9
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0

Displaying MACsec Security Counters

Use the show mac security counters command to display information about the MACsec security counters.

Example

switch# show mac security counters 
Port     InPktsDecrypted  InOctetsDecrypted  OutPktsEncrypted OutOctetsEncrypted
Et4/1/1                2                214               109              11663
Et4/3/1              109              11663                 2                214

Displaying MACsec MKA Counters detailed information

Use the show mac security mka counters detail command to display detailed information about the MACsec MKA counters.

Example

switch# show mac security mka counters detail 
Interface: Ethernet4/1/1
    Tx packet success: 290
    Tx packet failure: 0
        Tx invalid: 0
    Rx packet success: 289
    Rx packet failure: 0
        Rx invalid: 0
        Rx eapol error: 0
        Rx basic parameter set error: 0
        Rx unrecognized CKN error: 0
        Rx ICV validation error: 0
        Rx live peer list error: 0
        Rx potential peer list error: 0
        Rx SAK use set error: 0
        Rx distributed SAK set error: 0
        Rx distributed CAK set error: 0
        Rx ICV Indicator error: 0
        Rx unrecognized parameter set error: 0

Interface: Ethernet4/3/1
    Tx packet success: 289
    Tx packet failure: 0
        Tx invalid: 0
    Rx packet success: 290
    Rx packet failure: 0
        Rx invalid: 0
        Rx eapol error: 0
        Rx basic parameter set error: 0
        Rx unrecognized CKN error: 0
        Rx ICV validation error: 0
        Rx live peer list error: 0
        Rx potential peer list error: 0
        Rx SAK use set error: 0
        Rx distributed SAK set error: 0
        Rx distributed CAK set error: 0
        Rx ICV Indicator error: 0
        Rx unrecognized parameter set error: 0

Displaying MACsec FIPS Status

Use the show mac sec status command to display information about the MACsec FIPS status.

Example

switch(config)# mac security 
switch(config-mac-security)# show mac sec status
Active Profiles:          1
FIPS Mode:                Yes
Secured Interfaces:       2

Displaying Information for MACsec Using Static Secure Association Key

If MACsec is configured to use static SAKs, these commands will show additional information related to static SAKs:

show active
In MAC Security configuration mode, the show active command displays the MAC security key source. If one or more static SAKs are configured, this key source will be shown as "key source sak static."
show mac security interface
With a static SAK configured, the show mac security interface command shows the association numbers for SAKs which are programmed for Rx and Tx. Show commands never display actual SAK values.

If a unidirectional link is configured with a static SAK, the Rx side will show the SCI as "00:00:00:00:00:00::0," and only the Rx AN will be shown. On the Tx side, the configured SCI and Tx AN will be shown.

show mac security sak
If one or more SAKs are configured in the switch, the show mac security sak command will show SAK-related details.

MACsec Key Retirement Immediate

The MACsec uses the concept of configuring two keys for MKA negotiation: Primary and Fallback (as a backup). Given a mac security profile configured on an interface, there is an actor created per key which is responsible for MKA negotiation with the other peer. When a new primary key is configured, old primary keys actor is retained in the system till the time MKA session becomes successful with the configured new primary key. Same holds good for fallback key as well. When key retirement immediate command is used it removes the actor corresponding to old key, be it primary or fallback, from the system immediately.

MACsec Key Retirement Immediate Operations

If a new primary key is configured in a mac security profile, old primary keys actor is deleted from the system immediately.
If a new fallback key is configured in a mac security profile, old fallback keys actor is deleted from the system immediately.
Removing the feature configuration from mac security profile will just prevent cleaning up of old keys immediately when new keys are configured. It will not create old actor again.
Note: The key retirement immediate command only deletes the actor corresponding to old key. It does not clean up the SAK programmed in the hardware until a new SAK is available to be programmed. However, as a side effect of deletion of actor, a new principal actor will be chosen (if an eligible actor is available) over which a new SAK will be distributed subsequently.

MACsec Key Retirement Immediate Feature Interactions

MACsec EAP-FAST Support

If Dynamic MAC Security keys is used with key retirement immediate, then on every new primary key derived from 802.1X, old primary keys actor will be deleted from the system. This will usually happen based on the reauth time interval configuration for 802.1X.

MACsec Fallback to Unprotected Traffic Support

The key retirement immediate is configured with Fallback to Unprotected Traffic feature, transition between unprotected traffic and protected traffic may become more frequent. This is because with Key Retirement Immediate feature, whenever a new key is configured, existing successful MKA session corresponding to the old key are not maintained, which might bring down the number of successful MKA sessions to zero, which eventually moves the interface to unprotected traffic state as per Fallback to Unprotected Traffic feature functionality.

MACsec Key Retirement Immediate Configuration

The show dot1x supplicant command is configured in mac security profile mode, the configuration needs to be present on both key server and non key server peers. Since key server decides the principal actor for SAK distribution, it is recommended that this configuration is present in key server for triggering the re-election of principal actor immediately.

If key retirement immediate is configured only on key server, non key server will still try to negotiate MKA over old primary key unnecessarily utilizing some system resources and some time even when not required.

If key retirement immediate is configured only on non key server, it will take 6 seconds (MKA Lifetime) for triggering any re-election on key server as a result of session failure.

switch(config-mac-security-profile-sampleProfile)# [no] key retirement immediate

Configuration Scenarios

When both Primary Key and Fallback Key configured: without configuring key retirement immediate, when a new primary is configured, the actor corresponding to the old actor will stay active till MKA session on the new primary becomes successful. With key retirement immediate, the actor corresponding to the old primary is deleted immediately. Since fallback is also configured, key server will choose it as the new principal actor, if eligible. Once a new principal actor is chosen, new SAK is distributed which will eventually get programmed and used for encryption & decryption.

When only Primary Key is configured: the behavior is same as above except the fact that no other actor will become principal until the new primary becomes successful. Till then hardware will continue to use SAK generated with old primary.

When Fallback is Principal actor: without key retirement immediate, when a new fallback key is configured, old fallback will stay in the system till the time new fallback becomes active or primary becomes active. With key retirement immediate, old fallback actor is deleted immediately. Till the time a new principal actor is elected, hardware will continue to use SAK generated with old fallback.

The show mac security participants command shows all the participants present in the system. When key retirement immediate is configured, the actor corresponding to old keys will no longer list up in the output of the above show command.

MACsec EAP-FAST Support

The Media Access Control Security (MACsec) with static keys feature brings support for dynamic Mac Security keys. To derive Mac Security keys dynamically, both peers must be configured for 802.1X authentication. One peer must be configured to be the Authenticator and the other peer to be the Supplicant. Upon a successful 802.1X authentication sequence between the peers, keying material is generated by both the authenticator and the supplicant. This keying material is then used to derive Mac Security keys to establish a MACsec Key Agreement (MKA) protocol session. This feature brings in support for Arista devices to act as the supplicant to derive Mac Security keys in a bidirectional fashion.

The following diagram illustrates a typical Mac Security + 802.1X topology:

MACsec Proxy For VXLAN

The MACsec Proxy for VXLAN feature enables the MACsec service over VXLAN. MACsec over VXLAN is provided by mapping a Visual Networking Index (VNI), Remote VXLAN Tunnel Endpoint (VTEP) IP to a MACsec proxy sub interface.

Any packets routed to the MACsec proxy sub interface is encrypted and tunneled to the remote VTEP. On the receiving path the packets are decrypted, then decapsulated and forwarded. MKA negotiates and renews the encryption keys, for this purpose a MACsec capable front panel port has to be dedicated and cannot be plugged in as it will be used to recycle packets being encrypted and decrypted.

Configuring MACsec Proxy For VXLAN

The switch platforms which use this feature are:

7280SRAM-48C6
7280CR2M-30
7500R2M-36CQ-LC

The mandatory steps to configure a MACsec proxy sub-interface on an Arista switch are:

Configure the parent interface to be a routed port.
Create a L3 sub-interface on the parent interface. This is the MACsec proxy sub-interface.
Create a L2 sub-interface on the parent interface. This is the MACsec patch sub-interface.
Configure and enable the MACsec proxy port on a sub-interface.
Configure the VXLAN tunnel.

Assign the forwarding VLAN ID for the MACsec patch sub-interface and VXLAN tunnel.

Example Configurations

Configure a 100g MACsec interface as a routed port.

switch(config)# interface et49/1
switch(config-if-Et49/1)# no switchport

Create a new L3 sub-interface - et49/1.1.

switch(config-if-Et49/1)# interface et49/1.1

Create a new L2 sub-interface - et49/1.2.

switch(config-if-Et49/1)# interface et49/1.2

Configure the MACsec proxy port, and enable MACsec on the proxy port.

switch(config)# interface et49/1.1
switch(config-if-Et49/1.1)# mac security proxy patch Ethernet49/1.2
switch(config-if-Et49/1.1)# mac security profile test1
switch(config-if-Et49/1.1)# ip address 2.2.2.1/24

Configure the VXLAN tunnel. The remote VTEP is provided as the flood VTEP.

switch(config)# interface VXLAN 1
switch(config-if-Vx1)# VXLAN source-interface Loopback0
switch(config-if-Vx1)# VXLAN udp-port 4789
switch(config-if-Vx1)# VXLAN vlan 20 vni 20
switch(config-if-Vx1)# VXLAN vlan 20 flood vtep 100.100.100.2

Configure the L2 MACsec patch interface to be in the same VLAN as VXLAN.

switch(config)# interface et49/1.2
switch(config-if-Et49/1.2)# vlan id 20

Displaying MACsec Proxy For VXLAN Information

Use show mac security interface command to display the proxy sub-interface information.

Examples

Use show mac security mka counters command to display the MACsec counters and detailed values.

switch(config)# show mac security interface
Interface     SCI                     Controlled Port  Key in Use
Ethernet4/1/1 28:99:3a:82:6f:82::605  True             9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1 28:99:3a:82:6f:85::613  True             9d5bc0d3076ea4a08b99b9d9:1

switch(config)# show mac security mka counters
Interface      Rx Success  Rx Failure  Tx Success   Tx Failure
Ethernet4/1/1  287         0            288          0
Ethernet4/3/1  288         0            287          0

switch(config)# show mac security mka counters ethernet 49/1.1 detail
Interface: Ethernet49/1.1
    Tx packet success: 84
    Tx packet failure: 0
        Tx invalid: 0
    Rx packet success: 82
    Rx packet failure: 0
        Rx invalid: 0
        Rx eapol error: 0
        Rx basic parameter set error: 0
        Rx unrecognized CKN error: 0
        Rx ICV validation error: 0
        Rx live peer list error: 0
        Rx potential peer list error: 0
        Rx SAK use set error: 0
        Rx distributed SAK set error: 0
        Rx distributed CAK set error: 0
        Rx ICV Indicator error: 0
        Rx unrecognized parameter set error: 0

Limitations

When this feature is in use, following limitations can be noticed:

An interface while moving from allowing unprotected traffic to allowing only protected traffic can experience a traffic disruption of up to 4 seconds.
If the key server interface manages to establish a MKA session with its old credentials (CKN/CAK pair) while unprotected traffic was allowed, then traffic disruption for a duration of up to 6 seconds can be noticed in addition to the duration mentioned in the above point.

MACsec Fallback to Unprotected Traffic

When MACsec is enabled on an interface, it tries to establish MACsec Key Agreement ( MKA ) session(s) with its peer. If no MKA sessions is successfully established, then the interface can continue to protect the traffic with the last known negotiated key, and if such a key does not exist then it blocks the traffic. The MACsec Fallback to Unprotected Traffic feature introduces an optional configuration which, if provided, allows unprotected traffic whenever there is no successful MKA session with the peer in the following scenarios:

If MACsec is enabled on an interface with this feature configured, then the interface allows unprotected traffic immediately without waiting for MKA session establishment.
If a MACsec enabled interface was blocking traffic as no MKA sessions were established and its corresponding MACsec profile is changed to enable this feature, the interface will start allowing unprotected traffic immediately.
If a MACsec enabled interface was allowing unprotected traffic and its corresponding MACsec profile is changed to disable this feature, the interface will block traffic immediately.
While an interface is allowing unprotected traffic, it will stop doing so when a new Secure Association Key (SAK) is generated (if this interface is key server) or when a SAK is received from the key-server (if this interface is not the key server).
If MACsec Fallback to Unprotected Traffic is configured and all MKA sessions between the peers fail, the peers will switch to unprotected traffic. If not configured, protected traffic could have continued with last known negotiated key.

To protect traffic between pairs, primary MKA session derived keys are given priority over Fallback MKA session. With this feature enabled, the priority order of traffic between peers is -

1. Protected using derived keys from primary MKA sessions.

2. Protected using derived keys from Fallback MKA sessions.

3. Unprotected traffic.

Note: Arista allows a primary and a Fallback Connectivity Association Key (CAK) and Connectivity Association Key Name (CKN) pair to be configured on an interface. And interfaces tries to establish a MKA session with its peer corresponding to each CAK/CKN pair.

MACsec Fallback to Unprotected Traffic Feature Interaction

This feature interacts with other related features in following way:

MACsec EAP-FAST Support:If dynamic MAC Security keys (derived from 802.1X authentication) are used, then the feature configuration has no effect.
MACsec Proxy Interfaces: This feature does not work with MACsec proxy sub interfaces.
Key Retirement Immediate: If this feature is configured with Key Retirement Immediate feature on an interface, transition between unprotected traffic and protected traffic may become more frequent. This is because with Key Retirement Immediate feature, whenever a new key is configured, existing successful MKA session corresponding to the old key is not maintained.

Limitations

When this feature is in use, following limitations can be noticed:

An interface while moving from allowing unprotected traffic to allowing only protected traffic can experience a traffic disruption of up to 4 seconds.
If the key server interface manages to establish a MKA session with its old credentials (CKN/CAK pair) while unprotected traffic was allowed, then traffic disruption for a duration of up to 6 seconds can be noticed in addition to the duration mentioned in the above point.

Configuring MACsec Fallback to Unprotected Traffic

This feature is supported on all MACsec capable cards except for 7500E-6CFPX-LC.

Example

switch(config-mac-security-profile-sampleProfile)# no traffic unprotected allow

Displaying MACsec Fallback to Unprotected Traffic Information

The show mac security interface detail command can be used to verify if the interface is currently allowing unprotected traffic.

switch# show mac security interface Ethernet 6/1/1 detail
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    SSCI: 00000002
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Unprotected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    SSCI: 00000001
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

MACsec Commands

an (MACsec)

The an command defines an Association Number (AN) and a Secure Association Key (SAK) for use in the selected channel in MACsec. Up to 4 SAKs can be configured in the Rx direction, with ANs ranging from 0 to 3. The Tx channel can only have one AN and one SAK. The no an and default an commands remove the specified AN and its SAK from running-config.

Command Mode

MAC Security Profile SAK Static Secure Channel Configuration

Command Syntax

an an_number key key_type key_string

no an an_number

default an an_number

Parameters

an_number The Association Number. For the Rx channel, values range from 0 to 3. For the Tx channel, the only allowed value is 0. There is no default value.
key_type The type of string specifying the SAK. There are three valid key types:
- 0 indicates that the key string which follows is not encrypted.
- 7 indicates that the key string which follows is hidden or obfuscated.
- 8a The following key is encrypted with AES-256-GCM.
key_string The Secure Association Key itself, in hexadecimal octets.

Example

These commands add a static SAK with AN 1 to the Rx channel for profile test.

switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)# key source sak static
switch(config-mac-security-profile-test-sak-static)# secure channel rx
switch(config-mac-security-profile-test-sak-static-rx)# an 1 key 0 11112222333344445555666677778888
switch(config-mac-security-profile-test-sak-static-rx)#

cipher

The cipher command configures the cipher authentication for MAC security on the switch.

Command Mode

MACsec Profile

Command Syntax

cipher encryption_standard

Parameters

encryption_standard The cipher authentication options.

aes128-gcm-xpn Advanced Encryption Standard (128 bit, Galois/Counter mode, Extended Packet Numbering).
aes256-gcm-xpn Advanced Encryption Standard (256 bit, Galois/Counter mode, Extended Packet Numbering).

Example

The following command configures the cipher aes128-gcm-xpn for MAC security on the switch for the MACsec profile called test.

switch(config-mac-security-profile-test)# cipher aes128-gcm-xpn
switch(config-mac-security-profile-test)#

dot1x pae supplicant

The dot1x pae supplicant command applies the supplicant profile by enabling it on the Mac Security interface.

Command Mode

Interface Configuration

Command Syntax

dot1x pae supplicant

Example

The following command applies the supplicant profile test on the MACsec interface 6/1.

switch(config-if-Et6/1)# dot1x pae supplicant test

dot1x timeout reauth-timeout-ignore always

The dot1x timeout reauth-timeout-ignore always command retains the current port state without blocking it irrespective of when the authentication server is unreachable or in-case of supplicant time outs.

Command Mode

Interface Configuration

Command Syntax

dot1x timeout reauth-timeout-ignore always

Example

The following command retains the current port status of interface Ethernet 6/1 when there is authentication server timeout.

switch(config-if-Et6/1)# dot1x timeout reauth-timeout-ignore always

dot1x

The dot1x command places the switch in the dot1x mode. In this mode user is allowed to configure various MACsec configurations.

Command Mode

Global Configuration

Command Syntax

dot1x

Example

The following command places the switch in the dot1x mode.

switch(config)# dot1x
switch(config-dot1x)#

entropy source hardware

The entropy source hardware command generates the cryptographic keys to strengthen the random number generator used by MACsec.

Command Mode

Management Configuration

Command Syntax

entropy source hardware

Example

The following command configures the entropy source hardware and generates the cryptographic keys.

switch(config)# management security
switch(config-mgmt-security)# entropy source hardware

identifier (MACsec)

The identifier command defines a Secure Channel Identifier (SCI) for the Rx or Tx secure channel for use with MACsec static SAKs. The SCI is a MAC address in the format H:H:H:H:H:H::P, where H is a hexadecimal octet and P is a decimal integer. The no identifier and default identifier commands remove the channel's SCI from running-config.

Command Mode

MAC Security Profile SAK Static Secure Channel Configuration

Command Syntax

identifier MAC_address

no identifier

default identifier

Parameters

MAC_address The MAC address identifying the secure channel.

Example

These commands add the SCI 01:02:03:04:05:06::1234 to the Rx channel for profile "test".

switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)# key source sak static
switch(config-mac-security-profile-test-sak-static)# secure channel rx
switch(config-mac-security-profile-test-sak-static-rx)# identifier 01:02:03:04:05:06::1234
switch(config-mac-security-profile-test-sak-static-rx)#

key (MACsec)

The key command configures the primary key so that the MACsec profile is activated.

Note: Optionally a fallback CAK can also be configured on a profile. This CAK is picked up by MACsec to negotiate keys if the primary CAK fails. A CAK can be configured as a backup key using the fallback keyword with the key command.

Command Mode

MACsec Profile Configuration

Command Syntax

key <options>

Parameters

CKN Connectivity association key name in hex octets. Options include:
- 0Specifies that an UNENCRYPTED key will follow.
- 7Specifies that an HIDDEN key will follow.
- CAKConnectivity association key in hex octets.
- fallback Configure the key as a fallback.
retirement Retire the key. Options include:
- immediate Retire the key immediately.
source List of sources to derive MAC security keys. Options include:
- dot1xDerive MAC security keys from IEEE 802.1X based port authentication
- group-cak Derive MAC security keys from Group CAK Distribution.
- sak static Enter

Examples

The following example configures the primary key for the profile called sample profile for MAC security on the switch.

switch(config)# mac security
switch(config-mac-security)# profile sample_Profile
switch(config-mac-security-profile-sample_Profile)# key 0abcd1 0 1234abcd

The following example configures the fallback CAK on a profile.

switch(config)# mac security
switch(config-mac-security)# profile sample_Profile
switch(config-mac-security-profile-sample_Profile)# key 0abcd1 0 1234abcd fallback

key retirement immediate

The key retirement immediate command configures the key retirement feature on the key server and assists the key server to decide the principal actor for SAK distribution by triggering the re-election of principal actor immediately. It is recommended that the key retirement is configured on both key server and non key server peers.

The no key retirement immediate command disable the key retirement function by removing the key retirement immediate command from the running-config.

Command Mode

MACsec Profile

Command Syntax

key retirement immediate

Example

The following commands configures the key retirement immediate feature on a switch for a MACsec profile called sample.

switch(config)# mac security
switch(config-mac-security)# profile sample
switch(config-mac-security-profile-sample)# key retirement immediate

license (Global Mode)

The license command configures EOS licenses on the switch under the global configuration mode. These licenses include the MACsec license.

Note: Contact your system engineer to acquire the required license codes before attempting to configure MACsec.

Command Mode

Global Configuration

Command Syntax

license {import URL | update}

Parameters

import Import license from a URL.
URL The URL from which to import a license.
update Trigger a check for licenses.

Example

The following example configures the MACsec license on the switch using a JSON file as shown.

switch# license import flash:EOSLic-1.json
switch#

license (MACsec)

The license command configures the MACsec license on the switch under the MAC Security configuration mode using a hex key.

The no license and default license commands delete the current license from running-config.

Note: This method of license configuration is no longer being used except for backward compatibility.

Command Mode

MAC Security

Command Syntax

license licensee_name license_value

Parameters

licensee_name Name of the licensee.
license_value 8 digit hexadecimal key to authorize MAC security.

Example

The following example configures the MACsec license on the switch using an 8 digit hexadecimal key.

switch(config)# mac security
switch(config-mac-security)# license Test-LICNC AABBCCDD
switch(config-mac-security)#

mac security

The mac security command enables MAC security provision on the switch.

The no mac security and default mac security commands restore the switch to its default state by removing the corresponding mac security command from running-config.

Command Mode

Global Configuration

Command Syntax

mac security

no mac security

default mac security

Example

The following command places the switch in MAC security mode.

Switch(config)# mac security
Switch(config-mac-security)#

mac security profile

The mac security profile command applies a MACsec profile to an interface or subinterface.

The no mac security profile and default mac security profile commands remove the MACsec profile, disabling MACsec on the configuration-mode interface.

Command Mode

Interface Ethernet Configuration Mode

Command Syntax

mac security profile profile-name

no mac security profile profile-name

default mac security profile profile-name

Parameter

profile-name the MACsec profile name.

Example

The following commands enable MACsec on Ethernet subinterface 1.10 by applying the MACsec profile called test-profile.

switch(config)# interface ethernet1
switch(config-if-Et1)# no switchport
switch(config-if-Et1)# interface ethernet1.10
switch(config-if-Et1.10)# encapsulation dot1q vlan 20
switch(config-if-Et1.10)# mac security profile test-profile

mka key-server

The mka key-server command configures key server among the MACsec peers.

Command Mode

MACsec Profile Configuration

Command Syntax

mka key-server priority value

Parameters

priority MKA key server priority.
value Key server priority value. Value ranges from 0 to 255.

Example

The following example configures the key server value of 10 among the MACsec peers.

Switch(config)# mac security
Switch(config-mac-security)# profile sample_Profile
Switch(config-mac-security-sample_Profile)# mka key-server priority 10

mka session

The mka session command configures period at which the SAK is refreshed .

Command Mode

MACsec Profile Configuration

Command Syntax

mka session rekey-period value

Parameter

rekey-period Sets MKA session re-key period.
value Session re-key period in seconds. Value ranges from 30 to 100000.

Example

The following example configures the mka session rekey-period time of 10 seconds at which the SAK is refreshed.

Switch(config)# mac security
Switch(config-mac-security)# profile sample_Profile
Switch(config-mac-security-sample_Profile)# mka session rekey-period 10

profile (MACsec)

The profile command places the switch in MAC Security Profile configuration mode and creates a MACsec profile if a profile of the specified name does not already exist. MACsec profiles contain the configuration information needed to establish a MACsec connection, and are applied to interfaces using the mac security profile command.

Command Mode

MAC Security Configuration

Command Syntax

profile profile-name

Parameter

profile-name Name of the MACsec profile.

Commands Available in MAC Security Profile Configuration Mode

cipher
key (MACsec)
mka key-server
mka session
replay
sci
traffic unprotected allow

Example

The following commands create a MACsec profile called test and place the switch in MAC Security Profile configuration mode for that profile.

switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)#

replay

The replay command configures the action to be taken when packets received are not in order, based on their packet numbers. The window size in replay protection specifies the window size within which out-of-order packets are allowed. This command is configured under the MACsec Profile configuration mode.

The no and default form of the command removes all the configurations related to replay command from the running configuration on the switch.

Command Mode

MACsec Profile

Command Syntax

replay protection {disabled | window window_size}

no replay protection {disabled | window window_size}

default replay protection {disabled | window window_size}

Parameters

protection Specifies the action to be taken when packets received are not in order, based on their packet numbers..
disabled Disables replay protection.
window Specifies the allowable window within which an out-of-order packet can be received.
- window_size The allowable value ranges from 0 tthrough 4294967295.

Example

The following commands configures a MACsec profile called TEST and a replay protection with a window size of 100 is configured on the switch.

switch(config)# mac security
switch(config-mac-security)# profile TEST
switch(config-mac-security-profile-TEST)# replay protection window 100

sci

The sci command add a Secure Channel Identifier (SCI) in data packets for MACsec on the switch. Each MACsec device has a Secure Channel (SC) used to send traffic to other device. Each channel has an 8-byte Secure Channel Identifier (SCI). The first 6 bytes match the MAC address of the device transmitting through that channel. The remaining 2 bytes are a Port Identifier used to distinguish between multiple channels from the same device. The command is configured under the MACsec profile configuration mode.

Command Mode

MACsec Profile

Command Syntax

sci

Example

The following commands place the switch on MACsec profile configuration mode and add a SCI for the MACsec profile called TEST.

switch(config)# mac security
switch(config-mac-security)# profile TEST
switch(config-mac-security-profile-TEST)# sci

secure channel (MACsec)

The secure channel command enters MAC Security Profile Static SAK Secure Channel configuration mode. In this mode, you can add Association Numbers (AN) and Secure Channel Identifiers (SCI) for the specified channel. The available channels are Rx (receive) and Tx (transmit).

Command Mode

MAC Security Profile Static SAK Configuration Mode

Command Syntax

secure channel {Rx|Tx}

Parameters

Rx Enter the configuration mode for the Rx channel.
Tx Enter the configuration mode for the Tx channel.

Available Commands

an
identifier

Example

These commands enter MAC Security Profile Static SAK Secure Channel configuration mode for the Tx channel.

switch(config)# mac security
switch(config-mac-security)# profile test
switch(config-mac-security-profile-test)# key source sak static
switch(config-mac-security-profile-test-sak-static)# secure channel tx
switch(config-mac-security-profile-test-sak-static-sc-tx)#

show dot1x supplicant

The show dot1x supplicant command displays the 802.1X supplicant status.

Command Mode

EXEC

Command Syntax

show dot1x supplicant

Example

The following example displays information about 802.1X supplicant status.

switcb# show dot1x supplicant 

Interface: Ethernet6/1
    Identity: arastra
    EAP method: fast
    Status: success
    Supplicant MAC: 44:4c:a8:34:bf:20
    Authenticator MAC: 00:1c:73:e0:d3:76

About the Output

Interface: The port on which the supplicant is running.
Identity: Configured supplicant identity.
EAP method: Configured EAP method (Currently just EAP-FAST).
Status: Supplicant Status. Can be one of the following:
- Success Authentication has been successful.
- Down Authentication sequence has not begun.
- Failed Authentication has failed.
- Connecting Authentication is in progress.
- Unused Supplicant is uninitialized.
Supplicant MAC: MAC address of the supplicant.
Authenticator MAC: MAC address of the authenticator (peer). Existing Mac Security show commands can be used to look at Mac Security status.

show mac security counters detail

The show mac security counters detail command to displays the detail information about the MACsec security counters.

Command Mode

EXEC

Command Syntax

show mac security counters detail

Example

The following example displays detail information about MACsec security counters.

switch# show mac security counters detail
Ethernet4/1/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    112
                  outOctetsEncrypted  11984
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          224
                  inPktsDecrypted     2
                  inOctetsDecrypted   214
                  inPktsUnchecked     0
                  inPktsOK            2
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          223
                  inPktsNoTag         8
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0

Ethernet4/3/1     Counter Name        Count
-------------------------------------------------------
                  outPktsEncrypted    2
                  outOctetsEncrypted  214
                  outPktsUntagged     0
                  outPktsTooLong      0
                  outPktCtrl          223
                  inPktsDecrypted     111
                  inOctetsDecrypted   11877
                  inPktsUnchecked     0
                  inPktsOK            111
                  inPktsNotValid      0
                  inPktsNotUsingSA    0
                  inPktsCtrl          224
                  inPktsNoTag         9
                  inPktsTagged        0
                  inPktsBadTag        0
                  inPktsNoSCI         0
                  inPktsLate          0

show mac security counters

The show mac security counters command to displays information about the MACsec security counters.

Command Mode

EXEC

Command Syntax

show mac security counters

Example

The following example displays information about MACsec security counters.

switch# show mac security counters
Port       InPktsDecrypted  InOctetsDecrypted  OutPktsEncrypted OutOctetsEncrypted
Et4/1/1                  2                214               109              11663
Et4/3/1                109              11663                 2                214

show mac security interface detail

The show mac security interface detail command displays the detail information about the MACsec on the interface.

Command Mode

EXEC

Command Syntax

show mac security interface detail

Example

The following example displays detail information about MACsec on the interface.

switch# show mac security interface detail
Interface: Ethernet4/1/1
    SCI: 28:99:3a:82:6f:82::605
    SSCI: 00000002
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

Interface: Ethernet4/3/1
    SCI: 28:99:3a:82:6f:85::613
    SSCI: 00000001
    Controlled port: True
    Key server priority: 16
    Session rekey period: 0
    Traffic: Protected
    Key in use: 9d5bc0d3076ea4a08b99b9d9:1
    Latest key: None
    Old key: 9d5bc0d3076ea4a08b99b9d9:1(RT)

About the Output

Interface: Name of the interface.
Secure Channel Identifier (SCI): Combination of MAC address and port number. Used to uniquely identify a Mac Security port.
Controlled Port: Indicates if Mac Security is enabled on the port. A value of True indicates that encryption is enabled on the port.
Key In Use: The SAK identifier currently in use. Combination of Key Servers message identifier (see below) and key number.
Key Server priority: Configured key server priority.
Session Rekey Period: Configured session rekey period.
Latest Key: Latest SAK being negotiated by Mac Security Key Agreement Protocol (MKA)
Old Key: The last SAK negotiated by Mac Security Key Agreement Protocol (MKA)

Note: Latest and Old key are MKA protocol specific terminology and are used to refer to the last two keys in use. For all practical purposes, Key In Use field is used to identify the current key.

show mac security interface

The show mac security interface command shows information aboutMACsec on the interface.

Command Mode

EXEC

Command Syntax

show mac security interface

Example

The following example displays information about MACsec on the interface.

switch# show mac security interface
Interface     SCI                     Controlled Port Key in Use
Ethernet4/1/1 28:99:3a:82:6f:82::605  True            9d5bc0d3076ea4a08b99b9d9:1
Ethernet4/3/1 28:99:3a:82:6f:85::613  True            9d5bc0d3076ea4a08b99b9d9:1
switch#

The following example displays the association numbers (ANs) of SAKs for both Rx and Tx on the interface Ethernet9/1. Actual SAK values are never displayed in show command output.

switch# show mac security interface
Interface       SCI                       Controlled Port      Key in Use
Ethernet9/1     01:02:03:04:05:06::1235   True                 static SAK: Rx AN: 0,1 Tx AN: 0
switch#

The following example displays MACsec information for a unidirectional link. On the Rx side, the SCI is shown as 00:00:00:00:00:00::0, and only the Rx AN is shown.

switch# show mac security interface
Interface       SCI                       Controlled Port      Key in Use
Ethernet9/1     00:00:00:00:00:00::0000   True                 static SAK: Rx AN: 0
switch#

The following example displays MACsec information on the Tx side of a unidirectional link. In this case, the configured SCI is shown, along with the Tx AN.

switch(config)# show mac security interface
Interface       SCI                       Controlled Port      Key in Use
Ethernet9/1     01:02:03:04:05:06::1235   True                 static SAK: Tx AN: 0

show mac security mka counters

The show mac security mka counters command to display information about the MACsec MKA counters.

Command Mode

EXEC

Command Syntax

show mac security mka counters

Example

The following example displays information about MACsec MKA counters.

switch# show mac security mka counters
Interface       Rx Success      Rx Failure      Tx Success      Tx Failure
Ethernet4/1/1   287             0               288             0
Ethernet4/3/1   288             0               287             00

show mac security participants detail

The show mac security participants detail command displays detail information about the MACsec participants.

Command Mode

EXEC

Command Syntax

show mac security participants detail

Example

The following example displays information about MACsec participants details.

switch# show mac security participants detail
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['c79ad8882c2dd3a8e838a691']
      Potential peer list: []

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['3dfd4486b5f68a81014a37ec']
      Potential peer list: []

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: True
      LLPN exhaustion: 0
      Distributed key identifier: 9d5bc0d3076ea4a08b99b9d9:1
      Live peer list: ['9d5bc0d3076ea4a08b99b9d9']
      Potential peer list: []

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True
      KeyServer SCI: 28:99:3a:82:6f:82::605
      SAK transmit: False
      LLPN exhaustion: 0
      Distributed key identifier: None
      Live peer list: ['4ef4cf009161bd551b5e7434']
      Potential peer list:

About the Output

Connectivity Association Key Name (CKN): Configured name of the key in use.
Message ID: A random 92 bit string used as an identifier for an MKA participant.
Elected Self: True if this participant is the elected key server.
Success: True if this participant is live and has at least one live peer.
Principal: True if this participant is the principal participant elected to distribute SAKs.
Default: True if this participant is a fallback/backup participant (spawned when a fallback key is configured in a Mac Security profile).
Key Server SCI: The SCI of the key server.
SAK Transmit: True if the participant is ready to use the negotiated key for transmit.
LLPN Exhaustion: Increments if the number of data packets sent using the current key exceeds a certain threshold. Because we use a 64 bit packet number cipher suite, this should never increment.
Distributed Key Identifier: Message ID + key number of the most recently generated SAK.

show mac security participants

The show mac security participants interface command displays information about the MACsec participants.

Command Mode

EXEC

Command Syntax

show mac security interface

Example

The following example displays information about MACsec participants.

switch# show mac security participants
Interface: Ethernet4/1/1
    CKN: abcd
      Message ID: 9d5bc0d3076ea4a08b99b9d9
      Elected self: True
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 4ef4cf009161bd551b5e7434
      Elected self: True
      Success: True
      Principal: False
      Default: True

Interface: Ethernet4/3/1
    CKN: abcd
      Message ID: c79ad8882c2dd3a8e838a691
      Elected self: False
      Success: True
      Principal: True
      Default: False

    CKN: dead
      Message ID: 3dfd4486b5f68a81014a37ec
      Elected self: False
      Success: True
      Principal: False
      Default: True

show mac security profile

The show mac security profile command displays information about the specified MACsec profile. If no profile is specified, information about all profiles is shown.

Command Mode

EXEC

Command Syntax

show mac security profile [profile_name]

Parameters

profile_name The MACsec profile to show information about.

Example

The following command shows information for the MACsec profile test.

switch# show mac security profile
Profile: test
    Cipher: aes256-gcm-xpn
    Primary CKN:
    Primary CAK SHA-256 hash:
    Fallback CKN:
    Fallback CAK SHA-256 hash:
    Source: cli
    Priority: 100
    SCI Inclusion: disabled
    Key retirement policy: delayed
    Unprotected traffic policy: allow active-sak
    MKA lifetime: 6 seconds
    MKA key server priority: 16
    Session rekey period: 0
    Bypassed protocols:
    Max AN value of SAK: 3
    Configured on:
switch#

show mac security sak

The show mac security sak command displays information about MACsec static secure association key (SAK) status for the specified Ethernet interface. If no interface is specified, all interfaces are shown. The following information is shown for each Ethernet interface.

The name of the Ethernet interface.
The installed SAK IDs.
The SAK profile name.
The total number of SAKs generated.
The number of SAKs generated due to a new live peer.
The number of SAKs generated due to a rekey timer.
The number of SAKs generated due to packet number exhaustion.
The SAK installation time in seconds in each direction.
The number of forced new Tx SAK installations.

Command Mode

EXEC

Command Syntax

show mac security sak [interface ethernet Ethernet_interface]

Parameters

interface ethernet Show SAK status information about the specified Ethernet interface. If this option is omitted, information for all Ethernet interfaces is shown.

Ethernet_interface The Ethernet interface to show SAK status for.

Example

The following command displays the MACsec SAK status for the Ethernet interface Ethernet9/1.

switch(config-mac-security-profile-test)# show mac security sak
Interface: Ethernet9/1
Installed SAK ID: static SAK: Rx AN: 0,1 Tx AN: 0
Installed SAK from: static-SA
Total SAK generated: 0
SAK generated due to new live peer: 0
SAK generated due to rekey timer: 0
SAK generated due to packet number exhaustion: 0
SAK installation time( in seconds ):
Direction    0-1   1-2   2-3    3+
---------- ----- ----- ----- -----
Rx             1     0     0     0
Tx             1     0     0     0

Maximum Rx installation time: 0.0884998080001 seconds
Maximum Tx installation time: 0.0884941590002 seconds
Forced new Tx SAK installation count: 0

show mac security status

The show mac security status command displays the MACsec status information on a switch.

Command Mode

EXEC

Command Syntax

show mac security status

Example

The following command displays the MACsec status information.

switch# show mac security status
Active Profiles:                1
Data Delay Protection:         No
FIPS Mode:                     No
Secured Interfaces:             2
License:                       Enabled

supplicant profile

The supplicant profile command configures the supplicant profile containing all the credentials necessary for 802.1X authentication to succeed.

Command Mode

dot1x Configuration

Command Syntax

supplicant profile profile_name options

Parameters

profile_name Name of the supplicant profile.
The following parameters can be included after entering the profile mode:
- eap-method Extensible Authentication Protocol (EAP) method. Option include:
  - fastEAP Flexible Authentication via Secure Tunneling (FAST).
- identity Extensible Authentication Protocol (EAP) user identity. Option include:
  - WORD User identity name.
- passphrase Extensible Authentication Protocol (EAP) password. Options include:
  - 0 Specifies that an UNENCRYPTED key will follow.
  - 7 Specifies that an HIDDEN key will follow.
  - LINE The UNENCRYPTED (clear-text) shared key.

Examples

The following commands place the switch in the supplicant profile mode.

Switch(config)# dot1x
Switch(config-dot1x)# supplicant profile test
Switch(config-dot1x-supp-profile-test)#

The following commands configures the EAP FAST method for the supplicant profile called test profile for MAC security on the switch.
```
Switch(config)# dot1x
Switch(config-dot1x)# supplicant profile test
Switch(config-dot1x-supp-profile-test)#eap-method fast
```

The following commands configures the Identity for the supplicant profile called test profile for MAC security on the switch.

Switch(config)# dot1x
Switch(config-dot1x)# supplicant profile test
Switch(config-dot1x-supp-profile-test)# identity New_User

The following commands configures the passphrase for the supplicant profile called test profile for MAC security on the switch.

Switch(config)# dot1x
Switch(config-dot1x)# supplicant profile test
Switch(config-dot1x-supp-profile-test)# passphrase 7 070E334D5D1D0B04

traffic unprotected allow

The traffic unprotected allow command configures the switch to allow the unprotected traffic whenever there is no successful MKA session established with the peer.

The no traffic unprotected allow command disable the MACsec Fallback to Unprotected Traffic function by removing the traffic unprotected allow command from running-config.

Command Mode

MACsec Profile

Command Syntax

traffic unprotected allow

no traffic unprotected allow

Example

The following commands configures the MACsec Fallback traffic unprotected allow feature on a switch for a MACsec profile called sample.

Switch(config)# mac security
Switch(config-mac-security)# profile sample
Switch(config-mac-security-profile-sample)# no traffic unprotected allow

Internet Protocol Security (IPsec)

This section describes Aristas IPsec implementation. Topics in this section include:

IPsec Introduction
IPsec Overview
Configuring IPsec
IPsec Commands

IPsec Introduction

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents periodically during the session and negotiation of cryptographic keys to be used during the session. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

IPsec is used to protect data traffic between sites for example between Branch, HQ and Data center sites in an enterprise.

IPsec uses the following protocols to perform various functions:

Authentication Headers (AH): provides the connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks.
Encapsulating Security Payloads (ESP): provides the confidentiality, data-origin authentication, connectionless integrity and an anti-replay service (a form of partial sequence integrity).
Internet Key Exchange (IKE): is a key management protocol which provides security for virtual private networks' (VPNs) negotiations and network access to random hosts. It is also described as a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.

IPsec Overview

Security Associations

Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2) and other mechanisms. In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.

Full bidirectional communication requires at least two SAs, one for each direction. SA is defined by the following parameters:

Security Algorithms (AH) or Encapsulating Security Payloads (ESP) and keys.
Mode: Tunnel or Transport.
Key Management Method: Manual or IKE.
Lifetime: Expressed in hours.

Mode of Operation

IPsec on Arista switches operates in tunnel mode. In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header.

Tunnel mode is used to create virtual private networks for network-to-network communications (for example, between routers to link sites). Tunnel mode is used for most network-to-network IPsec.

Key Management

Key management on Arista switches uses the Internet Key Exchange (IKE) method. Internet Key Exchange (IKE) supports automated generation and renegotiation of SAs (includes keys) between the devices at a configured interval so it is much more scalable and secure.

IPsec needs SAs to define the algorithms and keys to use for protecting traffic. IKE establishes the SA so IPsec can protect traffic.

There are two IKE versions, IKEv1 and IKEv2. IKEv2 builds on IKEv1 but both are still widely used today.

IKEv1

IKEv1 has two phases.

IKEv1 Phase 1
IKEv1 Phase 2

IKEv1 Phase 1

Uses main or aggressive mode exchange
Negotiates IKE SA
Used for control plane
Peer authentication

IKEv1 Phase 2

Uses quick mode exchange
Negotiates IPsec SAs

Note that there are two different SAs that are established. The IKE SA protects only the IKE key management session using the IKE policy defined. The policy should include the following parameters:

- Encryption algorithm
- Hash MAC (HMAC) algorithm
- Peer authentication procedure
- Diffie-Hellman group for initial key exchange
- SA lifetime

IKE initially performs a Diffie-Hellman (DH) exchange at the start of the IKE session. A Diffie-Hellman (DH) exchange allows participants to produce a shared secret value. The strength of the technique is that it allows participants to create the secret value over an unsecured medium without passing the secret value through the wire. From that exchange, peers get shared keying material, which is then used for IKE encryption and integrity functions. The strength of that keying material can be used for faster performance, by choosing lower key sizes for Diffie-Hellman exchanges. The key length (strength) of Diffie-Hellman exchanges can be changed with the use of different DH groups.

When an IKE session's lifetime expires, a new Diffie-Hellman exchange is performed between peers and the IKE SA is re-established.

The IPsec protection policy resulting in IPsec SAs, defines the protection of network traffic. These IPsec SAs are usually negotiated over IKE sessions. The parameters that define the IPsec protection policy are:

Encryption Algorithm
Hash MAC (HMAC) Algorithm

Note that the key material for IPsec SA (also called Child SA) is derived from keying material from IKEv1 phase 1.

There are two different modes for phase 1:

Main Mode
6 packet exchange
Full identity protection and better anti-DoS protection
Aggressive Mode
3 packet faster session establishment
Identities are exchanged in clear
Weak DoS protection

Authentication

Pre-Shared Keys (PSK): As the name suggests, a shared secret is distributed out-of-band to the peers. The peers use this information and nonce parameters to create a hash that is used to authenticate messages.
PKI Certificates: Here, certificates of the peers are exchanged and hashes are calculated over these certificates to authenticate each other.

IKEv2

IKEv2 differs from IKEv1 in the following ways:

Faster setup because of reduced number of messages.
More secure.
ESP is reused for all IKEv2 messages.
Suite-B support.
There is no aggressive mode, so IKEv2 always provides identity protection.
Additional authentication methods.
Local and remote can use different authentication methods and use different pre-shared keys.
Authentication is done unidirectionally in IKEv2.

Route-based VPN

A route-based VPN employs routed tunnel interfaces as the endpoints of the virtual network. All traffic passing through a tunnel interface is placed into the VPN. Rather than relying on an explicit policy to dictate which traffic enters the VPN, static and/or dynamic IP routes are formed to direct the desired traffic through the VPN tunnel interface.

Since route-based VPNs support dynamic routing information through VPN tunnels. EOS supports only route based VPN for dynamic routing support and for easier configuration and management.

In route-based VPN, features like NAT, ACL, QoS is applied to packets before they are encrypted by applying these features to tunnel interface and can be applied to encrypted packets to applying these features on the physical interface carrying the tunnel traffic.

Virtual Template Interface (VTI)

A new tunnel interface type vti is introduced to represent the VPN tunnel. This tunnel interface will participate in the routing and any packets forwarded to it will be encrypted and forwarded to the other end of the tunnel. Note, that this does not add a new header to the packet.

Configuring IPsec

Complete the following steps to configure IPsec tunnels over the switch.

This configuration will use the default IKE version 2 procedure.

Use ip security command to enter IP security mode.
```
switch(config)# ip security
```

To use IKE version 1, complete the following before completing the default IKE version the steps below.

switch(config)# ip security
switch(config-ipsec)# ike policy ike-peerRtr  
switch(config-ipsec-ike)# version 1

Create an IKE Policy to be used to communicate with the peer to establish IKE. You have the option of configuring multiple IKE policies.
The default IKE Policy values are:
- Encryption: AES256 / AES128
- Integrity: SHA256 / SHA128
- DH group: Group 14
- IKE lifetime: 8 hours
```
switch(config-ipsec)# ike policy ike-router  
switch(config-ipsec-ike)# encryption aes256  
switch(config-ipsec-ike)# integrity sha256  
switch(config-ipsec-ike)# dh-group 24  
switch(config-ipsec-ike)# version 2
```
If the router is behind a NAT, configure the local-id with the local public IP address. The public IP corresponds to the underlying interface over which the IKE communications are done with the peer.
```
switch(config-ipsec-ike)# local-id <public ip address>
```
Create an IPsec Security Association policy to be used in the data path for encryption and integrity. Use the option of enabling Perfect Forward Secrecy by configuring a DH group to the SA. In this example, AES256 is used for encryption, SHA 256 is used for integrity, and Perfect Forward Secrecy is enabled (the DH group is 14).
```
switch(config-ipsec)# sa policy sa-vrouter  
switch(config-ipsec-sa)# esp encryption aes256  
switch(config-ipsec-sa)# esp integrity sha256  
switch(config-ipsec-sa)# pfs dh-group 14  
switch(config-ipsec-sa)# sa lifetime 2  
switch(config-ipsec-sa)# exit
```

Bind or associate the IKE and SA policies together using an IPsec profile. Provide a shared-key, which must be common on both peers. The default profile assigns default values for all parameters that are not explicitly configured in the other profiles. In this example, the IKE Policy ike-peerRtr and SA Policy sa-peerRtr are applied to profile peer-Rtr. Dead Peer Detection is enabled and configured to delete the connection when the peer is down for more than 50 seconds. The peer peer-Rtr is set to be the responder.

switch(config-ipsec)# profile default  
switch(config-ipsec-profile)# ike-policy ikedefault  
switch(config-ipsec-profile)# sa-policy sadefault  
switch(config-ipsec-profile)# shared-key arista  
switch(config-ipsec-profile)# connection start  
switch(config-ipsec)# profile vrouter  
switch(config-ipsec-profile)# ike-policy ike-vrouter  
switch(config-ipsec-profile)# sa-policy sa-vrouter  
switch(config-ipsec-profile)# dpd 10 50 clear  
switch(config-ipsec-profile)# connection add

Configure the WAN interface to be the underlying interface for the tunnel. You must specify an L3 address for the tunnel. If you do not, the switch cannot route packets using the tunnel.
```
switch(config)# interface Et1  
switch(config-if-Et1)# no switchport  
switch(config-if-Et1)# ip address 1.0.0.1/24  
switch(config-if-Et1)# mtu 1500
```

Apply the IPsec profile to a new tunnel interface. You create the new tunnel interface as part of this step. You can configure the tunnel as a VTI IPsec tunnel. In this example, the new tunnel interface is Tunnel0. The new tunnel interface is configured to use IPsec. The other end of the tunnel also needs to be configured as a GRE-over-IPsec tunnel.

switch(config)# interface tunnel0  
switch(config-if-Tu0)# ip address 1.0.3.1/24  
switch(config-if-Tu0)# mtu 1394  
switch(config-if-Tu0)# tunnel source 1.0.0.1  
switch(config-if-Tu0)# tunnel destination 1.0.0.2  
switch(config-if-Tu0)# tunnel ipsec profile vrouter

Example Configuration

ip security
ike policy ikebranch1
integrity sha256
dh-group 15
!
sa policy sabranch1
sa lifetime 2
pfs dh-group 14
!
profile hq
mode tunnel
ike-policy ikebranch1
sa-policy sabranch1
connection add
shared-key keyAristaHq
dpd 10 50 clear
!
interface Tunnel1
mtu 1404
ip address 1.0.3.1/24
tunnel source 1.0.0.1
tunnel destination 1.0.0.2
tunnel ipsec profile hq
!
interface Ethernet1
no switchport
ip address 1.0.0.1/24
!

Displaying IPsec Information

Use the show ip security policy command to display the IPsec policy information.

switch# show ip security policy
Policy Name   Authentication   Encryption   Integrity    Lifetime  Rekey  DH Group         
ike-policy    Pre-shared       256-bit AES  256bit Hash  8 hours   False  3072 bit

Use the show ip security profile command to display the IP security profile information.

switch# show ip security profile 
Profile name      IKE Policy Name      SA                          
ipsec-profile     ike-policy           sa-policy

ike policy

The ike policy command configures the Internet Security Association and Key Mgmt Protocol on the switch and related policies. The IKE policy is configured in IP security configuration mode.

The no ike policy command deletes the IKE policy configuration from the switch.

The exit command returns the switch to the global configuration mode.

Command Mode

IP Security Configuration

Command Syntax

ike policy policy-name

no ike policy policy-name

Parameters

policy-name Specifies the IKE policy name.

The following parameters are allowed to configure when the switch is placed in IKE policy configuration mode:

authentication specifies the authentication type.
dh-group specifies Diffie-Hellman Group value.
encryption specifies the encryption type.
ike-lifetime sets the ikeLifetime for ISAKMP security association. Expressed in hours.
integrity specifies the Integrity algorithm.
local-id specifies the local IKE identification.
remote-id remote peer IKE identification.
version specifies the IKE version.

Example

This command configures the IKE policy test for IP security configuration.

switch(config)# ike policy test
switch(config-ipsec-ike)#

interface tunnel (IPsec)

The interface tunnel command places the switch in the interface tunnel configuration mode.

Interface tunnel configuration mode is not a group change mode; running-config is changed immediately after commands are executed.

The no interface tunnel command deletes the interface tunnel configuration.

The exit command returns the switch to the global configuration mode.

Command Mode

Global Configuration

Command Syntax

interface tunnel value

no interface tunnel value

Parameter

value Tunnel interface number. The value ranges from 0 to 255.

Example

This command places the switch in interface tunnel configuration mode with a tunnel value 10.

switch(config)# interface tunnel 10
switch(config-if-Tu10)#

ip security

The ip security command places the switch in the IP security configuration mode.

IP security configuration mode is not a group change mode; running-config is changed immediately after commands are executed.

The no ip security command deletes the IP security configuration.

The exit command returns the switch to the global configuration mode.

Command Mode

Global Configuration

Command Syntax

ip security

no ip security

Example

This command places the switch in IP security configuration mode.

switch(config)# ip security
switch(config-ipsec)# ike policy IKE1
switch(config-ipsec-IKE1)# exit
switch(config-ipsec)# sa policy SA1
switch(config-SA1)#

profile (IPsec)

The profile command configures the IP security profile on the switch. The profile is configured in IP security configuration mode.

The no profile command deletes the IP security profile configuration from the switch.

The exit command returns the switch to the global configuration mode.

Command Mode

IP Security Configuration

Command Syntax

profile profile-name

no profile profile-name

Parameter

profile-name Specifies the IP security profile name.

The following parameters can be configured in SA policy configuration mode:

connection IPsec Connection (Initiator/Responder/Dynamic).
dpd Dead Peer Detection.
flow sets the flow.
ike-policy ISAKMP policy.
mode IP security mode type.
sa-policy security association name.
shared-key specifies key value.

Example

This command configures the IP security profile test for IP security configuration.

switch(config)# profile test
switch(config-ipsec-profile)#

sa policy

The sa policy command specifies a Security Association (SA) policy to be used for IPsec configuration, and enters IP security SA policy configuration mode to configure the named policy.

The no sa policy command deletes the specified SA policy configuration from the switch.

The exit command returns the switch to the global configuration mode.

Note: Arista EOS 4.22.0F release supports two combinations of encapsulations only: "esp encryption aes128" with "esp integrity sha1" and "esp encryption aes256" with "esp integrity sha256".

Command Mode

IP Security Configuration

Command Syntax

sa policy policy_name

no sa policy policy_name

Parameter

policy_name Specifies the SA policy name.

The following parameters are configured in IP security SA policy configuration mode:

anti-replay IPsec duplicate IP datagram detection.
esp Encapsulation Security Payload.
pfs Perfect Forward Secrecy.
sa Security Association.

Example

This command applies the SA policy called test for IP security and enters IP security SA policy configuration mode for the test policy.

switch(config)# sa policy test
switch(config-ipsec-sa)#

show ip security applied-profile

Theshow ip security applied-profile command displays the IP security profile names and the interfaces on which they are applied.

Command Mode

EXEC

Command Syntax

show ip security applied-profile

Example

This command displays the IP security profile-1 and the interfaces on which it is applied.

switch# show ip sec applied-profile 
Profile Name                 Interface
ipsec-profile-1              Tunnel1,
                             Tunnel2,
                             Tunnel3,
                             Tunnel4,
                             Tunnel5,
                             Tunnel6,
                             Tunnel7,
                             Tunnel8,
                             Tunnel9,
                             Tunnel10,
                             Tunnel11,
                             Tunnel12,
                             Tunnel13,
                             Tunnel14,
                             Tunnel15,
                             Tunnel16,
                             Tunnel17,
                             Tunnel18,
                             Tunnel19,
                             Tunnel20,
                             Tunnel21,
                             Tunnel22,
                             Tunnel23,
                             Tunnel24,
                             Tunnel25,
                             Tunnel26,

show ip security connection

The show ip security connection command displays the IP security connection status information.

Command Mode

EXEC

Command Syntax

show ip security connection

Example

These commands display the IP security connection status information.

switch# show ip sec conn tunnel 1
Tunnel   Source     Dest     Status       Uptime     Input    Output        Rekey Time  
Tunnel1  11.1.1.1   11.2.1.1 Established  19 hours   0 bytes  0 bytes       4 hours      
                                                     0 pkts   62937679 pkts       

switch# show ip sec conn tunnel 1 detail
Tunnel1:
   source address 11.1.1.1, dest address 11.2.1.1
   state: Established
   uptime: 19 hours, 7 minutes, 23 seconds
   Inbound SPI 0xca5560f4:
      request id 193, mode tunnel replay-window 16384, seq 0x0
      stats errors:
         replay-window 0, replay 0, integrity_failed 0
      lifetime config:
         softlimit 4534352933249 bytes, hardlimit 6442450944000 bytes
         softlimit 2077499095 pkts, hardlimit 4000000000 pkts
         expire add soft 85619 secs, hard 86400 secs
      lifetime current:
         0 bytes, 0 pkts
         add time Mon May 13 17:33:54 2019, use time Mon May 13 17:33:54 2019
   Outbound SPI 0xc60da749:
      request id 193, mode tunnel replay-window 16384, seq 0x0
      stats errors:
         replay-window 0, replay 0, integrity_failed 0
      lifetime config:
         softlimit 3286021368749 bytes, hardlimit 6442450944000 bytes
         softlimit 2480571031 pkts, hardlimit 4000000000 pkts
         expire add soft 85418 secs, hard 86400 secs
      lifetime current:
         0 bytes, 62937679 pkts
         add time Mon May 13 17:33:54 2019, use time Mon May 13 18:06:42 2019

show ip security policy

The show ip security policy command displays the IP security policy information.

Command Mode

EXEC

Command Syntax

show ip security policy

Example

This command displays IP security policy configuration information.

switch# show ip security policy 
Policy Name   Authentication  Encryption   Integrity    Lifetime  Rekey  DH Group                    
ike-policy    Pre-shared      256-bit AES  256bit Hash  8 hours   False  3072 bit

show ip security profile

The show ip security profile command displays the IP security profile information.

Command Mode

EXEC

Command Syntax

show ip security profile

Example

This command displays IP security profile configuration information.

switch# show ip security profile 
Profile name            IKE Policy Name        SA                          
ipsec-profile           ike-policy             sa-policy

show ip security security-association

The show ip security security-association command displays the IP security SA information.

Command Mode

EXEC

Command Syntax

show ip security security-association

Example

This command displays the IP security SA information.

switch# show ip sec security-association 
SA Name      ESP Encryption   ESP Integrity    Lifetime  PFS Group                   
sa-policy-1  256-bit AES      256bit Hash      24 hours  2k bit

Macro-Segmentation Service (CVX)

Arista MSS is designed as a service in CloudVision that provides the point of integration between individual vendor firewalls or a firewall manager and the Arista network fabric. MSS provides flexibility on where to place the service devices and workloads. It is specifically aimed at Physical-to-Physical (P-to-P) and Physical-to-Virtual (P-to-V) workloads.

Topics in this section include:

Overview
How MSS Works
Configuration
MSS Integration with Check Point
MSS for Layer 3 Firewall Enhancements
MSS Commands

Overview

The advent of contemporary networking features such as mobile applications and the Internet of Things (IoT) bring in additional security challenges that are unprotected by legacy infrastructure. These security breaches cannot be handled by installing a firewall at the Internet edge. Arista Macro-Segmentation Service (MSS) addresses the security breach issue, besides securing access, protecting critical data and end-user privacy.

Arista MSS is designed as a service in CloudVision that provides the point of integration between a vendor firewall or a firewall manager and the Arista network fabric. MSS provides flexibility on where to place the service devices and workloads. It is specifically aimed at Physical-to-Physical (P-to-P) and Physical-to-Virtual (P-to-V) workloads.

MSS components include:

Arista leaf-spine switch fabric
Arista CloudVision
Vendor firewall attached to a spine or service leaf switches. Different vendor firewalls can be attached to different switches to enhance scalability.

The above component topology allows for consistency in application deployment, scale, manageability, and easier scalability of the network and service layers.

Benefits
Terminology
Usage Scenarios

Benefits

MSS provides the following key benefits:

Enhanced security between any physical and virtual workloads in the data center.
The automatic and seamless service insertion ability of MSS eliminates manual steering of traffic for a workload or a tenant.
Security policies are applied to the host and application throughout the network.
MSS is flexible since there are no proprietary frame formats, tagging, or encapsulation.

Terminology

The following terms related to MSS are used to describe the MSS feature:

Intercept Switch/VTEP: TOR switch and VXLAN tunnel end-point connected to host from which traffic is intercepted. In the topology diagram, Intercept-1 and Intercept-2 are intercept switches.
Service Switch/VTEP: TOR switch and VXLAN tunnel end-point connected to a firewall. In the topology diagram, Service-1 is the service switch.
VXLAN: Virtual eXtensible LAN - a standards-based method of encapsulating Layer 2 traffic across a Layer 3 fabric.
CVX: Arista CloudVision eXchange (CVX) is a part of CloudVision and is a virtualized instance of the same Extensible Operating System (EOS) that runs on physical switches. It functions as a point of integration between customer firewalls or firewall policy managers and the Arista network in order to steer traffic to the firewall.

Usage Scenarios

The following usage scenarios describe a few major security challenges in today’s data center that are successfully handled by MSS.

Securing server-to-server traffic.
This scenario provides information about the role of MSS in securing network traffic between physical-to-physical (P-to-P) and physical to virtual (P-to-V) servers. Prior to MSS, network infrastructure devices followed the firewall sandwich setup where firewalls were placed in line between the security zones. This setup would impact scalability and performance of the servers.

Using MSS, this restriction on firewall placement is reduced. Firewalls are now attached to a service leaf switch in the network fabric and they still protect hosts without concern about their physical location. The following topology demonstrates the usage scenario.

Figure 4. Securing server-server traffic
Monitoring and securing management traffic.
This usage scenario demonstrates how MSS successfully monitors and secures management interfaces in the data center.

The modern data center caters to managing the application, storage, virtualization, network, analytics and other layers. With virtualization, the hypervisor management also needs to be secured to prevent unwanted access to a hypervisor management interface. In the event of a rogue access, Aristas MSS protects management interfaces. The explicitly allowed hosts can gain access through a jump host or administrator end-user computing instances. The following topology diagram illustrates the role of MSS in a data center.

Figure 5. Monitoring and Securing management traffic

How MSS Works

The following steps provide information about how MSS works as a service in the data center.

MSS is enabled on the CloudVision eXchange (CVX) and the Arista switches are configured to stream their active state to CVX. This allows CVX to build a database of hosts and firewalls attached to the network and also to identify physical ports and IP addresses. CVX is also configured to communicate and synchronize policies from a vendor's firewall.
CVX sends a request to the firewall or firewall manager to provide information about the security policies which are tagged for MSS usage.
The MSS service on CVX determines the flow based forwarding rules to be pushed to the switches in the network.

Figure 6. CVX intercept
The leaf switch starts sending intercepted traffic to the service leaf when the intercept has been applied to the leaf switch.

Figure 7. Leaf switches intercept
Traffic is forwarded completely unmodified to the firewall after it enters the service leaf where the firewall is attached. Based on the configuration policy, the firewall applies the required actions such as inspection, log, allow, or deny.
The service leaf switch sends the inspected traffic to its final destination or to the destination based on the firewall policy.

Configuration

The following sections provide detailed information about MSS configuration, system requirements, recommendations, and limitations.

The traffic flow below is an example of a typical MSS deployment with a 3-tiered application. The goal of this design is to limit access between hosts in the following zones: web-untrust, app-untrust, db-untrust, web-trust, app-trust, and db-trust.

Figure 8. Traffic flow in an MSS deployment

End users in the untrust zone access the web server through the TCP/443 port. Traffic flows through the active firewall to the web server interface in the web-untrust security zone. The web server interface in the web-trust security zone accesses the application server interface in the app-untrust security zone through port TCP/80 after traversing the firewall. From there, the application server interface in the app-trust security zone accesses the database through TCP/1433 in the db-untrust zone.

The following physical topology indicates the MSS setup.

The hosts are attached to a pair of intercept leaf switches. A firewall is connected to a service leaf switch using a pair of physical interfaces with a subinterface per zone or vWire.

System Requirements
Recommendations and Limitations
Configuring MSS

System Requirements

The system requirements to effectively run MSS are listed below.

Arista CloudVision eXchange (CVX).
Arista 7280SR, 7280TR, 7280CR, 7020SR, 7020TR series switches; 7050X, 7050X2, 7060X, and 7060X2 series top of rack (TOR) switches.
Connected to the hosts to intercept traffic from the firewall devices.
The network must be a VXLAN-enabled fabric with CVX running the VXLAN Control Service (VCS) or EVPN.

Recommendations and Limitations

Firewall

The firewall policy name must not have any whitespace character in the name. As an example, PCI policy is an unacceptable policy name. An acceptable name would be PCI_policy.

Configuring MSS

These sections describe steps to configure MSS.

Deploying CVX
Enabling the VXLAN Control Service on CVX
Configuring the Access Switches and the Service Switch Ports
Enabling DirectFlow on Access Switches and Service Switches
Enabling VXLAN routing on the TOR switches
Configuring MSS on CVX
Configuring the Firewall

Deploying CVX

Deploy CloudVision and configure the Arista TOR switches to connect to it. A CVX cluster of three instances with host names of cvx01, cvx02, and cvx03 are configured as an example.

Note: As a best practice, always deploy the CV in a HA cluster with a minimum of three instances.

Enabling the VXLAN Control Service on CVX

Enable the VXLAN Control Service (VCS) on every CVX instance after the three Arista CVX instances have been deployed and the TOR switches are configured to be managed by them.

VCS allows hardware VXLAN Tunnel End Points (VTEPs) to share state with each other in order to establish VXLAN tunnels without the need for a multicast control plane.

Example

CVX instance cvx01

cvx01(config-cvx)# service VXLAN 
cvx01(config-cvx-VXLAN)# no shutdown

Similarly, VCS is enabled on the cvx02 and cvx03 devices.

Configuring the Access Switches and the Service Switch Ports

Configure the switch ports that are connected to the hosts, whose traffic should be steered to the firewalls and the service switch ports which are connected to the firewalls.

Access Switch Configuration

The switch ports connected to the hosts, whose traffic needs to be intercepted, need to be configured as 802.1q trunks with the VLAN that is mapped to the VNI requiring interception. Unique VLAN IDs are configured for each tier of the application.

Access Switch (Intercept-1)

intercept-1# configure
intercept-1(config)# interface et10
intercept-1(config-if-Et10)# description web server
intercept-1(config-if-Et10)# switchport mode trunk 
intercept-1(config-if-Et10)# switchport trunk allowed vlan 100

intercept-1(config)# interface et16
intercept-1(config-if-Et16)# description app server
intercept-1(config-if-Et16)# switchport mode trunk
intercept-1(config-if-Et16)# switchport trunk allowed vlan 200

Access Switch (Intercept-2)

intercept-2# configure
intercept-2(config)# interface et10
intercept-2(config-if-Et1)# description db server
intercept-2(config-if-Et1)# switchport mode trunk
intercept-2(config-if-Et1)# switchport trunk allowed vlan 300

Note: For untagged traffic, configure a native VLAN on the port using the switchport trunk native vlan command.

Service Switch (Service-1)

service-1# configure
service-1(config)# interface port-channel 10
service-1(config-if-Po10)# description Far Interface
service-1(config-if-Po10)# switchport mode trunk
service-1(config-if-Po10)# switchport trunk allowed vlan none
service-1(config-if-Po10)# spanning-tree bpdufilter enable

service-1(config)# interface port-channel 20
service-1(config-if-Po20)# description Near Interface
service-1(config-if-Po20)# switchport mode trunk
service-1(config-if-Po20)# switchport trunk allowed vlan none
service-1(config-if-Po20)# spanning-tree bpdufilter enable

Note: Dynamically mapped VLANs are not shown in the switch port configuration. You can view them by running the show vlan command on the switch once a policy is applied.

Enabling DirectFlow on Access Switches and Service Switches

Arista MSS uses DirectFlow to intercept traffic while the VXLAN is used to carry tunnel traffic from the intercepted host to the firewall and back. DirectFlow should be enabled on every intercept switch as well as the service switches.

Switch Service-1

service-1# configure
service-1(config)# directflow
service-1(config-directflow)# no shutdown

Switch Intercept-1

intercept-1# configure
intercept-1(config)# directflow
intercept-1(config-directflow)# no shutdown

Switch Intercept-2

intercept-2# configure
intercept-2(config)# directflow
intercept-2(config-directflow)# no shutdown

Enabling VXLAN routing on the TOR switches

CVX uses Address Resolution Protocol (ARP) to determine where intercept hosts are physically located in the network. VXLAN routing should be configured on every TOR switch that will be intercepting traffic to ensure that CVX is aware of every host ARP entry.

The following configuration shows the routing configuration for each tier of the application, but not the entire VXLAN configuration. For more information on how to configure VXLAN and VXLAN routing, refer to the VXLAN section of the Arista EOS Configuration Guide.

Switch Intercept-1

intercept-1# configure
intercept-1(config)# ip routing
intercept-1(cofig)# interface vlan100
intercept-1(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-1(config)# interface vlan200
intercept-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-1(config)# interface vlan300
intercept-1(config-if-Vl300)# ip address virtual 10.0.30.254/24

Switch Intercept-2

intercept-2# configure 
intercept-2(config)# ip routing 
intercept-2(cofig)# interface vlan100
intercept-2(config-if-Vl100)# ip address virtual 10.0.10.254/24
intercept-2(config)# interface vlan200
intercept-2(config-if-Vl200)# ip address virtual 10.0.20.254/24
intercept-2(config)# interface vlan300
intercept-2(config-if-Vl300)# ip address virtual 10.0.30.254/24

Switch Service-1

service-1# configure
service-1(config)# ip routing
service-1(cofig)# interface vlan100
service-1(config-if-Vl100)# ip address virtual 10.0.10.254/24 
service-1(config)# interface vlan200
service-1(config-if-Vl200)# ip address virtual 10.0.20.254/24
service-1(config)# interface vlan300
service-1(config-if-Vl300)# ip address virtual 10.0.30.254/24

Configuring MSS on CVX

This step enables configuring Arista MSS on CVX. The topology diagram depicts three CVX instances in a cluster and the configuration is the same for every instance. The active and standby vendor firewalls are configured. If Panorama is used, only Panorama should be configured.

Example

In the example, the primary vendor firewall has a DNS name of fw-ha-node-1. The standby firewall has a DNS name of fw-ha-node-2. The username and password are set as admin.

CVX instance cvx01

cvx01# configure
cvx01(config)# cvx
cvx01(config-cvx)# no shutdown
cvx01(config-cvx)# service mss
cvx01(config-cvx-mss)# no shutdown
cvx01(config-cvx-mss)# vni range 20000-30000
cvx01(config-cvx-mss)# dynamic device-set panfw1
cvx01(config-cvx-mss-panfw1)# tag Arista_MSS
cvx01(config-cvx-mss-panfw1)# type palo-alto firewall
cvx01(config-cvx-mss-panfw1)# state active
cvx01(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx01(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin

CVX instance cvx02

cvx02# configure
cvx02(config)# cvx 
cvx02(config-cvx)# no shutdown
cvx02(config-cvx)# service mss
cvx02(config-cvx-mss)# no shutdown
cvx02(config-cvx-mss)# vni range 20000-30000
cvx02(config-cvx-mss)# dynamic device-set panfw1
cvx02(config-cvx-mss-panfw1)# tag Arista_MSS
cvx02(config-cvx-mss-panfw1)# type palo-alto firewall
cvx02(config-cvx-mss-panfw1)# state active
cvx02(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx02(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin

CVX instance cvx03

cvx03# configure
cvx03(config)# cvx
cvx03(config-cvx)# no shutdown 
cvx03(config-cvx)# service mss 
cvx03(config-cvx-mss)# no shutdown
cvx03(config-cvx-mss)# vni range 20000-30000
cvx03(config-cvx-mss)# dynamic device-set panfw1
cvx03(config-cvx-mss-panfw1)# tag Arista_MSS
cvx03(config-cvx-mss-panfw1)# type palo-alto firewall
cvx03(config-cvx-mss-panfw1)# state active
cvx03(config-cvx-mss-panfw1)# device fw-ha-node-1
cvx03(config-cvx-mss-panfw1-fw-ha-node-1)# username admin password 0 admin

Configuring the Firewall

Three policies are created in addition to the default implicit deny policy for inter-zone traffic. The implicit deny ensures that the inter-zone traffic is not allowed unless a policy explicitly allows for it.

The first policy untrust_to_web1 is from the untrust zone to the web1 zone, that allows HTTPS traffic from anywhere to the web server web.

The third policy web2_to_app1 is from the web2 zone to the app1 zone that allows HTTP traffic between the web server web and the application server app.

The fifth policy app2_to_db1 is from the app2 zone to the db1 zone that allows database traffic on port TCP/1433 between the application server app and the database server db.

The second, fourth, and sixth policies prevent the firewall to drop a session for which does not see the initial connection to the protected resource. This could happen if the protected resource has not sent any traffic previous to this point.

Refer to the following images for more clarity about the above policies and interface configuration.

Figure 10. Firewall Policy configuration

Figure 11. Firewall Interface Configuration

Create a rule that Arista MSS will use to intercept and redirect traffic and add a firewall policy with the default Arista_MSS tag as shown in the example above. MSS intercepts all traffic from endpoints identified in policies that match the tag values configured in CVX. The firewall will apply all rules (tagged or untagged) to all traffic.

Note: LLDP should always be enabled on the firewall interfaces attached to the service switches. To minimize reconvergence time on the network changes, reduce the LLDP transmit interval and hold time multiples on the firewall, while keeping the LLDP hold time above the LLDP timer configured on the connected Arista switches.

Alternatively, the device interface map command can be used on CVX to manually map a device to Arista switch interfaces. To map multiple devices, add a mapping entry for each device.

dynamic device-set fw1
device dc-firewall-1
map device-interface ethernet1/1 switch 00:1c:73:7e:21:bb interface Ethernet1
map device-interface ethernet1/2 switch 00:1c:73:7e:21:bb interface Ethernet9

The first policy untrust_to_web1 is from the untrust zone to the web1 zone, that allows HTTPS traffic from anywhere to the web server web.

The third policy web2_to_app1 is from the web2 zone to the app1 zone that allows HTTP traffic between the web server web and the application server app.

The fifth policy app2_to_db1 is from the app2 zone to the db1 zone that allows database traffic on port TCP/1433 between the application server app and the database server db.

Refer to the following images for more clarity about the above policies and interface configuration.

Figure 12. Firewall Policy Configuration

Figure 13. Firewall Interface Configuration

Create a rule that Arista MSS will use to intercept and redirect traffic and add a firewall policy with the default Arista_MSS tag as shown in the example above. MSS intercepts all traffic from endpoints identified in policies that match the tag values configured in CVX. The firewall will apply all rules (tagged or untagged) to all traffic.

Alternatively, the device interface map command can be used on CVX to manually map a device to Arista switch interfaces. To map multiple devices, add a mapping entry for each device.

dynamic device-set fw1
device dc-firewall-1
map device-interface ethernet1/1 switch 00:1c:73:7e:21:bb interface Ethernet1
map device-interface ethernet1/2 switch 00:1c:73:7e:21:bb interface Ethernet9

MSS Integration with Check Point

Macro Segmentation Service (MSS) is configurable for Check Point Software Technologies (Check Point) Firewalls. The configuration and deployment requires the use of Check Point Management Server (Gaia), a security management platform which allows central management of Check Point gateway security devices.

Requirements

The following requirements apply to the deployment.

MSS version R80.30 version 1.5 and above and a special URL access on the Management Server using a Gateway API provided by Check Point.
Gateway version R80.30 with API version 1.2 and above.
Check Point Management Server release R31 and above.

Configuration and Deployment

The following components of the solution require configuration:

Check Point Gateway firewalls
Check Point Management Server
Arista leaf switches
CVX

Check Point Firewalls (Gateways)

Interface Configuration

Configure IPv4 addresses on the routed L3 interfaces on the firewall interfaces connected to the Arista TORs.

IPv4 Static Routes Configuration

Configure IPv4 static routes to include routes to all subnets of the hosts which MSS will be intercepting either using a WebUI or CLI as shown below. The nexthop gateway addresses are the gateway of the subnet to which the firewall interfaces. The static route information is used by MSS to identify which firewall interface is connected to the subnet to which the intercepted traffic needs to be forwarded.

set static-route 192.0.2.0/24 nexthop gateway address 192.0.2.155 on

The following displays the configuration.

gateway1>show route static
Codes: C - Connect ed, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

S               0.0.0.0/0           via 172.2.18.12, Mgmt, cost 0, age 3134690
S               10.6.10.0/24        via 10.6.100.2, eth1, cost 0, age 3134690
S               10.6.20.0/24        via 10.6.200.2, eth2, cost 0, age 3134690

Check Point Management Server Configuration

The Check Point firewall devices intended to be used with Arista MSS must be registered and fully manageable via a Check Point Management Server.

Identify or define a new security policy network layer to be considered by MSS where 'TestPolicy' is the security policy network layer that is referenced in the CVX configuration.
Create firewall access rules (to be used by Arista MSS).
In the access rule, the supported source and destination object types are Host, Network, and Security Zone.
In the “Services & Applications,” the following services are supported: 1: ICMP, IGMP, IPv4, TCP, EGP, UDP, IPv6, RSVP, GRE, OSPFIGP, SCTP.
Add tags in the policy comments/description field in this format: "tags( <tag1>, <tag2>, ... )", e.g. “tags( Arista_MSS1, Arista_MSS2 )”
- Arista MSS inspects management server access rules that have an embedded "tags( )" string in the comments field. Individual tags are extracted from within the enclosing parentheses and compared with the tags configured in the Arista MSS device-set on CVX.

1-to-1 HA Cluster Configuration

The following figure shows the 1-to-1 HA cluster. The HA interface pairs connected to the Arista switches should have Virtual IP addresses where the intercepted traffic will be forwarded. The active firewall sends out a GARP with its own MAC to indicate where traffic sent to the VIP should be forwarded.

Arista Leaf Switches Configuration

The following configures the switch interfaces connected to the firewall.

switchport trunk native vlan <interface vlan>
switchport mode trunk
spanning-tree portfast
spanning-tree bpdufilter enable

interface Vlan<interface vlan>
   ip address virtual <interface IPv4 address>/<mask>

CVX Configuration

The following displays the CVX configuration with Standalone Check Point firewall.

!! Standalone firewall
cvx
   no shutdown
   service mss
      no shutdown
      !
      dynamic device-set chkpt
         device <management-server-ip-or-dnsName>
            username admin password 7 PKigsm//o3IcnW5rqoZXWQ==
            protocol https 4434   (or the configured https port like 443)
            group <management-server-network-layer>
         !
         device member <checkpoint-device-name>
            map device-interface eth1 switch 00:1c:73:7e:28:11 interface Ethernet39
            map device-interface eth2 switch 00:1c:73:7e:28:11 interface Ethernet40
         type check-point management-server
         policy tag offload Arista_MSS_offload
         policy tag redirect Arista_MSS
         state active

The checkpoint-device-name used in the device member command is the name used in the Management Server to identify that firewall. A sample CVX configuration with Check Point firewalls in 1-to-1 High Availability cluster configuration will include more than one device member as follows:

!! HA Active/Passive firewall pair
cvx
   no shutdown
   service mss
      no shutdown
      !
      dynamic device-set chkpt
         device <management-server-ip-or-dnsName>
            username admin password 7 PKigsm//o3IcnW5rqoZXWQ==
            protocol https 4434   (or the configured https port like 443)
            group <management-server-network-layer>
         !
         device member <checkpoint-device1-name>
            map device-interface eth1 switch 00:1c:73:7e:28:11 interface Ethernet39
            map device-interface eth2 switch 00:1c:73:7e:28:11 interface Ethernet40
         device member <checkpoint-device2-name>
            map device-interface eth1 switch 00:1c:73:7e:28:11 interface Ethernet41
            map device-interface eth2 switch 00:1c:73:7e:28:11 interface Ethernet42
         type check-point management-server
         policy tag offload Arista_MSS_offload
         policy tag redirect Arista_MSS
         state active

MSS for Layer 3 Firewall Enhancements

The verbatim qualifier enhances the Macro Segmentation Service (MSS) with two policy actions: redirect and offload. For firewall policies tagged with the redirect tag, MSS extracts IP addresses from the policy and forwards all traffic destined to or generated from that set of IP addresses to the firewall. The additional verbatim tag, redirecting bidirectional traffic is restricted to the subset that matches the additional qualifiers of a firewall policy to a firewall (such as the source, destination IP addresses or subnets, protocol, L4 ports).

The verbatim tag can also be paired with the offload tag for a policy which installs necessary DirectFlow rules at the TORs to drop or allow the traffic matching the exact qualifiers in the policy definition. If the verbatim tag is not used with the offload tag, the behavior is to offload enforcement for all traffic matching the specific policy rule, while redirecting the remainder of the (non-matching) traffic to the firewall to ensure the security policy for the protected host remains in compliance. The addition of the verbatim tag removes this implicit redirection

Configuring for Verbatim Use

Firewall Configuration

The verbatim is a modifier of the original policy enforcement scheme and works with multiple firewalls such as those from Palo Alto Networks and Fortinet.

Policy Semantics

IP address extraction for redirect or redirect tag:

If IP addresses are specified in source or destination field, Mss extracts those for redirection.
If no IP addresses are specified, then Mss extracts the subnets corresponding to the source and destination zone for redirection.
If no zones are specified, then Mss extracts all subnets in the default virtual-router for redirection.

Constraints on offload tag policies:

Must have IP address specified in source or destination field if the corresponding zone is an external zone (zone towards default route).

Constraints on redirect verbatim tag policies:

Must have IP address specified in source or destination field if the corresponding zone is an external zone (zone towards default route).
Must have either zone or IP specified in both source and destination field. ‘Any’, ‘All’, or similar constructs are not supported for source or destination fields.

Policies with broadcast or multicast destination:

Only offload and offloadverbatim tags are supported for policies with IPv4 broadcast or IPv4 multicast destination.

CVX Configuration

The following configuration commands set 'tag-list' as the verbatim modifier on a per device basis for the redirect and offload tags.

cvx
   service mss
      dynamic device-set <device-set-name>
         device <device-name>
           [no | default] policy tag redirect <tag-list>
           [no | default] policy tag offload <tag-list>
           [no | default] policy tag modifier verbatim <tag-list>

TCAM Profile Configuration

The following depicts a recommended TCAM profile to be used with MSS.

Note: This is an example for some of the devices that are currently supported.

hardware tcam
   profile direct-flow-mssl3-VXLAN
      feature acl port ip
         sequence 50
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control ttl
         action count drop
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap
         packet ipv4 VXLAN forwarding bridged decap
      feature acl port ip egress mpls-tunnelled-match
         sequence 100
      feature acl port ipv6
         sequence 30
         key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-ops-3b l4-src-port 
         src-ipv6-high src-ipv6-low tcp-control
         action count drop
         packet ipv6 forwarding bridged
         packet ipv6 forwarding routed
         packet ipv6 forwarding routed multicast
         packet ipv6 ipv6 forwarding routed decap
      feature acl port mac
         sequence 60
         key size limit 160
         key field dst-mac ether-type src-mac
         action count drop
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN forwarding bridged decap
         packet ipv6 forwarding bridged
         packet ipv6 forwarding routed
         packet ipv6 forwarding routed decap
         packet ipv6 forwarding routed multicast
         packet ipv6 ipv6 forwarding routed decap
         packet mpls forwarding bridged decap
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
         packet non-ip forwarding bridged
      feature acl subintf ip
         sequence 45
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control ttl
         action count drop
         packet ipv4 forwarding routed
      feature acl subintf ipv6
         sequence 20
         key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop
         packet ipv6 forwarding routed
      feature acl vlan ip
         sequence 40
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control ttl
         action count drop
         packet ipv4 forwarding routed
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap
      feature acl vlan ipv6
         sequence 15
         key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop
         packet ipv6 forwarding routed
         packet ipv6 ipv6 forwarding routed decap
      feature acl vlan ipv6 egress
         sequence 25
key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-high src-ipv6-low 
tcp-control
         action count drop
         packet ipv6 forwarding routed
      feature flow
         key size limit 160
         key field dst-ip ether-type in-port ip-protocol l4-dst-port l4-src-port src-ip
         action drop redirect set-fwd-header
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
      feature forwarding-destination mpls
         sequence 105
      feature mpls
         sequence 5
         key size limit 160
         action drop redirect set-ecn
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature mpls pop ingress
         sequence 95
      feature pbr mpls
         sequence 70
         key size limit 160
         key field mpls-inner-ip-tos
         action count drop redirect
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature tunnel VXLAN
         sequence 55
         key size limit 160
         key field in-port VXLAN-inner-etype VXLAN-inner-ip-options VXLAN-inner-ip-ttl
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap
         packet ipv4 VXLAN forwarding bridged decap
      feature tunnel VXLAN routing
         sequence 10
         packet ipv4 forwarding routed
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN eth ipv6 forwarding routed decap

The following displays the profile. The platform does not support any arbitrarily created PMF profile. If the PMF profile cannot be programmed, the show command will print ‘ERROR’ in the status column.

switch# show hardware tcam profile
                     Configuration            Status
FixedSystem          direct-flow-mssl3-VXLAN  direct-flow-mssl3-VXLAN

Limitations

DirectFlow needs to be enabled at the TOR so that the policies enforced by MSS are correctly programmed.
Group option is available only for some switches.

Deployments with a mix of switches require special considerations. The following table summarizes supported configurations in different deployment models.

Table 1. Configuration Summary
Both compute and service TORs: DCS-7050X, DCS-7050X2, DCS-7050X3, DCS-7060X, DCS-7060X2	group, verbatim	redirect offload redirect, verbatim offload, verbatim
Both compute and service TORs: DCS-7020R, DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2	verbatim	redirect, verbatim offload, verbatim
Both compute and service TORs: DCS-7050X, DCS-7050X2, DCS-7050X3, DCS-7060X, DCS-7060X2, DCS-7020R, DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2	verbatim	redirect, verbatim offload, verbatim
DCS-7050X, DCS-7050X2, DCS-7050X3, DCS-7060X, DCS-7060X2 as compute TOR and other series as service TOR (with no intercepted hosts connected).	group, verbatim	redirect offload redirect, verbatim offload, verbatim

Backward Compatibility and Other Considerations

For existing deployments, (where any of DCS-7020R, DCS-7280R, DCS-7280R2, DCS-7500R, DCS-7500R2 switch platforms are used in the service rack), in order to upgrade hitlessly, upgrade the CVX cluster first and execute the following command prior to upgrading EOS on any switch:

cvx
   service mss
      policy enforcement rules group verbatim

The command [no|default] policy enforcement rules {group verbatim | verbatim} disables / enables policy enforcement.

Displaying CVX Status

The following displays the status of the mss policy.

switch#show service mss policy

<--snip-->

                Macro-Segmentation L3 Policy Table
-------------------------------------------------------------------------------
Source            Device      Policy        Offload      Redirect     Unconverged
                                            status       status       IPs
----------------  ---------   ----------    ----------   -----------  ----------
PaloAltoFirewall   fwpan1     policy1       N/A          Active      N/A
PaloAltoFirewall   fwpan1     policy2       Active       N/A         N/A
PaloAltoFirewall   fwpan1     policy3       Active       Active      0 of 2
PaloAltoFirewall   fwpan1     policy4       N/A          Active      0 of 2

The following displays the status of the mss policy in more detail.

switch#show service mss policy detail
-------------------------------------------------------------------
Source: PaloAltoFirewall
-------------------------------------------------------------------
  Device: fwpan1
   Policy (L3): policy1
      Offload Status: N/A
      Redirect Status: Active
      Tags: MSS_redirect, MSS_verbatim
      Policy Modifier: Verbatim
      VRF: default
   Policy (L3): policy2
      Offload Status: Active
      Redirect Status: N/A
      Tags: MSS_offload, MSS_verbatim
      Policy Modifier: Verbatim
      VRF: default
   Policy (L3): policy3
      Offload Status: Active
      Redirect Status: Active
      Tags: MSS_offload
      VRF: default
      IP Addresses:
        Active: 10.10.10.1
        Active: 10.10.20.1
   Policy (L3): policy4
      Offload Status: N/A
      Redirect Status: Active
      Tags: MSS_redirect
      VRF: default
      IP Addresses:
        Active: 10.10.10.1
        Active: 10.10.10.2

Displaying Flow Information Details on TOR Switch

switch#show directflow detail
Flow default:spm:fwpan1:30000::10.10.20.2/32::10.10.20.3/32::::nh-1.100.0.2:(Flow programmed)
  persistent: False
  priority: 30000
  priorityGroupType: default
  hard timeout: 0
  idle timeout: 0
  match:
    Ethernet type: IPv4
    source IPv4 address: 10.10.20.2/255.255.255.255
    destination IPv4 address: 10.10.20.3/255.255.255.255
    IPv4 protocol: TCP
    destination TCP/UDP port: 22
  actions:
    output nexthop: 1.10.100.2
  source: mssl3
  matched: 0 packets, 0 bytes

Flow default:spm:fwpan1:30000::10.10.20.3/32::10.10.20.2/32::::nh-1.100.0.2:(Flow programmed)
  persistent: False
  priority: 30000
  priorityGroupType: default
  hard timeout: 0
  idle timeout: 0
  match:
    Ethernet type: IPv4
    source IPv4 address: 10.10.20.3/255.255.255.255
    destination IPv4 address: 10.10.20.2/255.255.255.255
    IPv4 protocol: TCP
    source TCP/UDP port: 22
  actions:
    output nexthop: 1.10.100.2
  source: mssl3
  matched: 0 packets, 0 bytes
<--snip-->

MSS Commands

Configuration Commands

dynamic device-set
exception device
group
name-resolution interval (CVX-OpenStack)
service mss
state
tag
type palo-alto

CVX Show Commands

show service mss dynamic device-set
show service mss policy
show service mss status
show service mss zone

dynamic device-set

The dynamic device-set command configures a device such as a firewall to communicate with the MSS in the MSS configuration mode.

The no dynamic device-set command removes a previously configured device from the MSS configuration and returns to the CVX mode.

Command Mode

MSS Configuration

Command Syntax

dynamic device-set device-set_name

no dynamic device-set device-set_name

Parameters

device-set_name a unique name for the device set.

Example

This example creates a set of firewalls with the name panfw1.

cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1  
cvx(config-cvx-mss-panfw1)#

Note: The vni range command configures a range of VXLAN Network Identifiers (VNI) that MSS uses to tunnel traffic to the firewall. If VNI range is not configured, the default VNIs in the range of 1 to 16777214 are used.

exception device

The exception device command bypasses or continues redirecting traffic to service device such as a firewall if the service device control-plane API is unreachable after initial policies have been processed.

The no exception device command.

Command Mode

MSS Configuration

Command Syntax

exception device unreachable [bypass | redirect]

no exception device unreachable [bypass | redirect]

default exception device unreachable bypass

Parameters

device: service device in the device set.
unreachable: service device control-plane API is unreachable.
bypass: bypass the service device.
redirect: continue redirecting traffic to the service device.

Example

This example redirects traffic to the service device.

cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set fw
cvx(config-cvx-mss-fw)#device firewall-dc7
cvx(config-cvx-mss-fw)#username admin password 7 PKigsmo3IcnW5rqoZXWQ
cvx(config-cvx-mss-fw)#state active
cvx(config-cvx-mss-fw)#type palo-alto firewall
cvx(config-cvx-mss-fw)#exception device unreachable redirect

group

The group command configures the Panorama device group name to be used with MSS.

The no group command removes the group from the MSS configuration when the Panorama firewall manager is used.

See the type palo-altocommand for more information about the firewall manager.

Command Mode

Device-set mode

Command Syntax

group group_name

no group group_name

Parameters

group_name the name of the group.

Example

This command configures the group name as mssDevices.

cvx(config)#cvx
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#dynamic device-set pano2
cvx(config-cvx-mss-pano2)#type palo-alto panorama
cvx(config-cvx-mss-pano2)#device myPanorama
cvx(config-cvx-mss-pano2-myPanorama)#group mssDevices

name-resolution interval (CVX-OpenStack)

The name-resolution interval command specifies the period between consecutive requests that the OpenStack controller sends to the Keystone service for VM and tenant name updates. Keystone is OpenStack's authentication and authorization service.

The default period is 21600 seconds (6 hours).

The name-resolution force (CVX-OpenStack) command performs an immediate update, as opposed to waiting for the periodic update.

Command Mode

CVX-OpenStack Configuration

Command Syntax

name-resolution interval period

Parameters

period: Keystone identity service polling interval (seconds).

Comment

service openstack places the switch in CVX-OpenStack configuration mode.

Example

These commands set the name resolution interval period at five hours.

switch(config)#cvx
switch(config-cvx)#service openstack
switch(config-cvx-openstack)#name-resolution interval 18000
switch(config-cvx-openstack)#

service mss

The service mss command enters the MSS configuration sub-mode.

The no service mss command exits the MSS configuration mode and returns to the CVX mode.

Command Mode

CVX Configuration

Command Syntax

service mss

no service mss

default service mss

Example

This example enables MSS on CVX and enters the MSS config mode.

Note: The no shutdown command enables MSS on the CloudVision eXchange (CVX).

cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown

show service mss dynamic device-set

The show service mss dynamic device-set command displays detailed information about a specific service device set. Information such as device group members, high availability, network, resource details are displayed.

Note: Interfaces from multiple switches can be placed in the same zone by the device.

Command Mode

EXEC

CVX Configuration

Command Syntax

Parameters

device_set_name defines the device set name.
device device name defines the service device properties such as the DNS hostname or IP address of the service device.
group members lists device-group members for an aggregation manager.
high-availability displays service device high availability information.
neighbors displays the service devices ethernet interface neighbor information.
network displays the service devices network interface information.
policies displays the list of policies read from service device that have the MSS tag.
resources displays the service devices system resource information.

Related Commands

show service mss status
show service mss policy

Examples

This command displays information about interfaces that are placed in a zone by the device1.

switch#show service mss zone
Source: static
------------------------------------------------
Device: device1

This command displays information about interfaces that are placed in a zone by the device1.

switch#show service mss zone
Source: static
----------------------------------------------
Device: device1
Zone: zone1
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet1/1
Allowed VLAN: 1000-1010
Port-Channel2/1:
Allowed VLAN: 1000-2000
Switch: 00:00:00:00:00:02
Hostname: switch2.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Zone: zone2
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Ethernet 20/1
Allowed VLAN: 1000-2000

show service mss policy

The show service mss policy command displays generic information about the configuration and operational state of the macro-segmentation service (MSS) policies on a device.

Command Mode

EXEC

CVX Configuration

Command Syntax

show service mss policy [[device device_name][name policy-name][source (static | plugin_name)]]

Parameters

device device name defines the service device name.
name policy-name the filter policy name.
source the source of the policy.
static the policy configured using the command line interface.
plugin_name the service device type.

Related Commands

show service mss status
show service mss zone

Example

This command displays information about the MSS policy policy1 enabled on the device.

cvx#show service mss policy name policy1
Source  Device    Policy  Config   Status 
------  --------  ------  -------  -------------  ------------- 
vendor  Firewall  pan100  policy1  Enabled        Initialized

The Config column indicates the configuration state of a policy. The different states are: Enabled, dry run, and disabled states.

The Status column indicates the operational state of a policy. The different status types are initialized, pending, initializing, active, reinitializing, dry-run Complete, and deactivating.

show service mss status

The show service mss status command displays the status of a macro-segmentation service (MSS) on the device.

Command Mode

EXEC

CVX Configuration

Command Syntax

show service mss status

Related Commands

show service mss policy
show service mss zone

Examples

This command displays the MSS status on the device as Enabled.

switch#show service mss status
State: Enabled
Service VNIs: 1500-1600,1800,1900-2000

This command displays the MSS status on the device as Disabled.

switch#show service mss status
State: Disabled
Service VNIs: 1-16777214

show service mss zone

The show service mss zone command displays information about the interfaces that are placed in a single zone by the service device. Along with the show service mss policy command, we can use this command to identify issues with the policy configuration.

Interfaces from multiple switches can be placed in the same zone by the device.

Command Mode

EXEC

CVX Configuration

Command Syntax

show service mss zone [[device device_name]|[name zone_name]|[source (static | dynamic_source)]]

Parameters

device device name defines the service device properties.
name policy-name the filter zone name.
source the source of the zone.
static the zone configured using the command line interface.
dynamic_source the service device type.

Related Commands

show service mss status
show service mss policy

Example

This command displays information about interfaces that are placed in a zone by the device1.

switch#show service mss zone
Source: static
---------------------------------------
Device: device1
Zone: zone1
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet1/1
Allowed VLAN: 1000-1010
Port-Channel2/1:
Allowed VLAN: 1000-2000
Switch: 00:00:00:00:00:02
Hostname: switch2.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Zone: zone2
Switch: 00:00:00:00:00:01
Hostname: switch1.arista.com
Interfaces:
Ethernet10/1
Allowed VLAN: 1000-1010
Ethernet 20/1
Allowed VLAN: 1000-2000

state

The state command configures device set as active or disabled or suspended state.

The no state command disables the previously configured state of the device set.

Command Mode

MSS Configuration

Command Syntax

state [active | shutdown | suspend]

no state

Parameters

active: the active state of the device set. Policy monitoring and network traffic redirection are enabled.
shutdown: the disabled state of the device set. Policy monitoring and network traffic redirection is stopped.
suspend: the suspended state of the device set. Policy monitoring is suspended but there is no change in the existing traffic redirection.

Example

This output example configures the device set state as active.

cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag Arista_MSS
cvx(config-cvx-mss-panfw1)#type palo-alto firewall
cvx(config-cvx-mss-panfw1)#state active

tag

The tag command specifies the tag or tags that MSS searches when it is reading the security policy from the firewall or firewall manager in the dynamic device-set configuration mode. You can specify more than one tag as well.

The no tag command removes the tag from the MSS configuration.

Note: The tag specified should always match with the firewall policy tags in the vendor firewall policy for the MSS to read the policy and set up the intercept.

Command Mode

MSS Configuration

Command Syntax

tag tag_name

no tag

default tag Arista_MSS

Parameters

tag_name: a unique name for the tag.

Examples

This command specifies the tag with the name Arista_MSS.

cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag Arista_MSS

This command specifies multiple tags with names mss1, mss2, and mss3.

cvx#configure
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#no shutdown
cvx(config-cvx-mss)#vni range 30000-40000
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#tag mss1 mss2 mss3

type palo-alto

The type palo-alto command configures the firewall type to be used in the MSS configuration.

The no type palo-alto command disables the firewall type from the MSS configuration.

Command Mode

MSS Configuration

Command Syntax

type palo-alto [firewall | panorama]

no type palo-alto

Parameters

firewall: the Palo Alto Networks firewall.
panorama: the Palo Alto Networks Panorama firewall manager.

Example

This command configures the Palo Alto Networks firewall type.

cvx#configure
cvx(config)#cvx
cvx(config-cvx)#service mss
cvx(config-cvx-mss)#dynamic device-set panfw1
cvx(config-cvx-mss-panfw1)#type palo-alto firewall

Quality of Service and Traffic Management

This chapter describes Arista’s Quality of Service (QoS) implementation and Traffic Management, including configuration instructions and command descriptions. Topics covered by this chapter include:

Quality of Service

This chapter describes Arista’s Quality of Service (QoS) implementation, including configuration instructions and command descriptions. Topics covered by this chapter include:

Quality of Service Conceptual Overview
QoS Configuration: Platform-Independent Features
QoS Configuration: Arad Platform Switches
QoS Configuration: Jericho Platform Switches
QoS Configuration: FM6000 Platform Switches
QoS Configuration: Petra Platform Switches
QoS Configuration: Trident and Tomahawk Platform Switches
QoS Configuration: Trident II and Helix Platform Switches
Support for Configuring Color Extended Communities
ACL based QoS Configuration
Configuring IPv6 Flow Label Matches for QoS
Differentiated MMU Discard Counters
txQueue Percentage-based Shaping
Quality of Service Configuration Commands
Chipset Mapping for QoS

Quality of Service Conceptual Overview

QoS processes apply to traffic that flows through Ethernet ports and control planes. These processes can modify data fields (CoS or DSCP) or assign data streams to traffic classes for prioritized handling. Transmission queues are configurable for individual Ethernet ports to shape traffic based on its traffic class. Many switches also support traffic policies that apply to data that is filtered by access control lists.

The following sections describe QoS features:

Identifying the Switch Platform
QoS Data Fields and Traffic Classes
Transmit Queues and Port Shaping
Explicit Congestion Notification (ECN)
ACL Policing
Quality of Service (QoS) Profiles

Identifying the Switch Platform

QoS configuration varies significantly by switch platform. A list of Arista switch model numbers and their corresponding switch platforms (chipsets) can be found in the Chipset Mapping for QoS.

On some switches, the platform can also be determined by entering platform ? in the CLI.

Example

This command shows that the example switch is running on the Trident platform.

switch(config)#platform ?
  trident  Trident chip
switch(config)#

QoS Data Fields and Traffic Classes

Quality of Service (QoS) defines a method of differentiating data streams to provide varying levels of service to the different streams.

Criteria determining a packet’s priority level include packet field contents and the port where data packets are received. QoS settings are translated into traffic classes, which are then used by switches to manage all traffic flows. Traffic flow management varies with each switch platform.

QoS Data Fields

Quality of service decisions are based on the contents of the following packet fields:

CoS (three bits): Class of service (CoS) is a 3-bit field in Ethernet frame headers using VLAN tagging. The field specifies a priority value between zero and seven. Class of service operates at Layer 2.
DSCP (six bits): Differentiated Service Code Point (DSCP) is a 6-bit field in the Type Of Service (TOS) field of IP packet headers.

Port Settings – Trust Mode and Traffic Class

Ethernet and port channel interfaces support three QoS trust modes:

CoS Trust: Ports use inbound packet CoS field contents to derive the traffic class.
DSCP Trust: Ports use inbound packets DSCP field contents to derive the traffic class.
Untrusted: Ports use their default values to derive the traffic class, ignoring packet contents.

The default mode setting is CoS trust for switched ports and DSCP trust for routed ports.

Ports are associated with default CoS, DSCP, and traffic class settings; defaults vary by platform.

These sections describe procedures for configuring port settings:

CoS and DSCP Port Settings – Arad Platform Switches
CoS and DSCP Port Settings – FM6000 Platform Switches
CoS and DSCP Port Settings – Petra Platform Switches
CoS and DSCP Port Settings – Trident and Tomahawk Platform Switches
CoS and DSCP Port Settings – Trident II and Helix Platform Switches

Rewriting CoS and DSCP

CoS Rewrite

Switches can rewrite the CoS field for outbound tagged packets. The new CoS value is configurable, and is derived from a data stream’s traffic class as specified by the traffic class-to-CoS rewrite map. CoS rewrite is disabled on all the traffic received on CoS trusted ports.

On Arad, Jericho, FM6000, Trident and Tomahawk, Trident II, and Helix platform switches, CoS rewrite can be enabled or disabled on DSCP trusted ports and untrusted ports.

CoS rewrite is globally enabled by default for packets received on untrusted ports and DSCP trusted ports if at least one port is explicitly configured in DSCP trust or untrusted mode.
CoS rewrite is globally disabled by default for packets received on untrusted ports and DSCP trusted ports if there are no ports explicitly configured in DSCP trust or untrusted mode.

On Petra platform switches, CoS rewrite is always enabled on DSCP trusted ports and untrusted ports.

DSCP Rewrite

Switches can rewrite the DSCP field for outbound IP packets. On FM6000, Trident and Tomahawk, Trident II, and Helix platform switches, DSCP rewrite is disabled by default on all ports and always disabled for traffic received on DSCP trusted ports. On Petra, Arad, and Jericho platform switches, DSCP rewrite is always disabled.

FM6000, Trident and Tomahawk, Trident II, and Helix platform switches provide a command that enables or disables DSCP rewrite for packets received on CoS trusted ports and untrusted ports. The new DSCP value is configurable, based on the data stream’s traffic class, as specified by the traffic class-to-DSCP rewrite map.

These sections describe procedures for rewriting CoS and DSCP fields:

CoS Rewrite – Arad Platform Switches
CoS and DSCP Rewrite – FM6000 Platform Switches
CoS Rewrite – Petra Platform Switches
CoS and DSCP Rewrite – Trident and Tomahawk Platform Switches
CoS and DSCP Rewrite – Trident II and Helix Platform Switches

Traffic Classes

Data stream distribution is based on their traffic classes. Data stream management varies by switch platform. Traffic classes are derived from these data stream, inbound port, and switch attributes:

CoS field contents.
DSCP field contents.
Inbound port trust setting.
CoS default setting (Arad, Jericho, FM6000, Trident and Tomahawk, Trident II, and Helix platform switches).
DSCP default setting (Arad, Jericho, FM6000, Trident and Tomahawk, and Trident II platform switches).
Traffic class default setting (Petra platform switches).

When a port is configured to derive a data stream’s traffic class from the CoS or DSCP value associated with the stream, the traffic class is determined from a conversion map.

A CoS-to-traffic class map derives a traffic class from a CoS value.
A DSCP-to-traffic class map derives a traffic class from a DSCP value.

Map entries are configurable through CLI commands. Default maps determine the traffic class value when CLI map entry commands are not configured. Default maps vary by switch platform.

These sections describe traffic class configuration procedures:

Traffic Class Derivations – Arad Platform Switches
Traffic Class Derivations – Jericho Platform Switches
Traffic Class Derivations – FM6000 Platform Switches
Traffic Class Derivations – Petra Platform Switches
Traffic Class Derivations – Trident and Tomahawk Platform Switches
Traffic Class Derivations – Trident II and Helix Platform Switches

Transmit Queues and Port Shaping

Transmit queues are logical partitions of an Ethernet port’s egress bandwidth. Data streams are assigned to queues based on their traffic class, then sent as scheduled by port and transmit settings. Support varies by switch platform. A queue’s label determines its priority: queues with the suffix 0 have the lowest priority.

Parameters that determine transmission schedules include:

Traffic class-to-transmit queue mapping determines the transmit queue for transmitting data streams based on traffic class. The set of available transmit maps vary by switch platforms:
- Arad, Jericho, FM6000, Trident II, and Helix platforms: one map for all unicast and multicast traffic.
- Trident and Tomahawk platform: one map for unicast traffic and one map for multicast traffic.
- Petra platform: one map for unicast traffic. Queue shaping is not available for multicast traffic.
Port shaping specifies a port’s maximum egress bandwidth.
Queue shaping specifies a transmit queue’s maximum egress bandwidth, and implementation varies by platform.
- Trident and Tomahawk platform: queue shaping is configurable separately for unicast and multicast queues.
- Trident II platform: queue shaping is configurable for transmit queues. Port shaping and queue shaping are supported only in store-and-forward switching mode.
- Petra platform: queue shaping is not available for multicast traffic.
- Helix platform: queue shaping is configurable for transmit queues.
- FM6000 platform: switches do not support simultaneous port shaping and queue shaping. Enabling port shaping on an FM6000 switch disables queue shaping, regardless of the previous configuration.
Guaranteed bandwidth guarantees the allocation of a specified bandwidth for a transmit queue. Guaranteed bandwidth is supported only on Trident II platforms.
Queue priority specifies the priority at which a transmit queue is serviced. The switch defines two queue priority types:
- Strict priority queues are serviced in the order of their priority rank - subject to each queue’s configured maximum bandwidth. Data is not handled for a queue until all queues with higher priority are emptied or their transmission limit is reached. These queues typically carry low latency real time traffic and require highest available priority.
- Round robin queues are serviced simultaneously subject to assigned bandwidth percentage and configured maximum bandwidth. All round robin queues have lower priority than strict priority queues. Round robin queues can be starved by strict priority queues.
Queue scheduling determines how packets from different transmit queues are serviced to be sent out on the port.
Queue bandwidth allocation specifies the time slice (percentage) assigned to a round robin queue, relative to all other round robin queues.

These sections describe transmit queue and port shaping configuration procedures:

Transmit Queues and Port Shaping – Arad Platform Switches
Transmit Queues and Port Shaping – Jericho Platform Switches
Transmit Queues and Port Shaping – FM6000 Platform Switches
Transmit Queues and Port Shaping – Petra Platform Switches
Transmit Queues and Port Shaping – Trident and Tomahawk Platform
Transmit Queues and Port Shaping – Trident II and Helix Platform Switches

Explicit Congestion Notification (ECN)

Explicit Congestion Notification (ECN) is an IP and TCP extension that facilitates end-to-end network congestion notification without dropping packets. ECN recognizes early congestion and sets flags that signal affected hosts. Trident and Tomahawk, Trident II, and Helix platform switches extend ECN support to non-TCP packets.

ECN usage requires that it is supported and enabled by both endpoints. Although only unicast flows are modified by ECN markers, the multicast, broadcast, and unmarked unicast flows can affect network congestion and influence the indication of unicast packet congestion.

ECN Conceptual Overview

The ECN field in the IP header (bits 6 and 7 in the IPv4 TOS or IPv6 traffic class octet) advertises ECN capabilities:

00: Router does not support ECN.
10: Router supports ECN.
01: Router supports ECN.
11: Congestion encountered.

Networks typically signal congestion by dropping packets. After an ECN-capable host negotiates ECN, it signals impending congestion by marking the IP header of packets encountering the congestion instead of dropping the packets. The recipient echoes the congestion indication back to the sender, which reduces its transmission rate as if it had detected a dropped packet.

Switches support ECN for unicast queues through Weighted Random Early Detection (WRED), an Active Queue Management (AQM) algorithm that extends Random Early Detection (RED) to define multiple thresholds for an individual queue. WRED determines congestion by comparing average queue size with queue thresholds. Average queue size depends on the previous average and current queue size:

average queue size = (old_avg * (1-2^(-weight))) + (current_queue_size * 2^(-weight))
where weight is the exponential weight factor used for averaging the queue size.
Packets are marked based on WRED as follows:

If average queue size is below the minimum threshold, packets are queued as in normal operation without ECN.
If average queue size is greater than the maximum threshold, packets are marked for congestion.
If average queue size is between minimum and maximum queue threshold, packets are either queued or marked. The proportion of packets that are marked increases linearly from 0% at the minimum threshold to 100% at the maximum threshold.

Treatment of packets marked as not ECN capable varies by platform.

These sections describe ECN configuration procedures:

ECN Configuration – Arad Platform Switches
ECN Configuration – Trident and Tomahawk Platform Switches

ACL Policing

ACL policing monitors the ingress data rates for a particular class of traffic and performs the action configured when the traffic exceeds the user configured value. Therefore, it allows the user to control ingress bandwidth based on packet classification. The incoming traffic is metered and marked by the policing, and based on the metering results the actions are performed.

ACL policing uses a token bucket shaping algorithm for packet transmission. Packets are eligible for transmission when token count is positive, and when token count is negative the next packet will have to wait until the token count turns positive again. The tokens are renewed at 96ns time interval (Tc). The tokens are collected in the policer bucket up to a max burst size of 16KB, and any traffic beyond this shape rate and burst size is buffered in the shared memory. The packets are dropped if there is a memory overflow.

Note: The policer bucket is refilled at a sweeper period of 0.333 millisecond. This is applicable for all the platforms.

For example, let us assume that shaping is not enabled, and the link is at 10 Gbps, that is 1.25 bytes/nsec. In such case a each refill cycle will add tokens worth 120 bytes. For a shape rate of 500 Mbps, each refill cycle will add 6 bytes. And for 64 byte worth of tokens we need around 11 refill cycles = 1us. A 64 byte packet coming immediately after a jumbo frame will have to wait longer compared to a jumbo frame coming after 64 byte packet.

Token size depends on the interface speed, following the last example:

For 10 Gbps, each refill cycle will add tokens worth 120 bytes.
For 1 Gbps, each refill cycle will add tokens worth 12 bytes.

At lower shaping rates (less than 10 Mbps), granularity and rounding errors may alter the actual shaping rate by 20% from the specified rate, and the rounding errors are much less at higher speeds. For example, At 100 Mbps you will see 98.9Mbps configured in hardware. User can use the show qos interfaces command to verify the interface speed.

The policing uses three types of traffic metering and coloring mechanisms.

Single Rate Two Color Marker
Single Rate Three Color Marker
Two Rate Three Color Marker

Single Rate Two Color Marker

It meters the packet stream and marks packets based on committed burst size (bc) and excess burst size (be).

Single Rate Three Color Marker

It meters the packet stream and marks packets based on single rate committed information rate (cir), and committed burst size (bc) and excess burst size (be). The packets are marked in green if it does not exceed the set burst size, and marked in yellow if it does exceed the burst size but not the excess burst size, and marked red otherwise. The packets are marked in two color modes.

Color-blind Mode: In color-blind mode the incoming packet color is ignored.
Color-aware Mode: In color-aware mode it is assumed that incoming packet is colored by preceding entity. And, in color-aware mode, a packet never get better than it was. If the input color of the packet is green, it can be marked as green, yellow, or red. But if the input color is yellow, then it can be marked only yellow or red.

Two Rate Three Color Marker

It meters the packet stream and marks its packets based on two rates, peak information rate (pir) and committed information rate (cir), and associated burst sizes (bc and be).The packet is marked red if rate exceeds ‘pir’, and yellow if it exceeds ‘cir’ but not 'pir' and marked green if rate is lower than 'cir'. The two rate mode is configured by setting four parameters pir, cir, bc, and be.

The ACL policing is supported on platforms specified in the table below.

ACL Policing Support Matrix


Platform Supported	ACL Policing	ACL Policing on LAG Interface
Trident	Yes	Yes
Trident II	Yes	Yes
Trident+	Yes	Yes
FM6000	Yes	Yes
Arad	Yes	Only Per-Port
Jericho	Yes	Yes
Helix	Yes	Yes
XP	Yes	Yes
Trident 3	Yes	Yes
Tomahawk	Yes	Yes
Tomahawk 2	Yes	Yes
Tofino	No	No

Configuring ACL Policing

The policer is applied to the class inside the policy map. Policy maps can contain one or more policy map classes, each with different match criteria and policers. The following is the default behavior on conditions and available policing actions:

Police command creates a per-interface policer. If you attach per-interface policers to multiple ingress ports, each one polices the matched traffic on each ingress port separately. Per interface statistics gathered for conformed/allowed traffic and exceeded/dropped traffic.
When there is no policer configured within a class, all traffic is transmitted without any policing. If there are any actions configured, the configured actions are applied.
- conform-action (green): transmit (default).
- exceed-action (yellow): drop (default).
- violate-action (red): drop (default).
The policer bucket is refilled at a sweeper period of 0.333 milliseconds, and the tokens in the policer bucket are renewed at 96ns time interval (Tc). This is applicable for all the platforms.

Steps to Configure ACL Policing

These commands set the CIR, burst size, and creates a class and applies the policing to the policy map:

Create a policy map.
Create a class-map.
Apply the policer to the policy map created.

Examples

These commands configure the ACL policing for a policy map.

switch#configure terminal
switch(config)#policy-map [type qos] policy-name
switch(config-pmap)#class { class-name }
switch(config-pmap-c)#[no] police cir cir [{bps|kbps|mbps}] bc 
committed-burst-size [{bytes|kbytes|mbytes}]

These commands configure ACL policing in single-rate, two-color mode.

switch(config)#class-map type qos match-any class1   
switch(config-cmap-class1)#match ip access-group acl1    
switch(config-cmap-class1)#exit    

switch(config)#policy-map type quality-of-service policy1    
switch(config-pmap)#class class1     
switch(config-pmap-c)#police cir 512000 bc 96000     
switch(config-pmap-c)#exit     
switch(config-pmap)#

Displaying ACL Policing Information

Examples

This command shows the contents of all policy maps on the switch.

switch(config)#show policy-map 
Service-policy p

 Class-map: c (match-any)
    Match: ip access-group name a
       police rate 1000 mbps burst-size 100 bytes
 Class-map: class-default (match-any)
Service-policy p
 Class-map: c (match-any)
    Match: ip access-group name a
       police rate 1000 mbps burst-size 100 bytes
 Class-map: class-default (match-any)

This command shows the interface-specific police counters for interface Ethernet 1.

switch(config)#show policy-map interface Ethernet 1 input counters
Service-policy input: policy1
Hardware programming status: Successful

Class-map: class1 (match-any) Match: ip access-group name acl1
Police cir 512000 bps bc 96000 bytes Conformed 4351 packets, 1857386 bytes
Conformed 2536 packets, 3384260 bytes

Class-map: class-default (match-any) matched packets: 0

This command shows the counters associated with the policy map called p1.

switch(config)#show policy-map type qos p1 input counters
Service-policy input: p1 Class-map: c1 (match-any)
Match: ip access-group name a1
Police cir 512000 bps bc 96000 bytes Interface: Ethernet1
Conformed 4351 packets, 1857386 bytes
Exceeded 2536 packets, 3384260 bytes
Interface: Ethernet2
Conformed 2351 packets, 957386 bytes
Exceeded 1536 packets, 1384260 bytes
Class-map: class-default (match-any)
Matched packets : 3229

This command shows the QoS policy map for interface Ethernet 1.

switch(config)#show policy-map interface Ethernet 1 input type qos
Interface: Ethernet 1 Service-policy input: policy1
Hardware programming status: Successful Class-map: class1 (match-any)
Match: ip access-group name acl1
Police cir 512000 bps bc 9000 bytes
Class-map: class2 (match-any)
Match: ip access-group name acl2 set dscp 2
Class-map: class3 (match-any) Match: ip access-group name acl3
Police cir 1280000 bps bc 9000 bytes
Class-map: class-default (match-any)

Quality of Service (QoS) Profiles

QoS profiles are sets of QoS configuration instructions defined and applied at the interface level. A QoS profile serves the traffic better by reducing disorder in the running configuration. QoS profiles can modify all interface-level QoS configurations, and are supported on fabric, Ethernet, and port-channel interfaces. Control-plane policies cannot be applied using QoS profiles. Because configuration can be applied through QoS profiles or directly at the interface level, multiple configurations can be applied to the same interface. In such cases, QoS configurations with non-default values, whether configured through the CLI at the interface level or through a QoS profile, are given priority. In the case of multiple non-default values being configured, the interface-level CLI configuration is given priority.

Policy maps incorporating traffic resolution commands can also be applied by a QoS profile. If two policy maps are applied to the same interface (one through a QoS profile and another directly to the CLI).

Policy maps cannot be used on fabric interfaces. If a QoS profile which includes a policy map is applied to a fabric interface, a warning message will be displayed and the policy map will not be applied to the interface, but any additional supported configurations in the QoS profile will be applied. On SVIs and subinterfaces, QoS profiles are not supported, so policy maps must be applied directly through the CLI for these interfaces.

Note: For tx-queue configuration, conflicts between QoS profiles and configuration entered via the CLI are resolved at the tx-queue level and not at the tx-queue attribute level. If any non-default configuration has been entered for the tx-queue through the CLI, all tx-queue configuration included in the QoS profile is ignored.

IPv6 Flow Label Matches for QoS

Certain packets may include a flow label in their IPv6 headers when the source requests special handling by routers, such as for a media stream or other “real-time” service, among others. A flow consists of packets which share a single flow label, which is preserved throughout their passage from source to destination.

QoS policy map rules can match IPv6 traffic based on their flow labels. This requires a special TCAM profile (qos-match-ipv6-flow-label). These rules require either an exact match, using the “eq” operator, or both a label and a mask.

QoS Configuration: Platform-Independent Features

Creating QoS Profiles

QoS profiles are created by using the qos profile command. This also places the switch in QoS profile configuration mode, where the QoS parameters applied to interfaces are configured. To delete a QoS profile from the running configuration, use the no form of the command.

Example

This command creates a QoS profile named Test-Profile and places the switch in QoS profile configuration mode for the profile.

switch(config)# qos profile Test-Profile 
switch(config-qos-profile-Test-Profile)#

Configuring QoS Profiles

The parameters that a QoS profile applies to interfaces are configured in QoS profile configuration mode by issuing the same QoS configuration commands that are available in interface configuration mode. QoS profile configuration mode is a group change mode, and changes made in the mode are not saved until the mode is exited. To abandon all changes made while in the mode, use the abort command.

Example

These commands enter QoS profile configuration mode for a QoS profile named Test Profile, configure the CoS value and transmit queue, and save the changes to the profile.

switch(config)# qos profile Test-Profile
switch(config-qos-profile-Test-Profile)# qos cos 3
switch(config-qos-profile-Test-Profile)# priority-flow-control on
switch(config-qos-profile-Test-Profile)# exit
switch(config)#

These commands enter QoS profile configuration mode for a QoS profile named Latency, configure the maximum latency value for VOQ tail-drop threshold, and save the changes to the profile. The latency value can be specified to a maximum of 50 ms. Both milliseconds and microseconds may be used.

switch(config)# qos profile Latency
switch(config-qos-profile-Latency)# tx-queue 3
switch(config-qos-profile-Latency)# latency maximum <1-50000> microseconds
switch(config-qos-profile-Latency)# latency maximum <1-50> milliseconds
switch(config-qos-profile-Latency)# exit
switch(config)#

Attaching Policy-Map to a QoS Profile

The qos profile command places the switch in QoS profile configuration mode. The profile applies the QoS configurations to Ethernet and Port-Channel, and even to the Fabric interfaces, if it exists. A profile specifies the policy-map and other QoS supported configurations. The policy-map is then attached to the QoS profile using service-policy command.

Profiles are created in QoS-profile configuration mode, then applied to an interface in interface configuration mode.

Examples

This command places the switch in QoS profile configuration mode, the policy-map is then attached to the profile using service-policy command in this mode.
```
switch(config)# qos profile TP
switch(config-qos-profile-TP)#
```

This command applies the policy-map to the QoS profile.

switch(config-qos-profile-TP)# service-policy type qos input PM-1

Applying a QoS profile on an Interface

The service-profile command applies a QoS profile to the configuration mode interface.

Example

This command applies the QoS profile TP to interface ethernet 13.

switch(config)# interface ethernet 13
switch(config-if-Et13)# service-profile TP

Displaying the QoS Profile Information

The show qos profile command displays information about the QoS profiles configured and their parameters. To display the attribute of a specific profile, add the name of the profile. To display a list of configured QoS profiles and the interfaces on which they are configured, add the summary keyword.

Examples

This command displays the configured profiles and their configuration.

switch# show qos profile
qos profile p
 qos cos 1
no priority-flow-control pause watchdog
priority-flow-control priority 1 no-drop
priority-flow-control priority 2 no-drop
qos profile p2
qos cos 3
priority-flow-control priority 0 no-drop

This command displays the contents of a specific profile.

switch# show qos profile p2
qos profile p2
qos cos 3
priority-flow-control priority 0 no-drop

This command displays the interfaces on which each profile is applied.

switch# show qos profile summary
Qos Profile: p
Configured on: Et13,7
Fabric
Po12
Qos Profile: p2
Configured on: Et56

QoS Configuration: Arad Platform Switches

Implementing QoS on an Arad platform switch consists of configuring port trust settings, default port settings, default traffic classes, conversion maps, and transmit queues.

CoS and DSCP Port Settings – Arad Platform Switche
Traffic Class Derivations – Arad Platform Switches
CoS Rewrite – Arad Platform Switches
Transmit Queues and Port Shaping – Arad Platform Switches
ECN Configuration – Arad Platform Switches
ACL Policing – Arad Platform Switches

Note: QoS traffic policy is supported on Trident and Tomahawk, Trident II, FM6000, Arad, and Jericho.

CoS and DSCP Port Settings – Arad Platform Switches

Port Settings – Trust Mode and Traffic Class describes port trust and default port CoS and DSCP values.

Configuring Port Trust Settings

The qos trust command configures the QoS port trust mode for the configuration mode interface. Trust enabled ports use packet CoS or DSCP values to classify traffic. The port-trust default for switched ports is CoS. The port-trust default for routed ports is DSCP.

qos trust cos specifies CoS as the port’s port-trust mode.
qos trust dscp specifies DSCP as the port’s port-trust mode.
no qos trust specifies untrusted as the port’s port-trust mode.

The show qos interfaces trust command displays the trust mode of specified interfaces.

Example

These commands configure and display the following trust modes:

Ethernet 3/5/1: dscp
Ethernet 3/5/2: untrusted
Ethernet 3/5/3: cos
Ethernet 3/5/4: default as a switched port

Ethernet 3/6/1: default as a routed port

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# qos trust dscp
switch(config-if-Et3/5/1)# interface ethernet 3/5/2
switch(config-if-Et3/5/2)# no qos trust
switch(config-if-Et3/5/2)# interface ethernet 3/5/3
switch(config-if-Et3/5/3)# qos trust cos
switch(config-if-Et3/5/3)# interface ethernet 3/5/4
switch(config-if-Et3/5/4)# switchport
switch(config-if-Et3/5/4)# default qos trust
switch(config-if-Et3/5/4)# interface ethernet 3/6/1
switch(config-if-Et3/6/1)# no switchport
switch(config-if-Et3/6/1)# default qos trust
switch(config-if-Et3/6/1) #show qos interface ethernet 3/5/1 - 3/6/1 trust
Port                                       Trust Mode
                               Operational           Configured
---------------------------------------------------------------
Ethernet3/5/1                  DSCP                  DSCP
Ethernet3/5/2                  UNTRUSTED             UNTRUSTED
Ethernet3/5/3                  COS                   COS
Ethernet3/5/4                  COS                   DEFAULT
Ethernet3/6/1                  DSCP                  DEFAULT

switch(config-if-Et3/6/1)#

Configuring Default Port Settings

Default CoS and DSCP values are assigned to each Ethernet and port channel interface. These commands specify the configuration mode interface commands specify the port’s default CoS and DSCP values.

qos cos configures a port’s default CoS value.
qos dscp configures a port’s default DSCP value.

Example

These commands configure default CoS (4) and DSCP (44) values on Ethernet interface 3/6/2.


switch(config)# interface ethernet 3/6/2
switch(config-if-Et3/6/2)# qos cos 4
switch(config-if-Et3/6/2)# qos dscp 44
switch(config-if-Et3/6/2)# show active
interface Ethernet3/6/2
   qos cos 4
   qos dscp 44
switch(config-if-Et3/6/2)# show qos interfaces ethernet 3/6/2
Ethernet3/6/2:
   Trust Mode: COS
   Default COS: 4
   Default DSCP: 44

switch(config-if-Et3/6/2)#

Traffic Class Derivations – Arad Platform Switches

Traffic Classes describes traffic classes.

Traffic Class Derivation Source

The following table displays the source for deriving a data stream’s traffic class.

Table 1. Traffic Class Derivation Source: Arad Platform Switches
	Untrusted	CoS Trusted	DSCP Trusted
Untagged Non-IP	Default CoS (port)	Default CoS (port)	Default DSCP (port)
Untagged IP	Default CoS (port)	Default CoS (port)	DSCP (packet)
Tagged Non-IP	Default CoS (port)	CoS (packet)	Default DSCP (port)
Tagged IP	Default CoS (port)	CoS (packet)	DSCP (packet)

CoS and DSCP Port Settings – Arad Platform Switches describes the default CoS and DSCP settings for each port.

Mapping CoS to Traffic Class

The qos map cos command assigns a traffic class to a list of CoS values. Multiple commands create a complete CoS to traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s CoS field or the chip upon which it is received.

Example

This command assigns the traffic class of 5 to the classes of service 1, 3, 5, and 7.

switch(config)# qos map cos 1 3 5 7 to traffic-class 5
switch(config)# show qos maps
   Number of Traffic Classes supported: 8


   Cos-tc map:
     cos:  0  1  2  3  4  5  6  7
     ----------------------------
     tc:   1  5  2  5  4  5  6  5


switch(config)#

The following table displays the default CoS to Traffic Class map on Arad platform switches.

Table 2. Default CoS to Traffic Class Map: Arad Platform Switches
Inbound CoS	Untagged	0	1	2	3	4	5	6	7
Traffic Class	Derived: use default CoS as inbound	1	0	2	3	4	5	6	7

Mapping DSCP to Traffic Class

The qos map dscp command assigns a traffic class to a set of DSCP values. Multiple commands create a complete DSCP to traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s DSCP field or the chip upon which it is received.

Example

This command assigns the traffic class of 0 to DSCP values of 12, 24, 41, and 44-47.

switch(config)# qos map dscp 12 24 41 44 45 46 47 to traffic-class 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8

   Dscp-tc map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  0  0  0  0  2  2  2  2
      2 :     2  2  2  2  0  3  3  3  3  3
      3 :     3  3  4  4  4  4  4  4  4  4
      4 :     5  0  5  5  0  0  0  0  6  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7

switch(config)#

The following table displays the default DSCP to traffic class map on Arad platform switches.

Table 3. Default DSCP to Traffic Class Map: Arad Platform Switches
Inbound DSCP	0-7	8-15	16-23	24-31	32-39	40-47	48-55	56-63
Traffic Class	1	0	2	3	4	5	6	7

CoS Rewrite – Arad Platform Switches

Rewriting CoS and DSCP describes the CoS rewrite functions.

Traffic Class to CoS Rewrite Map

The CoS rewrite value is configurable and based on a data stream’s traffic class, as specified by the traffic class-CoS rewrite map. The qos map traffic-class to cos command assigns a CoS rewrite value to a list of traffic classes. Multiple commands create the complete traffic class–CoS rewrite map.

Example

This command assigns the CoS of two to traffic classes 1, 3, and 5.

switch(config)# qos map traffic-class 1 3 5 to cos 2
switch(config)# show qos map
   Number of Traffic Classes supported: 8

   Tc-cos map:
     tc:   0  1  2  3  4  5  6  7
     ----------------------------
     cos:  1  2  2  2  4  2  6  7

switch(config)#

The following table displays the default Traffic Class to CoS rewrite value map on Arad platform switches.

Table 4. Default Traffic Class to CoS Rewrite Value Map: Arad Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
CoS Rewrite Value	1	0	2	3	4	5	6	7

Traffic Class to DSCP Rewrite Map

DSCP rewrite is always disabled on Arad platform switches.

Transmit Queues and Port Shaping – Arad Platform Switches

Transmit Queues and Port Shaping describes transmit queues and port shaping.

Arad platform switches provide 16 physical queues for each egress port: eight unicast and eight multicast queues. Data is scheduled to the physical queues based on transmit queue assignments.

Multicast queue capacity that remains after multicast traffic is serviced is available for unicast traffic of a corresponding priority. Similarly, unicast queue capacity that remains after unicast traffic is serviced is available for overflow multicast traffic. Under conditions of unicast and multicast congestion, egress traffic is evenly split between unicast and multicast traffic.

A data stream’s traffic class determines the transmit queue it uses. The switch defines a single traffic class–transmit queue map for unicast and multicast traffic on all Ethernet and port channel interfaces. The show qos maps command displays the traffic class–transmit queue map.

The following tabledisplays the default traffic class to transmit queue map on Arad platform switches.

Table 5. Default Traffic Class to Transmit Queue Map: Arad Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
Transmit Queue	0	1	2	3	4	5	6	7

Transmit queue parameters are configured in tx-queue configuration command mode, which is entered from interface-ethernet configuration mode.

Mapping Traffic Classes to a Transmit Queue

The qos map traffic-class to tx-queue command assigns traffic classes to a transmit queue. Multiple commands complete the traffic class-transmit queue map. Traffic class 7 and transmit queue 7 are always mapped to each other. This association is not editable.

Example

These commands assign traffic classes of 1, 3, and 5 to transmit queue 1, traffic classes 2, 4, and 6 to transmit queue 2, and traffic class 0 to transmit queue 0, then display the resultant map.

switch(config)# qos map traffic-class 1 3 5 to tx-queue 1
switch(config)# qos map traffic-class 2 4 6 to tx-queue 2
switch(config)# qos map traffic-class 0 to tx-queue 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 8

   Tc - tx-queue map:
     tc:        0  1  2  3  4  5  6  7
     ---------------------------------
     tx-queue:  0  1  2  1  2  1  2  7

switch(config)#

Entering Tx-Queue Configuration Mode

The tx-queue (Arad/Jericho) command places the switch in tx-queue configuration mode to configure a transmit queue on the configuration mode interface. Tx-queue 7 is not configurable. The show qos interfaces displays the transmit queue configuration for a specified port.

Example

This command enters Tx-queue configuration mode for transmit queue 4 of interface Ethernet 3/3/3.

switch(config)# interface ethernet 3/3/3
switch(config-if-Et3/3/3)# tx-queue 4
switch(config-if-Et3/3/3-txq-4)#

Configuring the Shape Rate – Port and Transmit Queues

A port’s shape rate specifies its maximum outbound traffic bandwidth. A transmit queue’s shape rate specifies the queue’s maximum outbound bandwidth. Shape rate commands specify data rates in kbps.

To configure a port’s shape rate, enter shape rate (Interface – Arad/Jericho) from the port’s interface configuration mode.
To configure a transmit queue’s shape rate, enter shape rate (Tx-queue – Arad/Jericho) from the queue’s tx-queue configuration mode.

Examples

This command configures a port shape rate of 5 Gbps on interface Ethernet 3/5/1.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# shape rate 5000000
switch(config-if-Et3/5/1)# show qos interfaces ethernet 3/5/1 
Ethernet3/5/1:

   Port shaping rate: 5000012 / 5000000 kbps

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D

switch(config-if-Et3/5/1)#

These commands configure a shape rate of 1 Gbps on transmit queues 3 and 4 of interface Ethernet 3/4/1.

switch(config)# interface ethernet 3/4/1
switch(config-if-Et3/4/1)# tx-queue 4
switch(config-if-Et3/4/1-txq-4)# shape rate 1000000 kbps
switch(config-if-Et3/4/1-txq-4)# tx-queue 3
switch(config-if-Et3/4/1-txq-3)# shape rate 1000000 kbps
switch(config-if-Et3/4/1-txq-3)# show qos interface ethernet 3/4/1
Ethernet3/4/1:

   Port shaping rate: disabled

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -      999 / 1000 ( Mbps )   SP / SP    D
   3      - / -      999 / 1000 ( Mbps )   SP / SP    D
   2      - / -        - / -    (  -  )    SP / SP    D
   1      - / -        - / -    (  -  )    SP / SP    D
   0      - / -        - / -    (  -  )    SP / SP    D

switch(config-if-Et3/4/1-txq-3)#

Configuring Queue Priority

The priority (Arad/Jericho) command configures a transmit queue’s priority type:

The priority strict command configures the queue as a strict priority queue.
The no priority command configures the queue as a round robin queue.

A queue’s configuration as round robin also applies to all lower priority queues regardless of other configuration statements.

The bandwidth percent (Arad/Jericho) command configures a round robin queue’s bandwidth share. The cumulative operational bandwidth of all round robin queues is always less than or equal to 100%. If the cumulative configured bandwidth is greater than 100%, each port’s operational bandwidth is its configured bandwidth divided by the cumulative configured bandwidth.

Examples

These commands configure queues 0 through 3 (interface Ethernet 3/5/1) as round robin, then allocate bandwidth for three queues at 30% and one queue at 10%.

The no priority statement for queue 3 also configures queues 0, 1, and 2 as round robin queues. Removing this statement reverts the other queues to strict priority type unless running-config contains a no priority statement for one of these queues.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# tx-queue 3
switch(config-if-Et3/5/1-txq-3)# no priority
switch(config-if-Et3/5/1-txq-3)# bandwidth percent 10
switch(config-if-Et3/5/1-txq-3)# tx-queue 2
switch(config-if-Et3/5/1-txq-2)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-2)# tx-queue 1
switch(config-if-Et3/5/1-txq-1)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-1)# tx-queue 0
switch(config-if-Et3/5/1-txq-0)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-0)# show qos interfaces ethernet 3/5/1
Ethernet3/5/1:

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3     10 / 10       - / -    (  -  )    RR / RR    D
   2     30 / 30       - / -    (  -  )    RR / SP    D
   1     30 / 30       - / -    (  -  )    RR / SP    D
   0     30 / 30       - / -    (  -  )    RR / SP    D

switch(config-if-Et3/5/1-txq-0)#

Changing the bandwidth percentage for queue 3 to 30 changes the operational bandwidth of each queue to its configured bandwidth divided by 120% (10%+20%+30%+60%).

switch(config-if-Et3/5/1-txq-0)# tx-queue 3
switch(config-if-Et3/5/1-txq-3)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-3)# show qos interfaces ethernet 3/5/1
Ethernet3/5/1:

   Port shaping rate: disabled

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3     24 / 30       - / -    (  -  )    RR / RR    D
   2     24 / 30       - / -    (  -  )    RR / SP    D
   1     24 / 30       - / -    (  -  )    RR / SP    D
   0     24 / 30       - / -    (  -  )    RR / SP    D

Note: Values are displayed as Operational/Configured

switch(config-if-Et3/5/1-txq-3)#

ECN Configuration – Arad Platform Switches

Explicit Congestion Notification (ECN) describes Explicit Congestion Notification (ECN).

Although the switch does not limit the number of queues that can be configured for ECN, hardware table limitations restrict the number of queues that can simultaneously implement ECN.

The random-detect ecn (Arad/Jericho) command enables ECN marking for the configuration mode unicast transmit queue and specifies threshold queue sizes.

Example

These commands enable ECN marking of unicast packets from unicast transmit queue 4 of interface Ethernet 3/5/1, setting thresholds at 128 kbytes and 1280 kbytes.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# tx-queue 4
switch(config-if-Et3/5/1-txq-4)# random-detect ecn minimum-threshold 128 kbytes maximum-threshold 1280 kbyte 
switch(config-if-Et3/5/1-txq-4)# show active
interface Ethernet3/5/1
   tx-queue 4
      random-detect ecn minimum-threshold 128 kbytes maximum-threshold 1280 kbytes
switch(config-if-Et3/5/1-txq-4)#

ACL Policing – Arad Platform Switches

ACL Policing describes ACL policing.

Implementing ACL policing consists of configuring the following:

policy-map settings.
class-name.
committed information rate (CIR) the data speed committed to any given circuit regardless of the number of users.
burst size the maximum burst size in bytes the network commits to moving under normal conditions.

The default unit for the metering rate CIR is bits per second; the default unit for the burst size is bytes.

The policer is applied to the class inside the policy map. Policy maps can contain one or more policy map classes, each with different match criteria and policer.

Default behavior and available policing actions are as follows:

Policy map can be applied on multiple interfaces. Interfaces on the same chip will share the policer. (Applicable for Arad only.)
If there is no policer configured within a class, all traffic is transmitted without any policing.
If there are any actions configured, the configured actions are applied:
- Conform-action (green): transmit (default).
- Violate-action (red): drop (default).

Example

These commands configure ACL policing in single-rate, two-color mode.

switch(config)# class-map type qos match-any class1
switch(config-cmap-class1)# match ip access-group acl1
switch(config-cmap-class1)# exit
switch(config)# policy-map type quality-of-service policy1
switch(config-policy1)# class class1
switch(config-policy1-class1)# police cir 512000 bc 96000
switch(config-policy1-class1)# exit
switch(config-policy1)# exit
switch(config)#

Displaying ACL Policing Information

Examples

This command shows the contents of all policy maps on the switch.

switch(config)# show policy-map
Service-policy policy1

Class-map: class1 (match-any)
Match: ip access-group name acl1
Police cir 512000 bps bc 96000 bytes

Class-map: class-default (match-any)
switch(config)#

This command shows the interface-specific police counters for interface Ethernet 1.

switch(config)# show policy-map interface Ethernet 1 input counters
Service-policy input: policy1
Hardware programming status: Successful

Class-map: class1 (match-any) Match: ip access-group name acl1
Police cir 512000 bps bc 96000 bytes Conformed 4351 packets, 1857386 bytes
Conformed 2536 packets, 3384260 bytes

Class-map: class-default (match-any) matched packets: 0

switch(config)#

This command shows the counters associated with the policy map called p1.

switch(config)# show policy-map type qos p1 input counters
Service-policy input: p1 Class-map: c1 (match-any)
Match: ip access-group name a1
Police cir 512000 bps bc 96000 bytes Interface: Ethernet1
Conformed 4351 packets, 1857386 bytes
Exceeded 2536 packets, 3384260 bytes
Interface: Ethernet2
Conformed 2351 packets, 957386 bytes
Exceeded 1536 packets, 1384260 bytes
Class-map: class-default (match-any)
Matched packets : 3229

switch(config)#

This command shows the QoS policy map for interface Ethernet 1.

switch(config)# show policy-map interface Ethernet 1 input type qos
Interface: Ethernet 1 Service-policy input: policy1
Hardware programming status: Successful Class-map: class1 (match-any)
Match: ip access-group name acl1
Police cir 512000 bps bc 9000 bytes
Class-map: class2 (match-any)
Match: ip access-group name acl2 set dscp 2
Class-map: class3 (match-any) Match: ip access-group name acl3
Police cir 1280000 bps bc 9000 bytes
Class-map: class-default (match-any)

switch(config)#

QoS Configuration: Jericho Platform Switches

Implementing QoS on an Jericho platform switch consists of configuring port trust settings, default port settings, default traffic classes, conversion maps, and transmit queues.

CoS and DSCP Port Settings – Jericho Platform Switches
Traffic Class Derivations – Jericho Platform Switches
CoS Rewrite – Jericho Platform Switches
Transmit Queues and Port Shaping – Jericho Platform Switches
ACL Policing – Jericho Platform Switches
Note: QoS traffic policy is supported on Trident and Tomahawk, Trident II, FM6000, Arad. and Jericho.

CoS and DSCP Port Settings – Jericho Platform Switches

Port Settings – Trust Mode and Traffic Class describes port trust and default port CoS and DSCP values.

Configuring Port Trust Settings

The qos trust command configures the QoS port trust mode for the configuration mode interface. Trust enabled ports use packet CoS or DSCP values to classify traffic. The port-trust default for switched ports is CoS. The port-trust default for routed ports is DSCP.

qos trust cos specifies CoS as the port’s port-trust mode.
qos trust dscp specifies DSCP as the port’s port-trust mode.
no qos trust specifies untrusted as the port’s port-trust mode.

The show qos interfaces trust command displays the trust mode of specified interfaces.

Example

These commands configure and display the following trust modes:

Ethernet 3/5/2: untrusted.
Ethernet 3/5/3: cos.
Ethernet 3/5/4: default as a switched port.
Ethernet 3/6/1: default as a routed port.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# qos trust dscp
switch(config-if-Et3/5/1)# interface ethernet 3/5/2
switch(config-if-Et3/5/2)# no qos trust
switch(config-if-Et3/5/2)# interface ethernet 3/5/3
switch(config-if-Et3/5/3)# qos trust cos
switch(config-if-Et3/5/3)# interface ethernet 3/5/4
switch(config-if-Et3/5/4)# switchport
switch(config-if-Et3/5/4)# default qos trust
switch(config-if-Et3/5/4)# interface ethernet 3/6/1
switch(config-if-Et3/6/1)# no switchport
switch(config-if-Et3/6/1)# default qos trust
switch(config-if-Et3/6/1)# show qos interface ethernet 3/5/1 - 3/6/1 trust
Port                                       Trust Mode
                               Operational           Configured
---------------------------------------------------------------
Ethernet3/5/1                  DSCP                  DSCP
Ethernet3/5/2                  UNTRUSTED             UNTRUSTED
Ethernet3/5/3                  COS                   COS
Ethernet3/5/4                  COS                   DEFAULT
Ethernet3/6/1                  DSCP                  DEFAULT

switch(config-if-Et3/6/1)#

Configuring Default Port Settings

Default CoS and DSCP values are assigned to each Ethernet and port channel interface. These commands specify the configuration mode interface commands specify the port’s default CoS and DSCP values.

qos cos configures a port’s default CoS value.
qos dscp configures a port’s default DSCP value.

Example

These commands configure default CoS (4) and DSCP (44) values on interface Ethernet 3/6/2.

switch(config)# interface ethernet 3/6/2
switch(config-if-Et3/6/2)# qos cos 4
switch(config-if-Et3/6/2)# qos dscp 44
switch(config-if-Et3/6/2)# show active
interface Ethernet3/6/2
   qos cos 4
   qos dscp 44
switch(config-if-Et3/6/2)# show qos interfaces ethernet 3/6/2
Ethernet3/6/2:
   Trust Mode: COS
   Default COS: 4
   Default DSCP: 44

switch(config-if-Et3/6/2)#

Traffic Class Derivations – Jericho Platform Switches

Traffic Classes describes traffic classes.

Traffic Class Derivation Source

The following table displays the source for deriving a data stream’s traffic class on Jericho platform switches.

Table 6. Traffic Class Derivation Source: Jericho Platform Switches
	Untrusted	CoS Trusted	DSCP Trusted
Untagged Non-IP	Default CoS (port)	Default CoS (port)	Default DSCP (port)
Untagged IP	Default CoS (port)	Default CoS (port)	DSCP (packet)
Tagged Non-IP	Default CoS (port)	CoS (packet)	Default DSCP (port)
Tagged IP	Default CoS (port)	CoS (packet)	DSCP (packet)

CoS and DSCP Port Settings – Arad Platform Switches describes the default CoS and DSCP settings for each port.

Mapping CoS to Traffic Class

The qos map cos command assigns a traffic class to a list of CoS values. Multiple commands create a complete CoS to traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s CoS field or the chip upon which it is received.

ExampleThis command assigns the traffic class of 5 to the classes of service 1, 3, 5, and 7.

switch(config)# qos map cos 1 3 5 7 to traffic-class 5
switch(config)# show qos maps
   Number of Traffic Classes supported: 8

   Cos-tc map:
     cos:  0  1  2  3  4  5  6  7
     ----------------------------
     tc:   1  5  2  5  4  5  6  5

switch(config)#

The following table displays the default CoS to Traffic Class map on Jericho platform switches.

Table 7. Default CoS to Traffic Class Map: Jericho Platform Switches
Inbound CoS	Untagged	0	1	2	3	4	5	6	7
Traffic Class	Derived: use default CoS as inbound	1	0	2	3	4	5	6	7

Mapping DSCP to Traffic Class

The qos map dscp command assigns a traffic class to a set of DSCP values. Multiple commands create a complete DSCP to traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s DSCP field or the chip upon which it is received.

ExampleThis command assigns the traffic class of 0 to DSCP values of 12, 24, 41, and 44-47.

switch(config)# qos map dscp 12 24 41 44 45 46 47 to traffic-class 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8


   Dscp-tc map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  0  0  0  0  2  2  2  2
      2 :     2  2  2  2  0  3  3  3  3  3
      3 :     3  3  4  4  4  4  4  4  4  4
      4 :     5  0  5  5  0  0  0  0  6  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7


switch(config)#

The following table displays the default DSCP to traffic class map on Jericho platform switches.

Table 8. Default DSCP to Traffic Class Map: Jericho Platform Switches
Inbound DSCP	0-7	8-15	16-23	24-31	32-39	40-47	48-55	56-63
Traffic Class	1	0	2	3	4	5	6	7

CoS Rewrite – Jericho Platform Switches

Rewriting CoS and DSCP describes the CoS rewrite functions.

Traffic Class to CoS Rewrite Map

The CoS rewrite value is configurable and based on a data stream’s traffic class, as specified by the traffic class-CoS rewrite map. The qos map traffic-class to cos command assigns a CoS rewrite value to a list of traffic classes. Multiple commands create the complete traffic class–CoS rewrite map.

ExampleThis command assigns the CoS of two to traffic classes 1, 3, and 5.

switch(config)# qos map traffic-class 1 3 5 to cos 2
switch(config)# show qos map
   Number of Traffic Classes supported: 8

   Tc-cos map:
     tc:   0  1  2  3  4  5  6  7
     ----------------------------
     cos:  1  2  2  2  4  2  6  7

switch(config)#

The following table displays the default Traffic Class to CoS rewrite value map on Jericho platform switches.

Table 9. Default Traffic Class to CoS Rewrite Value Map: Jericho Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
CoS Rewrite Value	1	0	2	3	4	5	6	7

Traffic Class to DSCP Rewrite Map

DSCP rewrite is always disabled on Jericho platform switches.

Transmit Queues and Port Shaping – Jericho Platform Switches

Transmit Queues and Port Shaping describes transmit queues and port shaping.

Jericho platform switches provide 16 physical queues for each egress port: eight unicast and eight multicast queues. Data is scheduled to the physical queues based on transmit queue assignments.

A data stream’s traffic class determines the transmit queue it uses. The switch defines a single traffic class–transmit queue map for unicast and multicast traffic on all Ethernet and port channel interfaces. The show qos maps command displays the traffic class–transmit queue map.

The following table displays the default traffic class to transmit queue map on Jericho platform switches.

Table 10. Default Traffic Class to Transmit Queue Map: Jericho Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
Transmit Queue	0	1	2	3	4	5	6	7

Transmit queue parameters are configured in tx-queue configuration command mode, which is entered from interface-ethernet configuration mode.

Mapping Traffic Classes to a Transmit Queue

The qos map traffic-class to tx-queue command assigns traffic classes to a transmit queue. Multiple commands complete the traffic class-transmit queue map. Traffic class 7 and transmit queue 7 are always mapped to each other. This association is not editable.

ExampleThese commands assign traffic classes of 1, 3, and 5 to transmit queue 1, traffic classes 2, 4, and 6 to transmit queue 2, and traffic class 0 to transmit queue 0, then display the resultant map.

switch(config)# qos map traffic-class 1 3 5 to tx-queue 1
switch(config)# qos map traffic-class 2 4 6 to tx-queue 2
switch(config)# qos map traffic-class 0 to tx-queue 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 8


   Tc - tx-queue map:
     tc:        0  1  2  3  4  5  6  7
     ---------------------------------
     tx-queue:  0  1  2  1  2  1  2  7

switch(config)#

Entering Tx-Queue Configuration Mode

The tx-queue (Arad/Jericho) command places the switch in tx-queue configuration mode to configure a transmit queue on the configuration mode interface. Tx-queue 7 is not configurable. The show qos interfaces displays the transmit queue configuration for a specified port.

ExampleThis command enters Tx-queue configuration mode for transmit queue 4 of interface ethernet 3/3/3.

switch(config)# interface ethernet 3/3/3
switch(config-if-Et3/3/3)# tx-queue 4
switch(config-if-Et3/3/3-txq-4)#

Configuring the Shape Rate – Port and Transmit Queues

To configure a port’s shape rate, enter shape rate (Interface – Arad/Jericho) from the port’s interface configuration mode.
To configure a transmit queue’s shape rate, enter shape rate (Tx-queue – Arad/Jericho) from the queue’s tx-queue configuration mode.

Examples

This command configures a port shape rate of 5 Gbps on interface ethernet 3/5/1.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# shape rate 5000000
switch(config-if-Et3/5/1)# show qos interfaces ethernet 3/5/1
Ethernet3/5/1:

   Port shaping rate: 5000012 / 5000000 kbps

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D

switch(config-if-Et3/5/1)#

These commands configure a shape rate of 1 Gbps on transmit queues 3 and 4 on interface ethernet 3/4/1.

switch(config)# interface ethernet 3/4/1
switch(config-if-Et3/4/1)# tx-queue 4
switch(config-if-Et3/4/1-txq-4)# shape rate 1000000 kbps
switch(config-if-Et3/4/1-txq-4)# tx-queue 3
switch(config-if-Et3/4/1-txq-3)# shape rate 1000000 kbps
switch(config-if-Et3/4/1-txq-3)# show qos interface ethernet 3/4/1
Ethernet3/4/1:

   Port shaping rate: disabled

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -      999 / 1000 ( Mbps )   SP / SP    D
   3      - / -      999 / 1000 ( Mbps )   SP / SP    D
   2      - / -        - / -    (  -  )    SP / SP    D
   1      - / -        - / -    (  -  )    SP / SP    D
   0      - / -        - / -    (  -  )    SP / SP    D

switch(config-if-Et3/4/1-txq-3)#

Configuring Queue Priority

The priority (Arad/Jericho) command configures a transmit queue’s priority type:

The priority strict command configures the queue as a strict priority queue.
The no priority command configures the queue as a round robin queue.

A queue’s configuration as round robin also applies to all lower priority queues regardless of other configuration statements.

The bandwidth percent (Arad/Jericho) command configures a round robin queue’s bandwidth share. The cumulative operational bandwidth of all round robin queues is always less than or equal to 100%. If the cumulative configured bandwidth is greater than 100%, each port’s operational bandwidth is its configured bandwidth divided by the cumulative configured bandwidth.

Examples

These commands configure queues 0 through 3 (interface ethernet 3/5/1) as round robin, then allocate bandwidth for three queues at 30% and one queue at 10%.

The no priority statement for queue 3 also configures queues 0, 1, and 2 as round robin queues. Removing this statement reverts the other queues to strict priority type unless running-config contains a no priority statement for one of these queues.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# tx-queue 3
switch(config-if-Et3/5/1-txq-3)# no priority
switch(config-if-Et3/5/1-txq-3)# bandwidth percent 10
switch(config-if-Et3/5/1-txq-3)# tx-queue 2
switch(config-if-Et3/5/1-txq-2)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-2)# tx-queue 1
switch(config-if-Et3/5/1-txq-1)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-1)# tx-queue 0
switch(config-if-Et3/5/1-txq-0)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-0)# show qos interfaces ethernet 3/5/1
Ethernet3/5/1:

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3     10 / 10       - / -    (  -  )    RR / RR    D
   2     30 / 30       - / -    (  -  )    RR / SP    D
   1     30 / 30       - / -    (  -  )    RR / SP    D
   0     30 / 30       - / -    (  -  )    RR / SP    D

switch(config-if-Et3/5/1-txq-0)#

Changing the bandwidth percentage for queue 3 to 30 changes the operational bandwidth of each queue to its configured bandwidth divided by 120% (10%+20%+30%+60%).

switch(config-if-Et3/5/1-txq-0)# tx-queue 3
switch(config-if-Et3/5/1-txq-3)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-3)# show qos interfaces ethernet 3/5/1
Ethernet3/5/1:

   Port shaping rate: disabled

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3     24 / 30       - / -    (  -  )    RR / RR    D
   2     24 / 30       - / -    (  -  )    RR / SP    D
   1     24 / 30       - / -    (  -  )    RR / SP    D
   0     24 / 30       - / -    (  -  )    RR / SP    D

Note: Values are displayed as Operational/Configured

switch(config-if-Et3/5/1-txq-3)#

ACL Policing – Jericho Platform Switches

ACL Policing describes ACL policing.

Implementing ACL policing consists of configuring the following:

policy-map settings.
class-name.
committed information rate (CIR) the data speed committed to any given circuit regardless of the number of users.
burst size the maximum burst size in bytes the network commits to moving under normal conditions.

The default unit for the metering rate CIR is bits per second; the default unit for the burst size is bytes.

The policer is applied to the class inside the policy map. Policy maps can contain one or more policy map classes, each with different match criteria and policer.

Default behavior and available policing actions are as follows:

Policy map can be applied on multiple interfaces. Interfaces on the same chip will share the policer. (Applicable for Arad and Jericho only.)
If there is no policer configured within a class, all traffic is transmitted without any policing.
If there are any actions configured, the configured actions are applied:
- Conform-action (green): transmit (default).
- Violate-action (red): drop (default).

Example

These commands configure ACL policing in single-rate, two-color mode.

switch(config)# class-map type qos match-any class1
switch(config-cmap-class1)# match ip access-group acl1
switch(config-cmap-class1)# exit
switch(config)# policy-map type quality-of-service policy1
switch(config-policy1)# class class1
switch(config-policy1-class1)# police cir 512000 bc 96000
switch(config-policy1-class1)# exit
switch(config-policy1)# exit
switch(config)#

Displaying ACL Policing Information

Examples

This command shows the contents of all policy maps on the switch.

switch(config)# show policy-map
Service-policy policy1

Class-map: class1 (match-any)
Match: ip access-group name acl1
Police cir 512000 bps bc 96000 bytes

Class-map: class-default (match-any)
switch(config)#

This command shows the interface-specific police counters for interface ethernet 1.

switch(config)# show policy-map interface Ethernet 1 input counters
Service-policy input: policy1
Hardware programming status: Successful

Class-map: class1 (match-any) Match: ip access-group name acl1
Police cir 512000 bps bc 96000 bytes Conformed 4351 packets, 1857386 bytes
Conformed 2536 packets, 3384260 bytes

Class-map: class-default (match-any) matched packets: 0

switch(config)#

This command shows the counters associated with the policy map called p1.

switch(config)# show policy-map type qos p1 input counters
Service-policy input: p1 Class-map: c1 (match-any)
Match: ip access-group name a1
Police cir 512000 bps bc 96000 bytes Interface: Ethernet1
Conformed 4351 packets, 1857386 bytes
Exceeded 2536 packets, 3384260 bytes
Interface: Ethernet2
Conformed 2351 packets, 957386 bytes
Exceeded 1536 packets, 1384260 bytes
Class-map: class-default (match-any)
Matched packets : 3229

switch(config)#

This command shows the QoS policy map for interface ethernet 1.

switch(config)# show policy-map interface Ethernet 1 input type qos
Interface: Ethernet 1 Service-policy input: policy1
Hardware programming status: Successful Class-map: class1 (match-any)
Match: ip access-group name acl1
Police cir 512000 bps bc 9000 bytes
Class-map: class2 (match-any)
Match: ip access-group name acl2 set dscp 2
Class-map: class3 (match-any) Match: ip access-group name acl3
Police cir 1280000 bps bc 9000 bytes
Class-map: class-default (match-any)

switch(config)#

QoS Configuration: FM6000 Platform Switches

Implementing QoS on an FM6000 platform switch consists of configuring port trust settings, default port settings, default traffic classes, conversion maps, and transmit queues.

CoS and DSCP Port Settings – FM6000 Platform Switches
Traffic Class Derivations – FM6000 Platform Switches
CoS and DSCP Rewrite – FM6000 Platform Switches
Transmit Queues and Port Shaping – FM6000 Platform Switches

CoS and DSCP Port Settings – FM6000 Platform Switches

Port Settings – Trust Mode and Traffic Class describes port trust and default port CoS and DSCP values.

Configuring Port Trust Settings

The qos trust command configures the QoS port trust mode for the configuration mode interface. Trust enabled ports use packet CoS or DSCP values to classify traffic. The port-trust default for switched ports is cos. The port-trust default for routed ports is dscp.

qos trust cos specifies cos as the port’s port-trust mode.
qos trust dscp specifies dscp as the port’s port-trust mode.
no qos trust specifies untrusted as the port’s port-trust mode.

The show qos interfaces trust command displays the trust mode of specified interfaces.

Example

These commands configure and display the following trust modes:

Ethernet 15: dscp.
Ethernet 16: untrusted.
Ethernet 17: cos.
Ethernet 18: default as a switched port.

Ethernet 19: default as a routed port.

switch(config)# interface ethernet 15
switch(config-if-Et15)# qos trust dscp
switch(config-if-Et15)# interface ethernet 16
switch(config-if-Et16)# no qos trust
switch(config-if-Et16)# interface ethernet 17
switch(config-if-Et17)# qos trust cos
switch(config-if-Et17)# interface ethernet 18
switch(config-if-Et18)# switchport
switch(config-if-Et18)# default qos trust
switch(config-if-Et19)# interface ethernet 19
switch(config-if-Et19)# no switchport
switch(config-if-Et19)# default qos trust
switch(config-if-Et19)# show qos interface ethernet 15 - 19 trust
Port                                       Trust Mode
                               Operational           Configured
---------------------------------------------------------------
Ethernet15                     DSCP                  DSCP
Ethernet16                     UNTRUSTED             UNTRUSTED
Ethernet17                     COS                   COS
Ethernet18                     COS                   DEFAULT
Ethernet19                     DSCP                  DEFAULT

switch(config-if-Et19)#

Configuring Default Port Settings

Default CoS and DSCP settings are assigned to individual port channel and Ethernet interfaces. These configuration mode interface commands specify the port’s default CoS and DSCP values.

qos cos configures a port’s default CoS value.
qos dscp configures a port’s default DSCP value.

Example

These commands configure default CoS (4) and DSCP (44) settings on interface ethernet 19.

switch(config)# interface ethernet 19
switch(config-if-Et19)# qos cos 4
switch(config-if-Et19)# qos dscp 44
switch(config-if-Et19)# show active
interface Ethernet19
   qos cos 4
   qos dscp 44
switch(config-if-Et19)# show qos interfaces ethernet 19
Ethernet19:
   Trust Mode: COS
   Default COS: 4
   Default DSCP: 44

switch(config-if-Et19)#

Traffic Class Derivations – FM6000 Platform Switches

Traffic Classes describes traffic classes.

Traffic Class Derivation Source

The following table displays the source for deriving a data stream’s traffic class.

Table 11. Traffic Class Derivation Source: FM6000 Platform Switches
	Untrusted	CoS Trusted	DSCP Trusted
Untagged Non-IP	Default CoS (port)	Default CoS (port)	Default DSCP (port)
Untagged IP	Default CoS (port)	Default CoS (port)	DSCP (packet)
Tagged Non-IP	Default CoS (port)	CoS (packet)	Default DSCP (port)
Tagged IP	Default CoS (port)	CoS (packet)	DSCP (packet)

CoS and DSCP Port Settings – FM6000 Platform Switches describes the default CoS and DSCP settings for each port.

Mapping CoS to Traffic Class

The qos map cos command assigns a traffic class to a list of CoS settings. Multiple commands create a complete CoS to traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s CoS field or the port upon which it is received.

Example

This command assigns the traffic class of 5 to the classes of service 1, 3, 5, and 7.

switch(config)# qos map cos 1 3 5 7 to traffic-class 5
switch(config)# show qos maps
   Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 8


   Cos-tc map:
     cos:  0  1  2  3  4  5  6  7
     ----------------------------
     tc:   1  5  2  5  4  5  6  5


switch(config)#

The following table displays the default CoS to Traffic Class map on FM6000 platform switches.

Table 12. Default CoS to Traffic Class Map: FM6000 Platform Switches
Inbound CoS	Untagged	0	1	2	3	4	5	6	7
Traffic Class	Derived: use default CoS as inbound CoS	1	0	2	3	4	5	6	7

Mapping DSCP to Traffic Class

Example

This command assigns the traffic class of three to the DSCP values of 12, 13, 25, and 37.

switch(config)# qos map dscp 12 13 25 37 to traffic-class 3
switch(config)# show qos map
   Number of Traffic Classes supported: 8

   Dscp-tc map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  3  3  0  0  2  2  2  2
      2 :     2  2  2  2  3  3  3  3  3  3
      3 :     3  3  4  4  4  4  4  3  4  4
      4 :     5  5  5  5  5  5  5  5  6  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7

switch(config)#

The following displays the default DSCP to Traffic Class map on FM6000 platform switches.

Table 13. Default DSCP to Traffic Class Map: FM6000 Platform Switches
Inbound DSCP	0-7	8-15	16-23	24-31	32-39	40-47	48-55	56-63
Traffic Class	1	0	2	3	4	5	6	7

CoS and DSCP Rewrite – FM6000 Platform Switches

Rewriting CoS and DSCP describes the CoS and DSCP rewrite functions.

Traffic Class to CoS Rewrite Map

Example

This command assigns the CoS rewrite value of two to traffic classes 1, 3, and 5.

switch(config)# qos map traffic-class 1 3 5 to cos 2
switch(config)# show qos map
   Number of Traffic Classes supported: 8

   Tc - tx-queue map:
     tc:        0  1  2  3  4  5  6  7
     ---------------------------------
     tx-queue:  0  1  2  3  4  5  6  7

switch(config)#

The following table displays the default traffic class–CoS rewrite map on FM6000 platform switches.

Table 14. Default Traffic Class to CoS Rewrite Map: FM6000 Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
CoS Rewrite Value	1	0	2	3	4	5	6	7

Traffic Class to DSCP Rewrite Map

The DSCP rewrite value is configurable and based on a data stream’s traffic class, as specified by the traffic class-DSCP rewrite map. The qos map traffic-class to dscp command assigns a DSCP rewrite value to a list of traffic classes. Multiple commands create the complete traffic class-DSCP rewrite map.

Example

This command assigns the DSCP rewrite value of 37 to traffic classes 2, 4, and 6.

switch(config)# qos map traffic-class 2 4 6 to dscp 37
switch(config)# show qos map
   Number of Traffic Classes supported: 8

   Tc-dscp map:
     tc:    0  1  2  3  4  5  6  7
     -----------------------------
     dscp:  8  0 37 24 37 40 37 56

switch(config)#

The following table displays the default traffic class–DSCP rewrite map on on FM6000 platform switches.

Table 15. Default Traffic Class to DSCP Rewrite Map: FM6000 Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
DSCP Rewrite Value	8	0	16	24	32	40	48	56

Transmit Queues and Port Shaping – FM6000 Platform Switches

Transmit Queues and Port Shaping describes transmit queues and port shaping.

A data stream’s traffic class determines the transmit queue it uses. The switch defines a single traffic class-transmit queue map for all Ethernet and port channel interfaces and is used for unicast and multicast traffic. The show qos maps command displays the traffic class to transmit queue map.

The following table displays the default traffic class to transmit queue map on FM6000 platform switches.

Table 16. Default Traffic Class to Transmit Queue Map: FM6000 Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
Transmit Queue	0	1	2	3	4	5	6	7

Mapping Traffic Classes to a Transmit Queue

The qos map traffic-class to tx-queue command assigns traffic classes to a transmit queue. Multiple commands create the complete map.

Example

These commands assign traffic classes of 1, 3, and 5 to transmit queue 1, traffic classes 2, 4, and 6 to transmit queue 2, and traffic class 0 to transmit queue 0, then display the resultant map.

switch(config)# qos map traffic-class 1 3 5 to tx-queue 1
switch(config)# qos map traffic-class 2 4 6 to tx-queue 2
switch(config)# qos map traffic-class 0 to tx-queue 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 8


   Tc - tx-queue map:
     tc:        0  1  2  3  4  5  6  7
     ---------------------------------
     tx-queue:  0  1  2  1  2  1  2  7

switch(config)#

Entering TX-Queue Configuration Mode

Transmit queues are configurable on Ethernet ports and port channels. Queue parameters are configured in tx-queue configuration command mode, which is entered from interface ethernet configuration mode. The tx-queue (FM6000) command places the switch in tx-queue configuration mode. The show qos interfaces displays the transmit queue configuration for a specified port.

Example

This command enters tx-queue configuration mode for transmit queue 3 of interface Ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# tx-queue 3   
switch(config-if-Et5-txq-3)#

Configuring the Shape Rate – Port and Transmit Queues

Note: Enabling port shaping on an FM6000 interface disables queue shaping internally. Disabling port shaping restores queue shaping as specified in running-config.

To configure a port’s shape rate, enter shape rate (Interface – FM6000) from the port’s interface configuration mode.
To configure a transmit queue’s shape rate, enter shape rate (Tx-queue – FM6000) from the queue’s tx-queue configuration mode.

Example

These commands configure a shape rate of 5 Gbs on interface Ethernet 3, then configure the shape rate for the following transmit queues:

transmit queues 0, 1, and 2: 500 Mbps.

transmit queues 3, 4, and 5: 400 Mbps.

switch(config)# interface ethernet 3
switch(config-if-Et3)# shape rate 5000000
switch(config-if-Et3)# tx-queue 0
switch(config-if-Et3-txq-0)# shape rate 500000
switch(config-if-Et3-txq-0)# tx-queue 1
switch(config-if-Et3-txq-1)# shape rate 500000
switch(config-if-Et3-txq-1)# tx-queue 3
switch(config-if-Et3-txq-3)# shape rate 400000
switch(config-if-Et3-txq-3)# tx-queue 4
switch(config-if-Et3-txq-4)# shape rate 400000
switch(config-if-Et3-txq-4)# tx-queue 5
switch(config-if-Et3-txq-5)# shape rate 400000
switch(config-if-Et3-txq-5)# exit
switch(config-if-Et3)# show qos interface ethernet 3
Ethernet3:

   Port shaping rate: 5000000Kbps

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A       400000        strict
          4         N/A       400000        strict
          3         N/A       400000        strict
          2         N/A     disabled        strict
          1         N/A       500000        strict
          0         N/A       500000        strict

switch(config-if-Et3)#

Configuring Queue Priority

Queue priority rank is denoted by the queue number; transmit queues with higher numbers have higher priority. The priority (FM6000) command configures a transmit queue’s priority type:

priority strict configures the queue as a strict priority queue.
no priority configures the queue as a round robin queue.

A queue’s configuration as round robin also applies to all lower priority queues regardless of other configuration statements.

The bandwidth percent (FM6000) command configures a round robin queue’s bandwidth share. The cumulative operational bandwidth of all round robin queues is always less than or equal to 100%. If the cumulative configured bandwidth is greater than 100%, each port’s operational bandwidth is its configured bandwidth divided by the cumulative configured bandwidth.

Examples

These commands configure transmit queue 3 (on interface Ethernet 19) as a round robin queue, then allocates 10%, 20%, 30%, and 40% bandwidth to queues 0 through 3.

The no priority statement for queue 3 also configures queues 0, 1, and 2 as round robin queues. Removing this statement reverts the other queues to strict priority type unless running-config contains a no priority statement for one of these queues.

switch(config)# interface ethernet 19
switch(config-if-Et19)# tx-queue 3
switch(config-if-Et19-txq-3)# no priority
switch(config-if-Et19-txq-3)# bandwidth percent 40
switch(config-if-Et19-txq-3)# tx-queue 2
switch(config-if-Et19-txq-2)# bandwidth percent 30
switch(config-if-Et19-txq-2)# tx-queue 1
switch(config-if-Et19-txq-1)# bandwidth percent 20
switch(config-if-Et19-txq-1)# tx-queue 0
switch(config-if-Et19-txq-0)# bandwidth percent 10
switch(config-if-Et19-txq-0)# show qos interface ethernet 19
Ethernet19:

   Port shaping rate: disabled

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3          40     disabled   round-robin
          2          30     disabled   round-robin
          1          20     disabled   round-robin
          0          10     disabled   round-robin

switch(config-if-Et19-txq-0)#

Changing the bandwidth percentage for queue 3 to 60 changes the operational bandwidth of each queue to its configured bandwidth divided by 120% (10%+20%+30%+60%).

switch(config-if-Et19-txq-0) #tx-queue 3
switch(config-if-Et19-txq-3)# bandwidth percent 60
switch(config-if-Et19-txq-3)# show qos interface ethernet 19
Ethernet19:

   Port shaping rate: disabled

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3          49     disabled   round-robin
          2          24     disabled   round-robin
          1          16     disabled   round-robin
          0           8     disabled   round-robin

switch(config-if-Et19-txq-3)#

QoS Configuration: Petra Platform Switches

Implementing QoS on a Petra platform switch consists of configuring port trust settings, default port settings, default traffic classes, conversion maps, and transmit queues.

CoS and DSCP Port Settings – Petra Platform Switches
Traffic Class Derivations – Petra Platform Switches
CoS Rewrite – Petra Platform Switches
Transmit Queues and Port Shaping – Petra Platform Switches

CoS and DSCP Port Settings – Petra Platform Switches

Port Settings – Trust Mode and Traffic Classdescribes port trust and default port CoS and DSCP values.

Configuring Port Trust Settings

The qos trust command configures the QoS port trust mode for the configuration mode interface. Trust enabled ports use packet CoS or DSCP values to classify traffic. The port-trust default for switched ports is cos. The port-trust default for routed ports is dscp.

qos trust cos specifies cos as the port’s port-trust mode.
qos trust dscp specifies dscp as the port’s port-trust mode.
no qos trust specifies untrusted as the port’s port-trust mode.

The show qos interfaces trust command displays the trust mode of specified interfaces.

Example

These commands configure and display the following trust modes:

Ethernet 3/25: dscp.
Ethernet 3/26: untrusted.
Ethernet 3/27: cos.
Ethernet 3/28: default as a switched port.

Ethernet 3/29: default as a routed port.

switch(config)# interface ethernet 3/25
switch(config-if-Et3/25)# qos trust dscp
switch(config-if-Et3/25)# interface ethernet 3/26
switch(config-if-Et3/26)# no qos trust
switch(config-if-Et3/26)# interface ethernet 3/27
switch(config-if-Et3/27)# qos trust cos
switch(config-if-Et3/27)# interface ethernet 3/28
switch(config-if-Et3/28)# switchport
switch(config-if-Et3/28)# default qos trust
switch(config-if-Et3/28)# interface ethernet 3/29
switch(config-if-Et3/29)# no switchport
switch(config-if-Et3/29)# default qos trust
switch(config-if-Et3/29)# show qos interface ethernet 3/25 - 3/29 trust
Port                                       Trust Mode
                               Operational           Configured
---------------------------------------------------------------
Ethernet3/25                   DSCP                  DSCP
Ethernet3/26                   UNTRUSTED             UNTRUSTED
Ethernet3/27                   COS                   COS
Ethernet3/28                   COS                   DEFAULT
Ethernet3/29                   DSCP                  DEFAULT

switch(config-if-Et3/29)#

Configuring Default Port Settings

Port channel and Ethernet interfaces are not assigned default CoS or DSCP settings.

Traffic Class Derivations – Petra Platform Switches

Traffic Classes describes traffic classes.

Traffic Class Derivation Source

The following table displays the source for deriving a data stream’s default traffic class.

Table 17. Traffic Class Derivation Source: Petra Platform Switches
	Untrusted	CoS Trusted	DSCP Trusted
Untagged Non-IP	Default TC (chip)	Default TC (chip)	Default TC (chip)
Untagged IP	Default TC (chip)	Default TC (chip)	DSCP (packet)
Tagged Non-I	Default TC (chip)	CoS (packet)	Default TC (chip)
Tagged IP	Default TC (chip)	CoS (packet)	DSCP (packet)

Configuring Default Traffic Class

Petra platform switches assign a default traffic class to the set of Ethernet interfaces controlled by individual PetraA chips. Default traffic class values are configurable for each PetraA chip, not individual interfaces.

The platform petraA traffic-class command specifies the default traffic class used by all ports controlled by a specified chip. The show platform petraA traffic-class command displays traffic class assignments.

Examples

This command configures the default traffic class to five for the ports 32-39 on linecard 3 (7500 Series).

switch(config)# platform petraA petra3/4 traffic-class 5
switch(config)# show platform petraA module 3 traffic-class
Petra3/0 traffic-class: 1
Petra3/1 traffic-class: 1
Petra3/2 traffic-class: 1
Petra3/3 traffic-class: 1
Petra3/4 traffic-class: 5
Petra3/5 traffic-class: 1
switch(config)#

This command configures the default traffic class to three for all ports on linecard 6 (7500 Series).

switch(config)# platform petraA module 6 traffic-class 6
switch(config)# show platform petraA module 6 traffic-class
Petra6/0 traffic-class: 6
Petra6/1 traffic-class: 6
Petra6/2 traffic-class: 6
Petra6/3 traffic-class: 6
Petra6/4 traffic-class: 6
Petra6/5 traffic-class: 6
switch(config)#

Mapping CoS to Traffic Class

The qos map cos command assigns a traffic class to a list of CoS settings. Multiple commands create a complete CoS–traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s CoS field or the port upon which it is received.

Example

This command assigns traffic class 4 to the classes of service 1, 3, 5, and 7.

switch(config)#qos map cos 1 3 5 7 to traffic-class 4
switch(config)#show qos maps
   Number of Traffic Classes supported: 8

   Cos-tc map:
     cos:  0  1  2  3  4  5  6  7
     ----------------------------
     tc:   1  4  2  4  4  4  6  4

switch(config)#

The following table displays the default CoS to traffic class map on Petra platform switches.

Table 18. Default CoS to Traffic Class Map: Petra Platform Switches
Inbound CoS	untagged	0	1	2	3	4	5	6	7
Traffic Class	Derived: use default CoS as inbound CoS	1	0	2	3	4	5	6	7

Mapping DSCP to Traffic Class

Example

This command assigns traffic class 3 to the DSCP values of 12, 13, 25, and 37.

switch(config)# qos map dscp 12 13 14 25 48 to traffic-class 3
switch(config)# show qos maps
   Number of Traffic Classes supported: 8

   Dscp-tc map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  3  3  3  0  2  2  2  2
      2 :     2  2  2  2  3  3  3  3  3  3
      3 :     3  3  4  4  4  4  4  4  4  4
      4 :     5  5  5  5  5  5  5  5  3  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7

switch(config)#

The following table displays the default DSCP to Traffic Class map on Petra platform switches.

Table 19. Default DSCP to Traffic Class Map: Petra Platform Switches
Inbound DSCP	0-7	8-15	16-23	24-31	32-39	40-47	48-55	56-63
Traffic Class	1	0	2	3	4	5	6	7

CoS Rewrite – Petra Platform Switches

Rewriting CoS and DSCP describes the CoS rewrite function.

Traffic Class to CoS Rewrite Map

Example

This command assigns the CoS of two to traffic classes 1, 3, and 5.

switch(config)# qos map traffic-class 1 3 5 to cos 2
switch(config)# show qos map
   Number of Traffic Classes supported: 8

   Tc-cos map:
     tc:   0  1  2  3  4  5  6  7
     ----------------------------
     cos:  1  2  2  2  4  2  6  7

switch(config)#

The following table displays the default Traffic Class to CoS rewrite value map on Petra platform switches.

Table 20. Default Traffic Class to CoS Rewrite Value Map: Petra Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
CoS Rewrite Value	1	0	2	3	4	5	6	7

Traffic Class to DSCP Rewrite Map

DSCP rewrite is always disabled on Petra platform switches.

Transmit Queues and Port Shaping – Petra Platform Switches

Transmit Queues and Port Shaping describes transmit queues and port shaping.

Petra platform switches provide four physical queues for each egress port: Unicast High, Unicast Low, Multicast High, and Multicast Low. Data is scheduled for the high or low queue based on its priority as defined by its transmit queue assignment (unicast traffic) or traffic class (multicast traffic), as shown in the table below. A Petra transmit queue is a data structure that defines scheduling of unicast traffic among phyical egress queues.

Table 21. Traffic Distribution to Egress Port Queues
	High Priority Queue	Low Priority Queue
Unicast Traffic	Transmit Queues 5 – 7	Transmit Queues 0 – 4
Multicast Traffic	Traffic Classes 5 – 7	Traffic Classes 0 – 4

Multicast queue capacity that is available after multicast traffic is serviced is used for unicast traffic of a corresponding priority. Similarly, unicast queue capacity that is available after unicast traffic is serviced is used for overflow multicast traffic. Under conditions of unicast and multicast congestion, egress traffic is evenly split between unicast and multicast traffic.

Unicast Transmit Queues and Port Shaping describes unicast transmit queues and shaping. Multicast Egress Scheduling describes multicast priority and traffic classes.

Unicast Transmit Queues and Port Shaping

A data stream’s traffic class determines the transmit queue it uses. The switch defines a single traffic class–transmit queue map for unicast traffic on all Ethernet interfaces. The show qos maps command displays the traffic class–transmit queue map. The following table displays the default traffic class to transmit queue map on Petra platform switches.

Table 22. Default Traffic Class to Transmit Queue Map: Petra Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
Transmit Queue	0	1	2	3	4	5	6	7

Transmit queue parameters are configured in tx-queue configuration command mode.

Mapping Traffic Classes to a Transmit Queue

The qos map traffic-class to tx-queue command assigns traffic classes to a transmit queue. Multiple commands complete the traffic class-transmit queue map. Traffic class 7 and transmit queue 7 are always mapped to each other. This association is not editable.

Example

switch(config)# qos map traffic-class 1 3 5 to tx-queue 1
switch(config)# qos map traffic-class 2 4 6 to tx-queue 2
switch(config)# qos map traffic-class 0 to tx-queue 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 8

   Tc - tx-queue map:
     tc:        0  1  2  3  4  5  6  7
     ---------------------------------
     tx-queue:  0  1  2  1  2  1  2  7

switch(config)#

Entering Tx-Queue Configuration Mode

The tx-queue (Petra) command places the switch in tx-queue configuration mode to configure a transmit queue on the configuration mode interface. Tx-queue 7not configurable. The show qos interfaces displays the transmit queue configuration for a specified port.

Example

This command enters tx-queue configuration mode for transmit queue 3 of interface ethernet 3/28.

switch(config)# interface ethernet 3/28
switch(config-if-Et3/28)# tx-queue 3
switch(config-if-Et3/28-txq-3)#

Configuring the Shape Rate – Port and Transmit Queues

To configure a port’s shape rate, enter shape rate (Interface – Petra) from the port’s interface configuration mode.
To configure a transmit queue’s shape rate, enter shape rate (Tx-queue – Petra) from the queue’s tx-queue configuration mode.

Example

These commands configure a shape rate of 5 Gbs on interface Ethernet 3, then configure the shape rate for the following transmit queues:

transmit queues 0, 1, and 2: 500 Mbps

transmit queues 3, 4, and 5: 400 Mbps

switch(config)# interface ethernet 3/28
switch(config-if-Et3/28)# shape rate 5000000
switch(config-if-Et3/28)# tx-queue 0
switch(config-if-Et3/28-txq-0)# shape rate 500000
switch(config-if-Et3/28-txq-0)# tx-queue 1
switch(config-if-Et3/28-txq-1)# shape rate 500000
switch(config-if-Et3/28-txq-1)# tx-queue 2
switch(config-if-Et3/28-txq-2)# shape rate 500000
switch(config-if-Et3/28-txq-5)# tx-queue 3
switch(config-if-Et3/28-txq-3)# shape rate 400000
switch(config-if-Et3/28-txq-3)# tx-queue 4
switch(config-if-Et3/28-txq-4)# shape rate 400000
switch(config-if-Et3/28-txq-4)# tx-queue 5
switch(config-if-Et3/28-txq-5)# shape rate 400000
switch(config-if-Et3/28-txq-5)# show qos interface ethernet 3/28
Ethernet3/28:

   Port shaping rate: 5000000Kbps

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A       400000        strict
          4         N/A       400000        strict
          3         N/A       400000        strict
          2         N/A       500000        strict
          1         N/A       500000        strict
          0         N/A       500000        strict

switch(config-if-Et3/28-txq-5)#

Configuring Queue Priority

The priority (Petra) command configures a transmit queue’s priority type:

The priority strict command configures the queue as a strict priority queue.
The no priority command configures the queue as a round robin queue.

A queue’s configuration as round robin also applies to all lower priority queues regardless of other configuration statements.

The bandwidth percent (Petra) command configures a round robin queue’s bandwidth share. The cumulative operational bandwidth of all round robin queues is always less than or equal to 100%. If the cumulative configured bandwidth is greater than 100%, each port’s operational bandwidth is its configured bandwidth divided by the cumulative configured bandwidth.

Examples

These commands configure transmit queue 3 (on interface Ethernet 3/28) as a round robin queue, then allocates 10%, 20%, 30%, and 40% bandwidth to queues 0 through 3.

switch(config-if-Et3/28)# tx-queue 3
switch(config-if-Et3/28-txq-3)# no priority
switch(config-if-Et3/28-txq-3)# bandwidth percent 40
switch(config-if-Et3/28-txq-3)# tx-queue 2
switch(config-if-Et3/28-txq-2)# bandwidth percent 30
switch(config-if-Et3/28-txq-2)# tx-queue 1
switch(config-if-Et3/28-txq-1)# bandwidth percent 20
switch(config-if-Et3/28-txq-1)# tx-queue 0
switch(config-if-Et3/28-txq-0)# bandwidth percent 10
switch(config-if-Et3/28-txq-0)# show qos interface ethernet 3/28
Ethernet3/28:

   Port shaping rate: 5000000Kbps

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A       400000        strict
          4         N/A       400000        strict
          3          40       400000   round-robin
          2          30       500000   round-robin
          1          20       500000   round-robin
          0          10       500000   round-robin

switch(config-if-Et3/28-txq-0)#

Changing the bandwidth percentage for queue 3 to 60 changes the operational bandwidth of each queue to its configured bandwidth divided by 120% (10%+20%+30%+60%).

switch(config-if-Et3/28-txq-0)# tx-queue 3
switch(config-if-Et3/28-txq-3)# bandwidth percent 60
switch(config-if-Et3/28-txq-3)# show qos interface ethernet 3/28
Ethernet3/28:

   Port shaping rate: 5000000Kbps

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A       400000        strict
          4         N/A       400000        strict
          3          49       400000   round-robin
          2          24       500000   round-robin
          1          16       500000   round-robin
          0           8       500000   round-robin
switch(config-if-Et3/28-txq-3)#

Multicast Egress Scheduling

Multiclass traffic is not affected by traffic class assignment or port shaping statements. Multicast traffic is assigned to port egress queues based on traffic class and uses strict priority to schedule egress between the high and low queues.

QoS Configuration: Trident and Tomahawk Platform Switches

Implementing QoS on a Trident and Tomahawk platform switch consists of configuring port trust settings, default port settings, default traffic classes, conversion maps, and transmit queues.

CoS and DSCP Port Settings – Trident and Tomahawk Platform Switches
Traffic Class Derivations – Trident and Tomahawk Platform Switches
CoS and DSCP Rewrite – Trident and Tomahawk Platform Switches
Transmit Queues and Port Shaping – Trident and Tomahawk Platform Switches
ECN Configuration – Trident and Tomahawk Platform Switches

CoS and DSCP Port Settings – Trident and Tomahawk Platform Switches

Configuring Port Trust Settings

The qos trust command configures the QoS port trust mode for the configuration mode interface. Trust-enabled ports use packet CoS or DSCP values to classify traffic. The port-trust default for switched ports is CoS. The port-trust default for routed ports is DSCP.

qos trust cos specifies CoS as the port’s trust mode.
qos trust dscp specifies DSCP as the port’s trust mode.
no qos trust specifies untrusted as the port’s trust mode.

The show qos interfaces trust command displays the trust mode of specified interfaces.

Example

These commands configure and display the following trust modes:

Ethernet 15: dscp
Ethernet 16: untrusted
Ethernet 17: cos
Ethernet 18: default as a switched port

interface ethernet 19: default as a routed port

switch(config)# interface ethernet 15
switch(config-if-Et15)# qos trust dscp
switch(config-if-Et15)# interface ethernet 16
switch(config-if-Et16)# no qos trust
switch(config-if-Et16)# interface ethernet 17
switch(config-if-Et17)# qos trust cos
switch(config-if-Et17)# interface ethernet 18
switch(config-if-Et18)# switchport
switch(config-if-Et18)# default qos trust
switch(config-if-Et18)# interface ethernet 19
switch(config-if-Et19)# no switchport
switch(config-if-Et19)# default qos trust
switch(config-if-Et19)# show qos interface ethernet 15 - 19 trust
Port                                       Trust Mode
                               Operational           Configured
---------------------------------------------------------------
Ethernet15                     DSCP                  DSCP
Ethernet16                     UNTRUSTED             UNTRUSTED
Ethernet17                     COS                   COS
Ethernet18                     COS                   DEFAULT
Ethernet19                     DSCP                  DEFAULT

switch(config-if-Et19)#

Configuring Default Port Settings

Default CoS and DSCP settings are assigned to individual port channel and Ethernet interfaces. These configuration mode interface commands specify the port’s default CoS and DSCP values.

qos cos configures a port’s default CoS value.
qos dscp configures a port’s default DSCP value.

Example

These commands configure default CoS (4) and DSCP (44) values on interface ethernet 7.

switch(config)# interface ethernet 7
switch(config-if-Et7)# qos cos 4
switch(config-if-Et7)# qos dscp 44
switch(config-if-Et7)# show active
interface Ethernet7
   qos cos 4
   qos dscp 44
switch(config-if-Et7)# show qos interfaces ethernet 7
Ethernet7:
   Trust Mode: COS
   Default COS: 4
   Default DSCP: 44

switch(config-if-Et7)#

Traffic Class Derivations – Trident and Tomahawk Platform Switches

Traffic Classesdescribes traffic classes.

Traffic Class Derivation Source

The following table displays the source for deriving a data stream’s traffic class.

Table 23. Traffic Class Derivation Source: Trident and Tomahawk Platform Switches
	Untrusted	CoS Trusted	DSCP Trusted
Untagged Non-IP	Default CoS (port)	Default CoS (port)	Default DSCP (port)
Untagged IP	Default CoS (port)	Default CoS (port)	DSCP (packet)
Tagged Non-IP	Default CoS (port)	CoS (packet)	Default DSCP (port)
Tagged IP	Default CoS (port)	CoS (packet)	DSCP (packet)

CoS and DSCP Port Settings – Trident and Tomahawk Platform Switches describes the default CoS and DSCP settings for each port.

Mapping CoS to Traffic Class

Example

This command assigns the traffic class 5 to the classes of service 1, 3, 5, and 7.

switch(config)# qos map cos 1 3 5 7 to traffic-class 5
switch(config)# show qos maps
   Number of Traffic Classes supported: 8

   Cos-tc map:
     cos:  0  1  2  3  4  5  6  7
     ----------------------------
     tc:   1  5  2  5  4  5  6  5

switch(config)#

The following table displays the default CoS–traffic class map on Trident and Tomahawk platform switches.

Table 24. Default CoS to Traffic Class Map: Trident II Platform Switches
Inboun CoS	0	1	2	3	4	5	6	7
Traffic Class	1	0	2	3	4	5	6	7

Mapping DSCP to Traffic Class

Example

This command assigns the traffic class 0 to DSCP values of 12, 24, 41, and 44-47.

switch(config)# qos map dscp 12 24 41 44 45 46 47 to traffic-class 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8

   Dscp-tc map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  0  0  0  0  2  2  2  2
      2 :     2  2  2  2  0  3  3  3  3  3
      3 :     3  3  4  4  4  4  4  4  4  4
      4 :     5  0  5  5  0  0  0  0  6  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7

switch(config)#

The following table displays the default DSCP–traffic class map on Trident and Tomahawk platform switches.

Table 25. Default DSCP to Traffic Class Map: Trident and Tomahawk Platform Switches
Inbound DSCP	0-7	8-15	16-23	24-31	32-39	40-47	48-55	56-63
Traffic Class	1	0	2	3	4	5	6	7

CoS and DSCP Rewrite – Trident and Tomahawk Platform Switches

Rewriting CoS and DSCP describes the CoS and DSCP rewrite functions.

Traffic Class to CoS Rewrite Map

Example

This command assigns the CoS 2 to traffic classes 1, 3, and 5.

switch(config)# qos map traffic-class 1 3 5 to cos 2
switch(config)# show qos map
   Number of Traffic Classes supported: 8

   Tc-cos map:
     tc:   0  1  2  3  4  5  6  7
     ----------------------------
     cos:  1  2  2  2  4  2  6  7

switch(config)#

The following table displays the default Traffic Class to CoS rewrite value map on Trident and Tomahawk platform switches.

Table 26. Default Traffic Class to CoS Rewrite Value Map: Trident and Tomahawk Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
CoS Rewrite Value	1	0	2	3	4	5	6	7

Traffic Class to DSCP Rewrite Map

Example

This command assigns the DSCP value of 29 to traffic classes 2, 4, and 6.

switch(config)#qos map traffic-class 2 4 6 to dscp 29
switch(config)#show qos map
   Number of Traffic Classes supported: 8

   Tc-dscp map:
     tc:    0  1  2  3  4  5  6  7
     -----------------------------
     dscp:  8  0 29 24 29 40 29 56

switch(config)#

The following displays the default traffic class to DSCP rewrite map on Trident and Tomahawk platform switches.

Table 27. Traffic Class to DSCP Rewrite Value Map: Trident and Tomahawk Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
DSCP	8	0	16	24	32	40	48	56

Transmit Queues and Port Shaping – Trident and Tomahawk Platform Switches

Transmit Queues and Port Shaping describes transmit queues and port shaping.

Trident and Tomahawk platform switches define 12 transmit queues: eight unicast (UC0 – UC7) and four multicast (MC0 – MC03). The traffic class–transmit queue maps are configured globally and apply to all Ethernet interfaces. The show qos maps command displays the traffic class–transmit queue maps.

The following table displays the default traffic class–transmit queue maps.

Table 28. Default Traffic Class to Transmit Queue Map: Trident and Tomahawk Platform Switches
Traffic Class	1	2	3	4	5	6	7
Unicast Transmit Queue	1	2	3	4	5	6	7
Multicast Transmit Queue	0	1	1	2	2	3	3

Mapping Traffic Classes to a Transmit Queue

These commands assign traffic classes to a transmit queue:

qos map traffic-class to uc-tx-queue associates a unicast queue to a traffic class set.
qos map traffic-class to mc-tx-queue associates a multicast queue to a traffic class set.

Multiple commands create the complete maps.

Example

These commands assign the following on interface ethernet 7:

traffic classes 1, 3, and 5 to unicast queue 1
traffic classes 2, 4, and 6 to unicast queue 5
traffic classes 1, 2, and 3 to multicast queue 1
traffic classes 4, 5, and 6 to multicast queue 3

traffic class 0 to unicast queue 0 and multicast queue 0

switch(config)# default interface ethernet 7
switch(config)# qos map traffic-class 1 3 5 to uc-tx-queue 1
switch(config)# qos map traffic-class 2 4 6 to uc-tx-queue 5
switch(config)# qos map traffic-class 1 2 3 to mc-tx-queue 1
switch(config)# qos map traffic-class 4 5 6 to mc-tx-queue 3
switch(config)# qos map traffic-class 0 to uc-tx-queue 0
switch(config)# qos map traffic-class 0 to mc-tx-queue 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 12

   Tc - uc-tx-queue map:
     tc:           0  1  2  3  4  5  6  7
     ------------------------------------
     uc-tx-queue:  0  1  5  1  5  1  5  7

   Tc - mc-tx-queue map:
     tc:           0  1  2  3  4  5  6  7
     ------------------------------------
     mc-tx-queue:  0  1  1  1  3  3  3  3

switch(config)#

Entering a Transmit Queue Configuration Mode

Transmit queues are configurable on individual Ethernet ports. Parameters for individual transmit queues are configured in one of two transmit queue configuration modes. Transmit queue modes are accessed from an interface-ethernet configuration mode.

uc-tx-queue places the switch in uc-tx-queue mode to configure a unicast transmit queue.
mc-tx-queue places the switch in mc-tx-queue mode to configure a multicast transmit queue.

The show qos interfaces displays the transmit queue configuration for a specified port.

Examples

This command enters the mode that configures unicast transmit queue 3 of interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# uc-tx-queue 3
switch(config-if-Et5-uc-txq-3)#

This command enters the mode to configure multicast transmit queue 3 of interface ethernet 5.
```
switch(config-if-Et5)# mc-tx-queue 2
switch(config-if-Et5-mc-txq-2)#
```

Configuring the Shape Rate – Port and Transmit Queues

A port’s shape rate specifies the port’s maximum outbound traffic bandwidth. A shape rate can also be configured for all transmit queues on each port. All shape rate commands use kbps to specify data rates.

To configure a port’s shape rate, enter shape rate (Interface – Trident and Tomahawk) from the port’s interface configuration mode.
To configure a transmit queue’s shape rate, enter shape rate (Tx-queue – Trident and Tomahawk) from the queue’s tx-queue configuration mode.

Example

These commands configure a shape rate of 5 Gbs on interface Ethernet 7, then configure the shape rate for the following transmit queues:

unicast transmit queues 0 and 1: 500 Mbps.
unicast transmit queues 3 and 4: 400 Mbps.

multicast transmit queues 0 and 2: 300 Mbps.

switch(config)# interface ethernet 7
switch(config-if-Et7)# shape rate 5000000
switch(config-if-Et7)# uc-tx-queue 0
switch(config-if-Et7-uc-txq-0)# shape rate 500000
switch(config-if-Et7-uc-txq-0)# uc-tx-queue 1
switch(config-if-Et7-uc-txq-1)# shape rate 500000
switch(config-if-Et7-uc-txq-1)# uc-tx-queue 3
switch(config-if-Et7-uc-txq-3)# shape rate 400000
switch(config-if-Et7-uc-txq-3)# uc-tx-queue 5
switch(config-if-Et7-uc-txq-5)# shape rate 400000
switch(config-if-Et7-uc-txq-5)# mc-tx-queue 0
switch(config-if-Et7-mc-txq-0)# shape rate 300000
switch(config-if-Et7-mc-txq-0)# mc-tx-queue 2
switch(config-if-Et7-mc-txq-2)# shape rate 300000
switch(config-if-Et7-mc-txq-2)# exit
switch(config-if-Et7)# show qos interface ethernet 7
Ethernet7:

   Port shaping rate: 5000000Kbps

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A       400000        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A       300000        strict                0
        UC3         N/A       400000        strict                0
        UC2         N/A     disabled        strict                0
        MC1         N/A     disabled        strict                0
        UC1         N/A       500000        strict                0
        UC0         N/A       500000        strict                0
        MC0         N/A       300000        strict                0

switch(config-if-Et7)#

Configuring Queue Priority

Trident and Tomahawk platform switch queues are categorized into two priority groups. Priority group 1 queues have priority over priority 0 queues. The following lists display the priority group queues in order from higher priority to lower priority.

Priority Group 1: UC7, UC6, MC3
Priority Group 0: UC5, UC4, MC2, UC3, UC2, MC1, UC1, UC0, MC0

The priority (Trident and Tomahawk) command configures a transmit queue’s priority type:

The priority strict command configures the queue as a strict priority queue.
The no priority command configures the queue as a round robin queue.

A queue’s configuration as round robin also applies to all lower priority queues regardless of other configuration statements.

The bandwidth percent (Trident and Tomahawk) command configures a round robin queue’s bandwidth share. The cumulative operational bandwidth of all round robin queues is always 100%. If the cumulative configured bandwidth is greater than 100%, each port’s operational bandwidth is its configured bandwidth divided by the cumulative configured bandwidth.

Priority Group 1 queues (UC7, UC6, MC3) are not configurable as round robin queues. The bandwidth percent command is not available for these queues.

Examples

These commands configure unicast transmit queue 3 as a round robin queue, then allocates 5%, 15%, 25%, 35%, 8%, and 12% bandwidth to unicast transmit queues 0 through 3 and multicast transmit queues 0 and 1, respectively.

The no priority statement for queue 3 also configures priority for all lower priority queues. Removing the statement reverts the other queues to strict priority type unless running-config contains a no priority statement for one of these queues.

switch(config)# interface ethernet 7
switch(config-if-Et7)# uc-tx-queue 3
switch(config-if-Et7-uc-txq-3)# no priority
switch(config-if-Et7-uc-txq-3)# bandwidth percent 5
switch(config-if-Et7-uc-txq-3)# uc-tx-queue 2
switch(config-if-Et7-uc-txq-2)# bandwidth percent 15
switch(config-if-Et7-uc-txq-2)# uc-tx-queue 1
switch(config-if-Et7-uc-txq-1)# bandwidth percent 25
switch(config-if-Et7-uc-txq-1)# uc-tx-queue 0
switch(config-if-Et7-uc-txq-0)# bandwidth percent 35
switch(config-if-Et7-uc-txq-0)# mc-tx-queue 1
switch(config-if-Et7-mc-txq-1)# bandwidth percent 12
switch(config-if-Et7-mc-txq-1)# mc-tx-queue 0
switch(config-if-Et7-mc-txq-0)# bandwidth percent 8
switch(config-if-Et7-mc-txq-0)# show qos interface ethernet 7
Ethernet7:

   Port shaping rate: disabled

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A     disabled        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A     disabled        strict                0
        UC3           5     disabled   round-robin                0
        UC2          15     disabled   round-robin                0
        MC1          12     disabled   round-robin                0
        UC1          25     disabled   round-robin                0
        UC0          35     disabled   round-robin                0
        MC0           8     disabled   round-robin                0

switch(config-if-Et7-mc-txq-0)#

Changing the bandwidth percentage for unicast queue 3 to 30 changes the operational bandwidth of each queue to its configured bandwidth divided by 125% (8%+12%+30%+15%+25%+35%).

switch(config-if-Et7-uc-txq-0)# uc-tx-queue 3
switch(config-if-Et7-uc-txq-3)# bandwidth percent 30
switch(config-if-Et7-uc-txq-3)# show qos interface ethernet 7
Ethernet7:

   Port shaping rate: disabled

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A     disabled        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A     disabled        strict                0
        UC3          24     disabled   round-robin                0
        UC2          12     disabled   round-robin                0
        MC1           9     disabled   round-robin                0
        UC1          20     disabled   round-robin                0
        UC0          28     disabled   round-robin                0
        MC0           6     disabled   round-robin                0

switch(config-if-Et7-uc-txq-3)#

ECN Configuration – Trident and Tomahawk Platform Switches

ECN is independently configurable on all egress queues of each Ethernet interface. ECN settings for Port-Channels are applied on each of the channel’s member Ethernet interfaces. ECN is also globally configurable to mark packets from the shared pool used for dynamically allocating memory to the queues. Multicast packets contribute to the globally shared pool and can contribute to global level congestion that result in ECN marking of unicast packets queued after the multicast packets.

Average queue length is tracked for transmit queues and the global pool independently. When either entity reaches its maximum threshold, all subsequent packets are marked.

Although the switch does not limit the number of queues that can be configured for ECN, hardware table limitations restrict the number of queues (including the global shared pool) that can simultaneously implement ECN.

The qos random-detect ecn global-buffer (Trident and Tomahawk) command enables ECN marking for globally shared packet memory and specifies minimum and maximum queue threshold sizes.

Examples

This command enables ECN marking of unicast packets from the global data pool and sets the minimum and maximum thresholds at 20 and 500 segments.
```
switch(config)# qos random-detect ecn global-buffer minimum-threshold 20 segments 
maximum-threshold 500 segments
switch(config)#
```
This command disables ECN marking of unicast packets from the global data pool.
```
switch(config)# no qos random-detect ecn global-buffer
switch(config)#
```
The random-detect ecn (Trident and Tomahawk) command enables ECN marking for the configuration mode unicast transmit queue and specifies threshold queue sizes.

These commands enable ECN marking of unicast packets from transmit queue 4 of interface Ethernet 15, setting thresholds at 10 and 100 segments.

switch(config)# interface ethernet 15
switch(config-if-Et15)# uc-tx-queue 4
switch(config-if-Et15-uc-txq-4)# random-detect ecn minimum-threshold 10 segments 
maximum-threshold 100 segments
switch(config-if-Et15-uc-txq-4)# show active
interface Ethernet15
   uc-tx-queue 4
      random-detect ecn minimum-threshold 10 segments maximum-threshold 100 
segments
switch(config-if-Et15-uc-txq-4)# exit
switch(config-if-Et15)#

This command disables ECN marking of unicast packets from transmit queue 4 of interface Ethernet 15.

switch(config-if-Et15-uc-txq-4)# no random-detect ecn
switch(config-if-Et15-uc-txq-4)# show active
interface Ethernet15
switch(config-if-Et15-uc-txq-4)# exit
switch(config-if-Et15)#

QoS Configuration: Trident II and Helix Platform Switches

Implementing QoS on a Trident platform switch consists of configuring port trust settings, default port settings, default traffic classes, conversion maps, and transmit queues.

CoS and DSCP Port Settings – Trident II and Helix Platform Switches
Traffic Class Derivations – Trident II and Helix Platform Switches
CoS and DSCP Rewrite – Trident II and Helix Platform Switches
Transmit Queues and Port Shaping – Trident II and Helix Platform Switches
Ingress Policing on LAG
Fabric QoS -- – Trident II Platform Switches

CoS and DSCP Port Settings – Trident II and Helix Platform Switches

Configuring Port Trust Settings

The qos trust command configures the QoS port trust mode for the configuration mode interface. Trust enabled ports use packet CoS or DSCP values to classify traffic. The port-trust default for switched ports is cos. The port-trust default for routed ports is dscp.

qos trust cos specifies cos as the port’s port-trust mode.
qos trust dscp specifies dscp as the port’s port-trust mode.
no qos trust specifies untrusted as the port’s port-trust mode.

The show qos interfaces trust command displays the trust mode of specified interfaces.

Example

These commands configure and display the following trust modes:

Ethernet 7/1: dscp.
Ethernet 7/2: untrusted.
Ethernet 7/3: cos.
Ethernet 7/4: default as a switched port.
Ethernet 8/1: default as a routed port.

switch(config)# interface ethernet 7/1
switch(config-if-Et7/1)# qos trust dscp
switch(config-if-Et7/1)# interface ethernet 7/2
switch(config-if-Et7/2)# no qos trust
switch(config-if-Et7/2)# interface ethernet 7/3
switch(config-if-Et7/3)# qos trust cos
switch(config-if-Et7/3)# interface ethernet 7/4
switch(config-if-Et7/4)# switchport
switch(config-if-Et7/4)# default qos trust
switch(config-if-Et7/4)# interface ethernet 8/1
switch(config-if-Et8/1)# no switchport
switch(config-if-Et8/1)# default qos trust
switch(config-if-Et8/1)# show qos interface ethernet 7/1 - 8/1 trust

Port                                       Trust Mode
                               Operational           Configured
---------------------------------------------------------------
Ethernet7/1                    DSCP                  DSCP
Ethernet7/2                    UNTRUSTED             UNTRUSTED
Ethernet7/3                    COS                   COS
Ethernet7/4                    COS                   DEFAULT
Ethernet8/1                    DSCP                  DEFAULT

switch(config-if-Et8/1)#

Configuring Default Port Settings

Default CoS and DSCP settings are assigned to individual port channel and Ethernet interfaces. These configuration mode interface commands specify the port’s default CoS and DSCP values.

qos cos configures a port’s default CoS value.
qos dscp configures a port’s default DSCP value.

Example

These commands configure default CoS 4 and DSCP 44 values on interface ethernet 7/3.

switch(config)# interface ethernet 7/3
switch(config-if-Et7/3)# qos cos 4
switch(config-if-Et7/3)# qos dscp 44
switch(config-if-Et7/3)# show active

interface Ethernet7/3
   qos cos 4
   qos dscp 44

switch(config-if-Et7/3)# show qos interfaces ethernet 7/3

Ethernet7/3:
   Trust Mode: COS
   Default COS: 4
   Default DSCP: 44

switch(config-if-Et7/3)#

Traffic Class Derivations – Trident II and Helix Platform Switches

Traffic Classes describes traffic classes.

Note: Qos traffic policy is supported on Trident II platform switches.

Traffic Class Derivation Source

The following table displays the source for deriving a data stream’s traffic class.

Table 29. Traffic Class Derivation Source: Trident II Platform Switches
	Untrusted	CoS Trusted	DSCP Trusted
Untagged Non-IP	Default CoS (port)	Default CoS (port)	Default DSCP (port)
Untagged IP	Default CoS (port)	Default CoS (port)	DSCP (packet)
Tagged Non-IP	Default CoS (port)	CoS (packet)	Default DSCP (port)
Tagged IP	Default CoS (port)	CoS (packet)	DSCP (packet)

CoS and DSCP Port Settings – Trident II and Helix Platform Switches describes the default CoS and DSCP settings for each port.

Mapping CoS to Traffic Class

Example

This command assigns the traffic class 5 to the classes of service 1, 3, 5, and 7.

switch(config)# qos map cos 1 3 5 7 to traffic-class 5
switch(config)# show qos maps
   Number of Traffic Classes supported: 8

   Cos-tc map:
     cos:  0  1  2  3  4  5  6  7
     ----------------------------
     tc:   1  5  2  5  4  5  6  5

switch(config)#

The following table displays the default CoS–traffic class map on Trident II platform switches.

Table 30. Default CoS to Traffic Class Map: Trident II Platform Switches
Inbound CoS	0	1	2	3	4	5	6	7
Traffic Class	1	0	2	3	4	5	6	7

Mapping DSCP to Traffic Class

Example

This command assigns the traffic class 0 to DSCP values of 12, 24, 41, and 44-47.

switch(config)# qos map dscp 12 24 41 44 45 46 47 to traffic-class 0
switch(config)# show qos maps                 
   Number of Traffic Classes supported: 8

   Dscp-tc map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  0  0  0  0  2  2  2  2
      2 :     2  2  2  2  0  3  3  3  3  3
      3 :     3  3  4  4  4  4  4  4  4  4
      4 :     5  0  5  5  0  0  0  0  6  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7

switch(config)#

The following table displays the default DSCP–traffic class map on Trident II platform switches.

Table 31. Default DSCP to Traffic Class Map: Trident II Platform Switches
Inbound DSCP	0-7	8-15	16-23	24-31	32-39	40-47	48-55	56-63
Traffic Class	1	0	2	3	4	5	6	7

CoS and DSCP Rewrite – Trident II and Helix Platform Switches

Rewriting CoS and DSCP describes the CoS and DSCP rewrite functions.

Traffic Class to CoS Rewrite Map

Example

This command assigns the CoS of two to traffic classes 1, 3, and 5.

switch(config)# qos map traffic-class 1 3 5 to cos 2
switch(config)#show qos map

   Number of Traffic Classes supported: 8

   Tc-cos map:
     tc:   0  1  2  3  4  5  6  7
     ----------------------------
     cos:  1  2  2  2  4  2  6  7

switch(config)#

The following tabledisplays the default Traffic Class to CoS rewrite value map on Trident II platform switches.

Table 32. Default Traffic Class to CoS Rewrite Value Map: Trident II Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
CoS Rewrite Value	1	0	2	3	4	5	6	7

Traffic Class to DSCP Rewrite Map

Example

This command assigns the DSCP value of 29 to traffic classes 2, 4, and 6.

switch(config)# qos map traffic-class 2 4 6 to dscp 29
switch(config)# show qos map

   Number of Traffic Classes supported: 8

   Tc-dscp map:
     tc:    0  1  2  3  4  5  6  7
     -----------------------------
     dscp:  8  0 29 24 29 40 29 56

switch(config)#

The following table displays the default traffic class to DSCP rewrite map on Trident II platform switches.

Table 33. Traffic Class to DSCP Rewrite Value Map: Trident II Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
DSCP	8	0	16	24	32	40	48	56

Transmit Queues and Port Shaping – Trident II and Helix Platform Switches

Transmit Queues and Port Shaping describes transmit queues and port shaping.

A data stream’s traffic class determines the transmit queue it uses. The switch defines a single traffic class-transmit queue map for all Ethernet interfaces and is used for unicast and multicast traffic. The traffic class to transmit queue maps are configured globally and apply to all Ethernet and port channel interfaces. The show qos maps command displays the traffic class to transmit queue map.

Trident II platform switches have eight unicast (UC0 – UC7) and eight multicast (MC0 – MC7) queues. Each UCx-MCx queue set is combined into a single queue group (L1.x), which is exposed to the CLI through this command.

The following table displays the default traffic class to transmit queue maps.

Table 34. Default Traffic Class to Transmit Queue Map: Trident II Platform Switches
Traffic Class	0	1	2	3	4	5	6	7
Transmit Queue Group	0	1	2	3	4	5	6	7

Mapping Traffic Classes to a Transmit Queue

The qos map traffic-class to tx-queue command assigns traffic classes to a transmit queue. Multiple commands create the complete map.

Example

switch(config)# qos map traffic-class 1 3 5 to tx-queue 1
switch(config)# qos map traffic-class 2 4 6 to tx-queue 2
switch(config)# qos map traffic-class 0 to tx-queue 0
switch(config)# show qos maps
   Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 8

   Tc - tx-queue map:
     tc:        0  1  2  3  4  5  6  7
     ---------------------------------
     tx-queue:  0  1  2  1  2  1  2  7

switch(config)#

Entering a Transmit Queue Configuration Mode

Transmit queues are configurable on Ethernet ports and port channels. Queue parameters are configured in tx-queue configuration command mode, which is entered from the appropriate interface configuration mode. The tx-queue (Trident II) command places the switch in tx-queue configuration mode. The show qos interfaces displays the transmit queue configuration for a specified port.

Example

This command enters tx-queue configuration mode for transmit queue 3 of interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# tx-queue 3
switch(config-if-Et5-txq-3)#

Configuring the Shape Rate – Port and Transmit Queues

To configure a port’s shape rate, enter shape rate (Interface – Trident II) from the port’s interface configuration mode.
To configure a transmit queue’s shape rate, enter shape rate (Tx-queue – Trident II) from the queue’s tx-queue configuration mode.

Example

These commands configure a shape rate of 5 Gbs on interface Ethernet 3, then configure the shape rate for the following transmit queues:

transmit queues 0, 1, and 2: 500 Mbps

transmit queues 3, 4, and 5: 400 Mbps

switch(config)# interface ethernet 17/3
switch(config-if-Et17/3)# shape rate 5000000
switch(config-if-Et17/3)# tx-queue 0
switch(config-if-Et17/3-txq-0)# shape rate 500000
switch(config-if-Et17/3-txq-0)# tx-queue 1
switch(config-if-Et17/3-txq-1)# shape rate 500000
switch(config-if-Et17/3-txq-1)# tx-queue 3
switch(config-if-Et17/3-txq-3)# shape rate 400000
switch(config-if-Et17/3-txq-3)# tx-queue 4
switch(config-if-Et17/3-txq-4)# shape rate 400000
switch(config-if-Et17/3-txq-4)# tx-queue 5
switch(config-if-Et17/3-txq-5)# shape rate 400000
switch(config-if-Et17/3-txq-5)# exit
switch(config-if-Et17/3)# show qos interface ethernet 17/3
Ethernet17/3:

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP
   5        - / -    (  -  )     400 / 400  ( Mbps )   SP / SP
   4        - / -    (  -  )     400 / 400  ( Mbps )   SP / SP
   3        - / -    (  -  )     400 / 400  ( Mbps )   SP / SP
   2        - / -    (  -  )       - / -    (  -  )    SP / SP
   1        - / -    (  -  )     500 / 500  ( Mbps )   SP / SP
   0        - / -    (  -  )     500 / 500  ( Mbps )   SP / SP

switch(config-if-Et17/3)#

Configuring Queue Priority

Queue priority rank is denoted by the queue number; transmit queues with higher numbers have higher priority. Trident II supports strict priority queues; round robin queues are not supported.

The bandwidth guaranteed (Trident II) command configures specifies the minimum bandwidth for outbound traffic on the transmit queue.

Example

These commands configure a minimum egress bandwidth of 1 Mbps for transmit queue 4 on interface ethernet 17/3.

switch(config-if-Et17/3)# tx-queue 4
switch(config-if-Et17/3-txq-4)# show qos interface ethernet 17/3

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP
   5        - / -    (  -  )     400 / 400  ( Mbps )   SP / SP
   4        1 / 1    ( Mbps )    400 / 400  ( Mbps )   SP / SP
   3        - / -    (  -  )     400 / 400  ( Mbps )   SP / SP
   2        - / -    (  -  )       - / -    (  -  )    SP / SP
   1        - / -    (  -  )     500 / 500  ( Mbps )   SP / SP
   0        - / -    (  -  )     500 / 500  ( Mbps )   SP / SP

switch(config-if-Et17/3-txq-4)#

Ingress Policing on LAG

Ingress policing on a port-channel polices the matched traffic from all member interfaces combined, i.e. it provides aggregate policing and statistics (DCS-7050X, DCS-7010T, DCS-7250X, and DCS-7300X series). When a per-interface policer is attached to a port-channel, one set of TCAM entries is created for all member interfaces. The associated interface bitmap is updated, and aggregate policing is performed on all member interfaces.

Examples

These commands configure a service-policy (with policer action) on LAG by creating the service-policy and applying the service-policy on a port-channel.

switch(config)# policy-map policy-1
switch(config-pmap-qos-policy-1)# class class-1
switch(config-pmap-c-qos-policy-1-class-1)# police cir 512000 bps bc 96000
switch(config-pmap-c-qos-policy-1-class-1)# exit
switch(config-pmap-qos-policy-1)# exit
switch(config)# interface Et 4 / 5 / 4
switch(config-if-Et4/5/4)# channel-group 2 mode active
switch(config-if-Et4/5/4)# exit
switch(config)# interface po2
switch(config-if-Po2)# service-policy type qos input policy-1
switch(config-if-Po2)# exit
switch(config)#

These commands configure ACL policing in single-rate, two-color mode.

switch(config)# class-map type qos match-any class1
switch(config-cmap-qos-class1)# match ip access-group acl1
switch(config-cmap-qos-class1)# exit
switch(config)# policy-map type quality-of-service policy1
switch(config-pmap-qos-policy1)# class class1
switch(config-pmap-c-qos-policy1-class1)# police cir 512000 bc 96000
switch(config-pmap-c-qos-policy1-class1)# exit
switch(config-pmap-qos-policy1)# exit
switch(config)# show policy-map
Service-policy policy1

  Class-map: class1 (match-any)
    Match: ip access-group name acl1
       police rate 512000 bps burst-size 96000 bytes

  Class-map: class-default (match-any)

switch(config)#

Fabric QoS -- – Trident II Platform Switches

EOS is optimized to support QoS configuration on the Fabric interfaces on 7250x and 7300 series switches. Configuring QoS on the Fabric interfaces in addition to front panel ports allows user to have end-to-end control and helps to manage traffic better over these switches. By default, tx queues are configured as strict priority on 7250X and 7300X series.

The following QoS configuration options are supported on Fabric interfaces on 7250x and 7300 series switches.

Guaranteed Bandwidth: In order to prevent queue starvation on fabric ports EOS supports minimum bandwidth configuration on per queue basis across all fabric ports.
Explicit Congestion Notification (ECN): EOS supports enabling ECN on a per queue basis across all fabric ports.
Priority Flow Control (PFC): Queue back-pressure propagates across the backplane such that flow control messages can be generated to the upstream devices. This is done by enabling PFC for the desired backplane traffic-classes.
Weight Round Robin (WRR): EOS supports configuring Weighted Round Robin (WRR) on a per queue basis across all fabric ports.

Configuring Fabric QoS on 7250X and 7300X Series

Fabric QoS is configured using a QoS profiles which is then applied on fabric interfaces on 7250x and 7300x series. Following are the steps to configure Fabric QoS.

Use qos profile command to create a QoS profile.
Use tx-queue (Trident II) command to configure a transmit queue on the configuration mode interface.
Use bandwidth guaranteed (Trident II) command to specifie the minimum bandwidth for outbound traffic on the transmit queue.
Use random-detect ecn (Trident) command to enable the ECN marking for the configuration mode unicast transmit queue and specifies threshold queue sizes.
Use priority-flow-control priority command to configure the packet resolution setting on the configuration mode interface.
Use interface fabric command to configure Fabric interface.

Use service-profile command to apply the QoS profile to the Fabric interface.

Examples

These commands create a QoS profile named fabricProfile with tx queue, bandwidth, ECN, PFC and DLB values defined in it and then the profile is attached to Fabric interface of the switch.

Note: To support PFC on a particular priority, DLB is disabled for that priority.

switch(config)# qos profile fabricProfile
switch(config-qos-profile-fabricProfile)# tx-queue 0
switch(config-qos-profile-fabricProfile-txq-0)# bandwidth guaranteed 10000 kbps
switch(config-qos-profile-fabricProfile-txq-0)# random-detect ecn 
minimum-threshold 10 mbytes maximum-threshold 10 mbytes
switch(config-qos-profile-fabricProfile)# priority-flow-control priority 1 
no-drop
switch(config-qos-profile-fabricProfile)# priority-flow-control priority 6 
no-drop dlb

Applying the QoS profile on interface fabric of the switch.

switch# configure terminal
switch(config)# interface fabric
switch(config-if-fabric)# service-profile fabricProfile

Displaying Fabric QoS Information

These show commands display the configured Fabric QoS information on the switch.

show qos profile [profile Name]: Displays the list of QoS profiles configured on the switch.
show qos interfaces fabric: Displays the profile applied on the fabric interface on the switch.

Examples

This command displays the fabricProfile profile information.

switch# show qos profile fabricProfile
  qos profile fabricProfile
     priority-flow-control priority 1 no-drop
     priority-flow-control priority 6 no-drop dlb
     tx-queue 0
         bandwidth guaranteed 10000 kbps
         random-detect ecn minimum-threshold 10 mbytes maximum-threshold 10 mbytes

This command displays the profile applied on the fabric interface.

switch# show qos interfaces fabric
   qos profile fabricProfile

Support for Configuring Color Extended Communities

EOS Release 4.23.1F introduces the ability to configure the color extended community in route-map set clauses and in an extcommunity-list for inbound and outbound policy application.

Use the color extended community for per-destination steering into Segment-Routing Traffic-Engineered (SR-TE) policies. If the next-hop and color of a BGP route match a particular policy (composed of an endpoint and color), any traffic bound to the destination can be steered according to the policy instead of forwarded via an IGP path or tunnel.

This section describes support for configuring color extended communities, including configuration instructions and command descriptions. Topics covered by this section include:

Platform Compatibility
Configuration
Limitations

Platform Compatibility

Configuring color extended communities is supported on all platforms.

Configuration

Use the following command for color extended community expressions:

color COLOR-VALUE [color-only (exact-match | (endpoint-match (any | null)))]

Use this command in route-maps and extcommunity-lists to apply inbound and outbound policy.


Configuring Color Extended Community in route-map mode
Command(config-route-map mode)	[no \| default] set extcommunity COLOR-EXPRESSION [additive \| delete]
Action	Adds a color extended community to be applied to routes affected by the route-map. Multiple set clauses can be applied to a single route-map to configure multiple colors for routes. Additive adds the extended communities to those received, while delete deletes any matching extended color communities. Negating the command removes the entry from the route-map.
Default	None
Example	`switch(config)# route-map foo switch(config-route-map foo)# set extcommunity color 1 switch(config-route-map foo)# set extcommunity color 2 color-only exact-match switch(config-route-map foo)# set extcommunity color 3 color-only endpoint-match null switch(config-route-map foo)# set extcommunity color 4 color-only endpoint-match any`


Configuring Color Extended Community in extcommunity-list
Command(config mode)	`[(no\|default)] ip extcommunity-list WORD (permit\|deny){COLOR-EXPRESSION}`
Action	Adds a color extended community to an extcommunity-list. Multiple color extended communities can be added to the list. Negating the command removes the corresponding color extended community from the list.
Default	None
Example	`switch(config)# ip extcommunity-list foo permit color 1 color 2 switch(config)# ip extcommunity-list bar permit color 3 color-only endpoint-match null color 4 color-only endpoint-match any`

Limitations

The color extended community is only supported in multi-agent mode. Enable Multi-agent mode via the following command:

service routing protocols mode multi-agent

ACL based QoS Configuration

ACL Based QoS (DCS-7160)

The IPv4 ACL based QoS is enabled on switches through policy-map configuration. The ACL based QoS can be configured on front panel ports, port-channel interfaces on DCS-7160 series switches.

ACL based QoS on SVIs

The ACL based QoS policy applied on SVIs modify the QoS parameters for SVI traffic (L3 VLAN) based on ACL classification. The ACL based QoS on Switched Virtual Interface (SVI) ports is supported on DCS-7500E, DCS-7280E, DCS-7010, DCS-7050, DCS-7050X, DCS-7250X, DCS-7300X, DCS-7020TR.

ACL Sharing on QoS

The ACLs applied on QoS shares the hardware resources (TCAM) when potentially large QoS policy-maps are applied to multiple SVIs. For ACL based QoS on SVIs in sharing mode we share TCAM for class-maps without policer action and replicate entries for policer class-maps. The ACL Sharing on QoS is supported only on selected platforms.

The QoS actions is applicable only to the routed traffic flowing through the members of the corresponding VLAN.

The steps to configure ACL based QoS is as follows:

Create a access list using ip access-list command.
Create a class map and attach it to the access list using class-map command.
Create a policy and attach the class map to the policy created, using the policy-map command.
Apply the policy to the interface using the service-policy input command.
Examples
- These command configure the access list acl1.
```
switch(config)# ip access-list acl1
switch(config-acl-acl1)# permit ip 10.1.1.1/24 any
switch(config-acl-acl1)# exit
```
- These commands configure the class map class1.
```
switch(config)# class-map match-any class1
switch(config-cmap-qos-class1)# match ip access-group acl1
switch(config-cmap-qos-class1)# exit
```
- These commands configure the policy map policy1.
```
switch(config)# policy-map policy1 
switch(config-pmap-qos-policy1)# class class1
switch(config-pmap-c-qos-policy1-class1)# set dscp 20
switch(config-pmap-c-qos-policy1-class1)# set traffic-class 2
switch(config-pmap-c-qos-policy1-class1)# exit 
switch(config-pmap-c-qos-policy1)# exit
```
- These commands apply the policy1 to the interface ethernet 1/1.
```
switch(config)# interface Et1/1
switch(config-if-Et1/1)# service-policy input policy1 
switch(config-if-Et1/1)# exit
```
- These commands configure a ACL based QoS on the SVI interface VLAN10.
```
switch(config)# interface vlan 10
switch(config-if-Vl10)# service-policy [type qos] input policy1
```
- This command enables the resource (hardware) sharing when a ACL based QoS is attached to VLAN interface. The no form of the command disables it.
```
switch(config)# hardware access-list qos resource sharing vlan in
```
- This command allows inbound broadcast IP packets with source IP address as one of the permitted hosts and denies the rest of the directed broadcast traffic.
```
switch(config)# ip directed-broadcast
 switch(config-ip-directed-broadcast)# field-set ipv4 prefix ALLOWED1
 switch(config-ipdb-field-set-ipv4-prefix-ALLOWED)# 10.1.1.1/32 20.1.1.1/32 30.1.1.1/32
 switch(config-ipdb-field-set-ipv4-prefix-ALLOWED)# commit
 
 switch(config-ip-directed-broadcast)# field-set ipv4 prefix ALLOWED2
 switch(config-ipdb-field-set-ipv4-prefix-ALLOWED)# 10.2.1.1/32 20.2.1.1/32 30.2.1.1/32
 switch(config-ipdb-field-set-ipv4-prefix-ALLOWED)# commit
```
Show Commands
The following show commands display the status of policy-maps programmed on the interface, for more information on these commands refer Quality of Service Commands.
- show policy-map [policy-name]: Displays the policy-map programming status.
- show policy-map interface interface id: Displays the policy-map that is currently programmed on the interface.
- show policy-map [policy-name] counters: Displays the policy-map traffic hits.
- show platform xp qos tcam [hits]: Displays the TCAM entries programmed for each policy-map as well as the traffic hits. The hits option is used to see the TCAM entries with nonzero traffic hits.
- show run | grep sharing: Displays if whether the ACL based QoS is enabled or disabled.
- show platform trident tcam shared vlan interface-class-id: Displays what SVIs are currently sharing the QoS policy-map.
- show platform trident tcam directed-broadcast: Displays the permitted hosts via field-set.
- show platform trident tcam qos detail: Displays the list of all the SVIs that are sharing the TCAM entries.

Limitations

Maximum number of TCAM entries that can be programmed in hardware for all QoS policy-maps on the box is 1024.
Layer 4 port ranges are not supported for ACL based QoS. The ranges will be expanded into multiple TCAM rules and programmed in the hardware.
Configured policer rate should be above 1mbps and recommended burst value is 2000 bytes.
Policer action cannot be associated with policy-maps applied to Port-Channels.

The following are the limitations specific to DCS-7500E, DCS-7280E and DCS-7020TR:

UThe user cannot apply more than 31 QoS service policies per chip on L3 interfaces.

When different QoS service policies are applied to the SVI and its member interfaces, the behavior is indeterministic.
When QoS service policies are applied on SVIs with partial failures due to limited hardware resources, any event that triggers a forwarding agent restart will lead to indeterministic behavior.
When QoS service policies are applied on 2 SVIs, any event that triggers the VLAN membership change of a member interface may result in a policy-map programming failure. To change the VLAN membership, remove the interface from the first VLAN and then add it to the other.
Outgoing COS rewrite is not supported.
QoS policy-map counters are not supported.

The following are the limitations specific to DCS-7010, DCS-7050, DCS-7050X, DCS-7250X, DCS-7300X:

TCAM resources will not be shared for the same policy-map applied to multiple SVIs.
Policy-map applied to a SVI will result in TCAM allocation on all chips irrespective of whether the SVI members are present or not.

When QoS service policies are applied to both SVI and its member interfaces and packets hit both policies, the behavior is indeterministic.

Configuring IPv6 Flow Label Matches for QoS

In addition to criteria like COS and DSCP, QoS decisions can be based on the IPv6 flow labels of packets. To use IPv6 flow labels as a criterion for QoS decisions, use the permit command to create ACL rules to select packets based on their IPv6 flow labels using an exact match and an optional mask, and then apply the access list to a class map in a QoS policy map, which can then be applied to individual interfaces. This requires a TCAM profile which must be installed explicitly.

Install the QoS Flow Label TCAM Profile

Open the QoS flow label TCAM profile Web page at https://www.arista.com/en/support/toi/tcam-profile?pn=qos-match-ipv6-flow-label. Copy the entire contents of the file which starts with the following commands:

hardware tcam
system profile qos-match-ipv6-flow-label

There are approximately 130 lines.

Paste this into the CLI of the switch. Each command in the file will be executed in turn when you paste the file contents. When the paste completes, if the cursor is at the end of the last command, type enter to execute it.

Confirm the QoS Flow Label TCAM Profile Installation

Configure the TCAM with the hardware tcam command, and use the system profile command to confirm that the “qos-match-ipv6-flow-label” profile has been installed. If the profile is installed, the ? operator will show “qos-match-ipv6-flow-label” as an available profile.

Example

The following commands confirm whether the “qos-match-ipv6-flow-label” profile is installed and available to be applied.

switch(config)#hardware tcam
switch(config-tcam)#system profile qos-match?
WORD  qos-match-ipv6-flow-label

switch(config-tcam)#exit
switch(config)#

Apply the QoS Flow Label TCAM Profile

If the profile "qos-match-ipv6-flow-label" is listed, use the system profile command to apply it. Confirm that the profile has been successfully applied with the show hardware tcam profile command.

Example

The following commands apply the profile “qos-match-ipv6-flow-label” to the TCAM configuration, then confirm that the profile has been applied. The warning is normal, as the restart of forwarding agents is part of the procedure.

switch(config)#hardware tcam
switch(config-tcam)#system profile qos-match-ipv6-flow-label
!
WARNING!
Changing TCAM profile will cause forwarding agent(s) to exit and restart.
All traffic through the forwarding chip managed by the restarting
forwarding agent will be dropped.

Proceed [y/n]y
switch(config-tcam)#exit
switch(config)#show hardware tcam profile
                     Configuration            Status
FixedSystem          qos-match-ipv6-flow-label qos-match-ipv6-flow-label
switch(config)#

Create IPv6 ACL Rules

Configure an access list with the ipv6 access-list command. Then create rules with the permit ipv6 command.

Example

The following commands create an IPv6 ACL rule which matches the flow label 23 in the access list L1.

switch(config)#ipv6 access-list L1
switch(config-ipv6-acl-L1)#permit ipv6 any any flow-label eq 23
switch(config-ipv6-acl-L1)#exit
switch(config)#

Add Access List to QoS Class Map

Configure a QoS class map with the class-map command. Then add an access list to the class map with the match command.

Example

The following commands create a QoS class map called C1, and then add the access list L1.

switch(config)#class-map type qos match-any C1
switch(config-cmap-qos-C1)#match ipv6 access-group L1
switch(config-cmap-qos-C1)#exit
switch(config)#

Add Class Map to Policy Map

Configure a QoS policy map, creating it if necessary, with the policy-map command. Then add a class map to the policy map and define the traffic class.

Example

The following commands configure the QoS policy map P1 and add the class map C1, and then assign the class to traffic class 4.

switch(config)#policy-map type quality-of-service P1
switch(config-pmap-quality-of-service-P1)#class C1
switch(config-pmap-c-quality-of-service-P1-C1)#set traffic-class 4
switch(config-pmap-c-quality-of-service-P1-C1)#exit
switch(config-pmap-quality-of-service-P1)#exit
switch(config)#

Configure An Interface with QoS Policy

Configure an interface with the interface command. Apply the QoS policy to the interface with the service-policy command.

Example

The following commands configure the Ethernet interface 1/1, and apply the QoS policy P1 to the interface.

switch(config)#interface Ethernet 1/1
switch(config-if-Et1/1)#service-policy type qos input P1
switch(config-if-Et1/1)#exit
switch(config)#

Example

The following commands confirm that the policy map P1 has been programmed successfully.

switch(config)#show policy-map P1
Service-policy input: P1
  Hardware programming status: Successful

  Class-map: C1 (match-any)
    Match: ipv6 access-group name L1
       set traffic-class 4

  Class-map: class-default (match-any)

switch(config)#show ipv6 access-lists L1
IPV6 Access List L1
        10 permit ipv6 any any flow-label eq 23
switch(config)#

Differentiated MMU Discard Counters

To count discarded packets through tagging, assign drop-precendes for a certain class of packets on platforms that support such tagging.

Configuring Differentiated MMU Discard Counters

The following steps configure the Differentiated MMU Discard Counters.

Configure an IP access-lists to match traffic

switch(config)# ip access-list acl1
switch(config-acl-acl1)# permit 41 any any !!41 = 0x29 = IPv6

Add the access-list to a class-map

switch(config)# class-map type qos match-any class1
switch(config-cmap-qos-class1)# match ip access-group acl1

Add the class-map to a policy-map

switch(config)# policy-map type quality-of-service policy1
switch(config-pmap-quality-of-service-policy1)# class class1

Add drop-precedence action to the policy-map

switch(config-pmap-c-quality-of-service-policy1-class1)# set drop-precedence 2

Create qos profile with the policy map assigned

switch(config)# qos profile qos1
switch(config-qos-profile-qos1)# service-policy input policy1

Apply the policy-map to the interface

switch(config)# int et3/1
switch(config-if-Et3/1)# service-profile qos1

Repeat step 6 on all interfaces that receive traffic to be counted. Packets are tagged on ingress. If the same packet gets dropped on egress as an MMU discard, the corresponding counter gets incremented.

Displaying Differentiated MMU Discard Counters

The show interface counters queue drop-precedence command displays the drop-precedence counters. Based on the above configuration, drop-precedence 2 counts IPv6 packets.

switch# show interface counters queue drop-precedence
intf        0          1          2
Et1/1     100          0        200
Et1/2     200          0        300
…

txQueue Percentage-based Shaping

When you enable this feature using the qos tx-queue shape rate percent percentage adaptive command, QoS calculates the txQueue shape rate based the available bandwidth and not the link speed. For instance, if the interface has a link speed of 100Gbps, and the subinterface configured to 50%, then the subinterface has a link speed of 50Gbps.

Configuring txQueue Percentage-based Shaping

Use the following command to configure traffic for a 50Gps interface for adaptive shaping on interfaces.

switch(config)#qos tx-queue shape rate percentage adaptive
! Change will take effect only after switch reboot.

Reboot the switch.

Displaying txQueue Adaptive Information

Use the show qos tx-queue to display the status of the configuration. One of the following messages displays after entering the command:

No Configuration

switch#show qos tx-queue
Shape rate percent : Non-Adaptive

Configuration Successful After Switch Reboot

switch#show qos tx-queue
Shape rate percent : Adaptive

Configuration Successful but No Switch Reboot

switch#show qos tx-queue
Shape rate percent : Non-Adaptive (reboot required for Adaptive)

Quality of Service Commands

QoS and ECN Display Commands

show interface counters queue drop-precedence
show platform petraA traffic-class
show platform trident tcam shared vlan interface-class-id
show platform trident tcam qos detail
show platform xp qos tcam hit
show policy-map
show policy-map interface
show qos interfaces
show qos interfaces latency maximum
show qos interfaces trust
show qos interfaces random-detect ecn
show qos maps
show qos map dscp to traffic-class
show qos profile
show run|grep sharing
show qos profile summary
show qos random-detect ecn

ECN Configuration Commands

qos random-detect ecn allow non-ect chip-based (Tomahawk and Trident)
qos random-detect ecn global-buffer (Helix)
qos random-detect ecn global-buffer (Trident and Tomahawk)
random-detect ecn (Arad/Jericho)
random-detect ecn (Helix)
random-detect ecn (Trident and Tomahawk)

Transmit Queue and Port Shaping Commands – Arad and Jericho Platforms

bandwidth percent (Arad/Jericho)
priority (Arad/Jericho)
shape rate (Interface – Arad/Jericho)
shape rate (Tx-queue – Arad/Jericho)
tx-queue (Arad/Jericho)

Transmit Queue and Port Shaping Commands – FM6000 Platform

bandwidth percent (FM6000)
priority (FM6000)
shape rate (Interface – FM6000)
shape rate (Tx-queue – FM6000)
tx-queue (FM6000)

Transmit Queue and Port Shaping Commands – Helix Platform

bandwidth guaranteed (Helix)
shape rate (Interface – Helix)
shape rate (Tx-queue – Helix)
tx-queue (Helix)

Transmit Queue and Port Shaping Commands – Petra Platform

bandwidth percent (Petra)
priority (Petra)
shape rate (Interface – Petra)
shape rate (Tx-queue – Petra)
tx-queue (Petra)

Transmit Queue and Port Shaping Commands – Trident and Tomahawk Platform

bandwidth percent (Trident and Tomahawk)
mc-tx-queue
priority (Trident and Tomahawk)
shape rate (Interface – Trident and Tomahawk)
shape rate (Tx-queue – Trident and Tomahawk)
uc-tx-queue

Transmit Queue and Port Shaping Commands – Trident II Platform

bandwidth guaranteed (Trident II)
shape rate (Tx-queue – Trident II)
shape rate (Interface – Trident II)
tx-queue (Trident II)
interface fabric (Trident II)

bandwidth guaranteed (Helix)

The bandwidth guaranteed command specifies the minimum bandwidth for outbound traffic on the transmit queue. By default, no bandwidth is guaranteed to any transmit queue.

The no bandwidth guaranteed and default bandwidth guaranteed commands remove the minimum bandwidth guarantee on the transmit queue by deleting the corresponding bandwidth guaranteed command from running-config.

Command Mode

Tx-Queue Configuration

Command Syntax

bandwidth guaranteed rate DATA_MIN

no bandwidth guaranteed

default bandwidth guaranteed

Parameters

DATA_MIN Minimum bandwidth. Value range varies with data unit:

8 to 40000000 8 to 40000000 kbytes per second.
8 to 40000000 kbps 8 to 40000000 kbytes per second.
1 to 60000000 pps 1 to 60000000 packets per second.

Related Command

tx-queue (Helix) places the switch in tx-queue configuration mode.

Example

These commands configure a minimum egress bandwidth of 1 Mbps for transmit queue 4 of interface ethernet 17/3.

switch(config)# interface ethernet 17
switch(config-if-Et17)# tx-queue 4
switch(config-if-Et17-txq-4)# bandwidth guaranteed 1000 kbps
switch(config-if-Et17-txq-4)# show qos interfaces ethernet 17

Ethernet17/3:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP
   5        - / -    (  -  )       - / -    (  -  )    SP / SP
   4        1 / 1    ( Mbps )      - / -    (  -  )    SP / SP
   3        - / -    (  -  )       - / -    (  -  )    SP / SP
   2        - / -    (  -  )       - / -    (  -  )    SP / SP
   1        - / -    (  -  )       - / -    (  -  )    SP / SP
   0        - / -    (  -  )       - / -    (  -  )    SP / SP

Note: Values are displayed as Operational/Configured

switch(config-if-Et17-txq-4)#

bandwidth guaranteed (Trident II)

The bandwidth guaranteed command specifies the minimum bandwidth for outbound traffic on the transmit queue. By default, no bandwidth is guaranteed to any transmit queue.

Command Mode

Tx-Queue Configuration

Command Syntax

bandwidth guaranteed rate DATA_MIN

no bandwidth guaranteed

default bandwidth guaranteed

Parameters

DATA_MIN minimum bandwidth. Value range varies with data unit:

8 to 40000000 kbytes per second.
8 to 40000000 kbps kbytes per second.
1 to 60000000pps packets per second.

Related Command

tx-queue (Trident II) places the switch in tx-queue configuration mode.

Example

These commands configure a minimum egress bandwidth of 1 Mbps for transmit queue 4 of interface ethernet 17/3.

switch(config)# interface ethernet 17/3
switch(config-if-Et17/3)# tx-queue 4
switch(config-if-Et17/3-txq-4)# bandwidth guaranteed 1000 kbps
switch(config-if-Et17/3-txq-4)# show qos interfaces ethernet 17/3

Ethernet17/3:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP
   5        - / -    (  -  )       - / -    (  -  )    SP / SP
   4        1 / 1    ( Mbps )      - / -    (  -  )    SP / SP
   3        - / -    (  -  )       - / -    (  -  )    SP / SP
   2        - / -    (  -  )       - / -    (  -  )    SP / SP
   1        - / -    (  -  )       - / -    (  -  )    SP / SP
   0        - / -    (  -  )       - / -    (  -  )    SP / SP

Note: Values are displayed as Operational/Configured

switch(config-if-Et17/3-txq-4)#

bandwidth percent (Arad/Jericho)

The bandwidth percent command configures the bandwidth share of the transmit queue when configured for round robin priority. Bandwidth is allocated to all queues based on the cumulative configured bandwidth of all the port’s round robin queues.

The cumulative operational bandwidth of all round robin queues is always less than or equal to 100%. If the cumulative configured bandwidth is greater than 100%, each port’s operational bandwidth is its configured bandwidth divided by the cumulative configured bandwidth.

The no bandwidth percent and default bandwidth percent commands restore the default bandwidth share of the transmit queue by removing the corresponding bandwidth percent command from running-config.

Command Mode

Tx-Queue Configuration

Command Syntax

bandwidth percent proportion

no bandwidth percent

default bandwidth percent

Parameters

proportion Bandwidth percentage assigned to queues. Values range from 1 to 100.

Related Command

tx-queue (Arad/Jericho) places the switch in tx-queue configuration mode.

Examples

These commands configure queues 0 through 3 (interface ethernet 3/5/1) as round robin, then allocate bandwidth for three queues at 30% and one queue at 10%.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# tx-queue 3
switch(config-if-Et3/5/1-txq-3)# no priority
switch(config-if-Et3/5/1-txq-3)# bandwidth percent 10
switch(config-if-Et3/5/1-txq-3)# tx-queue 2
switch(config-if-Et3/5/1-txq-2)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-2)# tx-queue 1
switch(config-if-Et3/5/1-txq-1)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-1)# tx-queue 0
switch(config-if-Et3/5/1-txq-0)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-0)# show qos interfaces ethernet 3/5/1

Ethernet3/5/1:

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3     10 / 10       - / -    (  -  )    RR / RR    D
   2     30 / 30       - / -    (  -  )    RR / SP    D
   1     30 / 30       - / -    (  -  )    RR / SP    D
   0     30 / 30       - / -    (  -  )    RR / SP    D

switch(config-if-Et3/5/1-txq-0)#

These commands re-configure the bandwidth share of the fourth queue at 30%.

switch(config-if-Et3/5/1-txq-0)# tx-queue 3
switch(config-if-Et3/5/1-txq-3)# bandwidth percent 30
switch(config-if-Et3/5/1-txq-3)# show qos interfaces ethernet 3/5/1

Ethernet3/5/1:

   Port shaping rate: disabled

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3     24 / 30       - / -    (  -  )    RR / RR    D
   2     24 / 30       - / -    (  -  )    RR / SP    D
   1     24 / 30       - / -    (  -  )    RR / SP    D
   0     24 / 30       - / -    (  -  )    RR / SP    D

Note: Values are displayed as Operational/Configured

switch(config-if-Et3/5/1-txq-3)#

These commands configure the bandwidth share of the fourth queue at 2%.

switch(config-if-Et3/5/1-txq-3)# bandwidth percent 2
switch(config-if-Et3/5/1-txq-3)# show qos interfaces ethernet 3/5/1

Ethernet3/5/1:

   Port shaping rate: disabled

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3      2 / 2        - / -    (  -  )    RR / RR    D
   2     30 / 30       - / -    (  -  )    RR / SP    D
   1     30 / 30       - / -    (  -  )    RR / SP    D
   0     30 / 30       - / -    (  -  )    RR / SP    D

Note: Values are displayed as Operational/Configured

switch(config-if-Et3/5/1-txq-3)#

bandwidth percent (FM6000)

Command Mode

Tx-Queue Configuration

Command Syntax

bandwidth percent proportion

no bandwidth percent

default bandwidth percent

Parameters

proportion Configured bandwidth percentage. Value ranges from 1 to 100. Default value is 0.

Related Command

tx-queue (FM6000) places the switch in tx-queue configuration mode.

Examples

These commands configure queues 0 through 3 (interface Ethernet 19) as round robin, then allocate bandwidth for three queues at 30% and one queue at 10%.

switch(config)# interface Ethernet 19
switch(config-if-Et19)# tx-queue 3
switch(config-if-Et19-txq-3)# no priority
switch(config-if-Et19-txq-3)# bandwidth percent 10
switch(config-if-Et19-txq-3)# tx-queue 2
switch(config-if-Et19-txq-2)# bandwidth percent 30
switch(config-if-Et19-txq-2)# tx-queue 1
switch(config-if-Et19-txq-1)# bandwidth percent 30
switch(config-if-Et19-txq-1)# tx-queue 0
switch(config-if-Et19-txq-0)# bandwidth percent 30
switch(config-if-Et19-txq-0)# show qos interface ethernet 19

Ethernet19:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

 Tx    Bandwidth  Bandwidth          Shape Rate     Priority  ECN/WRED
 Queue (percent)  Guaranteed (units)  units)
 
-----------------------------------------------------------------------
  7     - / -      - / -     ( - )     - / -  ( - )  SP / SP    D
  6     - / -      - / -     ( - )     - / -  ( - )  SP / SP    D
  5     - / -      - / -     ( - )     - / -  ( - )  SP / SP    D
  4     - / -      - / -     ( - )     - / -  ( - )  SP / SP    D
  3    10 / 10     - / -     ( - )     - / -  ( - )  RR / RR    D
  2    30 / 30     - / -     ( - )     - / -  ( - )  RR / SP    D
  1    30 / 30     - / -     ( - )     - / -  ( - )  RR / SP    D
  0    30 / 30     - / -     ( - )     - / -  ( - )  RR / SP    D

Note: Values are displayed as Operational/Configured

Legend:
RR -> Round Robin
SP -> Strict Priority
 -  -> Not Applicable / Not Configured
ECN/WRED: L -> Queue Length ECN Enabled     W -> WRED Enabled     D -> Disabled

These commands re-configure the bandwidth share of transmit queue 3 at 30%.

cp118.14:04:20# config
cp118.14:04:23(config)# interface ethernet 19
cp118.14:04:47(config-if-Et19-txq-0)# tx-queue 3
cp118.14:04:59(config-if-Et19-txq-3)# bandwidth percent 30
cp118.14:05:16(config-if-Et19-txq-3)# show qos interface ethernet 19

Ethernet19:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

 Tx   Bandwidth   Bandwidth          Shape Rate      Priority  ECN/WRED
Queue (percent)   Guaranteed (units)  (units)
 
------------------------------------------------------------------------
  7     - / -      - / -     ( - )     - / -  ( - )   SP / SP    D
  6     - / -      - / -     ( - )     - / -  ( - )   SP / SP    D
  5     - / -      - / -     ( - )     - / -  ( - )   SP / SP    D
  4     - / -      - / -     ( - )     - / -  ( - )   SP / SP    D
  3    24 / 30     - / -     ( - )     - / -  ( - )   RR / RR    D
  2    24 / 30     - / -     ( - )     - / -  ( - )   RR / SP    D
  1    24 / 30     - / -     ( - )     - / -  ( - )   RR / SP    D
  0    24 / 30     - / -     ( - )     - / -  ( - )   RR / SP    D

Note: Values are displayed as Operational/Configured

Legend:
RR -> Round Robin
SP -> Strict Priority
 -  -> Not Applicable / Not Configured
ECN/WRED: L -> Queue Length ECN Enabled     W -> WRED Enabled     D -> Disabled

These commands re-configure the bandwidth share of transmit queue 3 at 2%.

cp118.14:09:37(config-if-Et19-txq-3)# bandwidth percent 2
cp118.14:12:56(config-if-Et19-txq-3)# show qos interface ethernet 19

Ethernet19:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

 Tx   Bandwidth  Bandwidth           Shape Rate    Priority  ECN/WRED
Queue (percent)  Guaranteed (units)  (units)
 
----------------------------------------------------------------------
  7     - / -      - / -     ( - )   - / -  ( - )   SP / SP   D
  6     - / -      - / -     ( - )   - / -  ( - )   SP / SP   D
  5     - / -      - / -     ( - )   - / -  ( - )   SP / SP   D
  4     - / -      - / -     ( - )   - / -  ( - )   SP / SP   D
  3     2 / 2      - / -     ( - )   - / -  ( - )   RR / RR   D
  2    30 / 30     - / -     ( - )   - / -  ( - )   RR / SP   D
  1    30 / 30     - / -     ( - )   - / -  ( - )   RR / SP   D
  0    30 / 30     - / -     ( - )   - / -  ( - )   RR / SP   D

Note: Values are displayed as Operational/Configured

Legend:
RR -> Round Robin
SP -> Strict Priority
 -  -> Not Applicable / Not Configured
ECN/WRED: L -> Queue Length ECN Enabled     W -> WRED Enabled     D -> Disabled

bandwidth percent (Petra)

Command Mode

Tx-Queue Configuration

Command Syntax

bandwidth percent proportion

no bandwidth percent

default bandwidth percent

Parameters

proportionBandwidth percentage assigned to queues. Values range from 1 to 100.

Related Command

tx-queue (Petra)places the switch in tx-queue configuration mode.

Examples

These commands configure queues 0 through 3 (interface ethernet 3/28) as round robin, then allocate bandwidth for three queues at 30% and one queue at 10%.

switch(config)# interface ethernet 3/28
switch(config-if-Et3/28)# tx-queue 3
switch(config-if-Et3/28-txq-3)# no priority
switch(config-if-Et3/28-txq-3)# bandwidth percent 10
switch(config-if-Et3/28-txq-3)# tx-queue 2
switch(config-if-Et3/28-txq-2)# bandwidth percent 30
switch(config-if-Et3/28-txq-2)# tx-queue 1
switch(config-if-Et3/28-txq-1)# bandwidth percent 30
switch(config-if-Et3/28-txq-1)# tx-queue 0
switch(config-if-Et3/28-txq-0)# bandwidth percent 30
switch(config-if-Et3/28-txq-0)# show qos interface ethernet 3/28

Ethernet3/28:

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3          10     disabled   round-robin
          2          30     disabled   round-robin
          1          30     disabled   round-robin
          0          30     disabled   round-robin

switch(config-if-Et3/28-txq-0)#

These commands re-configure the bandwidth share of the fourth queue at 30%.

switch(config-if-Et3/28-txq-0)# tx-queue 3
switch(config-if-Et3/28-txq-3)# bandwidth percent 30
switch(config-if-Et3/28-txq-3)# show qos interface ethernet 3/28

Ethernet3/28:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
-----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3          24     disabled   round-robin
          2          24     disabled   round-robin
          1          24     disabled   round-robin
          0          24     disabled   round-robin

switch(config-if-Et3/28-txq-3)#

These commands configure the bandwidth share of the fourth queue at 2%.

switch(config-if-Et3/28)# tx-queue 3
switch(config-if-Et3/28-txq-3)# bandwidth percent 2
switch(config-if-Et3/28-txq-3)# show qos interface ethernet 3/28

Ethernet3/28:
   Trust Mode: COS


   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3           2     disabled   round-robin
          2          30     disabled   round-robin
          1          30     disabled   round-robin
          0          30     disabled   round-robin

switch(config-if-Et3/28-txq-3)#

bandwidth percent (Trident and Tomahawk)

Command Mode

Mc-Tx-Queue configuration

Uc-Tx-Queue configuration

Command Syntax

bandwidth percent proportion

no bandwidth percent

default bandwidth percent

Parameters

proportion Bandwidth percentage assigned to queues. Values range from 1 to 100.

Related Commands

mc-tx-queue places the switch in mc-tx-queue configuration mode.
uc-tx-queue places the switch in uc-tx-queue configuration mode.

Examples

These commands configure unicast transmit queue 3 (and all other queues of lower priority) as round robin, then allocate bandwidth for unicast transmit queues 1, 2, and 3 at 30% and multicast transmit queue 1 at 10%.

switch(config)# interface ethernet 7
switch(config-if-Et7)# uc-tx-queue 3
switch(config-if-Et7-uc-txq-3)# no priority
switch(config-if-Et7-uc-txq-3)# bandwidth percent 30
switch(config-if-Et7-uc-txq-3)# uc-tx-queue 2
switch(config-if-Et7-uc-txq-2)# bandwidth percent 30
switch(config-if-Et7-uc-txq-2)# uc-tx-queue 1
switch(config-if-Et7-uc-txq-1)# bandwidth percent 30
switch(config-if-Et7-uc-txq-1)# mc-tx-queue 1
switch(config-if-Et7-mc-txq-1)# bandwidth percent 10
switch(config-if-Et7-mc-txq-1)# show qos interfaces ethernet 7

Ethernet7:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A     disabled        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A     disabled        strict                0
        UC3          30     disabled   round-robin                0
        UC2          30     disabled   round-robin                0
        MC1          10     disabled   round-robin                0
        UC1          30     disabled   round-robin                0
        UC0           0     disabled   round-robin                0
        MC0           0     disabled   round-robin                0

switch(config-if-Et7-mc-txq-1)#

These commands re-configure the bandwidth share of unicast queue 3 at 55%.

switch(config-if-Et7-mc-txq-1)# uc-tx-queue 3
switch(config-if-Et7-uc-txq-3)# bandwidth percent 55
switch(config-if-Et7-uc-txq-3)# show qos interface ethernet 7

Ethernet7:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A     disabled        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A     disabled        strict                0
        UC3          44     disabled   round-robin                0
        UC2          24     disabled   round-robin                0
        MC1           8     disabled   round-robin                0
        UC1          24     disabled   round-robin                0
        UC0           0     disabled   round-robin                0
        MC0           0     disabled   round-robin                0

switch(config-if-Et7-uc-txq-3)#

color

Use the color command for the ability to configure the color extended community in route-map set clauses and in an extcommunity-list for inbound and outbound policy application.

Command Mode

Route-maps and extcommunity-lists

Command Syntax

color COLOR-VALUE [color-only [exact-match | [endpoint-match [any | null]]]]

Parameters

COLOR-VALUE A single policy color value, range 0 to 4294967295.
color-onlyAllows configuration of color-only bits.
exact-matchExplicitly sets the color-only bits of the extended community to 00 (optional).
endpoint-match anySets the color-only bits of the extended community to 10.
endpoint-match null Sets the color-only bits of the extended community to 01.

Example

switch(config)# route-map foo
switch(config0route-map-foo)# set community color 2 color-only endpoint-match any

dscp to traffic-class (DSCP map)

The dscp to traffic-class command configures the specified QoS map to map one or more DSCP classes to a traffic class. Only one traffic class may be specified per command. The command can be repeated to configure additional traffic classes. The configuration is modified immediately. Each dscp to traffic-class command overwrites the existing entries in the map.

The default dscp to traffic-class and no dscp to traffic-class commands restore the global map values for the given DSCP classes.

Command Mode

DSCP Map Configuration

Command Syntax

dscp dscp_classes to traffic-class traffic_class

default dscp dscp_classes to traffic-class

no dscp dscp_classes to traffic-class

Parameters

dscp_classesThe DSCP class or classes to map to a new traffic-class value.These can be provided as a single value, a range given with a hyphen (such as 20-25), a comma separated list (such as 1,4,9), or a combination (such as 20-25, 35). The range for each value is 0-63.
traffic_classThe traffic class to map the specified DSCP class or classes to.

Example

These commands configure the DSCP-to-traffic-class map map1 to map DSCP class 35 to traffic class 7, and DSCP classes 20-25 to traffic class 6.

switch(config)#qos map dscp to traffic-class name map1
switch(config-dscp-map-map1)#dscp 35 to traffic-class 7
switch(config-dscp-map-map1)#dscp 20-25 to traffic-class 6

hardware access-list qos resource sharing vlan in

The hardware access-list qos resource sharing vlan in command enables the ACL based QoS resources sharing on a VLAN interface.

The no hardware access-list qos resource sharing vlan in disables the ACL based QoS resources sharing on a VLAN interface. By default this function is disabled.

Command Mode

Global Configuration

Command Syntax

hardware access-list qos resource sharing vlan in

no hardware access-list qos resource sharing vlan in

Example

This commands enables the ACL based QoS resources sharing on a VLAN interface.

switch(config)# hardware access-list qos resource sharing vlan in

interface fabric (Trident II)

The interface fabric command places the switch in Fabric-interface configuration mode and allows the user to attach the QoS profile to the fabric interface of the switch.

Command Mode

Global Configuration

Command Syntax

interface fabric

Example

This command places the switch in Fabric-interface configuration mode.

switch(config)# interface fabric
switch(config-if-fabric)#

ip extcommunity-list

The ip extcommunity-list command adds a color extended community to an extcommunity-list. Multiple color extended communities can be added to the list. Negating the command removes the corresponding color extended community from the list.

Command Mode

Configuration mode

Command Syntax

ip extcommunity-list WORD [permit | deny][COLOR-EXPRESSION]

no ip extcommunity-list WORD [permit | deny] COLOR-EXPRESSION]

default ip extcommunity-list WORD [permit | deny][COLOR-EXPRESSION]

Parameters

WORDCommunity list name.
permitSpecifies community to accept.
denySpecifies comminity to reject.
COLOR-EXPRESSIONColor extended community.

Example

arista(config)# ip extcommunity-list foo permit color 1 color 2
arista(config)# ip extcommunity-list bar permit color 3 color-only endpoint-match null color 4 color-only endpoint-match any

mc-tx-queue

The mc-tx-queue command places the switch in mc-tx-queue configuration mode to configure a multicast transmit queue on the configuration mode interface. Mc-tx-queue configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.

Trident and Tomahawk switches have four multicast queues (MC0 – MC03) and eight unicast queues (UC0 – UC7), categorized into two priority groups. All queues are exposed through the CLI and are user configurable.

Priority Group 1: UC7, UC6, MC3
Priority Group 0: UC5, UC4, MC2, UC3, UC2, MC1, UC1, UC0, MC0

The exit command returns the switch to the configuration mode for the base Ethernet or port channel interface.

The no mc-tx-queue and default mc-tx-queue commands remove the configuration for the specified transmit queue by deleting the all corresponding mc-tx-queue mode commands from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

mc-tx-queue queue_level

Parameters

queue_level The multicast transmit queue number. Values range from 0 to 3.

Commands Available in tx-queue Configuration Mode

bandwidth percent (Trident and Tomahawk)
priority (Trident and Tomahawk)
shape rate (Tx-queue – Trident and Tomahawk)

Related Command

uc-tx-queue Configures unicast transmit queues on Trident and Tomahawk platform switches.

Example

This command enters mc-tx-queue configuration mode for multicast transmit queue 3 of interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# mc-tx-queue 3
switch(config-if-Et5-mc-txq-3)#

platform petraA traffic-class

The platform petraA traffic-class command configures the default traffic class used by all ports on a specified chip. The default traffic class is implemented by Petra platform switches to replace qos cos and qos dscp commands. Traffic class values range from 0 to 7. The default traffic class is 1.

When platform ? returns Petra:

CoS trusted ports: inbound untagged packets are assigned to the default traffic class. Tagged packets are assigned to the traffic class that corresponds to the contents of its CoS field.
DSCP trusted ports: inbound non-IP packets are assigned to the default traffic class. IP packets are assigned to the traffic class that corresponds to the contents of its DSCP field.
Untrusted ports: all inbound packets are assigned to the default traffic class.

The no platform petraA traffic-class and default platform petraA traffic-class commands restore the default traffic class of one for all ports on the specified chips by deleting the corresponding platform petraA traffic-class command from running-config.

Command Mode

Global Configuration

Command Syntax

platform petraA [CHIP_NAME] traffic-class tc_value

no platform petraA [CHIP_NAME] traffic-class

default platform petraA [CHIP_NAME] traffic-class

Parameters

CHIP_NAME Trust mode assigned to the specified ports. Port designation options include:

- no parameter All ports on the switch.
- module cardX All ports on specified linecard (7500 Series).
- petra cardX / chipY All ports on PetraA chip chipY on linecard cardX (7500 Series).
- petra -chipZ All ports on PetraA chip chipZ (7048 Series)

7500 Series

Switches can contain up to eight linecards. CardX varies from 3 to 10.

Each linecard contains six PetraA chips. Each chip controls eight ports. ChipY varies from 0 to 5:

0 controls ports 1 through 8:
- 1 controls ports 9 through 16.
- 2 controls ports 17 through 24.
- 3 controls ports 25 through 32.
- 4 controls ports 33 through 40.
- 5 controls ports 41 through 48.

7048 Series

Each switch contains two PetraA chips. ChipZ varies from 0 to 1:

0 controls ports 1 through 32.
- 1 controls ports 33 through 52.
tc_value Traffic class value. Values range from 0 to 7. Default value is 1.

Related Command

show platform petraA traffic-class displays the traffic class assignment on all specified Petra chips.

Example

This command configures the default traffic class 6 for ports 25-32 on linecard 5.

switch(config)# platform petraA petra5/3 traffic-class 6
switch(config)#

priority (Arad/Jericho)

The priority command specifies the priority of the transmit queue. The switch supports two queue priorities:

strict priority: contents are removed from the queue - subject to maximum bandwidth limits, before data from lower priority queues. The default setting on all queues is strict priority.
round robin priority: contents are removed proportionately from all round robin queues - subject to maximum bandwidth limits assigned to the strict priority queues.

Tx-queue 7 is set to strict priority and is not configurable.

When a queue is configured as a round robin queue, all lower priority queues also function as round robin queues. A queue’s numerical label denotes its priority: higher labels denote higher priority. Tx-queue 6 has higher priority than Tx-queue 5, and Tx-queue 0 has the lowest priority.

The priority strict and default priority commands configure a transmit queue to function as a strict priority queue unless a higher priority queue is configured as a round robin queue.

The no priority command configures a transmit queue as a round robin queue. All lower priority queues also function as round robin queues regardless of their configuration.

Command Mode

Tx-Queue Configuration

Command Syntax

priority strict

no priority

default priority

Related Command

tx-queue (Arad/Jericho) places the switch in tx-queue configuration mode.

Example

These commands perform the following on interface ethernet 3/4/1:

Displays the default state of all transmit queues.
Configures transmit queue 3 as a round robin queue.
Displays the effect of the no priority command on all transmit queues on the interface.

switch(config)# interface ethernet 3/4/1
switch(config-if-Et3/4/1)# show qos interfaces ethernet 3/4/1

Ethernet3/4/1:

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -      999 / 1000 ( Mbps )   SP / SP    D
   3      - / -      999 / 1000 ( Mbps )   SP / SP    D
   2      - / -        - / -    (  -  )    SP / SP    D
   1      - / -        - / -    (  -  )    SP / SP    D
   0      - / -        - / -    (  -  )    SP / SP    D

Note: Values are displayed as Operational/Configured

switch(config-if-Et3/4/1)# tx-queue 3
switch(config-if-Et3/4/1-txq-3)# no priority
switch(config-if-Et3/4/1-txq-3)# show qos interfaces ethernet 3/4/1

Ethernet3/4/1:

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -      999 / 1000 ( Mbps )   SP / SP    D
   3     25 / -      999 / 1000 ( Mbps )   RR / RR    D
   2     25 / -        - / -    (  -  )    RR / SP    D
   1     25 / -        - / -    (  -  )    RR / SP    D
   0     25 / -        - / -    (  -  )    RR / SP    D

Note: Values are displayed as Operational/Configured

switch(config-if-Et3/4/1-txq-3)#

priority (FM6000)

The priority command specifies the priority of the transmit queue. The switch supports two queue priorities:

strict priority: contents are removed from the queue - subject to maximum bandwidth limits, before data from lower priority queues. The default setting on all queues is strict priority.
round robin priority: contents are removed proportionately from all round robin queues - subject to maximum bandwidth limits assigned to the strict priority queues.

The priority strict and default priority commands configure a transmit queue to function as a strict priority queue unless a higher priority queue is configured as a round robin queue.

The no priority command configures a transmit queue as a round robin queue. All lower priority queues also function as round robin queues regardless of their configuration.

Command Mode

Tx-Queue Configuration

Command Syntax

priority strict

no priority

default priority

Related Command

tx-queue (FM6000) places the switch in tx-queue configuration mode.

Example

These commands perform the following on interface ethernet 19:

Displays the default state of all transmit queues.
Configures transmit queue 3 as a round robin queue.

Displays the effect of the no priority command on all transmit queues on the interface.

switch(config)# interface ethernet 19
switch(config-if-Et19)# show qos interface ethernet 19

Ethernet19:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3         N/A     disabled        strict
          2         N/A     disabled        strict
          1         N/A     disabled        strict
          0         N/A     disabled        strict

switch(config-if-Et19)# tx-queue 3
switch(config-if-Et19-txq-3)# no priority
switch(config-if-Et19-txq-3)# show qos interface ethernet 19

Ethernet19:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3          25     disabled   round-robin
          2          25     disabled   round-robin
          1          25     disabled   round-robin
          0          25     disabled   round-robin

switch(config-if-Et19-txq-3)#

priority (Petra)

The priority command specifies the priority of the transmit queue. The switch supports two queue priorities:

strict priority: contents are removed from the queue - subject to maximum bandwidth limits, before data from lower priority queues. The default setting on all queues is strict priority.
round robin priority: contents are removed proportionately from all round robin queues - subject to maximum bandwidth limits assigned to the strict priority queues.

Tx-queue 7 is set to strict priority and is not configurable.

The priority strict and default priority commands configure a transmit queue to function as a strict priority queue unless a higher priority queue is configured as a round robin queue.

The no priority command configures a transmit queue as a round robin queue. All lower priority queues also function as round robin queues regardless of their configuration.

Command Mode

Tx-Queue Configuration

Command Syntax

priority strict

no priority

default priority

Related Command

tx-queue (Petra) places the switch in tx-queue configuration mode.

Example

These commands perform the following on Ethernet interface 3/28:

Displays the default state of all transmit queues.
Configures transmit queue 3 as a round robin queue.

Displays the effect of the no priority command on all transmit queues on the interface.

switch(config)# interface ethernet 3/28
switch(config-if-Et3/28)# show qos interface ethernet 3/28

Ethernet3/28:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3         N/A     disabled        strict
          2         N/A     disabled        strict
          1         N/A     disabled        strict
          0         N/A     disabled        strict

switch(config-if-Et3/28)# tx-queue 3
switch(config-if-Et3/28-txq-3)# no priority
switch(config-if-Et3/28-txq-3)# show qos interface ethernet 3/28

Ethernet3/28:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A     disabled        strict
          3          25     disabled   round-robin
          2          25     disabled   round-robin
          1          25     disabled   round-robin
          0          25     disabled   round-robin

switch(config-if-Et3/28-txq-3)#

priority (Trident and Tomahawk)

The priority command specifies the priority of the transmit queue. The switch supports two queue priorities:

strict priority: contents are removed from the queue - subject to maximum bandwidth limits, before data from lower priority queues. The default setting on all other queues is strict priority.
round robin priority: contents are removed proportionately from all round robin queues - subject to maximum bandwidth limits assigned to the strict priority queues.

Trident and Tomahawk switches have eight unicast queues (UC0 – UC7) and four multicast queues (MC0 – MC03), categorized into two priority groups. Priority group 1 queues have priority over priority 0 queues. The following lists display the priority group queues in order from higher priority to lower priority.

Priority Group 1: UC7, UC6, MC3
Priority Group 0: UC5, UC4, MC2, UC3, UC2, MC1, UC1, UC0, MC0

Priority group 1 queues are strict priority queues and are not configurable as round robin. Priority 0 queues are strict priority by default and are configurable as round robin. When a queue is configured as a round robin queue, all lower priority queues automatically function as round robin queues.

The priority strict and default priority commands configure a transmit queue to function as a strict priority queue unless a higher priority queue is configured as a round robin queue.

The no priority command configures a transmit queue as a round robin queue. All lower priority queues also function as round robin queues regardless of their configuration.

Command Mode

Mc-Tx-Queue configuration

Uc-Tx-Queue configuration

Command Syntax

priority strict

no priority

default priority

Related Commands

mc-tx-queue places the switch in mc-tx-queue configuration mode.
uc-tx-queue places the switch in uc-tx-queue configuration mode.

Example

These commands perform the following on interface ethernet 7:

Displays the default state of all transmit queues.
Configures transmit queue 3 as a round robin queue.

Displays the effect of the no priority command on all transmit queues on the interface.

switch(config) #interface ethernet 7
switch(config-if-Et7)# show qos interface ethernet 7

Ethernet7:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A     disabled        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A     disabled        strict                0
        UC3         N/A     disabled        strict                0
        UC2         N/A     disabled        strict                0
        MC1         N/A     disabled        strict                0
        UC1         N/A     disabled        strict                0
        UC0         N/A     disabled        strict                0
        MC0         N/A     disabled        strict                0

switch(config-if-Et7)# uc-tx-queue 3
switch(config-if-Et7-uc-txq-3)# no priority
switch(config-if-Et7-uc-txq-3)# show qos interface ethernet 7

Ethernet7:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A     disabled        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A     disabled        strict                0
        UC3          20     disabled   round-robin                0
        UC2          16     disabled   round-robin                0
        MC1          16     disabled   round-robin                0
        UC1          16     disabled   round-robin                0
        UC0          16     disabled   round-robin                0
        MC0          16     disabled   round-robin                0

switch(config-if-Et7-uc-txq-3)#

qos cos

The qos cos command specifies the default class of service (CoS) value of the configuration mode interface. CoS values range from 0 to 7. Default value is 0.

Arad, Jericho, fm6000, Trident, Tomahawk, and Trident II platform switches:

CoS trusted ports: the default CoS value determines the traffic class for inbound untagged packets. Tagged packets are assigned to the traffic class that corresponds to the contents of its CoS field.
Untrusted ports: the default CoS value determines the traffic class for all inbound packets.

Petra platform switches:

CoS trusted ports: inbound untagged packets are assigned to the default traffic class, as configured by platform petraA traffic-class. Tagged packets are assigned to the traffic class that corresponds to the contents of its CoS field.
Untrusted ports: all inbound packets are assigned to the default traffic class.

The no qos cos and default qos cos commands restore the port’s default CoS value to zero by deleting the corresponding qos cos command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

qos cos cos_value

no qos cos

default qos cos

Parameters

cos_valueCoS value assigned to port. Value ranges from 0 to 7. Default value is 0.

Example

This command configures the default CoS 4 on interface ethernet 8.

switch(config-if-Et8)# qos cos 4
switch(config-if-Et8)#

qos dscp

The qos dscp command specifies the default Differentiated Services Code Point (DSCP) value of the configuration mode interface. The default DSCP determines the traffic class for non-IP packets that are inbound on DSCP trusted ports. DSCP trusted ports determine the traffic class for inbound packets as follows:

Arad, Jericho, fm6000, Trident, Tomahawk, and Trident II platform switches:
- non-IP packets: default DSCP value specified by qos dscp determines the traffic class.
- IP packets: assigned to the traffic class corresponding to its DSCP field contents.
Petra platform switches:
- non-IP packets: assigned to default traffic class configured by platform petraA traffic-class.
- IP packets: assigned to the traffic class corresponding to its DSCP field contents.

The no qos dscp and default qos dscp commands restore the port’s default DSCP value to zero by deleting the corresponding qos dscp command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

qos dscp dscp_value

no qos dscp

default qos dscp

Parameters

dscp_value DSCP value assigned to the port. Value ranges from 0 to 63. Default value is 0.

Example

This command sets the default DSCP of 44 on interfacee thernet 7.

switch(config)# interface ethernet 7
switch(config-if-Et7)# qos dscp 44
switch(config-if-Et7)

qos map cos

The qos map cos command associates a traffic class to a list of class of service (CoS) settings. Multiple commands create a complete CoS to traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s CoS field or the port upon which it is received.

The no qos map cos and default qos map cos commands restore the specified CoS values to their default traffic class setting by deleting the corresponding qos map cos statements from running-config.

Command Mode

Global Configuration

Command Syntax

qos map cos cos_value_1 [cos_value_2 ... cos_value_n] to traffic-class tc_value

no qos map cos cos_value_1 [cos_value_2 ... cos_value_n]

default qos map cos cos_value_1 [cos_value_2 ... cos_value_n]

Parameters

cos_value_x Class of Service (CoS) value. Value ranges from 0 to 7.
tc_value Traffic class value. Value range varies by platform.

Default CoS to traffic class map varies by platform (Table 35).

Default Inbound CoS to Traffic Class Map

Table 35 displays the default CoS to traffic class map for each platform.

Table 35. Default CoS to Traffic Class Map
Inbound CoS	untagged	0	1	2	3	4	5	6	7
Traffic Class (Arad /Jericho)	Derived: use default CoS as inbound CoS	1	0	2	3	4	5	6	7
Traffic Class (FM6000)	Derived: use default CoS as inbound CoS	1	0	2	3	4	5	6	7
Traffic Class (Helix)	Derived: use default CoS as inbound CoS	1	0	2	3	4	5	6	7
Traffic Class (Petra)	Assigned default traffic class	1	0	2	3	4	5	6	7
Traffic Class (Trident and Tomahawk)	Derived: use default CoS as inbound CoS	1	0	2	3	4	5	6	7
Traffic Class (Trident II)	Derived: use default CoS as inbound CoS	1	0	2	3	4	5	6	7

Related Commands

qos cos specifies the default CoS.
platform petraA traffic-class specifies the default traffic class.

Example

This command assigns the traffic class 5 to the classes of service 1, 3, 5, and 7.

switch(config)# qos map cos 1 3 5 7 to traffic-class 5
switch(config)#

qos map dscp

The qos map dscp command associates a traffic class to a set of Differentiated Services Code Point (DSCP) values. Multiple commands create a complete DSCP to traffic class map. The switch uses this map to assign a traffic class to data packets on the basis of the packet’s DSCP field or the chip upon which it is received.

This command configures the global DSCP to traffic-class map. To create additional named maps that can be attached to specific VRFs, use the qos map dscp to traffic-class command with the name option.

The no qos map dscp and default qos map dscp commands restore the specified DSCP values to their default traffic class settings by deleting corresponding qos map dscp statements from running-config.

Command Mode

Global Configuration

Command Syntax

qos map dscp dscpv_1 [dscpv_2...dscpv_n] to traffic-class tc_value

no qos map dscp dscpv_1 [dscpv_2...dscpv_n]

default qos map dscp dscpv_1 [dscpv_2...dscpv_n]

Parameters

dscpv_x Differentiated Services Code Point (DSCP) value. Value ranges from 0 to 63.
tc_value Traffic class value. Value range varies by platform.

Default map varies by platform (Table 36).

Default Inbound DSCP to Traffic Class Map

Table 36 displays the default DSCP to traffic class map for each platform.

Table 36. Default DSCP to Traffic Class Map
Inbound DSCP	0-7	8-15	16-23	24-31	32-39	40-47	48-55	56-63
Traffic Class (Arad /Jericho)	1	0	2	3	4	5	6	7
Traffic Class (FM6000)	1	0	2	3	4	5	6	7
Traffic Class (Helix)	1	0	2	3	4	5	6	7
Traffic Class (Petra)	1	0	2	3	4	5	6	7
Traffic Class (Trident and Tomahawk)	1	0	2	3	4	5	6	7
Traffic Class (Trident II)	1	0	2	3	4	5	6	7

Example

This command assigns the traffic class 3 to the DSCP values of 12, 13, 25, and 37.

switch(config)# qos map dscp 12 13 25 37 to traffic-class 3
switch(config)#

qos map dscp to traffic-class

The qos map dscp to traffic-class command puts the switch in DSCP Map Configuration mode for the specified QoS map. If the map does not already exist, it is created as a copy of the global DSCP-to-traffic-class map. In DSCP Map Configuration mode, the dscp to traffic-class command is available to make changes to the map.

The no and default forms of the command remove the specified custom map.

Command Mode

Global Configuration

Command Syntax

qos map dscp to traffic-class name map_name

no qos map dscp to traffic-class name map_name

default qos map dscp to traffic-class name map_name

Parameters

map_name The name of the map to configure. If the map does not exist, it is created as a copy of the global DSCP-to-traffic-class map.

Example

This command creates the map map1 and places the switch in DSCP Map Configuration mode.

switch(config)#qos map dscp to traffic-class name map1
switch(config-dscp-map-map1)#

qos map dscp to traffic-class (MPLS tunnel termination VRF)

The qos map dscp to traffic-class command assigns a DSCP-to-traffic-class map to a VRF, replacing the global map or previous custom map. The switch uses this map to assign a traffic class to data packets routed to this VRF on the basis of the DSCP fields of these packets.

The no qos map dscp to traffic-class and default qos map dscp to traffic-map commands remove the assignment of a custom map from the VRF, restoring the global map. default traffic class settings by deleting corresponding qos map dscp statements from running-config.

Command Mode

MPLS Tunnel Termination VRF Configuration

Command Syntax

qos map dscp to traffic-class map_name

no qos map dscp to traffic-class map_name

default qos map dscp to traffic-class map_name

Parameter

map_name DSCP to traffic-class map name.

Example

These commands assign the map1 QoS DSCP-to-traffic-class map to the newVRF1 and newVRF2 VRFs.

switch(config)#mpls tunnel termination
switch(config-mpls-tunnel-termination)#vrf newVRF1
switch(config-tunnel-termination-vrf-newVRF1)#qos map dscp to traffic-class map1
switch(config-tunnel-termination-vrf-newVRF1)#exit
switch(config-mpls-tunnel-termination)#vrf newVRF2
switch(config-tunnel-termination-vrf-newVRF2)#qos map dscp to traffic-class map1
switch(config-tunnel-termination-vrf-newVRF2)#exit
switch(config-tunnel-termination)#

qos map traffic-class to cos

The qos map traffic-class to cos command associates a class of service (CoS) to a list of traffic classes. Multiple commands create a complete traffic class to CoS map. The switch uses this map in CoS rewrite operations to fill the CoS field in outbound packets. This map is applicable to DSCP trusted ports and untrusted ports. CoS rewrite is disabled on CoS trusted ports. The show qos maps command displays the CoS to traffic class map.

The no qos traffic-class to cos and default qos traffic-class to cos commands restore the specified traffic class values to their default CoS settings by removing the corresponding qos map traffic-class to cos command from running-config.

Command Mode

Global Configuration

Command Syntax

qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to cos cos_value

no qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to cos

default qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to cos

Parameters

tc_num_x Traffic class value. Value range varies by switch platform.
cos_value Class of Service (CoS) value. Value ranges from 0 to 7.

Default Inbound Traffic Class to CoS Map

Table 37 displays the default traffic class to CoS map for each platform.

Table 37. Default Traffic Class to CoS Rewrite Value Map
Traffic Class	0	1	2	3	4	5	6	7
CoS Rewrite Value (Arad and /Jericho)	1	0	2	3	4	5	6	7
CoS Rewrite Value (FM6000)	1	0	2	3	4	5	6	7
CoS Rewrite Value (Helix)	1	0	2	3	4	5	6	7
CoS Rewrite Value (Petra)	1	0	2	3	4	5	6	7
CoS Rewrite Value (Trident and Tomahawk)	1	0	2	3	4	5	6	7
CoS Rewrite Value (Trident II)	1	0	2	3	4	5	6	7

Example

This command assigns the CoS 2 to traffic classes 1, 3, and 5.

switch(config)# qos map traffic-class 1 3 5 to cos 2
switch(config)#

qos map traffic-class to dscp

The qos map traffic-class to dscp command associates a Differentiated Services Code Point (DSCP) value to a list of traffic classes. Multiple commands create a complete traffic class to DSCP map. The switch uses this map in DSCP rewrite operations to fill the DSCP field in outbound packets. This map is applicable to CoS trusted ports and untrusted ports but disabled by default on these ports. DSCP rewrite is disabled on DSCP trusted ports. The show qos maps command displays the traffic class to DSCP map.

The no qos traffic-class to dscp and default qos traffic-class to dscp commands restore the specified traffic class values to their default DSCP settings by removing the corresponding qos map traffic-class to dscp command from running-config.

Command Mode

Global Configuration

Command Syntax

qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to dscp dscp_value

no qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to dscp

default qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to dscp

Parameters

tc_num_x Traffic class value. Value range varies by switch platform.
dscp_value Differentiated Services Code Point (DSCP) value. Value ranges from 0 to 63.

Default Inbound Traffic Class to DSCP Map

Table 38 displays the default traffic class to DSCP map for each platform.

Table 38. Default Traffic Class to DSCP Rewrite Value Map
Traffic Class	0	1	2	3	4	5	6	7
DSCP Rewrite Value (FM6000)	8	0	16	24	32	40	48	56
DSCP Rewrite Value (Helix)	8	0	16	24	32	40	48	56
DSCP Rewrite Value (Trident and Tomahawk)	8	0	16	24	32	40	48	56
DSCP Rewrite Value (Trident II)	8	0	16	24	32	40	48	56

Example

This command assigns the DSCP value of 17 to traffic classes 1, 2, and 4.

switch(config)# qos map traffic-class 1 2 4 to dscp 17
switch(config)#

qos map traffic-class to mc-tx-queue

The qos map traffic-class to mc-tx-queue command associates a multicast transmit queue to a list of traffic classes. Multiple commands create a complete traffic class to mc-tx-queue map. The switch uses this map to route outbound packets to transmit queues, which in turn schedules their transmission from the switch. The show qos maps command displays the traffic class to multicast transmit queue map.

The no qos traffic-class to mc-tx-queue and default qos traffic-class to mc-tx-queue commands restore the default traffic class to multicast transmit queue map for the specified traffic class values by removing the corresponding qos map traffic-class to mc-tx-queue command from running-config.

Command Mode

Global Configuration

Command Syntax

qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to mc-tx-queue mtq_value

no qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to mc-tx-queue

default qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to mc-tx-queue

Parameters

tc_num_x Traffic class value. Value ranges from 0 to 7.
mtq_value Multicast transmit queue number. Value ranges from 0 to 3.

Default Inbound Traffic Class to Multicast Transmit Queue Map

Table 39 displays the default traffic class to multicast transmit queue map for Trident and Tomahawk platform switches.

Table 39. Default Traffic Class to Multicast Transmit Queue Map
Traffic Class	0	1	2	3	4	5	6	7
Multicast Transmit Queue (Trident and Tomahawk)	0	0	1	1	2	2	3	3

Related Commands

qos map traffic-class to uc-tx-queue (Trident and Tomahawk) associates traffic classes to a multicast transmit queue.
qos map traffic-class to tx-queue (all other platforms) associates traffic classes to a transmit queue.

Example

This command maps traffic classes 0, 4, and 5 to mc-tx-queue 2.

switch(config)# qos map traffic-class 0 4 5 to mc-tx-queue 2
switch(config)#

qos map traffic-class to tx-queue

The qos map traffic-class to tx-queue command associates a transmit queue (tx-queue) to a list of traffic classes. Multiple commands create a complete traffic to tx-queue map. The switch uses this map to route outbound packets to transmit queues, which in turn schedules their transmission from the switch. The show qos maps command displays the transmit queue to traffic class map.

The no qos traffic-class to tx-queue and default qos traffic-class to tx-queue commands restore the specified traffic class values to their default transmit queue settings by removing the corresponding qos map traffic-class to tx-queue command from running-config.

Command Mode

Global Configuration

Command Syntax

qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to tx-queue txq_value

no qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to tx-queue

default qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to tx-queue

Parameters

tc_num_x Traffic class value. Value range varies by platform.
txq_value Transmit queue value. Value range varies by platform.

Restrictions

FM6000: When Priority Flow Control (PFC) is enabled, traffic classes are mapped to their corresponding transmit queues, regardless of existing qos map traffic-class to tx-queue statements.

Arad, Jericho, and Petra: Traffic class 7 always maps to transmit queue 7. This association is not editable.

Default Inbound Traffic Class to Transmit Queue Map

Table 40 displays the transmit queue to traffic class map.

Table 40. Default Traffic Class to Transmit Queue Map
Traffic Class	1	2	3	4	5	6	7
Transmit Queue (Arad /Jericho)	1	2	3	4	5	6	7
Transmit Queue (FM6000)	1	2	3	4	5	6	7
Transmit Queue (Helix)	1	2	3	4	5	6	7
Transmit Queue (Petra)	1	2	3	4	5	6	7
Transmit Queue (Trident II)	1	2	3	4	5	6	7

Related Commands

qos map traffic-class to mc-tx-queue (Trident and Tomahawk) associates traffic classes to a unicast transmit queue.
qos map traffic-class to uc-tx-queue (Trident and Tomahawk) associates traffic classes to a multicast transmit queue.

Example

This command maps traffic classes 0, 4, and 5 to tx-queue 4.

switch(config)# qos map traffic-class 0 4 5 to tx-queue 4
switch(config)#

qos map traffic-class to uc-tx-queue

The qos map traffic-class to uc-tx-queue command associates a unicast transmit queue to a list of traffic classes. Multiple commands create a complete traffic class to unicast transmit queue map. The switch uses this map to route outbound packets to transmit queues, which in turn schedules their transmission from the switch. The show qos maps command displays the traffic class to unicast transmit queue map.

The no qos traffic-class to uc-tx-queue and default qos traffic-class to uc-tx-queue commands restore the default traffic class to unicast transmit queue map for the specified traffic class values by removing the corresponding qos map traffic-class to uc-tx-queue command from running-config.

Command Mode

Global Configuration

Command Syntax

qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to uc-tx-queue utq_value

no qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to uc-tx-queue

default qos map traffic-class tc_num_1 [tc_num_2 ... tc_num_n] to uc-tx-queue

Parameters

tc_num_x Traffic class value. Value ranges from 0 to 7.
utq_value Unicast transmit queue number. Value ranges from 0 to 7.

Default Inbound Traffic Class to Unicast Transmit Queue Map

Table 41 displays the default traffic class to Unicast transmit queue map for Trident and Tomahawk platform switches.

Table 41. Default Traffic Class to Unicast Transmit Queue Map
Traffic Class	0	1	2	3	4	5	6	7
Unicast Transmit Queue (Trident and Tomahawk)	0	1	2	3	4	5	6	7

Related Commands

qos map traffic-class to mc-tx-queue (Trident and Tomahawk) associates traffic classes to a unicast transmit queue.
qos map traffic-class to tx-queue (all other platforms) associates traffic classes to a transmit queue.

Example

This command maps traffic classes 0, 4, and 5 to unicast transmit queue 4.

switch(config)# qos map traffic-class 0 4 5 to uc-tx-queue 4
switch(config)#

qos profile

The qos profile command places the switch in QoS profile configuration mode and for the specified profile and creates the profile if it does not already exist. QoS profiles are used to apply the same QoS configuration to multiple interfaces.

The no qos profile and default qos profile command deletes the QoS profile from the running configuration.

The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

qos profile profile_name

no qos profile profile_name

default qos profile profile_name

Parameter

profile_name QoS profile name.

Note: Commands use a subset of the listed fields. Available subset depends on the specified parameter. Use CLI syntax assistance to view options for specific parameter when creating a QoS profile.

Example

This command places the switch in QoS profile configuration mode for policy map policy map TP and creates the policy map if it does not already exist.

switch(config)# qos profile TP
switch(config-qos-profile-TP)#

qos random-detect ecn allow non-ect chip-based (Tomahawk and Trident)

The qos random-detect ecn allow non-ect chip-based enables per color queue thresholds using color based queue thresholds and drop-precedence values along with drop of non-ect traffic by allowing non-ect and set drop-precedence 1 in a policy map simultaneously.

The no qos random-detect ecn allow non-ect chip-based and default qos random-detect ecn allow non-ect chip-based commands disbales the use of non-ect and set drop-precedence 1 simultaneously in a policy map in the running-config.

Command Mode

Global Configuration

Command Syntax

qos random-detect ecn allow non-ect chip-based

no qos random-detect ecn allow non-ect chip-based

default qos random-detect ecn allow non-ect chip-based

Example

The following command enables the use of non-ect and set drop-precedence 1 simultaneously in a policy map.

switch(config)# qos random-detect ecn allow non-ect chip-based

qos random-detect ecn global-buffer (Helix)

The qos random-detect ecn global-buffer command enables ECN marking for globally shared packet memory and specifies minimum and maximum queue threshold sizes. Hosts can advertise their ECN capabilities in the ToS DiffServ field’s two least significant bits:

00 Non ECN Capable transport.
10 ECN Capable transport.
01 ECN Capable transport.
11 Congestion encountered.

Congestion is determined by comparing average queue size with queue thresholds. Average queue size is calculated through a formula based on the previous average and current queue size. Packets are marked based on this average size and the specified thresholds:

Average queue size below minimum threshold: Packets are queued normally.
Average queue size above maximum threshold: Packets are marked congestion encountered.
Average queue size between minimum and maximum thresholds. Packets are queued or marked congestion encountered. The proportion of marked packets varies linearly with average queue size:
- 0% are marked when average queue size is less than or equal to minimum threshold.
- 100% are marked when average queue size is greater than or equal to maximum threshold.
When transmitted packets are marked Non ECN Capable, congestion packets are dropped, not marked.

The no qos random-detect ecn global-buffer and default qos random-detect ecn global-buffer commands disables ECN marking for the shared buffer by removing the qos random-detect ecn global-buffer command from running-config.

Command Mode

Global Configuration

Command Syntax

qos random-detect ecn global-buffer minimum-threshold MIN maximum-threshold MAX

no qos random-detect ecn global-buffer

default qos random-detect ecn global-buffer

Guidelines

Packet memory is divided into 46080 208-byte cells, whose allocation is managed by the memory management unit (MMU). The MMU tracks the cells that each entity uses and determines the number of cells that can be allocated to an entity.

Parameters

MIN and MAX parameters must use the same data unit.

MINMinimum threshold. Options include:
- 1 to 19456 segments 208-byte segments units.
- 1 to 4 mbytes Megabyte units.
- 1 to 4046 kbytes Kilobyte units.
- 1 to 4046848 bytes Byte units.
MAXMaximum threshold. Options include:
- 1 to 19456 segments 208-byte segments units.
- 1 to 4 mbytes Megabyte units.
- 1 to 4046 kbytes Kilobyte units.
- 1 to 4046848 bytes Byte units.

Related Command

random-detect ecn (Helix) enables ECN marking for a unicast transmit queue.

Examples

This command enables ECN marking of unicast packets from the global data pool and sets the minimum and maximum thresholds at 20 and 500 segments.
```
switch(config)# qos random-detect ecn global-buffer minimum-threshold 20 segments 
maximum-threshold 500 segments
switch(config)#
```
This command disables ECN marking of unicast packets from the global data pool.
```
switch(config)# no qos random-detect ecn global-buffer
switch(config)#
```

qos random-detect ecn global-buffer (Trident and Tomahawk)

00 Non ECN Capable transport.
10 ECN Capable transport.
01 ECN Capable transport.
11 Congestion encountered.

Average queue size below minimum threshold: Packets are queued normally.
Average queue size above maximum threshold: Packets are marked congestion encountered.
Average queue size between minimum and maximum thresholds. Packets are queued or marked congestion encountered. The proportion of marked packets varies linearly with average queue size:
- 0% are marked when average queue size is less than or equal to minimum threshold.
- 100% are marked when average queue size is greater than or equal to maximum threshold.
When transmitted packets are marked Non ECN Capable, congestion packets are dropped, not marked.

Command Mode

Global Configuration

Command Syntax

qos random-detect ecn global-buffer minimum-threshold MIN maximum-threshold MAX

no qos random-detect ecn global-buffer

default qos random-detect ecn global-buffer

Guidelines

Parameters

MIN and MAX parameters must use the same data unit.

MINMinimum threshold. Options include:
- 1 to 46080 segments 208-byte segments units.
- 1 to 9 mbytes Megabyte units.
- 1 to 9584 kbytes Kilobyte units.
- 1 to 9584640 bytes Byte units.
MAXMaximum threshold. Options include:
- 1 to 46080 segments 208-byte segments units.
- 1 to 9 mbytes Megabyte units.
- 1 to 9584 kbytes Kilobyte units.
- 1 to 9584640 bytes Byte units.

Related Command

random-detect ecn (Trident and Tomahawk) enables ECN marking for a unicast transmit queue.

Examples

This command enables ECN marking of unicast packets from the global data pool and sets the minimum and maximum thresholds at 20 and 500 segments.
```
switch(config)# qos random-detect ecn global-buffer minimum-threshold 20 segments maximum-threshold 500 segments
switch(config)#
```
This command disables ECN marking of unicast packets from the global data pool.
```
switch(config)# no qos random-detect ecn global-buffer
switch(config)#
```

qos rewrite cos

The qos rewrite cos command enables the rewriting of the CoS field for outbound tagged packets that were received on DSCP trusted ports and untrusted ports. CoS rewrite is always disabled on CoS trusted ports. The CoS value that is written into the packet is based on the data stream’s traffic class. CoS rewriting is active by default.

The no qos rewrite cos command disables CoS rewriting on the switch. The default qos rewrite cos command restores the default setting of enabling CoS rewriting by removing the no qos rewrite cos command from running-config.

Command Mode

Global Configuration

Command Syntax

qos rewrite cos

no qos rewrite cos

default qos rewrite cos

Related Command

qos map traffic-class to cos configures the traffic class to CoS rewrite map.

Example

This command enables CoS rewrite.

switch(config)# qos rewrite cos
switch(config)#

qos rewrite dscp

The qos rewrite dscp command enables the rewriting of the DSCP field for outbound tagged packets that were received on CoS trusted ports and untrusted ports. DSCP rewrite is always disabled on DSCP trusted ports. The DSCP value that is written into the packet is based on the data stream’s traffic class. DSCP rewriting is disabled by default.

The no qos rewrite dscp and default qos rewrite dscp commands disable DSCP rewriting on the switch by removing the no qos rewrite dscp command from running-config.

Command Mode

Global Configuration

Command Syntax

qos rewrite dscp

no qos rewrite dscp

default qos rewrite dscp

Related Command

qos map traffic-class to dscp configures the traffic class to DSCP rewrite map.

Example

This command enables DSCP rewrite.

switch(config)# qos rewrite dscp
switch(config)#

qos trust

The qos trust command configures the quality of service port trust mode for the configuration mode interface. Trust-enabled ports classify traffic by examining the traffic’s CoS or DSCP value. Port trust mode default setting is cos for switched interfaces and dscp for routed interfaces.

The default qos trust command restores the default trust mode on the configuration mode interface by removing the corresponding qos trust or no qos trust statement from running-config.

The no qos trust command performs the following:

no qos trust places the port in untrusted mode.
no qos trust cos removes the corresponding qos trust cos statement.
no qos trust dscp removes the corresponding qos trust dscp statement.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

qos trust [MODE]

no qos trust [MODE]

default qos trust

Parameters

MODETrust mode assigned to the port. Options include:
- cos Enables cos trust mode.
- dscp Enables dscp trust mode.
no qos trust Enables untrusted mode on the port.

Examples

This command configures trust mode of dscp for interface ethernet 7.

switch(config)# interface ethernet 7
switch(config-if-Et7)# qos trust dscp
switch(config-if-Et7)# show active
interface Ethernet7
   qos trust dscp
switch(config-if-Et7)#

This command configures trust mode of untrusted for Port Channel interface 23.

switch(config)# interface port-channel 23
switch(config-if-Po23)# no qos trust
switch(config-if-Po23)# show active
interface Port-Channel23
   no qos trust
switch(config-if-Po23)#

random-detect ecn (Arad/Jericho)

The random-detect ecn command enables ECN marking for the configuration mode unicast transmit queue and specifies threshold queue sizes. Hosts can advertise their ECN capabilities in the ToS DiffServ field’s two least significant bits:

00 Non ECN Capable transport.
10 ECN Capable transport.
01 ECN Capable transport.
11 Congestion encountered.

Average queue size below minimum threshold: Packets are queued normally.
Average queue size above maximum threshold: Packets are marked congestion encountered.
Average queue size between minimum and maximum thresholds. Packets are queued or marked congestion encountered. The proportion of marked packets varies linearly with average queue size:
- 0% are marked when average queue size is less than or equal to minimum threshold.
- 100% are marked when average queue size is greater than or equal to maximum threshold.
When transmitted packets are marked Non ECN Capable, congestion packets are dropped, not marked.

The no random-detect ecn and default qos random-detect ecn commands disables ECN marking for the shared buffer by removing the qos random-detect ecn command from running-config.

Command Mode

Tx-Queue configuration

Command Syntax

random-detect ecn minimum-threshold MIN maximum-threshold MAX

no random-detect ecn

default random-detect ecn

Parameters

MIN and MAX parameters must use the same data unit.

MINMinimum threshold. Options include:
- 1 to 256 mbytes Megabyte units.
- 1 to 256000 kbytes Kilobyte units.
- 1 to 256000000 bytes Byte units.
MAXMaximum threshold. Options include:
- 1 to 256 mbytes Megabyte units.
- 1 to 256000 kbytes Kilobyte units.
- 1 to 256000000 bytes Byte units.

Related Command

tx-queue (Arad/Jericho) places the switch in tx-queue configuration mode.

Example

These commands enable ECN marking of unicast packets from unicast transmit queue 4 of interface Ethernet 3/5/1, setting thresholds at 128 kbytes and 1280 kbytes.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# tx-queue 4
switch(config-if-Et3/5/1-txq-4)# random-detect ecn minimum-threshold 128 kbytes 
maximum-threshold 1280 kbyte
switch(config-if-Et3/5/1-txq-4)# show active
interface Ethernet3/5/1
   tx-queue 4
      random-detect ecn minimum-threshold 128 kbytes maximum-threshold 1280 kbytes
switch(config-if-Et3/5/1-txq-4)#

random-detect ecn (Helix)

00 Non ECN Capable transport.
10 ECN Capable transport.
01 ECN Capable transport.
11 Congestion encountered.

Average queue size below minimum threshold: Packets are queued normally.
Average queue size above maximum threshold: Packets are marked congestion encountered.
Average queue size between minimum and maximum thresholds. Packets are queued or marked congestion encountered. The proportion of marked packets varies linearly with average queue size:
- 0% are marked when average queue size is less than or equal to minimum threshold.
- 100% are marked when average queue size is greater than or equal to maximum threshold.
When transmitted packets are marked Non ECN Capable, congestion packets are dropped, not marked.

Average queue length is tracked for transmit queues and the global pool independently. When either entity reaches its maximum threshold, all subsequent packets are marked.

The no random-detect ecn and default random-detect ecn commands disable ECN marking on the configuration mode queue, deleting the corresponding random-detect ecn command from running-config.

Command Mode

Tx-Queue configuration

Command Syntax

random-detect ecn minimum-threshold MIN maximum-threshold MAX

no random-detect ecn

default random-detect ecn

Parameters

MIN and MAX parameters must use the same data unit.

MINMinimum threshold. Options include:
- 1 to 46080 segments 208-byte segments units.
- 1 to 9 mbytes Megabyte units.
- 1 to 9584 kbytes Kilobyte units.
- 1 to 9584640 bytes Byte units.
MAX Maximum threshold. Options include:
- 1 to 46080 segments 208-byte segments units.
- 1 to 9 mbytes Megabyte units.
- 1 to 9584 kbytes Kilobyte units.
- 1 to 9584640 bytes Byte units.

Related Commands

tx-queue (Helix) places the switch in tx-queue configuration mode.
qos random-detect ecn global-buffer (Helix) enables ECN marking for globally shared packet memory.

Examples

These commands enable ECN marking of unicast packets from transmit queue 4 of interface ethernet 15, setting thresholds at 10 and 100 segments.

switch(config)# interface ethernet 15
switch(config-if-Et15)# uc-tx-queue 4
switch(config-if-Et15-txq-4)# random-detect ecn minimum-threshold 10 segments 
maximum-threshold 100 segments
switch(config-if-Et15-txq-4)# show active
interface Ethernet15
   tx-queue 4
      random-detect ecn minimum-threshold 10 segments maximum-threshold 100 
segments
switch(config-if-Et15-txq-4)# exit
switch(config-if-Et15)

This command disables ECN marking of unicast packets from transmit queue 4 of interface ethernet 15.

switch(config-if-Et15-txq-4)# no random-detect ecn
switch(config-if-Et15-txq-4)# show active
interface Ethernet15
switch(config-if-Et15-txq-4)# exit
switch(config-if-Et15)#

random-detect ecn (Trident and Tomahawk)

00 Non ECN Capable transport.
10 ECN Capable transport.
01 ECN Capable transport.
11 Congestion encountered.

Average queue size below minimum threshold: Packets are queued normally.
Average queue size above maximum threshold: Packets are marked congestion encountered.
Average queue size between minimum and maximum thresholds. Packets are queued or marked congestion encountered. The proportion of marked packets varies linearly with average queue size:
- 0% are marked when average queue size is less than or equal to minimum threshold.
- 100% are marked when average queue size is greater than or equal to maximum threshold.
When transmitted packets are marked Non ECN Capable, congestion packets are dropped, not marked.

Average queue length is tracked for transmit queues and the global pool independently. When either entity reaches its maximum threshold, all subsequent packets are marked.

Command Mode

Uc-Tx-Queue configuration

Command Syntax

random-detect ecn minimum-threshold MIN maximum-threshold MAX

no random-detect ecn

default random-detect ecn

Parameters

MIN and MAX parameters must use the same data unit.

MINMinimum threshold. Options include:
- 1 to 46080 segments 208-byte segments units.
- 1 to 9 mbytes Megabyte units.
- 1 to 9584 kbytes Kilobyte units.
- 1 to 9584640 bytes Byte units.
MAX Maximum threshold. Options include:
- 1 to 46080 segments 208-byte segments units.
- 1 to 9 mbytes Megabyte units.
- 1 to 9584 kbytes Kilobyte units.
- 1 to 9584640 bytes Byte units.

Related Commands

uc-tx-queue places the switch in the uc-tx-queue configuration mode.
qos random-detect ecn global-buffer (Trident and Tomahawk) enables ECN marking for globally shared packet memory.

Examples

These commands enable ECN marking of unicast packets from unicast transmit queue 4 of interface ethernet 15, setting thresholds at 10 and 100 segments.

switch(config)# interface ethernet 15
switch(config-if-Et15)# uc-tx-queue 4
switch(config-if-Et15-uc-txq-4)# random-detect ecn minimum-threshold 10 segments 
maximum-threshold 100 segments 
switch(config-if-Et15-uc-txq-4)#show active
interface Ethernet15
   uc-tx-queue 4
      random-detect ecn minimum-threshold 10 segments maximum-threshold 100 
segments
switch(config-if-Et15-uc-txq-4)# exit
switch(config-if-Et15)#

This command disables ECN marking of unicast packets from unicast transmit queue 4 of interface ethernet 15.

switch(config-if-Et15-uc-txq-4)# no random-detect ecn
switch(config-if-Et15-uc-txq-4)# show active
interface Ethernet15
switch(config-if-Et15-uc-txq-4)# exit
switch(config-if-Et15)#

service-policy type qos input

The service-policy type qos input command applies the specified policy map to a QoS profile. The profile is then applied to an interface in interface configuration mode using the service-profile command.

The no service-policy type qos and default service-policy type qos command deletes the policy map from the profile.

The exit command returns the switch to global configuration mode.

Command Mode

QoS Profile Configuration

Command Syntax

service-policy type qos input policy_map_name

no service-policy type qos input policy_map_name

default service-policy type qos input policy_map_name

Parameter

policy_map_name QoS policy map name.

Example

This command applies the policy map PM-1 to the QoS profile TP.

switch(config-qos-profile-TP)# service-policy type qos input PM-1
switch(config-qos-profile-TP)#

service-profile

The command applies the QoS profile to the configuration mode interface.

The no service-profile and the default service-profile command removes the QoS profile from the interface.

The exit command returns the switch to global configuration mode.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

service-profile profile_name

no service-profile profile_name

default service-profile profile_name

Parameter

profile_name QoS profile name.

Example

This commands applies the QoS profile TP to interfaceethernet 13.

switch(config)# interface ethernet 13
switch(config-if-Et13)# service-profile TP

set extcommunity

The set extcommunity command adds a color extended community to be applied to routes affected by the route-map. Multiple set clauses can be applied to a single route-map to configure multiple colors for routes.Negating the command removes the entry from the route-map.

Command Mode

Config-route-map mode

Command Syntax

set extcommunity COLOR-EXPRESSION [additive | delete]

no set extcommunity COLOR-EXPRESSION [additive | delete]

default set extcommunity COLOR-EXPRESSION [additive | delete]

Parameters

COLOR-EXPRESSION The color extended community to be applied to routes affected by the route-map.
additiveAdds the extended communities to those received.
deleteDeletes any matching extended color communities.

Example

arista(config)# route-map foo
arista(config-route-map foo)# set extcommunity color 1
arista(config-route-map foo)# set extcommunity color 2 color-only exact-match
arista(config-route-map foo)# set extcommunity color 3 color-only endpoint-match null
arista(config-route-map foo)# set extcommunity color 4 color-only endpoint-match any

shape rate (Interface – Arad/Jericho)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode interface, also known as queue shaping. The shape rate for individual transmit queues is configured by theshape rate (Tx-queue – Arad/Jericho) command. By default, outbound transmission rate is not bounded by a shape rate.

The no shape rate and default shape rate commands remove the shape rate bandwidth limit on the configuration mode interface by deleting the corresponding shape rate command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

shape rate byte_limit [kbps]

no shape rate

default shape rate

Parameters

byte_limit Shape rate applied to interface (Kbps). Value ranges from 162 to 100000000.

Example

This command configures a port shape rate of 5 Gbps on interface ethernet 3/5/1.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# shape rate 5000000
switch(config-if-Et3/5/1)# show qos interfaces ethernet 3/5/1

Ethernet3/5/1:

   Port shaping rate: 5000012 / 5000000 kbps

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -        - / -    (  -  )    SP / SP    D
   3      - / -        - / -    (  -  )    SP / SP    D
   2      - / -        - / -    (  -  )    SP / SP    D
   1      - / -        - / -    (  -  )    SP / SP    D
   0      - / -        - / -    (  -  )    SP / SP    D

switch(config-if-Et3/5/1)#

shape rate (Interface – FM6000)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode interface, also known as queue shaping. The shape rate for individual transmit queues is configured by the shape rate (Tx-queue – FM6000)command. By default, outbound transmission rate is not bounded by a shape rate.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

shape rate byte_limit [kbps]

no shape rate

default shape rate

Parameters

byte_limit Shape rate applied to interface (Kbps). Value ranges from 7000 to 10000000.

Guidelines

Enabling port shaping on an FM6000 interface disables queue shaping internally. Disabling port shaping restores queue shaping as specified in running-config.

Example

This command configures a port shape rate of 5 Gbps on interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# shape rate 5000000
switch(config-if-Et5)#

shape rate (Interface – Helix)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode interface, also known as queue shaping. The shape rate for individual transmit queues is configured by the shape rate (Interface – Helix)command. By default, outbound transmission rate is not bounded by a shape rate.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

shape rate DATA_LIMIT

no shape rate

default shape rate

Parameters

DATA_LIMIT Shape rate applied to interface. Value range varies with data unit:
- 8 to 40000000 8 to 40000000 kbytes per second.
- 8 to 40000000kbps 8 to 40000000 kbytes per second.
- 8 to 60000000pps 8 to 60000000 packets per second.

Guidelines

Shaping rates of at least 8 kbps are supported. At shaping rates smaller than 1 Mbps, granularity and rounding errors may skew the actual shaping rate by 20% from the specified rate.

Example

This command configures a port shape rate of 5 Gbps on interface ethernet 17.

switch(config)# interface ethernet 17
switch(config-if-Et17)# shape rate 5000000 kbps
switch(config-if-Et17)# show qos interface ethernet 17/3

Ethernet17:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: 5000000 / 5000000 kbps

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP

switch(config-if-Et17)#

shape rate (Interface – Petra)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode interface, also known as queue shaping. The shape rate for individual transmit queues is configured by the shape rate (Tx-queue – Petra) command. By default, outbound transmission rate is not bounded by a shape rate.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

shape rate data_limit [kbps]

no shape rate

default shape rate

Parameters

data_limit Shape rate applied to interface (Kbps). Value ranges from 100 to 10000000.

Guidelines

The following port shaping rates are supported:

1G ports: above 100 kbps.
10G ports: above 7900 kbps.

Commands that specify a smaller shape rate disable port shaping on the interface.

Example

This command configures a port shape rate of 5 Gbps on interface ethernet 3/3.

switch(config)# interface ethernet 3/3
switch(config-if-Et3/3)# shape rate 5000000
switch(config-if-Et3/3)# show active
interface Ethernet3/3
   shape rate 5000000
switch(config-if-Et3/3)#

shape rate (Interface – Trident and Tomahawk)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode interface, also known as queue shaping. The shape rate for individual transmit queues is configured by the shape rate (Tx-queue – Trident and Tomahawk) command. By default, outbound transmission rate is not bounded by a shape rate.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

shape rate DATA_LIMIT

no shape rate

default shape rate

Parameters

DATA_LIMITShape rate applied to interface. Value range varies with data unit:
- 8 to 40000000 8 to 40000000 kbytes per second.
- 8 to 40000000kbps 8 to 40000000 kbytes per second.
- 8 to 60000000pps 8 to 60000000 packets per second.

Guidelines

Example

This command configures a port shape rate of 5 Gbps on interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# shape rate 5000000
switch(config-if-Et5)#

shape rate (Interface – Trident II)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode interface, also known as queue shaping. The shape rate for individual transmit queues is configured by the shape rate (Tx-queue – Trident II)command. By default, outbound transmission rate is not bounded by a shape rate.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

shape rate DATA_LIMIT

no shape rate

default shape rate

Parameters

DATA_LIMIT Shape rate applied to interface. Value range varies with data unit:

- 8 to 40000000 kbps 8 to 40000000 kbytes per second.
- 8 to 40000000 kbps 8 to 40000000 kbytes per second.
- 8 to 60000000 pps 8 to 60000000 packets per second.

Guidelines

Shaping rates of at least 8 kbps are supported. At shaping rates smaller than 1 Mbps, granularity and rounding errors may skew the actual shaping rate by 20% from the specified rate.

Example

This command configures a port shape rate of 5 Gbps on interface ethernet 17/3.

switch(config)# interface ethernet 17/3
switch(config-if-Et17/3)# shape rate 5000000 kbps
switch(config-if-Et17/3)# show qos interface ethernet 17/3

Ethernet17/3:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: 5000000 / 5000000 kbps

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP

switch(config-if-Et17/3)#

shape rate (Tx-queue – Arad/Jericho)

The shape rate command specifies the maximum bandwidth for outbound traffic on the transmit queue, also known as queue shaping. The shape rate for interfaces is configured by the shape rate (Interface – Arad/Jericho)command. By default, the configured outbound transmission rate is not bounded by a transmit queue shape rate.

Shaping rates greater than 50000 kbps are supported. At lower shaping rates (less than 10 Mbps), granularity and rounding errors may skew the actual shaping rate by 20% from the specified rate.

The no shape rate and default shape rate commands remove the shape rate bandwidth limit on the configuration mode queue by deleting the corresponding shape rate command from running-config.

Command Mode

Tx-Queue Configuration

Command Syntax

shape rate byte_limit [kbps]

no shape rate

default shape rate

Parameters

byte_limit Shape rate applied to interface (Kbps). Value ranges from 50000 to 100000000.

Related Command

tx-queue (Arad/Jericho) places the switch in tx-queue configuration mode.

Related Information

shape rate (Interface – Arad/Jericho)

Example

These commands configure a shape rate of 1 Gbps on transmit queues 3 and 4 of interface ethernet 3/4/1.

switch(config)# interface ethernet 3/4/1
switch(config-if-Et3/4/1)# tx-queue 4
switch(config-if-Et3/4/1-txq-4)# shape rate 1000000 kbps
switch(config-if-Et3/4/1-txq-4)# tx-queue 3
switch(config-if-Et3/4/1-txq-3)# shape rate 1000000 kbps
switch(config-if-Et3/4/1-txq-3)# show qos interface ethernet 3/4/1

Ethernet3/4/1:

   Port shaping rate: disabled

  Tx    Bandwidth       Shape Rate        Priority  ECN
 Queue  (percent)        (units)
   -----------------------------------------------------
   7      - / -        - / -    (  -  )    SP / SP    D
   6      - / -        - / -    (  -  )    SP / SP    D
   5      - / -        - / -    (  -  )    SP / SP    D
   4      - / -      999 / 1000 ( Mbps )   SP / SP    D
   3      - / -      999 / 1000 ( Mbps )   SP / SP    D
   2      - / -        - / -    (  -  )    SP / SP    D
   1      - / -        - / -    (  -  )    SP / SP    D
   0      - / -        - / -    (  -  )    SP / SP    D

switch(config-if-Et3/4/1-txq-3)#

shape rate (Tx-queue – FM6000)

The shape ratecommand specifies the maximum bandwidth for outbound traffic on the transmit queue, also known as queue shaping. The shape rate for interfaces is configured by the shape rate (Interface – FM6000) command. By default, the configured outbound transmission rate is not bounded by a transmit queue shape rate.

Queue shaping on an FM6000 port is supported only when port shaping is not enabled on the interface. Enabling port shaping on a port disables queue shaping internally. Disabling port shaping restores queue shaping as specified by running-config.

Shaping rates greater than 460 kbps are supported. At lower shaping rates (less than 10 Mbps), granularity and rounding errors may skew the actual shaping rate by 20% from the specified rate.

The no shape rate and default shape rate commands remove the shape rate bandwidth limit on the transmit queue by deleting the corresponding shape rate command from running-config.

Command Mode

Tx-Queue Configuration

Command Syntax

shape rate byte_limit [kbps]

no shape rate

default shape rate

Parameters

byte_limit Shape rate applied to interface (Kbps). Value ranges from 464 to 10000000.

Related Commands

tx-queue (FM6000) places the switch in tx-queue configuration mode.
shape rate (Interface – FM6000) configures the shape rate for a configuration mode interface.

Example

These commands configure a shape rate of 1 Gbps (1,000,000 Kbps) on transmit queues 3 and 4 of interface ethernet 19.

switch(config)# interface ethernet 19
switch(config-if-Et19)# tx-queue 4
switch(config-if-Et19-txq-4)# shape rate 1000000
switch(config-if-Et19-txq-4)# tx-queue 3
switch(config-if-Et19-txq-3)# shape rate 1000000
switch(config-if-Et19-txq-3)# show qos interface ethernet 19

Ethernet19:
   Trust Mode: COS

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A      1000000        strict
          3          25      1000000   round-robin
          2          25     disabled   round-robin
          1          25     disabled   round-robin
          0          25     disabled   round-robin

switch(config-if-Et19-txq-3)#

shape rate (Tx-queue – Helix)

The shape rate command specifies the maximum bandwidth for outbound traffic on the transmit queue, also known as queue shaping. The shape rate for interfaces is configured by the shape rate (Interface – Helix) command. By default, the configured outbound transmission rate is not bounded by a transmit queue shape rate.

The no shape rate and default shape rate commands remove the shape rate bandwidth limit on the configuration mode transmit queue by deleting the corresponding shape rate command from running-config.

Command Mode

Tx-Queue Configuration

Command Syntax

shape rate byte_limit [kbps]

no shape rate

default shape rate

Parameters

DATA_LIMIT Shape rate applied to the queue. Value range varies with data unit:

- 8 to 40000000 8 to 40,000,000 kbytes per second.
- 8 to 40000000 kbps 8 to 40000000 kbytes per second.
- 8 to 60000000 pps 8 to 60000000 packets per second.

Restrictions

Queue shaping is not supported in cut-through mode.

Related Commands

tx-queue (Helix) places the switch in tx-queue configuration mode.
shape rate (Interface – Helix) configures the shape rate for a configuration mode interface.

Example

These commands configure a shape rate of 1 Gbps (1,000,000 Kbps) on transmit queues 3 and 4 of interface Eethernet 17/3.

switch(config)# interface ethernet 17/3
switch(config-if-Et17/3)# tx-queue 4
switch(config-if-Et17/3-txq-4)# shape rate 1000000 kbps
switch(config-if-Et17/3-txq-4)# tx-queue 3
switch(config-if-Et17/3-txq-3)# shape rate 1000000 kbps
switch(config-if-Et17/3-txq-3)# show qos interface ethernet 17/3

Ethernet17/3:

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP
   5        - / -    (  -  )       - / -    (  -  )    SP / SP
   4        - / -    (  -  )       1 / 1    ( Gbps )   SP / SP
   3        - / -    (  -  )       1 / 1    ( Gbps )   SP / SP
   2        - / -    (  -  )       - / -    (  -  )    SP / SP
   1        - / -    (  -  )       - / -    (  -  )    SP / SP
   0        - / -    (  -  )       - / -    (  -  )    SP / SP

switch(config-if-Et17/3-txq-3)#

shape rate (Tx-queue – Petra)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode transmit queue, also known as queue shaping. The shape rate for interfaces is configured by the shape rate (Interface – Petra) command. By default, the configured outbound transmission rate is not bounded by a transmit queue shape rate.

Queue shaping applies only to unicast traffic. Shaping rates of at least 162 Kbps are supported.

Command Mode

Tx-Queue Configuration

Command Syntax

shape rate DATA_LIMIT

no shape rate

default shape rate

Parameters

DATA_LIMITShape rate applied to the queue. Value range varies with data unit:

- 8 to 40000000 kbps Range is from 8 to 40000000 kbytes per second.
- 8to 60000000pps Range is from 8 to 60000000 packets per second.
Shaping rates greater than 460 kbps are supported. At lower shaping rates (less than 10 Mbps), granularity and rounding errors may skew the actual shaping rate by 20% from the specified rate.

Related Commands

tx-queue (Petra) places the switch in tx-queue configuration mode.
shape rate (Interface – Petra) configures the shape rate for a configuration mode interface.

Example

These commands configure a shape rate of 1 Gbps (1,000,000 Kbps) on transmit queues 3 and 4 of interface ethernet 3/28.

switch(config)# interface ethernet 3/28
switch(config-if-Et3/28)# tx-queue 4
switch(config-if-Et3/28-txq-4)# shape rate 1000000
switch(config-if-Et3/28-txq-4)# tx-queue 3
switch(config-if-Et3/28-txq-3)# shape rate 1000000
switch(config-if-Et3/28-txq-3)# show qos interface ethernet 3/28

Ethernet3/28:

   Tx-Queue   Bandwidth    Shape Rate     Priority
              (percent)       (Kbps)
   -----------------------------------------------
          7         N/A     disabled        strict
          6         N/A     disabled        strict
          5         N/A     disabled        strict
          4         N/A      1000000        strict
          3          25      1000000   round-robin
          2          25     disabled   round-robin
          1          25     disabled   round-robin
          0          25     disabled   round-robin

switch(config-if-Et3/28-txq-3)#

shape rate (Tx-queue – Trident and Tomahawk)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode transmit queue, also known as queue shaping. The shape rate for interfaces is configured by the shape rate (Interface – Trident and Tomahawk) command. By default, the configured outbound transmission rate is not bounded by a transmit queue shape rate.

The no shape rate and default shape rate commands remove the shape rate limit from the configuration mode transmit queue by deleting the corresponding shape rate command from running-config.

Command Mode

Mc-Tx-Queue configuration

Uc-Tx-Queue configuration

Command Syntax

shape rate DATA_LIMIT

no shape rate

default shape rate

Parameters

DATA_LIMIT Shape rate applied to the queue. Value range varies with data unit:
- 8 to 40000000 kbps Range is from 8 to 40000000 kbytes per second.
- 8 to 60000000 pps Range is from 8 to 60000000 packets per second.

Related Commands

mc-tx-queue places the switch in mc-tx-queue configuration mode.
uc-tx-queue places the switch in uc-tx-queue configuration mode.
shape rate (Interface – Trident and Tomahawk) configures the shape rate for a configuration mode interface.

Guidelines

When two queues source traffic from the same traffic class and the higher priority queue is shaped, that queue consumes all internal buffers, starving the lower priority queue even if bandwidth is available.

Example

These commands configure a shape rate of 1 Gbps (1,000,000 Kbps) on unicast transmit queues 3 and multicast transmit 4 of interface ethernet 7.

switch(config)# interface ethernet 7
switch(config-if-Et7)# uc-tx-queue 3
switch(config-if-Et7-uc-txq-3)# shape rate 1000000
switch(config-if-Et7-uc-txq-3)# mc-tx-queue 2
switch(config-if-Et7-mc-txq-2)# shape rate 1000000
switch(config-if-Et7-mc-txq-2)# show qos interface ethernet 7

Ethernet7:

   Tx-Queue   Bandwidth    Shape Rate     Priority   Priority Group
              (percent)       (Kbps)
   ----------------------------------------------------------------
        UC7         N/A     disabled        strict                1
        UC6         N/A     disabled        strict                1
        MC3         N/A     disabled        strict                1
        UC5         N/A     disabled        strict                0
        UC4         N/A     disabled        strict                0
        MC2         N/A      1000000        strict                0
        UC3          20      1000000   round-robin                0
        UC2          16     disabled   round-robin                0
        MC1          16     disabled   round-robin                0
        UC1          16     disabled   round-robin                0
        UC0          16     disabled   round-robin                0
        MC0          16     disabled   round-robin                0

switch(config-if-Et7-mc-txq-2)#

shape rate (Tx-queue – Trident II)

The shape rate command specifies the maximum bandwidth for outbound traffic on the configuration mode transmit queue, also known as queue shaping. The shape rate for interfaces is configured by the shape rate (Interface – Trident II)command. By default, the configured outbound transmission rate is not bounded by a transmit queue shape rate.

Command Mode

Tx-Queue Configuration

Command Syntax

shape rate byte_limit [kbps]

no shape rate

default shape rate

Parameters

DATA_LIMIT Shape rate applied to the queue. Value range varies with data unit:

- 8 to 40000000 kbps Range is from 8 to 40000000 kbytes per second.
- 8 to 60000000 pps Range is from 8 to 60000000 packets per second.

Restrictions

Queue shaping is not supported in cut-through mode

Related Commands

tx-queue (Trident II) places the switch in tx-queue configuration mode.
shape rate (Interface – Trident II) configures the shape rate for a configuration mode interface.

Example

These commands configure a shape rate of 1 Gbps (1,000,000 Kbps) on transmit queues 3 and 4 of interface ethernet 17/3.

switch(config)# interface ethernet 17/3
switch(config-if-Et17/3)# tx-queue 4
switch(config-if-Et17/3-txq-4)# shape rate 1000000 kbps
switch(config-if-Et17/3-txq-4)# tx-queue 3
switch(config-if-Et17/3-txq-3)# shape rate 1000000 kbps
switch(config-if-Et17/3-txq-3)# show qos interface ethernet 17/3

Ethernet17/3:

  Tx       Bandwidth                 Shape Rate        Priority
 Queue     Guaranteed (units)         (units)
   ------------------------------------------------------------
   7        - / -    (  -  )       - / -    (  -  )    SP / SP
   6        - / -    (  -  )       - / -    (  -  )    SP / SP
   5        - / -    (  -  )       - / -    (  -  )    SP / SP
   4        - / -    (  -  )       1 / 1    ( Gbps )   SP / SP
   3        - / -    (  -  )       1 / 1    ( Gbps )   SP / SP
   2        - / -    (  -  )       - / -    (  -  )    SP / SP
   1        - / -    (  -  )       - / -    (  -  )    SP / SP
   0        - / -    (  -  )       - / -    (  -  )    SP / SP

switch(config-if-Et17/3-txq-3)#

show interface counters queue drop-precedence

The show interface counters queue drop-precedence command displays the drop-precedence counters.

Command Mode

EXEC

Command Syntax

show interface counters queue drop-precedence

Example

This command displays the drop precedence counts on two interfaces.

switch# show interface counters queue drop-precedence
intf        0          1          2
Et1/1     100          0        200
Et1/2     200          0        300
switch#

show platform petraA traffic-class

The show platform petraA traffic-class command displays the traffic class assignment on all specified Petra chips. Each chip controls eight Ethernet interfaces. The default traffic class of an interface is specified by the traffic class assigned to the chip that controls the interface.

Traffic class assignments are configured with the platform petraA traffic-class command.

Valid command options include:

show platform petraA traffic-class Traffic class of all chips on all linecard.
show platform petraA CHIP_NAME traffic-class Traffic class of specified chip.
show platform petraA MODULE_NAME traffic-class Traffic class of all chips on specified linecard.

Command Mode

EXEC

Command Syntax

show platform petraA traffic-class

show platform petraA CHIP_NAME traffic-class

show platform petraA MODULE_NAME traffic-class

Parameters

CHIP_NAMEName of Petra chip on linecard that control Ethernet ports. Options include:
- petra cardX / chipY All ports on PetraA chip chipY on linecard cardX (7500 Series).
- petra chipZ All ports on PetraA chip chipZ (7048 Series).
7500 Series

Switches can contain up to eight linecards. cardX varies from 3 to 10.
Each linecard contains six PetraA chips. Each chip controls eight ports. chipY varies from 0 to 5:
- 0 controls ports 1 through 8
- 1 controls ports 9 through 16
- 2 controls ports 17 through 24
- 3 controls ports 25 through 32
- 4 controls ports 33 through 40
- 5 controls ports 41 through 48
7048 Series
Each switch contains two PetraA chips. chipZ varies from 0 to 1:
- 0 controls ports 1 through 32
- 1 controls ports 33 through 52
MODULE_NAME Name and number of linecard (7500 Series). Options include:
- module linecard mod_num Linecard number (3 to 10).
- module mod_num Linecard number (3 to 10).

Related Command

platform petraA traffic-class configures the default traffic class used by all ports on a specified chip.

Example

This command displays the traffic class of all chips on linecard 3.

switch# show platform petraA module linecard 3 traffic-class
Petra3/0 traffic-class: 1
Petra3/1 traffic-class: 1
Petra3/2 traffic-class: 1
Petra3/3 traffic-class: 1
Petra3/4 traffic-class: 5
Petra3/5 traffic-class: 1
switch#

show platform trident tcam qos detail

The show platform trident tcam qos detail command displays the list of all the SVIs that are sharing the TCAM entries.

Command Mode

EXEC

Command Syntax

show platform trident tcam qos detail

Example

This command displays the list of all the SVIs that are sharing the TCAM entries.

switch(config)# show platform trident tcam qos detail

=== Policy-map p01 type qos on switch Linecard0/0 ===
Interfaces : Vlan2 Vlan1
=-= Interface BitMap =-=
0x000000000000000001FFFFFE

show platform trident tcam shared vlan interface-class-id

The show platform trident tcam shared vlan interface-class-id command displays what SVIs are currently sharing the QoS policy-map in the below output under QoS PMAP Data.

Command Mode

EXEC

Command Syntax

show platform trident tcam shared vlan interface-class-id

Example

This command displays what SVIs are currently sharing the QoS policy-map in the below output under QoS PMAP Data.

switch(config)# show platform trident tcam shared vlan interface-class-id

=== Shared RACL Data on switch Linecard0/0 ===
=== Shared QoS Policy-map Data on switch Linecard0/0 ===
Interface Class Id             VLANs
1                               1 2

show platform xp qos tcam hit

The show platform xp qos tcam hit command displays the TCAM entries programmed for each policy-map as well as the traffic hits. The hits option is used to see the TCAM entries with nonzero traffic hits.

Command Mode

EXEC

Command Syntax

show platform xp qos tcam hit

Example

This command displays the QoS TCAM hits on interface ethernet 10/1.

switch# show platform xp qos tcam hit

=== Policy-map test type qos on switch 0 ===
Assigned to ports: Ethernet10/1
=-= Class-map test type qos =-=
=== ACL test
=========================================================================================
|Seq|AclId|Prot|Port|SPort|Ecn|FFlg|DPort|Vlan|Action|Hits|Src Ip|Dest Ip|hwId    | | |     |      | | | |dscp|cos  |tc|PolId| | | |
=========================================================================================
| 10| 0x01|    |    |     |   |0x04|     |    | 4    |-   | -    | -     |91852787| | | | 0 | 0x00 | | | |     |0xfb|  |     |  | | |  
-----------------------------------------------------------------------------------------

show policy-map interface

The show policy-map interface command displays contents of the policy map applied to specified the interface.

Command Mode

EXEC

Command Syntax

show policy-map interface interface_name

Parameters

interface_name Interface for which command returns data. Options include:

no parameter Returns data for all interfaces.
ethernet e_range Ethernet interfaces specified by e_range.
port-channel p_range Port channel interfaces specified by p_range.

Example

This command displays the name and contents of the policy map applied to interface Ethernet 1.

switch# show policy-map interface ethernet 1
Service-policy input: p1
 Hardware programming status: Successful

 Class-map: c2001 (match-any)
    Match: vlan 2001 0xfff
       set dscp 4

 Class-map: c2002 (match-any)
    Match: vlan 2002 0xfff
       set dscp 8

 Class-map: c2003 (match-any)
    Match: vlan 2003 0xfff
       set dscp 12

show policy-map

The show policy-map command displays the policy map information for the configured policy map.

Command Mode

EXEC

Command Syntax

show policy-map policy_map_name [counters][interface | summary]

Parameters

policy_map_name QoS policy map name.
counters Specifies the policy map traffic match count (This parameter is applicable only on DCS-7010, DCS-7050X, DCS7250X, DCS-7300X and DCS-7280(E/R), DCS-7500(E/R) series switches.)
interface Specifies the service policy on an interface.
summary Policy map summary.

Examples

The show policy-map command displays the information for the policy map policy1.

switch# show policy-map policy1
Service-policy policy1
Class-map: class1 (match-any)
Match: ip access-group name acl1
Police cir 512000 bps bc 96000 bytes
Class-map: class-default (match-any)

The show policy-map counters command displays the policy map traffic match count for the policy map configured.

switch# show policy-map policy1 counters

Service-policy input: policy1
 Hardware programming status: Successful
 Class-map: class1 (match-any)
    Match: vlan 20-40,1000-1250
       police rate 100 mbps burst-size 100 kbytes
        Interface: Ethernet16/1
          Conformed 28621 packets, 7098008 bytes -------------- packet match count
 
Class-map: class-default (match-any)
      Matched Packets: 19 -------------- packet match count

show qos interfaces random-detect ecn

The show qos interfaces random-detect ecn command displays the Explicit Congestion Notification (ECN) configuration for each transmit queue on the specified interfaces.

Command Mode

EXEC

Command Syntax

show qos interfaces [INTERFACE_NAME] random-detect ecn

Parameters

INTERFACE_NAME Interface for which command returns data. Options include:

no parameter Returns data for all interfaces.
ethernet e_range Ethernet interfaces specified by e_range.
port-channel p_range Port-Channel Interfaces specified by p_range.

Example

This command configures ECN parameters for transmit queues 0 through 3 on interface ethernet 3/5/1, then displays that configuration.

switch(config)# interface ethernet 3/5/1
switch(config-if-Et3/5/1)# tx-queue 0
switch(config-if-Et3/5/1-txq-0)# random-detect ecn minimum-threshold 2560 kbytes 
maximum-threshold 256000 kbytes
switch(config-if-Et3/5/1-txq-0)# tx-queue 1
switch(config-if-Et3/5/1-txq-1)# random-detect ecn minimum-threshold 25600 kbytes 
maximum-threshold 128000 kbytes
switch(config-if-Et3/5/1-txq-1)# tx-queue 2
switch(config-if-Et3/5/1-txq-2)# random-detect ecn minimum-threshold 25600 bytes 
maximum-threshold 128000 bytes
switch(config-if-Et3/5/1-txq-2)# tx-queue 3
switch(config-if-Et3/5/1-txq-3)# random-detect ecn minimum-threshold 25 mbytes 
maximum-threshold 128 mbytes
switch(config-if-Et3/5/1-txq-3)# show qos interfaces ethernet 3/5/1 random-detect 
ecn

Ethernet3/5/1:

   Tx-Queue   Mininimum Threshold    Maximum Threshold    Threshold Unit
   ---------------------------------------------------------------------
          7                     -                    -                 -
          6                     -                    -                 -
          5                     -                    -                 -
          4                     -                    -                 -
          3                    25                  128             mbytes
          2                 25600               128000              bytes
          1                 25600               128000             kbytes
          0                  2560               256000             kbytes

switch(config-if-Et3/5/1-txq-3)#

show qos interfaces trust

The show qos interfaces trust command displays the configured and operational QoS trust mode of all specified interfaces.

Command Mode

EXEC

Command Syntax

show qos interfaces [INTERFACE_NAME] trust

Parameters

INTERFACE_NAME Interface for which command returns data. Options include:

no parameter Returns data for all interfaces.
ethernet e_range Ethernet interfaces specified by e_range.
port-channel p_range Port-Channel Interfaces specified by p_range.

Example

These commands configure a variety of QoS trust settings on a set of interfaces, then displays the QoS trust mode on these interfaces.

switch(config)# interface ethernet 1/1
switch(config-if-Et1/1)# qos trust cos
switch(config-if-Et1/1)# interface ethernet 1/2
switch(config-if-Et1/2)# qos trust dscp
switch(config-if-Et1/2)# interface ethernet 1/3
switch(config-if-Et1/3)# no qos trust
switch(config-if-Et1/3)# interface ethernet 1/4
switch(config-if-Et1/4)# default qos trust
switch(config-if-Et1/4)# interface ethernet 2/1
switch(config-if-Et2/1)# no switchport
switch(config-if-Et2/1)# default qos trust
switch(config-if-Et2/1)# show qos interface ethernet 1/1 - 2/4 trust

Port                                       Trust Mode
                               Operational           Configured
---------------------------------------------------------------
Ethernet1/1                    COS                   COS
Ethernet1/2                    DSCP                  DSCP
Ethernet1/3                    UNTRUSTED             UNTRUSTED
Ethernet1/4                    COS                   DEFAULT
Ethernet2/1                    DSCP                  DEFAULT
Ethernet2/2                    COS                   DEFAULT
Ethernet2/3                    COS                   DEFAULT
Ethernet2/4                    COS                   DEFAULT

switch(config-if-Et2/1)#

show qos interfaces

The show qos interfaces command displays the QoS, DSCP, and transmit queue configuration on a specified interface. Information provided by this command includes the ports trust setting, the default CoS value, and the DSCP value.

Command Mode

EXEC

Command Syntax

show qos interfaces INTERFACE_NAME

Parameters

INTERFACE_NAME Interface For which command returns data. Options include:

no parameter Returns data for all interfaces.
ethernet e_num Ethernet interface specified by e_num.
port-channel p_num Port-Channel Interface specified by p_num.

Example

This command lists the QoS configuration for interface ethernet 4.

switch> show qos interfaces ethernet 4

Ethernet4:
   Trust Mode: COS
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: 5000000Kbps

   Tx-Queue   Bandwidth    ShapeRate      Priority
              (percent)       (Kbps)
   -----------------------------------------------
          0          50     disabled   round-robin
          1          50     disabled   round-robin
          2         N/A     disabled        strict
          3         N/A      1000000        strict
          4         N/A      1000000        strict
          5         N/A      1500000        strict
          6         N/A      2000000        strict

switch>

show qos interfaces latency maximum

The show qos interfaces latency maximum command displays the maximum latency tail-drop threshold active on each Tx queue for a specified interface.

Command Mode

EXEC

Command Syntax

show qos interfaces INTERFACE_NAME latency maximum

Parameters

INTERFACE_NAME: Name of the interface.

This command lists the maximum latency for VOQ tail drop on interface ethernet 23/1.

switch# show qos interfaces ethernet 23/1 latency maximum

Ethernet23/1:
Tx Queue            Maximum Latency
--------            ---------------
       7                          -         
       6                          -         
       5                          -         
       4                          -         
       3                      10 ms
       2                          -         
       1                          -         
       0                          -         

switch# show qos profile
qos profile latency
    tx-queue 3
        latency maximum 4000 microseconds
    Tx-queue 4
        latency maximum 30 milliseconds

switch#

show qos maps

The show qos maps command lists the number of traffic classes that the switch supports and displays the CoS-Traffic Class, DSCP-Traffic Class, Traffic Class-CoS, and Traffic Class-Transmit Queue maps.

Command Mode

EXEC

Command Syntax

show qos maps

Example

This command displays the QoS maps that are configured on the switch.

switch> show qos maps
Number of Traffic Classes supported: 8
   Number of Transmit Queues supported: 8
   Cos Rewrite:  Disabled
   Dscp Rewrite:  Disabled

   Cos-tc map:
     cos:  0  1  2  3  4  5  6  7
     ----------------------------
     tc:   1  0  2  3  4  5  6  7

   Dscp-tc map:
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  0  0  0  0  2  2  2  2
      2 :     2  2  2  2  3  3  3  3  3  3
      3 :     3  3  4  4  4  4  4  4  4  4
      4 :     5  5  5  5  5  5  5  5  6  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7

   Tc-cos map:
     tc:   0  1  2  3  4  5  6  7
     ----------------------------
     cos:  1  0  2  3  4  5  6  7

   Tc-dscp map:
     tc:    0  1  2  3  4  5  6  7
     -----------------------------
     dscp:  8  0 16 24 32 40 48 56

   Tc - tx-queue map:
     tc:        0  1  2  3  4  5  6  7
     ---------------------------------
     tx-queue:  0  1  2  3  4  5  6  7

switch>

show qos map dscp to traffic-class

The show qos map dscp to traffic-class command shows all DSCP to traffic-class maps, or one specified DSCP to TC map.

Command Mode

Privileged EXEC mode

Command Syntax

show qos map dscp to traffic-class [ map_name ]

Parameters

map_name The name of the DSCP to traffic-class map. If this is not specified, all DSCP to TC maps are shown.

Example

This command shows the DSCP to TC map named map1.

switch#show qos map dscp to traffic-class map1
   DSCP to TC map: map1
     d1 :  d2 0  1  2  3  4  5  6  7  8  9
     --------------------------------------
      0 :     1  1  1  1  1  1  1  1  0  0
      1 :     0  0  0  0  0  0  2  2  2  2
      2 :     6  6  6  6  6  6  3  3  3  3
      3 :     3  3  4  4  4  7  4  4  4  4
      4 :     5  5  5  5  5  5  5  5  6  6
      5 :     6  6  6  6  6  6  7  7  7  7
      6 :     7  7  7  7
switch#

show qos profile summary

The show qos profile summary command displays the QoS profile summary of those which are part of the running configuration.

Command Mode

EXEC

Command Syntax

show qos profile summary

Example

This command shows a summary of all QoS profiles configured on the switch.

switch(config)# show qos profile summary
Qos Profile: p
Configured on: Et13,7
Fabric
Po12
Qos Profile: p2
Configured on: Et56

show qos profile

The show qos profile command displays the contents of the specified QoS profile or of all QoS profiles in the running configuration.

Command Mode

EXEC

Command Syntax

show qos profile profile_name

Parameter

profile_name QoS profile name.

Examples

This command displays the contents of all QoS profiles configured on the switch.

switch(config)# show qos profile
qos profile p
qos cos 1
no priority-flow-control pause watchdog
priority-flow-control priority 1 no-drop
priority-flow-control priority 2 no-drop
qos profile p2
qos cos 3
priority-flow-control priority 0 no-drop

This command displays the configuration attached and information specific to QoS profile p2.

switch# show qos profile p2
qos profile p2
qos cos 3
priority-flow-control priority 0 no-drop

show qos random-detect ecn

The command displays the global Explicit Congestion Notification (ECN) configuration.

Command Mode

EXEC

Command Syntax

show qos random-detect ecn

Example

These commands configure global ECN parameters, then displays that configuration.

switch(config)# qos random-detect ecn global-buffer minimum-threshold 2 mbytes 
maximum-threshold 5 mbytes
switch(config)# show qos random-detect ecn                                                                            
   Minimum Threshold:  2
   Maximum Threshold:  5
   Threshold Unit:  mbytes

switch(config)#

show run|grep sharing

Theshow run|grep sharing command displays whether the QoS policy-map sharing on SVIs is enabled or disabled.

Command Mode

EXEC

Command Syntax

show run|grep sharing

Example

This command displays whether the QoS policy-map sharing on SVIs is enabled or disabled.

switch# show run|grep sharing
hardware access-list qos resource sharing vlan in ----

If this message is displayed then QoS policy-map sharing on SVIs is enabled.

tx-queue (Arad/Jericho)

The tx-queue command places the switch in Tx-queue configuration mode to configure a transmit queue on the configuration mode interface. Tx-queue configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.

Arad and Jericho platform switches have eight queues, 0 through 7, and all queues are exposed through the CLI. However, queue 7 is not user-configurable. Queue 7 is always mapped to traffic class 7, which is reserved for control traffic.

The exit command returns the switch to the configuration mode for the base Ethernet or port channel interface.

The no tx-queue and default tx-queue commands remove the configuration for the specified transmit queue by deleting all corresponding tx-queue mode statements from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

tx-queue queue_level

Parameters

queue_level The transmit queue. Values range from 0 to 7.

Commands Available in tx-queue Configuration Mode

bandwidth percent (Arad/Jericho)
priority (Arad/Jericho)
shape rate (Tx-queue – Arad/Jericho)

Guidelines

Arad and Jericho platform switch queues handle unicast traffic. Queues for multicast traffic are not supported.

Example

This command enters Tx-queue configuration mode for transmit queue 4 of interface ethernet 3/3/3.

switch(config)# interface ethernet 3/3/3
switch(config-if-Et3/3/3)# tx-queue 4
switch(config-if-Et3/3/3-txq-4)#

tx-queue (FM6000)

FM6000 platform switches have eight queues, 0 through 7. All queues are exposed through the CLI and are user configurable.

The exit command returns the switch to the configuration mode for the base Ethernet or port channel interface.

The no tx-queue and default tx-queue commands remove the configuration for the specified transmit queue by deleting the all corresponding tx-queue mode commands from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

tx-queue queue_level

Parameters

queue_level The transmit queue. Values range from 0 to 7.

Commands Available in tx-queue Configuration Mode

bandwidth percent (FM6000)
priority (FM6000)
shape rate (Tx-queue – FM6000)

Guidelines

FM6000 platform switch queues handle unicast and multicast traffic.

Example

This command enters Tx-queue configuration mode for transmit queue 3 of interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# tx-queue 3
switch(config-if-Et5-txq-3)#

tx-queue (Helix)

The tx-queue command places the switch in tx-queue configuration mode to configure a transmit queue on the configuration mode interface. The tx-queue configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.

Helix platform switches have eight unicast (UC0 – UC7) and eight multicast (MC0 – MC7) queues. Each UCx-MCx queue set is combined into a single queue group (L1.x), which is exposed to the CLI through this command.

The exit command returns the switch to the configuration mode for the base Ethernet or port channel interface.

The no tx-queue and default tx-queue commands remove the configuration for the specified transmit queue by deleting the all corresponding tx-queue mode commands from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

tx-queue queue_level

Parameters

queue_level Transmit queue group number. Values range from 0 to 7.

Commands Available in tx-queue Configuration Mode

bandwidth guaranteed (Helix)
shape rate (Tx-queue – Helix)

Guidelines

Helix platform switch queues handle unicast and multicast traffic.

Example

This command enters Tx-queue configuration mode for transmit queue 4 of interface ethernet 17/3.

switch(config)# interface ethernet 17/3
switch(config-if-Et17/3)# tx-queue 4
switch(config-if-Et17/3-txq-4)#

tx-queue (Petra)

The tx-queue command places the switch in tx-queue configuration mode to configure a transmit queue on the configuration mode interface. The tx-queue configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.

Petra platform switches have eight queues, 0 through 7, and all queues are exposed through the CLI. However, queue 7 is not user-configurable. Queue 7 is always mapped to traffic class 7, which is reserved for control traffic.

The exit command returns the switch to the configuration mode for the base Ethernet or port channel interface.

The no tx-queue and default tx-queue commands remove the configuration for the specified transmit queue by deleting the all corresponding tx-queue mode commands from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

tx-queue queue_level

Parameters

queue_level The transmit queue. Values range from 0 to 7.

Commands Available in tx-queue Configuration Mode

bandwidth percent (Petra)
priority (Petra)
shape rate (Tx-queue – Petra)

Guidelines

Petra platform switch queues handle unicast traffic. Queues for multicast traffic are not supported.

Example

This command enters the tx-queue configuration mode for transmit queue 3 of interface ethernet 3/3.

switch(config)# interface ethernet 3/3
switch(config-if-Et3/3)# tx-queue 3
switch(config-if-Et3/3-txq-3)#

tx-queue (Trident II)

Trident II platform switches have eight unicast (UC0 – UC7) and eight multicast (MC0 – MC7) queues. Each UCx-MCx queue set is combined into a single queue group (L1.x), which is exposed to the CLI through this command.

The exit command returns the switch to the configuration mode for the base Ethernet or port channel interface.

The no tx-queue and default tx-queue commands remove the configuration for the specified transmit queue by deleting the all corresponding tx-queue mode commands from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

tx-queue queue_level

Parameters

queue_level Transmit queue group number. Values range from 0 to 7.

Commands Available in tx-queue Configuration Mode

bandwidth guaranteed (Trident II)
shape rate (Tx-queue – Trident II)

Trident II platform switch queues handle unicast and multicast traffic.

Example

This command enters the tx-queue configuration mode for transmit queue 4 of interface ethernet 17/3.

switch(config)# interface ethernet 17/3
switch(config-if-Et17/3)# tx-queue 4
switch(config-if-Et17/3-txq-4)#

uc-tx-queue

The uc-tx-queue command places the switch in the uc-tx-queue configuration mode to configure a unicast transmit queue on the configuration mode interface. The uc-tx-queue configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.

Trident and Tomahawk switches have eight unicast queues (UC0 – UC7) and four multicast queues (MC0 – MC03), categorized into two priority groups. All queues are exposed through the CLI and are user-configurable.

Priority Group 1: UC7, UC6, MC3
Priority Group 0: UC5, UC4, MC2, UC3, UC2, MC1, UC1, UC0, MC0

The exit command returns the switch to the configuration mode for the base Ethernet or port channel interface.

The no uc-tx-queue and default uc-tx-queue commands remove the configuration for the specified transmit queue by deleting the all corresponding uc-tx-queue mode commands from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

uc-tx-queue queue_level

Parameters

queue_level The multicast transmit queue number. Values range from 0 to 7.

Commands Available in uc-tx-queue Configuration Mode

bandwidth percent (Trident and Tomahawk)
priority (Trident and Tomahawk)
shape rate (Tx-queue – Trident and Tomahawk)

Related Command

mc-tx-queue: Configures multicast transmit queues on Trident and Tomahawk platform switches.

Example

This command enters the mc-tx-queue configuration mode for multicast transmit queue 4 of interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# uc-tx-queue 4
switch(config-if-Et5-mc-txq-4)#

Chipset Mapping for QoS

Table 42. Chipset Names by Model Number
Model Number	Chipset Name
7010T-48	Helix4
7010T-48-DC	Helix4
7020SR-24C2	QumranAX
7020SR-32C2	QumranAX
7020SRG-24C2	QumranAX
7020TR-48	QumranAX
7020TRA-48	QumranAX
7048T-4S	Petra
7048T-A	Petra
7050CX3-32S	Trident3X7
7050CX3M-32S	Trident3X7
7050Q-16	Trident+
7050QX2-32S	Trident2+
7050QX-32	Trident2
7050QX-32S	Trident2
7050S-52	Trident+
7050S-64	Trident+
7050SX-128	Trident2
7050SX2-128	Trident2+
7050SX2-72Q	Trident2+
7050SX3-48C8	Trident3X5
7050SX3-48YC	Trident3X5
7050SX3-48YC12	Trident3X7
7050SX3-96YC8	Trident3X7
7050SX-64	Trident2
7050SX-72	Trident2
7050SX-72Q	Trident2
7050SX-96	Trident2
7050T-36	Trident+
7050T-36 (HwRev4)	Trident+
7050T-52	Trident+
7050T-52 (HwRev4)	Trident+
7050T-64	Trident+
7050T-64 (HwRev4)	Trident+
7050TX-128	Trident2
7050TX2-128	Trident2+
7050TX3-48C8	Trident3X5
7050TX-48	Trident2
7050TX-64	Trident2
7050TX-72	Trident2
7050TX-72Q	Trident2
7050TX-96	Trident2
7060CX2-32S	Tomahawk+
7060CX-32S	Tomahawk
7060DX4-32	Tomahawk3
7060PX4-32	Tomahawk3
7060SX2-48YC6	Tomahawk+
7120T-4S	Bali
7124FX	Bali
7124S	Bali
7124SX	Bali
7140T-8S	Bali
7148S	Bali
7148SX	Bali
7150S-24	Alta
7150S-24-CL	Alta
7150S-52-CL	Alta
7150S-64-CL	Alta
7150SC-24-CLD	Alta
7150SC-64-CLD	Alta
7170-32C	Tofino
7170-32CD	Tofino
7170-64C	Tofino
720XP-24Y6	Trident3X3
720XP-24ZY4	Trident3X3
720XP-48Y6	Trident3X3
720XP-48ZC2	Trident3X3
720XP-96ZC2	Trident3X3
7250QX-64	Trident2
7260CX3-64	Tomahawk2
7260CX3-64E	Tomahawk2
7260CX-64	Tomahawk
7260QX-64	Tomahawk
7280CR2-60	Jericho+
7280CR2A-60	Jericho+
7280CR2AK-30	Jericho+
7280CR2K-30	Jericho+
7280CR2K-60	Jericho+
7280CR2M-30	Jericho+
7280CR3-32D4	Jericho2
7280CR3-32P4	Jericho2
7280CR3-96	Jericho2
7280CR3K-32D4	Jericho2
7280CR3K-32P4	Jericho2
7280CR3K-96	Jericho2
7280CR3MK-32D4	Jericho2
7280CR3MK-32P4	Jericho2
7280CR-48	Jericho
7280DR3-24	Jericho2
7280DR3K-24	Jericho2
7280PR3-24	Jericho2
7280PR3K-24	Jericho2
7280QRA-C36S	Jericho
7280QR-C36	QumranMX
7280QR-C72	Jericho
7280SE-64	Arad+
7280SE-68	Arad+
7280SE-72	Arad+
7280SR2-48YC6	Jericho+
7280SR2A-48YC6	Jericho+
7280SR2K-48C6	Jericho+
7280SR3-40YC6	Jericho2C Q2A
7280SR-48C6	QumranMX
7280SRA-48C6	QumranMX
7280SRAM-48C6	QumranMX
7280SRM-40CX2	QumranMX
7280TR3-40C6	Jericho2C Q2A
7280TR-48C6	QumranMX
7280TRA-48C6	QumranMX
DCS-7304	Trident3
DCS-7304	Tomahawk
DCS-7304	Trident2
DCS-7308	Trident3
DCS-7308	Tomahawk
DCS-7308	Trident2
DCS-7316	Trident2
DCS-7368X4	Tomahawk3
DCS-7504	Petra
DCS-7504E	Arad/Arad+
DCS-7504N	Jericho 2
DCS-7504N	Jericho/Jericho+
DCS-7508	Petra
DCS-7508E	Arad/Arad+
DCS-7508N	Jericho 2
DCS-7508N	Jericho/Jericho+
DCS-7512N	Jericho 2
DCS-7512N	Jericho/Jericho+
DCS-7516N	Jericho/Jericho+
DCS-7804-CH	Jericho 2
DCS-7808-CH	Jericho 2

Traffic Management

This chapter describes Arista’s Traffic Management, including configuration instructions and command descriptions. Topics covered by this chapter include:

Traffic Management Conceptual Overview
Traffic Management Configuration Arad Platform Switches
Traffic Management Configuration FM6000 Platform Switches
Traffic Management Configuration Petra Platform Switches
Traffic Management Configuration Trident Platform Switches
Traffic Management Configuration Trident II Platform Switches
Traffic Management Configuration Commands

Traffic Management Conceptual Overview

Traffic is managed through policy maps that apply data shaping methods to specific data streams. A policy map is a data structure that identifies specific data streams and then defines shaping parameters that modify packets within the streams. The switch defines four types of policies:

Control Plane Policies: Control plane policy maps are applied to the control plane.
QoS Policies: QoS policy maps are applied to Ethernet and port channel interfaces.
Segment Routing Traffic Engineering Policy (SR-TE).
PBR Policies: PBR policy maps are applied to Ethernet interfaces, port channel interfaces and switch virtual interfaces (SVIs).

A policy map consists of classes. Each class contains an eponymous class map and traffic resolution commands.

A class map is a data structure that defines a data stream by specifying characteristics of data packets that comprise that stream. Each class map is typed as either QoS, control plane, or PBR and is available only to identically typed policy maps.
Traffic resolution commands specify data handling methods for traffic that matches a class map. Traffic resolution options vary by policy map type.

Data packets that enter an entity to which a policy map is assigned are managed with traffic resolution commands of the first class that matches the packets.

Control Plane Policies

The switch defines one control plane policy map named copp-system-policy. The copp-system-policy policy map is always applied to the control plane and cannot be removed from the switch. Other control plane policy maps cannot be added. Copp-system-policy consists of preconfigured classes, each containing a static class map and traffic resolution commands. Preconfigured classes cannot be removed from copp-system-policy.

Static class maps are provided by the switch and cannot be modified or deleted. The naming convention of static class maps is copp-system- name, where name differentiates the class maps. Static class maps have pre-defined internal conditions, are not based on ACLs, and are only listed in running-config as components of copp-system-policy. The sequence of static class maps in the policy map is not significant. Traffic resolution commands define minimum (bandwidth) and maximum (shape) transmission rates for data streams matching the corresponding class map.

Copp-system-policy can be modified through the following steps:

Add classes consisting of an eponymous dynamic class map and traffic resolution commands.
Dynamic class maps are user created, can be edited or deleted, filter traffic with a single IPv4 ACL, and are listed in running-config.
Change traffic resolution commands for a preconfigured class.

These sections describe control plane traffic policy configuration procedures:

Configuring Control Plane Traffic Policies Arad Platform Switches
Configuring Control Plane Traffic Policies FM6000 Platform Switches
Configuring Control Plane Traffic Policies Petra Platform Switches
Configuring Control Plane Traffic Policies Trident Platform Switches

QoS Policies

QoS policy maps are user defined. The switch does not provide preconfigured QoS policy maps and in the default configuration, policy maps are not applied to any Ethernet or port channel interface. Policy maps and class maps are created and applied to interfaces through configuration commands.

A QoS policy map is composed of one or more classes. Each class contains an eponymous dynamic class map and traffic resolution commands. Dynamic class maps are user created, can be edited or deleted, filter traffic with a single IPv4 ACL, and are listed in running-config.

QoS traffic resolution commands perform one of the following:

Set the Layer 2 CoS field
Set the DSCP value in the ToS byte
Specify a traffic class queue

The last class in all QoS policy maps is class-default, which is composed as follows:

The class-default class map matches all traffic except IPv4 or IPv6 traffic and is not editable.
By default, class-default class contains no traffic resolution commands. Traffic resolution commands can be added through configuration commands.

Data packets that enter an interface to which a policy map is assigned are managed with traffic resolution commands that correspond to the first class that matches the packet.

These sections describe QoS traffic policy configuration procedures:

Configuring QoS Traffic Policies Arad Platform Switches
Configuring QoS Traffic Policies FM6000 Platform Switches
Configuring QoS Traffic Policies Petra Platform Switches
Configuring QoS Traffic Policies Trident Platform Switches

Segment Routing Traffic Engineering Policy (SR-TE)

Segment Routing Traffic Engineering Policy (SR-TE) policy uses Segment Routing (SR) to enable a headend to steer traffic along any path without maintaining per flow state in every node based on the policy. Configuring SR policy for the MPLS dataplane (SR-MPLS) for Type-1 SR policy segments with BGP and locally configured policies as sources of SR policy is available on DCS-7500 and DCS-7280 family of switches.

SR Policy Overview

SR Policy Identification

The following identifies an SR policy.

Endpoint: an IPv4 or IPv6 address which refers to the destination of the policy. (0/0, 0:: are allowed and called “null endpoints”)
Color: an unsigned 32-bit opaque numerical quantity. The semantic of a color is up to the operator. It can refer to, for instance, an application or a type of traffic (low latency) or a geographical location, etc.

SR Policy Constituents

The SR policy consists of candidate paths. Each candidate path has the following.

SID-lists (SLs): an ordered list of Segment Identifiers. (Each SID is a MPLS label in the MPLS instantiation of SR). An SL encodes one path from the headend to the destination. Each SL has an optional weight attached to it for the purpose of Unequal Cost Multipath (UCMP) traffic distribution. The default value for SL weight is 1.
Preference: an optional, unsigned 32-bit integer used in the candidate path selection algorithm to select the “active” candidate path. The default value for preference is 100.
Binding SID (BSID): an optional, SID.
Note: In EOS, a BSID is mandatory for each candidate path.

SR Policy Sources

A headend learns SR policies using the following.

BGP
- Single agent routing model (Ribd)
- Multi-agent routing model
Local configuration using CLI
- Single agent routing model (Ribd)
- Multi-agent routing model
- Openconfig YANG models
PCEP
Note: PCEP is not supported in EOS.

Identity of a Candidate Path

A candidate path within an SR policy is identified by a 3-tuple of {Protocol-Origin, Originator, Discriminator}. In EOS, for locally configured policies:

the ASN in the Originator is set to 0.
the node address in the Originator is set to 0.0.0.0.
discriminator is set to the Preference configured.
Note: EOS CLI allows configuring only one candidate path at a given preference and does not allow configuring the discriminator for a candidate path.

State of an SID List (SL)

The following describes the state of an SL.

Valid: the top label of the SL is resolvable within the LFIB to outgoing next hop(s), interface(s) and a label action.
Invalid: top label of the SL is not resolvable to outgoing next hop(s), interface(s) and a label action. An SL is also marked as invalid when the SL is resolvable, but the resolved labeled stack exceeds the platform’s maximum SID depth (SID), that is, exceeds the maximum number of labels the platform can push in to the outgoing packet.
Note: The state is either valid or invalid.

State of a Candidate Path

The following describes the states of a candidate path.

Invalid: not eligible to participate in the best/active candidate path selection algorithm because of one of the reasons below.
- all constituent SLs are invalid
- Binding SID is not present
- Binding SID is present but outside SRLB range
Valid: At least one SL is valid and has lost out to some other candidate path in the best / active candidate path selection algorithm.
Active: The candidate path is valid and is the winner in the best / active candidate path selection algorithm. The active candidate path is installed in the switch hardware and used for forwarding traffic.

State of an SR Policy

An SR policy is “valid” when at least one of its candidate paths is valid as described above. Otherwise, the SR policy is said to be “invalid”.

Resolution of an SL

An SL is resolved if the top label (first SID) can be resolved in the system Labeled FIB (LFIB) to yield a nexthop and outgoing interface(s). The other labels in the SID-List do not play a part in resolution.

Best Candidate Path (Active Candidate Path) Selection Algorithm

EOS overrides selection based on discriminator by retaining the current active candidate path even when current active path has a lower discriminator value. This reduces the active path flap when a new path is learnt of the same significance. The following is a summary of valid candidate paths ordering for a given policy.

Candidate path with higher preference is chosen.
Locally configured candidate path is chosen over BGP learnt path
Lower originator is chosen.
1. Lower AS number of Originator field is chosen
2. Lower Node address of Originator field is chosen
Current active candidate path is chosen

The following displays the reason for a path not getting selected as an active path for a specified policy.

switch# show traffic-engineering segment-routing policy endpoint <endpoint> color <color>

Binding SID

The use cases for Binding SID are the following.

Stitch together multiple domains
Stitch together different traffic tunnels
Overcome label stack imposition limitation in hardware.

BSID Conflict Handling

Examples

(Between Policies): If the policy (E1, C1) becomes eligible to be active first then it would be installed in the LFIB and the policy (E2,C2) whose best path(CP1) is in conflict with the Policy (E1, C1) and will not become active.
- Policy(E1, C1): CP1: Binding-SID 965536 (wins best path)
- Policy(E2, C2): CP1: Binding-SID 965536 (wins best path)
- CP2: Binding-SID 965537
(with other Application): The SR-TE policies have the lowest preference when there is a conflict with any other application in EOS using the SRLB range. The candidate paths which have the binding-SID as that of an LFIB entry by another application (for example, static adjacency segment) will be kept as “invalid”.

In both the cases, when the conflict no longer exists, the candidate paths are re-evaluated and may become active.

BGP as a Source of Policies

SR Policies from a BGP peer (a controller, route reflector) is received for installation at the headend by EOS. It does not propagate the received policies to BGP peers nor does it originate SR Policies for transmission to BGP peers.

The following are supported over IPv4 or IPv6 peers which can be single hop or multi-hop iBGP or eBGP peers.

SAFI 73 for AFI 1 and AFI 2: IPv4 and IPv6 policy endpoints, with the encoding defined in section 2.1 of Advertising Segment Routing Policies in BGP.
Note: The nexthop address-family must match the AFI of the NLRI.
Sub-TLVs of Tunnel Encapsulation TLV of type 15 (SR-TE Policy Type) of the Tunnel Encapsulation Path Attribute:
1. Preference (Sub-TLV Type 12)
2. Binding SID (Sub-TLV Type 13) of length 2 or 6 bytes
3. Segment List (Sub-TLV Type 128). The following Segment List sub-TLVs are supported:
  1. Type 1 Segment (Sub-TLV type 1)
  2. Weight (Sub-TLV type 9)
4. Explicit NULL Label Policy (Sub-TLV Type 14)

Note: All other sub-TLVs of the Tunnel Encapsulation TLV and Segment List sub-TLVs are ignored.

Route-Target and NO_ADVERTISE Community in SR-TE SAFI Updates

EOS implements the Acceptance and Usability checks as defined in sections 4.2.1 and 4.2.2 of the IETF draft Advertising Segment Routing Policies in BGP. However EOS skips matching the Route-Target with the router-ID of the headend if the SR-TE NLRI is tagged with NO_ADVERTISE community.

ECMP is not supported for SR-TE SAFI Paths

EOS does not support ECMP for BGP SR-TE SAFI. Only one best candidate path is chosen by BGP path selection and published to SR-TE Policy Agent for candidate path selection.

Note: ECMP of BGP next hops where each next hop resolves to an SR-TE policy is supported.

Path Selection within BGP

The IETF draft Advertising Segment Routing Policies in BGP supports passing multiple candidate paths from a single protocol source for an SR-TE policy path selection. Hence it includes a field distinguisher in the NLRI which can be unique for each controller to make BGP pass through the policies. However when multiple sources use the same distinguisher, BGP performs a path selection for the tuple: Endpoint, Color and Distinguisher. The best path for that tuple is published to the SR-TE Policy Agent for selecting an Active path. The best bgp-best-path selection applies to SR-TE SAFI as well.

Error Handling / Edge Cases

Weight 0: The IETF draft does not limit the range of SL weight to exclude weight 0. A SID-List with weight 0 is not used for forwarding so BGP module in EOS does not pass on SID-Lists with weight 0 to the SR-TE policy agent. Such SID-Lists will be visible in show bgp sr-te commands but not in show traffic-engineering segment-routing policy commands.
Empty SLs: Given the TLV encoding used to propagate SR Policies in BGP, it is possible to receive SID-Lists that have no SIDs (SID-Lists are empty). The BGP module in EOS does not pass such empty SID-Lists to SR-TE policy agent. Such SID-Lists will be visible in show bgp sr-te commands but not in show traffic-engineering segment-routing policy commands.
Non Type 1 segments: EOS supports only Type-1 segments. If a BGP update is received with a SID-List that has non Type-1 segments, the entire SID-List is ignored and BGP-4-SRTE_IGNORED_SEGMENT_LIST_UNSUPPORTED_SEGMENTS syslog is emitted. Such SID-Lists are not stored locally, and show bgp sr-te command does not display them.
Note: The SID-Lists that are made up of all Type-1 segments are passed on to the SR-TE policy agent.

Steering Traffic into a Policy

Incoming label is BSID - “Labelled Steering”

At the headend when a packet is received with a label stack that has a BSID of an active CP of a valid SR Policy as the top label, the headend pops the label, and imposes the resolved label stack on the outgoing packet.

Example

Consider an SR Policy with an active candidate path with BSID 965536 and SL with label stack [965540, 900001, 900002]. Assume that 965540 is an IS-IS SR Adjacency SID. An incoming packet has label stack [965536, 100000] then the outgoing label stack is [900001, 900002, 100000].

Steering BGP learnt IP(v6) prefixes - “IP Steering”

Incoming label is BSID - “Labelled Steering”

At the headend, BGP IPv4 and IPv6 routes received with one or more extended color communities are recursively resolved through any active SR Policy that matches the BGP routes’ nexthop and color. When an IPv4 or IPv6 packet is received that is forwarded using this policy, the SL’s resolved label stack is imposed in the outgoing packet.

For BGP routes received with color community to be steered via an SR policy, the route’s nexthop must already be resolvable through IGP. If there is no resolving route in IGP, the route is considered unresolvable and will not be programmed in hardware even if there is a matching SR policy for the corresponding nexthop and color.

If there is no matching SR policy for the received BGP nexthop and color, the route will be resolved through the IGP route in IP RIB. If an active SR policy that matches the BGP nexthop and color gets instantiated at a later time, the BGP route will change from resolving through IGP to the new active SR policy.

Note: The recursion through SR policy is only applicable for BGP routes that are active in RIB.

Color only IP steering using CO bits

It is possible to relax the requirement of an exact match of the BGP route’s nexthop with the endpoint of the SR Policy using the “CO” (Color Only) bits in the color extended community. The “CO” bits are 2 reserved bits repurposed for color only steering as defined in section 3 of Advertising Segment Routing Policies in BGP. The exact match of the nexthop is done with the CO bits set to 00 or 11.

CO = 01 Steering: relaxes the nexthop to match the null endpoint of a policy. For a BGP route with nexthop N and color C, the following order is used for resolution. If there is no IGP route resolving the BGP nexthop, the route is not programmed in hardware.

Active SR policy with endpoint N and color C
Active SR policy with null endpoint (from the same AFI as the BGP route) and color C
Active SR policy with null endpoint from any AFI and color C
IGP route

CO = 10 Steering: in addition to the steps in CO = 01 steering, CO = 10 additionally relaxes the nexthop to match any endpoint. The following order is used for resolving a BGP route with nexthop N and color C. The behavior described is in accordance with section 8.8.1 of the IETF draft Segment Routing Policy for Traffic Engineering.

Active SR policy with endpoint N and color C
Active SR policy with null endpoint (from the same AFI as the BGP route) and color C
Active SR policy with null endpoint from any AFI and color C
Active SR policy for any endpoint from the same AFI as the BGP route and color C
Active SR policy for any endpoint from any AFI and color C
IGP route

ECMP of IPv4/IPv6 Prefixes that Resolve over SR-TE Policies

When multiple BGP paths of BGP unicast prefixes resolve through active SR policies form ECMP, the resulting FIB entry for the BGP route has an ECMP of segment list paths which is a union of all the segments-list entries present in each of the resolving SR policies for the BGP paths.

Example

The following table displays four paths for prefix 192.1.0.0/31, and each of the four paths resolves via SR-TE policies.

Table 1. List of Paths Resolved via SR-TE Policies
Path	Nexthop	Color	Policy EP	Policy Color	Segment Lists	Per SL Traffic Distribution
1	1.0.0.2	CO(00):1000	1.0.0.2	1000	[2500 500], Weight: 1 [2501 500], Weight: 2	8.33% 16.66%
2	1.0.2.2	CO(00):2000	1.0.2.2	2000	[2502 500], Weight: 1 [2503 500], Weight: 1	12.5% 12.5%
3	1.0.4.2	CO(00):3000	1.0.4.2	3000	[2504 500], Weight: 1 [2505 500], Weight: 1	12.5% 12.5%
4	1.0.6.2	CO(00):4000	1.0.6.2	4000	[2506 500], Weight: 1 [2507 500], Weight: 1	12.5% 12.5%

 B I    192.1.0.0/31 [200/0] via SR-TE Policy 1.0.4.2, color 3000
                             via SR-TE tunnel index 6, weight 1
                                via 1.0.4.2, Ethernet1, label 2505 500
                             via SR-TE tunnel index 5, weight 1
                                via 1.0.4.2, Ethernet1, label 2504 500
                          via SR-TE Policy 1.0.0.2, color 1000
                             via SR-TE tunnel index 2, weight 1
                                via 1.0.0.2, Ethernet2, label 2501 500
                             via SR-TE tunnel index 1, weight 1
                                via 1.0.0.2, Ethernet2, label 2500 500
                          via SR-TE Policy 1.0.2.2, color 2000
                             via SR-TE tunnel index 4, weight 1
                                via 1.0.2.2, Ethernet3, label 2503 500
                             via SR-TE tunnel index 3, weight 1
                                via 1.0.2.2, Ethernet3, label 2502 500
                          via SR-TE Policy 1.0.6.2, color 4000
                             via SR-TE tunnel index 8, weight 1
                                via 1.0.6.2, Ethernet6, label 2507 500
                             via SR-TE tunnel index 7, weight 1
                                via 1.0.6.2, Ethernet6, label 2506 500

The traffic distribution honors the weights of the SID-Lists. In the example, each of the four SR Policies will get 25% of the total traffic meant for prefix 192.1.0.0/31. Within each policy, the distribution is based on the weights of the SID-Lists.

ECMP Group when some BGP unicast paths resolve over SR Policies and some via non SR Policy IGP paths

If some BGP paths resolve via SR Policy paths and some BGP paths resolve via non SR Policy IGP, then the ECMP group formed programmed as the active route in FIB, only considers the SR Policy paths. ECMP in the FIB is not formed between paths that resolve over SR Policy and paths that resolve via non SR Policy IGP routes. In the example above, if SR Policy with endpoint 1.0.6.2 and color 4000 becomes inactive or is removed, the FIB path for 192.1.0.0/31 resolves via 3 SR Policies as shown below.

B I    192.1.0.0/31 [200/0] via SR-TE Policy 1.0.4.2, color 3000
                             via SR-TE tunnel index 6, weight 1
                                via 1.0.4.2, Ethernet1, label 2505 500
                             via SR-TE tunnel index 5, weight 1
                                via 1.0.4.2, Ethernet1, label 2504 500
                          via SR-TE Policy 1.0.0.2, color 1000
                             via SR-TE tunnel index 2, weight 1
                                via 1.0.0.2, Ethernet2, label 2501 500
                             via SR-TE tunnel index 1, weight 1
                                via 1.0.0.2, Ethernet2, label 2500 500
                          via SR-TE Policy 1.0.2.2, color 2000
                             via SR-TE tunnel index 4, weight 1
                                via 1.0.2.2, Ethernet3, label 2503 500
                             via SR-TE tunnel index 3, weight 1
                                via 1.0.2.2, Ethernet3, label 2502 500

Note: show ip bgp still shows a 4-way ECMP. The FIB paths switch to resolving via the (non SR Policy) IGP paths when there are no BGP paths in the ECMP group that resolve via an SR Policy.

UCMP of IPv4/IPv6 prefixes using LinkBandwidth (LBW) Extended Community that resolve over SR-TE policies not supported

When multiple BGP paths of BGP unicast prefixes resolve through active SR policies form ECMP, and the unicast paths also contain the LBW extended community, EOS does not form UCMP amongst the unicast paths. Only ECMP is formed at the unicast prefix level. The LBW is ignored the behavior is identical to the behavior explained in the previous section.

Resolution of BGP unicast prefixes that resolve over other BGP unicast prefixes resolved via SR Policies

A BGP unicast prefix P1, that is recursively resolved via another BGP prefix P2, such that P2 resolves via an SR Policy, then in the FIB, P1 is programmed with the resolved nexthop pointing to the non SR Policy resolution of P2. P1 does not use P2s SR Policy for forwarding.

Explicit Null Label Imposition

When the address family of the BGP unicast prefix is not the same as the address family of the endpoint of the SR Policy that the unicast prefixes resolves via, an explicit null label is automatically imposed in the outgoing label stack.

Example

If an IPv4 unicast prefix P1 resolves over a policy whose endpoint EP1 is an IPv6 address (this can happen due to color only CO=01/10 steering with P1 having an IPv4 nexthop) and the SR Policy had a SID-List whose resolved label stack is [1001, 1002, 1003], the outgoing packet is imposed with [1001, 1002, 1003, 2] where 0 is the IPv4 explicit null label.

If an IPv6 prefix P2, resolves over a policy whose endpoint EP2 is an IPv4 address (this can happen with color only CO=01/10 steering with P2 having a IPv6 nexthop) and the SR Policy had a SID-List whose resolved label stack is [1001, 1002, 1003], the outgoing packet is imposed with [1001, 1002, 1003, 2] where 2 is the IPv6 explicit null label.

The following table lists the configurations which result in having explicit-null label in the resolved label stack.

Table 2. Configurations resulting in Explicit-Null Label in Resolved Label Stack
ENLP configuration for the resolving SR Policy	IPv4 Prefixes	IPv6 Prefixes
None	-	-
IPv4	IPv4 explicit null appended to the end of label stack	-
IPv6	-	IPv6 explicit null appended to the end of label stack
Both	IPv4 explicit null appended to the end of label stack	IPv6 explicit null appended to the end of label stack
No/Default config (incase of BGP learnt policies ENLP Sub-TLV is not received)	Resolving SR Policy has IPv4 Endpoint address: No explicit-null	Resolving SR Policy has IPv4 Endpoint address: IPv6 explicit null appended to the end of label stack
	Resolving SR Policy has IPv6 Endpoint address: IPv4 explicit null appended to the end of label stack	Resolving SR Policy has IPv6 Endpoint address: No explicit-null

Traffic Accounting

All egress tunnel counters (MPLS/GRE/MPLSoGRE using SR-TE/Nexthop-group/BGP-LU tunnel types) share the same hardware resource.

7280E/7500E systems: Up to 16k tunnels
7280R/7500R systems: Up to 8k tunnels

Tunnel counters are allocated on a first-come, first-served basis. Configurations using GRE/MPLSoGRE, GRE, and MPLS further limit a maximum of 4k countable egress MPLS tunnels on 7280R/7500R.

FEC Optimizations

The hardware FEC usage could be reduced as the underlying FEC is shared among different routes.

Programming of the active candidate path of an SR-TE policy in hardware is shared between the BSID route and IP steering route.
If all of the following conditions are met, ISIS-SR MPLS routes and tunnel entries directly point to the next hop FEC generated by the routing agent (IGP FEC).
- All the next hops of the MPLS route either point to pop or forward (i.e. swapping to the same label) label action.
- The switch is either a 7280 or a 7500 platform.
The corresponding SR-TE policy BSID routes (and corresponding Segment List tunnels) that resolve over ISIS-SR MPLS routes, will directly point to the IGP FEC.

Configuring SR-TE

The following commands start the SrTePolicy agent and enter the switch into the Traffic Engineering configuration sub-mode.

switch(config)# router traffic-engineering
switch(config-te)# segment-routing

Note: The agent must be running even if the only source of policies is BGP.

Static Policy Configuration

The following commands set the policy using endpoint and color value, and define the BSID for the policy.

switch(config-te-sr)# policy endpoint v4Address|v6Address color color-value
switch(config-te-sr-policy)# binding-sid mpls-label
switch(config-te-sr-policy)# path-group preference value

The following commands enter the policy path configuration sub mode, and adds a segment list to the candidate path.

switch(config-te-sr-policy)# path-group preference value
switch(config-te-sr-policy-path)# segment-list label-stack label1 label2 … weight value

Note: The default weight value is 1. Adding weight is optional. Repear the configuration statement for multiple segment lists per candidate path.

The following commands configures a null label policy.

switch(config-te-sr-policy-path)# explicit-null [none|ipv4|ipv6|both]

Note: The null label policy configuration is optional.

BGP configuration for SR-TE SAFI

The following commands configures a BGP router to activate a neighbor to negotiate and accept SR-TE address-family with this peer.

switch(config)# router bgp <as>
switch(config-router-bgp)# address-family ipv4|ipv6 sr-te
switch(config-router-bgp-af-srte)# neighbor neighbor activate

The following command configures an inbound route-map to filter or modify attributes on incoming SR-TE prefixes from the peer.

switch(config-router-bgp-af-srte)# neighbor neighbor route-map routeMapName in

Configuring Egress SR-TE Traffic Accounting

The following command enables egress traffic accounting for SR policies (also known as MPLS tunnels).

switch(config)# hardware counter feature mpls tunnel

The following command displays current status of the MPLS counters.

switch#show hardware counter feature
Feature            Direction        Counter Resource (Engine)
------------------ ---------------- --------------------------
ACL-IPv4           out              Jericho: 2, 3
ACL                in               Jericho: 4, 5, 6, 7
MPLS tunnel        out              Jericho: 8, 9

The following command disables egress traffic accounting for SR policies.

switch(config)# no hardware counter feature mpls tunnel

The following command displays a summary information of SR-TE SAFI.

switch# show bgp sr-te summary
BGP summary information for VRF default
Router identifier 100.1.1.2, local AS number 100
Neighbor Status Codes: m - Under maintenance
  Neighbor         V  AS           MsgRcvd   MsgSent  InQ OutQ  Up/Down State  PfxRcd PfxAcc
  100.1.1.1        4  100              407       413    0    0 00:18:57 Estab  1      1
  1000::1          4  100              407       413    0    0 00:18:57 Estab  1      1

The following command displays a summary information of candidate paths received from neighbors which have negotiated AFI=1 for SR-TE SAFI.

switch# show bgp sr-te ipv4 summary
BGP summary information for VRF default
Router identifier 100.1.1.2, local AS number 100
Neighbor Status Codes: m - Under maintenance
  Neighbor    V  AS   MsgRcvd  MsgSent InQ OutQ  Up/Down  State  PfxRcd PfxAcc
  100.1.1.1   4  100  407      413     0   0     00:18:57 Estab  0      0

The following command displays a summary information of candidate paths received from neighbors which have negotiated AFI=2 for SR-TE SAFI.

switch# show bgp sr-te ipv6 summary
BGP summary information for VRF default
Router identifier 100.1.1.2, local AS number 100
Neighbor Status Codes: m - Under maintenance
  Neighbor     V  AS   MsgRcvd  MsgSent InQ OutQ  Up/Down  State  PfxRcd PfxAcc
  1000::1      4  100  407      413     0   0     00:18:57 Estab  0      0

The following command displays all the SR-TE candidate paths.

switch# show bgp sr-te
BGP routing table information for VRF default
Router identifier 100.1.1.1, local AS number 100
Policy status codes: * - valid, > - active, E - ECMP head, e - ECMP
                    c - Contributing to ECMP
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

     Endpoint    Color   Distinguisher   Next Hop    Metric  LocPref Weight  Path
*>   133.1.1.1   0       1               130.1.1.3   0       100     0       ?
*>   133.1.1.1   0       2               130.1.1.3   0       100     0       ?
*>   1330::1     0       1               1300::3     0       100     0       ?
*>   1330::1     0       2               1300::3     0       100     0       ?

The following command displays all the SR-TE candidate paths with IPv4 endpoints.

switch# show bgp sr-te ipv4
BGP routing table information for VRF default
Router identifier 100.1.1.1, local AS number 100
Policy status codes: * - valid, > - active, E - ECMP head, e - ECMP
                    c - Contributing to ECMP
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

     Endpoint   Color   Distinguisher   Next Hop    Metric  LocPref Weight  Path
*>   133.1.1.1  0       1               130.1.1.3   0       100     0       ?
*>   133.1.1.1  0       2               130.1.1.3   0       100     0       ?

The following command displays all the SR-TE candidate paths with IPv6 endpoints.

switch# show bgp sr-te ipv6
BGP routing table information for VRF default
Router identifier 100.1.1.1, local AS number 100
Policy status codes: * - valid, > - active, E - ECMP head, e - ECMP
                    c - Contributing to ECMP
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

     Endpoint   Color   Distinguisher   Next Hop   Metric  LocPref Weight  Path
*>   1330::1    0       1               1300::3    0       100     0       ?
*>   1330::1    0       2               1300::3    0       100     0       ?

The following command displays information about a specific candidate path.

switch# show bgp sr-te endpoint 133.1.1.1 color 0 distinguisher 1
BGP routing table information for VRF default
Router identifier 100.1.1.1, local AS number 100
BGP routing table entry for Endpoint: 133.1.1.1 Color: 0 Distinguisher: 1
 Paths: 1 available
  Local
    130.1.1.3 from 100.1.1.2 (100.1.1.2)
      Origin INCOMPLETE, metric 0, localpref 100, IGP metric 0, weight 0, 
      received 00:01:29 ago, valid, internal, best
      Community: no-advertise
      Rx SAFI: SR TE Policy

The following command displays information about a specific candidate path including the contents of the Tunnel encapsulation path attribute TLV of type SR policy.

switch# show bgp sr-te endpoint 133.1.1.1 color 0 distinguisher 1 detail
BGP routing table information for VRF default
Router identifier 100.1.1.1, local AS number 100
BGP routing table entry for Endpoint: 133.1.1.1 Color: 0 Distinguisher: 1
 Paths: 1 available
  Local
    130.1.1.3 from 100.1.1.2 (100.1.1.2)
      Origin INCOMPLETE, metric 0, localpref 100, IGP metric 0, weight 0, 
      received 00:01:29 ago, valid, internal, best
      Community: no-advertise
      Rx SAFI: SR TE Policy
      Tunnel encapsulation attribute: SR Policy
         Preference: 200
         Binding SID: 965536
         Explicit null label policy: IPv4
         Segment-List: Label Stack: [ 16004 16003 ], Weight: 10
         Segment-List: Label Stack: [ 2000 3000 ]

The following command displays information about SR candidate paths received from the specified neighbor. The “policies” keyword displays only the candidate paths that are accepted. “received-policies” additionally also displays the rejected candidate paths.

switch# show bgp neighbors 100.1.1.2 ipv4 sr-te policies
BGP routing table information for VRF default
Router identifier 100.1.1.1, local AS number 100
Policy status codes: * - valid, > - active
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

     Endpoint   Color   Distinguisher   Next Hop    Metric  LocPref Weight  Path
*>   133.1.1.1  0       1               133.1.1.3   0       100     0       ?
*>   133.1.1.1  0       2               133.1.1.3   0       100     0       ?

The following command displays information about SR candidate paths received from the specified neighbor along with the contents of the Tunnel Encapsulation path attribute’s TLV of type SR Policy. The policies keyword displays only the candidate paths that are accepted. received-policies additionally also displays the rejected candidate paths..

switch# show bgp neighbors 100.1.1.2 ipv4 sr-te policies detail
BGP routing table information for VRF default
Router identifier 100.1.1.1, local AS number 100
BGP routing table entry for Endpoint: 133.1.1.1 Color: 0 Distinguisher: 2
 Paths: 1 available
  Local
    130.1.1.3 from 100.1.1.2 (100.1.1.2)
      Origin INCOMPLETE, metric 0, localpref 100, IGP metric 0, weight 0, 
      received 00:01:29 ago, invalid, internal
      Rx SAFI: SR TE Policy
      Tunnel encapsulation attribute: SR Policy
         Preference: 200
         Binding SID: 965536
         Explicit null label policy: IPv4
         Segment-List: Label Stack: [ 16004 16003 ], Weight: 10
         Segment-List: Label Stack: [ 2000 3000 ]

PBR Policies

Policy-Based Routing (PBR) allows the operator to specify the next hop for selected incoming packets on an L3 interface, overriding the routing table. Incoming packets are filtered through a policy map referencing one or more ACLs, and matching packets are routed to the next hop specified.

A PBR policy map is composed of one or more classes and can include next-hop information for each class. It can also include single-line raw match statements, which have the appearance and function of a single line from an ACL. Each class contains an eponymous class map. Class maps are user-created, can be edited or deleted, filter traffic using IPv4 ACLs, and are listed in running-config.

These sections describe PBR policy configuration procedures:

Configuring PBR Policies Arad Platform Switches
Configuring PBR Policies FM6000 Platform Switches
Configuring PBR Policies Petra Platform Switches
Configuring PBR Policies Trident Platform Switches

Traffic Management Configuration Arad Platform Switches

Traffic policies are implemented by policy maps, which are applied to the control plane, or to L3 interfaces for Policy-Based Routing (PBR). Policy maps contain classes, which are composed of class maps and traffic resolution commands.

Traffic Management Conceptual Overview describes traffic policies.

Configuring Control Plane Traffic PoliciesArad Platform Switches

Default control plane traffic policies are implemented automatically without user intervention. These policies are modified by associating traffic resolution commands with static classes that comprise the control plane policy map.

Static Class Maps

Control plane traffic policies utilize static class maps, which are provided by the switch, are not editable, and cannot be deleted.

Editing the Policy Map

The only control plane policy map is copp-system-policy, which cannot be deleted. In its default form, copp-system-policy consists of the classes listed in class (policy-map (control-plane) Arad). Although the underlying class map of each class cannot be edited, the traffic resolution commands can be adjusted. The default classes cannot be removed from the policy map and their sequence within the policy map is not editable.

Policy maps are modified in policy-map configuration mode. The policy-map type copp command enters policy-map configuration mode.

Example

This command enters policy-map configuration mode for editing copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)#

The class (policy-map (control-plane) Arad) command enters policy-map-class configuration mode, where traffic resolution commands are modified for the configuration mode class.

Example

This command enters policy-map-class configuration mode for the copp-system-lacp static class.

switch(config-pmap-copp-system-policy)# class copp-system-lacp
switch(config-pmap-c-copp-system-policy-copp-system-lacp)#

Two traffic resolution commands determine bandwidth parameters for class traffic:

bandwidth (policy-map-class (control-plane) Arad) specifies the minimum bandwidth.
shape (policy-map-class (control-plane) Arad) specifies the maximum bandwidth.

Example

These commands configure a bandwidth range of 2000 to 4000 kilobits per seconds (kbps) for traffic filtered by the copp-system-lacp class map:

switch(config-pmap-c-copp-system-policy-copp-system-lacp)# bandwidth kbps 2000
switch(config-pmap-c-copp-system-policy-copp-system-lacp)# shape kbps 4000
switch(config-pmap-c-copp-system-policy-copp-system-lacp)#

Policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the saved version of policy map. The show pending command displays the modified policy map.

Example

These commands exit policy-map-class configuration mode, display the pending policy-map, then exit policy-map configuration mode, which saves the altered policy map to running-config.

switch(config-pmap-c-copp-system-policy-copp-system-lacp)# exit
switch(config-pmap-copp-system-policy)# show pending
policy-map type copp copp-system-policy
  class copp-system-bpdu

  class copp-system-lldp

  class copp-system-lacp
    shape kbps 4000
    bandwidth kbps 2000

  class copp-system-l3ttl1

  class copp-system-l3slowpath


switch(config-pmap-copp-system-policy)# exit
switch(config)#

Applying Policy Maps to the Control Plane

The copp-system-policy policy map is always applied to the control plane. No commands are available to add or remove this assignment.

Displaying Policy Maps

The show policy-map interface type qos command displays the configured values of the policy maps classes and the number of packets filtered and dropped as a result of the class maps.

Example

These commands exit policy-map-class configuration mode, display the pending policy-map, then exit policy-map configuration mode, which saves the altered policy map to running-config.

switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy
  Hardware programming status: InProgress

  Class-map: copp-system-mlag (match-any)
       shape : 10000001 kbps
       bandwidth : 10000001 kbps
      Out Packets : 0
      Drop Packets : 0

  Class-map: copp-system-bpdu (match-any)
       shape : 2604 kbps
       bandwidth : 1302 kbps
      Out Packets : 0
      Drop Packets : 0

  Class-map: copp-system-lacp (match-any)
       shape : 4230 kbps
       bandwidth : 2115 kbps
      Out Packets : 0
      Drop Packets : 0

switch(config)#

switch(config-pmap-c-copp-system-policy-copp-system-lacp)# exit

Configuring QoS Traffic Policies Arad Platform Switches

QoS traffic policies are implemented by creating class maps and policy maps, then applying the policy maps to Ethernet and port channel interfaces.

Creating Class Maps

QoS traffic policies utilize dynamic class maps that are created and modified in class-map configuration mode. The class-map type qos command enters class-map configuration mode.

Example

This command enters class-map configuration mode to create QoS class map named Q-CMap_1.

switch(config)# class-map type qos match-any Q-CMap_1
switch(config-cmap-Q-CMap_1)#

A class map contains one IPv4 access control list (ACL). The match ip access-group command assigns an ACL to the class map. Subsequent match commands replace the existing match command. Class maps filter traffic only on ACL permit rules. Deny ACL rules are disregarded.

Example

This command adds the IPv4 ACL named ACL_1 to the class map.

switch(config-cmap-Q-CMap_1)# match ip access-group ACL_1
switch(config-cmap-Q-CMap_1)#

Class-map configuration mode is a group-change mode. Changes made in a group-change mode are saved by exiting the mode. The show active command displays the saved version of class map. The show pending command displays the unsaved class map.

Example

The show active command indicates that the configuration mode class map is not stored in running-config. The show pending command displays the class map to be stored upon exiting class-map configuration mode.

switch(config-cmap-Q-CMap_1)# show active
switch(config-cmap-Q-CMap_1)# show pending
class-map type qos match-any Q-CMap_1
   match ip access-group ACL_1

switch(config-cmap-Q-CMap_1)#

The exit command returns the switch to global configuration mode and saves pending class map changes. The abort command returns the switch to global configuration mode and discards pending changes.

Example

This command exits class-map configuration mode and stores pending changes to running-config.

switch(config-cmap-CP-CMAP_1)# exit
switch(config)# show class-map type control-plane CP-CMAP_1
  Class-map: CP-CMAP_1 (match-any)
    Match: ip access-group name ACLv4_1
switch(config)#

Creating Policy Maps

Policy maps are created and modified in policy-map configuration mode. The policy-map type quality-of-service command enters policy-map configuration mode.

Example

This command places the switch in policy-map configuration mode and creates a QoS policy map named Q-PMAP_1.

switch(config)# policy-map type quality-of-service Q-PMAP_1
switch(config-pmap-Q-PMAP_1)#

Policy map are edited by adding or removing classes. A class automatically contains its eponymous class map; traffic resolution commands are added or edited in policy-map-class configuration mode. The below command adds a class to the configuration mode policy map and places the switch in policy-map-class configuration mode, where traffic resolution commands are added to the class.

Example

This command adds the Q-CMap_1 class to the Q-PMAP_1 policy map and places the switch in policy-map-class configuration mode.

switch(config-pmap-Q-PMAP_1)# class Q-CMap_1
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)#

The set cos commands configure traffic resolution methods for data that passes the class map:

set cos sets the Layer 2 CoS field.
set dscp sets the DSCP value in the ToS byte.
set traffic class specifies a traffic class queue.

Example

These commands configure the policy map to set the CoS field 7 on packets filtered by the class map, then assigns those packets to traffic class 4.

switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# set cos 7
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# set traffic-class 4
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)#

Policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active and show pending commands display the saved and modified policy map versions, respectively.

Example

These commands exit policy-map-class configuration mode, display the pending policy-map, then exit policy-map configuration mode to save the altered policy map to running-config.

switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# exit
switch(config-pmap-Q-PMAP_1)# show pending
policy-map type quality-of-service Q-PMAP_1
  class Q-CMap_1
    set cos 7
    set traffic-class 4

  class class-default

switch(config-pmap-Q-PMAP_1)# exit
switch(config)#

The last class in all QoS policy maps is class-default. The class-default class map matches all traffic except IPv4 or IPv6 traffic and provides no traffic resolution commands. The class-default class map is not editable; traffic resolution commands can be added to the class-default class.

To modify traffic resolution commands for the class-default class, enter policy-map-class configuration mode for the class, then enter the desired set commands.

Example

These commands enter policy-map-class configuration mode for class-default, configures the stream to enter traffic class 2, and saves the altered policy map to running-config.

switch(config)# policy-map type quality-of-service Q-PMap_1
switch(config-pmap-Q-PMap_1)# class class-default
switch(config-pmap-c-Q-PMap_1-class-default)# set traffic-class 2
switch(config-pmap-c-Q-PMap_1-class-default)# exit
switch(config-pmap-Q-PMap_1)# exit
switch(config)# show policy-map type qos Q-PMap_1
Service-policy Q-PMap_1

  Class-map: Q-CMap_1 (match-any)
    Match: ipv6 access-group name ACLv6_1
       set cos 7
       set traffic-class 4

  Class-map: class-default (match-any)
       set traffic-class 2

switch(config)#

Applying Policy Maps to an Interface

The service-policy type qos (Interface mode) command applies a specified policy map to the configuration mode interface.

These commands apply PMAP-1 policy map to interfaceEthernet 8.

switch(config)# interface ethernet 8
switch(config-if-Et8)# show active
switch(config-if-Et8)# service-policy input PMAP-1
switch(config-if-Et8)# show active
interface Ethernet8
   service-policy type qos input PMAP-1
switch(config-if-Et8)#

Configuring PBR Policies Arad Platform Switches

Policy-Based Routing (PBR) is implemented by creating class maps and policy maps, then applying the policy maps to Ethernet interfaces, port channel interfaces or switch virtual interfaces (SVIs).

Creating PBR Class Maps

PBR policies utilize class maps that are created and modified in the class-map configuration mode. The class-map type pbr command enters the class-map configuration mode.

Example

This command enters the class-map configuration mode to create a PBR class map named CMAP1.

switch(config)# class-map type pbr match-any CMAP1
switch(config-cmap-PBR-CMAP1)#

A class map contains one or more access control lists (ACLs). The match (policy-map (pbr)) command assigns an ACL to the class map. Subsequent match commands add additional ACLs to the class map. Class maps filter traffic only on ACL permit rules. Deny ACL rules are disregarded; if a class map includes ACLs with deny rules, the configuration reverts to its previous state.

Example

This command adds the ACL named ACL1 to the class map.

switch(config-cmap-PBR-CMAP1)# match ip access-group ACL1
switch(config-cmap-PBR-CMAP1)#

The class-map configuration mode is a group-change mode. Changes made in a group-change mode are saved by exiting the mode. The show active command displays the saved version of class map.

The show active command indicates that the configuration mode class map is not stored in running-config.

switch(config-cmap-PBR-CMAP1)# show active
switch(config-cmap-PBR-CMAP1)#

The exit command returns the switch to the global configuration mode and saves pending class map changes. The abort command returns the switch to the global configuration mode and discards pending changes.

Example

This command exits class-map configuration mode and stores pending changes to running-config.

switch(config-cmap-PBR-CMAP1)# exit
switch(config)# show class-map type pbr CMAP1
class-map type pbr match-any CMAP1
   10 match ip access-group ACL1
switch(config)#

Creating PBR Policy Maps

Policy maps are created and modified in policy-map configuration mode. The policy-map type pbr command enters the policy-map configuration mode.

Example

This command enters the policy-map configuration mode for creating a PBR policy map named PMAP1.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)#

Policy map are edited by adding or removing classes. A class automatically contains its eponymous class map; next-hop commands are added or edited in the policy-map-class configuration mode. The class (policy-map (pbr)) command adds a class to the configuration mode policy map and places the switch in the policy-map-class configuration mode, where next-hop commands are added to the class.

Example

This command adds the CMAP1 class to the policy map and places the switch into the policy-map-class configuration mode.
```
switch(config-pmap-PMAP1)# class CMAP1
switch(config-pmap-c-PMAP1-CMAP1)#
```
The set nexthop (policy-map-class pbr) command configures the next hop for data that passes the class map.
This command configures the policy map to set the next hop to 10.12.0.5 on packets filtered by the class map.
```
switch(config-pmap-c-PMAP1-CMAP1)# set nexthop 10.12.0.5
switch(config-pmap-c-PMAP1-CMAP1)#
```
The set nexthop-group (policy-map-class(pbr) Arad) command configures a nexthop group as the next hop for data that passes the class map.
These commands configure the policy map PMAP1 to set the next hop to a nexthop group named GROUP1 for traffic defined by class map CMAP1.
```
switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)# class CMAP1
switch(config-pmap-c-PMAP1-CMAP1)# set nexthop-group GROUP1
switch(config-pmap-c-PMAP1-CMAP1)#
```
The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the currently saved map version.
These commands exits the policy-map-class configuration mode, then exits the policy-map configuration mode to save the altered policy map to running-config.
```
switch(config-pmap-c-PMAP1-CMAP1)# exit
switch(config-pmap-PMAP1)# exit
switch(config)#
```

Applying a PBR Policy Map to an Interface

The service-policy type pbr (Interface mode) command applies the specified PBR policy map to the configuration mode interface. Only one PBR service policy is supported per interface.

These commands apply the PMAP1 PBR policy map to interface ethernet 8.

switch(config)# interface ethernet 8
switch(config-if-Et8)# service-policy type pbr input PMAP1
switch(config-if-Et8)#

Hardware Decapsulation

When hardware decapsulation takes place, PBR policy maps on Arad platform switches match on outer packet headers (i.e., they match based on the attributes of the packet before it is decapsulated).

Traffic Management Configuration FM6000 Platform Switches

Traffic policies are implemented by policy maps, which are applied to the control plane or an interface. Policy maps contain classes, which are composed of class maps and traffic resolution commands. Traffic Management Conceptual Overview describes traffic policies.

FM6000 platform switches support the following traffic policies:

Control plane policies manage control plane traffic.
QoS traffic policies manage traffic on Ethernet and port channel interfaces.

These sections describe the construction and application of policy maps on FM6000 platform switches:

Configuring Control Plane Traffic Policies FM6000 Platform Switches
Configuring QoS Traffic Policies FM6000 Platform Switches
Configuring PBR Policies FM6000 Platform Switches

Configuring Control Plane Traffic PoliciesFM6000 Platform Switches

Static Class Maps

Control plane traffic policies utilize static class maps, which are provided by the switch, are not editable, and cannot be deleted.

Editing the Policy Map

The only control plane policy map is copp-system-policy, which cannot be deleted. In its default form, copp-system-policy consists of the classes listed in copp-system-policy default classes: FM6000 Platform Switches. Although the underlying class map of each class cannot be edited, the traffic resolution commands can be adjusted. The default classes cannot be removed from the policy map and their sequence within the policy map is not editable.

Table 3. Copp-system-policy Default Classes: FM6000 Platform Switches
Class Name	shape (pps)	bandwidth (pps)
copp-system-arp	10000	1000
copp-system-default	8000	1000
copp-system-ipmcrsvd	10000	1000
copp-system-ipmcmiss	10000	1000
copp-system-igmp	10000	1000
copp-system-l2rsvd	10000	10000
copp-system-l3slowpath	10000	1000
copp-system-pim-ptp	10000	1000
copp-system-ospf-isis	10000	1000
copp-system-selfip	5000	5000
copp-system-selfip-tc6to7	5000	5000
copp-system-sflow	25000	1000

Policy maps are modified in the policy-map configuration mode. The policy-map type copp command enters the policy-map configuration mode.

Example

This command enters the policy-map configuration mode for editing copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)#

The class (policy-map (control-plane) FM6000) command enters the policy-map-class configuration mode, where traffic resolution commands are modified for the configuration mode class.

Example

This command enters the policy-map-class configuration mode for the copp-system-arp static class.

switch(config-pmap-copp-system-policy)# class copp-system-arp
switch(config-pmap-c-copp-system-policy-copp-system-arp)#

Two traffic resolution commands determine bandwidth parameters for class traffic:

bandwidth (policy-map-class (control-plane) FM6000)
shape (policy-map-class (control-plane) FM6000)

Example

These commands configure a bandwidth range of 2000 to 4000 packets per seconds (pps) for traffic filtered by the copp-system-arp class map:

switch(config-pmap-c-copp-system-policy-copp-system-arp)# bandwidth pps 2000
switch(config-pmap-c-copp-system-policy-copp-system-arp)# shape pps 4000
switch(config-pmap-c-copp-system-policy-copp-system-arp)#

The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the saved version of policy map. The show pending command displays the modified policy map.

Example

These commands exit the policy-map-class configuration mode, display the pending policy-map, then exits the policy-map configuration mode, which saves the altered policy map to running-config.

switch(config-pmap-c-copp-system-policy-CP-CMAP_1)# exit
switch(config-pmap-copp-system-policy)# show pending
policy-map type copp copp-system-policy
  class CP-CMAP_1
    shape pps 4000
    bandwidth pps 2000

  class copp-system-bpdu

  class copp-system-lldp

  class copp-system-lacp

  class copp-system-arp



  class copp-system-arpresolver

  class copp-system-default

switch(config-pmap-copp-system-policy)#exit
switch(config)#

Applying Policy Maps to the Control Plane

The copp-system-policy policy map is always applied to the control plane. No commands are available to add or remove this assignment.

Configuring QoS Traffic Policies FM6000 Platform Switches

QoS traffic policies are implemented by creating class maps and policy maps, then applying the policy maps to Ethernet and port channel interfaces.

Creating Class Maps

QoS traffic policies utilize dynamic class maps that are created and modified in the class-map configuration mode. The class-map type qos command enters the class-map configuration mode.

Example

This command enters the class-map configuration mode to create QoS class map named Q-CMap_1.

switch(config)# class-map type qos match-any Q-CMap_1
switch(config-cmap-Q-CMap_1)#

A class map contains one IPv4 access control list (ACL). The match (class-map (qos) FM6000) command assigns an ACL to the class map. Subsequent match commands replace the existing match command. Class maps filter traffic only on ACL permit rules. Deny ACL rules are disregarded.

Example

This command adds the IPv4 ACL named ACL_1 to the class map.

switch(config-cmap-Q-CMap_1)# match ip access-group ACL_1
switch(config-cmap-Q-CMap_1)#

The class-map configuration mode is a group-change mode. Changes made in a group-change mode are saved by exiting the mode. The show active command displays the saved version of class map. The show pending command displays the unsaved class map.

Example

The show active command indicates that the configuration mode class map is not stored in running-config. The show pending command displays the class map to be stored upon exiting the class-map configuration mode.

switch(config-cmap-Q-CMap_1)# show active
switch(config-cmap-Q-CMap_1)# show pending
class-map type qos match-any Q-CMap_1
   match ip access-group ACL_1

switch(config-cmap-Q-CMap_1)#

Example

This command exits the class-map configuration mode and stores pending changes to running-config.

switch(config-cmap-CP-CMAP_1)# exit
switch(config)# show class-map type control-plane CP-CMAP_1
  Class-map: CP-CMAP_1 (match-any)
    Match: ip access-group name ACLv4_1
switch(config)#

Creating Policy Maps

Policy maps are created and modified in the policy-map configuration mode. The policy-map type quality-of-service command enters the policy-map configuration mode.

Example

This command places the switch in the policy-map configuration mode and creates a QoS policy map named Q-PMAP_1.

switch(config)# policy-map type quality-of-service Q-PMAP_1
switch(config-pmap-Q-PMAP_1)#

Policy map are edited by adding or removing classes. A class automatically contains its eponymous class map; traffic resolution commands are added or edited in the policy-map-class configuration mode. The class (policy-map (qos) FM6000) command adds a class to the configuration mode policy map and places the switch in the policy-map-class configuration mode, where traffic resolution commands are added to the class.

Example

This command adds the Q-CMap_1 class to the Q-PMAP_1 policy map and places the switch in the policy-map-class configuration mode.

switch(config-pmap-Q-PMAP_1)# class Q-CMap_1
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)#

set (policy-map-class (qos) FM6000) commands configure traffic resolution methods for data that passes the class map:

set cos sets the Layer 2 CoS field.
set dscp sets the DSCP value in the ToS byte.
set traffic class specifies a traffic class queue.

Example

These commands configure the policy map to set the CoS field 7 on packets filtered by the class map, then assigns those packets to traffic class 4.

switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# set cos 7
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# set traffic-class 4
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)#

The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active and show pending commands display the saved and modified policy map versions, respectively.

Example

These commands exit the policy-map-class configuration mode, display the pending policy-map, then exits the policy-map configuration mode to save the altered policy map to running-config.

switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# exit
switch(config-pmap-Q-PMAP_1)# show pending
policy-map type quality-of-service Q-PMAP_1
  class Q-CMap_1
    set cos 7
    set traffic-class 4

  class class-default

switch(config-pmap-Q-PMAP_1)# exit
switch(config)#

To modify traffic resolution commands for the class-default class, enter the policy-map-class configuration mode for the class, then enter the desired set commands.

Example

These commands enter the policy-map-class configuration mode for class-default, configures the stream to enter traffic class 2, and saves the altered policy map to running-config.

switch(config)# policy-map type quality-of-service Q-PMap_1
switch(config-pmap-Q-PMap_1) #class class-default
switch(config-pmap-c-Q-PMap_1-class-default)# set traffic-class 2
switch(config-pmap-c-Q-PMap_1-class-default)# exit
switch(config-pmap-Q-PMap_1)# exit
switch(config)# show policy-map type qos Q-PMap_1
Service-policy Q-PMap_1

  Class-map: Q-CMap_1 (match-any)
    Match: ipv6 access-group name ACLv6_1
       set cos 7
       set traffic-class 4

  Class-map: class-default (match-any)
       set traffic-class 2

switch(config)#

Applying Policy Maps to an Interface

The service-policy type qos (Interface mode) command applies a specified policy map to the configuration mode interface.

These commands apply PMAP-1 policy map to interface ethernet 8.

switch(config)# interface ethernet 8
switch(config-if-Et8)# show active
switch(config-if-Et8)# service-policy input PMAP-1
switch(config-if-Et8)# show active
interface Ethernet8
   service-policy type qos input PMAP-1
switch(config-if-Et8)#

Configuring PBR Policies FM6000 Platform Switches

Policy-Based Routing (PBR) is implemented by creating class maps and policy maps, then applying the policy maps to Ethernet interfaces, port channel interfaces or Switch Virtual Interfaces (SVIs).

Creating PBR Class Maps

PBR policies utilize class maps that are created and modified in the class-map configuration mode. The class-map type pbr command enters the class-map configuration mode.

Example

This command enters the class-map configuration mode to create a PBR class map named CMAP1.

switch(config)# class-map type pbr match-any CMAP1
switch(config-cmap-PBR-CMAP1)#

A class map contains one or more IPv4 access control lists (ACLs). The match (policy-map (pbr)) command assigns an ACL to the class map. Subsequent match commands add additional ACLs to the class map. Class maps filter traffic only on ACL permit rules. Deny ACL rules are disregarded; if a class map includes ACLs with deny rules, the configuration reverts to its previous state.

On FM6000 platform switches, counters are not supported, so a counters per-entry (ACL configuration modes) command in an ACL is ignored.

Example

This command adds the IPv4 ACL named ACL1 to the class map.

switch(config-cmap-PBR-CMAP1)# match ip access-group ACL1
switch(config-cmap-PBR-CMAP1)#

The class-map configuration mode is a group-change mode. Changes made in a group-change mode are saved by exiting the mode. The show active command displays the saved version of class map.

The show active command indicates that the configuration mode class map is not stored in running-config.

switch(config-cmap-PBR-CMAP1)# show active
switch(config-cmap-PBR-CMAP1)#

The exit command returns the switch to global configuration mode and saves pending class map changes. The abort command returns the switch to global configuration mode and discards pending changes.

Example

This command exits the class-map configuration mode and stores pending changes to running-config.

switch(config-cmap-PBR-CMAP1)# exit
switch(config)# show class-map type pbr CMAP1
class-map type pbr match-any CMAP1
   10 match ip access-group ACL1
switch(config)#

Creating PBR Policy Maps

Policy maps are created and modified in the policy-map configuration mode. The policy-map type pbr command enters the policy-map configuration mode.

Example

This command enters the policy-map configuration mode for creating a PBR policy map named PMAP1.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)#

Policy map are edited by adding or removing classes. A class automatically contains its eponymous class map; next-hop commands are added or edited in the policy-map-class configuration mode. The class (policy-map (pbr)) command adds a class to the configuration mode policy map and places the switch in the policy-map-class configuration mode, where next-hop commands are added to the class.

Examples

This command adds the CMAP1 class to the policy map and places the switch in the policy-map-class configuration mode.
```
switch(config-pmap-PMAP1)# class CMAP1
switch(config-pmap-c-PMAP1-CMAP1)#
```
The set nexthop (policy-map-class pbr) command configures the next hop for data that passes the class map.
This command configures the policy map to set the next hop to 10.12.0.5 on packets filtered by the class map.
```
switch(config-pmap-c-PMAP1-CMAP1)# set nexthop 10.12.0.5
switch(config-pmap-c-PMAP1-CMAP1)#
```
The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the currently saved map version.

Example

These commands exits the policy-map-class configuration mode, then exits the policy-map configuration mode to save the altered policy map to running-config.

switch(config-pmap-c-PMAP1-CMAP1)# exit
switch(config-pmap-PMAP1)# exit
switch(config)#

Applying a PBR Policy Map to an Interface

The service-policy type pbr (Interface mode) command applies the specified PBR policy map to the configuration mode interface. Only one PBR service policy is supported per interface.

These commands apply the PMAP1 PBR policy map to interface ethernet 8.

switch(config)# interface ethernet 8
switch(config-if-Et8)# service-policy type pbr input PMAP1
switch(config-if-Et8)#

Hardware Decapsulation

When hardware decapsulation takes place, PBR policy maps on FM6000 platform switches match on outer packet headers (i.e., they match based on the attributes of the packet before it is decapsulated).

Traffic Management Configuration Petra Platform Switches

Traffic policies are implemented by policy maps, which are applied to the control plane. Policy maps contain classes, which are composed of class maps and traffic resolution commands. QoS traffic policies are not supported on 7500 Series switches.

Traffic Management Conceptual Overview describes traffic policies.

Configuring Control Plane Traffic PoliciesPetra Platform Switches

Static Class Maps

Control plane traffic policies utilize static class maps, which are provided by the switch, are not editable, and cannot be deleted.

Editing the Policy Map

The only control plane policy map is copp-system-policy, which cannot be deleted. In its default form, copp-system-policy consists of the classes listed in copp-system-policy default classes: Petra Platform Switches. Although the underlying class map of each class cannot be edited, the traffic resolution commands can be adjusted. The default classes cannot be removed from the policy map and their sequence within the policy map is not editable.

Table 4. copp-system-policy default classes: Petra Platform Switches
Class Name	shape (kbps)	bandwidth (kbps)
copp-system-bpdu	2500	1250
copp-system-default	2500	250
copp-system-igmp	2500	250
copp-system-ipbroadcast	2500	250
copp-system-ipmc	2500	250
copp-system-ipmcmiss	2500	250
copp-system-ipmcrsvd	2500	250
copp-system-ipunicast	NO LIMIT	250
copp-system-l3destmiss	2500	250
copp-system-l3slowpath	2500	250
copp-system-l3ttl0	2500	250
copp-system-l3ttl1	2500	250
copp-system-lacp	2500	1250
copp-system-lldp	2500	250
copp-system-unicast-arp	2500	250

Policy maps are modified in the policy-map configuration mode. The policy-map type copp command enters the policy-map configuration mode.

Example

This command enters the policy-map configuration mode for editing copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)#

The class (policy-map (control-plane) Petra) command enters the policy-map-class configuration mode, where traffic resolution commands are modified for the configuration mode class.

Example

This command enters the policy-map-class configuration mode for the copp-system-lldp static class.

switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)#

Two traffic resolution commands determine bandwidth parameters for class traffic:

bandwidth (policy-map-class (control-plane) Petra) specifies the minimum bandwidth.
shape (policy-map-class (control-plane) Petra) specifies the maximum bandwidth.

Example

These commands configure a bandwidth range of 2000 to 4000 kilobits per seconds (kbps) for traffic filtered by the copp-system-arp class map:

switch(config-pmap-c-copp-system-policy-copp-system-lldp)# bandwidth kbps 2000
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# shape kbps 4000
switch(config-pmap-c-copp-system-policy-copp-system-lldp)#

The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the saved version of policy map. The show pending command displays the configured policy map.

Petra platform switches do not support all discrete rate values. When a bandwidth or shape command specifies a value that is not supported, the switch converts the rate to the next highest discrete value that it supports. The show policy-map interface type qos command displays the converted rate and not the user configured rate.

Example

These commands exits the policy-map-class configuration mode, display the pending policy-map, then exits the policy-map configuration mode, which saves the altered policy map to running-config.

switch(config-pmap-c-copp-system-policy-copp-system-lacp)# exit
switch(config-pmap-copp-system-policy)# show pending
policy-map type copp copp-system-policy
  class copp-system-bpdu

  class copp-system-lldp
    shape kbps 4000
    bandwidth kbps 2000

  class copp-system-lacp

switch(config-pmap-copp-system-policy)#exit
switch(config)#

Changes are saved with the exit command or discarded with the abort command. The show active command displays the saved version of policy map. The show pending command displays the modified policy map.

Displaying Policy Maps

The show policy-map interface type qos command displays the traffic resolution rates of the policy maps classes and the number of packets filtered and dropped as a result of the class maps. The shape and bandwidth rates may differ from configured values, because the switch does not support all discrete rate values.

Example

These commands exits the policy-map-class configuration mode, display the pending policy-map, then exits the policy-map configuration mode, which saves the altered policy map to running-config.

switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy
  Hardware programming status: InProgress

  Class-map: copp-system-mlag (match-any)
       shape : 10000001 kbps
       bandwidth : 10000001 kbps
      Out Packets : 0
      Drop Packets : 0

  Class-map: copp-system-lacp (match-any)
       shape : 2604 kbps
       bandwidth : 1302 kbps
      Out Packets : 0
      Drop Packets : 0

switch(config)#

Applying Policy Maps to the Control Plane

The copp-system-policy policy map is always applied to the control plane. No commands are available to add or remove this assignment.

Configuring QoS Traffic Policies Petra Platform Switches

QoS traffic policies are not supported on Petra platform switches.

Configuring PBR Policies Petra Platform Switches

PBR policies are not supported on Petra platform switches.

Traffic Management Configuration Trident Platform Switches

Trident platform switches support the following traffic policies:

Control plane policies manage control plane traffic.
QoS traffic policies manage traffic on Ethernet and port channel interfaces.

These sections describe the construction and application of policy maps:

Configuring Control Plane Traffic Policies Trident Platform Switches
Configuring QoS Traffic Policies Trident Platform Switches
Configuring PBR Policies Trident Platform Switches

Configuring Control Plane Traffic PoliciesTrident Platform Switches

Default control plane traffic policies are implemented automatically without user intervention. These policies are modified by creating class maps and editing the policy map to include the new class maps.

Creating Class Maps

Control plane traffic policies utilize static and dynamic class maps. Static class maps are provided by the switch, are not editable, and cannot be deleted. Dynamic class maps are created and modified in the class-map configuration mode. The class-map type copp command enters the class-map configuration mode.

Example

This command enters the class-map configuration mode for creating or editing a control plane dynamic class map named CP-CMAP_1.

switch(config)# class-map type copp match-any CP-CMAP_1
switch(config-cmap-CP-CMAP_1)#

Class maps contain one IPv4 or IPv6 access control list (ACL). The match (class-map (control-plane) Trident) command assigns an ACL to the class map. Subsequent match commands replace the existing match command. Class maps filter traffic only on ACL permit rules. Deny ACL rules are disregarded.

Example

This command assigns the IPv4 ACL named ACLv4_1 to the class map.

switch(config-cmap-CP-CMAP_1)# match ip access-group ACLv4_1
switch(config-cmap-CP-CMAP_1)#

The class-map configuration mode is a group-change mode. Changes are saved by exiting the mode. The show active command displays the saved version of class map. The show pending command displays the unsaved class map.

Example

switch(config-cmap-CP-CMAP_1)# show active
switch(config-cmap-CP-CMAP_1)# show pending
class-map type copp match-any CP-CMAP_1
   match ip access-group ACLv4_1

switch(config-cmap-CP-CMAP_1)#

Example

This command exits the class-map configuration mode and stores pending changes to running-config.

switch(config-cmap-CP-CMAP_1)# exit
switch(config)# show class-map type control-plane CP-CMAP_1
  Class-map: CP-CMAP_1 (match-any)
    Match: ip access-group name ACLv4_1
switch(config)#

Editing the Policy Map

The only control plane policy map is copp-system-policy, which cannot be deleted. In its default form, copp-system-policy consists of the classes listed in copp-system-policy default classes: Trident Platform Switches. Although the underlying class map of each class cannot be edited, the traffic resolution commands can be adjusted. The default classes cannot be removed from the policy map and their sequence within the policy map is not editable.

Table 5. copp-system-policy default classes: Trident Platform Switches
Class Name	shape (pps)	bandwidth (pps)
copp-system-bpdu	5000	5000
copp-system-lacp	5000	5000
copp-system-selfip-tc6to7	5000	5000
copp-system-selfip	5000	5000
copp-system-tc6to7	10000	1000
copp-system-lldp	10000	1000
copp-system-ipmcrsvd	10000	1000
copp-system-igmp	10000	1000
copp-system-ipmcmiss	10000	1000
copp-system-glean	10000	1000
copp-system-tc3to5	10000	1000
copp-system-arp	10000	1000
copp-system-arpresolver	10000	1000
copp-system-l3destmiss	10000	1000
copp-system-l3slowpath	10000	1000
copp-system-l3ttl1	10000	1000
copp-system-default	8000	1000
copp-system-acllog	10000	1000
copp-system-sflow	25000	0

Policy maps are modified in the policy-map configuration mode. The policy-map type copp command enters the policy-map configuration mode.

Example

This command enters the policy-map configuration mode for editing copp-system-policy.

switch(config)#policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)#

Dynamic classes are inserted in front of the static classes. Classes automatically contain their eponymous class map; traffic resolution commands are created or edited in the policy-map-class configuration mode. The class (policy-map (control-plane) Trident) command adds a class to the policy map and places the switch in the policy-map-class configuration mode, where traffic resolution commands are added to the class.

Example

This command adds the CP-CMAP_1 class to the copp-system-policy policy map and places the switch in the policy-map-class configuration mode.

switch(config-pmap-copp-system-policy)#class CP-CMAP_1
switch(config-pmap-c-copp-system-policy-CP-CMAP_1)#

Two traffic resolution commands determine bandwidth parameters for class traffic:

bandwidth (policy-map-class (control-plane) Trident) specifies the minimum bandwidth.
shape (policy-map-class (control-plane) Trident) specifies the maximum bandwidth.

Example

These commands configure a bandwidth range of 2000 to 4000 packets per seconds (pps) for traffic filtered by the CP-CMAP_1 class map:

switch(config-pmap-c-copp-system-policy-CP-CMAP_1)# bandwidth pps 2000
switch(config-pmap-c-copp-system-policy-CP-CMAP_1)# shape pps 4000
switch(config-pmap-c-copp-system-policy-CP-CMAP_1)#

Example

The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the saved version of policy map. The show pending command displays the modified policy map.

Example

switch(config-pmap-c-copp-system-policy-CP-CMAP_1)# exit
switch(config-pmap-copp-system-policy)# show pending
policy-map type copp copp-system-policy
  class CP-CMAP_1
    shape pps 4000
    bandwidth pps 2000

  class copp-system-bpdu

  class copp-system-lldp

  class copp-system-lacp

  class copp-system-arp

  class copp-system-arpresolver

  class copp-system-default

switch(config-pmap-copp-system-policy)# exit
switch(config)#

Example

To modify traffic resolution commands for a static class, enter the policy-map-class configuration mode for the class, then enter the desired bandwidth and shape commands.

Example

These commands enters the policy-map-class configuration mode for copp-system-bpdu class, change the bandwidth range for the class, then save the altered policy map to running-config.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-bpdu
switch(config-pmap-c-copp-system-policy-copp-system-bpdu)# shape pps 200
switch(config-pmap-c-copp-system-policy-copp-system-bpdu)# bandwidth pps 100
switch(config-pmap-c-copp-system-policy-copp-system-bpdu)# exit
switch(config-pmap-copp-system-policy)# show pending
policy-map type copp copp-system-policy
  class CP-CMAP_1
    shape pps 4000
    bandwidth pps 2000

  class copp-system-bpdu
    shape pps 200
    bandwidth pps 100

  class copp-system-lldp

switch(config-pmap-copp-system-policy)# exit
switch(config)#

Applying Policy Maps to the Control Plane

The copp-system-policy policy map is always applied to the control plane. No commands are available to add or remove this assignment.

Configuring QoS Traffic Policies Trident Platform Switches

QoS traffic policies are implemented by creating class maps and policy maps, then applying the policy maps to Ethernet and port channel interfaces.

Creating Class Maps

QoS traffic policies utilize dynamic class maps that are created and modified in the class-map configuration mode. The class-map type qos command enters the class-map configuration mode.

Example

This command enters the class-map configuration mode to create QoS class map named Q-CMap_1.

switch(config)# class-map type qos match-any Q-CMap_1
switch(config-cmap-Q-CMap_1)#

A class map contains one IPv4 or IPv6 Access Control List (ACL). The match (class-map (qos) Trident) command assigns an ACL to the class map. Subsequent match commands replace the existing match command. Class maps filter traffic only on ACL permit rules. Deny ACL rules are disregarded.

Example

This command adds the IPv6 ACL named ACLv6_1 to the class map.

switch(config-cmap-Q-CMap_1)# match ipv6 access-group ACLv6_1
switch(config-cmap-Q-CMap_1)#

Example

switch(config-cmap-Q-CMap_1)# show active
switch(config-cmap-Q-CMap_1)# show pending
class-map type qos match-any Q-CMap_1
   match ipv6 access-group ACLv6_1

switch(config-cmap-Q-CMap_1)#

Example

This command exits the class-map configuration mode and stores pending changes to running-config.

switch(config-cmap-CP-CMAP_1)# exit
switch(config)# show class-map type control-plane CP-CMAP_1
  Class-map: CP-CMAP_1 (match-any)
    Match: ip access-group name ACLv4_1
switch(config)#

Creating Policy Maps

Policy maps are created and modified in the policy-map configuration mode. The policy-map type quality-of-service command enters the policy-map configuration mode.

Example

This command enters the policy-map configuration mode for creating a QoS policy map named Q-PMAP_1.

switch(config)# policy-map type quality-of-service Q-PMAP_1
switch(config-pmap-Q-PMAP_1)#

Policy maps are edited by adding or removing classes. A class automatically contains its eponymous class map; traffic resolution commands are added or edited in the policy-map-class configuration mode. The class (policy-map (qos) Trident) command adds a class to the configuration mode policy map and places the switch in the policy-map-class configuration mode, where traffic resolution commands are added to the class.

Example

This command adds the Q-CMap_1 class to the Q-PMAP_1 policy map and places the switch in the policy-map-class configuration mode.

switch(config-pmap-Q-PMAP_1)# class Q-CMap_1
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)#

The set (policy-map-class (qos) Trident) command configures traffic resolution methods for data that passes the class map:

set cos sets the layer 2 CoS field.
set dscp sets the DSCP value in the ToS byte.
set traffic class specifies a traffic class queue.

Example

These commands configure the policy map to set CoS field 7 on packets filtered by the class map, then assigns those packets to traffic class 4.

switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# set cos 7
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# set traffic-class 4
switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)#

Example

switch(config-pmap-c-Q-PMAP_1-Q-CMap_1)# exit
switch(config-pmap-Q-PMAP_1)# show pending
policy-map type quality-of-service Q-PMAP_1
  class Q-CMap_1
    set cos 7
    set traffic-class 4

  class class-default

switch(config-pmap-Q-PMAP_1)# exit
switch(config)#

To modify traffic resolution commands for the class-default class, enter the policy-map-class configuration mode for the class, then enter the desired set commands.

Example

These commands enters the policy-map-class configuration mode for class-default, configures the stream to enter traffic class 2, and saves the altered policy map to running-config.

switch(config)# policy-map type quality-of-service Q-PMap_1
switch(config-pmap-Q-PMap_1)# class class-default
switch(config-pmap-c-Q-PMap_1-class-default)# set traffic-class 2
switch(config-pmap-c-Q-PMap_1-class-default)# exit
switch(config-pmap-Q-PMap_1)# exit
switch(config)# show policy-map type qos Q-PMap_1
Service-policy Q-PMap_1

  Class-map: Q-CMap_1 (match-any)
    Match: ipv6 access-group name ACLv6_1
       set cos 7
       set traffic-class 4

  Class-map: class-default (match-any)
       set traffic-class 2

switch(config)#

Applying Policy Maps to an Interface

The service-policy type qos (Interface mode) command applies a specified policy map to the configuration mode interface.

Example

These commands apply PMAP-1 policy map to interface ethernet 8.

switch(config)# interface ethernet 8
switch(config-if-Et8)# show active
switch(config-if-Et8)# service-policy input PMAP-1
switch(config-if-Et8)# show active
interface Ethernet8
   service-policy type qos input PMAP-1
switch(config-if-Et8)#

Configuring PBR Policies Trident Platform Switches

Policy-Based Routing (PBR) is implemented by creating class maps and policy maps, then applying the policy maps to Ethernet interfaces, port channel interfaces or Switch Virtual Interfaces (SVIs).

Creating PBR Class Maps

PBR policies utilize class maps that are created and modified in the class-map configuration mode. The class-map type pbr command enters the class-map configuration mode.

Example

This command enters the class-map configuration mode to create a PBR class map named CMAP1.

switch(config)# class-map type pbr match-any CMAP1
switch(config-cmap-PBR-CMAP1)#

A class map contains one or more Access Control Lists (ACLs). The match (policy-map (pbr)) command assigns an ACL to the class map. Subsequent match commands add additional ACLs to the class map. Class maps filter traffic only on ACL permit rules. Deny ACL rules are disregarded; if a class map includes ACLs with deny rules, the configuration reverts to its previous state.

Examples

This command adds the ACL named ACL1 to the class map.

switch(config-cmap-PBR-CMAP1)# match ip access-group ACL1
switch(config-cmap-PBR-CMAP1)#

The class-map configuration mode is a group-change mode. Changes made in a group-change mode are saved by exiting the mode. The show active command displays the saved version of class map.

The show active command indicates that the configuration mode class map is not stored in running-config.
```
switch(config-cmap-PBR-CMAP1)# show active
switch(config-cmap-PBR-CMAP1)#
```

The exit command returns the switch to global configuration mode and saves pending class map changes. The abort command returns the switch to global configuration mode and discards pending changes.

Example

This command exits the class-map configuration mode and stores pending changes to running-config.

switch(config-cmap-PBR-CMAP1)# exit
switch(config)# show class-map type pbr CMAP1
class-map type pbr match-any CMAP1
   10 match ip access-group ACL1
switch(config)#

Creating PBR Policy Maps

Policy maps are created and modified in the policy-map configuration mode. The policy-map type pbr command enters policy-map configuration mode.

Example

This command enters the policy-map configuration mode for creating a PBR policy map named PMAP1.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)#

Example

This command adds the CMAP1 class to the policy map and places the switch in the policy-map-class configuration mode.
```
switch(config-pmap-PMAP1)# class CMAP1
switch(config-pmap-c-PMAP1-CMAP1)#
```
The set nexthop (policy-map-class pbr) command configures the next hop for data that passes the class map.This command configures the policy map to set the next hop to 10.12.0.5 on packets filtered by the class map.
```
switch(config-pmap-c-PMAP1-CMAP1)# set nexthop 10.12.0.5
switch(config-pmap-c-PMAP1-CMAP1)#
```
The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the currently saved map version.These commands exits the policy-map-class configuration mode, then exits the policy-map configuration mode to save the altered policy map to running-config.
```
switch(config-pmap-c-PMAP1-CMAP1)# exit
switch(config-pmap-PMAP1)# exit
switch(config)#
```

Applying a PBR Policy Map to an Interface

The service-policy type pbr (Interface mode) command applies the specified PBR policy map to the configuration mode interface. Only one PBR service policy is supported per interface.

These commands apply the PMAP1 PBR policy map to interface ethernet 8.

switch(config)# interface ethernet 8
switch(config-if-Et8)# service-policy type pbr input PMAP1
switch(config-if-Et8)#

Hardware Decapsulation

When hardware decapsulation takes place, PBR policy maps on Trident platform switches match on inner packet headers (i.e., they match based on the attributes of the decapsulated packet).

Traffic Management Configuration Trident II Platform Switches

Trident platform switches support the following traffic policies:

Control plane policies manage control plane traffic.
QoS traffic policies manage traffic on Ethernet and port channel interfaces.

Configuring Control Plane Traffic PoliciesTrident II Platform Switches

Static Class Maps

Control plane traffic policies utilize static class maps, which are provided by the switch, are not editable, and cannot be deleted.

Editing the Policy Map

The only control plane policy map is copp-system-policy, which cannot be deleted. In its default form, copp-system-policy consists of the classes listed in copp-system-policy default classes: Trident II Platform Switches. Although the underlying class map of each class cannot be edited, the traffic resolution commands can be adjusted. The default classes cannot be removed from the policy map and their sequence within the policy map is not editable.

Table 6. copp-system-policy default classes: Trident II Platform Switches
Class Name	shape (pps)	bandwidth (pps)
copp-system-acllog	1000	10000
copp-system-arp	1000	10000
copp-system-arpresolver	1000	10000
copp-system-bfd	5000	10000
copp-system-bgp	5000	5000
copp-system-bpdu	5000	5000
copp-system-default	1000	8000
copp-system-glean	1000	10000
copp-system-igmp	1000	10000
copp-system-ipmcmiss	1000	10000
copp-system-ipmcrsvd	1000	10000
copp-system-l3destmiss	1000	10000
copp-system-l3slowpath	1000	10000
copp-system-l3ttl1	1000	10000
copp-system-lacp	5000	5000
copp-system-lldp	1000	10000
copp-system-mlag	5000	5000
copp-system-selfip	5000	5000
copp-system-selfip-tc6to7	5000	5000
copp-system-sflow	0	25024
copp-system-tc3to5	1000	10000
copp-system-tc6to7	1000	10000
copp-system-urm	1000	10000

Policy maps are modified in the policy-map configuration mode. The policy-map type copp command enters the policy-map configuration mode.

Example

This command enters the policy-map configuration mode for editing copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)#

Example

The class (policy-map (control-plane) Trident II) command enters the policy-map-class configuration mode, where traffic resolution commands are modified for the configuration mode class.

Example

This command enters the policy-map-class configuration mode for the copp-system-lacp static class.

switch(config-pmap-copp-system-policy)# class copp-system-lacp
switch(config-pmap-c-copp-system-policy-copp-system-lacp)#

Two traffic resolution commands determine bandwidth parameters for class traffic:

bandwidth (policy-map-class (control-plane) Trident II) specifies the minimum bandwidth.
shape (policy-map-class (control-plane) Trident II) specifies the maximum bandwidth.

Example

These commands configure a bandwidth range of 2000 to 4000 packets per seconds (pps) for traffic filtered by the copp-system-lacp class map:

switch(config-pmap-c-copp-system-policy-copp-system-lacp)# bandwidth pps 2000
switch(config-pmap-c-copp-system-policy-copp-system-lacp)# shape pps 4000
switch(config-pmap-c-copp-system-policy-copp-system-lacp)#

Example

The policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active command displays the saved version of policy map. The show pending command displays the modified policy map.

Example

These commands exits the policy-map-class configuration mode, display the pending policy-map, then exit policy-map configuration mode, which saves the altered policy map to running-config.

switch(config-pmap-c-copp-system-policy-copp-system-lacp)# exit
switch(config-pmap-copp-system-policy)# show pending
policy-map type copp copp-system-policy
  class copp-system-bpdu

  class copp-system-lldp

  class copp-system-lacp
    shape pps 4000
    bandwidth pps 2000

  class copp-system-arp

switch(config-pmap-copp-system-policy)#exit
switch(config)#

Applying Policy Maps to the Control Plane

The copp-system-policy policy map is always applied to the control plane. No commands are available to add or remove this assignment.

Traffic Management Configuration Commands

Traffic Policy (Control Plane) Configuration Commands

bandwidth (policy-map-class (control-plane) Arad)
bandwidth (policy-map-class (control-plane) FM6000)
bandwidth (policy-map-class (control-plane) Helix)
bandwidth (policy-map-class (control-plane) Petra)
bandwidth (policy-map-class (control-plane) Trident)
bandwidth (policy-map-class (control-plane) Trident II)
class-map type copp
class (policy-map (control-plane) Arad)
class (policy-map (control-plane) FM6000)
class (policy-map (control-plane) Helix)
class (policy-map (control-plane) Petra)
class (policy-map (control-plane) Trident)
class (policy-map (control-plane) Trident II)
match (class-map (control-plane) Helix)
match (class-map (control-plane) Trident)
match (class-map (control-plane) Trident II)
policy-map type copp
shape (policy-map-class (control-plane) Arad)
shape (policy-map-class (control-plane) FM6000)
shape (policy-map-class (control-plane) Helix)
shape (policy-map-class (control-plane) Petra)
shape (policy-map-class (control-plane) Trident)
shape (policy-map-class (control-plane) Trident II)

Traffic Policy (PBR) Configuration Commands

action set-ttl
class (policy-map (pbr))
class-map type pbr
feature pbr
match (class-map (pbr))
match (policy-map (pbr))
platform arad tcam counters feature
policy-map type pbr
resequence (class-map (pbr))
resequence (policy-map (pbr))
service-policy type pbr (Interface mode)
set nexthop (policy-map-class pbr)
set nexthop-group (policy-map-class(pbr) Arad)

CPU Traffic Policy Command

feature traffic-policy cpu
feature traffic-policy port

Traffic Policy (QoS) Configuration Commands

class-map type qos
class (policy-map (qos) FM6000)
class (policy-map (qos) Helix)
class (policy-map (qos) Trident)
class (policy-map (qos) Trident II)
match (class-map (qos) FM6000)
match (class-map (qos) Helix)
match (class-map (qos) Trident)
match (class-map (qos) Trident II)
policy-map type quality-of-service
policy-map type quality-of-service policer
service-policy type qos (Interface mode)
set (policy-map-class (qos) FM6000)
set (policy-map-class (qos) Helix)
set (policy-map-class (qos) Trident)
set (policy-map-class (qos) Trident II)

Traffic Policy Display and Utility Commands

clear policy-map counters
show class-map type control-plane
show class-map type pbr
show class-map type qos
show policy-map type copp
show policy-map type pbr
show policy-map type qos
show policy-map type qos counters
show policy-map copp
show policy-map interface type qos
show policy-map interface type qos counters
show traffic-policy

action set-ttl

The TTL action is effective only when it is configured along with a set nexthop or nexthop-group action. The TCAM profile has the set-ttl-3b or set-ttl action in the pbr ip and pbr ipv6 features, such as in the tc-counters system profile.

Command Mode

For IP

TCAM feature PBR IP configuration mode.

For IPv6

TCAM feature PBR IPv6 configuration mode.

Command Syntax

action set-time [set-ttl | set-ttl-3b]

no action set-time [set-ttl | set-ttl-3b]

default action set-time [set-ttl | set-ttl-3b]

Parameters

set-ttl Set time to live.
set-ttl-3bSet 3-bit time to live.

Example

In the following example, for IP, the action sets the time to live for the next hop.

(config)# hardware tcam
(config-tcam)# profile pbr-set-ttl copy default
(config-tcam-profile-pbr-set-ttl)# feature pbr ip
(config-tcam-feature-pbr-ip)# action set-ttl

In the following example, for IPv6, the action sets the time to live for the next hop group.

config)# hardware tcam
(config-tcam)# profile pbr-set-ttl copy default
(config-tcam-profile-pbr-set-ttl)# feature pbr ip
(config-tcam-feature-pbr-ip)# feature pbr ipv6
(config-tcam-feature-pbr-ipv6)# action set-ttl

bandwidth (policy-map-class (control-plane)Arad)

The bandwidth command specifies the minimum bandwidth for traffic filtered by the configuration mode policy map class.

The no bandwidth and default bandwidth commands remove the minimum bandwidth guarantee for the configuration mode class by deleting the corresponding bandwidth command from running-config.

Command Mode

Policy-map-class (control plane) configuration

accessed through class (policy-map (control-plane) Arad)

Command Syntax

bandwidth kbps kilobits

no bandwidth

default bandwidth

Parameters

kilobits Minimum data rate in kilobits per second. Value ranges from 1 to 10000000.

Related Commands

class (policy-map (control-plane) Arad) places the switch in the policy-map-class (control plane) configuration mode.
shape (policy-map-class (control-plane) Arad) specifies the maximum bandwidth for traffic defined by the associated class map in its configuration mode policy map class.

Static Classes Default Bandwidth

Arad platform switches define these default bandwidths for control plane static classes:

copp-system-bgp 250 copp-system-l3lpmoverflow 250
copp-system-bpdu 1250 copp-system-l3slowpath 250
copp-system-default 250 copp-system-l3ttl1 250
copp-system-ipbroadcast 250 copp-system-lacp 1250
copp-system-ipmc 250 copp-system-linklocal 250
copp-system-ipmcmiss 250 copp-system-lldp 250
copp-system-ipunicast 250 copp-system-mlag 250
copp-system-l2broadcast 250 copp-system-multicastsnoop 250
copp-system-l2unicast 250 copp-system-OspfIsis 250
copp-system-l3destmiss 250 copp-system-sflow 250

Example

These commands configure the minimum bandwidth of 500 kbps for data traffic specified by the class map copp-system-lldp of the default control-plane policy map.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# bandwidth kbps 500
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy
  Hardware programming status: InProgress

  Class-map: copp-system-lldp (match-any)
       shape : 2500 kbps
       bandwidth : 500 kbps
      Out Packets : 0
      Drop Packets : 0

switch(config)#

bandwidth (policy-map-class (control-plane)FM6000)

The bandwidth command specifies the minimum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration

accessed through class (policy-map (control-plane) FM6000)

Command Syntax

bandwidth pps packets

no bandwidth

default bandwidth

Parameters

packets Minimum data rate in packets per second. Value ranges from 1 to 100000.

Related Commands

class (policy-map (control-plane) FM6000) places the switch in policy-map-class (control plane) configuration mode.
shape (policy-map-class (control-plane) FM6000) specifies the maximum bandwidth for traffic defined by the associated class map in its configuration mode policy map class.

Static Classes Default Bandwidth

FM6000 platform switches define these default bandwidths for control plane static classes:

copp-system-arp 1000 copp-system-l3slowpath 1000
copp-system-default 1000 copp-system-pim-ptp 1000
copp-system-ipmcrsvd 1000 copp-system-ospf-isis 1000
copp-system-ipmcmiss 1000 copp-system-selfip 5000
copp-system-igmp 1000 copp-system-selfip-tc6to7 5000
copp-system-l2rsvd 10000 copp-system-sflow 1000

Example

These commands configure the minimum bandwidth of 1000 packets per second for data traffic specified by the class map PMAP-1 in the policy map named copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class PMAP-1
switch(config-pmap-c-copp-system-policy-PMAP-1)# bandwidth pps 1000
switch(config-pmap-c-copp-system-policy-PMAP-1)#

bandwidth (policy-map-class (control-plane)Helix)

The bandwidth command specifies the minimum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration

accessed through class (policy-map (control-plane) Helix)

Command Syntax

bandwidth pps packets

no bandwidth

default bandwidth

Parameters

packets Minimum data rate in packets per second. Value ranges from 1 to 100000.

Related Commands

class (policy-map (control-plane) Helix) places the switch in policy-map-class (control plane) configuration mode.
shape (policy-map-class (control-plane) Helix) specifies the maximum bandwidth for traffic defined by the associated class map in its configuration mode policy map class.

Static Classes Default Bandwidth

Helix platform switches define these default bandwidths for control plane static classes:

copp-system-acllog 1000 copp-system-l3ttl1 1000
copp-system-arp 1000 copp-system-lacp 5000
copp-system-arpresolver 1000 copp-system-lldp 1000
copp-system-bfd 5000 copp-system-mlag 5000
copp-system-bgp 5000 copp-system-OspfIsis 5000
copp-system-bpdu 5000 copp-system-selfip 5000
copp-system-default 1000 copp-system-selfip-tc6to7 5000
copp-system-glean 1000 copp-system-sflow 0
copp-system-igmp 1000 copp-system-tc3to5 1000
copp-system-ipmcmiss 1000 copp-system-tc6to7 1000
copp-system-ipmcrsvd 1000 copp-system-urm 1000
copp-system-l3destmiss 1000 copp-system-vrrp 1000
copp-system-l3slowpath 1000

Example

These commands configure the minimum bandwidth of 500 packets per second for data traffic specified by the class map copp-system-lldp.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# bandwidth pps 500
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map interface control-plan copp-system-policy
Service-policy input: copp-system-policy
  Number of units programmed: 4
  Hardware programming status: Successful

  Class-map: copp-system-lldp (match-any)
       shape : 10000 pps
       bandwidth : 500 pps
      Out Packets : 304996
      Drop Packets : 0

switch(config)#

bandwidth (policy-map-class (control-plane)Petra)

The bandwidth command specifies the minimum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration

accessed through class (policy-map (control-plane) Petra)

Command Syntax

bandwidth kbps kilobits

no bandwidth

default bandwidth

Parameters

kbits Minimum data rate in kilobits per second. Value ranges from 1 to 10000000.

Related Commands

class (policy-map (control-plane) Petra) places the switch in policy-map-class (control plane) configuration mode.
shape (policy-map-class (control-plane) Petra) specifies the maximum bandwidth for traffic defined by the associated class map in its policy map class configuration mode .

Static Classes Default Bandwidth

Petra platform switches define these default bandwidths for control plane static classes:

copp-system-bpdu 1250 copp-system-l3destmiss 250
copp-system-default 250 copp-system-l3slowpath 250
copp-system-igmp 250 copp-system-l3ttl0 250
copp-system-ipbroadcast 250 copp-system-l3ttl1 250
copp-system-ipmc 250 copp-system-lacp 1250
copp-system-ipmcmiss 250 copp-system-lldp 250
copp-system-ipmcrsvd 250 copp-system-unicast-arp 250
copp-system-ipunicast 250

Guidelines

Petra does not support all discrete rate values. When a specified discrete value is not supported, the switch converts the rate to the next highest discrete value that it supports. The show command displays the converted rate and not the user-configured rate.

Example

These commands configure a minimum bandwidth of 500 kbps for data traffic specified by the class map copp-system-lldp of the default control-plane policy map. Because the switch does not support the discrete value of 500 kbps, it converts the bandwidth up to 651 kbps.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# bandwidth kbps 500
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy
  Hardware programming status: InProgress

  Class-map: copp-system-lldp (match-any)
       shape : 2766 kbps
       bandwidth : 651 kbps
      Out Packets : 0
      Drop Packets : 0

switch(config)#

bandwidth (policy-map-class (control-plane)Trident II)

The bandwidth command specifies the minimum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration

accessed through class (policy-map (control-plane) Trident II).

Command Syntax

bandwidth pps packets

no bandwidth

default bandwidth

Parameters

packets Minimum data rate in packets per second. Value ranges from 1 to 100000.

Related Commands

class (policy-map (control-plane) Trident II) places the switch in policy-map-class (control plane) configuration mode.
shape (policy-map-class (control-plane) Trident II) specifies the maximum bandwidth for traffic defined by the associated class map in its configuration mode policy map class.

Static Classes Default Bandwidth

Trident II platform switches define these default bandwidths for control plane static classes:

copp-system-acllog 1000 copp-system-l3slowpath 1000
copp-system-arp 1000 copp-system-l3ttl1 1000
copp-system-arpresolver 1000 copp-system-lacp 5000
copp-system-bfd 5000 copp-system-lldp 1000
copp-system-bgp 5000 copp-system-mlag 5000
copp-system-bpdu 5000 copp-system-selfip 5000
copp-system-default 1000 copp-system-selfip-tc6to7 5000
copp-system-glean 1000 copp-system-sflow 0
copp-system-igmp 1000 copp-system-tc3to5 1000
copp-system-ipmcmiss 1000 copp-system-tc6to7 1000
copp-system-ipmcrsvd 1000 copp-system-urm 1000
copp-system-l3destmiss 1000

Example

These commands configure the minimum bandwidth of 500 packets per second for data traffic specified by the class map copp-system-lldp.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# bandwidth pps 500
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map interface control-plan copp-system-policy
Service-policy input: copp-system-policy
  Number of units programmed: 4
  Hardware programming status: Successful

  Class-map: copp-system-lldp (match-any)
       shape : 10000 pps
       bandwidth : 500 pps
      Out Packets : 304996
      Drop Packets : 0

switch(config)#

bandwidth (policy-map-class (control-plane)Trident)

The bandwidth command specifies the minimum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration

accessed through class (policy-map (control-plane) Trident).

Command Syntax

bandwidth pps packets

no bandwidth

default bandwidth

Parameters

packets Minimum data rate in packets per second. Value ranges from 1 to 100000.

Related Commands

class (policy-map (control-plane) Trident) places the switch in policy-map-class (control plane) configuration mode.
shape (policy-map-class (control-plane) Trident) specifies the maximum bandwidth for traffic defined by the associated class map in its configuration mode policy map class.

Static Classes Default Bandwidth

Trident platform switches define these default bandwidths for control plane static classes:

copp-system-arp 1000 copp-system-lldp 1000
copp-system-arpresolver 1000 copp-system-l3destmiss 1000
copp-system-bpdu 5000 copp-system-l3slowpath 1000
copp-system-default 1000 copp-system-l3ttl1 1000
copp-system-glean 1000 copp-system-selfip 5000
copp-system-igmp 1000 copp-system-selfip-tc6to7 5000
copp-system-ipmcmiss 1000 copp-system-sflow 0
copp-system-ipmcrsvd 1000 copp-system-tc6to7 1000
copp-system-lacp 5000 copp-system-tc3to5 1000

Example

These commands configure the minimum bandwidth of 1000 packets per second for data traffic specified by the class map PMAP-1 in the policy map named copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class PMAP-1
switch(config-pmap-c-copp-system-policy-PMAP-1)# bandwidth pps 1000
switch(config-pmap-c-copp-system-policy-PMAP-1)#

class (policy-map (control-plane) Arad)

The class command places the switch in policy-map-class (control plane) configuration mode, which is a group change mode for changing bandwidth and shape parameters associated with a specified class. All changes in a group change mode edit session are pending until the end of the session.

A policy map is an ordered list of classes. The control plane policy map contains 20 static classes. Each class contains an eponymous class map and may contain bandwidth and shape commands.

The class map identifies a data stream.
bandwidth command defines the streams minimum transmission rate through the control plane.
shape command defines the streams maximum transmission rate through the control plane.

Static class maps identify a data stream by definition. Each data packet is managed by commands of the first class whose map matches the packets content. Dynamic classes are not supported for control plane policing on Arad platform switches.

Each class corresponds to a transmission queue. Queue scheduling is round-robin until bandwidth rate for a queue is exceeded. Scheduling becomes strict-priority with CPU queue number determining priority until the shape rate is reached. Packets are dropped after the shape rate is exceeded.

The exit command returns the switch to policy-map configuration mode. Saving policy-map-class changes also require an exit from policy-map mode, which saves pending policy-map-class and policy-map changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove policy-map-class commands for the specified class assignment from the policy map.

Command Mode

Policy-Map (control plane) configuration accessed through policy-map type copp command.

Command Syntax

class class_name

no class class_name

default class class_name

Parameters

class_name name of the class.

Static Classes

Arad platform switches provide the following static control plane classes:

copp-system-bgp copp-system-l2broadcast copp-system-linklocal
copp-system-bpdu copp-system-l2unicast copp-system-lldp
copp-system-default copp-system-l3destmiss copp-system-mlag
copp-system-ipbroadcast copp-system-l3lpmoverflow copp-system-multicastsnoop
copp-system-ipmc copp-system-l3slowpath copp-system-OspfIsis
copp-system-ipmcmiss copp-system-l3ttl1 copp-system-sflow
copp-system-ipunicast copp-system-lacp

Commands Available in Policy-map-class (control plane) Configuration Mode

bandwidth (policy-map-class (control-plane) Arad)
shape (policy-map-class (control-plane) Arad)
exit saves pending class map changes, then returns the switch to global configuration mode.
abort discards pending class map changes, then returns the switch to global configuration mode.

Related Commands

policy-map type copp places switch in policy-map (control plane) configuration mode.

Example

These commands enters policy-map-class configuration mode to modify the shape, bandwidth parameters associated with the static class named copp-system-lldp.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)#

class (policy-map (control-plane) FM6000)

The class command places the switch in policy-map-class (control plane) configuration mode, which is a group change mode for changing bandwidth and shape parameters associated with a specified class. All changes in a group change mode edit session are pending until the end of the session.

A policy map is an ordered list of classes. The control plane policy map contains 12 static classes. Each class contains an eponymous class map and may contain bandwidth and shape commands.

The class map identifies a data stream.
bandwidth command defines the streams minimum transmission rate through the control plane.
shape command defines the streams maximum transmission rate through the control plane.

The no class and default class commands remove policy-map-class commands for the specified class assignment from the policy map. The class is removed from the policy map if it is a dynamic class.

Command Mode

Policy-Map (control plane) configuration accessed through policy-map type copp command.

Command Syntax

class class_name

no class class_name

default class class_name

Parameters

class_name name of the class.

Static Classes

FM6000 platform switches provide the following static control plane classes:

copp-system-arp copp-system-igmp copp-system-PimPtp
copp-system-default copp-system-l2rsvd copp-system-selfip
copp-system-ipmcmiss copp-system-l3slowpath copp-system-selfip-tc6to7
copp-system-ipmcrsvd copp-system-OspfIsis copp-system-sflow

Commands Available in Policy-map-class (control plane) Configuration Mode

bandwidth (policy-map-class (control-plane) FM6000)
shape (policy-map-class (control-plane) FM6000)
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.

Related Commands

policy-map type copp places switch in policy-map (control plane) configuration mode.

Example

These commands enters policy-map-class configuration mode to modify the shape, bandwidth parameters associated with the static class named copp-system-arp.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-arp
switch(config-pmap-c-copp-system-policy-copp-system-arp)#

class (policy-map (control-plane) Helix)

A policy map is an ordered list of classes. The control plane policy map contains 23 static classes. Each class contains an eponymous class map and may contain bandwidth and shape commands.

The class map identifies a data stream.
bandwidth command defines the streams minimum transmission rate through the control plane.
shape command defines the streams maximum transmission rate through the control plane.

Each class corresponds to a transmission queue. Queue scheduling is strict-priority; CPU queue number determines priority until the shape rate is reached. Packets are dropped after the shape rate is exceeded.

The exit command returns the switch to policy-map configuration mode. Saving policy-map-class changes also require an exit from policy-map mode, which saves the pending policy-map-class and policy-map changes to running-config and returns the switch to global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the policy-map-class commands for the specified class assignment from the policy map.

Command Mode

Policy-Map (control plane) configuration accessed through policy-map type copp command.

Command Syntax

class class_name

no class class_name

default class class_name

Parameters

class_name name of the class.

Static Classes

Helix platform switches provide the following static control plane classes:

copp-system-acllog copp-system-ipmcmiss copp-system-OspfIsis
copp-system-arp copp-system-ipmcrsvd copp-system-selfip
copp-system-arpresolver copp-system-l3destmiss copp-system-selfip-tc6to7
copp-system-bfd copp-system-l3slowpath copp-system-sflow
copp-system-bgp copp-system-l3ttl1 copp-system-tc3to5
copp-system-bpdu copp-system-lacp copp-system-tc6to7
copp-system-default copp-system-lldp copp-system-urm
copp-system-glean copp-system-lldp copp-system-vrrp
copp-system-igmp copp-system-lldp

Commands Available in Policy-map-class (control plane) Configuration Mode

bandwidth (policy-map-class (control-plane) Helix)
shape (policy-map-class (control-plane) Helix)
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.

Related Commands

policy-map type copp places switch in policy-map (control plane) configuration mode.

Example

These commands enters policy-map-class configuration mode to modify the shape, bandwidth parameters associated with the static class named copp-system-arp.

switch(config)# policy-map
switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)#

class (policy-map (control-plane) Petra)

A policy map is an ordered list of classes. The control plane policy map contains 15 static classes. Each class contains an eponymous class map and may contain bandwidth and shape commands.

The class map identifies a data stream.
bandwidth command defines the streams minimum transmission rate through the control plane.
shape command defines the streams maximum transmission rate through the control plane.

The exit command returns the switch to policy-map configuration mode. Saving the policy-map-class changes also require an exit from policy-map mode, which saves the pending policy-map-class and policy-map changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the policy-map-class commands for the specified class assignment from the policy map.

Command Mode

Policy-Map (control plane) configuration accessed through policy-map type copp command.

Command Syntax

class class_name

no class class_name

default class class_name

Parameters

class_name name of the class.

Static Classes

Petra platform switches provide the following static control plane classes:

copp-system-bpdu copp-system-ipmcmiss copp-system-l3ttl0
copp-system-default copp-system-ipmcrsvd copp-system-l3ttl1
copp-system-igmp copp-system-ipunicast copp-system-lacp
copp-system-ipbroadcast copp-system-l3destmiss copp-system-lldp
copp-system-ipmc copp-system-l3slowpath copp-system-unicast-arp

Commands Available in Policy-map-class (control plane) Configuration Mode

bandwidth (policy-map-class (control-plane) Petra)
shape (policy-map-class (control-plane) Petra)
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.

Related Commands

policy-map type copp places switch in policy-map (control plane) configuration mode.

Example

These commands enters policy-map-class configuration mode to modify the shape, bandwidth parameters associated with the static class named copp-system-lldp.

switch(config)# policy-map
switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)#

class (policy-map (control-plane) Trident II)

The class command places the switch in policy-map-class (control plane) configuration mode, which is a group change mode for changing bandwidth and shape parameters associated with a specified class. All changes in a group change mode edit session are pending until the end of the session.

A policy map is an ordered list of classes. The control plane policy map contains 23 static classes. Each class contains an eponymous class map and may contain bandwidth and shape commands.

The class map identifies a data stream.
bandwidth command defines the streams minimum transmission rate through the control plane.
shape command defines the streams maximum transmission rate through the control plane.

The exit command returns the switch to the policy-map configuration mode. Saving the policy-map-class changes also require an exit from the policy-map mode, which saves the pending policy-map-class and policy-map changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the policy-map-class commands for the specified class assignment from the policy map.

Command Mode

Policy-Map (control plane) configuration accessed through policy-map type copp command.

Command Syntax

class class_name

no class class_name

default classclass_name

Parameters

class_name name of the class.

Static Classes

Trident II platform switches provide the following static control plane classes:

copp-system-acllog copp-system-igmp copp-system-mlag
copp-system-arp copp-system-ipmcmiss copp-system-selfip
copp-system-arpresolver copp-system-ipmcrsvd copp-system-selfip-tc6to7
copp-system-bfd copp-system-l3destmiss copp-system-sflow
copp-system-bgp copp-system-l3slowpath copp-system-tc3to5
copp-system-bpdu copp-system-l3ttl1 copp-system-tc6to7
copp-system-default copp-system-lacp copp-system-urm
copp-system-glean copp-system-lldp

Commands Available in Policy-map-class (control plane) Configuration Mode

bandwidth (policy-map-class (control-plane) Trident II)
shape (policy-map-class (control-plane) Trident II)
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.

Related Commands

policy-map type copp places switch in policy-map (control plane) configuration mode.

Example

These commands enters the policy-map-class configuration mode to modify the shape, bandwidth parameters associated with the static class named copp-system-arp.

switch(config)# policy-map
switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)#

class (policy-map (control-plane) Trident)

The class command places the switch in policy-map-class (control plane) configuration mode, which is a group change mode for changing bandwidth and shape parameters associated with a specified class. The command adds the specified class to the policy map if it was not previously included. All changes in a group change mode edit session are pending until the end of the session.

A policy map is an ordered list of classes. The control plane policy map contains 18 static classes and up to 30 dynamic classes. Dynamic classes contain an eponymous class map. All classes may contain bandwidth and shape commands.

The class map identifies a data stream.
bandwidth command defines the streams minimum transmission rate through the control plane.
shape command defines the streams maximum transmission rate through the control plane.

Dynamic class maps identify a data stream with an ACL assigned by match (class-map (control-plane) Trident). Static class maps identify a data stream by definition. Each data packet is managed by commands of the first class whose map matches the packets content.

Static classes are provided with the switch and cannot be removed from the policy map or modified by the class command. Dynamic classes are user defined and added to the policy map by this command. Dynamic classes are always placed in front of the static classes. Bandwidth and shape parameters are editable for all classes.

The exit command returns the switch to policy-map configuration mode. Saving the policy-map-class changes also require an exit from policy-map mode, which saves the pending policy-map-class and policy-map changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the policy-map-class commands for the specified class assignment from the policy map. The class is removed from the policy map if it is a dynamic class.

Command Mode

Policy-Map (control plane) configuration accessed through policy-map type copp command.

Command Syntax

class class_name [PLACEMENT]

no class class_name [PLACEMENT]

default class class_name [PLACEMENT]

Parameters

class_name name of the class.
PLACEMENT Specifies the classs map placement. Configurable only for dynamic classes.
- no parameter New classes are placed between the dynamic and static classes. Previously defined classes retain their current policy map placement.
- insert-before dynamic_class Class is inserted in front of the specified dynamic class.

Static Classes

Trident switches provide the following static control plane classes:

copp-system-acllog copp-system-ipmcmiss copp-system-lldp
copp-system-arp copp-system-ipmcrsvd copp-system-selfip
copp-system-arpresolver copp-system-l3destmiss copp-system-selfip-tc6to7
copp-system-bpdu copp-system-l3slowpath copp-system-sflow
copp-system-glean copp-system-l3ttl1 copp-system-tc3to5
copp-system-igmp copp-system-lacp copp-system-tc6to7

Commands Available in Policy-map-class (control plane) Configuration Mode

bandwidth (policy-map-class (control-plane) Trident)
shape (policy-map-class (control-plane) Trident)
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.

Related Commands

class-map type copp places switch in the class-map (control-plane) configuration mode.
policy-map type copp places switch in the policy-map (control plane) configuration mode.

Example

These commands add CM-1 class to the copp-system-policy policy map.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class CM-1
switch(config-pmap-c-copp-system-policy-CM-1)#

class (policy-map (pbr)

The class (policy-map (pbr) command places the switch in policy-map-class (pbr) configuration mode, which is a group change mode that modifies the specified class of the configuration mode Policy-Based Routing (PBR) policy map. The command adds the class to the policy map if it was not previously included in the policy map. All changes in a group change mode edit session are pending until the mode is exited, and can be canceled by using the abort command.

A PBR policy map is an ordered list of classes. Each class contains an eponymous class map and can contain set commands to specify next hop. Classes without set commands translate to no action being performed on that class of packets.

The class map identifies a data stream through ACLs. Class maps are configured in the class-map (pbr) configuration mode.
Set commands can be used to specify the next hop for a given class. Set commands are configured in policy-map-class (pbr) configuration mode.

PBR policy maps can also contain one or more raw match statements which filter incoming traffic without using ACLs. Data packets are managed by commands of the first class or raw match statement matching the packets contents.

The exit command returns the switch to the policy-map (pbr) configuration mode. However, saving the policy-map-class changes also requires an exit from policy-map (pbr) configuration mode. This saves all the pending policy map and policy-map-class changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the class assignment from the configuration mode policy map by deleting the corresponding class configuration from running-config.

Command Mode

Policy-Map (pbr) Configuration accessed through policy-map type pbr.

Command Syntax

[sequence_number] class class_name

no [sequence_number] class class_name

default [sequence_number] class class_name

no [sequence_number]

default [sequence_number]

Parameters

sequence_number Sequence number (1 to 4294967295) assigned to the rule. If no number is entered, the number is derived by adding 10 to the number of the policy maps last numbered line. To increase the distance between existing entries, use the resequence command.
class_name name of the class.

Commands Available in Policy-map-class (pbr) Configuration Mode

set nexthop (policy-map-class pbr) sets next hop for the class.
exit saves pending class changes and returns switch to policy-map (pbr) configuration mode.
abort discards pending class changes and returns switch to policy-map (pbr) configuration mode.

Related Commands

class-map type pbr places switch in the class-map (pbr) configuration mode.
policy-map type pbr places switch in the policy-map (pbr) configuration mode.

Example

These commands add the CMAP1 class map to the PMAP1 policy map, then place the switch in policy-map-class configuration mode where the next hops can be assigned to the class. Changes will not take effect until both modes are exited.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)# class CMAP1
switch(config-pmap-c-PMAP1-CMAP1)#

class (policy-map (qos) FM6000)

The class command places the switch in policy-map-class (qos) configuration mode, which is a group change mode that modifies the specified class of the configuration mode policy map. The command adds the class to the policy map if it was not previously included in the policy map. All changes in a group change mode edit session are pending until the end of the session.

A policy map is an ordered list of classes. Each class contains an eponymous class map and at least one set command:

The class map identifies a data stream through an ACL. Class maps are configured in the class-map (qos) configuration mode.
Set commands either modify a packets content (CoS or DSCP fields) or assigns it to a traffic class queue. Set commands are configured in the policy-map-class (qos) configuration mode.
Data packets are managed by commands of the first class whose map matches the packets content.

The exit command returns the switch to the policy-map configuration mode. However, saving policy-map-class changes also require an exit from the policy-map mode. This saves all pending policy map and policy-map-class changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the class assignment from the configuration mode policy map by deleting the corresponding class configuration from running-config.

Command Mode

Policy-Map (qos) Configuration accessed through policy-map type quality-of-service.

Command Syntax

class class_name [PLACEMENT]

no class class_name [PLACEMENT]

default class class_name [PLACEMENT]

Parameters

class_name name of the class.
PLACEMENT Specifies the map placement within the list of class maps.
- no parameter Class is placed at the top of the list.
- insert-before existing_class Class is inserted in front of the specified class.

Commands Available in Policy-map-class (qos) Configuration Mode

set (policy-map-class (qos) FM6000)
exit saves pending class changes and returns switch to policy-map (qos) configuration mode.
abort discards pending class changes and returns switch to policy-map (qos) configuration mode.

Related Commands

class-map type qos places switch in the class-map (QoS) configuration mode.
policy-map type quality-of-service places switch in the policy-map (QoS) configuration mode

Example

These commands add the CMAP_1 class map to the PMAP_1 policy map, then places the switch in the policy-map-class configuration mode.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)#

class (policy-map (qos) Helix)

The class command places the switch in the policy-map-class (QoS) configuration mode, which is a group change mode that modifies the specified class of the configuration mode policy map. The command adds the class to the policy map if it was not previously included in the policy map. All changes in a group change mode edit session are pending until the end of the session.

A policy map is an ordered list of classes. Each class contains an eponymous class map and at least one set command:

The class map identifies a data stream through an ACL. Class maps are configured in the class-map (qos) configuration mode.
Set commands either modify a packets content (CoS or DSCP fields) or assigns it to a traffic class queue. Set commands are configured in the policy-map-class (qos) configuration mode.
Data packets are managed by commands of the first class whose map matches the packets content.

The exit command returns the switch to the policy-map configuration mode. However, saving policy-map-class changes also require an exit from the policy-map mode. This saves all the pending policy map and policy-map-class changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the class assignment from the configuration mode policy map by deleting the corresponding class configuration from running-config.

Command Mode

Policy-Map (qos) Configuration accessed through policy-map type quality-of-service command.

Command Syntax

class class_name [PLACEMENT]

no class class_name [PLACEMENT]

default class class_name [PLACEMENT]

Parameters

class_name name of the class.
PLACEMENT Specifies the map placement within the list of class maps.
- no parameter Class is placed at the top of the list.
- insert-before existing_class Class is inserted in front of the specified class.

Commands Available in Policy-map-class (QoS) Configuration Mode

set (policy-map-class (qos) Helix)
exit saves pending class changes and returns switch to policy-map (qos) configuration mode.
abort discards pending class changes and returns switch to policy-map (qos) configuration mode.

Related Commands

class-map type qos places switch in the class-map (qos) configuration mode.
policy-map type quality-of-service places switch in the policy-map (QoS) configuration mode.

Example

These commands add the CMAP_1 class map to the PMAP_1 policy map, then places the switch in policy-map-class configuration mode.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)#

class (policy-map (qos) Trident II)

A policy map is an ordered list of classes. Each class contains an eponymous class map and at least one set command:

The class map identifies a data stream through an ACL. Class maps are configured in class-map (qos) configuration mode.
Set commands either modify a packets content (CoS or DSCP fields) or assigns it to a traffic class queue. Set commands are configured in policy-map-class (qos) configuration mode.

Data packets are managed by commands of the first class whose map matches the packets content.

The exit command returns the switch to the policy-map configuration mode. However, saving the policy-map-class changes also require an exit from the policy-map mode. This saves all the pending policy map and policy-map-class changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the class assignment from the configuration mode policy map by deleting the corresponding class configuration from running-config.

Command Mode

Policy-Map (qos) Configuration accessed through policy-map type quality-of-service command.

Command Syntax

class class_name [PLACEMENT]

no class class_name [PLACEMENT]

default class class_name [PLACEMENT]

Parameters

class_name name of the class.
PLACEMENT Specifies the map placement within the list of class maps.
- no parameter Class is placed at the top of the list.
- insert-before existing_class Class is inserted in front of the specified class.

Commands Available in Policy-map-class (qos) Configuration Mode

set (policy-map-class (qos) Trident II)
exit saves pending class changes and returns switch to policy-map (qos) configuration mode.
abort discards pending class changes and returns switch to policy-map (qos) configuration mode.

Related Commands

class-map type qos places switch in class-map (qos) configuration mode.
policy-map type quality-of-service places switch in policy-map (qos) configuration mode.

Example

These commands add the CMAP_1 class map to the PMAP_1 policy map, then places the switch in policy-map-class configuration mode.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)#

class (policy-map (qos) Trident)

The class command places the switch in policy-map-class (qos) configuration mode, which is a group change mode that modifies the specified class of the configuration mode policy map. The command adds the class to the policy map if it was not previously included in the policy map. All changes in a group change mode edit session are pending until the end of the session.

A policy map is an ordered list of classes. Each class contains an eponymous class map and at least one set command:

The class map identifies a data stream through an ACL. Class maps are configured in class-map (qos) configuration mode.
Set commands either modify a packets content (CoS or DSCP fields) or assigns it to a traffic class queue. Set commands are configured in policy-map-class (qos) configuration mode.
Data packets are managed by commands of the first class whose map matches the packets content.

The exit command returns the switch to policy-map configuration mode. However, saving policy-map-class changes also require an exit from policy-map mode. This saves all the pending policy map and policy-map-class changes to running-config and returns the switch to the global configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no class and default class commands remove the class assignment from the configuration mode policy map by deleting the corresponding class configuration from running-config.

Command Mode

Policy-Map (qos) Configuration accessed through policy-map type quality-of-service command.

Command Syntax

class class_name [PLACEMENT]

no class class_name [PLACEMENT]

default class class_name [PLACEMENT]

Parameters

class_name name of the class.
PLACEMENT Specifies the map placement within the list of class maps.
- no parameter Class is placed at the top of the list.
- insert-before existing_class Class is inserted in front of the specified class.

Commands Available in Policy-map-class (qos) Configuration Mode

set (policy-map-class (qos) Trident)
exit saves pending class changes and returns switch to policy-map (qos) configuration mode.
abort discards pending class changes and returns switch to policy-map (qos) configuration mode.

Related Commands

class-map type qos places switch in class-map (qos) configuration mode.
policy-map type quality-of-service places switch in policy-map (qos) configuration mode.

Example

These commands add the CMAP_1 class map to the PMAP_1 policy map, then places the switch in policy-map-class configuration mode.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)#

class-map type copp

The class-map type copp command places the switch in Class-Map (control plane) configuration mode, which is a group change mode that modifies a control-plane dynamic class map. A dynamic class map is a data structure that uses Access Control Lists (ACLs) to define a data stream by specifying characteristics of data packets that comprise that stream. Control-plane policy maps use class maps to specify which control plane traffic is controlled by policy map criteria.

The exit command saves pending class map changes to running-config and returns the switch to the global configuration mode. Class map changes are also saved by entering a different configuration mode. The abort command discards pending changes and returns the switch to the global configuration mode.

The no class-map type copp and default class-map type copp commands delete the specified class map by removing the corresponding class-map type copp command and its associated configuration.

Command Mode

Global Configuration

Command Syntax

class-map type copp match-any class_name

no class-map type copp [match-any] class_name

default class-map type copp [match-any] class_name

Parameters

class_name Name of class map.

Commands Available in Class-Map (Control Plane) Configuration Mode

match (class-map (control-plane) Trident)

Related Commands

policy-map type copp
class (policy-map (control-plane) Trident)
class-map type qos

Example

This command creates the control plane class map named CP-MAP-1 and places the switch in class-map configuration mode.

switch(config)# class-map type copp match-any CP-CMAP-1
switch(config-cmap-CP-CMAP-1)#

class-map type pbr

The class-map type pbr command places the switch in the class-map (pbr) configuration mode for the specified class map, and creates the class map if one does not already exist. The class-map (PBR) configuration mode is a group change mode that modifies a class map for Policy-Based Routing (PBR). PBR class maps contain one or more match statements which filter incoming traffic using ACLs. PBRs can then use these class maps to set next-hop IP addresses for the traffic that matches them. (Classes without set commands translate to no action being performed on that class of packets.)

The exit command saves pending class map changes to running-config, then returns the switch to the global configuration mode. Class map changes are also saved by directly entering a different configuration mode. The abort command discards pending changes and returns the switch to the global configuration mode.

The no class-map type pbr and default class-map type pbr commands delete the specified class map by removing the corresponding class-map type pbr command and its associated configuration.

Command Mode

Global Configuration

Command Syntax

class-map type pbr match-any map_name

no class-map type pbr match-any map_name

default class-map type pbr match-any map_name

Parameters

map_name Name of class map.

Commands Available in Class-Map (PBR) configuration mode

match (class-map (pbr))
resequence (class-map (pbr))

Related Commands

policy-map type pbr
class (policy-map (pbr))

Example

This command creates the PBR class map named MAP1 and places the switch in class-map (pbr) configuration mode where match criteria can be configured for the class.

switch(config)# class-map type pbrmatch-any MAP1
switch(config-cmap-MAP1)#

class-map type qos

The class-map type qos command places the switch in the class-map (QoS) configuration mode, which is a group change mode that modifies a QoS dynamic class map. A dynamic class map is a data structure that uses Access Control Lists (ACLs) to define a data stream by specifying characteristics of data packets that comprise that stream. QoS policy maps use class maps to specify the traffic (to which the policy map is assigned) that is transformed by policy map criteria.

The exit command saves pending class map changes to running-config, then returns the switch to the global configuration mode. Class map changes are also saved by entering a different configuration mode. The abort command discards pending changes and returns the switch to the global configuration mode.

The no class-map type qos and default class-map type qos commands delete the specified class map by removing the corresponding class-map type qos command and its associated configuration. The class-map and class-map type qos commands are equivalent.

Command Mode

Global Configuration

Command Syntax

class-map [type qos] match-any class_name

no class-map [type qos] match-any class_name

default class-map [type qos] match-any class_name

Parameters

class_name Name of class map.

Commands Available in Class-Map (QoS) Configuration Mode

match (class-map (qos) FM6000)
match (class-map (qos) Trident)

Conditions

class-map map_name and class-map type qos map_name are identical commands.

Related Commands

policy-map type quality-of-service
class (policy-map (qos) FM6000)
class (policy-map (qos) Trident)

Example

This command creates the QoS class map named MAP-1 and places the switch in class-map configuration mode.

switch(config)# class-map type qos match-any MAP-1
switch(config-cmap-MAP-1)#

clear policy-map counters

The clear policy-map command resets the specified policy map counters to zero. Policy map counters record the quantity of packets that are filtered by the ACLs that comprise a specified policy map.

Command Mode

Privileged EXEC

Command Syntax

clear policy-map INTERFACE_NAME counters MAP_NAME

Parameters

INTERFACE_NAME Interface for which command clears table counters. Options include:
- interface control-plane Control plane.
MAP_NAME Policy map for which command clears counters. Options include:
- copp-system-policy Name of only policy map supported for the control plane.

feature pbr

Policy-Based Routing (PBR) is a feature that is applied on IPv4 or IPv6 routable ports, to preferentially route packets. Forwarding is based on a policy that is enforced at the ingress of the applied interface and overrides normal routing decisions. In addition to matches on regular ACLs, PBR policy-maps can also include “raw match” statements that look like a single entry of an ACL as a convenience for users.

Configuration Mode

For IP:

TCAM PBR profile set TTL configuration mode.

For IPv6:

TCAM feature PBR IP configuration mode.

Command Syntax

For IP:

feature pbr ip [copy]

no feature pbr ip [copy]

default featue pbr ip[copy]

For IPv6:

feature pbr ipv6[copy | bank]

no feature pbr ipv6 [copy | bank]

default featue pbr ipv6 [copy | bank]

Parameters

For IP:

copyCopy a feature from a TCAM profile.

For IPv6:

copyCopy a feature from a TCAM profile.
bankTCAM banks to reserve.

Example

In the following example, the PBR is configured on an IP routable port.

(config)# hardware tcam
(config-tcam)# profile pbr-set-ttl copy default
(config-tcam-profile-pbr-set-ttl)# feature pbr ip

In the following example, the PBR is configured on an IPv6 routable port.

(config)# hardware tcam
(config-tcam)# profile pbr-set-ttl copy default
(config-tcam-profile-pbr-set-ttl)# feature pbr ip
(config-tcam-feature-pbr-ip)# feature pbr ipv6

feature traffic-policy cpu

The feature traffic-policy cpu command configures the CPU traffic policy features for the IPv4 and IPv6 traffic in user-defined TCAM profile.

The no feature traffic-policy cpu and default feature traffic-policy cpu commands remove the CPU policy configurations from running-config.

Command Mode

Hardware TCAM

Command Syntax

feature traffic-policy cpu [ipv4 | ipv6]

no feature traffic-policy cpu [ipv4 | ipv6]

default feature traffic-policy cpu [ipv4 | ipv6]

Parameters

ipv4 CPU traffic policy for IPv4 traffic.
ipv6 CPU traffic policy for IPv6 traffic.

Example

These commands places the switch in the hardware TCAM profile mode and configures the CPU traffic policy features for IPv4 traffic in the TCAM profile test.

switch(config)# hardware tcam 
switch(config-hw-tcam)# profile test
switch(config-hw-tcam-profile-test)# feature traffic-policy cpu ipv4

feature traffic-policy port

The feature traffic-policy port command configures the port-related traffic policy features for the IPv4 and IPv6 traffic in user-defined TCAM profile.

The no feature traffic-policy port and default feature traffic-policy port commands remove the CPU policy configurations from running-config.

Command Mode

Hardware TCAM

Command Syntax

feature traffic-policy port [ipv4 | ipv6]

no feature traffic-policy port [ipv4 | ipv6]

default feature traffic-policy port [ipv4 | ipv6]

Parameters

ipv4 port traffic policy for IPv4 traffic.
ipv6 port traffic policy for IPv6 traffic.

Example

These commands places the switch in the hardware TCAM profile mode and configures the port traffic policy features for IPv4 traffic in the TCAM profile test.

switch(config)# hardware tcam 
switch(config-hw-tcam)# profile test
switch(config-hw-tcam-profile-test)# feature traffic-policy port ipv4

match (class-map (control-plane) Helix)

The match command assigns an ACL to the configuration mode class map. A class map can contain only one ACL. Class maps only use permit rules to filter data; deny rules are ignored. The command accepts IPv4 and IPv4 standard ACLs.

A class map is assigned to a policy map by the class (policy-map (control-plane) Helix) command.

The class map (control plane) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Command Mode

Class-Map (control plane) configuration accessed through class-map type copp command.

Command Syntax

match ip access-group list_name

no match ip access-group list_name

default match ip access-group list_name

Parameters

list_name name of ACL assigned to class map.

Related Commands

class-map type copp places the switch in the class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (control-plane) Helix) assigns a class map to a policy map.

Guidelines

Static class maps cannot be modified by this command.

Match statements are saved to running-config only upon exiting class-map (control plane) configuration mode.

Example

These commands add the IP ACL list_1 to the map_1 class map, then saves the command by exiting class-map mode.

switch(config)# class-map type copp map_1
switch(config-cmap-map_1)# match ip access-group list_1
switch(config-cmap-map_1)# exit
switch(config)#

match (class-map (control-plane) Trident II)

A class map is assigned to a policy map by the class (policy-map (control-plane) Trident II) command.

The class map (control plane) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Command Mode

Class-Map (control plane) configuration accessed through class-map type copp command.

Command Syntax

list_name

Parameters

list_name name of ACL assigned to class map.

Related Commands

class-map type copp places the switch in the class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (control-plane) Trident II) assigns a class map to a policy map.

Guidelines

Static class maps cannot be modified by this command.

Match statements are saved to running-config only upon exiting class-map (control plane) configuration mode.

Example

These commands add the IP ACL list_1 to the map_1 class map, then saves the command by exiting class-map mode.

switch(config)# class-map type copp map_1
switch(config-cmap-map_1)# match ip access-group list_1
switch(config-cmap-map_1)# exit
switch(config)#

match (class-map (control-plane) Trident)

A class map is assigned to a policy map by the class (policy-map (control-plane) Trident) command.

Class map (control plane) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Command Mode

Class-Map (control plane) configuration accessed through class-map type copp command

Command Syntax

match IP_VERSION access-group list_name

no match IP_VERSION access-group list_name

default match IP_VERSION access-group list_name

Parameters

IP_VERSION IP version of the specified ACL. Options include:
- ipv4 IPv4.
- ipv6 IPv6.
list_name name of ACL assigned to class map.

Related Commands

class-map type copp places the switch in class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (control-plane) Trident) assigns a class map to a policy map.

Guidelines

Static class maps cannot be modified by this command.

Match statements are saved to running-config only upon exiting class-map (control plane) configuration mode.

Example

These commands add the IPv4 ACL names list_1 to the map_1 class map, then saves the command by exiting class-map mode.

switch(config)# class-map type copp map_1
switch(config-cmap-map_1)# match ip access-group list_1
switch(config-cmap-map_1)# exit
switch(config)#

match (class-map (pbr))

The match command assigns ACLs to the configuration mode Policy-Based Routing (PBR) class map. The command accepts IPv4, IPv4 standard, IPv6 and IPv6 standard ACLs.

Class map (pbr) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Note: PBR ACLs use only permit rules to filter data; if there are deny rules in an ACL used by PBR, the configuration will be reverted.

Command Mode

Class-map (pbr) configuration accessed through class-map type pbr command.

Command Syntax

[sequence_number] match [ip | ipv6] access-group list_name

no [sequence_number] match [ip | ipv6] access-group list_name

default [sequence_number] [ip | ipv6] access-group list_name

no [sequence_number]

default [sequence_number]

Parameters

sequence_number Sequence number (1 to 4294967295) assigned to the rule. If no number is entered, the number is derived by adding 10 to the number of the class maps last numbered line. To increase the distance between existing entries, use the resequence command.
list_name name of ACL assigned to class map.

Related Commands

class-map type pbr places the switch in the class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (pbr)) assigns a class map to a policy map.

Example

These commands add the IPv4 ACL named list1 to the map1 class map, then save the change by exiting class-map mode.

switch(config)# class-map type pbr map1
switch(config-cmap-map1)# match ip access-group list1
switch(config-cmap-map1)# exit
switch(config)#

match (class-map (qos) FM6000)

The class map (qos) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Command Mode

Class-map (qos) configuration accessed through class-map type qos command.

Command Syntax

match IP_VERSION access-group list_name

no match IP_VERSION access-group list_name

default match IP_VERSION access-group list_name

Parameters

IP_VERSION IP version of the specified ACL. Options include:
- ipv4 IPv4.
list_name name of ACL assigned to class map.

Related Commands

class-map type qos places the switch in the class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (qos) FM6000) assigns a class map to a policy map.

Example

These commands add the IPv4 ACL named list_1 to the map_1 class map, then saves the command by exiting class-map mode.

switch(config)# class-map type qos map_1
switch(config-cmap-map_1)# match ip access-group list_1
switch(config-cmap-map_1)# exit
switch(config)#

match (class-map (qos) Helix)

the class map (QoS) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Command Mode

Class-Map (QoS) configuration accessed through class-map type qos command.

Command Syntax

match IP_VERSION access-group list_name

no match IP_VERSION access-group list_name

default match IP_VERSION access-group list_name

Parameters

IP_VERSION IP version of the specified ACL. Options include:
- ipv4 IPv4.
- ipv6 IPv6.
list_name name of ACL assigned to class map.

Related Commands

class-map type qos places the switch in the class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (qos) Helix) assigns a class map to a policy map.

Example

These commands add the IPv4 ACL named list_1 to the map_1 class map, then saves the command by exiting class-map mode.

switch(config)# class-map type qos map_1
switch(config-cmap-map_1)# match ip access-group list_1
switch(config-cmap-map_1)# exit
switch(config)#

match (class-map (qos) Trident II)

The class map (QoS) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Command Mode

The class-map (qos) configuration accessed through class-map type qos command.

Command Syntax

IP_VERSION list_name

Parameters

IP_VERSION IP version of the specified ACL. Options include:
- ipv4 IPv4.
- ipv6 IPv6.
list_name name of ACL assigned to class map.

Related Commands

class-map type qos places the switch in the class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (qos) Trident) assigns a class map to a policy map.

Example

These commands add the IPv4 ACL named list_1 to the map_1 class map, then saves the command by exiting class-map mode.

switch(config)# class-map type qos map_1
switch(config-cmap-map_1)# match ip access-group list_1
switch(config-cmap-map_1)# exit
switch(config)#

match (class-map (qos) Trident)

Class map (QoS) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the match statement from the configuration mode class map by deleting the corresponding command from running-config.

Command Mode

Class-Map (qos) configuration accessed through class-map type qos command.

Command Syntax

match IP_VERSION access-group list_name

no match IP_VERSION access-group list_name

default match IP_VERSION access-group list_name

Parameters

IP_VERSION IP version of the specified ACL. Options include:
- ipv4 IPv4.
- ipv6 IPv6.
list_name name of ACL assigned to class map.

Related Commands

class-map type qos places the switch in the class-map configuration mode.
exit saves pending class map changes, then returns the switch to the global configuration mode.
abort discards pending class map changes, then returns the switch to the global configuration mode.
class (policy-map (qos) Trident) assigns a class map to a policy map.

Example

These commands add the IPv4 ACL named list_1 to the map_1 class map, then saves the command by exiting class-map mode.

switch(config)# class-map type qos map_1
switch(config-cmap-map_1)# match ip access-group list_1
switch(config-cmap-map_1)# exit
switch(config)#

match (policy-map (pbr))

The match command creates a policy map clause entry that specifies one filtering condition. When a packet matches the filtering criteria, its next hop is set as specified. When a packets properties do not equal the statement parameters, the packet is evaluated against the next clause or class map in the policy map, as determined by sequence number. If all clauses fail to set a next hop for the packet, the packet is routed according to the FIB.

The no match and default match commands remove the match statement from the configuration mode policy map by deleting the corresponding command from running-config.

Command Mode

Policy-Map (pbr) Configuration accessed through policy-map type pbr command.

Command Syntax

[sequence_number] match ip SOURCE_ADDR DEST_ADDR [set nexthop [recursive] NH-addr_1 [NH-addr_2] ... [NH-addr_n]]

no match ip SOURCE_ADDR DEST_ADDR [set nexthop [recursive] NH-addr_1 [NH-addr_2] ... [NH-addr_n]]

default match match ip SOURCE_ADDR DEST_ADDR [set nexthop [recursive] NH-addr_1 [NH-addr_2] ... [NH-addr_n]]

no SEQ_NUM

default SEQ_NUM

Parameters

sequence_number Sequence number assigned to the rule. If no number is entered, the number is derived by adding 10 to the number of the policy maps last numbered line. To increase the distance between existing entries, use the resequence command.
SOURCE_ADDR and DEST_ADDR source and destination address filters. Options include:
- network_addr subnet address (CIDR or address-mask).
- any packets from or to all addresses are matched.
- host ip_addr IP address (dotted decimal notation).
  Source and destination subnet addresses support discontiguous masks.
recursive enables recursive next hop resolution.
NH_addr IP address of next hop. If multiple addresses are entered, they are treated as an ECMP group.

Related Commands

policy-map type pbr enters the policy-map (PBR) configuration mode.
show policy-map type pbr displays the PBR policy maps.

Example

These commands create a match rule in policy map PMAP1 which sets the next hop to 192.168.3.5 for packets received from 172.16.0.0/12 regardless of their destination, then exit the mode to save the changes.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)# match ip 172.16.0.0/12 any set nexthop 192.163.3.5 
switch(config-pmap-PMAP1)# exit
switch(config)#

platform arad tcam counters feature

The platform arad tcam counters feature command enables incrementing PBR hardware counters corresponding to ACL. If counters for PBR are enabled, then counters for ACL will be automatically disabled in all cases. If counters for ACL are enabled, then counters for PBR will be automatically disabled in all cases.

The no platform arad tcam counters feature command disables PBR/ACL counters selection. The default platform arad tcam counters feature commands resets the default behavior.

Command Mode

Global Configuration

Command Syntax

platform arad tcam counters feature [OPTIONS]

no platform arad tcam counters feature [OPTIONS]

default platform arad tcam counters feature [OPTIONS]

Parameters

OPTIONS Assign the TCAM counters feature. Options include:

pbr assign the TCAM counters feature PBR hardware counters.
acl assign the TCAM counters feature ACL hardware counters.

Example

This command enables incrementing ACL hardware counters selection.

switch(config)# platform arad tcam counters feature acl
switch(config)#

This command disables incrementing ACL hardware counters selection.

switch(config)# no platform arad tcam counters feature acl
switch(config)#

policy-map type copp

The policy-map type copp command places the switch in the policy-map (control plane) configuration mode, which is a group change mode that modifies a control-plane policy map. A policy map is a data structure that consists of class maps that identify a specific data stream and specify bandwidth and shaping parameters that controls its transmission. Control plane policy maps are applied to the control plane to manage traffic.

The copp-system-policy policy map is supplied with the switch and is always applied to the control plane. The copp-system-policy is the only valid control plane policy map.

The exit command saves pending policy map changes to running-config and returns the switch to the global configuration mode. Policy map changes are also saved by entering a different configuration mode. The abort command discards pending changes, returning the switch to the global configuration mode.

The no policy-map type copp and default policy-map type copp commands delete the specified policy map by removing the corresponding policy-map type copp command and its associated configuration.

Command Mode

Global Configuration

Command Syntax

policy-map type copp copp-system-policy

no policy-map type copp copp-system-policy

default policy-map type copp copp-system-policy

The copp-system-policy is supplied with the switch and is the only valid control plane policy map.

Commands Available in Policy-Map Configuration Mode

class (policy-map (control-plane) FM6000)
class (policy-map (control-plane) Trident)

Related Commands

class-map type copp enters the control-plane class-map configuration mode for modifying a control-plane dynamic class map.

Only Helix and Trident platform switches support dynamic classes for control plane policing.

Example

This command places the switch in the policy-map configuration mode to edit the copp-system-policy policy map.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)#

policy-map type pbr

The policy-map type pbr command places the switch in policy-map (pbr) configuration mode, which is a group change mode that modifies a Policy-Based Routing (PBR) policy map. The command also creates the specified policy map if it does not already exist. A PBR policy map is a data structure that consists of class maps that identify specific packets and the next hops for those packets. Policy maps are applied to Ethernet or port channel interfaces to manage traffic.

The no policy-map type pbr and default policy-map type pbr commands delete the specified policy map by removing the corresponding policy-map type pbr command and its associated configuration.

Command Mode

Global Configuration

Command Syntax

policy-map type pbr map_name

no policy-map type pbr map_name

default policy-map type pbr map_name

Parameters

map_name Name of policy map.

Commands Available in Policy-Map Configuration Mode

class (policy-map (pbr))
match (policy-map (pbr))

Related Commands

class-map type pbr
service-policy type pbr (Interface mode)

Example

This command creates the PBR policy map named PMAP1 and places the switch in policy-map configuration mode.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)#

policy-map type quality-of-service

The policy-map type quality-of-service command places the switch in the policy-map (QoS) configuration mode, which is a group change mode that modifies a QoS policy map. A policy map is a data structure that consists of class maps that identify a specific data stream and shaping parameters that controls its transmission. Policy maps are applied to Ethernet or port channel interfaces to manage traffic.

The no policy-map type quality-of-service and default policy-map type quality-of-service commands delete the specified policy map by removing the corresponding policy-map type quality-of-service command and its associated configuration. The policy-map and policy-map type quality-of-service commands are equivalent.

Command Mode

Global Configuration

Command Syntax

policy-map type quality-of-service map_name

no policy-map type quality-of-service map_name

default policy-map type quality-of-service map_name

Parameters

map_name Name of policy map.

Commands Available in Policy-Map Configuration Mode

class (policy-map (qos) FM6000)
class (policy-map (qos) Trident)

Conditions

policy-map map_name and policy-map type quality-of-service map_name are identical commands.

Related Commands

class-map type qos
service-policy type qos (Interface mode)

Example

This command creates the QoS policy map named PMAP-1 and places the switch in the policy-map configuration mode.

switch(config)# policy-map PMAP-1
switch(config-pmap-PMAP-1)#

policy-map type quality-of-service policer

The policy-map type quality-of-service policer copy command is used to copy an existing QoS policy map to the policy map policer.

The policy-map type quality-of-service policer drop counter command is used to enable drop counters for the QoS policy map policer.

The no policy-map type quality-of-service policer and default policy-map type quality-of-service policer commands delete the policy map policer by removing the corresponding policy-map type quality-of-service policer command and its associated configuration.

The no policy-map type quality-of-service policer drop counter and default policy-map type quality-of-service policer drop counter commands disable drop counters for the policy map policer.

Command Mode

Global Configuration

Command Syntax

policy-map type quality-of-service policer copy map_name

policy-map type quality-of-service policer drop counter

no policy-map type quality-of-service policer

default policy-map type quality-of-service policer

Parameters

map_name Name of policy map to copy.

Related Commands

class-map type qos
service-policy type qos (Interface mode)

Example

This command copies the QoS policy map named PMAP-1 to the policy map policer.

switch(config)#policy-map type quality-of-service policer copy PMAP-1
switch(config-pmap-PMAP-1)#

This command enables drop counters for the QoS policy map policer.

switch(config)#policy-map type quality-of-service policer drop counter
switch(config)#

resequence (class-map (pbr))

The resequence command assigns sequence numbers to rules in the configuration mode class map. Command parameters specify the number of the first rule and the numeric interval between consecutive rules. Once changed, rule numbers persist unless changed again using the resequence command, but the interval used for numbering new rules reverts to 10 on the exiting class-map (pbr) configuration mode.

Maximum rule sequence number is 4294967295.

Command Mode

Class-Map (PBR) Configuration accessed through class-map type pbr command.

Command Syntax

resequence [start_num [inc_num]]

Parameters

start_num sequence number assigned to the first rule. Default is 10.
inc_num numeric interval between consecutive rules. Default is 10.

Example

The resequence command renumbers the rules in CMAP1, starting the first command at number 100 and incrementing subsequent lines by 20.

switch(config)# class-map type pbr match-any CMAP1
switch(config-cmap-CMAP1)# show active
class-map type pbr match-any CMAP1
10 match ip access-group group1
20 match ip access-group group2
30 match ip access-group group3
switch(config-cmap-CMAP1)# resequence 100 20
switch(config-cmap-CMAP1)# exit
switch(config)# class-map type pbr match-any CMAP1
switch(config-cmap-CMAP1)# show active
class-map type pbr match-any CMAP1
100 match ip access-group group1
120 match ip access-group group2
140 match ip access-group group3

resequence (policy-map (pbr))

The resequence command assigns sequence numbers to rules in the configuration mode policy map. Command parameters specify the number of the first rule and the numeric interval between consecutive rules. Once changed, rule numbers persist unless changed again using the resequence command, but the interval used for numbering new rules reverts to 10 on the exiting policy-map (pbr) configuration mode.

Maximum rule sequence number is 4294967295.

Command Mode

Policy-Map (PBR) Configuration accessed through policy-map type pbr command

Command Syntax

resequence [start_num [inc_num]]

Parameters

start_num sequence number assigned to the first rule. Default is 10.
inc_num numeric interval between consecutive rules. Default is 10.

Example

The resequence command renumbers the rules in PMAP1, starting the first command at number 100 and incrementing subsequent lines by 20.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)# show active
policy-map type pbr PMAP1
10 class CMAP1
set nexthop 172.16.1.1
20 class CMAP2
set nexthop 172.16.2.2
30 class CMAP3
set nexthop 172.16.3.3
switch(config-pmap-PMAP1)# resequence 100 20
switch(config-pmap-PMAP1)# exit
switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)# show active
class-map type pbr PMAP1
100 class CMAP1
set nexthop 172.16.1.1
120 class CMAP2
set nexthop 172.16.2.2
140 class CMAP3
set nexthop 172.16.3.3
switch(config-pmap-PMAP1)#

service-policy type pbr (Interface mode)

The service-policy pbr command applies the specified Policy-Based Routing (PBR) policy map to the configuration mode interface. A PBR policy map is a data structure that consists of class maps that identify specific packets and the next hops for those packets. Policy maps are applied to Ethernet or port channel interfaces to manage traffic. Only one service policy is supported per interface.

The no service-policy pbr and default service-policy pbr commands remove the service policy assignment from the configuration mode interface by deleting the corresponding service-policy pbr command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Interface-VLAN Configuration

Command Syntax

service-policy type pbr TRAFFIC_DIRECTION map_name

no service-policy type pbr TRAFFIC_DIRECTION map_name

default service-policy type pbr TRAFFIC_DIRECTION map_name

Parameters

TRAFFIC_DIRECTION IP address or peer group name. Values include:
- input Policy map applies to inbound packet streams.
map_name Name of policy map.

Guidelines

A policy map that is attached to a port channel interface takes precedence for member interfaces of the port channel over their individual interface Ethernet configuration. Members that are removed from a port channel revert to the policy map implementation specified by its interface Ethernet configuration.

Related Commands

policy-map type pbr

Example

This command applies the PBR policy map PMAP1 to interface Ethernet 8.

switch# config
switch(config)# interface ethernet 8
switch(config-if-Et8)# service-policy type pbr input PMAP1
switch(config-if-Et8)#

service-policy type qos (Interface mode)

The service-policy command applies a specified policy map to the configuration mode interface. A policy map is a data structure that identifies data traffic through class maps, then specifies actions to classify the traffic (by setting the traffic class), mark the traffic (by setting the cos and dscp values), and police the traffic (by setting the police rate) through data packet field modifications.

The no service-policy and default service-policy commands remove the service policy assignment from the configuration mode interface by deleting the corresponding service-policy command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Interface-VLAN Configuration

Command Syntax

service-policy [type qos] TRAFFIC_DIRECTION map_name

no service-policy [type qos] TRAFFIC_DIRECTION map_name

default service-policy [type qos] TRAFFIC_DIRECTION map_name

Parameters

type qos Parameter has no functional effect.
TRAFFIC_DIRECTION Direction of data stream to which command applies. Options include:
- input Policy map applies to inbound packet streams.
- map_name Name of policy map.

Guidelines

DCS-7500E and DCS-7280E limitations:

A maximum of 31 QoS service policies per chip may be applied on L3 interfaces.
Applying different QoS service policies to an SVI and its member interfaces causes unpredictable behavior.
When an SVI on which QoS service policies are applied experiences partial failure due to limited hardware resources, a forwarding agent restart causes unpredictable behavior.
Policy-map programming may fail when QoS service policies are applied on two SVIs if an event causes a member interface to switch membership from one to the other. To change the VLAN membership of an interface in this case, remove the interface from one VLAN before adding it to the other.
Outgoing COS rewrite is not supported.
QoS policy-map counters are not supported.

DCS-7010, DCS-7050, DCS-7050X, DCS-7250X, and DCS-7300X limitations:

When the same policy map is applied to multiple SVIs, TCAM resources are not shared.
A policy map applied to an SVI results in TCAM allocation on all chips whether SVI members are present or not.
Applying different QoS service policies to an SVI and its member interfaces causes unpredictable behavior.

Related Commands

policy-map type quality-of-service

Example

This command applies the PMAP-1 policy map to interface ethernet 8.

switch# config
switch(config)# interface ethernet 8
switch(config-if-Et8)# show active
switch(config-if-Et8)# service-policy input PMAP-1
switch(config-if-Et8)# show active
interface Ethernet8
   service-policy type qos input PMAP-1
switch(config-if-Et8)#

set (policy-map-class (qos)FM6000)

The set command specifies traffic resolution methods for traffic defined by its associated class map in its configuration mode policy map class. Three set statements are available for each class:

cos Sets the Layer 2 class of service field.
dscp Sets the differentiated services code point value in the type of service (ToS) byte.
traffic-class Sets the traffic class queue for data packets.

Each type of set command can be assigned to a class, allowing for the simultaneous modification of both (cos, dscp) fields and assignment to a traffic class.

The no set and default set commands remove the specified data action from the class map by deleting the associated set command from running-config.

Command Mode

Policy-map-class (qos) configuration

accessed through class (policy-map (qos) FM6000) command.

Command Syntax

set QOS_TYPE value

no set QOS_TYPE

default set QOS_TYPE

Parameters

QOS_TYPE Specifies the data stream resolution method. Valid options include:
- cos Layer 2 class of service field of outbound packet is modified.
- dscp Differentiated services code point value in the ToS byte is modified.
- traffic-class Data stream is assigned to a traffic class queue.
value Specifies the data field value or traffic class queue. Valid data range depends on QOS_TYPE.
- QOS_TYPE is cos Value ranges from 0 to 7.
- QOS_TYPE is dscp Value ranges from 0 to 63.
- QOS_TYPE is traffic-class Value ranges from 0 to 7.

Related Commands

policy-map type quality-of-service
class (policy-map (qos) FM6000)

Example

These commands configure the policy map to set CoS field 7 to data traffic specified by the class map CMAP-1, then assigns that data to traffic class queue 4.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)# set cos 7
switch(config-pmap-c-PMAP-1-CMAP-1)# set traffic-class 4
switch(config-pmap-c-PMAP-1-CMAP-1)#

set (policy-map-class (qos)Helix)

The set command specifies traffic resolution methods for traffic defined by its associated class map in its configuration mode policy map class. Three set statements are available for each class:

cos Sets the Layer 2 class of service field.
dscp Sets the differentiated services code point value in the type of service (ToS) byte.
traffic-class Sets the traffic class queue for data packets.

Each type of set command can be assigned to a class, allowing for the simultaneous modification of both (cos, dscp) fields and assignment to a traffic class.

The no set and default set commands remove the specified data action from the class map by deleting the associated set command from running-config.

Command Mode

Policy-map-class (qos) configuration accessed through class (policy-map (qos) Helix) command.

Command Syntax

set QOS_TYPE value

no set QOS_TYPE

default set QOS_TYPE

Parameters

QOS_TYPE Specifies the data stream resolution method. Valid options include:
- cos Layer 2 class of service field of outbound packet is modified.
- dscp Differentiated services code point value in the ToS byte is modified.
- traffic-class Data stream is assigned to a traffic class queue.
value Specifies the data field value or traffic class queue. Valid data range depends on QOS type.
- QOS_TYPE is cos Value ranges from 0 to 7.
- QOS_TYPE is dscp Value ranges from 0 to 63.
- QOS_TYPE is traffic-class Value ranges from 0 to 7.

Related Commands

policy-map type quality-of-service
class (policy-map (qos) Helix)

Example

These commands configure the policy map to set CoS field 7 to data traffic specified by the class map CMAP-1, then assigns that data to traffic class queue 4.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)# set cos 7
switch(config-pmap-c-PMAP-1-CMAP-1)# set traffic-class 4
switch(config-pmap-c-PMAP-1-CMAP-1)#

set (policy-map-class (qos)Trident II)

The set command specifies traffic resolution methods for traffic defined by its associated class map in its configuration mode policy map class. Three set statements are available for each class:

cos Sets the Layer 2 class of service field.
dscp Sets the differentiated services code point value in the type of service (ToS) byte.
traffic-class Sets the traffic class queue for data packets.

Each type of set command can be assigned to a class, allowing for the simultaneous modification of both (cos, dscp) fields and assignment to a traffic class.

The no set and default set commands remove the specified data action from the class map by deleting the associated set command from running-config.

Command Mode

Policy-map-class (qos) configuration accessed through class (policy-map (qos) Trident) command.

Command Syntax

set QOS_TYPE value

no set QOS_TYPE

default set QOS_TYPE

Parameters

QOS_TYPE Specifies the data stream resolution method. Valid options include:
- cos Layer 2 class of service field of outbound packet is modified.
- dscp Differentiated services code point value in the ToS byte is modified.
- traffic-class Data stream is assigned to a traffic class queue.
value Specifies the data field value or traffic class queue. Valid data range depends on QOS type.
- QOS_TYPE is cos Value ranges from 0 to 7.
- QOS_TYPE is dscp Value ranges from 0 to 63.
- QOS_TYPE is traffic-class Value ranges from 0 to 7.

Related Commands

policy-map type quality-of-service
class (policy-map (qos) Trident)

Example

These commands configure the policy map to set CoS field 7 to data traffic specified by the class map CMAP-1, then assigns that data to traffic class queue 4.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)# set cos 7
switch(config-pmap-c-PMAP-1-CMAP-1)# set traffic-class 4
switch(config-pmap-c-PMAP-1-CMAP-1)#

set (policy-map-class (qos)Trident)

The set command specifies traffic resolution methods for traffic defined by its associated class map in its configuration mode policy map class. Three set statements are available for each class:

cos Sets the Layer 2 class of service field.
dscp Sets the differentiated services code point value in the type of service (ToS) byte.
traffic-class Sets the traffic class queue for data packets.

Each type of set command can be assigned to a class, allowing for the simultaneous modification of both (cos, dscp) fields and assignment to a traffic class.

The no set and default set commands remove the specified data action from the class map by deleting the associated set command from running-config.

Command Mode

Policy-map-class (qos) configuration accessed through class (policy-map (qos) Trident) command.

Command Syntax

set QOS_TYPE value

no set QOS_TYPE

default set QOS_TYPE

Parameters

QOS_TYPE Specifies the data stream resolution method. Valid options include:
- cos Layer 2 class of service field of outbound packet is modified.
- dscp Differentiated services code point value in the ToS byte is modified.
- traffic-class Data stream is assigned to a traffic class queue.
value Specifies the data field value or traffic class queue. Valid data range depends on QOS type.
- QOS_TYPE is cos Value ranges from 0 to 7.
- QOS_TYPE is dscp Value ranges from 0 to 63.
- QOS_TYPE is traffic-class Value ranges from 0 to 7.

Related Commands

policy-map type quality-of-service
class (policy-map (qos) Trident)

Example

These commands configure the policy map to set CoS field 7 to data traffic specified by the class map CMAP-1, then assigns that data to traffic class queue 4.

switch(config)# policy-map type quality-of-service PMAP-1
switch(config-pmap-PMAP-1)# class CMAP-1
switch(config-pmap-c-PMAP-1-CMAP-1)# set cos 7
switch(config-pmap-c-PMAP-1-CMAP-1)# set traffic-class 4
switch(config-pmap-c-PMAP-1-CMAP-1)#

set nexthop (policy-map-class pbr)

The set nexthop command specifies the next hop for traffic defined by its associated class map in its configuration mode policy map class.

The no set nexthop and default set nexthop commands remove the specified action from the class map by deleting the associated set nexthop command from running-config.

Command Mode

Policy-map-class (pbr) configuration accessed through class (policy-map (pbr)) command.

Command Syntax

set nexthop [recursive] NH-addr_1 [NH-addr_2] ... [NH-addr_n]

no set nexthop [recursive]

default set nexthop [recursive]

Parameters

recursive enables recursive next hop resolution.
NH_addr IP address of next hop. If multiple addresses are entered, they are treated as an ECMP group.

Related Commands

policy-map type pbr
class (policy-map (pbr))

Example

These 192.168.5.3 commands configure the policy map PMAP1 to set the next hop to for traffic defined by class map CMAP1.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)# class CMAP1
switch(config-pmap-c-PMAP1-CMAP1)# set nexthop 192.168.5.3
switch(config-pmap-c-PMAP1-CMAP1)#

set nexthop-group (policy-map-class(pbr) Arad)

The set nexthop-group command specifies a nexthop group as the next hop for traffic defined by its associated class map in its configuration mode policy map class.

The no set nexthop-group and default set nexthop-group commands remove the specified action from the class map by deleting the associated set nexthop-group command from running-config.

Command Mode

Policy-map-class (pbr) configuration accessed through class (policy-map (pbr)) command.

Command Syntax

set nexthop-group group_name

no set nexthop-group group_name

default set nexthop-group group_name

Parameters

group_name name of ECMP group to use as next hop.

Related Commands

policy-map type pbr
class (policy-map (pbr))

Example

These commands configure the policy map PMAP1 to set the next hop to a nexthop group named GROUP1 for traffic defined by class map CMAP1.

switch(config)# policy-map type pbr PMAP1
switch(config-pmap-PMAP1)# class CMAP1
switch(config-pmap-c-PMAP1-CMAP1)# set nexthop-group GROUP1
switch(config-pmap-c-PMAP1-CMAP1)#

shape (policy-map-class (control-plane)Arad)

The shape command specifies the maximum bandwidth for traffic filtered by the configuration mode policy map class.

The no shape and default shape commands remove the maximum bandwidth restriction for the configuration mode class by deleting the corresponding bandwidth command from running-config.

Command Mode

Policy-map-class (control plane) configuration accessed through class (policy-map (control-plane) Arad)

Command Syntax

Parameters

kilobits Maximum data rate in kilobits per second. Value ranges from 1 to 10000000.

Related Commands

class (policy-map (control-plane) Arad) places the switch in the policy-map-class (control plane) configuration mode.
bandwidth (policy-map-class (control-plane) Arad) specifies the minimum bandwidth for traffic defined by its associated class map in its configuration mode policy map class.

Static Classes Default Shape

Arad platform switches define these default shapes for static classes:

copp-system-bgp 2500 copp-system-l3lpmoverflow 2500
copp-system-bpdu 2500 copp-system-l3slowpath 2500
copp-system-default 2500 copp-system-l3ttl1 2500
copp-system-ipbroadcast 2500 copp-system-lacp 2500
copp-system-ipmc 2500 copp-system-linklocal 2500
copp-system-ipmcmiss 2500 copp-system-lldp 2500
copp-system-ipunicast NO LIMIT copp-system-mlag 2500
copp-system-l2broadcast 2500 copp-system-multicastsnoop 2500
copp-system-l2unicast NO LIMIT copp-system-OspfIsis 2500
copp-system-l3destmiss 2500 copp-system-sflow 2500

Example

These commands configure the maximum bandwidth of 2000 kbps for data traffic specified by the class map copp-system-lldp of the default control-plane policy map.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# shape kbps 2000
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy

  Class-map: copp-system-lldp (match-any)
       shape : 2000 kbps
       bandwidth : 250 kbps
      Out Packets : 0
      Drop Packets : 0

switch(config)#

shape (policy-map-class (control-plane)FM6000)

The shape command specifies the maximum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration accessed through class (policy-map (control-plane) FM6000).

Command Syntax

shape pps packets

no shape

default shape

Parameters

packets Maximum data rate in packets per second. Value ranges from 1 to 100000.

Related Commands

class (policy-map (control-plane) FM6000) places the switch in the policy-map-class (control plane) configuration mode.
bandwidth (policy-map-class (control-plane) FM6000) specifies the minimum bandwidth for traffic defined by its associated class map in its configuration mode policy map class.

Static Classes Default Shape

FM6000 platform switches define these default shapes for static classes:

copp-system-arp 10000 copp-system-l3slowpath 10000
copp-system-default 8000 copp-system-pim-ptp 10000
copp-system-ipmcrsvd 10000 copp-system-ospf-isis 10000
copp-system-ipmcmiss 10000 copp-system-selfip 5000
copp-system-igmp 10000 copp-system-selfip-tc6to7 5000
copp-system-l2rsvd 10000 copp-system-sflow 25000

Example

These commands configure a maximum bandwidth of 5000 packets per second for data traffic specified by the class map PMAP-1 in the policy map named copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class PMAP-1
switch(config-pmap-c-copp-system-policy-PMAP-1)# shape pps 5000
switch(config-pmap-c-copp-system-policy-PMAP-1)#

shape (policy-map-class (control-plane)Helix)

The shape command specifies the maximum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration accessed through class (policy-map (control-plane) Helix).

Command Syntax

shape pps packets

no shape

default shape

Parameters

packets Maximum data rate in packets per second. Value ranges from 1 to 100000.

Static Classes Default Shape

Trident platform switches define these default shapes for static classes:

copp-system-acllog 10000 copp-system-l3ttl1 10000
copp-system-arp 10000 copp-system-lacp 5000
copp-system-arpresolver 10000 copp-system-lldp 10000
copp-system-bfd 10000 copp-system-mlag 5000
copp-system-bgp 5000 copp-system-OspfIsis 10000
copp-system-bpdu 5000 copp-system-selfip 5000
copp-system-default 8000 copp-system-selfip-tc6to7 5000
copp-system-glean 10000 copp-system-sflow 25024
copp-system-igmp 10000 copp-system-tc3to5 10000
copp-system-ipmcmiss 10000 copp-system-tc6to7 10000
copp-system-ipmcrsvd 10000 copp-system-urm 10000
copp-system-l3destmiss 10000 copp-system-vrrp 5000
copp-system-l3slowpath 10000

Related Commands

class (policy-map (control-plane) Helix) places the switch in the policy-map-class (control plane) configuration mode.
bandwidth (policy-map-class (control-plane) Helix) specifies the minimum bandwidth for traffic defined by its associated class map in its configuration mode policy map class.

Example

These commands configure a maximum bandwidth of 5000 packets per second for data traffic specified by the copp-system-lldp of the default control-plane policy map.

switch(config)# policy-map type control-plan copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# shape pps 5000
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy

  Class-map: copp-system-lldp (match-any)
       shape : 5000 pps
       bandwidth : 500 pps
      Out Packets : 305961
      Drop Packets : 0

switch(config)#

shape (policy-map-class (control-plane)Petra)

The shape command specifies the maximum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration accessed through class (policy-map (control-plane) Petra)

Command Syntax

shape kbps kilobits

no shape

default shape

Parameters

kilobits Maximum data rate in kilobits per second. Value ranges from 1 to 10000000.

Related Commands

class (policy-map (control-plane) Petra) places the switch in policy-map-class (control plane) configuration mode.
bandwidth (policy-map-class (control-plane) Petra) specifies the minimum bandwidth for traffic defined by its associated class map in its configuration mode policy map class.

Static Classes Default Shape

Petra platform switches define these default shapes for static classes:

copp-system-bpdu 2500 copp-system-l3destmiss 2500
copp-system-default 2500 copp-system-l3slowpath 2500
copp-system-igmp 2500 copp-system-l3ttl0 2500
copp-system-ipbroadcast 2500 copp-system-l3ttl1 2500
copp-system-ipmc 2500 copp-system-lacp 2500
copp-system-ipmcmiss 2500 copp-system-lldp 2500
copp-system-ipmcrsvd 2500 copp-system-unicast-arp 2500
copp-system-ipunicast No Limit

Guidelines

Example

These commands configure the maximum bandwidth of 2000 kbps for data traffic specified by the class map copp-system-lldp of the default control-plane policy map. Because the switch does not support the discrete value of 2000 kbps, it converts the bandwidth up to 2115 kbps.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# shape kbps 2000
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy

  Class-map: copp-system-lldp (match-any)
       shape : 2115 kbps
       bandwidth : 325 kbps
      Out Packets : 0
      Drop Packets : 0

switch(config)#

shape (policy-map-class (control-plane)Trident II)

The shape command specifies the maximum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration accessed through class (policy-map (control-plane) Trident II).

Command Syntax

shape pps packets

no shape

default shape

Parameters

packets Maximum data rate in packets per second. Value ranges from 1 to 100000.

Static Classes Default Shape

Trident II platform switches define these default shapes for static classes:

copp-system-acllog 10000 copp-system-l3slowpath 10000
copp-system-arp 10000 copp-system-l3ttl1 10000
copp-system-arpresolver 10000 copp-system-lacp 5000
copp-system-bfd 10000 copp-system-lldp 10000
copp-system-bgp 5000 copp-system-mlag 5000
copp-system-bpdu 5000 copp-system-selfip 5000
copp-system-default 8000 copp-system-selfip-tc6to7 5000
copp-system-glean 10000 copp-system-sflow 25024
copp-system-igmp 10000 copp-system-tc3to5 10000
copp-system-ipmcmiss 10000 copp-system-tc6to7 10000
copp-system-ipmcrsvd 10000 copp-system-urm 10000

Related Commands

class (policy-map (control-plane) Trident II) places the switch in policy-map-class (control plane) configuration mode.
bandwidth (policy-map-class (control-plane) Trident II) specifies the minimum bandwidth for traffic defined by its associated class map in its configuration mode policy map class.

Example

These commands configure a maximum bandwidth of 5000 packets per second for data traffic specified by the copp-system-lldp of the default control-plane policy map.

switch(config)# policy-map type control-plan copp-system-policy
switch(config-pmap-copp-system-policy)# class copp-system-lldp
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# shape pps 5000
switch(config-pmap-c-copp-system-policy-copp-system-lldp)# exit
switch(config-pmap-copp-system-policy)# exit
switch(config)# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy

  Class-map: copp-system-lldp (match-any)
       shape : 5000 pps
       bandwidth : 500 pps
      Out Packets : 305961
      Drop Packets : 0

switch(config)#

shape (policy-map-class (control-plane)Trident)

The shape command specifies the maximum bandwidth for traffic filtered by the configuration mode policy map class.

Command Mode

Policy-map-class (control plane) configuration accessed through class (policy-map (control-plane) Trident).

Command Syntax

shape pps packets

no shape

default shape

Parameters

packets Maximum data rate in packets per second. Value ranges from 1 to 100000.

Static Classes Default Shape

Trident platform switches define these default shapes for static classes:

copp-system-arp 10000 copp-system-lldp 10000
copp-system-arpresolver 10000 copp-system-l3destmiss 10000
copp-system-bpdu 5000 copp-system-l3slowpath 10000
copp-system-default 8000 copp-system-l3ttl1 10000
copp-system-glean 10000 copp-system-selfip 5000
copp-system-igmp 10000 copp-system-selfip-tc6to7 5000
copp-system-ipmcmiss 10000 copp-system-sflow 25000
copp-system-ipmcrsvd 10000 copp-system-tc3to5 10000
copp-system-lacp 5000 copp-system-tc6to7 10000

Related Commands

class (policy-map (control-plane) Trident) places the switch in the policy-map-class (control plane) configuration mode.
bandwidth (policy-map-class (control-plane) Trident) specifies the minimum bandwidth for traffic defined by its associated class map in its configuration mode policy map class.

Example

These commands configure a maximum bandwidth of 5000 packets per second for data traffic specified by the class map PMAP-1 in the policy map named copp-system-policy.

switch(config)# policy-map type copp copp-system-policy
switch(config-pmap-copp-system-policy)# class PMAP-1
switch(config-pmap-c-copp-system-policy-PMAP-1)# shape pps 5000
switch(config-pmap-c-copp-system-policy-PMAP-1)

show class-map type control-plane

The show class-map command displays contents of available control-plane class maps. Control-plane class maps can be added to the copp-system-policy policy map. Control-plane class maps can be static class maps defined by the system or dynamic maps created in class-map configuration mode.

Dynamic class maps are composed of statements that match IPv4 access control lists. Static class maps are defined by the switch and cannot be altered.

Command Mode

EXEC

Command Syntax

show class-map type control-plane [MAP_NAME]

Parameters

MAP_NAME Name of class map displayed by the command. Options include:

no parameter Command displays all control plane class maps.
name_text Command displays specified control-plane class maps.

Related Command

show class-map command displays QoS class maps.
show class-map type qos displays control plane class maps.

Example

This command displays the available control plane class maps.

switch# show class-map type control-plane
  Class-map: CM-CP1 (match-any)
    Match: ip access-group name LIST-CP1
  Class-map: copp-system-acllog (match-any)
  Class-map: copp-system-arp (match-any)
  Class-map: copp-system-arpresolver (match-any)
  Class-map: copp-system-bpdu (match-any)
  Class-map: copp-system-glean (match-any)
  Class-map: copp-system-igmp (match-any)
  Class-map: copp-system-ipmcmiss (match-any)
  Class-map: copp-system-ipmcrsvd (match-any)
  Class-map: copp-system-l3destmiss (match-any)
  Class-map: copp-system-l3slowpath (match-any)
  Class-map: copp-system-l3ttl1 (match-any)
  Class-map: copp-system-lacp (match-any)
  Class-map: copp-system-lldp (match-any)
  Class-map: copp-system-selfip (match-any)
  Class-map: copp-system-selfip-tc6to7 (match-any)
  Class-map: copp-system-sflow (match-any)
  Class-map: copp-system-tc3to5 (match-any)
  Class-map: copp-system-tc6to7 (match-any)
switch>

show class-map type pbr

The show class-map command displays contents of all available Policy-Based Routing (PBR) class maps, or of a specified PBR class map. PBR class maps are used by PBR policy maps. PBR class maps are dynamic maps that are created in class-map-configuration mode. Dynamic class maps are composed of statements that match IPv4 or IPv6 access control lists.

Command Mode

EXEC

Command Syntax

show class-map type pbr [map_name]

Parameters

map_name Name of class map displayed by the command. If no parameter is entered, command show all available PBR class maps.

Related Command

show policy-map type pbr displays PBR policy maps.

Example

This command displays the contents of the PBR class map CMAP1.

switch# show class-map type pbr CMAP1
  Class-map: CMAP1 (match-any)
    Match: 10 ip access-group PBRgroup1
    Match: 20 ip access-group PBRgroup2
    Match: 30 ip access-group PBRgroup3
switch>

show class-map type qos

The show class-mapcommand displays contents of all available QoS class maps. QoS class maps are used by QoS policy maps. QoS class maps are dynamic maps that are created in class-map configuration mode. Dynamic class maps are composed of statements that match IPv4 or IPv6 access control lists.

Command Mode

EXEC

Command Syntax

show class-map [type qos][MAP_NAME]

Parameters

MAP_NAME Name of class map displayed by the command.

no parameter Command displays all QoS class maps.
name_text Command displays specified QoS class maps.

show class-map and show class-map type qos are identical commands.

Related Command

show class-map type control-plane displays control plane class maps.

Example

This command displays the available QoS class maps.

switch# show class-map type qos
  Class-map: CM-Q1 (match-any)
    Match: ipv6 access-group name LIST-1
  Class-map: CM-Q2 (match-any)
    Match: ip access-group name LIST-2
switch>

show policy-map copp

The show policy-map copp command displays contents of the control-plane policy map. Control-plane policy maps are applied to the control plane, and copp-system-policy is the only supported policy map.

Command Mode

EXEC

Command Syntax

show policy-map copp copp-system-policy

Example

This command displays the contents and throughput of the policy map applied to the control plane.

switch# show policy-map copp copp-system-policy
Service-policy input: copp-system-policy
  Number of units programmed: 1
  Hardware programming status: Successful

  Class-map: copp-system-bpdu (match-any)
       shape : 5000 pps
       bandwidth : 5000 pps
      Out Packets : 2
      Drop Packets : 0

  Class-map: copp-system-lacp (match-any)
       shape : 5000 pps
       bandwidth : 5000 pps
      Out Packets : 0
      Drop Packets : 0

switch>

show policy-map interface type qos counters

The show policy-map interface command displays the quantity of packets that are filtered by ACLs applied to a interface.

Command Mode

EXEC

Command Syntax

show policy-map [INTERFACE_NAME][type qos][TRAFFIC] counters

Parameters

INTERFACE_NAME Filters policy map list by interfaces. Options include:
- no parameter Displays data for all configured interfaces.
- interface ethernet e_range Ethernet ports for which command displays policy maps.
- interface port-channel p_range Port channels for which command displays policy maps.
TRAFFIC Filters policy maps by the traffic they manage. Options include:
- no parameter Policy maps that manage interfaces ingress traffic (same as input option).
- input Policy maps that manage interfaces ingress traffic.

Example

This command displays the policy maps applied to interfaces Ethernet 7 and 8.

switch# show policy-map interface ethernet 7-8
Service-policy input: PMAP-1
  Hardware programming status: Successful

  Class-map: cmap-1 (match-any)
    Match: ip access-group name LIST-2
       set cos 6

  Class-map: class-default (match-any)

Service-policy input: PMAP-2
  Hardware programming status: Successful

  Class-map: cmap-2 (match-any)
    Match: ip access-group name LIST-2
       set dscp 10

  Class-map: class-default (match-any)

switch#

show policy-map interface type qos

The show policy-map interface command displays contents of the policy maps applied to specified interfaces or to the control plane.

Command Mode

EXEC

Command Syntax

show policy-map interface INTERFACE_NAME [type qos] [TRAFFIC]

Parameters

INTERFACE_NAME Filters policy map list by interfaces. Options include:
- ethernet e_range Ethernet ports for which command displays policy maps.
- port-channel p_range Port channels for which command displays policy maps.
TRAFFIC Filters policy maps by the traffic they manage. Options include:
- no parameter Policy maps that manage interfaces ingress traffic (same as input option).
- input Policy maps that manage interfaces ingress traffic.

Example

This command displays the policy maps applied to interfaces Ethernet 7 and 8.

switch# show policy-map interface ethernet 7-8
Service-policy input: PMAP-1
  Hardware programming status: Successful

  Class-map: cmap-1 (match-any)
    Match: ip access-group name LIST-2
       set cos 6

  Class-map: class-default (match-any)

Service-policy input: PMAP-2
  Hardware programming status: Successful

  Class-map: cmap-2 (match-any)
    Match: ip access-group name LIST-2
       set dscp 10

  Class-map: class-default (match-any)

switch#

show policy-map type copp

The show policy-map type copp command displays contents of control plane policy maps. Control-plane policy maps are applied to the control plane; copp-system-policy is the only supported policy map.

Command options filter the output to display contents of all policy maps, contents of a specified policy map, or contents of a single class map within a specified policy map.

Command Mode

EXEC

Command Syntax

show policy-map type copp copp-system-policy [CMAP_NAME]

Parameters

CMAP_NAME Name of class map displayed by the command.

no parameter Command displays all class maps in specified policy map.
class_name Command displays specified class map.

Example

This command displays the contents of the copp-system-bpdu class map in the copp-system-policy policy maps.

switch# show policy-map type copp copp-system-policy class copp-system-bpdu
  Class-map: copp-system-bpdu (match-any)
       shape : 5000 pps
       bandwidth : 5000 pps

switch>

show policy-map type pbr

The show policy-map pbr command displays contents of Policy-Based Routing (PBR) policy maps. PBR policy maps are applied to Ethernet interfaces, port channel interfaces or switch virtual interfaces (SVIs).

Command options filter the output to either display contents of all policy maps, contents of a specified policy map, or summary contents of all or a specified policy map.

Command Mode

EXEC

Command Syntax

show policy-map type pbr [PMAP_NAME][DATA_LEVEL]

Parameters

PMAP_NAME Name of policy map displayed by the command.
- no parameter Command displays all policy maps.
- policy_map Command displays specified policy map.
DATA_LEVEL Type of information the command displays. Values include:
- no parameter Command displays all class maps in specified policy map.
- summary Command displays summary data for the specified policy map.

Example

This command displays the contents of all PBR policy maps in running-config.

switch# show policy-map type pbr
Service policy PMAP1
Configured on:
Applied on:
10: Class-map: CMAP1 (match-any)
Match: 10 ip access-group PBRgroup1
Match: 20 ip access-group PBRgroup2
Match: 30 ip access-group PBRgroup3
Configured actions: set nexthop 172.16.10.12
20: Class-map: CMAP2 (match-any)
Match: 10 ip access-group PBRgroup1
Match: 10 ip access-group PBRgroup4
Match: 20 ip access-group PBRgroup5
Configured actions: set nexthop 192.168.15.15
switch#

show policy-map type qos counters

The show policy-map counters command displays the quantity of packets that are filtered by the ACLs that comprise a specified QoS policy map.

Command Mode

EXEC

Command Syntax

show policy-map [type qos] pmap_name [TRAFFIC] counters [INFO_LEVEL]

Parameters

pmap_name Name of policy map displayed by the command.
TRAFFIC Filters policy maps by the traffic they manage. Options include:
- no parameter Policy maps that manage interfaces ingress traffic (same as input option).
- input Policy maps that manage interfaces ingress traffic.
INFO_LEVEL amount of information that is displayed. Options include:
- no parameter displays summarized information about the policy map.
- detail displays detailed policy map information.

show policy-map type qos

The show policy-map qos command displays contents of QoS policy maps. QoS policy maps are applied to Ethernet or port channel interfaces.

Command options filter the output to either display contents of all policy maps, contents of a specified policy map, or contents of a single class map within a specified policy map.

Command Mode

EXEC

Command Syntax

show policy-map [type qos][PMAP_NAME [CMAP_NAME]]

Parameters

PMAP_NAME Name of policy map displayed by the command.
- no parameter Command displays all policy maps.
- policy_map Command displays specified policy map.
CMAP_NAME Name of class map displayed by the command. This option is available only when the command includes a policy map name.
- no parameter Command displays all class maps in specified policy map.
- class_name Command displays specified class map.

Example

This command displays the contents of all QoS policy maps in running-config.

switch# show policy-map type qos
Service-policy input: PMAP-1
  Hardware programming status: Successful

  Class-map: xeter (match-any)
    Match: ip access-group name LIST-1
       set cos 6

  Class-map: class-default (match-any)

Service-policy PMAP-2

  Class-map: class-default (match-any)

switch#

show traffic-policy

The show traffic-policy command displays traffic policy information on the interface.

Command Mode

EXEC

Command Syntax

show traffic-policy NAME interface

show traffic-policy interface [DETAILS]

Parameters

DETAILS Details requested. Options include:

summary Display summary information about the policy.
- errors Display all configured remote grantees, associated profile name and latest update.
- details Display all interfaces on which the policy has been configured.

Examples

This command displays the sumary information configured on the switch interfaces.

switch(config-traffic-policies)# show traffic-policy interface summary
Traffic policy samplePolicy
   Configured on interfaces: Ethernet1/1, Ethernet2/1, Ethernet3/1, ...
   Applied on interfaces for IPv4 traffic: Ethernet1/1, Ethernet2/1, Ethernet3/1, ...
   Applied on interfaces for IPv6 traffic:
   Total number of rules configured: 3
      match SIMPLE ipv4
      match ipv4-all-default ipv4
      match ipv6-all-default ipv6

This command displays information about the traffic policy named samplePolicy.

switch(config-traffic-policies)# show traffic-policy samplePolicy interface
Traffic policy samplePolicy
   Configured on interfaces: Ethernet1/1, Ethernet2/1, Ethernet3/1, ...
   Applied on interfaces for IPv4 traffic: Ethernet1/1, Ethernet2/1, Ethernet3/1, ...
   Applied on interfaces for IPv6 traffic:
   Total number of rules configured: 3
      match SIMPLE ipv4
         Source prefix: 192.0.2.0/24
                        198.51.100.0/24
         Destination prefix: 203.0.113.0/24
         Protocol: tcp
            Source port: 50-100
                         110-200
         Actions: Drop
      match ipv4-all-default ipv4
      match ipv6-all-default ipv6

This command displays all interfaces on which samplePolicy has been configured.

switch(config-traffic-policies)# show traffic-policy interface detail
Traffic policy samplePolicy
   Configured on interfaces: Ethernet1/1, Ethernet2/1, Ethernet3/1, Ethernet4/1
   Applied on interfaces for IPv4 traffic: Ethernet1/1, Ethernet2/1, Ethernet3/1, Ethernet4/1
   Applied on interfaces for IPv6 traffic:
   Total number of rules configured: 3
      match SIMPLE ipv4
         Source prefix: 192.0.2.0/24
                        198.51.100.0/24
         Destination prefix: 203.0.113.0/24
         Protocol: tcp
            Source port: 50-100
                         110-200
         Actions: Drop
      match ipv4-all-default ipv4
      match ipv6-all-default ipv6

This command displays installation errors for a match statement. The example has no errors.

switch(config-traffic-policies)# show traffic-policy interface errors
Traffic policy samplePolicy
   Failed on interface for IPv4 traffic:
   Failed on interface for IPv6 traffic:

Interface Configuration

This chapter describes Ethernet ports supported by Arista switches as well as channel groups, port channels, port channel interfaces, Link Aggregation Control Protocol (LACP), and Multi-Chassis Link Aggregation. This chapter contains the following sections:

Ethernet Ports

This section describes Ethernet ports supported by Arista switches. Topics covered in this section include:

Ethernet Ports Introduction
Ethernet Standards
Ethernet Physical Layer
Interfaces
MRU Enforcement
Ethernet Configuration Procedures
Ethernet Configuration Commands

Ethernet Ports Introduction

Arista switches support a variety of Ethernet network interfaces. This chapter describes the configuration and monitoring options available in Arista switching platforms.

Ethernet Standards

Ethernet, standardized in IEEE 802.3, is a group of technologies used for communication over local area networks. Ethernet communication divides data streams into frames containing addresses (source and destination), payload, and Cyclical Redundancy Check (CRC) information.

IEEE 802.3 also describes two types of optical fiber: Single-Mode Fiber (SMF) and Multi-Mode Fiber (MMF). MMF range limits from 50 to 500 meters range.

100 Gigabit Ethernet

The 100 Gigabit Ethernet (100GbE) standard defines an Ethernet implementation with a nominal data rate of 100 billion bits per second over 10x10G, 4x25G, or 1x100G. 100 Gigabit Ethernet implements full duplex point to point links connected by network switches. Arista switches support 100GBASE-10SR through MXP ports.

40 Gigabit Ethernet

The 40 Gigabit Ethernet (40GbE) standard defines an Ethernet implementation with a nominal data rate of 40 billion bits per second over multiple 10 gigabit lanes. 40 Gigabit Ethernet implements full duplex point to point links connected by network switches. 40 gigabit Ethernet standards are named 40GBASE-xyz, as interpreted by 40GBASE-xyz Interpretation.

Table 1. 40GBASE-xyz Interpretation
x	y	z
Non-fiber media type, or fiber wavelength	PHY encoding	Number of WWDM wavelengths or XAUI Lanes
C = Copper F = Serial SMF K = Backplane L = Long (1310 nm) S = Short (850 nm)	R = LAN PHY (64B/66B)	No value = 1 (serial) 4 = 4 WWDM wavelengths or XAUI Lanes

10 Gigabit Ethernet

The 10 Gigabit Ethernet (10GbE) standard defines an Ethernet implementation with a nominal data rate of 10 billion bits per second. 10 Gigabit Ethernet implements full duplex point to point links connected by network switches. Half duplex operation, hubs and CSMA/CD do not exist in 10GbE. The standard encompasses several PHY standards; a networking device may support different PHY types through pluggable PHY modules. 10GbE standards are named 10GBASE-xyz, as interpreted by 10GBASE-xyz Interpretation.

Table 2. 10GBASE-xyz Interpretation
x	y	z
media type or wavelength, if media type is fiber	PHY encoding type	Number of WWDM wavelengths or XAUI Lanes
C = Copper (twin axial) T = Twisted Pair S = Short (850 nm) L = Long (1310 nm) E = Extended (1550 nm) Z = Ultra extended (1550 nm)	R = LAN PHY (64B/66B) X = LAN PHY (8B/10B) W = WAN PHY(*) (64B/66B)	If omitted, value = 1 (serial) 4 = 4 WWDM wavelengths or XAUI Lanes

Gigabit Ethernet

The Gigabit Ethernet (GbE), defined by IEEE 802.3-2008, describes an Ethernet version with a nominal data rate of one billion bits per second. GbE cables and equipment are similar to those used in previous standards. While full-duplex links in switches is the typical implementation, the specification permits half-duplex links connected through hubs.

Gigabit Ethernet physical layer standards that Arista switches support include 1000BASE-X (optical fiber), 1000BASE-T (twisted pair cable), and 1000BASE-CX (balanced copper cable).

1000BASE-SX is a fiber optic standard that utilizes multi-mode fiber supporting 770 to 860 nm, near infrared (NIR) light wavelength to transmit data over distances ranging from 220 to 550 meters. 1000BASE-SX is typically used for intra-building links in large office buildings, co-location facilities and carrier neutral Internet exchanges.
1000BASE-LX is a fiber standard that utilizes a long wavelength laser (1,2701,355 nm), with a RMS spectral width of 4 nm to transmit data up to 5 km. 1000BASE-LX can run on all common types of multi-mode fiber with a maximum segment length of 550 m.
1000BASE-T is a standard for gigabit Ethernet over copper wiring. Each 1000BASE-T network segment can be a maximum length of 100 meters.

10/100/1000 BASE-T

Arista switches provide 10/100/1000 BASE-T Mbps Ethernet out of band management ports. Auto-negotiation is enabled on these interfaces. Speed (10/100/1000), duplex (half/full), and flow control settings are available using the appropriate speed and flowcontrol commands.

Power over Ethernet (PoE)

Selected Arista switches provide Power over Ethernet (PoE) to power connected devices. Arista’s PoE implementation is compliant with IEEE standards 802.3af and 802.3at, and includes partial support for 802.3bt.

When a standards-compliant Powered Device (PD) is connected to a PoE-enabled Ethernet port, it is recognized by a specific resistor signature, and its power class is determined by hardware negotiation; more granular power adjustments can then be managed by Link Layer Discovery Protocol (LLDP).

Link Fault Signaling

Link Fault Signaling (LFS) is a mechanism by which remote link faults are transmitted to the peer over the link that is experiencing problems by configuring specific actions. LFS operates between the remote Reconciliation Sublayer (remote RS) and the local Reconciliation Sub-layer (local RS). Faults that are detected between the remote RS and the local RS are treated by the local RS as Local Faults.

LFS enables monitoring FCS and Symbol errors on an interface and if they exceed a configured threshold, one of the following three actions are enabled.

Disable the error on the interface
Generate system log messages
Generate a link fault

Ethernet Physical Layer

The Ethernet Physical Layer (PHY) includes hardware components connecting a switchs MAC layer to the transceiver, cable, and ultimately a peer link partner.

Data exist in digital form at the MAC layer. On the line side of the PHY, data exist as analog signals: light blips on optical fiber or voltage pulses on copper cable. Signals may be distorted while in transit and recovery may require signal processing. Ethernet physical layer components include a PHY and a transceiver.

PHYs

The PHY provides translation services between the MAC layer and transceiver. It also helps to establish links between the local MAC layer and peer devices by detecting and signaling fault conditions. The PHY line-side interface receives Ethernet frames from the link partner as analog waveforms. The PHY uses signal processing to recover the encoded bits, then sends them to the MAC layer.

PHY line-side interface components and their functions include:

Physical Medium Attachment (PMA): Framing, octet synchronization, scrambling / descrambling.
Physical Medium Dependent (PMD): Consists of the transceiver.
Physical Coding Sublayer (PCS): Performs auto-negotiation and coding (8B/10B or 64B/66B).

The MAC sublayer of the PHY provides a logical connection between the MAC layer and the peer device by initializing, controlling, and managing the connection with the peer.

Ethernet frames transmitted by the switch are received by the PHY system-side interface as a sequence of digital bits. The PHY encodes them into a media-specific waveform for transmission through the line-side interface and transceiver to the link peer. This encoding may include signal processing, such as signal pre-distortion and forward error correction.

PHY system-side interface components and their functions include:

10 Gigabit Attachment Unit Interface (XAUI): Connects an Ethernet MAC to a 10G PHY.
Serial Gigabit Media Independent Attachment (SGMII): Connects an Ethernet MAC to a 1G PHY.

Transceivers

A transceiver connects the PHY to an external cable (optical fiber or twisted-pair copper) and through a physical connector (LC jack for fiber or RJ-45 jack for copper).

Optical transceivers convert the PHY signal into light pulses that are sent through optical fiber.
Copper transceivers connect the PHY to twisted-pair copper cabling.

Arista Small Form-Factor Pluggable (SFP+) and Quad Small Form Factor Pluggable (QSFP+) modules and cables provide high-density, low-power Ethernet connectivity over fiber and copper media. Arista offers transceivers that span data rates, media types, and transmission distances.

Arista 10 Gigabit Ethernet SFP+ Modules

10GBASE-SR (Short Reach)
- Link length maximum 300 meters over multi-mode fiber.
Optical interoperability with 10GBASE-SRL.
10GBASE-SRL (Short Reach Lite)
- Link length maximum 100 meters over multi-mode fiber.
- Optical interoperability with 10GBASE-SR.
10GBASE-LRL (Long Reach Lite)
- Link length maximum 1 km over single-mode fiber.
- Optical interoperability with 10GBASE-LR (1 km maximum).
10GBASE-LR (Long Reach)
- Link length maximum 10 km over single-mode fiber.
- Optical interoperability with 10GBASE-LRL (1 km maximum).
10GBASE-LRM (Long Reach Multimode)
- Link length maximum 220 meters over multi-mode fiber (50 um and 62.5 um).
10GBASE-ER (Extended Reach)
- Link length maximum 40 km over single-mode fiber.
10GBASE-ZR (Ultra-Extended Reach)
- Link length maximum 80 km over single-mode fiber.
10GBASE-DWDM (Dense Wavelength Division Multiplexing)
- Link length maximum 80 km over single-mode fiber (40 color options).
- Tunable SFP+ Optics Module, Full C-Band 50 GHz ITU Grid, up to 80km over duplex SMF.

Arista 10 Gigabit Ethernet CR Cable Modules

10GBASE-CR SFP+ to SFP+ Cables
- Link lengths of 0.5, 1, 1.5, 2, 2.5, 3, 5, and 7 meters over twinax copper cable.
- Includes SFP+ connectors on both ends.
4 x 10GbE QSFP+ to 4 x SFP+ twinax copper cables.
- Link lengths of 0.5, 1, 2, 3, and 5 meters over twinax copper cable

Arista 25 Gigabit Ethernet Modules

25GBASE-CR SFP28 Cable
- Capable of 10G/25G with link length of 1 to 5 meters.
AOC-S-S-25G SFP28 to SFP28 25GbE Active Optical Cable.
- Link length of 3 to 30 meters.
SFP-25G-SR SFP28 Optics Module
- Link length up to 70m over OM3 MMF or 100m over OM4 MMF.
SFP-25G-LR SFP28 Optics Module
- Link length up to 10 kilometers over duplex SMF

Arista 40 Gigabit Ethernet QSFP+ Cables and Optics

40GBASE-SR4 QSFP+ Transceiver.
- Link length maximum 100 meters over parallel OM3 or 150 meters over OM4 MMF.
- Optical interoperability with 40GBASE-XSR4 (100/150 meter maximum).
40GBASE-XSR4 QSFP+ Transceiver.
- Link length maximum 300 meters over parallel OM3 or 450 meters over OM4 MMF.
- Optical interoperability with 40GBASE-SR4 (100/150 meter maximum).
40GBASE-LR4 QSFP+.
- Link length maximum 10 km over duplex single-mode fiber.
40GBASE-CR4 QSFP+ to QSFP+ twinax copper cables.
- Link lengths of 1, 2, 3, 5, and 7 meters over twinax copper cable.
40G-SRBD Bidirectional QSFP+ Optic.
- Link length maximum up to 100 meters over parallel OM3 or 150 meters over OM4 MMF.
40G Univ QSFP+ Optic.
- Link length maximum up to 150 meters over duplex OM3/OM4 and 500 meters over duplex SMF.
40GBASE-LRL QSFP+ Optic.
- Link length maximum up to 1 kilometer over duplex SMF.
40GBASE-PLRL4 QSFP+ Optic.
- Link length maximum up to 1 kilometer over parallel SMF (4x10G LR up to 1 km).
40GBASE-PLR4 QSFP+ Optic
- Link length maximum up to 1 kilometer over parallel SMF (4x10G LR up to 1 km).
40GBASE-ER QSFP+ Optic.
- Link length maximum up to 40 kilometers duplex SMF.

Arista Gigabit Ethernet SFP Options

1000BASE-SX (Short Haul).
- Multi-mode fiber.
- Link length maximum 550 meter.
1000BASE-LX (Long Haul).
- Single-mode fiber.
- Link length maximum 10 km (single mode).
1000BASE-T (RJ-45 Copper).
- Category 5 cabling.
- Full duplex 1000Mbps connectivity.

Arista 100 Gigabit Ethernet QSFP Modules

100GBASE-SR4 QSFP transceiver.
- Link length up to 70 meters over parallel OM3 or 100 meters over OM4 multi-mode fiber.
100GBASE-SWDM4 QSFP transceiver.
- Link length up to 70 meters over OM3 or 100 meters over OM4 duplex multi-mode fiber.
100GBASE-SRBD BIDI QSFP transceiver.
- Link length up to 70 meters over OM3 or 100 meters over OM4 duplex multi-mode fiber.
100GBASE-PSM4 40G/100G dual speed QSFP Optics Module.
- Link length up to 500 meters over parallel single-mode fiber.
100GBASE-CWDM4 40G/100G dual speed QSFP Optics Module.
- Link length up to 2 km over duplex single-mode fiber.
100GBASE-LRL4 QSFP Optics Module.
- Link length up to 2 km over duplex single-mode fiber.
100GBASE-LR4 QSFP Optics Module.
- Link length up to 10 km over duplex single-mode fiber.
100GBASE-ERL4 QSFP Optics Module.
- Link length up to 40 km over duplex single-mode fiber.
100G DWDM QSFP transceiver.
- Link length up to 80 km over single-mode fiber.
100GBASE-CR4 QSFP to QSFP Twinax Copper Cable.
- Link length of 1 to 5 meters.
100GBASE-CR4 QSFP to 4 x 25GbE SFP Twinax Copper Cable.
- Link length of 1 to 5 meters.

Internal Ports

Several Arista switches include internal ports that connect directly to an external cable through an RJ-45 jack. Internal ports available on Arista switches include:

100/1000BASE-T (7048T-A)
100/1000/10GBASE-T (7050-T)

AOC Cables

AOC-Q-Q-100G QSFP 100GbE Active Optical Cable.
- Link length of 3 to 30 meters
AOC-Q-Q-40G QSFP+ to QSFP+ 40GbE Active Optical Cable.
- Link length of 3 to 100 meters.
AOC-S-S-25G SFP28 to SFP28 25GbE Active Optical Cable.
- Link length of 3 to 30 meters.

400GBASE-ZR Transceivers

400GBASE-ZR transceiver is the industry’s first multi-vendor DWDM standard, a Digital Coherent Optical module with tunable laser, using DWDM multiplexing and 16QAM modulation and capable of delivering 400G per port over distances up to 120 km.

Key software features supported:

Compliant with CMIS4.0/CMIS4.1 (CMIS5.0) and Coherent CMIS
Frequency tuning (100GHz and 75GHz grids)
DOM monitoring, including VDM (Versatile Diagnostics Monitoring) pages, defined in CMIS4.0
Coherent alarms and faults, including pages, defined by Coherent CMIS
Configurable Tx output power
A separate command for shutting down Tx output path for unidirectional mode
1-sec update of pre-FEC BER, OSNR, ESNR
Support of 4x100G mode for the 400GBASE-ZR transceivers (EOS release 4.25.2F)
Support of 400GBASE-ZR with Open Forward Error Correction (O-FEC) (EOS release 4.25.2F)
Override a transceiver slot’s maximum power limit (EOS release 4.25.2F)

Platform Compatibility

The 400GBASE-ZR transceiver is a power class 8 module with power consumption up to 20W, the highest power consumption among 400G transceivers.

In theory, every 400GBASE OSFP or QSFP-DD switch is qualified to host 400GBASE-ZR transceivers. However, the actual number of 400GBASE-ZR modules that can be plugged in the switch simultaneously may vary, depending on platform (modular vs fixed) and ASIC type. It is always recommended to discuss installation of 400GBASE-ZR modules with Arista support.

Using 400GBASE-ZR in Combination with OSFP-LS

Arista EOS allows using OSFP-LS (pluggable line system in the OSFP form factor), instead of traditional DCI line systems.

Configuring 400GBASE-ZR Transceivers

Laser Frequency Configuration

All coherent modules, including 400GBASE-ZR, require their laser frequency to be explicitly configured. To configure laser frequency in 400GBASE-ZR, use the transceiver frequency command under the defined interface, providing frequency in Gigahertz, in the range 191.3-196.1 THz. If laser frequency is not configured or is configured outside the valid range, all interfaces associated with the port are put into error disabled state.

switch# conf
switch(config)#
switch(config)# interface Ethernet12/1
switch(config-if-Et12/1)# transceiver frequency 193100
switch(config-if-Et12/1)#

Configured and Operational frequency settings can be verified using the show interface transceiver hardware command.

Note:

It can take up to 90 seconds for the 400GBASE-ZR module to fully complete frequency tuning.
The frequency plan for 400GBASE-ZR modules support channel spacings of 100GHz or 75GHz. It is recommended to use operating frequency channel definitions in chapter 15 of [4].

Transmit Output Power Configuration

CMIS4.0 defines support of configurable transmit output power as an optional feature. Check the output of show interface transceiver eeprom command for page 04h, registers 196-201 to see if it is supported.

Programmable output power advertisement (04h:196-201):
    Lane programmable output power supported (04h:196): true
    Min programmable output power (04h:198-199): -14 dB
    Max programmable output power (04h:200-201): -10 dB

Transmit Output Power can be configured using transceiver transmitter signal power command.

switch# conf
switch(config)# interface Ethernet14/1
switch(config-if-Et14/1)# transceiver transmitter signal-power ?
switch(config-if-Et14/1)# transceiver transmitter signal-power -10

Configured Tx Power is verified using the show interface transceiver hardware command. Actual operational Tx Power can be verified using show interface transceiver command.

Note:

400GBASE-ZR does not have a recommended level of transmit laser power. In most cases, it is OK to stay with default power.
Some vendors may not populate the range of supported output power correctly. The range -10 to -14 dBm should be supported. Contact Arista Support if you are planning to configure output power outside of this range.

Transmit Output Disable and Unidirectional Mode

In the coherent optics, shutdown command impacts both transmit and receive path and can’t be used to set up unidirectional mode. To shut down Tx output path, use the transceiver transmitter disabled command:

switch# conf
switch(config)# interface Ethernet14/1
switch(config-if-Et14/1)# transceiver transmitter DISABLED

To re-enable transmit output, use the no or default version of the above configuration command.

Configuring 4x100G mode for 400GBASE-ZR transceivers

4x100G mode connects 4 host ethernet interfaces, over electrical interfaces 100GAUI-2 to the single optical lane, acting as 4x1 muxponder. To enable the mode on a 400GBASE-ZR transceiver, configure the speed on each of the 4 interfaces.

switch(config-if-Et4/1)# speed 100g-2
switch(config-if-Et4/3,4/5,4/7)# speed 100g-2

switch# show interfaces ethernet 4/1-5/8 status
Port   	Name   Status   	  Vlan 	Duplex Speed  Type     	Flags Encapsulation
Et4/1       	  connected 	  1    	full   100G   400GBASE-ZR               	 
Et4/3       	  connected 	  1    	full   100G   400GBASE-ZR               	 
Et4/5       	  connected 	  1    	full   100G   400GBASE-ZR               	 
Et4/7       	  connected 	  1    	full   100G   400GBASE-ZR               	 
Et5/1       	  connected          1    	full   100G   400GBASE-ZR               	 
Et5/3       	  connected          1    	full   100G   400GBASE-ZR               	 
Et5/5       	  connected          1    	full   100G   400GBASE-ZR               	 
Et5/7       	  connected   	1    	full   100G   400GBASE-ZR

Each of the ethernet interfaces can be independently shut down without affecting the transmission over the other interfaces.

switch(config-if-Et4/1,4/3,4/5)# shutdown
switch# show interfaces ethernet 4/1-5/8 status
Port   	Name   Status   	  Vlan 	Duplex Speed  Type     	Flags Encapsulation
Et4/1       	  disabled 	  1    	full   100G   400GBASE-ZR               	 
Et4/3       	  disabled 	  1    	full   100G   400GBASE-ZR               	 
Et4/5       	  disabled 	  1    	full   100G   400GBASE-ZR               	 
Et4/7       	  connected	  1    	full   100G   400GBASE-ZR               	 
Et5/1       	  notconnect        1    	full   100G   400GBASE-ZR               	 
Et5/3       	  notconnect        1    	full   100G   400GBASE-ZR               	 
Et5/5       	  notconnect        1    	full   100G   400GBASE-ZR               	 
Et5/7       	  connected	   1    	full   100G   400GBASE-ZR

switch# show interfaces ethernet 4/1 transceiver
If device is externally calibrated, only calibrated values are printed.
N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).
                            	Bias  	Optical   Optical           	 
      	Temp   	Voltage    Current    Tx Power  Rx Power          	 
Port  	(Celsius)  (Volts)    (mA)  	(dBm)     (dBm)  	Last Update  
----- 	---------  --------   --------  --------  --------    -------------------
Et4/1	     59.00      3.25     279.70     -9.46     -8.29    0:00:01 ago

Shutting down all 4 interfaces will however disable the laser:

switch(config-if-Et4/7)# shutdown
switch# show interfaces ethernet 4/1-5/8 status
Port   	Name   Status   	  Vlan 	Duplex Speed  Type     	Flags Encapsulation
Et4/1       	  disabled 	  1    	full   100G   400GBASE-ZR               	 
Et4/3       	  disabled 	  1    	full   100G   400GBASE-ZR               	 
Et4/5       	  disabled 	  1    	full   100G   400GBASE-ZR               	 
Et4/7       	  disabled	   1    	full   100G   400GBASE-ZR               	 
Et5/1       	  notconnect        1    	full   100G   400GBASE-ZR               	 
Et5/3       	  notconnect        1    	full   100G   400GBASE-ZR               	 
Et5/5       	  notconnect        1    	full   100G   400GBASE-ZR               	 
Et5/7       	  notconnect	  1    	full   100G   400GBASE-ZR

switch# show interfaces ethernet 4/1 transceiver
If device is externally calibrated, only calibrated values are printed.
N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).
                            	Bias  	Optical   Optical           	 
      	Temp   	Voltage    Current    Tx Power  Rx Power          	 
Port  	(Celsius)  (Volts)    (mA)  	(dBm)     (dBm)  	Last Update  
----- 	---------  --------   --------  --------  --------    -------------------
Et4/1	     44.00      3.33       0.00    -30.00    -30.00    0:00:01 ago

Configuring Open Forward Error Correction on 400GBASE-ZR

Open FEC (O-FEC) is a Forward Error Correction encoder and decoder, specified in the Open ZR+ MSA [2], with an overhead of 15.3% and a net coding gain of 11.6dB for 16QAM modulation. Compared to the Concatenated FEC (C-FEC), which is a default FEC specified for 400GBASE-ZR coherent transceivers by CMIS4.0, O-FEC provides higher coding gain (11.6dB for O-FEC vs 10.8 dB for C-FEC /16QAM), and it can correct pre-FEC BER of up to 2e-2.

The error-correction encoding <FEC> command configures the transceiver’s optical transmission to use O-FEC:

switch(config-if-Et4/1)# error-correction encoding open

Transceiver slot’s Maximum Power Limit

The transceiver power ignore command allows EOS to bypass the power check for the transceivers to be operational.

Switch(config-if-Et4/1)# transceiver power ignore
! You can risk damaging hardware by using transceiver modules with high power consumption. We recommend that you do this only under direction from Arista Networks.

Show Commands

show interface transceiver eeprom

The show interface transceiver eeprom command displays the parsed capabilities.

Example

For 400GBASE-ZR, parsing of frequency tuning, power tuning ( page 04h ) and VDM configuration pages (20h-23h) is added.

switch# show interface Ethernet15/1 transceiver eeprom
Ethernet15 EEPROM:
...
  Frequency tuning support (04h:128-129):
    Grid spacing capabilities (04h:128):
      100 GHz grid supported (04h:128): true
      12.5 GHz grid supported (04h:128): false
      25 GHz grid supported (04h:128): false
      3.125 GHz grid supported (04h:128): false
      33 GHz grid supported (04h:128): false
      50 GHz grid supported (04h:128): false
      6.25 GHz grid supported (04h:128): false
      75 GHz grid supported (04h:128): true
    Tunable wavelength (04h:128): true
    Fine tuning support (04h:129): false
  Supported channel boundaries (04h:130-161):
    100 GHz grid (04h:150-153):
      Lowest channel (04h:150-151): -18
      Lowest frequency (04h:150-151): 191300000 MHz
      Highest channel (04h:152-153): 30
      Highest frequency (04h:152-153): 196100000 MHz
    75 GHz grid (04h:158-161):
      Lowest channel (04h:158-159): -72
      Lowest frequency (04h:158-159): 191300000 MHz
      Highest channel (04h:160-161): 120
      Highest frequency (04h:160-161): 196100000 MHz
  Programmable output power advertisement (04h:196-201):
    Lane programmable output power supported (04h:196): false
  VDM configuration (20h:128-255;21h:128-255):
    VDM group 1 (20h:128-255):
      Parameter 1 (20h:128-129):
        Lane (20h:128): 0
        Threshold ID (20h:128): 0
        Parameter type (20h:129): Laser temperature
      Parameter 3 (20h:132-133):
        Lane (20h:132): 0
        Threshold ID (20h:132): 2
        Parameter type (20h:133): eSNR host input
      Parameter 4 (20h:134-135):
        Lane (20h:134): 1
        Threshold ID (20h:134): 2
        Parameter type (20h:135): eSNR host input
      Parameter 5 (20h:136-137):
        Lane (20h:136): 2
        Threshold ID (20h:136): 2
        Parameter type (20h:137): eSNR host input
...
       Parameter 84 (21h:166-167):
        Lane (21h:166): 0
        Threshold ID (21h:166): 14
        Parameter type (21h:167): MER
  Number of VDM groups supported (2Fh:128): 2

show interface transceiver dom

The show interface transceiver dom command displays the most important current performance data on the media (line) side.

Example

switch# show interface Ethernet11/1 transceiver dom
Ch: Channel, N/A: not applicable, TX: transmit, RX: receive
mA: milliamperes, dBm: decibels (milliwatts), C: Celsius, V: Volts

Port 11
Last update: 0:00:05 ago
                                             Value
                                        ----------------
   Case temperature                         66.59 C
   Voltage                                   3.26 V
   TX power                                -10.23 dBm
   RX total power                          -11.61 dBm
   RX channel power                        -11.94 dBm
   Pre-FEC BER                           1.82e-03 
   Post-FEC errored frames ratio         0.00e+00 
   Chromatic dispersion (short link)         0.00 ps/nm
   Chromatic dispersion (long link)          0.00 ps/nm
   Differential group delay                  9.31 ps
   SOPMD                                     0.00 ps^2
   Polarization dependent loss               0.40 dB
   Received OSNR estimate                   35.10 dB
   Received ESNR estimate                   17.50 dB
   Carrier frequency offset                  0.00 MHz
   Error vector magnitude                  100.00 %
   SOP rate of change                        0.00 krad/s
   Laser temperature                        59.54 C
   Laser frequency                         193100.00 GHz

BER: Bit Error Rate
FEC: Forward Error Correction
OSNR: Optical Signal to Noise Ratio
ESNR: Electrical Signal to Noise Ratio
SOP: State of Polarization
SOPMD: State of Polarization Mode Dispersion

show interfaces hardware

The show interfaces hardware command displays the speed capabilities of a module. A 400GBASE-ZR supports 4x100G mode if the 100G-2/full speed is supported.

Example

switch# show interfaces ethernet 4/1 hardware 
*  = Requires speed group setting change
Ethernet4/1
  Model: DCS-7280PR3K-24
  Type: 400GBASE-ZR
  Speed/duplex: 100G-2/full,400G-8/full(default)
  Flowcontrol: rx-(off,on),tx-(off)
  Modulation: 16QAM
  Error correction: C-FEC(16QAM(default)), O-FEC(16QAM)

The show interface status command displays the ethernet interfaces:

switch#show interfaces ethernet 4/1,4/3,4/5,4/7 status
Port      Name  Status   	Vlan 	Duplex Speed  Type     	Flags Encapsulation
Et4/1           connected	1    	full   100G   400GBASE-ZR
Et4/3           connected	1    	full   100G   400GBASE-ZR
Et4/5           connected	1    	full   100G   400GBASE-ZR
Et4/7           connected	1    	full   100G   400GBASE-ZR

show transceiver status interface

The show transceiver status interface command displays the most important alarms, faults and interface status and the existence of 4 host interfaces.

Example

For 400GBASE-ZR modules, media and host side coherent alarms, host-side pre-FEC BER, defined in the Coherent CMIS and post-FEC BER have been added to the command’s output:

switch# show transceiver status interface Ethernet 4/1,4/3,4/5,4/7
                                Current State        Changes       Last Change
                                -------------        -------       -----------
Port 4
  Transceiver               	400GBASE-ZR             3   	2:32:34 ago
  Transceiver SN            	204653947                  	 
  Presence                  	present                       	 
  Adapters                  	none                          	 
  Bad EEPROM checksums                                     0   	never
  Resets                                                   0   	2:32:41 ago
  Interrupts                                               0   	never
  Data path firmware fault  	ok                       0   	never
  Module firmware fault     	ok                       0   	never
  Temperature high alarm    	ok                       0   	never
  Temperature high warn     	ok                       0   	never
  Temperature low alarm     	ok                       0   	never
  Temperature low warn      	ok                       0   	never
  Voltage high alarm        	ok                       0   	never
  Voltage high warn         	ok                       0   	never
  Voltage low alarm         	ok                       2   	2:32:19 ago
  Voltage low warn          	ok                       2   	2:32:19 ago
  Module state              	ready                    6   	0:02:21 ago
  Data path 1 state         	activated                12         0:01:33 ago
  Data path 2 state         	activated                12   	0:01:33 ago
  Data path 3 state         	activated                12   	0:01:33 ago
  Data path 4 state         	activated                12   	0:01:33 ago
  Data path 5 state         	activated                12   	0:01:33 ago
  Data path 6 state         	activated                12   	0:01:33 ago
  Data path 7 state         	activated                12   	0:01:33 ago
  Data path 8 state         	activated                12   	0:01:33 ago
  RX LOS                    	ok                        4   	0:01:33 ago
  TX fault                  	ok                        0   	never
  RX CDR LOL                	ok                        4   	0:01:31 ago
  TX power high alarm       	ok                        0   	never
  TX power high warn        	ok                        4   	0:02:12 ago
  TX power low alarm        	ok                        4   	0:02:21 ago
  TX power low warn         	ok                        6   	0:02:12 ago
  TX bias high alarm        	ok                        0   	never
  TX bias high warn         	ok                        0   	never
  TX bias low alarm         	ok                        0   	never
  TX bias low warn          	ok                        0   	never
  RX power high alarm       	ok                        0   	never
  RX power high warn        	ok                        0   	never
  RX power low alarm        	ok                        0   	never
  RX power low warn         	ok                        0   	never
  TX loss of alignment      	ok                        0   	never
  TX out of alignment       	ok                        0   	never
  TX clock monitor unit LOL 	ok                        0   	never
  TX reference clock LOL    	ok                        0   	never
  TX deskew LOL             	ok                        0   	never
  TX FIFO error             	ok                        0   	never
  RX demodulator LOL        	ok                        4   	0:01:30 ago
  RX CD compensation LOL    	ok                        4   	0:01:30 ago
  RX loss of alignment      	ok                        0   	never
  RX out of alignment       	ok                        0   	never
  RX deskew LOL             	ok                        0   	never
  RX FIFO error             	ok                        0   	never
  RX FEC excessive degrade  	ok                        0   	never
  RX FEC detected degrade   	ok                        0   	never
  Freq tuning in progress   	idle                      8   	0:01:32 ago
  Freq tuning busy          	ok                        0   	never
  Freq tuning invalid channel      ok                        0   	never
  Freq tuning completed     	no                        8   	0:01:30 ago
Ethernet4/1
  Operational speed         	100Gbps                       	 
  Pre-FEC bit error rate    	0.00e+00                      	 
  Post-FEC errored frames ratio 0.00e+00                      	 
  TX LOS
	Host lane 1             	ok                      2   	0:02:21 ago
	Host lane 2             	ok                      2   	0:02:21 ago
  TX CDR LOL
	Host lane 1             	ok                      2   	0:02:21 ago
	Host lane 2             	ok                      0   	never
  TX adaptive input EQ fault
	Host lane 1             	ok                      2   	0:02:21 ago
	Host lane 2             	ok                      2   	0:02:21 ago
Ethernet4/3
  Operational speed         	100Gbps                       	 
  Pre-FEC bit error rate    	0.00e+00                      	 
  Post-FEC errored frames ratio 0.00e+00                      	 
  TX LOS
	Host lane 3             	ok                      2   	0:02:21 ago
	Host lane 4             	ok                      2   	0:02:21 ago
  TX CDR LOL
	Host lane 3             	ok                      2   	0:02:21 ago
	Host lane 4             	ok                      2   	0:02:21 ago
  TX adaptive input EQ fault
	Host lane 3             	ok                      2   	0:02:21 ago
	Host lane 4             	ok                      2   	0:02:21 ago
Ethernet4/5
  Operational speed         	100Gbps                       	 
  Pre-FEC bit error rate    	0.00e+00                      	 
  Post-FEC errored frames ratio 0.00e+00                      	 
  TX LOS
	Host lane 5             	ok                      2   	0:02:21 ago
	Host lane 6             	ok                      2   	0:02:21 ago
  TX CDR LOL
	Host lane 5             	ok                      0   	never
	Host lane 6             	ok                      2   	0:02:21 ago
  TX adaptive input EQ fault
	Host lane 5             	ok                      0   	never
	Host lane 6             	ok                      2   	0:02:21 ago
Ethernet4/7
  Operational speed         	100Gbps                       	 
  Pre-FEC bit error rate    	0.00e+00                      	 
  Post-FEC errored frames ratio 0.00e+00                      	 
  TX LOS
	Host lane 7             	ok                      2   	0:02:21 ago
	Host lane 8             	ok                      2   	0:02:21 ago
  TX CDR LOL
	Host lane 7             	ok                      2   	0:02:21 ago
	Host lane 8             	ok                      2   	0:02:21 ago
  TX adaptive input EQ fault
	Host lane 7             	ok                      2   	0:02:21 ago
	Host lane 8             	ok                      0   	never

Wavelength/Frequency and Output Power Status
The show interface transceiver hardware command displays the configured and programmed wavelength and output power. It takes a short time for the configured wavelength or output power to be programmed into the transceiver. The configured wavelength/output power and programmed wavelength/output power should not differ for extended periods of time.
```
switch# show interface Ethernet23/1 trans hardware
Name: Et23/1
Media type: 400GBASE-ZR
Maximum module power (W): 20.0
Maximum slot power (W): 20.0
Configured frequency (GHz): 193100.0
Computed wavelength (nm): 1552.52
Operational frequency (GHz): 193,100.0
Operational wavelength (nm): 1552.52
Configured TX power (dBm): -10.0
Operational TX power (dBm): -10.0
```
Note: Configured transmit output power and operational transmit output power are only displayed if configurable output power is supported by the module.

Troubleshooting

Check transceiver type – make sure it is 400GBASE-ZR
Check peer transceiver – make sure it is also 400GBASE-ZR.
Check that channel/frequency is configured and interfaces are not in errdisabled state
Check that the selected frequency is matching on both sides of the optical link
Check that transmit output is not disabled
If Tx power is not configured, check that it is in the range of -6 dB to -12 dB.
If Tx power is configured, check that matches its configured values on both sides of the optical link.
Check Rx power. The best performance of an optical link is achieved when the received power is -10dB.
Collect the output of CLI commands listed in the “Show commands” section before making a request for support from the development team.
Check that pre-FEC BER ( ‘show transceiver dom’ command ) is in the correctable range ( less than 1e-2 ).
‘show transceiver status interface’ - check that module state is ‘Ready’, datapath state is ‘Activated’. Check for possible alarms and faults

Link Issues

If a link has issues, the following commands and files are useful for debugging and Arista TAC.

show interfaces <interfaceName> phy detail
show interfaces <interfaceName> transceiver detail
show idprom transceiver <interfaceName> ext
files in /var/log/agents/*
files in /var/log/qt/*
/var/log/messages*

Limitations

400GBASE-ZR transceivers are relatively new. The modules could be Arista branded or 3rd party, from multiple vendors. For 3rd party optics, some optional properties (Tx output power, support of 75GHz grid) or DOM properties in the VDM pages, may not be implemented.

MXP Ports

MXP ports provide embedded optics that operate in one of three modes: 10GbE (12 ports), 40GbE (3 ports), and 100GbE (1 port). Each mode requires a specified cable is implemented through configuration commands. MXP ports utilize multi-mode fiber to provide support over 150 meters.

100GbE mode requires an MTP-24 to MTP-24 cable, which uses 20 of 24 fibers to carry 100Gbe across 10 send and 10 receive channels. When connecting two 100GbE MXP ports, the TX lanes must be crossed with the RX lanes.
40GbE mode requires an MTP cable that provides a split into three MTP-12 ends. The cable splits the MXP port into three MTP-12 ends, each compatible with standards based 40GBASE-SR4 ports over OM3 or OM4 fiber up to 100m or 150m.
10GbE mode requires an MTP cable that provides a split into 12x10G with LC connectors to adapt the MXP port into 12x10GbE. The cable splits the MXP port into twelve LC ends for using SR or SRL optics over multimode OM3/OM4 cables.

Interfaces

Arista switches provide two physical interface types that receive, process, and transmit Ethernet frames: Ethernet interfaces and Management interfaces.

Each Ethernet interface is assigned a 48-bit MAC address and communicates with other interfaces by exchanging data packets. Each packet contains the MAC address of its source and destination interface. Ethernet interfaces establish link level connections by exchanging packets. Interfaces do not typically accept packets with a destination address of a different interface.

Ethernet data packets are frames. A frame begins with preamble and start fields, followed by an Ethernet header that includes source and destination MAC addresses. The middle section contains payload data, including headers for other protocols carried in the frame. The frame ends with a 32-bit Cyclic Redundancy Check (CRC) field that interfaces use to detect data corrupted during transmission.

Ethernet Interfaces

Ethernet speed and duplex configuration options depend on the media type of the interface:

40G, OSFP, QSFP+, QSFP-DD, and QSFP200: Default operation is as four 10G ports. Speed command options support configuration as a single 40G port.
1000BASE-T / 2.5GBASE-T / 5GBASE-T / 10GBASE-T (copper): Default configuration enables the Clause 28 auto-negotiation for the port to negotiate the speed based on peer capabilities. Depending on individual SKU capabilities, these ports support 10M/100M/1G/2.5G/5G and 10G rates and half / full-duplex mode of operation. The Speed auto SPEED command limits the port advertisements only to a specific speed. The SPEED commands disables the Clause 28 auto-negotiation and uses the specified speed as the forced speed setting.sa commands.
10GBASE-T (SFP+): Port operates as a single 10G port. speed commands do not affect configuration.
100G CFP2: Default operation is 100G. It cannot be split, and its speed cannot be changed.
100G MXP: Operates as three 40G ports on the 7050 platform. On the 7050 platforms, available speed/duplex settings are three 40G ports or twelve 10G ports. Adjustments are made with speed commands.
100G QSFP100: Available speeds are transceiver-dependent. The QSFP100 transceiver supports a single 100G port, four 25G ports, or two 50G ports; the QSFP+ transceiver supports one 40G port or four 10G ports; the CWDM transceiver supports all five configurations. Adjustments are made using speed commands.
The SFP1000BASE-T transceivers advertise one speed at a time only. Hence, the desired speed and negotiation must be configured explicitly using the following commands:
- speed auto: auto-negotiated 1Gbps (this is because no speed is specified and we are defaulting to advertise 1G).
- speed auto 1Gfull / speed auto: auto-negotiated 1Gbps (note that per BASE-T standard, 1G must be negotiated).
- speed auto 100full: auto-negotiated 100Mbps.
- speed 100full: non-negotiated / forced 100Mbps.
The SFP10GBASE-Ts transceivers advertise one speed at a time only, similar to SFP1000BASE-Ts, unlike native BASE-T ports. The no and default speed commands configure the PHY to advertise only 10G.

For information relating to transceivers, see Transceivers.

Subinterfaces

Subinterfaces divide a single ethernet or port channel interface into multiple logical L3 interfaces based on the 802.1q tag (VLAN ID) of incoming traffic. Subinterfaces are commonly used in the L2/L3 boundary device, but they can also be used to isolate traffic with 802.1q tags between L3 peers by assigning each subinterface to a different VRF.

While subinterfaces can be configured on a port channel interface (the virtual interface associated with a port channel), the following restrictions apply:

An L3 interface with subinterfaces configured on it should not be made a member of a port channel.
An interface that is a member of a port channel should not have subinterfaces configured on it.
A subinterface cannot be made a member of a port channel.

Subinterfaces on multiple ports can be assigned the same VLAN ID, but there is no bridging between subinterfaces (or between subinterfaces and SVIs), and each subinterface is considered to be in a separate bridge domain.

The following features are supported on subinterfaces:

Unicast and multicast routing
BGP, OSPF, ISIS, PIM
ACL
VRF
VRRP
SNMP
Subinterface counters (on some platforms)
VXLAN (on some platforms)
MPLS (on some platforms)
GRE (on some platforms)
PBR (on some platforms)
QoS (on some platforms)
Inheriting QoS settings (trust mode and default DSCP) from the parent interface
Inheriting MTU setting from parent interface

The following are not supported on subinterfaces:

Per-subinterface MTU setting
Per-subinterface SFLOW settings
Per-subinterface mirroring settings

Shared Shaper across Multiple Subinterfaces

Sub-interfaces can be grouped into logical units called scheduling groups, which are shaped as a single unit. Each scheduling group may be assigned a scheduling policy which defines a shape rate in kbps and optionally a guaranteed bandwidth, also in kbps.

The guaranteed bandwidth is used if the sum of the shape rates of all scheduling groups and sub-interfaces that are not part of groups for a parent interface exceeds the available bandwidth. Each sub-interface within that scheduling group may have its own independent shape rate which are applied in a hierarchical manner.

Adding a sub-interface to a scheduling group results in allocation of dedicated Virtual Output Queues (VOQ) for the sub-interface.

Configuring Shared Shaper

Scheduling groups and scheduling policies are configured in the qos scheduling CLI mode.

First, configure one or more sub-interfaces.

Then, create a scheduling policy with the desired shape rate and optional guaranteed bandwidth:

switch(config)# qos scheduling
switch(config-qos-scheduling)# scheduling policy P1
switch(config-qos-scheduling-policy-P1)# shape rate 75000000
switch(config-qos-scheduling-policy-P1)# bandwidth guaranteed 10000000

The shape rate and guaranteed bandwidth may also be defined as percents of the next highest level of the hierarchy (in this case line rate):
```
switch(config-qos-scheduling-policy-P1)# shape rate 75 percent
switch(config-qos-scheduling-policy-P1)# bandwidth guaranteed percent 10
```

Create the scheduling group on the parent interface:

switch(config)# qos scheduling
switch(config-qos-scheduling)# interface et1
switch(config-qos-scheduling-intf-Ethernet1)# scheduling group G1

Assign a policy to the scheduling group:

switch(config-qos-scheduling-intf-Ethernet1-group-G1)# policy P1

Assign members to the scheduling group (members may be put all on one line or on separate lines):
```
switch(config-qos-scheduling-intf-Ethernet1-group-G1)# members et1.1 et1.2
```

Show Commands

QoS configuration on one or more scheduling groups. Both group name and parent interface name are optional, in which case all groups are displayed as shown in the example below:

Example

switch# show qos scheduling group G1 Ethernet1
Interface: Et1
Scheduling Group Name: G1
Bandwidth: 10.1 / 10.0 (Gbps)
Shape Rate: 75.2 / 75.0 (Gbps)

Member         Bandwidth        Shape Rate
                (units)           (units)
------       -------------  ------------------
Et1.1           - /  - (-)  50.1 / 50.0 (Gbps)
Et1.2           - /  - (-)  30.1 / 30.0 (Gbps)

QOS configuration on a parent interface will show scheduling groups configured on the parent interface.

Example

switch# show qos interface Ethernet1
Ethernet1:

   Trust Mode: DSCP
   Default COS: 0
   Default DSCP: 0

   Port shaping rate: disabled

Scheduling Group        Bandwidth           Shape Rate
                         (units)             (units)
----------------    ------------------  ------------------
G1                  10.1 / 10.0 (Gbps)  75.1 / 75.0 (Gbps)

The entire scheduling hierarchy for a subinterface can be displayed. This displays the shape rate for each transmit queue and then the shape rate and guaranteed bandwidth at every other level of the hierarchy.

Example

switch# show qos scheduling hierarchy Ethernet1.1
Interface     Hierarchy Level            Bandwidth             Shape Rate
                                         (units)               (units)
---------    -------------------------  ------------------     ----------------
Et1/1.100     tx queue (0)                  - /    -            100 / 100 (Mbps)
              tx queue (2)                  - /    -            200 / 200 (Mbps)
              subinterface (Et1/1.1)      100 /  100 (Mbps)     500 / 500 (Mbps)
              group (G1)                  10 /   10 (Gbps)       75 /  75 (Gbps)
              parent (Et1/1) (100 Gbps)    - /    -               - /   -  ( - )

Agile Ports

Agile Ports are a feature of the 7150S Series that allows the user to configure adjacent blocks of 4 x SFP+ interfaces as a single 40G link. The set of interfaces that can be combined to form a higher speed port is restricted by the hardware configuration. Only interfaces that pass through a common PHY component can be combined. One interface within a combinable set is designated as the primary port.

When the primary interface is configured as a higher speed port, all configuration statements are performed on that interface. All other interfaces in the set are subsumed and not individually configurable when the primary interface is configured as the higher speed port. This feature allows the 7150S-24 to behave as a 4x40G switch (using 16 SFP+) and the remaining SFP+ provide 8 x 10Gports. On the 7150S-52 this allows up to 13x 40G (all 52 ports grouped as 40G) and on the 7150S-64 Agile Ports allows the switch to be deployed with up to 16 native 40G interfaces - 4 are QSFP+ and the remaining 12 as 4xSFP+ groups.

Management Interfaces

The management interface is a Layer 3 host port that is typically connected to a PC for performing out of band switch management tasks. Each switch has one or two management interfaces. Only one port needs to manage the switch; the second port, when available, provides redundancy.

Management interfaces are 10/100/1000 BASE-T interfaces. By default, auto-negotiation is enabled on management interfaces. All combinations of speed 10/100/1000 and full or half duplex is enforceable on these interfaces through speed commands.

Management ports are enabled by default. The switch cannot route packets between management ports and network (Ethernet interface) ports because they are in separate routing domains. When the PC is multiple hops from the management port, packet exchanges through Layer 3 devices between the management port and PC may require the enabling of routing protocols.

The Ethernet management ports are accessed remotely over a common network or locally through a directly connected PC. An IP address and static route to the default gateway must be configured to access the switch through a remote connection.

Tunable SFP

Tuning of DWDM 10G SFP+ transceivers (10GBASE-DWDM) includes:

Tuning transceiver wavelength/frequency by channel number.
Showing wavelengths/frequencies for specified channels supported by the transceiver.
Showing current wavelength/frequency settings of the transceiver interface.

For information relating to tuning the transceiver wavelength/frequency by channel number, refer to the command transceiver channel. To show the current wavelength/frequency settings for specified channels, refer to the command show interfaces transceiver channels. To show the current wavelength/frequency settings of an interface, refer to the command show interfaces transceiver hardware.

MRU Enforcement

Maximum Receive Unit (MRU) enforcement provides the ability to drop frames that exceed a configured threshold on the ingress interface.

Configuring MRU Enforcement

MRU is configurable per-interface, and can be configured on Ethernet and Port-Channel interfaces. Frames with size greater than the configured MRU value drop on the ingress, and do not forward to the destined egress interface. MRU enforcement happens at the Ethernet interface and applies to both L2 and L3 traffic. Note that FCS (frame check sequence) is included in the frame size.

Ethernet Interface

switch(config)# interface ethernet 1
switch(config)# l2 mru 9000

Frames with size greater than 9000 bytes ingressing into Ethernet1 are dropped.

Port-Channel Interface

Members of a Port-Channel interface inherit the Port-Channel interface’s MRU value. Members’ MRU configured in the Ethernet interface configuration mode has no effects.

switch(config)# interface ethernet 1 - 4
switch(config-if-Et1-4)# channel-group 10 mode active
switch(config)# interface port-Channel 10
switch(config-if-Po10)#

Frames with size greater than 9000 bytes ingressing into Ethernet1, 2, 3, and 4 are dropped.

Sub-interfaces

MRU configured on an Ethernet interface or Port-Channel are applied to all of its sub-interfaces.

Default Behaviours

By default, MRU is set to the maximum value.

For DCS-7280R3 and DCS-7500R3 series
- The maximum MRU is 10240 bytes
For other supported platforms
- In TapAgg mode, the maximum MRU is 10240 bytes.
- In non TapAgg mode, the maximum MRU is 10200 bytes.

MRU Enforcement Show commands

The MRU on an interface is found in the show interface output.

switch(config)# show interface ethernet 1
Ethernet1 is up, line protocol is up (connected)
  Hardware is Ethernet, address is 444c.a8b7.1ed8 (bia 444c.a8b7.1ed8)
  Member of Port-Channel10
  Ethernet MTU 10178 bytes, Ethernet MRU 1500 bytes, BW 10000000 kbit
  Full-duplex, 10Gb/s, auto negotiation: off, uni-link: disabled.

Counter

MRU dropped packets are counted per-chip.

The Ethernet interfaces corresponding chip are found in the show platform fap mapping output.

switch(config)# show platform fap mapping interface Ethernet 1
Jericho0 (FapId: 0  BaseSystemCoreId: 0)
Port             SysPhyPort   Voq   Core  FapPort  OtmPort BaseQPair QPairs Xlge NifPort
----------------------------------------------------------------------------------------
Ethernet1        100          2608  0      2       0        0         8     8     33

Reassembly Errors use per-chip counters from the show hardware counter drop output.

switch(config)# show hardware counter drop
Type  Chip       CounterName       : Count    : First Occurrence    : Last Occurrence
-----------------------------------------------------------------------------------------
A     Jericho0   ReassemblyErrors  : 12132989 : 2020-09-22 17:05:45 : 2020-09-22 17:22:40

Ethernet Configuration Procedures

These sections describe Ethernet and Management interface configuration procedures:

Physical Interface Configuration Modes
Assigning a MAC Address to an Interface
Port Groups (QSFP+ and SFP+ Interface Selection)
Referencing Modular Ports
Referencing Multi-lane Ports
Hitless Speed Change with Dynamic Logical Ports
QSFP+ Ethernet Port Configuration
QSFP100 Ethernet Port Configuration
CFP2 Ethernet Port Configuration
Default QSFP Mode Support
MXP Ethernet Port Configuration
Port Speed Capabilities
Agile Ports
Subinterface Configuration
Maximum Latency Tail-drop Thresholds
Autonegotiated Settings
Displaying Ethernet Port Properties
Ingress Counters
Configuring Ingress Traffic-Class Counters
Ingress and Egress Per Port for IPv4 and IPv6 Counters Overview
Hardware Counter Support
Configuring Power over Ethernet (PoE)
Configuring Link Fault Signaling
Configuring Hardware TCAM
CPU Traffic Policy
TCAM Profile for Configurable Port Qualifier Sizing

Physical Interface Configuration Modes

The switch provides two configuration modes for modifying Ethernet parameters:

Interface-Ethernet mode configures parameters for specified Ethernet interfaces.
Interface-Management mode configures parameters for specified management Ethernet interfaces.

Physical interfaces cannot be created or removed.

Multiple interfaces can be simultaneously configured. Commands are available for configuring Ethernet specific, layer 2, Layer 3, and application layer parameters. Commands that modify protocol specific settings in Ethernet configuration mode are listed in the protocol chapters.

The interface ethernet command places the switch in Ethernet-interface configuration mode.
The interface management command places the switch in management configuration mode.

Examples

This command places the switch in Ethernet-interface mode for interface ethernet 5-7 and 10.
```
switch(config)# interface ethernet 5-7,10
switch(config-if-Et5-7,10)#
```
This command places the switch in management-interface mode for management interface 1.
```
switch(config)# interface management 1
switch(config-if-Ma1)#
```

Assigning a MAC Address to an Interface

Ethernet and Management interfaces are assigned a MAC address when manufactured. This address is the burn-in address. The mac-address command assigns a MAC address to the configuration mode interface in place of the burn-in address. The no mac-address command reverts the interfaces current MAC address to its burn-in address.

Examples

This command assigns the MAC address of 001c.2804.17e1 to Ethernet interface 7.
```
switch(config-if-Et7)# mac-address 001c.2804.17e1
```

This command displays the MAC address of interface ethernet 7. The active MAC address is 001c.2804.17e1. The burn-in address is 001c.7312.02e2.

switch(config-if-Et7)# show interface ethernet 7
Ethernet7 is up, line protocol is up (connected)
  Hardware is Ethernet, address is 001c.2804.17e1 (bia 001c.7312.02e2)
  Description: b.e45
switch(config-if-Et7)#

Port Groups (QSFP+ and SFP+ Interface Selection)

Several of Arista’s fixed switches limit the number of 10G data lanes in operation through the use of port groups. A port group is a set of interfaces that can be configured as four SFP+ interfaces or a single QSFP+ interface. When configured in SFP+ mode, the port group enables four standalone 10GbE interfaces using SFP+ optics. When configured in QSFP+ mode, the port group enables a single QSFP+ interface (in addition to the dedicated QSFP+ ports), which can operate as a single 40GbE port, or as four 10GbE ports with the appropriate breakout cabling.

Hardware port groups are used on the following systems:

DCS-7050Q-16
DCS-7050QX-32S

Use the hardware port-group command to select the interface mode for the specified port group.

Note: The hardware port-group command restarts the forwarding agent, which disrupts traffic on all switch ports.

Example

These commands configure the DCS-7050-Q16 switch to enable four SFP+ interfaces and one extra QSFP+ interface by enabling the SFP+ interfaces in port-group 1 and the QSFP+ interface in port-group 2.

switch(config)# hardware port-group 1 select Et17-20
switch(config)# hardware port-group 2 select Et16/1-4

The show hardware port-group command displays the status of ports in the port groups.

Example

This command displays the status of the flexible ports within the two port groups on a DCS-7050Q-16 switch.

switch# show hardware port-group

Portgroup: 1    Active Ports: Et17-20
Port            State
------------------------------------------
Ethernet17      Active
Ethernet18      Active
Ethernet19      Active
Ethernet20      Active
Ethernet15/1    ErrDisabled
Ethernet15/2    ErrDisabled
Ethernet15/3    ErrDisabled
Ethernet15/4    ErrDisabled

Portgroup: 2    Active Ports: Et16/1-4
Port            State
------------------------------------------
Ethernet16/1Active
Ethernet16/2Active
Ethernet16/3Active
Ethernet16/4Active
Ethernet21ErrDisabled
Ethernet22ErrDisabled
Ethernet23ErrDisabled
Ethernet24ErrDisabled

DCS-7280CR3-36S

The DCS-7280CR3-36S has 28 dedicated 100Gb/s QSFP ports, plus two port groups. The port groups support either two additional QSFP-DD (400Gb/s) ports or four QSFP56 (200Gb/s) ports as shown in Table 3.

Table 3. DCS-7280CR3-36S Port Groups
Port Group 1 Active Interface(s)		Port Group 2 Active Interface(s)
In QSFP-DD Mode	In QSFP56 Mode (Default)	In QSFP-DD Mode	In QSFP56 Mode (Default)
Et33/1-8 (one QSFP-DD port)	Et33/1-4,Et34/1-4 (two QSFP56 ports)	Et35/1-8 (one QSFP-DD port)	Et35/1-4,Et36/1-4 (two QSFP56 ports)

DCS-7050Q-16

The DCS-7050Q-16 has 14 dedicated QSFP+ ports, plus two port groups. The port groups support either two additional QSFP+ ports or eight SFP+ ports as shown in DCS-7050Q-16 Port Groups.

Table 4. DCS-7050Q-16 Port Groups
Port Group 1 Active Interface(s)		Port Group 2 Active Interface(s)
In SFP+ Mode	In QSFP+ Mode (Default)	In SFP+ Mode	In QSFP+ Mode (Default)
Et17-20 (four SFP+ ports)	Et15/1-4 (one QSFP+ port)	Et21-24 (four SFP+ ports)	Et16/1-4 (one QSFP+ port)

DCS-7050QX-32S

The DCS-7050QX-32S has 31 dedicated QSFP+ ports, plus one port group. The port group supports either one additional QSFP+ port or four SFP+ ports as shown in DCS-7050QX-32S Port Groups.

Table 5. DCS-7050QX-32S Port Groups
Port Group 1 Active Interface(s)
In SFP+ Mode	In QSFP+ Mode (Default)
Et1-4 (four SFP+ ports)	Et5/1-4 (one QSFP+ port)

Referencing Modular Ports

Arista modular switches provide port access through installed line cards. The maximum number of line cards on a modular switch varies with the switch series and model.

Several CLI commands modify modular parameters for all ports on a specified line card or controlled by a specified chip. This manual uses these conventions to reference modular components:

card_x refers to a line card.
module_y refers to a QSFP+ module.
port_z refers to a line card or module port.

Commands that display Ethernet port status use the following conventions:

SFP ports: card_x/port_z to label the line card-port location of modular ports.
QSFP ports: card_x/module_y/port_z to label the line card-port location of modular ports.

QSFP+ Ethernet Port Configuration describe QSFP+ module usage.

Example

This command displays the status of interfaces 1 to 9 on line card 4:

switch# show interface ethernet 4/1-9 status
Port      Name              Status       Vlan        Duplex  Speed Type
Et4/1                       connected    1             full    10G Not Present
Et4/2                       connected    1             full    10G Not Present
Et4/3                       connected    1             full    10G Not Present
Et4/4                       connected    1             full    10G Not Present
Et4/5                       connected    1             full    10G Not Present
Et4/6                       connected    1             full    10G Not Present
Et4/7                       connected    1             full    10G Not Present
Et4/8                       connected    1             full    10G Not Present
Et4/9                       connected    1             full    10G Not Present
switch>

Referencing Multi-lane Ports

EOS supports two types of Ethernet ports:

single-lane (also called fixed-lane)
multi-lane (also called flexible-lane)

Single-lane (or fixed-lane) ports are always modeled as a single interface within EOS. While the speed of the interface may be configurable, the physical port can never be broken out into multiple lower-speed interfaces. Single-lane ports use the following naming scheme:

Ethernet <port #> (for fixed switches)
Ethernet <module #>/<port #> (for modular switches)

Multi-lane (or flexible lane) ports are made up of multiple parallel lanes, each served by its own laser. Multi-lane ports can be configured to combine the lanes and operate as a single native high-speed interface (a 40GbE or 100GbE interface), or to operate each lower-speed interface independently (four 10GbE or 25GbE interfaces). Multi-lane ports use the following naming scheme:

Ethernet port #/lane # (for fixed switches)

Ethernet module #/port #/lane # (for modular switches)

The operational state displayed for each lane of a multi-lane port is determined by the configuration applied to the primary lane(s), as shown in Lane States. When broken out into multiple lower-speed interfaces, all lanes will be active in parallel, and each will display its operational state as connected or not connected. In high-speed mode, only the primary lane(s) will be displayed as active, with the remaining lanes showing as errdisabled. The exception is the CFP2 module: when it is configured as a single 100GbE port, the primary lane is displayed as active in the CLI while the other lanes are hidden.

Table 6. Lane States
Parent Port Configured Mode	Primary Lane(s)	Secondary Lanes
single high-speed interface	active (connected/not connected)	inactive (errdisabled)
multi-interface breakout	active (connected/not connected)	active (connected/not connected)

A multi-lane port is configured as a single high-speed interface or multiple breakout interfaces by using the speed command on the primary lane(s) of the port. For specific configuration instructions and details regarding the primary lane(s) of a specific interface, refer to the configuration section for the appropriate interface type:

QSFP+ Ethernet Port Configuration
QSFP100 Ethernet Port Configuration
CFP2 Ethernet Port Configuration
MXP Ethernet Port Configuration

Note: Use of the speed command to configure a multi-lane port is hitless on the 7050X, 7060X, 7250X, 7260X, 7280CR3, 7280SE, 7300X, 7320X and 7500E series platforms. On all other platforms, this command restarts the forwarding agent, which will result in traffic disruption. On 7160 series platforms, use of the speed command is hitless, but if the command changes the number of port lanes, packets may be dropped on unrelated ports.

Hitless Speed Change with Dynamic Logical Ports

Higher speed ports on several switches can be broken out into multiple interfaces that can be configured at lower speeds. Each of these interfaces is called a Logical Port (LP). Switches such as the DCS-7260CX3-64, allocate and deallocate the logical ports dynamically to optimize hardware resources. Care must be taken for hitless speed changes, therefore, as a change of speed on a Dynamic Logical Port (DLP) may impact the status of one or more related DLP(s).

Checking Status of DLPs

The following example is applicable to a switch that supports a breakout of a 100G physical port to 4x 25G DLPs.

The command displays the status of Et 45/1-4, when a 100G physical port is broken out to 4x 25G DLPs.

switch(config)# show interfaces ethernet 45/1-4 status
Port   	Name   Status   	Vlan 	Duplex Speed  Type     	Flags 
Et45/1        	notconnect   1    	full   25G	Not Present
Et45/2        	notconnect   1    	full   25G	Not Present
Et45/3        	notconnect   1    	full   25G	Not Present
Et45/4        	notconnect   1    	full   25G	Not Present

The following example displays the inactive interfaces (DLPs) when the 100G physical port is configured for the 100G speed.

switch(config)# show interfaces ethernet 45/1-4 status
Port   	Name   Status   	Vlan 	Duplex Speed  Type     	Flags
Et45/1        	notconnect	1    	full   100G   Not Present
Et45/2        	inactive  	1    	unconf unconf Not Present
Et45/3        	inactive  	1    	unconf unconf Not Present
Et45/4        	inactive  	1    	unconf unconf Not Present

By default, inactive interfaces will not be displayed by this command. To enable showing them, use the following command.

switch(config)# [no] service interface inactive expose

Only systems without DLP allocation have enough logical ports for every interface to be active simultaneously.

The following example displays the logical port pool information and current logical port allocation status for a fully loaded switch.

switch> show hardware logical-port pool status
Pool Max Free Configured Interfaces
---- --- ---- ---------- ------------------------------------------------------
   1  18    2         16 Et2/5/1-2/8/4,3/5/1-3/8/4,4/5/1-4/8/4,5/9/1-5/12/4
   2  18    2         16 Et2/1/1-2/4/4,3/9/1-3/12/4,4/1/1-4/4/4,5/5/1-5/8/4
   3  18    2         16 Et2/9/1-2/12/4,3/1/1-3/4/4,4/9/1-4/12/4,5/1/1-5/4/4
   4  18    2         16 Et2/13/1-2/16/4,3/13/1-3/16/4,4/13/1-4/16/4,5/13/1-5/16/4
   5  18    2         16 Et6/13/1-6/16/4,7/13/1-7/16/4,8/13/1-8/16/4,9/13/1-9/16/4
   6  18    2         16 Et6/1/1-6/4/4,7/9/1-7/12/4,8/1/1-8/4/4,9/9/1-9/12/4
   7  18    2         16 Et6/5/1-6/8/4,7/1/1-7/4/4,8/9/1-8/12/4,9/1/1-9/4/4
   8  18    2         16 Et6/9/1-6/12/4,7/5/1-7/8/4,8/5/1-8/8/4,9/5/1-9/8/4

The following example displays the logical port pool information and current logical port allocation status for a switch with only Linecard 3, 4, 5, and 7 inserted.

switch> show hardware logical-port pool status
Pool Max Free Configured Interfaces
---- --- ---- ---------- ------------------------------------------------------
   1  18    8         10 Et3/5/1-3/8/4,4/2/1-8,5/3/1-8
   2  18   12          6 Et3/9/1-3/12/4,4/1/1-8,5/2/1-8
   3  18    8         10 Et3/1/1-3/4/4,4/3/1-8,5/1/1-8
   4  18    7         11 Et3/13/1-3/16/4,4/4/1-8,5/4/1-8
   5  18   16          2 Et7/13/1-7/16/4
   6  18   14          4 Et7/9/1-7/12/4
   7  18   14          4 Et7/1/1-7/4/4
   8  18   12          6 Et7/5/1-7/8/4

QSFP+ Ethernet Port Configuration

Each QSFP+ module contains four data lanes which can be used individually or combined to form a single, higher-speed interface. This allows a QSFP+ Ethernet port to be configured as a single 40GbE interface or as four 10GbE interfaces.

When the four lanes are combined to form a 40GbE interface, display commands will show lane /1 as connected or not connected, and will show lanes /2 through /4 as errdisabled.

The following sections describe the configuration of QSFP+ ports.

Configuring a QSFP+ Module as a Single 40GbE Interface

To configure the port as a single 40GbE interface, combine the modules four data lanes by using the speed command (speed forced 40g full) on the ports /1 lane (the primary lane).

Note: Use of the speed command to configure a multi-lane port is hitless on the 7050X, 7060X, 7250X, 7260X, 7280SE, 7300X, 7320X and 7500E series platforms. On all other platforms, this command restarts the forwarding agent, which will result in traffic disruption. On 7160 series platforms, use of the speed command is hitless, but if the command changes the number of port lanes, packets may be dropped on unrelated ports.

Enter interface Ethernet configuration mode for lane /1 of the QSFP+ Ethernet interface.
```
switch(config)# interface ethernet 5/1/1
```
Enter the speed 40gfull command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 40gfull
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/1/1)# show interfaces status
Port Name Status Vlan Duplex Speed Type Flags
Et1 connected 2 full 1G 10GBASE-T
    <-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1 connected 1 full 40G 40GBASE-SR4
Et5/1/2 errdisabled 1 unconf unconf 40GBASE-SR4
Et5/1/3 errdisabled 1 unconf unconf 40GBASE-SR4
Et5/1/4 errdisabled 1 unconf unconf 40GBASE-SR4
     <-------OUTPUT OMITTED FROM EXAMPLE-------->

Configuring a QSFP+ Module as Four 10GbE Interfaces

To configure the port as four 10GbE interfaces, use the speed command (speed 10000full) on the ports /1 lane (the primary lane).

Enter interface Ethernet configuration mode for lane /1 of the QSFP+ Ethernet interface.
```
switch(config)# interface ethernet 5/1/1
```
Enter the speed 10000full command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 10000full
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/1/1)# show interfaces status  
PortNameStatusVlanDuplexSpeedTypeFlags 
Et1connected2full1G10GBASE-T 
Et5/1/1connected1full10G40GBASE-SR4 
Et5/1/2connected1full10G40GBASE-SR4 
Et5/1/3connected1full10G40GBASE-SR4 
Et5/1/4connected1full10G40GBASE-SR4

QSFP100 Ethernet Port Configuration

Each QSFP100 module contains four data lanes which can be used individually or combined to form a single, higher-speed interface. This allows a QSFP100 Ethernet port to be configured as a single 100GbE interface, a single 40GbE interface, or four 10GbE interfaces. The default mode is a single 100GbE interface.

The 7060X, 7260X and 7320X platforms also allow a QSFP100 port to be configured as two 50GbE interfaces or four 25GbE interfaces.

When the lanes are combined to form a higher-speed interface, display commands show the primary lane(s) as connected or not connected, and shows the other lanes as errdisabled.

The following sections describe the configuration of QSFP+ ports.

Configuring a QSFP100 Module as a Single 100GbE Interface

By default, the QSFP100 module operates as a single 100GbE interface; using the default speed or no speed command on the primary lane restores the default behavior.

To explicitly configure the port as a single 100GbE interface, combine the modules four data lanes by using the speed command (speed 100gfull) on the ports /1 lane (the primary lane).

Enter interface Ethernet configuration mode for lane /1 of the QSFP100 Ethernet interface.
```
switch(config)# interface ethernet 5/1/1
```
Enter the speed 100gfull command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 100gfull
```

Use the show interfaces status command to confirm the change in configuration.


switch(config-if-Et5/1/1)# show interfaces status
Port    Name     Status    Vlan    Duplex     Speed    Type    Flags 
Et1              connected    2     full      1G     10GBASE-T 
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1          connected    1     full      100G   100GBASE-SR4 
Et5/1/2          errdisabled  1    unconf    unconf  100GBASE-SR4 
Et5/1/3          errdisabled  1    unconf    unconf  100GBASE-SR4 
Et5/1/4          errdisabled  1    unconf     unconf 100GBASE-SR4
<-------OUTPUT OMITTED FROM EXAMPLE-------->

Configuring a QSFP100 Module as Two 50GbE Interfaces

To configure the port as a two 50GbE interfaces, configure the modules four data lanes by using the speed command (speed 50gfull) on the ports /1 and /3 lanes. This configuration is available on 7060X, 7260X and 7320X platforms.

Note:

Use of the speed command to configure a multi-lane port is hitless on the 7050X, 7060X, 7250X, 7260X, 7280CR3, s7280SE, 7300X, 7320X and 7500E series platforms. On all other platforms, this command restarts the forwarding agent, which will result in traffic disruption. On 7160 series platforms, use of the speed command is hitless, but if the command changes the number of port lanes, packets may be dropped on unrelated ports.

Enter interface Ethernet configuration mode for lane /1 of the QSFP100 Ethernet interface.
```
switch(config)# interface ethernet 5/1/1
```
Enter the speed 50gfullcommand. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 50gfull
```

Repeat the above steps for lane /3.

switch(config-if-Et5/1/1)#interface ethernet 5/1/3
switch(config-if-Et5/1/3)#speed 50gfull

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/1/1)# show interfaces status 
Port       Name     Status      Vlan      Duplex    Speed    Type      Flags
Et1                connected     2          full     1G     10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1            connected     1          full     50G    100GBASE-SR4
Et5/1/2            errdisabled   1          unconf  unconf  100GBASE-SR4
Et5/1/3            connected     1          full     50G    100GBASE-SR4
Et5/1/4            errdisabled   1          unconf  unconf  100GBASE-SR4
<-------OUTPUT OMITTED FROM EXAMPLE-------->

Configuring a QSFP100 Module as a Single 40GbE Interface

To configure the port as a single 40GbE interface, combine the modules four data lanes by using the speed command (speed 40gfull) on the ports /1 lane (the primary lane).

Note:

Use of the speed command to configure a multi-lane port is hitless on the 7050X, 7060X, 7250X, 7260X, 7280CR3, 7280SE, 7300X, 7320X and 7500E series platforms. On all other platforms, this command restarts the forwarding agent, which will result in traffic disruption. On 7160 series platforms, use of the speed command is hitless, but if the command changes the number of port lanes, packets may be dropped on unrelated ports.

Enter interface Ethernet configuration mode for lane /1 of the QSFP100 Ethernet interface.
```
switch(config)# interface ethernet 5/1/1 
```
Enter the speed 40gfull command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 40gfull 
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/1/1)# show interfaces status
Port     Name     Status      Vlan     Duplex    Speed     Type     Flags
Et1               connected     2       full       1G     10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1           connected     1       full       40G    100GBASE-SR4
Et5/1/2           errdisabled   1       unconf    unconf  100GBASE-SR4
Et5/1/3           errdisabled   1       unconf    unconf  100GBASE-SR4
Et5/1/4           errdisabled   1       unconf    unconf  100GBASE-SR4
<-------OUTPUT OMITTED FROM EXAMPLE-------->

Configuring a QSFP100 Module as Four 10GbE Interfaces

To configure the port as four 10GbE interfaces, use the speed command (speed 10000full) on the ports /1 lane (the primary lane).

Enter interface Ethernet configuration mode for lane /1 of the QSFP100 Ethernet interface.
```
switch(config)# interface ethernet 5/1/1 
```
Enter the speed 10000full command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 10000full 
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/1/1)# show interfaces status 
Port       Name       Status      Vlan     Duplex    Speed      Type         Flags
Et1                   connected    2        full        1G    10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1               connected    1        full        10G   100GBASE-SR4
Et5/1/2               connected    1        full        10G   100GBASE-SR4
Et5/1/3               connected    1        full        10G   100GBASE-SR4
Et5/1/4               connected    1        full        10G   100GBASE-SR4
<-------OUTPUT OMITTED FROM EXAMPLE-------->

CFP2 Ethernet Port Configuration

Each CFP2 module contains ten data lanes. The configuration options available on the port depend on the optic inserted:

CFP2-100G-LR4 optics operate only in 100GbE mode.
CF2-100G-ER4 optics operate only 100GbE mode.
CFP2-100G-XSR10 optics can be configured as a single 100GbE interface or as ten 10GbE interfaces.

When the port is configured as ten 10GbE interface, each lane is active and visible in CLI display commands. When the lanes are combined to form a single 100GbE interface, display commands will show the primary lane as connected or not connected; all other lanes will be hidden.

The following sections describe the configuration of CFP2 ports.

Configuring a CFP2 Module a as a Single100GbE Interface

To configure the port as a single 100GbE interface (the default configuration), combine the modules ten data lanes by using the speed command (speed 100gfull) on the ports /1 lane (the primary lane).

This configuration is available for all pluggable optics.

Enter interface Ethernet configuration mode for lane /1 of the CFP2 Ethernet interface.
```
switch(config)# interface ethernet 5/1/1 
```
Enter the speed 100gfull command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 100gfull
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/1/1)# show interfaces status 
Port      Name      Status     Vlan     Duplex    Speed     Type      Flags
Et1                 connected    2       full       1G     10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1             connected    1       full      100G    100GBASE-SR1
Et5/2/1             connected    1       full      100G    100GBASE-SR1
<-------OUTPUT OMITTED FROM EXAMPLE-------->

Configuring a CFP2 Module as Ten 10GbE Interfaces

To configure the port as four 10GbE interfaces, use the speed command (speed 10000full) on the ports /1 lane (the primary lane).

This configuration is available only for CFP2-100G-XSR10 optics.

Enter interface Ethernet configuration mode for lane /1 of the CFP2 Ethernet interface.
```
switch(config)# interface ethernet 5/1/1
```
Enter the speed 10000full command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/1/1)# speed 10000full 
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/1/1)# show interfaces status
Port     Name    Status     Vlan Duplex   Speed   Type       Flags
Et1             connected    2    full      1G   10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1         connected    1    full      10G  100GBASE-SR1
Et5/1/2         connected    1    full      10G  100GBASE-SR1
Et5/1/3         connected    1    full      10G  100GBASE-SR1
Et5/1/4         connected    1    full      10G  100GBASE-SR1
Et5/1/5         connected    1    full      10G  100GBASE-SR1
Et5/1/6         connected    1    full      10G  100GBASE-SR1
Et5/1/7         connected    1    full      10G  100GBASE-SR1
Et5/1/8         connected    1    full      10G  100GBASE-SR1
Et5/1/9         connected    1    full      10G  100GBASE-SR1
Et5/1/10        connected    1    full      10G  100GBASE-SR1
<-------OUTPUT OMITTED FROM EXAMPLE-------->

Default QSFP Mode Support

QSFP+ transceiver supports 40G and 4x10G. This feature provides support for changing the default QSFP mode between 40G and 4x10G on all ports with QSFP+ transceivers.

Configuration

On all front panel ports which support this feature, the following global configuration command changes their default QSFP mode from 40G to 4x10G,

transceiver qsfp default-mode 4x10G

The no or default version of the command reverts the default QSFP mode back to 40G.

Note: This configuration command is not honored on ports that do not support this feature (such as QSFP100 ports with external PHY always choose 40G as the default QSFP mode).

Show Commands

There is no explicit show command to display the default QSFP mode. Use the show running-config command to determine whether the default QSFP mode is 4x10G or 40G. Use the show interfaces hardware command to check the default QSFP mode on the given ports.

When default QSFP mode is configured as 4x10G, the output of show running-config contains transceiver qsfp default-mode 4x10G. In the output of the show interfaces hardware command, 10G is shown as the default speed.

switch(config)# transceiver qsfp default-mode 4x10G
switch(config)# show running-config | grep 4x10G
transceiver qsfp default-mode 4x10G
switch(config)# show interfaces ethernet 35/1 hardware
*  = Requires speed group setting change
Ethernet35/1
  Model:          DCS-7280CR3-32P4
  Type:           40GBASE-CR4
  Speed/Duplex:   10G/full(default),40G/full,auto
  Flowcontrol:    rx-(off,on,desired),tx-(off)

When default QSFP mode configuration is reverted the default, the output of show running-config command does not contain transceiver qsfp default-mode 4x10G. In the output of show interfaces hardware command, 40G is shown as the default speed.

switch(config)# no transceiver qsfp default-mode
switch(config)# show running-config | grep 4x10G
switch(config)# show interfaces ethernet 35/1 hardware
*  = Requires speed group setting change
Ethernet35/1
  Model:          DCS-7280CR3-32P4
  Type:           40GBASE-CR4
  Speed/Duplex:   10G/full,40G/full(default),auto
  Flowcontrol:    rx-(off,on,desired),tx-(off)

Limitations

There is support for the no transceiver qsfp default-mode 4x10G command on the DCS-7300X Series, but the default QSFP mode still remains as 4x10G.

MXP Ethernet Port Configuration

Each MXP module contains twelve data lanes which can be used individually or combined to form one or more higher-speed interfaces. This allows an MXP Ethernet port to be configured as a single 100GbE interface, up to twelve 10GbE interfaces, or a mixture of 40GbE and 10GbE ports.

MXP ports do not use pluggable optics: instead, an MTP-24 ribbon is inserted directly into the port. The remote end of the MTP 24 ribbon must then be broken out using a splitter cable or cartridge based on the operational mode and speed of the MXP port.

When four lanes of an MXP interface are combined to form a 40GbE port, CLI commands show the primary lane of that group as connected or not connected and the other three lanes as errdisabled.

The following sections describe the configuration of MXP interfaces.

Configuring an MXP Module as a Single 100GbE Interface

To configure the port as a single 100GbE interface (the default configuration), enter the speed command (speed 100gfull) on the ports /1 lane (the primary lane). This combines lanes 1-10 and disables lanes 11 and 12.

Under this configuration, CLI display commands will show lane /1 as connected or not connected, and show lanes /2-/12 as errdisabled.

Enter interface Ethernet configuration mode for lane /1 of the MXP Ethernet interface.
```
switch(config)# interface ethernet 5/49/1
```
Enter the speed 100gfull command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/49/1)# speed 100gfull
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/49/1)# show interfaces status 
Port          Name        Status        Vlan        Duplex     Speed      Type          Flags
Et1                       connected      2           full        1G      10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/49/1                  connected      1           full       100G     100GBASE-SR1
Et5/49/2                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/3                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/4                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/5                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/6                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/7                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/8                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/9                  errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/10                 errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/11                 errdisabled    1           unconf     unconf   100GBASE-SR1
Et5/49/12                 errdisabled    1           unconf     unconf   100GBASE-SR1

Configuring an MXP Module With 40GbE Interfaces

Each set of four lanes on the MXP module is independently configurable as a single 40GbE interface or four 10GbE interfaces. To configure four lanes as a single 40GbE interface, enter the speed command (speed forced 40gfull) on the groups primary lane (/1, /5, or /9). To revert a group of four lanes to functioning as four independent 10GbE interfaces, enter the speed 10000full command on the primary lane of the group.

When four lanes of an MXP interface are combined to form a 40GbE port, CLI commands will show the primary lane of that group as connected or not connected and the other three lanes as errdisabled. In groups of four lanes which are configured as four independent 10GbE interfaces, each lane will be displayed in the CLI as connected or not connected.

Note that a speed forced 100gfull command entered on the /1 lane takes precedence over speed 40gfull commands on the /5 and /9 lanes.

The example below shows the steps for configuring an MXP module as three 40GbE interfaces.

Enter interface Ethernet configuration mode for lane /1 of the MXP Ethernet interface.
```
switch(config)# interface ethernet 5/49/1
```
Enter the speed 40gfull command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/49/1)# speed 40gfull
```

Repeat the above steps for lanes /5 and /9.

switch(config-if-Et5/49/1)# interface ethernet 5/49/5 
switch(config-if-Et5/49/5)# speed 40gfull
switch(config-if-Et5/49/5)# interface ethernet 5/49/9
switch(config-if-Et5/49/9)# speed 40gfull

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/49/9)# show interfaces status 
Port Name Status Vlan Duplex Speed Type Flags
Et1          connected       2     full      1G      10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/49/1     connected       1     full     40G      100GBASE-SR1
Et5/49/2     errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/3     errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/4     errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/5     connected       1     full     40G      100GBASE-SR1
Et5/49/6     errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/7     errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/8     errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/9     connected       1     full     40G      100GBASE-SR1
Et5/49/10    errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/11    errdisabled     1     unconf   unconf   100GBASE-SR1
Et5/49/12    errdisabled     1     unconf   unconf   100GBASE-SR1

Configuring an MXP Module as Twelve 10GbE Interfaces

Each lane of an MXP port functions as a 10GbE interface when it is not included in a higher-speed interface configuration (either actively or as an errdisabled port).

To explicitly configure the port as twelve 10GbE interfaces, use the speed command (speed 10000full) on all twelve lanes of the port.

When each lane is configured as an independent 10GbE interface, CLI display commands show each lane as connected or not connected.

Enter interface Ethernet configuration mode for all twelve lanes of the MXP Ethernet interface.
```
switch(config)# interface ethernet 5/49/1-12
```
Enter the speed 10000full command. Depending on the platform, this command may restart the forwarding agent, disrupting traffic on all ports for 60 seconds or more.
```
switch(config-if-Et5/49/1-12)# speed 10000full
```

Use the show interfaces status command to confirm the change in configuration.

switch(config-if-Et5/49/1-12)# show interfaces status 
Port       Name      Status      Vlan      Duplex       Speed      Type       Flags
Et1                 connected      2        full          1G      10GBASE-T
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et5/1/1             connected      1        full          10G     100GBASE-SR1
Et5/1/2             connected      1        full          10G     100GBASE-SR1
Et5/1/3             connected      1        full          10G     100GBASE-SR1
Et5/1/4             connected      1        full          10G     100GBASE-SR1
Et5/1/5             connected      1        full          10G     100GBASE-SR1
Et5/1/6             connected      1        full          10G     100GBASE-SR1
Et5/1/7             connected      1        full          10G     100GBASE-SR1
Et5/1/8             connected      1        full          10G     100GBASE-SR1
Et5/1/9             connected      1        full          10G     100GBASE-SR1
Et5/1/10            connected      1        full          10G     100GBASE-SR1
<-------OUTPUT OMITTED FROM EXAMPLE-------->

Port Speed Capabilities

The supported speeds supported on each Arista platform per interface type are described in Supported Speeds (GbE).

Table 7. Supported Speeds (GbE)
Platform	SFP+	SFP28	QSFP+	QSFP100	MXP	CFP2
7050	100M, 1, 10	N/A	1, 10, 40	N/A	N/A	N/A
7050X	100M, 1, 10	N/A	1, 10, 40	N/A	10, 40	N/A
7050X2	100M, 1, 10	N/A	1, 10, 40	N/A	N/A	N/A
7050X3	100M, 1, 10	1, 10, 25	N/A	10, 25, 40, 50, 100	N/A	N/A
7250X	N/A	N/A	1, 10, 40	N/A	N/A	N/A
7060X	100M, 1, 10	N/A	N/A	10, 25, 40, 50, 100	N/A	N/A
7060X2	100M, 1, 10	1, 10, 25	N/A	10, 25, 40, 50, 100	N/A	N/A
7260X3	100M, 1, 10	N/A	N/A	10, 25, 40, 50, 100	N/A	N/A
7300X	100M, 1, 10	N/A	1, 10, 40	N/A	N/A	N/A
7300X3	N/A	1, 10, 25	N/A	10, 25, 40, 50, 100	N/A	N/A
7320X	N/A	N/A	N/A	10, 25, 40, 50, 100	N/A	N/A
7150S	1, 10	N/A	1, 10, 40	N/A	N/A	N/A
7048T	1, 10	N/A	N/A	N/A	N/A	N/A
7500	1, 10	N/A	1, 10, 40	N/A	N/A	N/A
7500E	1, 10	N/A	1, 10, 40	10, 40, 100	10, 40, 100	100
7500R	1, 10	1, 10, 25	1, 10, 40	10, 25, 40, 50, 100	N/A	N/A
7280SE	1, 10	N/A	1, 10, 40	10, 40, 100	10, 40, 100	N/A
7280QR	N/A	N/A	1, 10, 40	10, 25, 40, 50, 100	N/A	N/A
7280SR (R2)	1, 10	1, 10, 25	N/A	10, 25, 40, 50, 100	N/A	100, 200
7280CR	N/A	N/A	N/A	10, 25, 40, 50, 100	N/A	N/A
7010T	100M, 1, 10	N/A	N/A	N/A	N/A	N/A

Agile Ports

An agile port is an interface that can function as a 10G port or can subsume a predefined set of 10G interfaces to form an interface with higher speed capabilities.

The set of interfaces that can be combined to form a higher speed port is restricted by the hardware configuration. Only interfaces that pass through a common PHY component can be combined. One interface within a combinable set is designated as the primary port.

To view the set of available agile ports and the subsumable interfaces that comprise them, enter show platform fm6000 agileport map.
To configure the primary port as a higher speed port, enter speed 40gfull or speed auto 40gfull.
To revert the primary port and its subsumed ports to 10G interfaces, enter no speed.

Subinterface Configuration

For a subinterface to be operational on an Ethernet or port channel interface, the parent interface must be configured as a routed port and be administratively up, and a VLAN must be configured on the subinterface. If the parent interface goes down, all subinterfaces automatically go down as well, but will come back up with the same configuration once the parent interface is up.

Note that a port channel should not contain Ethernet interfaces with subinterfaces configured on them, and that subinterfaces cannot be members of a port channel.

Subinterfaces are named by adding a period followed by a unique subinterface number to the name of the parent interface. Note that the subinterface number has no relation to the ID of the VLAN corresponding to the subinterface.

Subinterfaces are available on the following platforms:

DCS-7050X
DCS-7060X
DCS-7250X
DCS-7260X
DCS-7280E
DCS-7300X
DCS-7320X
DCS-7500E

Creating a Subinterface

To create a subinterface on an Ethernet or port channel interface:

Bring up the parent interface and ensure that it is configured as a routed port.

switch(config)# interface Ethernet1/1
switch(config-if-Et1/1)# no switchport 
switch(config-if-Et1/1)# no shutdown

Configure a VLAN on the subinterface. The encapsulation dot1q vlan command is also used for VLAN translation, but in this context it associates a VLAN with the subinterface.
```
switch(config-if-Et1/1)# interface Ethernet1/1.1
switch(config-if-Et1/1.1)# encapsulation dot1q vlan 100
```

Configure an IP address on the subinterface (optional) and ensure that it is up.

switch(config-if-Et1/1)# ip address 10.0.0.1/24
switch(config-if-Et1/1)# no shutdown 
switch(config-if-Et1/1)#

Creating a Range of Subinterfaces

A range of subinterfaces can also be configured simultaneously. The following example configures subinterfaces 1 to 100 on Ethernet interface 1/1, and assigns VLANs 501 through 600 to them. Note that the range of interfaces must be the same size as the range of VLAN IDs.

Example

switch(config)# interface eth1/1.1-100
switch(config-if-Et1/1.1-100)# no shutdown
switch(config-if-Et1/1.1-100)# encapsulation dot1q vlan {501,600}
switch(config-if-Et1/1.1-100)# exit
switch(config)#

Parent Interface Configuration

For subinterfaces to function, the parent interface must be administratively up and configured as a routed port.

Some settings are inherited by subinterfaces from the parent interface. These include QoS (trust mode and default DSCP) and MTU.

Additionally, on the DCS-7050X, DCS-7250X, and DCS-7300X platforms, the parent interface may be configured with an IP address. In this case, untagged packets are treated as incoming traffic on the parent interface

Configuring Routing Features on a Subinterface

Once a subinterface is created, the following features can be configured on it:

Unicast and multicast routing
BGP, OSPF, ISIS, PIM
VRF
VRRP
SNMP
Inheritance of QoS (trust mode and default DSCP) and MTU settings from the parent interface

Additionally, these features can be configured on subinterfaces on Arad (DCS-7500E and DCS-7280E) platforms:

Subinterface counters on ingress
VXLAN
MPLS
GRE
PBR
QoS

Displaying Subinterface Information

Subinterface information is displayed using the same show commands as for other interfaces.

Examples

This command displays summary information for all IP interfaces on the switch, including subinterfaces.

switch# show ip interfaces brief
 Interface           IP Address     Status    Protocol     MTU
 Ethernet1/1         10.1.1.1/24up      up        1500  
 Ethernet1/1.1       10.0.0.1/24up      up        1500
 Ethernet1/2         unassigned         up          up     1500

This command displays information for subinterface Ethernet 1/1.1.

switch# show interface ethernet 1/1.1
Ethernet1/1.1 is down, line protocol is lowerlayerdown (notconnect)
  Hardware is Subinterface, address is 001c.735d.65dc
  Internet address is 10.0.0.1/24
  Broadcast address is 255.255.255.255
  Address determined by manual configuration
  IP MTU 1500 bytes , BW 10000000 kbit
  Down 59 seconds
switch>

This command displays status information for all subinterfaces configured on the switch.

switch# show interfaces status sub-interfaces
Port       Name    Status       Vlan     Duplex       Speed       Type                Flags
Et1.1              connect      101        full       10G         dot1q-encapsulation
Et1.2              connect      102        full       10G         dot1q-encapsulation
Et1.3              connect      103        full       10G         dot1q-encapsulation
Et1.4              connect      103        full       10G         dot1q-encapsulation

Maximum Latency Tail-drop Thresholds

The maximum latency for Tail-drop thresholds can be configured in interface configuration mode or in the QoS profile. QoS profile configuration mode is a group change mode.

Example

These commands configure the maximum latency value for VOQ tail-drop threshold on transmit queue 3 on interface Ethernet1. The latency value can be specified to a maximum of 50 ms. Both milliseconds and microseconds may be used.

switch(config)# interface Ethernet1
switch(config-if-Et1)# tx-queue 3
switch(config-if-Et1-txq-3)# latency maximum <1-50000> microseconds
switch(config-if-Et1-txq-3)# latency maximum <1-50> milliseconds
switch(config)#

Autonegotiated Settings

In autonegotiation, the transmission speed, duplex setting, and flow control parameters used for Ethernet-based communication can be automatically negotiated between connected devices to establish optimized common settings.

Speed and Duplex

The speed command affects the transmission speed and duplex setting for the configuration mode interface. When a speed command is in effect on an interface, autonegotiation of speed and duplex settings is disabled for the interface; to enable autonegotiation, use the speed auto command.

The scope and effect of the speed command depends on the interface type; see Ethernet Interfaces and Ethernet Configuration Procedures for detailed information on the speed settings for different interfaces.

Flow Control

Flow control is a data transmission option that temporarily stops a device from sending data because of a peer data overflow condition. If a device sends data faster than the receiver can accept it, the receiver's buffer can overflow. The receiving device then sends a PAUSE frame, instructing the sending device to halt transmission for a specified period.

Flow control commands configure administrative settings for flow control packets.

The flowcontrol receive command configures the port's ability to receive flow control pause frames.
- off: port does not process pause frames that it receives.
- on: port processes pause frames that it receives.
- desired: port autonegotiates; processes pause frames if peer is set to send or desired.
The flowcontrol send command configures the port's ability to transmit flow control pause frames.
- off: port does not send pause frames.
- on: port sends pause frames.
- desired: port autonegotiates; sends pause frames if peer is set to receive or desired.

Desired is not an available parameter option. Ethernet data ports cannot be set to desired. Management ports are set to desired by default and with the no flowcontrol receive command.

The port linking process includes flow control negotiation. Ports must have compatible flow control settings to create a link. Compatible Settings for Flow Control Negotiation lists the compatible flow control settings.

Table 8. Compatible Settings for Flow Control Negotiation
local port	peer port
receive on	send on or send desired
receive off	send off or send desired
receive desired	send on , send off, or send desired
send on	receive on or receive desired
send off	receive off or receive desired
send desired	receive on , receive off, or receive desired

Example

These commands set the flow control receive and send to on on interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# flowcontrol receive on
switch(config-if-Et5)# flowcontrol send on
switch(config-if-Et5)#

Displaying Ethernet Port Properties

Show commands are available to display various Ethernet configuration and operational status on each interface. Ethernet settings that are viewable include:

Port Type
PHY Status
Negotiated Settings
Flow Control
Capabilities

Port Type

The port type is viewable from the output of show interfaces status, show interfaces hardware, and show interfaces transceiver properties commands.

Examples

This show interfaces status command displays the status of Ethernet interfaces 1-5.

switch# show interfaces status
Port      Name              Status       Vlan        Duplex  Speed Type
Et1                         connected    1             full    10G 10GBASE-SRL
Et2                         connected    1             full    10G 10GBASE-SRL
Et3                         connected    1             full    10G 10GBASE-SRL
Et4                         connected    1             full    10G 10GBASE-SRL
Et5                         notconnect   1             full    10G Not Present
switch>

This show interfaces hardware command displays the speed, duplex, and flow control capabilities of Ethernet interfaces 2 and 18.

switch# show interfaces ethernet 2,18 hardware
Ethernet2
  Model:        DCS-7150S-64-CL
  Type:         10GBASE-CR
  Speed/Duplex: 10G/full,40G/full,auto
  Flowcontrol:  rx-(off,on,desired),tx-(off,on,desired)
Ethernet18
  Model:        DCS-7150S-64-CL
  Type:         10GBASE-SR
  Speed/Duplex: 10G/full
  Flowcontrol:  rx-(off,on),tx-(off,on)
switch>

This command displays the media type, speed, and duplex properties for Ethernet interfaces 1.

switch# show interfaces ethernet 1 transceiver properties
Name : Et1
Administrative Speed: 10G
Administrative Duplex: full
Operational Speed: 10G (forced)
Operational Duplex: full (forced)
Media Type: 10GBASE-SRL

PHY

PHY information for each Ethernet interface is viewed by entering the show interfaces phy command.

Example

This command summarizes PHY information for Ethernet interfaces 1-3.

switch#show interfaces ethernet 1-3 phy
Key:
   U    = Link up
   D    = Link down
   R    = RX Fault
   T    = TX Fault
   B    = High BER
   L    = No Block Lock
   A    = No XAUI Lane Alignment
   0123 = No XAUI lane sync in lane N

                                  State    Reset
Port           PHY state        Changes    Count PMA/PMD PCS   XAUI
-------------- --------------- -------- -------- ------- ----- --------
Ethernet1      linkUp             14518     1750 U..     U.... U.......
Ethernet2      linkUp             13944     1704 U..     U.... U.......
Ethernet3detectingXcvr          3        1               D..A0123
switch>

Negotiated Settings

Speed, duplex, and flow control settings are displayed through the show interfaces hardware, PHY information for each Ethernet interface is viewed by entering the show interfaces hardware, show interfaces flow-control, and show interfaces status commands.

Examples

This command displays speed/duplex and flow control settings for Ethernet interface 1.

switch#show interfaces ethernet 1 hardware
Ethernet1
  Model:        DCS-7150S-64-CL
  Type:         10GBASE-SR
  Speed/Duplex: 10G/full
  Flowcontrol:  rx-(off,on),tx-(off,on)
switch>

This command shows the flow control settings for Ethernet interfaces 1-2.

switch#show flow-control interface ethernet 1-2
Port       Send FlowControl  Receive FlowControl  RxPause       TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------------- -------------
Et1        off      off      off      off         0             0
Et2        off      off      off      off         0             0
switch>

This command displays the speed type and duplex settings for management interfaces 1-2.

switch#show interfaces management 1-2 status
Port      Name              Status       Vlan        Duplex  Speed Type
Ma1                         connected    routed      a-full a-100M 10/100/1000
Ma2                         connected    routed      a-full   a-1G 10/100/1000
switch>

Ingress Counters

The Ingress counters enables the switch to count the ingress traffic on the Layer 3 ports of the switch.

Any ingress traffic on Layer 3 sub-interfaces and VLAN interface with IPv4 and IPv6 addresses are accounted irrespective of the routing decision. The VLAN counters are supported on DCS- 7050x, DCS-7250x, and DCS-7300x series switches and not supported on any routed ports.

Configuring Ingress Counters

The hardware counter feature in command enables the switch to count the ingress traffic on the Layer 3 port of the switch. Any traffic on Layer 3 sub-interfaces and VLAN interface with IPv4 and IPv6 addresses are accounted irrespective of the routing decision.

Examples

This command configures the ingress traffic count on the sub-interfaces. The no form of the command disables the counter configuration from the switch ports.
```
switch# hardware counter feature subinterface in
```
This command configures the ingress traffic count on the VLAN interface. The no form of the command disables the counter configuration from the VLAN configured switch ports.
```
switch# hardware counter feature vlan-interface in
```

Displaying the Ingress Counter Information

The show interface counters command displays the Layer 3 ingress traffic count information. Run this command to view the traffic counts on a sub-interface or VLAN interface of the switch. The clear counters command resets the counters to 0.

Example

This command displays the ingress traffic count on a VLAN interface vl12.

switch# show interface vl12 counters incoming
L3 Interface InOctets InUcastPkts InMcastPkts
Vl12           3136          47           2

Configuring Ingress Traffic-Class Counters

Ingress traffic class counter support is enabled in order to display per traffic-class counters on ingress interfaces, and supported on routed-ports and subinterfaces. Both packet and octet counts are displayed.

Examples

This command enables traffic-class counter support.

switch(config)# hardware counter feature traffic-class in

This command enables TCAM profile tc-counters if this profile is configured.
```
switch(config)# hardware tcam profile tc-counters
```

Hardware Counter Support

Hardware counter support allows enabling counters for features using programmable hardware counter resources.

Hardware counter support can be used to count the following feature specific counters:

Ingress VLAN-interface counters count the packets/octets ingressing through a VLAN interface.
Egress VLAN-interface counters count the packets/octets egressing a VLAN interface.
Ingress subinterface counters count the packets/octets ingressing through a subinterface.
Egress subinterface counters count the packets/octets egressing a subinterface.
VXLAN VNI counters count the packets/octets encapsulated/decapsulated per VNI.
VXLAN VTEP counters count the packets/octets encapsulated/decapsulated per VTEP.
Route counter for IPv4/IPv6 routes count the packets/octets routed using the route entry.
Ingress GRE Tunnel Interface counters count the packets/octets ingressing through the GRE Tunnel Interface.
Egress GRE Tunnel Interface counters count the packets/octets egressing through the GRE Tunnel Interface.

Hardware Counter Support Configuration

You can enable the Hardware Counter feature on a per-feature basis using the hardware counter feature command. The no hardware counter feature disables the feature. Multiple ingress and egress hardware counter features can work concurrently.

Note: Enabling the hardware counter features may impact the transit traffic.

Ingress VLAN Interface Counters

The hardware counter feature vlan-interface in command enables the counting of ingress VLAN interface counters. When configured, the switch counts the number of unicast packets, multicast packets, and total octets ingressing through the VLAN interface for every VLAN interface configured in the system.

Example

switch# [no]hardware counter feature vlan-interface in

Egress VLAN Interface Counters

Thehardware counter feature vlan-interface out command enables the counting of egress VLAN interface counters. When configured, the switch counts the number of unicast packets, multicast packets, and total octets egressing the VLAN interface for every VLAN interface configured in the system.

Example

switch# [no]hardware counter feature vlan-interface out

Ingress SubInterface Counters

The hardware counter feature subinterface in command enables the counting of ingress subinterface counters. When configured, the switch counts the number of unicast packets, multicast packets, and total octets ingressing through the subinterface for every L3 subinterface configured in the system.

Example

switch# [no]hardware counter feature subinterface in

Egress SubInterface Counters

The hardware counter feature subinterface out command enables the counting of egress subinterface counters. When configured, the switch counts the number of unicast packets, multicast packets, and total octets egressing the subinterface for every L3 subinterface configured in the system.

Example

switch# [no]hardware counter feature subinterface out

VXLAN VNI Encapsulation Counters

The hardware counter feature vni encap command enables the counting of per VNI encap counters. When enabled, the switch counts the number of packets and bytes egressing a VNI through VTI, encap BUM packets, and the number of encap packets dropped due to any reason.

Example

switch(config)# [no]hardware counter feature vni encap

VXLAN VNI Decapsulation Counters

The hardware counter feature vni decap command enables the per VNI decap counters. When enabled, the switch counts the number of packets/octets received from VTEP and decapsulated for each VNI.

Example

switch(config)# [no]hardware counter feature vni decap

Route Counters

The hardware counter feature route command configures the route counters for the specified IP version and ip-address/ip-prefix. When enabled, the switch counts the number of packets/bytes hitting a route. The VRF name is optional and default VRF is assumed if no VRF is specified.

Example

switch(config)# [no]hardware counter feature route[ipv4|ipv6]vrf <name>][ip-address|ip-address-prefix]

GRE Tunnel Interface Encapsulation Counters

The hardware counter feature gre tunnel interface out command enables GRE Tunnel Interface encap counters. When enabled, the switch counts the number of unicast GRE packets and total octets getting encapsulated on the Tunnel Interface.

Example

switch(config)# [no]hardware counter feature gre tunnel interface out

GRE Tunnel Interface Decapsulation Counters

The hardware counter feature gre tunnel interface in command enables GRE Tunnel Interface decap counters. When enabled, the switch counts the number of unicast GRE packets and total octets getting decapsulated on the Tunnel Interface.

Example

switch(config)# [no]hardware counter feature gre tunnel interface in

MRU Enforcement Show commands

The MRU on an interface is found in the show interface output.

switch(config)# show interface ethernet 1
Ethernet1 is up, line protocol is up (connected)
  Hardware is Ethernet, address is 444c.a8b7.1ed8 (bia 444c.a8b7.1ed8)
  Member of Port-Channel10
  Ethernet MTU 10178 bytes, Ethernet MRU 1500 bytes, BW 10000000 kbit
  Full-duplex, 10Gb/s, auto negotiation: off, uni-link: disabled.

Counter

MRU dropped packets are counted per-chip.

The Ethernet interfaces corresponding chip are found in the show platform fap mapping output.

switch(config)# show platform fap mapping interface Ethernet 1
Jericho0 (FapId: 0  BaseSystemCoreId: 0)
Port             SysPhyPort   Voq   Core  FapPort  OtmPort BaseQPair QPairs Xlge NifPort
----------------------------------------------------------------------------------------
Ethernet1        100          2608  0      2       0        0         8     8     33

Reassembly Errors use per-chip counters from the show hardware counter drop output.

switch(config)# show hardware counter drop
Type  Chip       CounterName       : Count    : First Occurrence    : Last Occurrence
-----------------------------------------------------------------------------------------
A     Jericho0   ReassemblyErrors  : 12132989 : 2020-09-22 17:05:45 : 2020-09-22 17:22:40

Configuring Power over Ethernet (PoE)

Power over Ethernet (PoE) is enabled by default on all Ethernet ports of PoE-capable switches, and the switch will detect IEEE-compliant Powered Devices (PDs) when they are plugged into a port and supply power appropriately.

Limitations

Ethernet ports will not detect non IEEE-compliant devices by default, and may not be able to detect or power them even if configured to do so.
If attached PDs overload the switch, it will power off. This can occur when an attached PD increases its power demand via LLDP, when too many PDs are connected to the switch, or when a power supply fails on a heavily loaded dual-supply switch.
Power-cycling the switch will cause temporary loss of power to attached PDs.
PoE is not available on management interfaces.

Disabling PoE on an Interface

On switches which support PoE, it is enabled by default on all Ethernet ports but can be disabled per-port with the poe disabled command.

Example

These commands disable PoE on Ethernet interface 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# poe disabled
switch(config-if-Et5)#

PoE Power Settings

When an IEEE-compliant powered device (PD) is connected to a PoE-enabled Ethernet port, it is recognized by a specific resistor signature, and its initial power needs are determined by hardware negotiation, after which further negotiation is managed through the Link Layer Discovery Protocol (LLDP). For details, see Configuring LLDP for Power over Ethernet.

PoE power output can be limited on a port using the poe limit command. The power limit represents the power output at the Ethernet port; actual power delivered to the PD will be lower due to power loss along the Ethernet cable.

Note: LLDP uses Power Via MDI type-length-value elements (TLVs) to allow the switch to dynamically negotiate power needs with PDs. LLDP will not include Power Via MDI TLVs for the interface if a power limit has been configured on it.

Examples

These commands limit nominal PoE power output on Ethernet interface 5 to 10 W.

switch(config)# interface ethernet 5
switch(config-if-Et5)# poe limit 10 watts
switch(config-if-Et5)#

These commands limit nominal PoE power output on Ethernet interface 7 to 4 W.

switch(config)# interface ethernet 7
switch(config-if-Et7)# poe limit class 1
switch(config-if-Et7)#

Detecting Legacy PDs

To configure an interface to use hardware detection for these non-compliant PoE devices and attempt to power them, use the poe legacy detect command.

Note: Non IEEE-compliant PDs are not officially supported. Arista cannot guarantee compatibility with such devices, and they may not be detected even when legacy detection is enabled on the port they are connected to.

Example

These commands configure interface ethernet 5 to attempt to detect and power non-compliant PDs.

switch(config)# interface ethernet 5
switch(config-if-Et5)# poe legacy detect
switch(config-if-Et5)#

Displaying PoE Information

To display PoE information for a specific interface range or for all Ethernet interfaces, use the show poe command.

Example

This command displays PoE information for Ethernet interface 46.

switch(config)# show poe interface ethernet 46
show poe interface ethernet 46
PSELLDPPowerGrantedPort
Port Enabled Enabled Limit  Power   State   Class  Power Current Voltage Temperature
---- ------- ------- ------ ------- ------- ------ ----- ------- ------- -----------
46      True    True 15.40W 15.40W  powered class0  1.40W 27.00mA 55.04V  41.25C
switch(config-if-Et7)#

Configuring Link Fault Signaling

As part of the Link Fault Signaling (LFS) configuration, a new configuration mode called theEthernet Operations Administration and Management (EOAM) mode is introduced. The EOAM profile has a link-error sub-mode wherein the threshold, action, and the period is configured for both FCS and Symbol errors. The period can be in seconds or in number of frames. The default values are threshold 0, action syslog, and period 0 seconds. If the errors exceed the threshold within the given period, the configured action is executed. The recovery time configures the recovery timeout value for link fault signaling. Only one EOAM profile is associated with a port.

The following steps enable configuring the LFS parameters:

Enable the EOAM mode.
```
switch(config)# monitor ethernet oam
```
Create an EOAM profile named as profile1.
```
switch(config-eoam)# profile profile1
```

Enter the EOAM link-error sub-mode.

switch(config-eoam-profile-profile1)# link-error

Enter the commands in the profile link-error submode to configure a specific LFS parameter.


switch(config-eoam-profile-profile1-link-error)# symbol action errdisable
switch(config-eoam-profile-profile1-link-error)# symbol period 300 frames
switch(config-eoam-profile-profile1-link-error)# symbol threshold 20
switch(config-eoam-profile-profile1-link-error)# recovery-time 40

Apply the EOAM profile profile1 to the Ethernet interface 1/1.


switch(config)# interface ethernet 1/1
switch(config-if-Et1/1)# monitor ethernet oam profile profile1

Configuring Hardware TCAM

Ternary Content-Addressable Memory (TCAM) is a specialized type of high-speed memory that increase the speed of route look-up, packet classification, packet forwarding and access control list-based commands. The hardware tcam command is used to configure and place the switch in the TCAM mode. In this mode the user can configure few TCAM related commands such as feature, profile and system.

In the TCAM mode, use the feature command to configure the reservation of TCAM banks for the features like ACL, IPsec, flow-spec, l2-protocol, PBR, QoS, TCP-MSS-ceiling, traffic-policy. The profile command configures a new TCAM profile, or just copy the TCAM profile which is already created using the hardware tcam profile command such as default, mirroring-acl, pbr-match-nexthop-group, qos, tap-aggregation-default, tap-aggregation-extended, tc-counters, test, VXLAN-routing. Similarly, the system command configures the system-wide TCAM profiles.

Example

This command places the switch in Hardware TCAM configuration mode.

switch(config)# hardware tcam
switch(config-hw-tcam)#

These are the commands allowed to configure in Hardware TCAM mode.

Examples

This command allow the switch to configure the TCAM feature.

switch(config)# hardware tcam
switch(config-hw-tcam)# feature

This command allow the switch to configure TCAM profile.

switch(config)# hardware tcam
switch(config-hw-tcam)# profile

This command allow the switch to configure TCAM system profile.

switch(config)# hardware tcam
switch(config-hw-tcam)# system

CPU Traffic Policy

Create a TCAM profile to enable actions such as permit, deny, and police in hardware before the traffic gets to the kernel for processing. The action is taken based on IP packet header information such as DSCP, L4 port values, fragmentation bits, etc.

TCAM Profile Example

The following file extract displays an example of a TCAM profile, cpu-traffic-policy, with features configured to enable CPU traffic policy.

hardware tcam
   profile cpu-traffic-policy
      feature acl port ip
         sequence 45
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip tcp-control ttl
         action count drop
         packet ipv4 forwarding bridged
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
         packet ipv4 VXLAN eth ipv4 forwarding routed decap
         packet ipv4 VXLAN forwarding bridged decap
      feature acl port ipv6
         sequence 25
         key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-ops-3b l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop mirror
         packet ipv6 forwarding bridged
         packet ipv6 forwarding routed
         packet ipv6 forwarding routed multicast
         packet ipv6 ipv6 forwarding routed decap
      feature acl subintf ip
         sequence 40
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops-18b l4-src-port src-ip tcp-control ttl
         action count drop mirror
         packet ipv4 forwarding routed
      feature acl subintf ipv6
         sequence 15
         key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low tcp-control
         action count drop mirror redirect
         packet ipv6 forwarding routed
      feature counter lfib
         sequence 85
      feature mpls
         sequence 5
         key size limit 160
         action drop redirect set-ecn
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature mpls pop ingress
         sequence 90
      feature pbr mpls
         sequence 65
         key size limit 160
         key field mpls-inner-ip-tos
         action count drop redirect
         packet mpls ipv4 forwarding mpls
         packet mpls ipv6 forwarding mpls
         packet mpls non-ip forwarding mpls
      feature qos ip
         sequence 75
         key size limit 160
         key field dscp dst-ip ip-frag ip-protocol l4-dst-port l4-ops l4-src-port src-ip
         action set-dscp set-policer set-tc
         packet ipv4 forwarding routed
         packet ipv4 forwarding routed multicast
         packet ipv4 mpls ipv4 forwarding mpls decap
         packet ipv4 mpls ipv6 forwarding mpls decap
         packet ipv4 non-VXLAN forwarding routed decap
      feature qos ipv6
         sequence 70
         key field dst-ipv6 ipv6-next-header ipv6-traffic-class l4-dst-port l4-src-port src-ipv6-high src-ipv6-low
         action set-dscp set-policer set-tct
         packet ipv6 forwarding routed
      feature traffic-policy cpu ipv4
         sequence 1
         key size limit 160
         key field dst-ip ip-frag ip-protocol l4-dst-port l4-src-port src-ip
         action count set-drop-precedence set-policer
      feature traffic-policy cpu ipv6
         sequence 2
         key field dst-ipv6 ipv6-next-header l4-dst-port l4-src-port src-ipv6-high src-ipv6-low
         action count set-drop-precedence set-policer
   system profile cpu-traffic-policy

Configuring the Policy

The following configures cpu-traffic-policy under the traffic-policies global configuration mode.

traffic-policies
  cpu traffic-policy <name> vrf <vrf-list>
  traffic-policy <name>
    match <rule-name> <ipv4 | ipv6> [ <after | before> <rule-name> ]         
      source prefix       A.B.C.D/E [ A.B.C.D/E ]
      destination prefix  A.B.C.D/E [ A.B.C.D/E ]
      protocol <protocol-list> | {tcp,udp}
                          [ source port <port-list> | 
                                        field-set <port-set-name> ] |
                          [ destination port <port-list> |
                                        field-set <port-set-name> ]
      actions
         drop
         police rate <rate> <unit>
         count

The following applies the policies to the VRFs. The policy is applied to all interfaces belonging to the VRF.

traffic-policies
  cpu traffic-policy <name> vrf all

Default Rules

The ipv4-all-default and ipv6-all-default are programmed by default and cannot be reordered, or removed. Only the associated action can be changed. The permit rule is never installed and is the default action for packet processing.

Examples

L3 Protocol Match Criteria (protocol neighbors bgp)

The following displays the configuration of a profile to match on a set of configured protocol peers which allows only TCP traffic from those BGP peers.

traffic-policies
  cpu traffic-policy <name> vrf <vrf-list>
  traffic-policy <name>
    match <rule-name> <ipv4 | ipv6> [ <after | before> <rule-name> ]         
      source prefix       A.B.C.D/E [ A.B.C.D/E ]
      destination prefix  A.B.C.D/E [ A.B.C.D/E ]
      protocol <protocol-list> | {tcp,udp}
                          [ source port <port-list> | 
                                        field-set <port-set-name> ] |
                          [ destination port <port-list> |
                                        field-set <port-set-name> ]
      actions
         drop
         police rate <rate> <unit>
         count

traffic-policies
  cpu traffic-policy <traffic-policy-name> vrf all
    match <rule-name> <ipv4 | ipv6> [ <after | before> <rule-name> ]        
      protocol neighbors bgp
      actions
         drop

traffic-policies
   cpu traffic-policy foo vrf all
      traffic-policy foo
         match BGP ipv4
            protocol neighbors bgp

The following policy permits dynamic peers from the listen-range 2.0.0.0/24 and all IPv6 BGP LL peers.

traffic-policies
   traffic-policy cpuPolicy
      match BGP ipv4
         protocol neighbors bgp
      match BGP-DYN ipv4
         source prefix 2.0.0.0/24
      match BGP-LL ipv6
         source prefix fe80::/64

Note: Configuring any match criteria will result in a CLI error when combined with the protocol neighbor bgp match criteria as these conflict with the expanded BGP rules.

The following displays error messages with conflicting configurations.

traffic-policies
   traffic-policy cpuPolicy
      match BGP ipv4
         protocol neighbors bgp
         source prefix 1.0.0.1/32
! The ‘source prefix’ subcommand is not supported when the ‘protocol neighbors’ subcommand is configured.

traffic-policies
   traffic-policy cpuPolicy
      match BGP ipv4
         source prefix 1.0.0.1/32
         protocol neighbors bgp
! The ‘protocol neighbors’ subcommand is not supported when any other match subcommands are configured.

Deny other BGP Traffic

The following displays a policy to whitelist some BGP sessions and other management IPs or IP protocol. The policy is inadequate as attempts to create BGP sessions from 1.0.0.0/24 (for example) will pass through this policy unfiltered.

traffic-policies
   cpu traffic-policy CPU vrf all   
   traffic-policy CPU
      match BGP ipv4
         protocol neighbors bgp
      match BFD ipv4
         source address 1.0.0.0/24 1.0.1.0/24 1.0.4.0/24
      match ipv4-all-default ipv4
         actions
            drop
      match ipv6-all-default ipv6
         actions
            drop

The following displays a policy to whitelist some BGP sessions and other management IPs or IP protocol. The policy is effective and easier to implement for administrators.

traffic-policies
   cpu traffic-policy CPU
   traffic-policy CPU
      match BGP ipv4
         protocol neighbors bgp
      match BGP-REST ipv4
         protocol tcp udp destination port 179
         actions
            drop
      match BFD ipv4
         source address 1.0.0.0/24 1.0.1.0/24 1.0.4.0/24
      match ipv4-all-default ipv4
         actions
            drop
      match ipv6-all-default ipv6
         actions
            drop

The following displays a policy to whitelist some BGP sessions and other management IPs or IP protocol. The policy is effective and easier to implement for administrators. The clause matches on any inbound traffic destined for the configured BGP port(s).

traffic-policies
   cpu traffic-policy CPU
   traffic-policy CPU
      match BGP ipv4
         protocol neighbors bgp
      match BGP-REST ipv4
         protocol bgp
         actions
            drop
      match BFD ipv4
         source address 1.0.0.0/24 1.0.1.0/24 1.0.4.0/24
      match ipv4-all-default ipv4
         actions
            drop
      match ipv6-all-default ipv6
         actions
            drop

Actions

Drop: packet is discarded on a match

Police: tracks the usage for each BGP neighbor, and holds it to a maximum rate.

The police rate <rate-value> [rate-unit] command sets the policing rate. The optional rate-unit are bps, kbps (default), mbps, and gbps. The following configures a policing rate of 15 kbps for each BGP neighbor.

traffic-policies
   cpu traffic-policy CPU vrf all
   traffic-policy CPU
      match BGP ipv4
         protocol neighbors bgp
         actions
            police rate 15 kbps

Count

The following enables counters for the CPU traffic policy to count all packets matching the rule in which the count action is configured.

no hardware counter feature acl out <address-family>

hardware counter feature traffic-policy cpu

traffic-policies
   cpu traffic-policy CPU vrf all
   traffic-policy CPU
      match BGP ipv4
         protocol neighbors bgp
         actions
            count

Use-case Scenarios

Securing BGP Neighbors

The following implements a policy to secure BGP neighbors.

traffic-policies
   cpu traffic-policy CPU-DEFAULT vrf all
   traffic-policy CPU-DEFAULT
      match ICMPV6 ipv6
         protocol icmpv6
      match BGP ipv4
         protocol neighbors bgp
      match BGP-OTHER ipv4
         protocol bgp
         actions
            drop
      match BGP6 ipv6
         protocol neighbors bgp
      match BGP-OTHER6 ipv6
         protocol bgp
         actions
            drop
      match OSPF ipv4
         protocol ospf
      match ipv4-all-default ipv4
         actions
            drop
      match ipv6-all-default ipv6
         actions
            drop

Whitelist BFD Neighbors (not neighbor-specific)

Add the following rule to Whitelist BFD Neighbors.

traffic-policies
   traffic-policy CPU-DEFAULT
      match BFD-DPORT ipv4
         protocol udp destination port 3784-3785
      match BFD-SPORT ipv4
         protocol udp source port 49152
      match BFD-DPORT6 ipv6
         protocol udp destination port 3784-3785
      match BFD-SPORT6 ipv6
         protocol udp source port 49152
      match ipv4-all-default ipv4
         actions
            drop
      match ipv6-all-default ipv6
         actions
            drop

Whitelist a few Common Control-plane Protocols and Deny others

Add the following rule to Whitelist protocols such as ICMPv6 while denying others.

traffic-policies
   cpu traffic-policy CPU-DEFAULT vrf all
   traffic-policy CPU-DEFAULT
      match ICMPV6 ipv6
         protocol icmpv6
      match BGP ipv4
         protocol neighbors bgp
      match BGP-OTHER ipv4
         protocol bgp
         actions
            drop
      match BGP6 ipv6
         protocol neighbors bgp
      match BGP-OTHER6 ipv6
         protocol bgp
         actions
            drop
      match OSPF ipv4
         protocol ospf
      match PIM4 ipv4
         protocol pim
      match PIM6 ipv6
         protocol pim
      match ipv4-all-default ipv4
         actions
            drop
      match ipv6-all-default ipv6
         actions
            drop

TCAM Profile for Configurable Port Qualifier Sizing

A TCAM profile can be created from scratch, or the feature can be added to a copy of the default TCAM profile. When creating a profile from scratch, care must be taken to ensure that all needed TCAM features are included in the profile.

Modifying a Default TCAM Profile to allow Dynamic Sizing for ACL Labels

The following commands create a copy of the default TCAM profile, name it port-qualifier-size, and configure it to support a 6-bit dynamic sizing for ACL labels for IPKGV. Once the profile has been created, it can be applied to the system.

switch(config)# hardware tcam
switch(config-hw-tcam)# profile port-qualifier-size copy default
switch(config-hw-tcam-profile-port-qualifier-size)# feature port-qualifier-size ip copy 
system-feature-source-profile
switch(config-hw-tcam-profile-port-qualifier-size-feature-port-qualifier-size)# port-qualifier-size 6
switch(config-hw-tcam-profile-port-qualifier-size-feature-port-qualifier-size)# exit
switch(config-hw-tcam-profile-port-qualifier-size)# feature acl port ip
switch(config-hw-tcam-profile-port-qualifier-size)# exit
switch(config-hw-tcam)# exit
switch(config)#

Verifying the Configuration of Dynamic Qualifier Size

The following command verifies the configuration.

switch# show running-config
hardware tcam
   profile port-qualifier-size
      feature acl port ip
         port qualifier size 6 bits

Verifying the Configuration of System Profile

The following command verifies the system profile was configured and applied successfully. The profile name appears in both the Configuration and Status columns.

switch# show harware tcam profile
              Configuration               Status
Linecard1     port-qualifier-size         port-qualifier-size
Linecard2     port-qualifier-size         port-qualifier-size
Linecard3     port-qualifier-size         port-qualifier-size

When the profile does not get applied correctly, the Status column shows Error.

switch#show harware tcam profile
                Configuration              Status
Linecard1       port-qualifier-size        ERROR
Linecard2       port-qualifier-size        ERROR
Linecard3       port-qualifier-size        ERROR

Note: The packet type, the key field must be set. The dynamic qualifier size can be set for ACL. Not all hardware platforms support this feature. Modular systems require all linecards to support this feature for the profile to be applicable.

Ethernet Configuration Commands

Global Configuration Commands

clear counters
clear VXLAN counters
hardware port-group
hardware counter feature
hardware counter feature in (DCS-7050x, 7350x, 7300x)
hardware tcam
interface ethernet
interface ethernet create
interface management
monitor ethernet oam
transceiver channel
transceiver qsfp default-mode

Hardware TCAM Commands

feature
system

Interface Configuration CommandsEthernet and Management Interfaces

flowcontrol receive
flowcontrol send
link-debounce
mac-address
poe disabled
poe legacy detect
poe limit
power budget
power budget exceed action (warning | hold-down)
speed

EOAM Configuration Commands

link-error
monitor ethernet oam profile
profile

Link-error Configuration Commands

action
period
phy link detection aggressive
recovery-time
threshold

Interface Display Commands

400GBASE-ZR Transceivers Display Commands

show interface transceiver dom
show interface transceiver eeprom
show transceiver status interface

Shared Support across Multiple Subinterfaces Commands

qos scheduling
show qos scheduling

action

The action command configures the link monitoring action that is specified for the link fault signaling event.

The no actioncommand removes the action type specified for the chosen link fault signaling. The default action command configures the link monitoring action as system log type.

Command Mode

Link-error Configuration

Command Syntax

{fcs | symbol} action [linkfault | errdisable | log]

no {fcs | symbol} action [linkfault | errdisable | log]

default {fcs | symbol} action [linkfault | errdisable | log]

Parameters

fcs Inbound packets with frame check sequence (FCS) error.
symbol Inbound packets with symbol error.
linkfault The link fault action type.
errdisable The errdisable action type.
log The system log action type.

Related Commands

period
threshold

Example

These commands set the errdisable action type for the profile profile1 in the Link-error configuration mode for symbol error.

switch(config)# monitor ethernet oam
switch(config-eoam)# profile profile1
switch(config-eoam-profile-profile1)# link-error
switch(config-eoam-profile-profile1-link-error)# symbol action errdisable

clear counters

The clear counters command in privileged EXEC mode resets the counters to zero for the specified interfaces including VLAN interfaces, Sub-Interfaces, and GRE Tunnel Interfaces.

Command Mode

Privileged EXEC

Command Syntax

clear counters [vlan vlanId | Tunnel tunnelID][[route][ipv4 | ipv6][vrf]]

Parameters

vlan vlanId Clears the VLAN Interface and subinterface Ingress and Egress counters.
Tunnel tunnelID Allows the command to be used for clearing counters only for the specified VLAN interface.
routeClears the route counters.
- ipv4 Allows targeting the clearing of IPv4 route counters.
- ipv6 Allows targeting the clearing of IPv6 route counters.
vrf Allows specifying the VRF to only clear the route counters for the VRF.

Examples

Clears the VLAN Interface and subinterface ingress and egress counters.
```
switch# clear counters[vlan vlanId]
```
Clears the GRE Tunnel Interface Ingress and Egress counters.
```
switch# clear counters[tunnel TunnelId]
```

clear VXLAN counters

Use the clear VXLAN counters command to clear the VXLAN encap and decap counters.

Command Mode

EXEC

Command Syntax

clear VXLAN counters [[vni | [vtep [vtep-ip-address | unlearnt]]]

Parameters

vni Clears the VXLAN counters.
vtep Clears the VTEP counters.
- vtep-ip-address Clears the counters for the specified VTEP.
- unlearnt Clears the counters for unlearned VTEPs. Unlearned VTEPs track the counts of packets received by the switch before the VTEP is learned.

feature

Thefeature command allows the user to reserve the number of TCAM banks for the following features such as ACL, flow-spec, IPsec, l2-protocol, PBR, QoS, TCP-MSS-ceiling, traffic-policy.

Theexit command returns the switch to global configuration mode.

Command Mode

Hardware TCAM

Command Syntax

feature

Example

This commands allows the switch to configure the TCAM flow-spec feature for IPv4 ports.

switch(config-hw-tcam)# feature flow-spec port ipv4 bank maximum count 12

flowcontrol receive

The flowcontrol receive command configures administrative settings for inbound flowcontrol packets. Ethernet ports use flow control to delay packet transmission when port buffers run out of space. Ports transmit a pause frame when their buffers are full, signaling their peer ports to delay sending packets for a specified period.

The flowcontrol receive command configures the configuration mode port's ability to receive flowcontrol pause frames.

off: port does not process pause frames that it receives.
on: port processes pause frames that it receives.
desired: port autonegotiates flow control; processes pause frames if the peer is set to send desired.

Desired is not an available parameter option. Ethernet data ports cannot be set to desired. Management ports are set to desired by default and with the no flowcontrol receive command.

The port linking process includes flow control negotiation. Ports must have compatible flow control settings to create a link. The table below lists the compatible flow control settings.

Table 9. Compatible Settings for Flow Control Negotiation – Local Port Receiving
local port	peer port
receive on	send on or send desired
receive off	send off or send desired
receive desired	send on , send off, or send desired

The no flowcontrol receive and default flowcontrol receive commands restore the default flowcontrol setting for the configuration mode interface by removing the corresponding flowcontrol receive command from running-config. The default setting is off for Ethernet data ports and desired for Management ports.

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

Command Syntax

flowcontrol receive STATE

no flowcontrol receive

default flowcontrol receive

Parameters

STATE flow control pause frame processing setting. Options include:

On
Off

Example

These commands set the flow control received on Ethernet interface 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# flowcontrol receive on
switch(config-if-Et5)#

flowcontrol send

The flowcontrol send command configures administrative settings for outbound flow control packets. Ethernet ports use flow control to delay packet transmission when port buffers run out of space. Ports transmit a pause frame when their buffers are full, signaling their peer ports to delay sending packets for a specified period.

The flowcontrol send command configures the configuration mode port's ability to transmit flow control pause frames.

off: port does not send pause frames.
on: port sends pause frames.
desired: port autonegotiates flow control; sends pause frames if the peer is set to receive desired.

Desired is not an available parameter option. Ethernet data ports cannot be set to desired. Management ports are set to desired by default and with the no flowcontrol send command.

Table 10. Compatible Settings for Flow Control Negotiation Local Port Transmitting
local port	peer port
send on	receive on or receive desired
send off	receive off or receive desired
send desired	receive on , receive off, or receive desired

The no flowcontrol send and default flowcontrol send commands restore the default flow control setting for the configuration mode interface by removing the corresponding flowcontrol send command from running-config. The default setting is off for Ethernet data ports and desired for Management ports.

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

Command Syntax

flowcontrol send STATE

no flowcontrol send

default flowcontrol send

Parameters

STATE Flow control send setting. Options include:

on
off

Example

These commands set the flow control sent on interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# flowcontrol send on
switch(config-if-Et5)#

hardware counter feature

You can enable on a per feature basis the hardware counter feature command from the global configuration mode. The no hardware counter feature disables the feature. Multiple ingress and egress hardware counter features can work concurrently.

Command Mode

Global configuration mode

Command Syntax

Parameters

vlan-interface Enables VLAN interface counters
- in Enables the counting of ingress VLAN interface counters. When configured, the switch counts the number of unicast packets, multicast packets and total octets ingressing through the VLANinterface for every VLAN interface configured in the system.
- out Enables the counting of egress VLAN interface counters. When configured, the switch counts the number of unicast packets, multicast packets and total octets egressing the vlan interface for every vlan interface configured in the system.
subinterfaceEnables the counting subinterface counters.
- inEnables the counting of ingress subinterface counters. When configured, the switch counts the number of unicast packets, multicast packets and total octets ingressing through the subinterface for every L3 subinterface configured in the system.
- out Enables the counting of egress subinterface counters. When configured, the switch counts the number of unicast packets, multicast packets and total octets egressing the subinterface for every L3 subinterface configured in the system.
vniEnables the counting of per VNI counters.
- encap Enables the per encap counters. When enabled, the switch counts the number of packets/octets coming from the edge, encapsulated on the device and directed towards the core.
- decap Enables the per VTEP decap counters. When enabled, the switch counts the number of packets/octets coming from the core, decapsulated on the device and heading towards the edge per each VTEP.
routeConfigures the route counters for the specified ip version and ip-address/ip-prefix. When enabled, the switch counts the number of packets/bytes hitting a route.
- ipv4Identifies the IPv4 route.
- ipv6 Identifies the IPv6 route.
vrf name The VRF name is optional and default VRF is assumed if no VRF is specified.
ip-address Specifies the target IP address.
ip-address-prefix Specifies the target IP address prefix.
gre tunnel interfaceEnables GRE tunnel interface counters.
- in Enables GRE tunnel interface decap counters. When enabled, the switch counts the number of unicast GRE packets and total octets getting decapsulated on the tunnel interface.
- out Enables GRE Tunnel Interface encap counters. When enabled, the switch counts the number of unicast GRE packets and total octets getting encapsulated on the Tunnel Interface.

Examples

switch# hardware counters feature vlan-interface in

switch# hardware counter feature vlan-interface out

switch# hardware counter feature subinterface in

switch# hardware counter feature subinterface out

switch(config)# hardware counter feature vni encap

switch(config)# hardware counter feature vni decap

switch(config)# hardware counter feature vtep encap

switch(config)# hardware counter feature vtep decap

switch(config)# hardware counter feature gre tunnel interface in

switch(config)# hardware counter feature gre tunnel interface out

hardware counter feature in (DCS-7050x, 7350x, 7300x)

The hardware counter feature command enables the switch to count the ingress traffic on the Layer 3 port of the switch. Any traffic on Layer 3 sub-interfaces and VLAN interface with IPv4 and IPv6 addresses are accounted irrespective of the routing decision.

The no hardware counter feature in command disable the counter configuration from the switch ports. By default the ingress counter is disabled on the switch.

Command Mode

Global Configuration

Command Syntax

hardware counter feature [INTERFACE]in

no hardware counter feature [INTERFACE]in

Parameters

INTERFACE Layer 3 interface on the switch.

subinterface Displays the subinterface traffic count.
vlan-interface Displays the VLAN-interface traffic count.

Examples

This command configures the ingress traffic count on the sub-interfaces.
```
switch# hardware counter feature subinterface in
```
This command configures the ingress traffic count on the VLAN interface.
```
switch# hardware counter feature vlan-interface in
```

These commands enable the QSFP+ interface in port group 1 and SFP+ interfaces in port group 2 on a DCS-7050Q-16 switch, display the port group status, and display interface status.


switch(config)# hardware port-group 1 select Et15/1-4
switch(config)# hardware port-group 2 select Et21-24
switch(config)# show hardware port-group

Portgroup: 1    Active Ports: Et17-20
Port            State
------------------------------------------
Ethernet17      ErrDisabled
Ethernet18      ErrDisabled
Ethernet19      ErrDisabled
Ethernet20      ErrDisabled
Ethernet15/1    Active
Ethernet15/2    Active
Ethernet15/3    Active
Ethernet15/4    Active

Portgroup: 2    Active Ports: Et16/1-4
Port            State
------------------------------------------
Ethernet16/1    Active
Ethernet16/2    Active
Ethernet16/3    Active
Ethernet16/4    Active
Ethernet21      ErrDisabled
Ethernet22      ErrDisabled
Ethernet23      ErrDisabled
Ethernet24      ErrDisabled
switch(config)# show interfaces status
Port      Name              Status       Vlan        Duplex  Speed Type
Et1/1                       connected    in Po621      full    40G 40GBASE-CR4
Et1/2                       errdisabled  inactive    unconf unconf 40GBASE-CR4
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et15/1                      connected    in Po711      full    40G 40GBASE-CR4
Et15/2                      errdisabled  inactive    unconf unconf Not Present
Et15/3                      errdisabled  inactive    unconf unconf Not Present
Et15/4                      errdisabled  inactive    unconf unconf Not Present
Et16/1                      errdisabled  inactive    unconf unconf Not Present
Et16/2                      errdisabled  inactive    unconf unconf Not Present
Et16/3                      errdisabled  inactive    unconf unconf Not Present
Et16/4                      errdisabled  inactive    unconf unconf Not Present
Et17                        errdisabled  inactive    unconf unconf Not Present
Et18                        errdisabled  inactive    unconf unconf Not Present
Et19                        errdisabled  inactive    unconf unconf Not Present
Et20                        errdisabled  inactive    unconf unconf Not Present
Et21                        connected    425           full    10G 10GBASE-SRL
Et22                        connected    611           full    10G 10GBASE-SRL
Et23                        connected    in Po998      full    10G 10GBASE-SLR
Et24                        connected    in Po998      full    10G 10GBASE-SLR
switch(config)#

These commands enable the QSFP+ interface in port group 1 and SFP+ interfaces in port group 2 on a DCS-7050Q-16 switch, display the port group status, and display interface status.


switch(config)# hardware port-group 1 select Et15/1-4
switch(config)# hardware port-group 2 select Et21-24

switch(config)# show hardware port-group

Portgroup: 1    Active Ports: Et17-20
Port            State
------------------------------------------
Ethernet17      ErrDisabled
Ethernet18      ErrDisabled
Ethernet19      ErrDisabled
Ethernet20      ErrDisabled
Ethernet15/1    Active
Ethernet15/2    Active
Ethernet15/3    Active
Ethernet15/4    Active

Portgroup: 2    Active Ports: Et16/1-4
Port            State
------------------------------------------
Ethernet16/1    Active
Ethernet16/2    Active
Ethernet16/3    Active
Ethernet16/4    Active
Ethernet21      ErrDisabled
Ethernet22      ErrDisabled
Ethernet23      ErrDisabled
Ethernet24      ErrDisabled
switch(config)# show interfaces status
Port      Name              Status       Vlan        Duplex  Speed Type
Et1/1                       connected    in Po621      full    40G 40GBASE-CR4
Et1/2                       errdisabled  inactive    unconf unconf 40GBASE-CR4
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Et15/1                      connected    in Po711      full    40G 40GBASE-CR4
Et15/2                      errdisabled  inactive    unconf unconf Not Present
Et15/3                      errdisabled  inactive    unconf unconf Not Present
Et15/4                      errdisabled  inactive    unconf unconf Not Present
Et16/1                      errdisabled  inactive    unconf unconf Not Present
Et16/2                      errdisabled  inactive    unconf unconf Not Present
Et16/3                      errdisabled  inactive    unconf unconf Not Present
Et16/4                      errdisabled  inactive    unconf unconf Not Present
Et17                        errdisabled  inactive    unconf unconf Not Present
Et18                        errdisabled  inactive    unconf unconf Not Present
Et19                        errdisabled  inactive    unconf unconf Not Present
Et20                        errdisabled  inactive    unconf unconf Not Present
Et21                        connected    425           full    10G 10GBASE-SRL
Et22                        connected    611           full    10G 10GBASE-SRL
Et23                        connected    in Po998      full    10G 10GBASE-SLR
Et24                        connected    in Po998      full    10G 10GBASE-SLR
switch(config)#

hardware port-group

The hardware port-group command configures a port group to activate either a single interface at a higher speed such as QSFP-DD at 400Gb/s, or multiple interfaces at a lower speed such as QSFP-56 at 200Gb/s.

The no hardware port-group and default hardware port-group commands restore the default settings for the specified port group, by removing the corresponding hardware port-group command from running-config.

The hardware port-group command is available on DCS-7280CR3-36S, DCS-7050Q-16, and DCS-7050QX-32S switches, and has different parameters on each platform.

Command Mode

Global Configuration

Command Syntax

hardware port-group port_group_id select port_group_mode

no hardware port-group port_group_id [ select port_group_mode ]

default hardware port-group port_group_id [ select port_group_mode ]

Parameters

port_group_id

Label of the port group. On the 7280CR3-36S and 7050Q-16, the valid options are 1 and 2. On the 7050QX-32S, only label 1 is available.
port_group_mode
Ports activated by the command. Options vary by platform and depend on the port_group_id value.
- DCS-7280CR3-36
  - Port group 1:
    
    1x-qsfp-dd(Et33): Ethernet33/1 is capable of 400Gb/s. Ethernet34 is inactive.
    
    2x-qsfp-56(Et33,Et34): Ethernet33/1 is not capable of 400Gb/s. Ethernet34 is active.
  - Port group 2:
    
    1x-qsfp-dd(Et35): Ethernet35/1 is capable of 400Gb/s. Ethernet36 is inactive.
    
    2x-qsfp-56(Et35,36): Ethernet35/1 is not capable of 400Gb/s. Ethernet36 is active.
- DCS-7050Q-16
  - Port group 1:
    
    Et15/1-4: QSFP+ port is activated on port group 1.
    
    Et17-20: SFP+ ports are activated on port group 1.
  - Port group 2:
    
    Et16/1-4: QSFP+ port is activated on port group 2.
    
    Et21-23: SFP+ ports are activated on port group 2.
- DCS-7050QX-32S
  - Port group 1:
    
    Et15/1-4: QSFP+ port is activated on port group 1.
    
    Et17-20: SFP+ ports are activated on port group 1.
  - Port group 2:
    
    Invalid port group.

Examples

On a DCS-7280CR3-36S switch, the following commands activate Ethernet35/1 as a QSFP-DD (400Gb/s) port and deactivate Ethernet36, and then display the port-group status.

switch(config)#hardware port-group 2 select 1x-qsfp-dd(Et35)
!
                  WARNING!
   Changing the port-group mode will cause all
   interfaces on ports 35,36 to flap.

Do you wish to proceed with this command? [y/N]y
switch(config)#show hardware port-group

Portgroup: 1    Active Ports: Et33/1-4,34/1-4
Limitations: 400G unavailable on Ethernet33/1
Port            State
------------------------------------------
Ethernet33/1    Active
Ethernet33/2    Active
Ethernet33/3    Active
Ethernet33/4    Active
Ethernet33/5    Inactive
Ethernet33/6    Inactive
Ethernet33/7    Inactive
Ethernet33/8    Inactive
Ethernet34/1    Active
Ethernet34/2    Active
Ethernet34/3    Active
Ethernet34/4    Active

Portgroup: 2    Active Ports: Et35/1-8
Port            State
------------------------------------------
Ethernet35/1    Active
Ethernet35/2    Active
Ethernet35/3    Active
Ethernet35/4    Active
Ethernet35/5    Active
Ethernet35/6    Active
Ethernet35/7    Active
Ethernet35/8    Active
Ethernet36/1    Inactive
Ethernet36/2    Inactive
Ethernet36/3    Inactive
Ethernet36/4    Inactive
switch(config)#

On a DCS-7280CR3-36S switch, the following commands restore settings for port group 2 to the default values, and then display the port-group status.

switch(config)#no hardware port-group 2
!
                  WARNING!
   Changing the port-group mode will cause all
   interfaces on ports 35,36 to flap.

Do you wish to proceed with this command? [y/N]y
switch(config)#show hardware port-group

Portgroup: 1    Active Ports: Et33/1-4,34/1-4
Limitations: 400G unavailable on Ethernet33/1
Port            State
------------------------------------------
Ethernet33/1    Active
Ethernet33/2    Active
Ethernet33/3    Active
Ethernet33/4    Active
Ethernet33/5    Inactive
Ethernet33/6    Inactive
Ethernet33/7    Inactive
Ethernet33/8    Inactive
Ethernet34/1    Active
Ethernet34/2    Active
Ethernet34/3    Active
Ethernet34/4    Active

Portgroup: 2    Active Ports: Et35/1-4,36/1-4
Limitations: 400G unavailable on Ethernet35/1
Port            State
------------------------------------------
Ethernet35/1    Active
Ethernet35/2    Active
Ethernet35/3    Active
Ethernet35/4    Active
Ethernet35/5    Inactive
Ethernet35/6    Inactive
Ethernet35/7    Inactive
Ethernet35/8    Inactive
Ethernet36/1    Active
Ethernet36/2    Active
Ethernet36/3    Active
Ethernet36/4    Active
switch(config)#

hardware tcam

The hardware tcam command places the switch in Hardware TCAM configuration mode.

The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

hardware tcam

Related Commands

profile
interface ethernet

Example

This command places the switch in Hardware TCAM configuration mode.

switch(config)# hardware tcam
switch(config-hw-tcam)#

interface ethernet create

The interface ethernet create command is used to configure a range of Ethernet subinterfaces. The command places the switch in Ethernet-interface configuration mode for the specified range of subinterfaces.

Command Mode

Global Configuration

Command Syntax

interface ethernet create sub_range

Parameters

sub_range Range of subinterfaces to be configured. Subinterfaces are named by adding a period followed by a unique subinterface number to the name of the parent interface.

Example

This command enters interface configuration mode for Ethernet subinterfaces 1/1.1-100:

switch(config)# interface ethernet create 1/1.100
switch(config-if-Et1/1.1-100)#

interface ethernet

The interface ethernet command places the switch in Ethernet-interface configuration mode for the specified interfaces. The command can specify a single interface or multiple interfaces.

Ethernet interfaces are physical interfaces and are not created or removed.

Interface management commands include:

description
exit
load-interval
mtu
shutdown (Interfaces)

Ethernet management commands include:

flowcontrol
mac-address
speed

Chapters describing supported protocols and other features list additional configuration commands available from Ethernet interface configuration mode.

Command Mode

Global Configuration

Command Syntax

interface ethernet e_range

Parameters

e_range Ethernet interfaces (number, range, or comma-delimited list of numbers and ranges). Valid Ethernet numbers depend on the switchs available Ethernet interfaces.

Examples

This command enters interface configuration mode for Ethernet interfaces 1 and 2:
```
switch(config)# interface ethernet 1-2
switch(config-if-Et1-2)#
```
This command enters interface configuration mode for interface ethernet 1:
```
switch(config)# interface ethernet 1
switch(config-if-Et1)#
```

interface management

The interface management command places the switch in management-interface configuration mode for the specified interfaces. The list can specify a single interface or multiple interfaces if the switch contains more than one management interface.

Management interfaces are physical interfaces and are not created or removed.

Interface management commands include:

description
exit
load-interval
mtu
shutdown (Interfaces)

Ethernet management commands include:

flowcontrol
mac-address
speed

Chapters describing supported protocols and other features list additional configuration commands available from management-interface configuration mode.

Command Mode

Global Configuration

Command Syntax

interface management m_range

Parameter

m_range Management interfaces (number, range, or comma-delimited list of numbers and ranges).

Valid management numbers depend on the switchs available management interfaces. A value of 0, where available, configures the virtual management interface on a dual-supervisor modular switch. Management interface 0 accesses management port 1 on the active supervisor of a dual-supervisor modular switch.

Examples

This command enters the interface configuration mode for management interfaces 1 and 2.
```
switch(config)# interface management 1-2
switch(config-if-Ma1-2)#
```
This command enters the interface configuration mode for management interface 1:
```
switch(config)# interface management 1
switch(config-if-Ma1)#
```

link-debounce

The link-debounce command configures the link debounce time for the configuration mode interface. Link debounce time is the time that advertisements for new link states are delayed after the link state is established. By default, debounce time is set to zero, disabling link debounce.

Debounce times for link-up and link-down transitions can be independently configured.

Link-up debounce time: the delay before an interface advertises link down to link up transitions.
Link-down debounce time: the delay before an interface advertises link up to link down transitions.

The no link-debounce and default link-debounce commands restore the default debounce setting for the configuration mode interface by removing the corresponding link-debounce command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

Command Syntax

link-debounce time WAIT_TIME

no link-debounce time WAIT_TIME

default link-debounce time WAIT_TIME

Parameters

WAIT_TIME Link debounce period (milliseconds). All debounce values range from 0 (disabled) to 30000 (30 seconds). Options include:

0 - 30000One debounce value assigned as both link up and link down.
0 - 30000 0 - 30000Two debounce values: link up is first, link down is second.

Examples

These commands set the link-up and link-down debounce period to 10 seconds on interface ethernet 5.

switch(config)# interface ethernet 5
switch(config-if-Et5)# link-debounce time 10000
switch(config-if-Et5)#

These commands set the link-up debounce to 10 seconds and the link-down debounce period to zero on interface ethernet 5.
```
switch(config)# interface ethernet 5
switch(config-if-Et5)# link-debounce time 10000 0
switch(config-if-Et5)#
```
These commands set the link-up debounce to 0 and the link-down debounce period to 12.5 seconds on interface ethernet 5.
```
switch(config)# interface ethernet 5
switch(config-if-Et5)# link-debounce time 0 12500
switch(config-if-Et5)#
```

link-error

The link-error command places the Ethernet Operations, Administration, and Management (EOAM) profile in the EOAM link-error sub-mode.

The no link-error and default link-error commands exit from the EOAM link-error sub-mode.

Command Mode

EOAM Configuration

Command Syntax

link-error

no link-error

default link-error

Related Commands

monitor ethernet oam profile
show monitor ethernet oam profile

Example

These commands place the EOAM profile profile1 in the link-error sub-mode.

switch(config)# monitor ethernet oam
switch(config-eoam)# profile profile1
switch(config-eoam-profile-profile1)# link-error
switch(config-eoam-profile-profile1-link-error)#

mac-address

The mac-address command assigns a MAC address to the configuration mode interface. An interfaces default MAC address is its burn-in address.

The no mac-address and default mac-address commands revert the interface to its default MAC address by removing the corresponding mac-address command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

Command Syntax

mac-address address

no mac-address

default mac-address

Parameter

address MAC address assigned to the interface. Format is dotted hex notation (H.H.H). Disallowed addresses are 0.0.0 and FFFF.FFFF.FFFF.

Example

This command assigns the MAC address of 001c.2804.17e1 to interface ethernet 7, then displays interface parameters, including the assigned address.

switch(config)# interface ethernet 7
switch(config-if-Et7)# mac-address 001c.2804.17e1
switch(config-if-Et7)# show interface ethernet 7
Ethernet3 is up, line protocol is up (connected)
  Hardware is Ethernet, address is 001c.2804.17e1 (bia 001c.7312.02e2)
  Description: b.e45
  MTU 9212 bytes, BW 10000000 Kbit
  Full-duplex, 10Gb/s, auto negotiation: off
  Last clearing of "show interface" counters never
  5 seconds input rate 7.84 kbps (0.0% with framing), 10 packets/sec
  5 seconds output rate 270 kbps (0.0% with framing), 24 packets/sec
     1363799 packets input, 222736140 bytes
     Received 0 broadcasts, 290904 multicast
     0 runts, 0 giants
     0 input errors, 0 CRC, 0 alignment, 0 symbol
     0 PAUSE input
     2264927 packets output, 2348747214 bytes
     Sent 0 broadcasts, 28573 multicast
     0 output errors, 0 collisions
     0 late collision, 0 deferred
     0 PAUSE output
switch(config-if-Et7)#

monitor ethernet oam profile

The monitor ethernet oam profile command applies the EOAM profile to the specific interface in interface configuration mode.

The no monitor ethernet oam profile and default monitor ethernet oam profile commands remove the EOAM profile from the interface.

Command Mode

Interface Configuration

Command Syntax

monitor ethernet oam profile name

no monitor ethernet oam profile

default monitor ethernet oam profile

Parameters

name The EOAM profile name. An EOAM profile cannot be named as summary.

Related Commands

link-error
show monitor ethernet oam profile

Example

These commands apply the EOAM profile profile1 to the interface ethernet 1/1.

switch(config)# interface ethernet 1/1
switch(config-if-Et1/1)# monitor ethernet oam profile profile1

monitor ethernet oam

The monitor ethernet oam command places the switch in the Ethernet Operations, Administration, and Management (EOAM) configuration mode.

The no monitor ethernet oam and default monitor ethernet oam commands exit from the EOAM configuration mode.

Command Mode

Global Configuration

Command Syntax

monitor ethernet oam

no monitor ethernet oam

default monitor ethernet oam

Example

This command places the switch in the EOAM configuration mode.

switch(config)# monitor ethernet oam
switch(config-eoam)#

period

The period command configures the link monitoring period that is specified for a link error in terms of number of frames or seconds.

Theno period command removes the period type specified on the chosen link error. The defaultperiodcommand configures the link monitoring period as zero seconds.

Command Mode

Link-error Configuration

Command Syntax

{fcs | symbol} period num {seconds | frames}

no {fcs | symbol} period num {seconds | frames}

default {fcs | symbol} period num {seconds | frames}

Parameters

fcs Inbound packets with Frame Check Sequence (FCS) error.
symbol Inbound packets with symbol error.
num The link monitoring period in frames or seconds. The frames value ranges from 1 to 4000000000. The seconds value ranges from 2 to 200 seconds. The default value is 2 seconds.
- seconds The monitor errors per num seconds.
- frames The monitor errors per num frames.

Related Commands

action
threshold

Example

These commands set the frames period type for the profile profile1 in the Link-error configuration mode for 300 frames.

switch(config)# monitor ethernet oam                        
switch(config-eoam)# profile profile1
switch(config-eoam-profile-profile1)# link-error
switch(config-eoam-profile-profile1-link-error)# symbol period 300 frames

phy link detection aggressive

The phy link detection aggressive command allows configuration of interfaces for aggressive link-up declaration (~50 ms) on those interfaces. no/default phy link detection aggressive configuration reverts to a more reliable link-up with at least a two-second delay. When the aggressive mode is not supported, the system generates an advisory message.

Command Mode

Global Configuration

Command Syntax

phy link detection aggressive

no phy link detection aggressive

default phy link detection aggressive

Examples

This command configures aggressive link detection.

switch(config-if-Et1)# phy link detection aggressive
switch(config-if-Et1)#

This command configures aggressive link detection but fails on a platform that does not support the feature.

switch(config-if-Et1)# phy link detection aggressive
detection     detection not supported on this hardware platform
switch(config-if-Et1)#

poe disabled

Power over Ethernet (PoE) is enabled on all Ethernet ports by default on switches that support PoE. The poe disabled command disables PoE on the configuration-mode interface.

The no poe disabled and default poe disabled commands restore PoE on the interface by removing the corresponding poe disabled command from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

poe disabled

no poe disabled

default poe disabled

Example

These commands disable PoE on interface ethernet 7.

switch(config)# interface ethernet 7
switch(config-if-Et7)# poe disabled
switch(config-if-Et7)#

poe legacy detect

IEEE-compliant Powered Devices (PDs) are recognized by a specific resistance signature to a test signal sent by the switch, but non-compliant (legacy or proprietary) PDs may use a capacitive signature instead. The poe legacy detect command causes the configuration-mode interface to attempt to use hardware detection for these non-compliant PoE devices and power them. By default, legacy PD detection is disabled, and legacy devices are not powered.

The no poe legacy detect and default poe legacy detect commands restore the default behavior by removing the corresponding poe legacy detect command from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

poe legacy detect

no poe legacy detect

default poe legacy detect

Example

These commands configure interface ethernet 7 to attempt to detect and power capacitive PDs.

switch(config)#interface ethernet 7
switch(config-if-Et7)#poe legacy detect
switch(config-if-Et7)#

poe limit

Power over Ethernet (PoE) power output is limited by the hardware-negotiated power level and by the total power capacity of the switch. The poe limit command sets an additional maximum power output for the configuration-mode interface. The power limit represents the power output at the Ethernet port; actual power delivered to the PD will be lower due to power loss along the Ethernet cable.

Note: If a power limit is set by this command, Power Via MDI TLVs will not be sent from the interface. See Configuring LLDP for Power over Ethernet for details.

The no poe limit and default poe limit commands restore the default power limitation by removing the corresponding poe limit command from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

poe limit {class class_num | watt_num watts}

no poe limit

default poe limit

Parameters

class_num Specifies the power output limit by power class. Values range from 0-6 as follows:
- Class 0 = 15.4 W
- Class 1 = 4 W
- Class 2 = 7 W
- Class 3 = 15.4 W
- Class 4 = 30 W
- Class 5 = 45 W
- Class 6 = 60 W
watt_num Specifies the power output limit in watts. Values range from 0-60. A value of 0 watts prevents the port from providing PoE power.

Examples

These commands limit nominal PoE power output on interface ethernet 7 to 10 W.

switch(config)# interface ethernet 7
switch(config-if-Et7)# poe limit 10 watts
switch(config-if-Et7)#

These commands limit nominal PoE power output on interface ethernet 7 to 4 W.

switch(config)# interface ethernet 7
switch(config-if-Et7)# poe limit class 1
switch(config-if-Et7)#

power budget

Power over Ethernet (PoE) budget is not set on all Ethernet ports by default on switches that support PoE. The power budget [n] watts command sets a limit of 'n' watts available for use by the ports on the switch. Otherwise, available power for PoE is limited to the sum of all power provided by the PSUs minus the power reserved for the chassis.

The no power budget restores the default state.

Command Mode

Interface-Ethernet Configuration

Command Syntax

power budget [n] watts

no power budget

Example

The following command sets the PoE power budget to 600W.

switch(config)# power budget 600 watts

power budget exceed action (warning | hold-down)

When the Power over Ethernet (PoE) ports exceeds the budgeted amount, the switch issues a warning and continues to provide additional power above the budgeted limit. The power budget exceed action hold-down command causes the switch to issue a warning and limit the power to the configured limit.

The no power budget restores the default state.

Command Mode

Interface-Ethernet Configuration

Command Syntax

power budget exceed action hold-down

no power budget

Example

The following commands set the PoE power budget to 600W and configure the switch to not exceed the limit.

switch(config)# power budget 600 watts
switch(config)# power budget exceed action hold-down

profile

The profile command creates an Ethernet Operations, Administration, and Management (EOAM) profile in the EOAM configuration mode.

The no profile and default profile commands exit from the EOAM configuration mode.

Command Mode

EOAM Configuration

Command Syntax

profile profile_name

no profile profile_name

default profile profile_name

Parameter

profile_name The profile name that is specified.

Related Commands

monitor ethernet oam profile
show monitor ethernet oam profile

Guidelines

Run the shutdown or no shutdown command to bring the port back to the normal state.

Example

These commands create an EOAM profile profile1 in the EOAM configuration mode.

switch(config)# monitor ethernet oam
switch(config-eoam)# profile profile1
switch(config-eoam-profile-profile1)#

qos scheduling

The qos scheduling command places the switch in the QoS scheduling mode under which the scheduling groups and scheduling policies are configured for shared shaper across multiple subinterfaces.

The no qos scheduling command removes the QoS scheduling configuration from the running-config.

Command Mode

QoS Scheduling Mode

Command Syntax

qos scheduling

no qos scheduling

Example

These commands create a scheduling policy with the desired shape rate and optional guaranteed bandwidth:

switch(config)# qos scheduling
switch(config-qos-scheduling)# scheduling policy P1
switch(config-qos-scheduling-policy-P1)# shape rate 75000000
switch(config-qos-scheduling-policy-P1)# bandwidth guaranteed 10000000

recovery-time

The recovery-time command configures the recovery timeout value for link fault signaling.

The no recovery-time command and the default recovery-timecommand removes the recovery timeout value specified for the chosen link error.

Command Mode

Link-error Configuration

Command Syntax

recovery-time value

no recovery-time value

default recovery-time value

Parameters

value Specifies the recovery timeout value for LFS. The value ranges from 20 to 200.

Related Commands

action
period
threshold

Example

These commands set the recovery time value of 40 for the profile profile1 in the Link-error configuration mode.

switch(config)# monitor ethernet oam
switch(config-eoam)# profile profile1                      
switch(config-eoam-profile-profile1)# link-error
switch(config-eoam-profile-profile1-link-error)# recovery-time 40

show hardware counter

The show hardware counter command displays counter events across time intervals.

Command Mode

EXEC

Command Syntax

show hardware counter

Example

This command displays counter events across all time intervals, which are currently more than one standard deviation apart from a given time interval.

switch(config-handler-eventHandler1-counters)# show hardware counter events
-----------------------------------------------------------------------------------------
Interval | Event Name  | Chip | First  | Last  | Count | Z-Score
 |  | Name | Occurrence  | Occurrence  |  | 
-----------------------------------------------------------------------------------------
5 Min  | MacCounters |  All | 2017-01-31 09:31:35 | 2017-01-31 09:44:32 |  5 | -6.9430
10 Min | MacCounters |  All | 2017-01-31 09:39:43 | 2017-01-31 09:44:32 |  3 | -4.8123
-----------------------------------------------------------------------------------------
switch(config-handler-eventHandler1-counters)#

show hardware port-group

The show hardware port-group command displays the status of DCS-7050Q-16 port-groups. Port groups contain one QSFP+ interface and a set of four SFP+ interfaces. In each port group, either the QSFP+ interface or the SFP+ interface set is enabled. The port groups are configured independent of each other.

Port group 1 contains interface 15 (QSFP+) and interfaces 17-20 (SFP+).
Port group 2 contains interface 16 (QSFP+) and interfaces 21-24 (SFP+).

Command Mode

EXEC

Command Syntax

show hardware port-group

Guidelines

The hardware port-group command is available on on DCS-7050Q-16 switches.

Example

This command displays the status of ports in the two port groups on a DCS-7050Q-16 switch.

switch# show hardware port-group

Portgroup: 1    Active Ports: Et15/1-4
Port            State
------------------------------------------
Ethernet17      ErrDisabled
Ethernet18      ErrDisabled
Ethernet19      ErrDisabled
Ethernet20      ErrDisabled
Ethernet15/1    Active
Ethernet15/2    Active
Ethernet15/3    Active
Ethernet15/4    Active

Portgroup: 2    Active Ports: Et16/1-4
Port            State
------------------------------------------
Ethernet16/1    Active
Ethernet16/2    Active
Ethernet16/3    Active
Ethernet16/4    Active
Ethernet21      ErrDisabled
Ethernet22      ErrDisabled
Ethernet23      ErrDisabled
Ethernet24      ErrDisabled
switch>

show interfaces counters bins

The show interfaces counters bins command displays packet counters, categorized by packet length, for the specified interfaces. Packet length counters that the command displays include:

64 bytes
65-127 bytes
128-255 bytes
256-511 bytes
512-1023 bytes
1024-1522 bytes
larger than 1522 bytes

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] counters bins

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.

Related Commands

show interfaces counters
show interfaces counters errors
show interfaces counters queue
show interfaces counters rates

Example

This command displays packet counter results for interface ethernet 1 and interface ethernet 2.

switch#show interfaces ethernet 1-2 counters bins
Input
Port                64 Byte      65-127 Byte     128-255 Byte     256-511 Byte
------------------------------------------------------------------------------
Et1                    2503         56681135          1045154          1029152
Et2                       8         50216275          1518179          1086297

Port          512-1023 Byte   1024-1522 Byte    1523-MAX Byte
-------------------------------------------------------------
Et1                  625825         17157823          8246822
Et2                  631173         27059077          5755101
switch>

show interfaces counters errors

The show interfaces counters errors command displays the error counters for the specified interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] counters errors

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.

Display Values

The table displays the following counters for each listed interface:

FCS: Inbound packets with CRC error and proper size.
Align: Inbound packets with improper size (undersized or oversized).
Symbol: Inbound packets with symbol error and proper size.
Rx: Total inbound error packets.
Runts: Outbound packets that terminated early or dropped because of underflow.
Giants: Outbound packets that overflowed the receiver and were dropped.
Tx: Total outbound error packets.

Related Commands

show interfaces counters
show interfaces counters bins
show interfaces counters queue
show interfaces counters rates

Examples

This command displays the error packet counters on interface ethernet 1 and interface ethernet 2.

switch# show interfaces ethernet 1-2 counters errors
Port               FCS    Align   Symbol       Rx    Runts   Giants       Tx
Et1                  0        0        0        0        0        0        0
Et2                  0        0        0        0        0        0        0
switch>

show interfaces counters ip

Use the show interfaces counters ip command to display IPv4, IPv6 packets, and octets.

Command Mode

EXEC

Command Syntax

show interfaces counters ip

Example

The following command IPv4 and IPv6 ingress and egress counters: configuration mode.

switch# show interfaces counters ip
Interface   IPv4InOctets    IPv4InPkts     IPv6InOctets    IPv6InPkts
Et1/1            0               0               0               0Et1/2            0               0               0               0
Et1/3            0               0               0               0
Et1/4            0               0               0               0
 ...
Interface  IPv4OutOctets  IPv4OutPkts    IPv6OutOctets   IPv6OutPkts    
Et1/1            0               0               0               0
Et1/2            0               0               0               0
Et1/3            0               0               0               0
Et1/4            0               0               0               0
                        ...

show interfaces counters queue

The show interfaces counters queue command displays the queue drop counters for the specified interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] counters queue

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.

Related Commands

show interfaces counters
show interfaces counters bins
show interfaces counters errors
show interfaces counters rates

Example

This command displays the queue drop counters for interface ethernet 1 and interface ethernet 2.

switch# show interfaces ethernet 1-2 counters queue
Port                  InDrops
Et1                       180
Et2                       169
switch>

show interfaces counters rates

The show interfaces counters rates command displays the received and transmitted packet rate counters for the specified interfaces. Counter rates provided include megabits per second (Mbps), kilopackets per second (Kpps) and utilization percentage.

All port rates are approximately calculated. Note that, when displaying the rate information of a port channel, the rate value of the port channel differs from the sum of the rates for the member ports. The discrepancy is likely to be larger for port channels with fewer ports except for port channels with single ports. The rate values of individual member ports are less inaccurate than the rate values of the port channel as a whole.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] counters rates

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.

Related Commands

show interfaces counters
show interfaces counters bins
show interfaces counters errors
show interfaces counters queue

Example

This command displays rate counters for interface ethernet 1 and interface ethernet 2.

switch# show interfaces ethernet 1-2 counters rates
Port        Intvl   In Mbps      %  In Kpps  Out Mbps      % Out Kpps
Et1          0:05      53.3   0.5%        5      31.2   0.3%        2
Et2          0:05      43.3   0.4%        4       0.1   0.0%        0
switch#

show interface counters

Use the show interface counters command to view the VLAN interface, subinterface, and the GRE Tunnel interface ingress and egress counters. The show interface counters command output includes the L3 interfaces when the corresponding hardware counter feature is enabled.

Command Mode

EXEC

Command Syntax

show interface counters

Example

Use the show interface counters command to display the VLAN interface, subinterface, GRE tunnel interface ingress and egress counters:

switch#show interface counters
L3 Interface       InOctets     InUcastPkts     InMcastPkts
Vl12                      0               0               0
Et1.1                     0               0               0
                   InOctets          InPkts
Tun1 		       0               0


L3 Interface       OutOctets     OutUcastPkts     OutMcastPkts
Vl12                      0               0               0
Et1.1                     0               0               0
                   OutOctets          OutPkts
Tun1 		        0               0

show interfaces counters

The show interface counters command displays the Layer 3 ingress traffic count information. Run this command to view the traffic counts on a sub-interface or VLAN interface. The clear counters command resets the counters to zero. Counters displayed by the command include:

inbound bytes
inbound unicast packets
inbound multicast packets
inbound broadcast packets
outbound bytes
outbound unicast packets
outbound multicast packets
outbound broadcast packets

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] counters [incoming]

Parameters

INTERFACE Interface type and numbers. Options include:
- no parameter All interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- management m_range Management interface range specified by m_range.
- port-channel p_range Port-Channel Interface range specified by p_range.
- subinterface Displays the subinterface traffic counts.
- vlan-interface Displays the VLAN-interface traffic counts.
incoming Displays the traffic count for the ingress port.
Note: When no interface is specified, the output starts with ingress and egress counters section for regular interfaces, followed by section for the ingress L3 Interface counters.

Related Commands

show interfaces counters bins
show interfaces counters errors
show interfaces counters queue
show interfaces counters rates

Examples

This command displays byte and packet counters for interface ethernet 1 and interface ethernet 2

switch# show interfaces ethernet 1-2 counters
Port                 InOctets     InUcastPkts     InMcastPkts     InBcastPkts
Et1               99002845169        79116358           75557            2275
Et2               81289180585        76278345           86422              11

Port                OutOctets    OutUcastPkts    OutMcastPkts    OutBcastPkts
Et1                4347928323         6085482          356173            2276
Et2                4512762190         5791718          110498              15
switch>

This command displays the ingress traffic count on a VLAN interface vl12.

switch# show interface vl12 counters incoming
L3 Interface InOctets InUcastPkts InMcastPkts
Vl12           3136          47           2

show interfaces flow-control

The show interfaces flow-control command displays administrative and operational flow control data for the specified interfaces. Administrative data is the parameter settings stored in running-config for the specified interface; the switch uses these settings to negotiate flow control with the peer switch. Operational data is the resolved flow control setting that controls the ports behavior.

Command Mode

EXEC

Command Syntax

show [INTERFACE] flow-control

Parameters

INTERFACE Interface type and number for which flow control data is displayed.

no parameter All interfaces.
ethernet e_range Ethernet interfaces in the specified range.
management m_range Management interfaces in the specified range.

Valid e_range and m_range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command shows the settings for Ethernet interfaces 1-10.

switch# show flow-control interface ethernet 1-10
Port       Send FlowControl  Receive FlowControl  RxPause       TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------------- -------------
Et1        off      off      off      off         0             0
Et2        off      off      off      off         0             0
Et3        off      off      off      off         0             0
Et4        off      off      off      off         0             0
Et5        off      off      off      off         0             0
Et6        off      off      off      off         0             0
Et7        off      off      off      off         0             0
Et8        off      off      off      off         0             0
Et9        off      off      off      off         0             0
Et10       off      off      off      off         0             0
switch#

show interfaces hardware default

The show interfaces hardware default command displays the static interface capability information of the specified interfaces. This command displays information related to the speed, auto-negotiation, error correction, and modulation capabilities (when applicable) of a system’s ports. The command also provides information displayed by the show interfaces hardware command, such as model number, interface type, duplex mode, and flow control settings of the specific interface. Compared to the show interfaces hardware command, this command accounts for the capabilities of the system architecture only, and does not consider the capabilities of a transceiver.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] hardware default

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter all interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.

Valid e_range and m_range formats include number, number range, or comma-delimited list of numbers and ranges.

Examples

This command displays the static interface capability information at the default level.

switch> show interfaces hardware default
Ethernet1
  Model:     DCS-7020TR-48
  Type:      1000BASE-T
  Speed/Duplex: 100M/full,1G/full
  Flowcontrol:  rx-(off,on,desired),tx-(off)
  Autoneg CL28: 100M/full,1G/full
  Autoneg CL37: 1G/full
switch>

This command displays the static interface capability information for interface ethernet 4/1/1

switch> show interfaces ethernet 4/1/1 hardware default
Ethernet4/1/1
  Model:     7500R2AK-36CQ-LC
  Type:      40GBASE-CR4
  Speed/Duplex: 1G/full,10G/full,25G/full,40G/full,50G/full,100G/full
  Flowcontrol:  rx-(off,on,desired),tx-(off)
  Autoneg CL28: 1G/full,10G/full
  Autoneg CL73:
IEEE:           25G/full,40G/full,100G/full
Consortium: 25G/full,50G/full
  Error Correction:
Reed-Solomon: 25G,50G,100G
Fire-code:   25G,50G

show interfaces hardware

The show interfaces hardware command displays the model number, interface type, duplex mode, and flow control settings of the specified interfaces. The capabilities command is available on Ethernet and management interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] hardware

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.

Valid e_range and m_range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command displays the model number, interface type, duplex mode, and flow control settings for interface ethernet 2 and interface ethernet 18.

switch# show interfaces ethernet 2,18 hardware
Ethernet2
  Model:        DCS-7150S-64-CL
  Type:         10GBASE-CR
  Speed/Duplex: 10G/full,40G/full,auto
  Flowcontrol:  rx-(off,on,desired),tx-(off,on,desired)
Ethernet18
  Model:        DCS-7150S-64-CL
  Type:         10GBASE-SR
  Speed/Duplex: 10G/full
  Flowcontrol:  rx-(off,on),tx-(off,on)
switch#

show interfaces interactions

The show interfaces interactions command aims to provide users a resource that explains various relationships between ethernet interfaces. It describes interactions in which a configuration on an interface causes another set of interfaces to become inactive or have reduced capabilities. Examples include a primary interface consuming subordinate interfaces to service a four-lane speed or platform restrictions that require four interfaces of a port to operate at the same speed.

Command Mode

EXEC

Command Syntax

show interfaces [intf] interactions

Parameters

intf Hardware Ethernet interface. You can restrict the output by interface name.

Examples

The information is displayed as a text dump. Each section of information appears on a separate indentation level. The first indent level is the interface, the second is the desired configuration, and the third is the list of interactions. For example, the output below describes the following:

If the user wants to configure Ethernet2/1 for 40G, Ethernet2/2-4 becomes inactive.

If the user wants to configure Ethernet2/1 for 10G, it does not affect other interfaces.

switch# show interface et2/1 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet2/1:
  For speed 40G
    Ethernet2/2-4 become inactive
  For speed 10G*
    No interactions with other interfaces

The asterisk next to the 10G entry indicates that these same interactions apply for speeds lower than 10G that the interface supports. In other words, if this interface also supported 1G or 100M, the configuration does not affect other interfaces.

Types of Interactions

No Interactions

If there are no interactions for the given interfaces, the display shows No interfaces interactions. Depending on what configurations actually have interactions, the line could appear at a number of different indentation levels. The rules are:

If all specified interfaces have no interactions, print at the first indentation level.
If only some specified interfaces have no interactions and those interfaces have no interactions at any speeds, print at the second indentation level for those interfaces.

If only some specified interfaces have no interactions and those interfaces only have interactions at some speeds, print at the third indentation level for those speeds.

switch# show int et1,2 interactions
No interfaces interactions

switch# show int et1,2,5/1 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet1
  No interactions with other interfaces
Ethernet2
  No interactions with other interfaces
Ethernet5/1
  For speed 40G
    Ethernet5/2-4 become inactive
  For speed 10G*
    No interactions with other interfaces

Inactive Interfaces

If a configuration on an interface causes other interfaces to become inactive, a message similar to the ones bolded below appear. A common example of this is configuring a QSFP28 port for 100G, which results in the /2,/3, and /4 interfaces becoming inactive. Note that display information for inactive interfaces are included in the specified range, ignoring whether or not inactive interfaces are exposed.

switch#show interfaces et11/1,11/3 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet11/1:
  For speed 100G-4
    Ethernet11/2-4 become inactive
  For speed 50G-2
    Ethernet11/2,11/4 become inactive
    Ethernet11/3 is limited to 50G-2
  For speed 40G
    Ethernet11/2-4 become inactive
  For speed 25G
    Ethernet11/2-4 are limited to 25G
  For speed 10G*
    Ethernet11/2-4 are limited to 10G*
Ethernet11/3:
  For speed 50G-2
    Ethernet11/4 becomes inactive
    Primary interface Ethernet11/1 must be operating at 50G-2
  For speed 25G
    Primary interface Ethernet11/1 must be operating at 25G
  For speed 10G*
    Primary interface Ethernet11/1 must be operating at 10G*

Required Primary Interface Configuration

Some interface configurations require a particular primary interface configuration to function. These interactions are captured with messages similar to the ones bolded below.

switch#show interfaces et11/1,11/3 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet11/1:
  For speed 100G-4
    Ethernet11/2-4 become inactive
  For speed 50G-2
    Ethernet11/2,11/4 become inactive
    Ethernet11/3 is limited to 50G-2
  For speed 40G
    Ethernet11/2-4 become inactive
  For speed 25G
    Ethernet11/2-4 are limited to 25G
  For speed 10G*
    Ethernet11/2-4 are limited to 10G*
Ethernet11/3:
  For speed 50G-2
    Ethernet11/4 becomes inactive
    Primary interface Ethernet11/1 must be operating at 50G-2
  For speed 25G
    Primary interface Ethernet11/1 must be operating at 25G
  For speed 10G*
    Primary interface Ethernet11/1 must be operating at 10G*

Hardware Speed-Group Requirements

Some interface configurations require an additional speed-group configuration in order to operate correctly.If speed-group configurations are required, there will be a message displayed similar to the ones bolded below.

Note: A single speed-group may include more than one compatibility setting. Using the example below as reference, Ethernet1/1 at 100G-4 and Ethernet2/1 at 40G are compatible configurations as long as hardware speed-group 1 can include 50g and 10g rates simultaneously.

switch# show interfaces et1/1,2/1 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet1/1:
  For speed 100G-4
    Ethernet1/2-4 become inactive
    Hardware speed-group 1 must include 50g
  For speed 40G
    Ethernet1/2-4 become inactive
    Hardware speed-group 1 must include 10g
  For speed 25G
    Ethernet2/1,2/3 become inactive
    Ethernet1/3 is limited to 25G/10G
    Hardware speed-group 1 must include 25g
  For speed 10G
    Ethernet2/1,2/3 become inactive
    Ethernet1/3 is limited to 25G/10G
    Hardware speed-group 1 must include 10g
Ethernet2/1:
  For speed 100G-4
    Ethernet2/3 becomes inactive
    Ethernet1/1 must be operating at 100G-4/50G-2/40G
    Hardware speed-group 1 must include 50g
  For speed 40G
    Ethernet2/3 becomes inactive
    Ethernet1/1 must be operating at 100G-4/50G-2/40G
    Hardware speed-group 1 must include 10g

Compatible Parent Interface Configuration

The parent interface may be configured for any one of the list of compatible rates. Additionally, more than one interface may be required to be configured at a compatible rate. These interactions are captured with messages similar to the ones bolded below

Note: Using the example below as a reference, suppose that Ethernet1/1 is configured for 100G-4 and that the goal is to configure Ethernet1/8 to 50G-1. According to the display, Ethernet1/1 is configured for a compatible rate. That said, in order for Ethernet1/1 to operate at 100G-4, hardware speed-group 1 must be configured to include the 25g compatibility setting. Additionally, hardware speed-group 1 must also include the 50g compatibility setting to enable Ethernet1/8 to operate at 50G-1. Interactions on Ethernet1/5 and Ethernet1/7 must be considered as well (omitted from the example for brevity).

switch# show interfaces et1/1,1/8 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet1/1:
  Ethernet1/1-4/8 share 18 interface hardware resources
  For speed 400G-8
    Ethernet1/2-8 become inactive
    Hardware speed-group 1 must include 50g
  For speed 200G-4
    Ethernet1/2-4 become inactive
    Hardware speed-group 1 must include 50g
  For speed 100G-2
    Ethernet1/2 becomes inactive
    Hardware speed-group 1 must include 50g
  For speed 100G-4
    Ethernet1/2-4 become inactive
    Hardware speed-group 1 must include 25g
  For speed 50G-1
    Hardware speed-group 1 must include 50g
  For speed 50G-2
    Ethernet1/2 becomes inactive
    Hardware speed-group 1 must include 25g
  For speed 40G
    Ethernet1/2-4 become inactive
    Hardware speed-group 1 must include 10g
  For speed 25G
    Hardware speed-group 1 must include 25g
  For speed 10G
    Hardware speed-group 1 must include 10g
Ethernet1/8:
  For speed 50G-1
    Ethernet1/1 must be operating at 200G-4/100G-2/100G-4/50G-1/50G-2/40G/25G/10G
    Ethernet1/5 must be operating at 100G-2/50G-1/50G-2/25G/10G
    Ethernet1/7 must be operating at 50G-1/25G/10G
    Hardware speed-group 1 must include 50g

Speed-limited Interfaces

Some interface configurations limit at what other interfaces can operate. If such limitations occur, a message displays similar to the ones bolded below.

switch# show interfaces et11/1,11/3 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet11/1:
  For speed 100G-4
    Ethernet11/2-4 become inactive
  For speed 50G-2
    Ethernet11/2,11/4 become inactive
    Ethernet11/3 is limited to 50G-2
  For speed 40G
    Ethernet11/2-4 become inactive
  For speed 25G
    Ethernet11/2-4 are limited to 25G
  For speed 10G*
    Ethernet11/2-4 are limited to 10G*
Ethernet11/3:
  For speed 50G-2
    Ethernet11/4 becomes inactive
    Primary interface Ethernet11/1 must be operating at 50G-2
  For speed 25G
    Primary interface Ethernet11/1 must be operating at 25G
  For speed 10G*
    Primary interface Ethernet11/1 must be operating at 10G*

Interfaces Sharing Logical Ports

Some interface ranges share logical port resources. If an interface shares logical ports with other interfaces, a message displays similar to the ones bolded below.

Note: There must be logical ports available for an interface to become operational. Not all interfaces sharing logical ports can be operational simultaneously. Inactive interfaces do not consume a resource.

switch# show interfaces et1/1,4/1 interactions
* = includes less than 10G speeds that the interface is capable of

Ethernet1/1:
  Ethernet1/1-4/8 share 18 interface hardware resources
  For speed 400G-8
    ...
Ethernet4/1:
  Ethernet1/1-4/8 share 18 interface hardware resources
  For speed 400G-8
    ...

show interfaces negotiation

The show interfaces negotiation command displays the speed, duplex, and flow control auto-negotiation status for the specified interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] negotiation [INFO_LEVEL]

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter Display information for all interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
Valid e_range and m_range formats include number, number range, or comma-delimited list of numbers and ranges.
INFO_LEVEL Amount of information that is displayed. Options include:
- no parameter Displays status and negotiated setting of local ports.
- detail Displays status and negotiated settings of local ports and their peers.

Examples

This command displays the negotiated status of management 1 and management 2 interfaces.

switch# show interface management 1-2 negotiation
Port       Autoneg            Negotiated Settings
           Status   Speed     Duplex    Rx Pause  Tx Pause
---------  -------  --------  --------  --------  --------
Ma1        success  100M      full      off       off
Ma2        success  auto      auto      off       off
switch>

This command displays the negotiated status of management 1 interface and its peer interface.

switch# show interface management 1 negotiation detail
Management1 :

Auto-Negotiation Mode     10/100/1000 BASE-T (IEEE Clause 28)
Auto-Negotiation Status   Success

  Advertisements       Speed           Duplex     Pause
                       --------------- ---------- --------------------
      Local            10M/100M/1G     half/full  Disabled
      Link Partner     None            None       None

  Resolution           100Mb/s         full       Rx=off,Tx=off
switch>

show interfaces phy

The show interfaces phy command displays physical layer characteristics for the specified interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] phy [INFO_LEVEL]

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All interfaces.
ethernet e_range Ethernet interfaces in specified range.
Valid e_range formats include number, number range, or comma-delimited list of numbers and ranges.
INFO_LEVEL Amount of information that is displayed. Options include:
- no parameter Command displays table that summarizes PHY data.
- detail Command displays data block for each specified interface.

Examples

This command summarizes PHY information for Ethernet interfaces 1-5.

switch# show interfaces ethernet 1-5 phy
Key:
   U    = Link up
   D    = Link down
   R    = RX Fault
   T    = TX Fault
   B    = High BER
   L    = No Block Lock
   A    = No XAUI Lane Alignment
   0123 = No XAUI lane sync in lane N

                                  State    Reset
Port           PHY state        Changes    Count PMA/PMD PCS   XAUI
-------------- --------------- -------- -------- ------- ----- --------
Ethernet1      linkUp             14518     1750 U..     U.... U.......
Ethernet2      linkUp             13944     1704 U..     U.... U.......
Ethernet3      linkUp             13994     1694 U..     U.... U.......
Ethernet4      linkUp             13721     1604 U..     U.... U.......
Ethernet5      detectingXcvr          3        1               D..A0123
switch#

This command displays detailed PHY information for interface ethernet 1.

switch# show interfaces ethernet 1 phy detail
Current System Time: Mon Dec  5 11:32:57 2011
Ethernet1
                              Current State     Changes            Last Change
  PHY state                   linkUp              14523            0:02:01 ago
  HW resets                                        1751            0:02:07 ago
  Transceiver                 10GBASE-SRL          1704            0:02:06 ago
  Transceiver SN              C743UCZUD
  Oper speed                  10Gbps
  Interrupt Count                                 71142
  Diags mode                  normalOperation
  Model                       ael2005c
  Active uC image             microInit_mdio_SR_AEL2005C_28
  Loopback                    none
  PMA/PMD RX signal detect    ok                  11497            0:37:24 ago
  PMA/PMD RX link status      up                  11756            0:37:24 ago
  PMA/PMD RX fault            ok                  11756            0:37:24 ago
  PMA/PMD TX fault            ok                      0                  never
  PCS RX link status          up                   9859            0:02:03 ago
  PCS RX fault                ok                   9832            0:02:03 ago
  PCS TX fault                ok                    330            0:27:44 ago
  PCS block lock              ok                   9827            0:02:03 ago
  PCS high BER                ok                   8455            0:02:05 ago
  PCS err blocks              255                                  0:02:03 ago
  PCS BER                     16                  50092            0:02:05 ago
  XFI/XAUI TX link status     up                   1282            0:27:44 ago
  XFI/XAUI RX fault           ok                    585            0:27:44 ago
  XFI/XAUI TX fault           ok                   2142            0:02:05 ago
  XFI/XAUI alignment status   ok                   2929            0:02:05 ago
  XAUI lane 0-3 sync          (0123) = 1111        2932            0:02:05 ago
  XAUI sync w/o align HWM     0                                          never
  XAUI sync w/o align max OK  5
  XAUI excess sync w/o align  0                                          never
  Xcvr EEPROM read timeout                           46    4 days, 6:33:45 ago
  Spurious xcvr detection                             0                  never
  DOM control/status fail                             0
  I2C snoop reset             0
  I2C snoop reset (xcvr)      0
  Margin count                5                last > 0            0:00:00 ago
  EDC resets                  1                                    0:02:03 ago
  EDC FFE0 - FFE11            -4 -5 57 -6 -6 -2 1 0 -2 -1 1 -1
  EDC FBE1 - FBE4             6 -1 5 -1
  EDC TFBE1 - TFBE4           1 2 1 2
  EDC VGA1, VGA3              12 115
  TX path attenuation         3.0 dB
  TX preemphasis              (0,63,4) (pre,main,post)
switch#

show interfaces status errdisabled

The show interfaces status errdisabled command displays interfaces that are in errdisabled state, including their link status and errdisable cause.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] status errdisabled

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter Display information for all interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
port-channel p_range Port-Channel Interface range specified by p_range.
Valid e_range and m_range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command displays the error-disabled ports.

switch# show interfaces status errdisabled

Port    Name           Status        Reason
------- -------------- ------------- ------------------
Et49/2                 errdisabled   multi-lane-intf
Et49/3                 errdisabled   multi-lane-intf
Et49/4                 errdisabled   multi-lane-intf
switch>

show interfaces status

The show interfaces status command displays the interface name, link status, vlan, duplex, speed, and type of the specified interfaces. When the command includes a link status, the results are filtered to display only interfaces whose link status match the specified type.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE]status [STATUS_TYPE]

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All existing interfaces.
ethernet e_range Ethernet interfaces in the specified range.
management m_range Management interfaces in the specified range.
port-channel p_range All existing port-channel interfaces in the specified range.
Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.
STATUS_TYP Einterface status upon which the command filters output. Options include:
- no parameter Command does not filter on interface status.
- connected Interfaces connected to another port.
- notconnect Unconnected interfaces that are capable of connecting to another port.
- disabled Interfaces that have been powered down or disabled.
- sub-interfaces L3 subinterfaces configured on the switch.
  Command may include multiple status types (connected, notconnect, disabled), which can be placed in any order.

Examples

This command displays the status of Ethernet interfaces 1-5.

switch# show interfaces ethernet 1-5 status
Port      Name              Status       Vlan        Duplex  Speed Type
Et1                         connected    1             full    10G 10GBASE-SRL
Et2                         connected    1             full    10G 10GBASE-SRL
Et3                         connected    1             full    10G 10GBASE-SRL
Et4                         connected    1             full    10G 10GBASE-SRL
Et5                         notconnect   1             full    10G Not Present
switch>

This command displays status information for all subinterfaces configured on the switch.

switch# show interfaces status sub-interfaces
Port       Name    Status       Vlan     Duplex Speed  Type                Flags
Et1.1              connect       101      full   10G   dot1q-encapsulation
Et1.2              connect       102      full   10G   dot1q-encapsulation
Et1.3              connect       103      full   10G   dot1q-encapsulation
Et1.4              connect       103      full   10G   dot1q-encapsulation
switch>

show interface transceiver dom

The show interface [<intf>] transceiver dom command displays the most important current performance data on the media (line) side.

Example

switch# show interface Ethernet11/1 transceiver dom
Ch: Channel, N/A: not applicable, TX: transmit, RX: receive
mA: milliamperes, dBm: decibels (milliwatts), C: Celsius, V: Volts

Port 11
Last update: 0:00:05 ago
                                             Value
                                        ----------------
   Case temperature                         66.59 C
   Voltage                                   3.26 V
   TX power                                -10.23 dBm
   RX total power                          -11.61 dBm
   RX channel power                        -11.94 dBm
   Pre-FEC BER                           1.82e-03 
   Post-FEC errored frames ratio         0.00e+00 
   Chromatic dispersion (short link)         0.00 ps/nm
   Chromatic dispersion (long link)          0.00 ps/nm
   Differential group delay                  9.31 ps
   SOPMD                                     0.00 ps^2
   Polarization dependent loss               0.40 dB
   Received OSNR estimate                   35.10 dB
   Received ESNR estimate                   17.50 dB
   Carrier frequency offset                  0.00 MHz
   Error vector magnitude                  100.00 %
   SOP rate of change                        0.00 krad/s
   Laser temperature                        59.54 C
   Laser frequency                         193100.00 GHz

BER: Bit Error Rate
FEC: Forward Error Correction
OSNR: Optical Signal to Noise Ratio
ESNR: Electrical Signal to Noise Ratio
SOP: State of Polarization
SOPMD: State of Polarization Mode Dispersion

show interface transceiver eeprom

The show interface [<intf>] transceiver eeprom command displays the parsed capabilities.

Example

For 400GBASE-ZR, parsing of frequency tuning, power tuning ( page 04h ) and VDM configuration pages (20h-23h) is added.

switch# show interface Ethernet15/1 transceiver eeprom
Ethernet15 EEPROM:
...
  Frequency tuning support (04h:128-129):
    Grid spacing capabilities (04h:128):
      100 GHz grid supported (04h:128): true
      12.5 GHz grid supported (04h:128): false
      25 GHz grid supported (04h:128): false
      3.125 GHz grid supported (04h:128): false
      33 GHz grid supported (04h:128): false
      50 GHz grid supported (04h:128): false
      6.25 GHz grid supported (04h:128): false
      75 GHz grid supported (04h:128): true
    Tunable wavelength (04h:128): true
    Fine tuning support (04h:129): false
  Supported channel boundaries (04h:130-161):
    100 GHz grid (04h:150-153):
      Lowest channel (04h:150-151): -18
      Lowest frequency (04h:150-151): 191300000 MHz
      Highest channel (04h:152-153): 30
      Highest frequency (04h:152-153): 196100000 MHz
    75 GHz grid (04h:158-161):
      Lowest channel (04h:158-159): -72
      Lowest frequency (04h:158-159): 191300000 MHz
      Highest channel (04h:160-161): 120
      Highest frequency (04h:160-161): 196100000 MHz
  Programmable output power advertisement (04h:196-201):
    Lane programmable output power supported (04h:196): false
  VDM configuration (20h:128-255;21h:128-255):
    VDM group 1 (20h:128-255):
      Parameter 1 (20h:128-129):
        Lane (20h:128): 0
        Threshold ID (20h:128): 0
        Parameter type (20h:129): Laser temperature
      Parameter 3 (20h:132-133):
        Lane (20h:132): 0
        Threshold ID (20h:132): 2
        Parameter type (20h:133): eSNR host input
      Parameter 4 (20h:134-135):
        Lane (20h:134): 1
        Threshold ID (20h:134): 2
        Parameter type (20h:135): eSNR host input
      Parameter 5 (20h:136-137):
        Lane (20h:136): 2
        Threshold ID (20h:136): 2
        Parameter type (20h:137): eSNR host input
...
       Parameter 84 (21h:166-167):
        Lane (21h:166): 0
        Threshold ID (21h:166): 14
        Parameter type (21h:167): MER
  Number of VDM groups supported (2Fh:128): 2

show interfaces transceiver channels

The show interfaces transceiver channels command displays current wavelength/frequency settings for the specified channels.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE e_range] transceiver channels

Parameters

INTERFACE Interface type and port numbers.

ethernet e_range Ethernet interface range specified by e_range.

Related Commands

transceiver channel
show interfaces transceiver hardware

Example

This command displays the supported wave lengths/frequencies and their corresponding channel numbers on Ethernet interface 4 to slot 3 through 4.

switch(config-as-if-Et4/1/3)#show interfaces ethernet 4/3/4 transceiver 
channels
Name: Et4/3/4
100GHz- 50GHz-
Wavelength Frequency spacing spacing
(nm) (GHz) Channel Channel
---------- --------- ------- -------
1567.95 191,200 1 1
1567.54 191,250 2
1567.13 191,300 2 3
1566.72 191,350 4
....
1529.16 196,050 98
1528.77 196,100 50 99
1528.38 196,150 100
switch(config-as-if-Et4/1/3)#

show interfaces transceiver hardware

The show interfaces transceiver hardware command displays current wavelength/frequency settings for the specified transceiver interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] ethernet e_range transceiver hardware

Parameters

INTERFACE Interface type and port numbers.

ethernet e_range Ethernet interface range specified by e_range.

Related Commands

transceiver channel
show interfaces transceiver channels

Example

This command displays the current wavelength/frequency settings on interface ethernet 4 to slot 3 through 4.

switch(config-as-if-Et4/1/3)# show interfaces ethernet 4 / 3 / 4 transceiver hardware
Name: Et4/3/4
Media Type: 10GBASE-DWDM
Configured Channel : 39
Configured Grid (GHz) : 50
Computed Frequency (GHz) : 193,100
Computed Wavelength (nm) : 1552.52
Operational Channel : 39 (Default)
Operational Grid (GHz) : 50 (Default)
Operational Frequency (GHz): 193,100
Operational Wavelength (nm): 1552.52
switch(config-as-if-Et4/1/3)#

show interfaces transceiver properties

The show interfaces transceiver properties command displays configuration information for the specified interfaces. Information provided by the command includes the media type, interface speed-duplex settings, speed-duplex operating state.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] transceiver properties

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter Display information for all interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
Valid e_range and m_range formats include number, number range, or comma-delimited list of numbers and ranges.

Related Commands

show interfaces transceiver

Example

This command displays the media type, speed, and duplex properties for Ethernet interfaces 1-3.

switch# show interfaces ethernet 1-3 transceiver properties
Name : Et1
Administrative Speed: 10G
Administrative Duplex: full
Operational Speed: 10G (forced)
Operational Duplex: full (forced)
Media Type: 10GBASE-SRL

Name : Et2
Administrative Speed: 10G
Administrative Duplex: full
Operational Speed: 10G (forced)
Operational Duplex: full (forced)
Media Type: 10GBASE-SRL

Name : Et3
Administrative Speed: 10G
Administrative Duplex: full
Operational Speed: 10G (forced)
Operational Duplex: full (forced)
Media Type: 10GBASE-SRL

switch>

show interfaces transceiver

The show interfaces transceiver command displays operational transceiver data for the specified interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] transceiver [DATA_FORMAT]

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter All interfaces.
ethernet e_range Ethernet interface range specified by e_range.
management m_range Management interface range specified by m_range.
Valid e_range, and m_range formats include number, number range, or comma-delimited list of numbers and ranges.
DATA_FORMAT format used to display the data. Options include:
- no parameter table entries separated by tabs.
- csv table entries separated by commas.

Related Commands

show interfaces transceiver properties

Example

This command displays transceiver data on interface ethernet 1 through interface ethernet 4.

switch# show interfaces ethernet 1-4 transceiver
If device is externally calibrated, only calibrated values are printed.
N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).
                             Bias      Optical   Optical
        Temp       Voltage   Current   Tx Power  Rx Power  Last Update
Port    (Celsius)  (Volts)   (mA)      (dBm)     (dBm)     (Date Time)
-----   ---------  --------  --------  --------  --------  -------------------
Et1      34.17      3.30      6.75     -2.41     -2.83     2011-12-02 16:18:48
Et2      35.08      3.30      6.75     -2.23     -2.06     2011-12-02 16:18:42
Et3      36.72      3.30      7.20     -2.02     -2.14     2011-12-02 16:18:49
Et4      35.91      3.30      6.92     -2.20     -2.23     2011-12-02 16:18:45
switch#

show monitor ethernet oam profile

The show monitor ethernet oam profile command displays configuration information for the specified ethernet OAM profile name or the summary information of all configured profile names.

Command Mode

EXEC

Command Syntax

show monitor ethernet oam profile [name | summary]

Parameters

name The EOAM profile name.
summary The EOAM summary of all profiles that are configured.

Related Commands

link-error
monitor ethernet oam profile

Examples

This command displays the OAM profile configuration information for the specific profile name.

switch# show monitor ethernet oam profile[name] 

         Ethernet OAM Profile : p

         Error Type : symbol

                           Threshold  :    20  frames
                           Action     :           log
                           Period     :    20 seconds

         Error Type : fcs
                           Threshold  :    10  frames
                           Action     :     linkfault
                           Period     :   100  frame

         Recovery Timeout : 20

This command displays the OAM profile configuration summary for all profiles configured.

switch# show monitor ethernet oam profile [name] summary

         Eoam Profile : p 
            Configured on:  Et3/1-4,5

show platform fm6000 agileport map

The show platform fm6000 agileport map command displays the list of Ethernet interfaces that are combinable to form a higher speed port.

Command Mode

Privileged EXEC

Command Syntax

show platform fm6000 agileport map

Example

These commands displays the agile port map for the switch, then configures Ethernet interface 13 as a 40G port, subsuming Ethernet interfaces 15, 17 and 19.

switch# show platform fm6000 agileport map

-----------------------------------------------------------------
Agile Ports       |        Interfaces subsumed in 40G link
-----------------------------------------------------------------
Ethernet1         |  Ethernet3      Ethernet5      Ethernet7
Ethernet2         |  Ethernet4      Ethernet6      Ethernet8
Ethernet13        |  Ethernet15     Ethernet17     Ethernet19
Ethernet14        |  Ethernet16     Ethernet18     Ethernet20

switch# config
switch(config)# interface ethernet 13
switch(config-if-Et13)# speed 40gfull

  WARNING!  Executing this command will cause the forwarding agent
            to be restarted. All interfaces will briefly drop links
            and forwarding on all interfaces will momentarily stop.


            Do you wish to proceed with this command? [y/N]

Ethernet13 configured for 40G.
Ethernet15, Ethernet17 and Ethernet19 are now subsumed.
switch(config-if-Et13)#

show platform trident flexcounters

Use the show platform trident flexcounters command to display the L3 interfaces when the corresponding hardware counter feature is enabled.

Command Mode

Privileged EXEC

Command Syntax

show platform trident flexcounters [vni [egress summary | ingress summary]]|[[vtep [decap summary | encap summary]]

Parameters

vni Displays the VNI feature state.
- egress summary Displays the egress direction flexcounters summary.
- ingress summary Displays the ingress direction flexcounters summary.
vtep Displays the VTEP feature state
- decap summary Displays the decap direction flexcounter summary.
- encap summary Displays the encap direction flexcounter summary.

Examples

The following example displays the headings for the show platform tridant flexcounters vni egress summary show command.

switch# show platform tridant flexcounters vni egress summary
VNI      EgrVfiIndex    PoolId    OffsetMode    BaseCounterIndex
-----------------------------------------------------------------

The following example displays the headings for the show platform trident flexcounters vni ingress summary show command.

switch# show platform trident flexcounters vni ingress summary
VNI      VfiIndex    PoolId    OffsetMode    BaseCounterIndex
--------------------------------------------------------------

The following example displays the headings for the show platform trident flexcounters vtep decap summary show command.

switch# show platform trident flexcounters vtep decap summary
VTEP      SvpIndex    PoolId    OffsetMode    BaseCounterIndex
---------------------------------------------------------------

The following example displays the headings for the show platform trident flexcounters vtep encap summaryshow command.

switch# show platform trident flexcounters vtep encap summary
VTEP      DvpIndex    PoolId    OffsetMode    BaseCounterIndex
---------------------------------------------------------------

show platform trident flexcounters l3intf

Use the show platform trident flexcounters l3intf command to display the subinterface, SVI, and GRE tunnel interface features.

Command Mode

EXEC

Command Syntax

show platform trident flexcounters l3intf [[in | out] [summary | values]]

Parameters

in summary Displays the details of the hardware resources allocated to the ingress subinterface, SVI, and GRE Tunnel Interface features.
out summary Displays the details of the hardware resources allocated to the egress subinterface, SVI, and GRE Tunnel Interface features.
in values Displays the counters in the counter and snapshot table for the ingress subinterface, SVI, and GRE Tunnel Inteface features.
out values Displays the counters in the counter and snapshot table for the egress subinterface, SVI, and GRE Tunnel Interface features.

Note: The counter values in this show command output are not reset by the clear counters command.

Examples

Use the show platform trident flexcounters l3intf in summary command to display the details of the hardware resources allocated to the ingress subinterface, SVI, and GRE Tunnel Interface features.

switch# show platform trident flexcounters l3intf in summary
L3intf     CounterIndex    PoolId    OffsetMode   BaseCounterIndex
-------------------------------------------------------------------

Use the show platform trident flexcounters l3intf out summary command to display the details of the hardware resources allocated to the egress subinterface, SVI, and GRE Tunnel Interface features.

switch# show platform trident flexcounters l3intf out summary
L3intf     CounterIndex    PoolId    OffsetMode   BaseCounterIndex
-------------------------------------------------------------------

Use the show platform trident flexcounters l3intf in values command to display the counters in the counter and snapshot table for the ingress subinterface, SVI, and GRE Tunnel Interface features.

switch# show platform trident flexcounters l3intf in values
L3intf   Offser Bytes(cntTbl)    Bytes(snapTbl)    Pkts(cntTbl)    Pkts(snapTbl)
---------------------------------------------------------------------------------

Use the show platform trident flexcounters l3intf out values command to display the counters in the counter and snapshot table for the egress subinterface, SVI, and GRE Tunnel Interface features.

switch# show platform trident flexcounters l3intf out values

L3intf   Offser Bytes(cntTbl)    Bytes(snapTbl)    Pkts(cntTbl)    Pkts(snapTbl)
--------------------------------------------------------------------------------

show poe

The show poe command displays PoE information for a specified port range or for all ports.

Command Mode

Privileged EXEC

Command Syntax

show poe [INTERFACE]

Parameters

INTERFACE Interface type and numbers. Options include:

no parameter Display information for all interfaces.
ethernet e_range Ethernet interface range specified by e_range.

Example

This command displays PoE information for interface ethernet 46.

switch(config)# show poe interface ethernet 46

Port Enabled Enabled Limit  Power   State   Class  Power Current Voltage Temperature
---- ------- ------- ------ ------- ------- ------ ----- ------- ------- -----------
46      True    True 15.40W  15.40W powered class0 1.40W 27.00mA  55.04V      41.25C
switch(config-if-Et7)#

show qos scheduling

The show qos scheduling command displays the QoS configuration on one or more scheduling groups. Both group name and parent interface name are optional, in which case all groups will be displayed.

Command Mode

Privileged EXEC

Command Syntax

show qos scheduling Options

Parameter

Options include the Group, Interface or the Hierarchy.

Example

This command displays the QoS configuration for scheduling group G1 of interface Ethernet1.

switch# show qos scheduling group G1 Ethernet1
Interface: Et1
Scheduling Group Name: G1
Bandwidth: 10.1 / 10.0 (Gbps)
Shape Rate: 75.2 / 75.0 (Gbps)

Member         Bandwidth        Shape Rate
                (units)           (units)
------       -------------  ------------------
Et1.1           - /  - (-)  50.1 / 50.0 (Gbps)
Et1.2           - /  - (-)  30.1 / 30.0 (Gbps)

show route counters

Use the show route [ipv4 | ipv6] counters to display the IPv4 or IPv6 pack and byte counts.

Command Mode

EXEC

Command Syntax

show route [ipv4 | ipv6]

Parameters

ipv4 Displays IPv4 route counters.
ipv6 Displays IPv6 route counters.

Example

The following example displays the IPv4 packet and byte count.

switch# show route ipv4 counters
Vrf Name        Prefix       Packet Count    Byte Count
-------- ---------------- ------------------ ----------
 default    22.0.0.0/8                     0          0
 default    32.0.0.0/8                     0          0

show transceiver status interface

The show transceiver status interface [<intf>] command displays the most important alarms, faults and interface status.

Example

For 400GBASE-ZR modules, media and host side coherent alarms, host-side pre-FEC BER, defined in the Coherent CMIS and post-FEC BER have been added to the command’s output:

switch# show transceiver status interface Ethernet14/1
                                Current State        Changes       Last Change
                                -------------        -------       -----------
Port 14
  Transceiver                   400GBASE-ZR                1       0:15:09 ago
  Transceiver SN                200554050                          
  Presence                      present                            
  Adapters                      none                               
  Bad EEPROM checksums                                     0       never
  Resets                                                   0       0:15:14 ago
  Interrupts                                               0       never
  Data path firmware fault      ok                         0       never
  Module firmware fault         ok                         0       never
  Temperature high alarm        ok                         0       never
  Temperature high warn         ok                         0       never
  Temperature low alarm         ok                         0       never
  Temperature low warn          ok                         0       never
  Voltage high alarm            ok                         0       never
  Voltage high warn             ok                         0       never
  Voltage low alarm             ok                         0       never
  Voltage low warn              ok                         0       never
  Module state                  ready                      4       0:14:55 ago
  Data path 1 state             activated                  4       0:07:21 ago
  Data path 2 state             activated                  4       0:07:21 ago
  Data path 3 state             activated                  4       0:07:21 ago
  Data path 4 state             activated                  4       0:07:21 ago
  Data path 5 state             activated                  4       0:07:21 ago
  Data path 6 state             activated                  4       0:07:21 ago
  Data path 7 state             activated                  4       0:07:21 ago
  Data path 8 state             activated                  4       0:07:21 ago
  RX LOS                        ok                         2       0:05:54 ago
  TX fault                      ok                         0       never
  RX CDR LOL                    ok                         0       never
  TX power high alarm           ok                         0       never
  TX power high warn            ok                         2       0:07:39 ago
  TX power low alarm            ok                         2       0:07:50 ago
  TX power low warn             ok                         4       0:07:39 ago
  TX bias high alarm            ok                         0       never
  TX bias high warn             ok                         0       never
  TX bias low alarm             ok                         0       never
  TX bias low warn              ok                         0       never
  RX power high alarm           ok                         0       never
  RX power high warn            ok                         0       never
  RX power low alarm            ok                         0       never
  RX power low warn             ok                         0       never
  TX loss of alignment       ok                         0       never
  TX out of alignment           ok                         0       never
  TX clock monitor unit LOL     ok                         0       never
  TX reference clock LOL        ok                         0       never
  TX deskew LOL                 ok                         0       never
  TX FIFO error                 ok                         0       never
  RX demodulator LOL            ok                         0       never
  RX CD compensation LOL        ok                         0       never
  RX loss of alignment          ok                         0       never
  RX out of alignment           ok                         0       never
  RX deskew LOL                 ok                         0       never
  RX FIFO error                 ok                         0       never
  RX FEC excessive degrade      ok                         0       never
  RX FEC detected degrade       ok                         0       never
  Freq tuning in progress       idle                       0       never
  Freq tuning busy              ok                         0       never
  Freq tuning invalid channel   ok                         0       never
  Freq tuning completed         no                         2       0:07:34 ago
Ethernet14/1
  Operational speed             400Gbps                            
  Pre-FEC bit error rate        0.00e+00                           
  Post-FEC errored frames ratio 0.00e+00                           
  TX LOS
    Host lane 1                 ok                         0       never
    Host lane 2                 ok                         0       never
    Host lane 3                 ok                         0       never
    Host lane 4                 ok                         0       never
    Host lane 5                 ok                         0       never
    Host lane 6                 ok                         0       never
    Host lane 7                 ok                         0       never
    Host lane 8                 ok                         0       never
  TX CDR LOL
    Host lane 1                 ok                         0       never
    Host lane 2                 ok                         0       never
    Host lane 3                 ok                         0       never
    Host lane 4                 ok                         0       never
    Host lane 5                 ok                         0       never
    Host lane 6                 ok                         0       never
    Host lane 7                 ok                         0       never
    Host lane 8                 ok                         0       never
  TX adaptive input EQ fault
    Host lane 1                 ok                         0       never
    Host lane 2                 ok                         0       never
    Host lane 3                 ok                         0       never
    Host lane 4                 ok                         0       never
    Host lane 5                 ok                         0       never
    Host lane 6                 ok                         0       never
    Host lane 7                 ok                         0       never
    Host lane 8                 ok                         0       never

Note:In the operational state, module state is ‘Ready’ and datapath state for all 8 lanes is activated.

show VXLAN counters vni

Use the show VXLAN counters vni command to display the encapsulation and decapsulation counters at the VNI.

Command Mode

Privledged EXEC

Command Syntax

show VXLAN counters vni [encap | decap]

Parameters

encapDisplays the encapsulation related counters at the VNI.
decap Displays the decapsulation related counters at the VNI.

Examples

The following show VXLAN counters vni encap command displays the encapsulation related commands at the VNI.

switch# show VXLAN counters vni encap
                                      Encap BUM   Encap Drop
VNI       Encap Bytes  Encap Packets  Packets     Packets
-------- ------------- -------------- ----------- -----------
2824963             0               0           0           0
7023745             0               0           0           0

Encap Packets displays the total count of L2 packets that have been successfully encapsulated by the VNI towards the VTEP.

Encap Drop Or Exception Packets display the total count of L2 packets that have been encapsulated and dropped for any reason.

The following show VXLAN counters vni decap command displays the decapsulation related counters at the VNI.

switch# show VXLAN counters vni decap
                                                      Decap Drop Or             
                            Decap Known   Decap BUM       Exception
VNI       Decap Bytes   Unicast Packets      Packets        Packets
-------   -----------   ---------------   ----------   -------------
2824963             0                 0            0               0
7023745             0                 0            0               0

Decap Known UnicastPkts displays the total count of L2 known unicast packets coming into the VTI hitting the VTEP and getting decapsulated.

Decap BUM Packets displays the total count of L2 BUM packets coming into the VTI hitting the VTEP and getting decapsulated.

Decap Drop or Exception Packets displays the count of L2 packets coming into the VTI and getting dropped for any reason.

speed

The speed command configures the transmission speed and duplex setting for the configuration mode interface. The scope and effect of this command depends on the interface type. Interface types include:

40GBASE (QSFP+): Default is 4x10G-full. Speed forced 40gfull and Speed auto 40gfull configure interface as a 40G port.
10GBASE-T: Default is 10G-full. Speed command affects interface.
10GBASE (SFP+): Default is 10G-full. Speed command does not affect interface.
1000BASE (copper): Default is 1G-full. speed auto 100full affects interface.
1000BASE (fiber): Default is 1G-full. Speed command does not affect interface.
10/100/1000: Default is auto-negotiation. Speed command (10/100/1000 options) affects interface.

The speed 40gfull and auto 40gfull commands configure a QSFP+ Ethernet interface as a 40G port. The no speed and no auto 40gfull commands configure a QSFP+ Ethernet interface as four 10G ports. These commands must be applied to the /1 port. These commands are hitless on the 7050X, 7060X, 7250X, 7260X, 7280SE, 7300X, 7320X and 7500E series platforms. On all other platforms, these commands restart the forwarding agent, which will result in traffic disruption.

The no speed and default speed commands restore the default setting for the configuration mode interface by removing the corresponding speed command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Management Configuration

Command Syntax

speed MODE

no speed

default speed

Parameters

MODE Transmission speed and duplex setting. Options include:

speed auto auto negotiation mode. (For SFP-1G-T, auto-negotiates 1Gbps, this is because no speed is specified, and we are defaulting to advertise 1G).
speed auto 40gfull auto negotiation mode with clause 73 auto negotiation.
speed auto 1G full/ speed 1G auto-negotiated 1Gbps (note that per BASE-T standard, 1G must be negotiated).
speed auto 100full auto-negotiated 100Mbps.
speed 100full non-negotiated and true-forced 100Mbps.
Note: Interfaces using clause 73 auto negotiation must connect to a device that runs clause 73 auto negotiation.
sfp-1000baset auto auto-negotiation mode (fu).
10000full 10G full duplex.
1000full 1G full duplex.
1000half 1G half duplex.
100full 100M full duplex.
100gfull 100G full duplex.
100half 100M half duplex.
10full 10M full duplex.
10half 10M half duplex.
40gfull 40G full duplex.

On 40GBASE and 100GBASE interfaces, options that change the SFP+ and MXP interfaces (the auto 40gfull, the 40gfull, and the no speed options) may restart the forwarding agent on some switch platforms, disrupting traffic on all ports for more than a minute.

Guidelines

Note: The SFP-1G-T transceivers advertise one speed at a time only. Hence, the desired speed and negotiation must be configured explicitly using the speed auto, speed auto 1G full/ speed 1G, speed auto 100full, and speed 100full commands.

Examples

This command configures a 40GBASE interface as a 40G port.

switch(config)# interface ethernet 49/1
switch(config-if-Et49/1)# speed 40gfull
switch(config-if-Et49/1)# show interface ethernet 49/1 - 49/4 status
Port      Name          Status       Vlan        Duplex  Speed Type
Et49/1                  connected    in Po999      full    40G 40GBASE-CR4
Et49/2                  errdisabled  inactive    unconf unconf 40GBASE-CR4
Et49/3                  errdisabled  inactive    unconf unconf 40GBASE-CR4
Et49/4                  errdisabled  inactive    unconf unconf 40GBASE-CR4
switch(config-if-Et49/1)#

This command configures a 40GBASE interface as four 10G ports (default configuration).

switch(config-if-Et49/1)# no speed
switch(config-if-Et49/1)# show interface ethernet 49/1 - 49/4 status
Port      Name          Status       Vlan        Duplex  Speed Type
Et49/1                  connected    routed        full    10G 40GBASE-SR4
Et49/2                  connected    routed        full    10G 40GBASE-SR4
Et49/3                  connected    routed        full    10G 40GBASE-SR4
Et49/4                  notconnect   inactive      full    10G 40GBASE-SR4
switch(config-if-Et49/1)#

system

The system command allows the user to configure the system-wide TCAM profiles such as default, mirroring-acl, mpls-evpn, pbr-match-nexthop-group, qos, tap-aggregation-default, tap-aggregation-extended, tc-counters, test, and VXLAN-routing.

The exit command returns the switch to global configuration mode.

Command Mode

Hardware TCAM

Command Syntax

system profile name

Parameter

name TCAM profile name.

Reference

hardware tcam

Example

This commands allow the switch to configure the TCAM profile qos.

switch(config-hw-tcam)# system profile qos

threshold

The threshold command configures the link monitoring threshold value that is specified for a link error.

The no threshold and the default threshold commands remove the threshold value specified for the chosen link error.

Command Mode

Link-error Configuration

Command Syntax

[fcs | symbol] threshold threshold_value

no [fcs | symbol] threshold threshold_value

default [fcs | symbol] threshold threshold_value

Parameters

fcs Inbound packets with Frame check sequence (FCS) error.
symbol Inbound packets with symbol error.
threshold_value Specifies the threshold value in number of errors. The value ranges from 1 to 100.

Related Commands

action
period

Example

These commands set the threshold value of 20 for the profile profile1 in the link-error configuration mode.

switch(config)# monitor ethernet oam
switch(config-eoam)# profile profile1
switch(config-eoam-profile-profile1)# link-error                        
switch(config-eoam-profile-profile1-link-error)# symbol threshold 20

transceiver channel

The transceiver channel command displays transceiver wavelength/frequency by channel number. The channel numbering depends on the selected grid-spacing mode. The default grid-spacing mode is 50GHz-spacing.

If the startup configuration does not specify the channel number for the interface, the transceiver will automatically tune to the default channel (i.e. channel-39 of 50GHz-spacing grid) when it is inserted.
If the configured wavelength/frequency is not supported by the transceiver, the transceiver is tuned to the default channel (i.e. channel-39 of 50GHz-spacing grid).

The interface is shutdown before the channel number is configured.

Command Mode

Global Configuration

Command Syntax

transceiver channel CHANNEL_NUMBER grid-spacing SPACING_GRID

no transceiver channel CHANNEL_NUMBER grid-spacing SPACING_GRID

default transceiver channel CHANNEL_NUMBER grid-spacing SPACING_GRID

Parameters

CHANNEL-NUMBER The default channel is 39 (50GHz-spacing grid) which corresponds to a frequency of 193,100 GHz and a wavelength of 1552.52 nm.
GRID_SPACING Grid-spacing mode (optional) depends on the selected grid-spacing mode. The default grid-spacing mode is 50GHz-spacing. For example, channel 39 of 50GHz-spacing grid is equivalent to channel 20 of 100GHz-spacing grid, which corresponds to a frequency of 193,100 GHz and a wavelength of 1552.52 nm.
- SPACING_GRID default grid-spacing mode in GHz.

Related Commands

show interfaces transceiver channels
show interfaces transceiver hardware

Example

This command tunes the transceiver on slot number 4 to slot 1 through 3 of 50GHz-spacing grid.

switch(config-as)# interface ethernet 4/1/3
switch(config-if-Et4/1/3)# transceiver channel 1 grid-spacing 50
switch(config-if-Et4/1/3)#

transceiver qsfp default-mode

The transceiver qsfp default-mode command specifies the transmission mode of all QSFP transceiver modules that are not explicitly configured.

Each QSFP+ module Ethernet interface is configurable as a single 40G port or as four 10G ports. The switch displays four ports for each interface. Each ports status depends on the interface configuration:

The /1 port is active (connected or not connected), regardless of the interface configuration.
The /2, /3, and /4 ports are error-disabled when the interface is configured as a single 40G port.
All ports are active (connected or not connected), when the interface is configured as four 10G ports.

QSFP modules that are not configured through a speed command are operated as four 10G ports.

The no transceiver qsfp default-mode and default transceiver qsfp default-mode commands restore the default-mode transceiver setting from 40G to4x10G.

Command Mode

Global Configuration

Command Syntax

transceiver qsfp default-mode 4x10G

no transceiver qsfp default-mode

default transceiver qsfp default-mode

Note: QSFP100 ports with external PHY always have 40G as the default QSFP mode.

Guidelines

The transceiver qsfp default-mode 4x10g statement is always in running-config and cannot be modified or removed in the current release.

Example

When default QSFP mode is configured as 4x10G, the show running-config contains transceiver qsfp default-mode 4x10G. show interfaces hardware shows 10G as the default speed.

switch(config)# transceiver qsfp default-mode 4x10G
switch(config)# show running-config | grep 4x10G
transceiver qsfp default-mode 4x10G
switch(config)# show interfaces ethernet 35/1 hardware
*  = Requires speed group setting change
Ethernet35/1
  Model:          DCS-7280CR3-32P4
  Type:           40GBASE-CR4
  Speed/Duplex:   10G/full(default),40G/full,auto
  Flowcontrol:    rx-(off,on,desired),tx-(off)

When QSFP mode configuration is reverted to the default, show running-configdoes not contain transceiver qsfp default-mode 4x10G. show interfaces hardware shows 40G as the default speed.

switch(config)# no transceiver qsfp default-mode
switch(config)# show running-config | grep 4x10G
switch(config)# show interfaces ethernet 35/1 hardware
*  = Requires speed group setting change
Ethernet35/1
  Model:          DCS-7280CR3-32P4
  Type:           40GBASE-CR4
  Speed/Duplex:   10G/full,40G/full(default),auto
  Flowcontrol:    rx-(off,on,desired),tx-(off)

Port Channels and LACP

This chapter describes channel groups, port channels, port channel interfaces, and the Link Aggregation Control Protocol (LACP). This chapter contains the following sections:

Port Channel Introduction
Port Channel Conceptual Overview
Port Channel Configuration Procedures
Load Balancing Hash Algorithms
Port Channel and LACP Configuration Commands

Port Channel Introduction

Arista’s switching platforms support industry-standard link aggregation protocols. Arista switches optimize traffic throughput by using MAC addressing, IP addressing, and services fields to effectively load share traffic across aggregated links. Managers can configure multiple ports into a logical port channel, either statically or dynamically through the IEEE Link Aggregation Control Protocol (LACP). Various negotiation modes are supported to accommodate different configurations and peripheral requirements, including LACP fallback to support devices that need simple network connectivity to retrieve images or configurations prior to engaging port channel aggregation modes.

Arista’s Multi-chassis Link Aggregation protocol (MLAG) supports LAGs across paired Arista switches to provide both link aggregation and active/active redundancy.

Port Channel Conceptual Overview

Channel Groups and Port Channels

A port channel is a communication link between two switches supported by matching channel group interfaces on each switch. A port channel is also referred to as a Link Aggregation Group (LAG). Port channels combine the bandwidth of multiple Ethernet ports into a single logical link.

A channel group is a collection of Ethernet interfaces on a single switch. A port channel interface is a virtual interface that serves a corresponding channel group and connects to a compatible interface on another switch to form a port channel. Port channel interfaces can be configured and used in a manner similar to Ethernet interfaces. Port channel interfaces are configurable as Layer 2 interfaces, Layer 3 (routable) interfaces, and VLAN members. Most Ethernet interface configuration options are also available to port channel interfaces.

Port Channel Subinterfaces

Port channel subinterfaces divide a single port channel interface into multiple logical L3 interfaces based on the 802.1q tag (VLAN ID) of incoming traffic. Subinterfaces are commonly used in the L2/L3 boundary device, but they can also be used to isolate traffic with 802.1q tags between L3 peers by assigning each subinterface to a different VRF.

For further details about subinterfaces, see Subinterfaces.

Link Aggregation Control Protocol (LACP)

The Link Aggregation Control Protocol (LACP), described by IEEE 802.3ad, defines a method for two switches to automatically establish and maintain link aggregation groups (LAGs, also called channel groups or port channels). Using LACP, a switch can configure LACP-compatible ports into a dynamic LAG. The ports try to complete LACP negotiation automatically with the linked ports (also configured as a dynamic LAG) on the partner switch. The maximum number of ports per LAG varies by platform; numbers for each platform in the latest EOS release are available here: https://www.arista.com/en/support/product-documentation/supported-features.

Static LAGs

In static mode (with the channel-group mode configured as on on the member interfaces), the switch aggregates links without an awareness of LAGs on the partner switch and without LACP negotiation. The member ports do not send LACP packets or process inbound LACP packets on static LAGs. Packets may drop when static LAG configurations differ between switches.

Dynamic LAGs

Dynamic LAGs are aware of their partners’ port-channel states. Interfaces configured as dynamic LAGs are designated as active or passive.

Active interfaces send LACP Protocol Data Units (LACP PDUs) at a rate of one per second when forming a channel with an interface on the peer switch. An aggregate forms if the peer runs LACP in active or passive mode.
Passive interfaces only send LACP PDUs in response to PDUs received from the partner. The partner switch must be in active mode and initiates negotiation by sending a LACP packet. The passive mode switch receives and responds to the packet to form a LAG.

An active interface can form port channels with passive or active partner interfaces, but port channels are not formed when the interface on each switch is passive.

Table 1 summarizes the effect of different LACP mode combinations:

Table 1. LACP Mode Combinations
Switch 1	Switch 2	Comments
active	active	Links aggregate when LACP negotiation is successful.
active	passive	Links aggregate when LACP negotiation is successful.
passive	passive	Links do not aggregate because LACP negotiation is not initiated.
on (static)	on (static)	Links aggregate without LACP.
on (static)	active or passive	Links aggregate on the static switch without LACP; links do not aggregate on the other switch, and no port-channel connection is established with the partner.

During synchronization, interfaces in dynamic LAGs transmit one LACP PDU per second. After synchronization is complete, interfaces exchange one PDU every thirty seconds, facilitated by a default timeout of 30 seconds and a failure tolerance of three. Under these parameters, when the switch does not receive a LACP PDU for an interface during a ninety-second period, it records the partner interface as failed and removes the interface from the port channel.

Fallback Mode

An active interface that is not in fallback mode does not form a LAG until it receives PDUs from, and negotiates with its peer. Fallback mode allows an active LACP interface to maintain a LAG without receiving PDUs from its peer. The fallback timer specifies the period the LAG waits to receive a peer PDU. Upon timer expiry, the port channel reverts to its configured fallback mode if one is configured.

Static fallback: the port channel maintains one active port while in fallback mode; all its other member ports are in standby mode until a LACP PDU is received by the port channel. All member ports send (and can receive) LACP PDUs, but only the active port sends or receives data.

Individual fallback: all member ports act as individual switch ports while in fallback mode. Individual port configuration (rather than port channel configuration) is active while the port channel is in fallback mode, with the exception of ACLs. This includes VLAN membership. All member ports send and receive data, and continue to send LACP PDUs. As soon as a LACP PDU is received by a member of the port channel, all ports revert to normal port-channel operation.

The switch uses a link aggregation hash algorithm to determine the forwarding path within a link aggregation group. The IP and MAC header fields can be selected as components of the hash algorithm.

Port Channel Configuration Procedures

These sections describe channel group and port channel configuration procedures:

Configuring a Channel Group
Configuring a Port Channel Interface
Maximum Port Channel ID Increase
Configuring Port Channel Subinterfaces
Configuring LACP
Displaying Port Channel Information

Configuring a Channel Group

Creating a Channel Group

The channel-group command assigns the configuration-mode Ethernet interfaces to a channel group, creates the channel group if it does not already exist, and specifies LACP attributes for the channel.

Channel groups are associated with a port channel interface immediately upon their creation. A command that creates a new channel group also creates a port channel with a matching ID. The port channel is configured in port-channel configuration mode. Configuration changes to a port channel interface propagate to all Ethernet interfaces in the corresponding channel group.

LACP is enabled on the member interfaces by setting the channel-group mode to active or passive. Setting the mode to on disabled LACP on the member interfaces and creates a static channel group.

Example:

These commands assign Ethernet interfaces 1 and 2 to channel group 10 (creating the channel group if it does not already exist), enable LACP on those interfaces, and place the channel group in a negotiating state.

switch(config)# interface ethernet 1-2
switch(config-if-Et1-2)# channel-group 10 mode active
switch(config-if-Et1-2)#

Adding an Interface to a Channel Group

The channel-group command is also used to add the configuration mode interface to an existing channel group. When adding channels to a previously created channel group, the channel-group mode for the new channel must match the mode for the existing group.

Example

These commands add Ethernet interfaces 7 through 10 to previously created channel group 10, using the channel-group mode (active) under which it was created.

switch(config)# interface ethernet 7-10
switch(config-if-Et7-10)# channel-group 10 mode active
switch(config-if-Et7-10)#

Removing an Interface from a Channel Group

The no channel-group command removes the configuration mode interface from the specified channel group. Deleting all members of a channel group does not remove the associated port channel interface from running-config.

Example

These commands removes interface ethernet 8 from previously created channel group 10.

switch(config)# interface ethernet 8
switch(config-if-Et8)# no channel-group
switch(config-if-Et8)#

Configuring a Port-Channel as Mixed-Speed

By default, only configured members of the same speed become active. The port-channel speed mixed command configures a port channel with the ability to have active members of multiple speeds.

Note: Available on the 7020, 7280, 7500, and 7800 platforms. Minimum links is not available on mixed-speed port channels.

Example

switch(config)# interface port-channel 1
switch(config-if-Po1)# port-channel speed mixed

Configuring Minimum Links

Note: Minimum links is not available on Mixed-Speed Port-Channels. If a minimum requirement is desired for a Mixed-Speed Port-Channel, consider Minimum Speed instead. On Port-Channels that are not mixed-speed, if both Minimum Links and Minimum Speed are configured, then Minimum Speed will take precedence.

Configuring Minimum Speed

The port-channel speed minimum command specifies the cumulative minimum speed of all active members in order for a port channel to become active. If there is less than the specified by this command, the port channel interface does not become active.

Note: If both minimum speed and minimum links are configured, minimum speed will take precedence.

Example

These command sets 100 Gbps as the minimum speed needed for port channel 1 to become active.

switch(config)# interface port-channel 1
switch(config-if-Po1)# port-channel speed minimum 100 gbps

Deleting a Channel Group

A channel group is deleted by removing all Ethernet interfaces from the channel group. A channel group’s LACP mode can be changed only by deleting the channel group and then creating an equivalent group with a different LACP mode. Deleting a channel group by removing all Ethernet interfaces from the group preserves the port channel interface and its configuration settings.

View running-config to verify the deletion of all Ethernet interfaces from a channel group.

Configuring a Port Channel Interface

Creating a Port Channel Interface

The switch provides two methods for creating port channel interfaces:

creating a channel group simultaneously creates an associated port channel.
the interface port-channel command creates a port channel without assigning Ethernet channels to the new interface.

The interface port-channel command places the switch in interface-port channel configuration mode.

Example

This command creates interface port-channel 8 and places the switch in port channel interface configuration mode.

switch(config)# interface port-channel 8
switch(config-if-Po8)#

Deleting a Port Channel Interface

The no interface port-channel command deletes the configuration mode port channel interface and removes the channel group assignment for each Ethernet interface assigned to the group associated with the port channel interface. Removing all Ethernet interfaces from a channel group does not remove the associated port channel interface from running-config.

Maximum Port Channel ID Increase

Previously, the maximum valid port channel ID was equal to the maximum number of port channels configurable on the system, 2000, and this feature increases the maximum ID to 999,999 while maintaining the same limit of 2000 port channels on the system.

Configuration

This feature does not involve any specific configuration procedure, but it does include visible changes to port channel configuration commands. In the following examples, suppose port channels 1-2000 have already been configured, so creating Port-Channel 2001 would exceed the configuration limit.

switch(config)# interface create port-channel 2001
Port channel config limit 2000 reached. No interfaces were created.

switch(config-ifEtX)# channel-group 2001 mode 
Port channel config limit 2000 reached. No interfaces were created.

Show Commands

Changes to existing show commands simply involve displaying when a port channel is inactive. In the following examples, suppose port channels 2001-4001 are configured, Port-Channel 4001 is inactive, and Ethernet1 is a member of Port-Channel 4001.

switch(config)# show lacp 1-$ aggregates
Port channel 4001 is inactive. The number of configured port channels exceeds the config limit 2000.
Port-Channels1-2000,4002-999999 not configured as LAG
Port Channel Port-Channel2001:
Aggregate ID: [(8000,00-1c-73-04-36-d7,0001,0000,0000),(8000,00-1c-73-09-a0-f3,0001,0000,0000)]
  Bundled Ports: Ethernet43 Ethernet44 Ethernet45 Ethernet46
Port Channel Port-Channel2002:
Aggregate ID: [(8000,00-1c-73-01-02-1e,0002,0000,0000),(8000,00-1c-73-04-36-d7,0002,0000,0000)]
  Bundled Ports: Ethernet47 Ethernet48
Port Channel Port-Channel2003:
Aggregate ID: [(8000,00-1c-73-04-36-d7,0003,0000,0000),(8000,00-1c-73-0c-02-7d,0001,0000,0000)]
  Bundled Ports: Ethernet3 Ethernet4
Port Channel Port-Channel2004:
Aggregate ID: [(0001,00-22-b0-57-23-be,0031,0000,0000),(8000,00-1c-73-04-36-d7,0004,0000,0000)]
  Bundled Ports: Ethernet42
Port Channel Port-Channel2005:
Aggregate ID: [(0001,00-22-b0-5a-0c-51,0033,0000,0000),(8000,00-1c-73-04-36-d7,0005,0000,0000)]
  Bundled Ports: Ethernet41




switch(config)# show lacp 1-$ counters
Port channel 4001 is inactive. The number of configured port channels exceeds the config limit 2000.
Port-Channels1-2000,4002-999999 not configured as LAG


switch(config)# show lacp 1-$ internal
Port channel 4001 is inactive. The number of configured port channels exceeds the config limit 2000.
Port-Channels1-2000,4002-999999 not configured as LAG
LACP System-identifier: 8000,00-1c-73-04-36-d7
State: A = Active, P = Passive; S=ShortTimeout, L=LongTimeout;
       G = Aggregable, I = Individual; s+=InSync, s-=OutOfSync;
       C = Collecting, X = state machine expired,
       D = Distributing, d = default neighbor state
             |Partner                                 Actor
Port Status  | Sys-id                 Port#  State    OperKey  PortPriority
----------------------------------------------------------------------------
Port Channel Port-Channel2001:
Et43 Bundled | 8000,00-1c-73-09-a0-f3    43  ALGs+CD   0x0001         32768
Et44 Bundled | 8000,00-1c-73-09-a0-f3    44  ALGs+CD   0x0001         32768
Et45 Bundled | 8000,00-1c-73-09-a0-f3    45  ALGs+CD   0x0001         32768
Et46 Bundled | 8000,00-1c-73-09-a0-f3    46  ALGs+CD   0x0001         32768

switch(config)# show lacp 1-$ peer
Port channel 4001 is inactive. The number of configured port channels exceeds the config limit 2000.
Port-Channels1-2000,4002-999999 not configured as LAG
State: A = Active, P = Passive; S=ShortTimeout, L=LongTimeout;
       G = Aggregable, I = Individual; s+=InSync, s-=OutOfSync;
       C = Collecting, X = state machine expired,
       D = Distributing, d = default neighbor state
               |                          Partner
Port   Status  | Sys-id                  Port#   State     OperKey  PortPri
----------------------------------------------------------------------------
Port Channel Port-Channel2001:
Et1    Bundled | 8000,00-1c-73-00-13-19      1   ALGs+CD    0x0001    32768
Et2    Bundled | 8000,00-1c-73-00-13-19      2   ALGs+CD    0x0001    32768
Port Channel Port-Channel2002:
Et23   Bundled | 8000,00-1c-73-04-36-d7     47   ALGs+CD    0x0002    32768
Et24   Bundled | 8000,00-1c-73-04-36-d7     48   ALGs+CD    0x0002    32768
Port Channel Port-Channel2004*:
Et3    Bundled | 8000,00-1c-73-0b-a8-0e     45   ALGs+CD    0x0001    32768
Et4    Bundled | 8000,00-1c-73-0b-a8-0e     46   ALGs+CD    0x0001    32768
Port Channel Port-Channel2005*:
Et19   Bundled | 8000,00-1c-73-0c-30-09     49   ALGs+CD    0x0005    32768
Et20   Bundled | 8000,00-1c-73-0c-30-09     50   ALGs+CD    0x0005    32768
Port Channel Port-Channel2006*:
Et6    Bundled | 8000,00-1c-73-01-07-b9     49   ALGs+CD    0x0001    32768
Port Channel Port-Channel2007*:
Et5    Bundled | 8000,00-1c-73-0f-6b-22     51   ALGs+CD    0x0001    32768
Port Channel Port-Channel2008*:
Et10   Bundled | 8000,00-1c-73-10-40-fa     51   ALGs+CD    0x0001    32768
 
* - Only local interfaces for MLAGs are displayed. Connect to the peer to
    see the state for peer interfaces.

switch(config)# show lacp interface Ethernet1 [(internal|neighbor|peer)]
Interface Ethernet1 is a member of an inactive LACP port channel. The number of configured port channels exceeds the config limit 2000.

switch(config)# show port-channel 1-$
Port Channel Port-Channel2001:
  No Active Ports
...
Port Channel Port-Channel4000:
  No Active Ports
Port Channel Port-Channel4001:
  Inactive, The number of configured port channels exceeds the config limit 2000.

switch(config)# show port-channel (dense|summary)

                  Flags
-------------------------- ----------------------------- -------------------------
   a - LACP Active            p - LACP Passive           * - static fallback
   F - Fallback enabled       f - Fallback configured    ^ - individual fallback
   U - In Use                 D - Down                   
   + - In-Sync                - - Out-of-Sync            i - incompatible with agg
   P - bundled in Po          s - suspended              G - Aggregable
   I - Individual             S - ShortTimeout           w - wait for agg
   E - Inactive. The number of configured port channels exceeds the config limit

Number of channels in use: ...
Number of aggregators: ...

   Port-Channel       Protocol    Ports
------------------ -------------- -------------------
   Po2001(U)          LACP(a)     Et47(PG+) Et48(PG+)
   Po2002(U)          LACP(a)     Et39(PG+) Et40(PG+)
   Po4001(E)          Static      Et7(P)

Limitations

The number of configured port channels can exceed the configurable limit if two configuration sessions simultaneously create two different port channels. In this scenario, port channels that exceed the limit are inactive. This is uncommon and does not impact traffic in any way. If an inactive port channel exists and an active port channel is deleted, then the inactive port channel is activated.
Only port channels with ID from 1 to 2000 are configured as MLAG port channels.

Configuring Port Channel Subinterfaces

When configuring subinterfaces on a port channel interface (the virtual interface associated with a port channel), the following restrictions apply:

An L3 interface with subinterfaces configured on it should not be made a member of a port channel.

An interface that is a member of a port channel should not have subinterfaces configured on it.
A subinterface cannot be made a member of a port channel.

Port channel subinterfaces are otherwise configured similarly to Ethernet subinterfaces. For additional information, see Subinterfaces.

Configuring LACP

Configuring the Channel-group Mode

The channel-group mode is configured when a channel group is created using the channel-group command. A channel group’s mode cannot be modified without deleting the entire channel group, but it can be modified without deleting the port channel interface associated with the channel group. The mode setting defines whether the port channel is static or dynamic, and whether a dynamic port channel is active or passive.

Examples

These commands create a dynamic channel group and place it in LACP active mode.

switch(config)# interface ethernet 1-2
switch(config-if-Et1-2)# channel-group 10 mode active
switch(config-if-Et1-2)#

These commands create a static channel group.

switch(config)# interface ethernet 4-5
switch(config-if-Et4-5)# channel-group 11 mode on
switch(config-if-Et4-5)#

Configuring the System Priority

Each switch is assigned a globally unique system identifier by concatenating the system priority (16 bits) to the MAC address of one of its physical ports (48 bits). The system identifier is used by peer devices when forming an aggregation to verify that all links are from the same switch. The system identifier is also used when dynamically changing aggregation capabilities in response to LACP information; the system with the numerically lower system identifier is permitted to dynamically change advertised aggregation capabilities.

The lacp system-priority command configures the switch’s LACP system priority.

Example

This command assigns the system priority of 8192 to the switch.

switch(config)# lacp system-priority 8192
switch(config)#

Configuring Port Priority

LACP port priority determines the port that is active in a LAG in fallback mode. Numerically lower values have higher priority. Port priority is supported on port channels that are enabled with LACP physical interfaces.

The lacp port-priority command sets the aggregating port priority for the configuration mode interface.

Example

This command assigns the port priority of 4096 to Ethernet interface 1.

switch(config-if-Et1)# lacp port-priority 4096
switch(config-if-Et1)#

Configuring the LACP Packet Reception Rate

The lacp timer command sets the reception rate of LACP packets on the local device for the interface being configured. This command supports the following reception rates:

normal: LACP packets are received at the following rates:
- 30 seconds for synchronized interfaces.
- One second for interfaces that are being synchronized.
fast: LACP packets are received every second.

Example

This command sets the LACP reception rate to one second on the Ethernet interface 4.

switch(config-if-Et4)# lacp timer fast
switch(config-if-Et4)#

Configuring LACP Fallback

Fallback mode (static or individual) is configured on a port channel interface with the port-channel lacp fallback command. The fallback timeout interval is configured with the port-channel lacp fallback timeout command. Fallback timeout settings persist in running-config without taking effect for interfaces that are not configured into fallback mode. The default fallback timeout period is 90 seconds.

Examples

These commands enable LACP static fallback mode, then configure an LACP fallback timeout of 100 seconds on port channel interface 13. If LACP negotiation fails, only the member port with the lowest LACP priority will remain active until an LACP PDU is received by one of the member ports.

switch(config)# interface port-channel 13
switch(config-if-Po13)# port-channel lacp fallback static
switch(config-if-Po13)# port-channel lacp fallback timeout 100
switch(config-if-Po13)# show active
interface Port-Channel13
   port-channel lacp fallback static
   port-channel lacp fallback timeout 100
switch(config-if-Po13)#

These commands enable LACP individual fallback mode, then configure an LACP fallback timeout of 50 seconds on port channel interface 17. If LACP negotiation fails, all member ports will act as individual switch ports, using port-specific configuration, until a LACP PDU is received by one of the member ports.

switch(config)# interface port-channel 17
switch(config-if-Po17)# port-channel lacp fallback individual
switch(config-if-Po17)# port-channel lacp fallback timeout 50
switch(config-if-Po17)# show active
interface Port-Channel17
   port-channel lacp fallback individual
   port-channel lacp fallback timeout 50
switch(config-if-Po17)#

Configuring Minimum Links

The port-channel min-links command specifies the minimum number of interfaces that the configuration mode LAG requires to be active. If there are fewer ports than specified by this command, the port channel interface does not become active.

Note: In static LAGs, the min-links value must be met for the LAG to be active. The LAG will not become active until it has at least the min-links number of functioning links in the channel group. If failed links cause the number to drop below the minimum, the LAG will go down and administrator action will be required to bring it back up. In dynamic LAGs, the LACP protocol must determine that at least min-links physical ports are aggregable (they are physically compatible and have the same keys both remotely and locally) before it begins negotiating to make any ports active members of the port-channel. However once negotiation begins, an error on the partner’s side or an error in programming of member interfaces can cause the LAG to become active with fewer than the minimum number of links. EOS evaluates min-links after min-links-review-timeout (linearly proportional to configured min-links) when LACP protocol collecting and/or distributing state changes. If the number of active member interfaces in a port-channel is less than configured min-links, it brings the corresponding port-channel Link Down and syslogs LAG-4-MINLINK_INTF_INSUFFICIENT message. If additional interfaces get programmed as collecting and distributing, EOS re-evaluates min-links on the port-channel. If sufficient number of interfaces are available to be a part of port-channel, then all interfaces of the corresponding port-channel are re-enabled for LACP negotiation and the port-channel becomes Link Up. LAG-4-MINLINK_INTF_NORMAL is syslogged after min-links-review-timeout if the min-links condition is satisfied; otherwise LAG-4-MINLINK_INTF_INSUFFICIENT is syslogged and the port-channel goes Link Down. If an interface remains in collecting state but not in distributing state for min-links-review-timeout, it is moved out of collecting state. It is periodically re-enabled after min-links-retry-timeout (which is 360 seconds) till it progresses to collecting and distributing. Meanwhile, if a port-channel becomes Link Up because sufficient number of interfaces progressed to collecting and distributing states, then this interface is enabled for LACP negotiation.

Example

This command sets four as the minimum number of ports required for port channel 5 to become active.

switch(config-if-Po5)# port-channel min-links 4
switch(config-if-Po5)#

Configuring Minimum Links Review Interval

The port-channel min-links review interval command enables or disables timer based min-links review feature for all port-channels. The timer based min-links feature is enabled when all of the following conditions are true. It is disabled otherwise:

The min-links configured is greater than 1.
LACP fallback is disabled.
The number of interfaces configured in the port-channel is more than min-links.
The number of active member interfaces in the port-channel is less than min-links.
The default timer values are:
- min-links-review-timeout = min-links-timeout-base + f (configured min-links)
- min-links-timeout-base = 180 seconds
- min-links-retry-timeout = 360 seconds

Displaying Port Channel Information

Port channel information is accessed using some of the show commands listed under Interface Display Commands. Ensure that while using the show interfaces counters rates command to view the rate information of a port channel, rate values for the individual member ports are less inaccurate than rate values of the port channel.

Both the port channel rate and the individual port rates are calculated approximations; the rate value of a port channel might vary from the total of the rates for the member ports. The discrepancy is likely to be larger for port channels with fewer ports, and will be most obvious in single-port port channels.

Load Balancing Hash Algorithms

The switch balances packet load across multiple links in a port channel by calculating a hash value based on packet header fields. The hash value determines the active member link through which the packet is transmitted. This method, in addition to balancing the load in the LAG, ensures that all packets in a data stream follow the same network path.

In network topologies that include MLAGs or Multiple Paths with Equal Cost (ECMP), programming all switches to perform the same hash calculation increases the risk of hash polarization, which leads to uneven load distribution among LAG and MLAG member links. This uneven distribution is avoided by performing different hash calculations on each switch routing the paths.

The port-channel load-balance command specifies the seed for hashing algorithms that balance the load across ports comprising a port channel. Available seed values vary by switch platform.

Example

This command configures the hash seed of 10 on 7150 Series (FM6000 platform) switches.

switch(config)# port-channel load-balance fm6000 10
switch(config)#

Hashing algorithm inputs varies by switch platform. These sections describe hashing algorithm inputs for each platform.

Load Balance Hash Algorithms on 7048 and 7500 Series Switches
Load Balance Hash Algorithms on 7500E Series Switches
Load Balance Hash Algorithms on 7050 Series Switches
Load Balance Hash Algorithms on 7150 Series Switches

Load Balance Hash Algorithms on 7048 and 7500 Series Switches

One command configures the load balance hash algorithm on 7048 and 7500 Series switches:

port-channel load-balance petraA fields ip: controls the hash algorithm for IP packets by specifying the algorithm’s use of IP and MAC header fields. Fields that the command can specify include source and destination IP addresses, source and destination port fields (for TCP and UDP packets), and the entire MAC address header.

The hash algorithm for non-IP packets is not configurable and always includes the entire MAC header.

Example

These commands configure the load balance algorithm for IP packets by using the entire MAC header.

switch(config)# port-channel load-balance petraA fields ip mac-header
switch(config)#

Load Balance Hash Algorithms on 7500E Series Switches

One command configures the load balance hash algorithm on 7500E Series switches:

port-channel load-balance arad fields ip: controls the hash algorithm for IP packets by specifying the algorithm’s use of IP and MAC header fields. Fields that the command can specify include source and destination IP addresses, source and destination port fields (for TCP and UDP packets), and the entire MAC address header.

The hash algorithm for non-IP packets is not configurable and always includes the entire MAC header.

Example

These commands configure the load balance algorithm for IP packets by using the entire MAC header.

switch(config)# port-channel load-balance arad fields ip mac-header
switch(config)#

Dynamic and Symmetric LAG Hashing

Dynamic LAG hashing enables high link utilization and highly even distribution among LAG members by employing a randomized hashing algorithm. Symmetric LAG hashing allows the two flows of a bidirectional communication link, even when the two flows enter the switch on different ingress ports, to be hashed to the same member of a LAG on egress.

Dynamic and symmetric LAG hashing policies are enabled via named port-channel load-balancing profiles. LAG load-balancing policies can be provisioned on per line-card basis using these profiles. Load-balancing profiles can be used to provision all LAG load-balance attributes, including hash polynomials, hash seeds, and hash fields.

When no specific LAG hashing profile is assigned to a line card, then a global LAG hashing profile can be defined and applied to all the line cards with no LAG hashing defined on them.

Note, if no profile is selected as global profile then the default profile takes the precedence and set as a global profile. The default profile is reserved and if it is set as a global profile it cannot be deleted, if the profile is deleted then the following warning message is displayed.

Note: When a global profile is already set and if some other profile is tried to configured as a default profile the following warning message is displayed “! A global load balancing profile myProfile is currently active. This setting will not take effect.”

Examples

These commands configure a load balance profile for symmetric hashing.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance arad profile
switch(config-sand-load-balance-profile-symmetric-profile-1)# hash symmetric
switch(config-sand-load-balance-profile-symmetric-profile-1)# show active
load-balance policies
   load-balance arad profile symmetric-profile-1
      hash symmetric

These commands configure a load balance profile for dynamic hashing.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance arad profile
switch(config-sand-load-balance-profile-dynamic-hash-profile-1)# distribution 
clock
switch(config-sand-load-balance-profile-dynamic-hash-profile-1)# show active
load-balance policies
   load-balance arad profile dynamic-hash-profile-1
      distribution clock

This command assigns a named load-balancing profile to a linecard.

switch(config)# port-channel load-balance module 3-7 sand profile Linecard5
switch(config)#

This command unassigns a named load-balancing profile to a linecard.

switch(config)# no port-channel load-balance module 3-7 sand profile Linecard5
switch(config)#

This command configures a global profile on all line cards on which LAG hashing is not defined.
```
switch(config)# port-channel load-balance sand profile myGlobalProfile
```

These commands designates a default profile as a global profile, if no other profile is set as a global profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance sand profile default

These commands configure a hash seed in a profile and assigns it as a global profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance sand profile myGlobalProfile
switch(config-sand-load-balance-profile-myGlobalProfile)# hash seed 20
switch(config)# port-channel load-balance sand profile myGlobalProfile

This command assigns a named load-balancing profile to a linecard.

switch(config)# port-channel load-balance module 3-7 sand profile Linecard5
switch(config)#

This command unassigns a named load-balancing profile to a linecard.

switch(config)# no port-channel load-balance module 3-7 sand profile Linecard5
switch(config)#

Load Balance Hash Algorithms on 7050 Series Switches

Three commands configure the load balance hash algorithm on 7050 Series switches:

port-channel load-balance trident fields ip controls the hash algorithm for IP packets by specifying the algorithm’s use of IP and MAC header fields. Fields that the command can specify include source and destination IP addresses, source and destination port fields (for TCP and UDP packets), and fields specified by the port-channel load-balance trident fields mac command.
port-channel load-balance trident fields ipv6 controls the hash algorithm for IPv6 packets by specifying the algorithm’s use of IP and MAC header fields. Fields that the command can specify include source and destination IP addresses, source and destination port fields (for TCP and UDP packets), and fields specified by the port-channel load-balance trident fields mac command.
port-channel load-balance trident fields mac controls the hash algorithm for non-IP packets b specifying the algorithm’s use of MAC header fields. Fields that the command can specify include the MAC source address, MAC destination address, and Ethernet type fields.

Example

These commands configure the switch’s port channel load balance for non IP packets by using the MAC destination and Ethernet type fields in the hashing algorithm.

switch(config)# port-channel load-balance trident fields mac dst-mac eth-type
switch(config)#

Load Balance Hash Algorithms on 7150 Series Switches

Load balance profiles specify parameters used by hashing algorithms that distribute traffic across ports comprising a port channel or among component ECMP routes. The switch supports 16 load balance profiles, including the default profile. The default load balance profile is configured through port-channel load-balance fm6000 fields ip and port-channel load-balance fm6000 fields mac commands.

Load Balance Profiles

Load balance profiles are managed in load-balance-policies configuration mode. The load-balance-policies configuration mode provides commands that display the contents of all configured profiles and place the switch in load-balance-profile command. Load balance profiles are created by entering the load-balance-profile mode and edited while in that mode.

The load-balance policies command places the switch in load-balance-policies configuration mode. Load balance profiles specify the inputs used by the hashing algorithms that distribute traffic across ports comprising a port channel or among ECMP routes.

Examples

This command places the switch in load-balance-policies configuration mode.

switch(config)# load-balance policies
switch(config-load-balance-policies)#

This command displays the contents of the four load balance profiles configured on the switch.

switch(config-load-balance-policies)# show active

load-balance policies
   load-balance fm6000 profile F-01
      port-channel hash-seed 22
      fields ip dscp
      distribution random port-channel
   !
   load-balance fm6000 profile F-02
      fields ip protocol dst-ip
      distribution random port-channel
   !
   load-balance fm6000 profile F-03
      fields ip protocol dst-ip
      fields mac dst-mac eth-type
      distribution random ecmp port-channel
   !
   load-balance fm6000 profile F-04

switch(config-load-balance-policies)#

Creating a Load Balance Profile

The load-balance fm6000 profile command places the switch in load-balance-profile configuration mode to configure a specified load balance profile. The command specifies the name of the profile that subsequent commands modify. It creates a profile if the profile it references does not exist.

Example

These commands enter load-balance-profile configuration mode, creates the LB-5 profile, and lists the default settings for the profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-5
switch(config-load-balance-profile-LB-5)# show active all

load-balance policies
   load-balance fm6000 profile LB-5
      port-channel hash-seed 0
      fields mac dst-mac src-mac eth-type vlan-priority vlan-id
      fields ip protocol dst-ip dst-port src-ip src-port dscp
      no distribution symmetric-hash
      no distribution random

switch(config-load-balance-profile-LB-5)#

Configuring a Load Balance Profile

These commands are available in load-balance-profile configuration mode to specify the parameters that comprise a profile.

The fields ip command specifies the L3/L4 data fields used by the hash algorithm defined by the configuration mode load balance profile.
The fields mac command specifies the L2 data fields used by the hash algorithm defined by the configuration mode load balance profile.
The distribution symmetric-hash command enforces traffic symmetry on data distributed by the hash algorithm defined by the configuration mode load balance profile. Symmetric traffic is the flow of both directions of a data stream across the same physical link.
The distribution random command specifies the random distribution of data packets handled by the hash algorithm defined by the configuration mode load balance profile.

Example

These commands configure the following components of the hash algorithm defined by the LB-7 load balance profile:

L2 header fields: MAC destination address, VLAN priority.
L3/L4 header fields: Source IP address, protocol field.

Symmetric hash distribution of IP and non-IP packets.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-7
switch(config-load-balance-profile-LB-7)# fields ip src-ip protocol
switch(config-load-balance-profile-LB-7)# fields mac dst-mac vlan-priority
switch(config-load-balance-profile-LB-7)# distribution symmetric-hash mac-ip
switch(config-load-balance-profile-LB-7)# show active
load-balance policies
   load-balance fm6000 profile LB-7
      fields mac dst-mac vlan-priority
      fields ip protocol src-ip
      distribution symmetric-hash mac-ip
switch(config-load-balance-profile-LB-7)# exit
switch(config-load-balance-policies)# exit
switch(config)# exit

Assigning a Load Balance Profile to an Interface

The ingress load-balance profile command applies a specified load-balance profile to the configuration mode interface. Load balance profiles specify parameters used by hashing algorithms that distribute traffic across ports comprising a port channel or among ECMP routes. The switch supports 16 load balance profiles, including the default profile.

Example

This command applies the LB-1 load balance profile to interface port-channel 100.

switch(config)# interface port-channel 100
switch(config-if-Po100)# ingress load-balance profile LB-1
switch(config-if-Po100)# show active
interface Port-Channel100
   ingress load-balance profile LB-1
switch(config-if-Po100)#

Default Load Balance Profile

Two commands configure the load balance default profile on 7150 Series switches:

port-channel load-balance fm6000 fields ip controls the hash algorithm for IP packets by specifying the algorithm’s use of IP and MAC header fields. Fields that the command can specify include source and destination IP addresses, source and destination port fields (for TCP and UDP packets).
port-channel load-balance fm6000 fields mac controls the hash algorithm for non-IP packets by specifying the algorithm’s use of MAC header fields. Fields that the command can specify include include the MAC source address, MAC destination address, and Ethernet type, VLAN-ID, and VLAN-priority fields.

Examples

These commands configure the load balance default profile for IP packets by using source and destination IP address fields, along with source and destination port fields for TCP, and UDP packets.
```
switch(config)# port-channel load-balance fm6000 fields ip ip-tcp-udp-header
switch(config)#
```

This command applies the default load balance profile to interface port-channel 100.

switch(config)# interface port-channel 100
switch(config-if-Po100)# no ingress load-balance profile
switch(config-if-Po100)# show active
interface Port-Channel100
switch(config-if-Po100)#

Port Channel and LACP Configuration Commands

Global Port Channel and LACP Configuration Commands

interface port-channel
lacp system-priority

Interface Configuration Commands – Ethernet Interface

channel-group
lacp port-priority
lacp timer
port-channel lacp fallback
port-channel lacp fallback timeout
port-channel min-links
port-channel min-links review interval
port-channel speed minimum
port-channel speed mixed

Load Balance (Default) Commands

port-channel load-balance
port-channel load-balance arad fields ip
port-channel load-balance fm6000 fields ip
port-channel load-balance fm6000 fields mac
port-channel load-balance module
port-channel load-balance petraA fields ip
port-channel load-balance sand profile (7500E/7500R)
port-channel load-balance trident fields ip
port-channel load-balance trident fields ipv6
port-channel load-balance trident fields mac

Load Balance Policies Commands

distribution random
distribution symmetric-hash
fields ip
fields mac
hash-seed
ingress load-balance profile
load-balance fm6000 profile
load-balance policies
load-balance sand profile (7500E/7500R)
port-channel hash-seed

EXEC Commands

show lacp aggregates
show lacp counters
show lacp interface
show lacp internal
show lacp peer
show lacp sys-id
show load-balance profile
show port-channel
show port-channel dense
show port-channel limits
show port-channel load-balance
show port-channel load-balance fields

channel-group

The channel-group command assigns the configuration mode Ethernet interfaces to a channel group, creates the group if it does not already exist, and sets the port-channel mode for the group. When adding interfaces to a previously created channel group, the port-channel mode for the newly added interfaces must match the mode for the existing group.

Channel groups are associated with a port channel interface immediately upon their creation. A command that creates a new channel group also creates a port channel with a matching ID. The port channel is configured in Port-channel Configuration Mode. Configuration changes to a port channel interface propagate to all Ethernet interfaces in the corresponding channel group. The interface port-channel command places the switch in the interface-port-channel configuration mode.

The no channel-group and default channel group commands remove the configuration-mode interface from the specified channel group.

Command Mode

Interface-Ethernet Configuration

Command Syntax

channel-group number mode group_mode

no channel-group

default channel-group

Parameters

number Specifies a channel group ID. Values range from 1 through 2000.
group_mode Specifies the channel-group mode for the channel group. Values include:
- on Port channel is static and LACP is disabled on member interfaces. Port neither verifies nor negotiates port channel membership.
  - active Port channel is dynamic and member interfaces are active LACP ports that transmit and receive LACP negotiation packets.
  - passive Port channel is dynamic and member interfaces are passive LACP ports that respond to LACP negotiation packets but do not generate them.

Guidelines: Port Channels

You can configure a port channel to contain many ports, but only a subset may be active at a time. All active ports in a port channel must be compatible. Compatibility includes many factors and is platform-specific. For example, compatibility may require identical operating parameters such as speed and Maximum Transmission Unit (MTU). Compatibility may only be possible between specific ports because of the internal organization of the switch.

Guidelines: MLAG Configurations

Static LAG is not recommended in MLAG configurations. However, these considerations apply when the channel group mode is on while configuring static MLAG:

When configuring multiple interfaces on the same static port channel:
- all interfaces must physically connect to the same neighboring switch.
- the neighboring switch must configure all interfaces into the same port channel.

The switches are misconfigured when these conditions are not met.

Disable the static port channel membership before moving any cables connected to these interfaces or changing a static port channel membership on the remote switch.

Examples

These commands assign Ethernet interfaces 8 and 9 to channel group 10, and enable LACP in negotiating mode.

switch(config)# interface ethernet 8-9
switch(config-if-Et8-9)# channel-group 10 mode active
switch(config-if-Et8-9)# show active
interface Ethernet8
   channel-group 10 mode active
interface Ethernet9
   channel-group 10 mode active
switch(config-if-Et8-9)#

These commands assign Ethernet interfaces 12 and 13 to static channel group 11. LACP is disabled on these interfaces.

switch(config)# interface ethernet 12-13
switch(config-if-Et12-13)# channel-group 11 mode on
switch(config-if-Et12-13)# show active
interface Ethernet12
   channel-group 11 mode on
interface Ethernet13
   channel-group 11 mode on
switch(config-if-Et12-13)#

distribution random

The distribution random command specifies the random distribution of data packets handled by the hash algorithm defined by the configuration mode load balance profile. All data fields and hash seeds that are configured for the profile are used as seeds for the random number generator that defines the distribution of individual packets.

Command options allow for the random distribution of traffic across port channel links and ECMP routes. Random distribution can be enabled for either, both, or neither.

The no distribution random and default distribution random commands remove random distribution on the configuration mode load balance profile by deleting the corresponding distribution random command from the configuration.

Command Mode

Load-balance-profile Configuration

Command Syntax

distribution random BALANCE_TYPE

no distribution random

default distribution random

Parameters

SCOPE Specifies use of random distribution for port channels and ECMP routes. Options include:

no parameter Random distribution is enabled for ECMP routes and port channel links.
ecmp Random distribution is enabled for ECMP routes.
port-channel Random distribution is enabled for port channel links.
port-channel ecmp Random distribution is enabled for ECMP routes and port channel links.
ecmp port-channel Random distribution is enabled for ECMP routes and port channel links.

Guidelines

The distribution random command takes precedence over the distribution symmetric-hash command when both methods are simultaneously enabled.

Related Commands

load-balance fm6000 profile places the switch in the load-balance-profile configuration mode.

Example

These commands configure symmetric hashing on all traffic distributed through the algorithm defined by the LB-1 load balance profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-1
switch(config-load-balance-profile-LB-1)# distribution random ecmp port-channel
switch(config-load-balance-profile-LB-1)# show active
load-balance policies
   load-balance fm6000 profile LB-1
      distribution random ecmp port-channel
switch(config-load-balance-profile-LB-1)#

distribution symmetric-hash

The distribution symmetric-hash command enforces traffic symmetry on data distributed by the hash algorithm defined by the configuration mode load balance profile. Symmetric traffic is the flow of both directions of a data stream across the same physical link.

Two symmetric-hash options specify the traffic upon which symmetry is enforced:

distribution symmetric-hash mac specifies that only non-IP traffic is hashed symmetrically. IP traffic is hashed normally without regard to symmetry.
distribution symmetric-hash mac-ip specifies that all traffic is hashed symmetrically.

The no distribution symmetric-hash and default distribution symmetric-hash commands remove the specified hashing symmetry restriction on the configuration mode load balance profile by deleting the corresponding distribution symmetric-hash command from running-config.

Command Mode

Load-balance-profile

Command Syntax

distribution symmetric-hash FIELD_TYPE

no distribution symmetric-hash

default distribution symmetric-hash

Parameters

FIELD_TYPE Fields the hashing algorithm uses for Layer 3 routing. Options include:

mac Non-IP traffic is hashed symmetrically.
mac-ip All traffic is hashed symmetrically.

Guidelines

The distribution random command takes precedence over the distribution symmetric-hash command when both methods are simultaneously enabled.

Related Commands

load-balance fm6000 profile places the switch in the load-balance-profile configuration mode.

Example

These commands configure symmetric hashing on all traffic distributed through the algorithm defined by the LB-1 load balance profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-1
switch(config-load-balance-profile-LB-1)# distribution symmetric-hash mac-ip
switch(config-load-balance-profile-LB-1)# show active
load-balance policies
   load-balance fm6000 profile LB-1
      distribution symmetric-hash mac-ip
switch(config-load-balance-profile-LB-1)#

fields ip

The fields ip command specifies the L3/L4 data fields used by the hash algorithm defined by the configuration mode load balance profile. When a load balance profile is assigned to a port channel or Ethernet interface, its associated hash algorithm determines the distribution of packets that ingress the interface. Profile algorithms can load balance packets across port channel links or ECMP routes.

The switch calculates a hash value by using the packet header fields to balance packets across links. The hash value determines the link through which the packet is transmitted. This method also ensures that all packets in a flow follow the same network path. Packet flow is modified by changing the inputs to the port channel hash algorithm.

In network topologies that include MLAGs, programming all switches to perform the same hash calculation increases the risk of hash polarization, which leads to uneven load distribution among LAG and MLAG member links in MLAG switches. This problem is avoided by performing different hash calculations between the MLAG switch, and a non-peer switch connected to it.

The no fields ip configures the algorithm not to use L3/L4 data fields. The default fields ip command restores the default data L3/L4 fields to the load balancing algorithm defined by the configuration mode profile by removing the corresponding fields ip or no fields ip command from running-config.

Command Mode

Load-balance-profile Configuration

Command Syntax

fields ip IP_FIELD

no fields ip

default fields ip

Parameters

IP_FIELD Specifies the L3/L4 fields the hashing algorithm uses. Options include:

dscp Algorithm uses dscp field.
dst-ip Algorithm uses destination IP address field.
dst-port Algorithm uses destination TCP/UDP port field.
protocol Algorithm uses protocol field.
src-ip Algorithm uses source IP address field.
src-port Algorithm uses source TCP/UDP port field.

Command may include from one to six fields, in any combination and listed in any order. The default setting is the selection of all fields.

Related Commands

load-balance fm6000 profile places the switch in the load-balance-profile configuration mode.

Example

These commands specify the IP source and protocol fields as components of the hash algorithm defined by the LB-1 load balance profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-1
switch(config-load-balance-profile-LB-1)# fields ip src-ip protocol
switch(config-load-balance-profile-LB-1)# show active
load-balance policies
   load-balance fm6000 profile LB-1
      fields ip protocol src-ip
switch(config-load-balance-profile-LB-1)#

fields mac

The fields mac command specifies the L2 data fields used by the hash algorithm defined by the configuration mode load balance profile. When a load balance profile is assigned to a port channel or Ethernet interface, its associated hash algorithm determines the distribution of packets that ingress the interface. Profile algorithms can load balance packets across port channel links or ECMP routes.

The switch calculates a hash value using the packet header fields to balance packets across links. The hash value determines the link through which the packet is transmitted. This method also ensures that all packets in a flow follow the same network path. Packet flow is modified by changing the inputs to the port channel hash algorithm.

The no fields mac configures the algorithm not to use L2 data fields. The default fields mac command restores the default data L2 fields to the load balancing algorithm defined by the configuration mode profile by removing the corresponding fields mac or no fields mac command from running-config.

Command Mode

Load-balance-profile Configuration

Command Syntax

fields mac MAC_FIELD

no fields mac

default fields mac

Parameters

MAC_FIELD Specifies the L2 fields the hashing algorithm uses. Options include:

dst-mac Algorithm uses the MAC destination field.
eth-type Algorithm uses the Ethernet port type field.
src-mac Algorithm uses MAC source field.
vlan-id Algorithm uses VLAN ID field.
vlan-priority Algorithm uses VLAN priority field.

Related Commands

The load-balance fm6000 profile command places the switch in to the load-balance-profile configuration mode.

Example

These commands specify the MAC destination and VLAN priority fields as components of the hash algorithm defined by the LB-1 load balance profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-1
switch(config-load-balance-profile-LB-1)# fields mac dst-mac vlan-priority
switch(config-load-balance-profile-LB-1)# show active
load-balance policies
   load-balance fm6000 profile LB-1
      fields mac dst-mac vlan-priority
switch(config-load-balance-profile-LB-1)#

hash-seed

The hash-seed command specifies the seed used by the hash algorithm defined by the configuration mode load balance profile. Profile algorithms can load balance packets across port channel links or ECMP routes.

The no hash-seed and default hash-seed commands restore the default hash seed value of 0 to the load balancing algorithm defined by the configuration mode profile by removing the corresponding hash-seed command from running-config.

Command Mode

Load-balance-profile Configuration

Command Syntax

hash-seed number

no hash-seed number

default hash-seed number

Parameters

number Specifies the value of the hash seed. Value ranges from 0 to 39.

Example

These commands configure the hash seed 20 in a profile and assign it as the global profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance sand profile myGlobalProfile
switch(config-sand-load-balance-profile-myGlobalProfile)# hash-seed 20
switch(config)# port-channel load-balance sand profile myGlobalProfile

ingress load-balance profile

The ingress load-balance profile command applies the specified load-balance profile to the configuration mode interface. Load balance profiles specify parameters used by hashing algorithms that distribute traffic across ports comprising a port channel or among ECMP routes. The switch supports 16 load balance profiles, including the default profile.

Load balance profiles can be assigned to Ethernet and port channel interfaces. Profiles define the distribution method of traffic that ingresses the interface among the ports comprising a port channel or routes comprising an ECMP.

The default load balance profile is configured through port-channel load-balance fm6000 fields ip and port-channel load-balance fm6000 fields mac commands.

The no ingress load-balance profile and default ingress load-balance profile commands restore the default load balance profile for the configuration mode interface by removing the corresponding ingress load-balance profile command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

ingress load-balance profile profile_name

no ingress load-balance profile

default ingress load-balance profile

Parameters

profile_name Name of profile assigned to interface.

Example

This command applies the LB-1 load balance profile to port channel interface 100.

switch(config)# interface port-channel 100
switch(config-if-Po100)# show active
interface Port-Channel100

switch(config-if-Po100)# ingress load-balance profile LB-1
switch(config-if-Po100)#
interface Port-Channel100
   ingress load-balance profile LB-1

switch(config-if-Po100)#

interface port-channel

The interface port-channel command places the switch in port-channel interface configuration mode for modifying parameters of specified link aggregation (LAG) interfaces. When entering configuration mode to modify existing port channel interfaces, the command can specify multiple interfaces.

The command creates a port channel interface if the specified interface does not exist prior to issuing the command. When creating an interface, the command can only specify a single interface.

The no interface port-channel and default interface port-channel commands delete the specified LAG interfaces from running-config.

Command Mode

Global Configuration

Command Syntax

interface port-channel p_range

no interface port-channel p_range

default interface port-channel p_range

Parameter

p_range Port channel interfaces (number, range, or comma-delimited list of numbers and ranges).

Port channel numbers range from 1 to 2000.

Guidelines

When configuring a port channel, you do not need to issue the interface port-channel command before assigning a port to the port channel (see the channel-group command). The port channel number is implicitly created when a port is added to the specified port channel with the channel-group number command.

To display ports that are members of a port channel, enter show port-channel. To view information about hardware limitations for a port channel, enter show port-channel limits.

All active ports in a port channel must be compatible. Compatibility comprises many factors and is specific to a given platform. For example, compatibility may require identical operating parameters such as speed and/or Maximum Transmission Unit (MTU). Compatibility may only be possible between specific ports because of internal organization of the switch.

You can configure a port channel with a set of ports such that more than one subset of the member ports are mutually compatible. Port channels in EOS are designed to activate the compatible subset of ports with the largest aggregate capacity. A subset with two 40 Gbps ports (aggregate capacity 80 Gbps) has preference to a subset with five active 10 Gbps ports (aggregate capacity 50 Gbps).

Example

This example creates interface port-channel 3:

switch(config)# interface port-channel 3
switch(config-if-Po3)#

lacp port-priority

The lacp port-priority command sets the aggregating port priority for the configuration mode interface. Priority is supported on port channels with LACP-enabled physical interfaces. LACP port priority determines the port that is active in a LAG in fallback mode. Numerically lower values have higher priority.

Each port in an aggregation is assigned a 32-bit port identifier by prepending the port priority (16 bits) to the port number (16 bits). Port priority determines the ports that are placed in standby mode when hardware limitations prevent a single aggregation of all compatible ports.

Priority numbers range from 0 to 65535. The default is 32768. Interfaces with higher priority numbers are placed in standby mode before interfaces with lower priority numbers.

The no lacp port-priority and default lacp port-priority commands restore the default port-priority to the configuration mode interface by removing the corresponding lacp port-priority command from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

lacp port-priority priority_value

no lacp port-priority

default lacp port-priority

Parameters

priority_level Port priority. Values range from 0 to 65535. Default is 32768

Example

These commands assign the port priority of 4096 to interface ethernet 8.

switch(config)# interface ethernet 8
switch(config-if-Et8)# lacp port-priority 4096
switch(config-if-Et8)# show active
interface Ethernet8
   lacp port-priority 4096
switch(config-if-Et8)#

lacp system-priority

The lacp system-priority command configures the switch’s LACP system priority. Values range between 0 and 65535. Default value is 32768.

Each switch is assigned a globally unique 64-bit system identifier by prepending the system priority (16 bits) to the MAC address of one of its physical ports (48 bits). Peer devices use the system identifier when forming an aggregation to verify that all links are from the same switch. The system identifier is also used when dynamically changing aggregation capabilities resulting from LACP data; the system with the numerically lower system identifier can dynamically change advertised aggregation parameters.

The no lacp system-priority and default lacp system-priority commands restore the default system priority by removing the lacp system-priority command from running-config.

Command Mode

Global Configuration

Command Syntax

lacp system-priority priority_value

no lacp system-priority

default lacp system-priority

Parameters

priority_value System priority number. Values range from 0 to 65535. Default is 32768.

Example

This command assigns the system priority of 8192 to the switch.

switch(config)# lacp system-priority 8192
switch(config)#

lacp timer

The lacp timer command configures the LACP reception interval on the configuration mode interface. The LACP timeout specifies the reception rate of LACP packets at interfaces supporting LACP. Supported rates include:

normal: 30 seconds with synchronized interfaces; one second while interfaces are synchronizing.
fast: one second.

This command is supported on LACP-enabled interfaces. The default value is normal.

The no lacp timer and default lacp timer commands restore the default value of normal on the configuration mode interface by deleting the corresponding lacp timer command from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

lacp timer RATE_LEVEL

no lacp timer

default lacp timer

Parameters

RATE_LEVEL LACP reception interval. Options include:

fast One second.
normal 30 seconds for synchronized interfaces; 1 second while interfaces synchronize.

Example

This command sets the LACP timer to 1 second on ethernet interface 4.

switch(config-if-Et4)# lacp timer fast
switch(config-if-Et4)#

load-balance fm6000 profile

The load-balance fm6000 profile command places the switch in load-balance-profile configuration mode to configure a specified load balance profile. The command specifies the name of the profile that subsequent commands modify. It creates a profile if the profile it references does not exist.

Load balance profiles specify parameters used by hashing algorithms that distribute traffic across ports comprising a port channel or among component ECMP routes. The switch supports 16 load balance profiles, including the default profile. The default load balance profile is configured through port-channel load-balance fm6000 fields ip and port-channel load-balance fm6000 fields mac commands.

The load balance profile name is referenced when it is applied to an interface. The default profile is not associated with a name and is applied to an interface in the absence of a named profile assignment.

The no load-balance fm6000 profile and default load-balance fm6000 profile commands delete the specified load balance profile from running-config. Profiles that are assigned to an interface cannot be deleted. Attempts to delete an assigned profile generate a profile in use error messages.

The load-balance fm6000 profile command is accessible from load-balance-policies configuration mode. The load-balance-profile configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the load-balance-policies configuration mode does not affect the configuration. The exit command returns the switch to the load-balance-policies configuration mode.

Command Mode

Load-balance-policies Configuration

Command Syntax

load-balance fm6000 profile profile_name

no load-balance fm6000 profile profile_name

default load-balance fm6000 profile profile_name

Parameters

profile_name Name of the load-balance profile.

Commands Available in Load-balance-profile Configuration Mode

fields ip
fields mac
distribution random
distribution symmetric-hash
port-channel hash-seed
show active displays the contents of the configuration mode profile.

Related Commands

The load-balance policies command places the switch in to theload-balance-policies configuration mode.
The ingress load-balance profile command applies a load-balance profile to an Ethernet or port channel interface.
The show load-balance profile command displays the contents of load balance profiles.

Example

These commands enters the load-balance-profile configuration mode, creates the LB-1 profile, and lists the default settings for the profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-1
switch(config-load-balance-profile-LB-1)# show active all
load-balance policies
   load-balance fm6000 profile LB-1
      port-channel hash-seed 0
      fields mac dst-mac src-mac eth-type vlan-priority vlan-id
      fields ip protocol dst-ip dst-port src-ip src-port dscp
      no distribution symmetric-hash
      no distribution random
switch(config-load-balance-profile-LB-1)#

load-balance policies

The load-balance policies command places the switch in load-balance-policies configuration mode. Load-balance-policies configuration mode provides commands for managing load-balance profiles. Load balance profiles specify the inputs used by the hashing algorithms that distribute traffic across ports comprising a port channel or among ECMP routes.

The no load-balance policies and default load-balance policies commands delete all load balance profiles from running-config. The command generates an error message when at least one profile is assigned to an interface.

Load-balance-policies configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the load-balance-policies configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

load-balance policies

no load-balance policies

default load-balance policies

Commands Available in Load-balance-policies Configuration Mode

load-balance fm6000 profile places the switch in load-balance-profile configuration mode.
show active displays contents of all load balance profiles.

Related Commands

The ingress load-balance profile command applies a load-balance profile to an Ethernet or port channel interface.
The show load-balance profile command displays the contents of load balance profiles.

Examples

This command places the switch in the load-balance-policies configuration mode.

switch(config)# load-balance policies
switch(config-load-balance-policies)#

This command displays the contents of the three configured load balance profiles.

switch(config-load-balance-policies)# show active

load-balance policies
   load-balance fm6000 profile F-01
      port-channel hash-seed 22
      fields ip dscp
      distribution random port-channel
   !
   load-balance fm6000 profile F-02
      fields ip protocol dst-ip
      fields mac dst-mac eth-type
      distribution random ecmp port-channel
   !
   load-balance fm6000 profile F-03

switch(config-load-balance-policies)#

load-balance sand profile (7500E/7500R)

The load-balance sand profile command configures a load-balance profile on a sand module switch. A default profile is designated as a global profile when no other profile is set as global profile. Note, a warning message is displayed when a profile is entered or deleted.

If no load-balance sand profile command is executed when the profile set is default then the following warning message is displayed:

! profile default is a reserved profile and cannot be deleted

Command Mode

Global Configuration

Command Syntax

load-balance sand profile profile_name

no load-balance sand profile profile_name

Parameter

profile_name Name of the profile assigned to the selected module.

Examples

These commands designate a default profile as a global profile on sand module platform switch. Note, a warning message is displayed when a profile is entered or deleted.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance sand profile default
 ! profile default is a reserved profile
! profile default is the current global profile

When no form of the command is executed it displays the following warning message.

switch(config)# load-balance policies
switch(config-load-balance-policies)# no load-balance sand profile default
! profile default is a reserved profile and cannot be deleted

port-channel hash-seed

The port-channel hash-seed command specifies the seed used by the hash algorithm defined by the configuration mode load balance profile when distributing the load across ports comprising a port channel. When a load balance profile is assigned to a port channel or Ethernet interface, its associated hash algorithm determines the distribution of packets that ingress the interface. Profile algorithms can load balance packets across port channel links or ECMP routes.

The hash seed that the algorithm uses to select port channel links or ECMP routes is configured by the ip load-sharing command.

The no port-channel hash-seed and default port-channel hash-seed commands restore the default hash seed value of 0 to the load balancing algorithm defined by the configuration mode profile by removing the corresponding port-channel hash-seed command from running-config.

Command Mode

Load-balance-profile Configuration

Command Syntax

port-channel hash-seed number

no port-channel hash-seed

default port-channel hash-seed

Parameters

number The hash seed. Value ranges from 0 to 39.

Related Commands

The load-balance fm6000 profile command places the switch in to the load-balance-profile configuration mode.

Example

Thes commands configure the port-channel hash seed of 22 for the hash algorithm defined by the LB-1 load balance profile.

switch(config)# load-balance policies
switch(config-load-balance-policies)# load-balance fm6000 profile LB-1
switch(config-load-balance-profile-LB-1)# port-channel hash-seed 22
switch(config-load-balance-profile-LB-1)# show active
load-balance policies
   load-balance fm6000 profile LB-1
      port-channel hash-seed 22
switch(config-load-balance-profile-LB-1)#

port-channel lacp fallback

The port-channel lacp fallback command enables the LACP fallback mode on the interface.

LACP fallback is unconfigured and disabled by default. An LACP interface without fallback enabled does not form a LAG until it receives PDUs from its peer.

LACP fallback can be configured on an interface in static or individual mode:

static mode The port channel member with the lowest LACP port priority is active and maintains contact with the peer (sending and receiving data) while other port channel members remain in standby mode until a LACP PDU is received. All members continue to send (and can receive) LACP PDUs.
individual mode All port channel members act as individual ports, reverting to their port-specific configuration while the channel is in fallback mode, and continue to send and receive data. All members continue to send LACP PDUs until a LACP PDU is received by one of the member ports.

The no port-channel lacp fallback and default port-channel lacp fallback commands disable LACP fallback mode on the configuration mode interface by removing the corresponding port-channel lacp fallback command from running-config.

Command Mode

Interface-Port-Channel Configuration

Command Syntax

port-channel lacp fallback [MODE]

no port-channel lacp fallback

default port-channel lacp fallback

Parameters

MODE LACP fallback mode. Options include:

no parameter Enables static LACP fallback mode.
- static Enables static LACP fallback mode.
- individual Eenables individual LACP fallback mode.

Related Commands

The port-channel lacp fallback timeout command configures the fallback timeout period for a port channel interface. The default LACP fallback timeout period is 90 seconds.
The lacp port-priority command configures the port priority for an individual interface.

Examples

These commands enable LACP static fallback mode, then configure an LACP fallback timeout of 100 seconds on interface port-channel 13. If LACP negotiation fails, only the member port with the lowest LACP priority will remain active until an LACP PDU is received by one of the member ports.

switch(config)# interface port-channel 13
switch(config-if-Po13)# port-channel lacp fallback static
switch(config-if-Po13)# port-channel lacp fallback timeout 100
switch(config-if-Po13)# show active
interface Port-Channel13
   port-channel lacp fallback static
   port-channel lacp fallback timeout 100
switch(config-if-Po13)#

These commands enable LACP individual fallback mode, then configure an LACP fallback timeout of 50 seconds on interface port-channel 17. If LACP negotiation fails, all member ports will act as individual switch ports, using port-specific configuration, until a LACP PDU is received by one of the member ports.

switch(config)# interface port-channel 17
switch(config-if-Po17)# port-channel lacp fallback individual
switch(config-if-Po17)# port-channel lacp fallback timeout 50
switch(config-if-Po17)# show active
interface Port-Channel17
   port-channel lacp fallback individual
   port-channel lacp fallback timeout 50
switch(config-if-Po17)#

port-channel lacp fallback timeout

The port-channel lacp fallback timeout command specifies the fallback timeout period for the configuration mode interface.

Fallback timeout settings persist in running-config without taking effect for interfaces that are not configured into fallback mode. The default fallback timeout period is 90 seconds.

The no port-channel lacp fallback timeout and default port-channel lacp fallback timeout commands restore the default fallback timeout of 90 seconds for the configuration mode interface by removing the corresponding port-channel lacp fallback timeout command from running-config.

Command Mode

Interface-Port-Channel Configuration

Command Syntax

port-channel lacp fallback timeout period

no port-channel lacp fallback timeout

default port-channel lacp fallback timeout

Parameters

period Maximum interval between receipt of LACP PDU packets (seconds). Value ranges from 1 to 300 seconds. Default value is 90.

Related Commands

The port-channel lacp fallback command configures fallback mode for a port channel interface.

Guidelines

The fallback timeout period should not be shorter than the LACP reception interval (lacp timer). The default LACP reception interval is 30 seconds.

Example

This command enables LACP fallback mode, then configures an LACP fallback timeout of 100 seconds on interface port-channel 13.

switch(config)# interface port-channel 13
switch(config-if-Po13)# port-channel lacp fallback
switch(config-if-Po13)# port-channel lacp fallback timeout 100
switch(config-if-Po13)# show active
interface Port-Channel13
   port-channel lacp fallback
   port-channel lacp fallback timeout 100
switch(config-if-Po13)#

port-channel load-balance

The port-channel load-balance command specifies the seed in the hashing algorithm that balances the load across ports comprising a port channel. Available seed values vary by switch platform.

The no port-channel load-balance and default port-channel load-balance commands remove the port-channel load-balance command from running-config, restoring the default hash seed value of 0.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance platform { hash_seed | fields ip fields | hash hash_function }

no port-channel load-balance platform [ hash_seed ]

default port-channel load-balance platform [ hash_seed ]

Parameters

Note: Parameter options vary by switch model. Verify available options with the ? command.

platform ASIC switching device. Value depends on the switch model.
hash_seed The numerical seed for the hash function. Value range varies by switch platform:
- arad 0 to 65535.
- fm6000 0 to 39.
- petraA Uses field inputs only.
- trident 0 to 47.
For trident platform switches, algorithms using hash seeds between 0 and 15 typically result in more effective distribution of data streams across the port channels.
fields Which fields will be used as inputs to the port channel hash.
- gre Configure which GRE fields are inputs to the hash.
- ip Configure which fields are inputs to the hash for IPv4 packets.
- ipv6 Configure which fields are inputs to the hash for IPv6 packets.
- mac Configure which MAC fields are inputs to the hash.
- mac-in-mac Configure which MAC-in-MAC fields are inputs to the hash.
- mpls Configure which MPLS fields are inputs to the hash.
- destination-ip Use the Layer 3 IP destination address in the hash.
- destination-port Use the Layer 4 TCP/UDP destination port in the hash.
- dst-ip Use the destination IP address in the hash.
- dst-mac Use the destination Payload MAC in the hash (or the destination MAC address in the MAC hash).
- eth-type Use the Ethernet type in the MAC hash.
- ip-in-ip Use the outer IP header in the hash for IPv4 over IPv4 GRE tunnel.
- ip-in-ipv6 Use the outer IP header in the hash for IPv4 over IPv6 GRE tunnel.
- ipv6-in-ip Use the outer IP header in the hash for IPv6 over IPv4 GRE tunnel.
- ipv6-in-ipv6 Use the outer IP header in the hash for IPv6 over IPv6 GRE tunnel.
- ip-tcp-udp-header Use the Layer 3 and Layer 4 hashes.
- isid Use the MAC-in-MAC ISID in the hash.
- label Use the MPLS label in the hash.
- mac-header Use the MAC hash.
- outer-mac Use the outer MAC of source and destination in the hash.
- source-ip Use the Layer 3 IP source address in the hash.
- src-ip Use the source IP address in the hash.
- source-port Use l\Layer 4 TCP/UDP source port in the hash.
- src-mac Use the source payload MAC in the hash (or the source MAC address in the MAC hash).

hash_function Specifies the hash polynomial function. Values range from 0-2.

Example

This command configures a hash seed of 10 on an FM6000 platform switch.

switch(config)# port-channel load-balance fm6000 10
switch(config)#

port-channel load-balance arad fields ip

The port-channel load-balance arad fields ip command specifies the data fields that the port channel load balance hash algorithm uses for distributing IP packets on Arad platform switches. The hashing algorithm fields used for IP packets differ from the fields used for non-IP packets.

The switch calculates a hash value using the packet header fields to load balance packets across links in a port channel. The hash value determines the link through which the packet is transmitted. This method also ensures that all packets in a flow follow the same network path. Packet flow is modified by changing the inputs to the port channel hash algorithm.

The no port-channel load-balance arad fields ip and default port-channel load-balance arad fields ip commands restore the default data fields for the IP packet load balancing algorithm by removing the port-channel load-balance arad A fields ip command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance arad fields ip IP_FIELD_NAME

no port-channel load-balance arad fields ip

default port-channel load-balance arad fields ip

Parameters

IP_FIELD_NAME Fields the hashing algorithm uses for Layer 3 routing. Options include:

ip-tcp-udp-header Algorithm uses source and destination IP address fields. Source and destination port fields are included for TCP and UDP packets.
- mac-header Algorithm uses entire MAC header.
  A command can only specify one option. The default setting is ip-tcp-udp-header.

Guidelines

The port channel hash algorithm for non-IP packets is not configurable and always includes the entire MAC header.

Related Command

The port-channel load-balance command configures the hash seed for the algorithm.

Example

These commands configure the switch’s port channel load balance hash algorithm for IP packets to use source and destination IP address (and port) fields.

switch(config)# port-channel load-balance fm6000 fields ip ip-tcp-udp-header
switch(config)#

port-channel load-balance fm6000 fields ip

The port-channel load-balance fm6000 fields ip command specifies the data fields that the port channel load balance hash algorithm uses for distributing IP packets on FM6000 platform switches. The hashing algorithm fields used for IP packets differ from the fields used for non-IP packets.

The no port-channel load-balance fm6000 fields ip and default port-channel load-balance fm6000 fields ip commands restore the default data fields for the IP packet load balancing algorithm by removing the port-channel load-balance fm6000 fields ip command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance fm6000 fields ip IP_FIELD_NAME

no port-channel load-balance fm6000 fields ip

default port-channel load-balance fm6000 fields ip

Parameters

IP_FIELD_NAME Specifies fields the hashing algorithm uses for layer 3 routing. Options include:

ip-tcp-udp-header Algorithm uses source and destination IP address fields. Source and destination port fields are included for TCP and UDP packets.

A command can only specify one option. The default setting is ip-tcp-udp-header.

Related Commands

The port-channel load-balance command configures the hash seed for the algorithm.
The port-channel load-balance fm6000 fields mac command controls the hash algorithm for non-IP packets.

Example

These commands configure the switch’s port channel load balance for IP packets by source and destination IP address and port fields.

switch(config)# port-channel load-balance fm6000 fields ip ip-tcp-udp-header
switch(config)#

port-channel load-balance fm6000 fields mac

The port-channel load-balance fm6000 fields mac command specifies data fields that configure the port channel load balance hash algorithm for non-IP packets on FM6000 platform switches. The hashing algorithm fields used for balancing non-IP packets differ from the fields used for IP packets.

The no port-channel load-balance fm6000 fields mac and default port-channel load-balance fm6000 fields mac commands restore the default data fields for the non-IP packet load balancing algorithm by removing the port-channel load-balance fm6000 fields mac command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance fm6000 fields mac MAC_FIELD_NAME

no port-channel load-balance fm6000 fields mac

default port-channel load-balance fm6000 fields mac

Parameters

MAC_FIELD_NAME Fields the hashing algorithm uses for Layer 2 routing. Options include:

dst-mac MAC destination field.
eth-type EtherType field.
src-mac MAC source field.
vlan-id VLAN ID field.
vlan-priority VLAN priority field.

Command may include from one to five fields, in any combination and listed in any order. The default setting is the selection of all fields.

Related Commands

The port-channel load-balance command configures the hash seed for the algorithm.
The port-channel load-balance fm6000 fields ip command controls the hash algorithm for IP packets.

Example

These commands configure the switch’s port channel load balance for non-IP packets by using the MAC destination and Ethernet type fields in the hashing algorithm.

switch(config)# port-channel load-balance fm6000 fields mac dst-mac eth-type 
switch(config)#

port-channel load-balance module

The port-channel load-balance module command assigns a named load-balancing profile to a linecard.

Note: Available on the 7500E platform.

The no port-channel load-balance module and default port-channel load-balance module commands unassigns the load balancing module, or restores the default data fields for the load balancing module.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance module LINECARD_RANGE sand profile PROFILE_NAME

no port-channel load-balance module LINECARD_RANGE sand profile PROFILE_NAME

default port-channel load-balance module LINECARD_RANGE sand profile PROFILE_NAME

Parameters

LINECARD_RANGE Linecard number range includes:
- 3-10 Linecard number range.
PROFILE_NAMELoad-balance profile name.

Examples

This command assigns a named load-balancing profile to a linecard.

switch(config)# port-channel load-balance module 3-7 sand profile Linecard5
switch(config)#

This command unassigns a named load-balancing profile to a linecard.

switch(config)# no port-channel load-balance module 3-7 sand profile Linecard5
switch(config)#

port-channel load-balance petraA fields ip

The port-channel load-balance petraA fields ip command specifies the data fields that the port channel load balance hash algorithm uses for distributing IP packets on Petra platform switches. The hashing algorithm fields used for IP packets differ from the fields used for non-IP packets.

The no port-channel load-balance petraA fields ip and default port-channel load-balance petraA fields ip commands restore the default data fields for the IP packet load balancing algorithm by removing the port-channel load-balance petraA fields ip command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance petraA fields ip IP_FIELD_NAME

no port-channel load-balance petraA fields ip

default port-channel load-balance petraA fields ip

Parameters

IP_FIELD_NAME Fields the hashing algorithm uses for Layer 3 routing. Options include:

ip-tcp-udp-header Algorithm uses source and destination IP address fields. Source and destination port fields are included for TCP and UDP packets.
mac-header Algorithm uses entire MAC header.

A command can only specify one option. The default setting is ip-tcp-udp-header.

Guidelines

The port channel hash algorithm for non-IP packets is not configurable and always includes the entire MAC header.

Related Command

The port-channel load-balance command configures the hash seed for the algorithm.

Example

These commands configure the switch’s port channel load balance hash algorithm for IP packets to use source and destination IP address (and port) fields.

switch(config)# port-channel load-balance fm6000 fields ip ip-tcp-udp-header
switch(config)#

port-channel load-balance sand profile (7500E/7500R)

The port-channel load-balance sand profile command configures a global LAG hashing profile on the port channel interface. A default profile is set as a global profile when no other profile is set as global.

The no port-channel load-balance sand profile command removes the active profile from the port-channel load-balance command from running-config, restoring the default profile.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance sand profile profile_name

no port-channel load-balance sand profile profile_name

Parameter

profile_name Name of the profile assigned to the selected module.

Example

This command configures a global LAG hashing profile on 7500 series platform switch.

switch(config)# port-channel load-balance sand profile myGlobalProfile
switch(config)#

port-channel load-balance trident fields ip

The port-channel load-balance trident fields ip command specifies the data fields that the port channel load balance hash algorithm uses for distributing IP packets on Trident platform switches. The hashing algorithm fields used for IP packets differ from the fields used for non-IP packets.

The no port-channel load-balance trident fields ip and default port-channel load-balance trident fields ip commands restore the default data fields for the IP packet load balancing algorithm by removing the port-channel load-balance trident fields ip command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance trident fields ip IP_FIELD_NAME

no port-channel load-balance trident fields ip

default port-channel load-balance trident fields ip

default port-channel load-balance trident fields ip ingress-interface disabled

Parameters

IP_FIELD_NAME Specifies fields the hashing algorithm uses for Layer 3 routing. Command may include from one to four of the following four options, in any combination and listed in any order.
- destination-ip Algorithm uses destination IP address field.
- source-ip Algorithm uses source IP address field.
- destination-port Agorithm uses destination TCP/UDP port field.
- source-port Algorithm uses source TCP/UDP port field.
  - ip-tcp-udp-header Algorithm uses source and destination IP address fields. Source and destination port fields are included for TCP and UDP packets.
    Note: This option cannot be used in combination with any other option.
- mac-header Algorithm uses fields specified by port-channel load-balance trident fields mac.
  Note: This option cannot be used in combination with any other option.
- ingress-interface Disable from LAG hashing.

Default setting is ip-tcp-udp-header

Related Commands

The port-channel load-balance command configures the hash seed for the algorithm.
The port-channel load-balance trident fields ipv6 command controls the hash algorithm for IPv6 packets.
The port-channel load-balance trident fields mac command controls the hash algorithm for non-IP/IPv6 packets.

Examples

These commands configure the switch’s port channel load balance for IP packets by using the IPv6 destination field in the hashing algorithm.
```
switch(config)# port-channel load-balance trident fields ip destination-ip
switch(config)#
```

This command disables the ingress interface for IPv4 traffic.

switch(config)# port-channel load-balance trident fields ip ingress-interface disabled
switch(config)#

port-channel load-balance trident fields ipv6

The port-channel load-balance trident fields ipv6 command specifies the data fields that the port channel load balance hash algorithm uses for distributing IPv6 packets on Trident platform switches. The hashing algorithm fields used for IPv6 packets differ from the fields used for non-IPv6 packets.

The no port-channel load-balance trident fields ipv6 and default port-channel load-balance trident fields ipv6 commands restore the default data fields for the IPv6 packet load balancing algorithm by removing the port-channel load-balance trident fields ipv6 command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance trident fields ipv6 IP_FIELD_NAME

no port-channel load-balance trident fields ipv6

default port-channel load-balance trident fields ipv6

Parameters

IP_FIELD_NAME Specifies fields the hashing algorithm uses for Layer 3 routing. Command may include from one to four of the following four options, in any combination and listed in any order.
- destination-ip Algorithm uses destination IPv6 address field.
- source-ip Algorithm uses source IPv6 address field.
- destination-port Algorithm uses destination TCP/UDP port field.
- source-port Algorithm uses source TCP/UDP port field.
  - ip-tcp-udp-header Algorithm uses source and destination IPv6 address fields. Source and destination port fields are included for TCP and UDP packets.
    Note: This option can’t be used in combination with any other option.
  - mac-header Algorithm uses fields specified by port-channel load-balance trident fields mac.
    Note: This option can’t be used in combination with any other option.
  - ingress-interface Disable from LAG hashing.
  Default setting is ip-tcp-udp-header

Related Commands

The port-channel load-balance command configures the hash seed for the algorithm.
The port-channel load-balance trident fields ipv6 commands controls the hash algorithm for non-IP packets.
The port-channel load-balance trident fields mac command controls the hash algorithm for non-IP packets.

Examples

These commands configure the switch’s port channel load balance for IP packets by using the IPv6 source field in the hashing algorithm.
```
switch(config)# port-channel load-balance trident fields ipv6 source-ip
switch(config)#
```

This command disables the ingress interface for IPv6 traffic.

switch(config)# port-channel load-balance trident fields ipv6 ingress-interface disabled
switch(config)#

port-channel load-balance trident fields mac

The port-channel load-balance trident fields mac command specifies data fields that the port channel load balance hash algorithm uses for distributing non-IP packets on Trident platform switches. The hashing algorithm fields used for non-IP packets differ from the fields used for IP packets.

The no port-channel load-balance trident fields mac and default port-channel load-balance trident fields mac commands restore the default data fields for the non-IP packet load balancing algorithm by removing the port-channel load-balance trident fields mac command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel load-balance trident fields mac MAC_FIELD_NAME

no port-channel load-balance trident fields mac

default port-channel load-balance trident fields mac

default port-channel load-balance trident fields mac ingress-interface disabled

Parameters

MAC_FIELD_NAMEFields the hashing algorithm uses for Layer 2 routing. Options include:
- dst-mac MAC destination field.
- eth-type EtherType field.
- src-mac MAC source field.
- ingress-interface Disable from LAG hashing.
Command may include from one to three fields, in any combination and listed in any order. The default setting is the selection of all fields.

Related Commands

port-channel load-balance configures the hash seed for the algorithm.
port-channel load-balance trident fields ip controls the hash algorithm for IP packets.
port-channel load-balance trident fields ipv6 controls the hash algorithm for IP packets.

Examples

These commands configure the switch’s port channel load balance for non-IP packets by using the MAC destination and Ethernet type fields in the hashing algorithm.
```
switch(config)# port-channel load-balance trident fields mac dst-mac eth-type  
switch(config)#
```

This command disables the ingress interface for IPv4 traffic.

switch(config)# port-channel load-balance trident fields mac ingress-interface disabled
switch(config)#

port-channel min-links

The port-channel min-links command specifies the minimum number of interfaces that the configuration mode LAG requires to become active. If there are fewer ports than specified by this command, the port channel interface does not become active. The default min-links value is 0.

The no port-channel min-links and default port-channel min-links commands restore the default min-links setting for the configuration mode LAG by removing the corresponding port-channel min-links command from the configuration.

Note: In static LAGs, the min-links value must be met for the LAG to be active. The LAG will not become active until it has at least the min-links number of functioning links in the channel group. If failed links cause the number to drop below the minimum, the LAG will go down and administrator action will be required to bring it back up. In dynamic LAGs, the LACP protocol must determine that at least min-links physical ports are aggregable (they are physically compatible and have the same keys both remotely and locally) before it begins negotiating to make any ports active members of the port-channel. However once negotiation begins, an error on the partner’s side or an error in programming of member interfaces can cause the LAG to become active with fewer than the minimum number of links. EOS evaluates min-links after min-links-review-timeout (linearly proportional to configured min-links) when LACP protocol collecting and/or distributing state changes. If the number of active member interfaces in a port-channel is less than configured min-links, it brings the corresponding port-channel Link Down and syslogs LAG-4-MINLINK_INTF_INSUFFICIENT message. If additional interfaces get programmed as collecting and distributing, EOS re-evaluates min-links on the port-channel. If sufficient number of interfaces are available to be a part of port-channel, then all interfaces of the corresponding port-channel are re-enabled for LACP negotiation and the port-channel becomes Link Up. LAG-4-MINLINK_INTF_NORMAL is syslogged after min-links-review-timeout if the min-links condition is satisfied; otherwise LAG-4-MINLINK_INTF_INSUFFICIENT is syslogged and the port-channel goes Link Down. If an interface remains in collecting state but not in distributing state for min-links-review-timeout, it is moved out of collecting state. It is periodically re-enabled after min-links-retry-timeout (which is 360s seconds) till it progresses to collecting and distributing. Meanwhile, if a port-channel becomes Link Up because sufficient number of interfaces progressed to collecting and distributing states, then this interface is enabled for LACP negotiation.

Command Mode

Interface-Port-Channel Configuration

Command Syntax

port-channel min-links quantity

no port-channel min-links

default port-channel min-links

Parameters

quantity Minimum number of interfaces. Value range varies by platform. Default value is 0.

Example

These commands set 4 as the minimum number of ports required for port channel 13 to become active.

switch(config)# interface port-channel 13
switch(config-if-Po13)# port-channel min-links 4
switch(config-if-Po13)# show active
interface Port-Channel13
   port-channel min-links 4
switch(config-if-Po13)#

port-channel min-links review interval

The port-channel min-links review interval command enables or disables timer based min-links review feature for all port-channels.

The no port-channel min-links review interval and default port-channel min-links review intervalcommands restore the default min-links-timeout-base to 180 seconds by removing the corresponding port-channel min-links review interval command from running-config.

Command Mode

Global Configuration

Command Syntax

port-channel min-links review interval timeout (seconds)

no port-channel min-links review interval

default port-channel min-links review interval

Guidelines

The min-links-timeout-base interval for port-channels can be set within the range of 0 to 600 seconds. When setting the review interval to zero, the command has the following effect:

Disables the timer-based min-links review feature for all port-channels.
- For LACP port-channels, it prevents the port-channel from bringing link up (even after one or more member ports were negotiated to collect or distribute (rx or tx)) until there are sufficient member interfaces ready to join the port-channel. Meanwhile, the partner can enable the port-channel link with fewer than required member interfaces. This configuration does not impact port-channels without min-links configuration.

Related Command

port-channel min-links

Example

This command sets the port-channel min-links interval to 200 seconds.

switch(config)# port-channel min-links review interval 200

port-channel speed mixed

The port-channel speed mixed command configures a port channel with the ability to have active members of multiple speeds.

Note: Available on the 7020, 7280, 7500, and 7800 platforms. Minimum links is not available on mixed-speed port channels.

Command Mode

Interface-Port-Channel Configuration

Command Syntax

port-channel speed mixed

Related Commands

The interface port-channel command places the switch in the interface-port-channel configuration mode.

Example

These commands place the switch in the interface port-channel mode and configure the mixed speed port-channel.

switch(config)# interface port-channel 1
switch(config-if-Po1)# port-channel speed mixed

port-channel speed minimum

The port-channel speed minimum command specifies the cumulative minimum speed of all active members in order for a port channel to become active. If there is less than the specified by this command, the port channel interface does not become active.

Note: If both minimum speed and minimum links are configured, minimum speed will take precedence.

Command Mode

Interface-Port-Channel Configuration

Command Syntax

port-channel speed minimum speed-value

Parameter

speed-value Minimum speed value. The value ranges from 1 to 65535.

Related Command

The interface port-channel command places the switch in interface-port-channel configuration mode.

Example

These command sets 100 Gbps as the minimum speed needed for port channel 1 to become active.

switch(config)# interface port-channel 1
switch(config-if-Po1)# port-channel speed minimum 100 gbps

show lacp aggregates

The show lacp aggregates command displays aggregate IDs and the list of bundled ports for all specified port channels.

Command Mode

EXEC

Command Syntax

show lacp [PORT_LIST] aggregates [PORT_LEVEL] [INFO_LEVEL]

Note: PORT_LEVEL and INFO_LEVEL parameters can be placed in any order.

Parameters

PORT_LIST Port channels for which aggregate information is displayed. Options include:
- <no parameter> All configured port channels.
- c_range Channel list (number, range, or comma-delimited list of numbers and ranges).
PORT_LEVEL Ports displayed, in terms of aggregation status. Options include:
- no parameter Ports bundled by LACP into the port channel.
- all-ports All channel group ports, including channel group members not bundled into the port channel interface.
INFO_LEVEL Amount of information that is displayed. Options include:
- no parameter Aggregate ID and bundled ports for each channel.
- brief Aggregate ID and bundled ports for each channel.
- detailed Aggregate ID and bundled ports for each channel.

Example

This command lists aggregate information for all configured port channels.

switch> show lacp aggregates

Port Channel Port-Channel1:
 Aggregate ID: 
[(8000,00-1c-73-04-36-d7,0001,0000,0000),(8000,00-1c-73-09-a0-f3,0001,0000,0000)]
  Bundled Ports: Ethernet43 Ethernet44 Ethernet45 Ethernet46
Port Channel Port-Channel2:
 Aggregate ID: 
[(8000,00-1c-73-01-02-1e,0002,0000,0000),(8000,00-1c-73-04-36-d7,0002,0000,0000)]
  Bundled Ports: Ethernet47 Ethernet48
Port Channel Port-Channel3:
 Aggregate ID: 
[(8000,00-1c-73-04-36-d7,0003,0000,0000),(8000,00-1c-73-0c-02-7d,0001,0000,0000)]
  Bundled Ports: Ethernet3 Ethernet4
Port Channel Port-Channel4:
 Aggregate ID: 
[(0001,00-22-b0-57-23-be,0031,0000,0000),(8000,00-1c-73-04-36-d7,0004,0000,0000)]
  Bundled Ports: Ethernet1 Ethernet2
Port Channel Port-Channel5:
 Aggregate ID: 
[(0001,00-22-b0-5a-0c-51,0033,0000,0000),(8000,00-1c-73-04-36-d7,0005,0000,0000)]
  Bundled Ports: Ethernet41
switch>

show lacp counters

The show lacp counters command displays LACP traffic statistics.

Command Mode

EXEC

Command Syntax

show lacp [PORT_LIST] counters [PORT_LEVEL] [INFO_LEVEL]

Note: PORT_LEVEL and INFO_LEVEL parameters can be interchanged while running the command.

Parameters

PORT_LIST Ports for which port information is displayed. Options include:
- no parameter All configured port channels.
- c_rangePorts in specified channel list (number, number range, or list of numbers and ranges).
- interface Ports on all interfaces.
- interface ethernet e_num Port on Ethernet interface specified by e_num.
- interface port-channel p_num Port on port channel interface specified by p_num.
PORT_LEVELPorts displayed, in terms of aggregation status. Options include:
- no parameter Only ports bundled by LACP into an aggregate.
- all-ports All ports, including LACP candidates that are not bundled.
INFO_LEVEL Amount of information that is displayed. Options include:
- no parameter Displays packet transmission (TX and RX) statistics.
- brief Displays packet transmission (TX and RX) statistics.
- detailed Displays packet transmission (TX and RX) statistics and actor-partner statistics.

Example

This command displays transmission statistics for all configured port channels.

switch> show lacp counters brief

                      LACPDUs         Markers   Marker Response
Port   Status        RX         TX   RX    TX   RX    TX   Illegal
------------------------------------------------------------------
Port Channel Port-Channel1:
Et43   Bundled   396979     396959    0     0    0     0    0
Et44   Bundled   396979     396959    0     0    0     0    0
Et45   Bundled   396979     396959    0     0    0     0    0
Et46   Bundled   396979     396959    0     0    0     0    0

Port Channel Port-Channel2:
Et47   Bundled   396836     396883    0     0    0     0    0
Et48   Bundled   396838     396883    0     0    0     0    0

switch>

show lacp interface

The show lacp interface command displays port status for all port channels that include the specified interfaces. Within the displays for each listed port channel, the output displays sys-id, partner port, state, actor port, and port priority for each interface in the channel.

Command Mode

EXEC

Command Syntax

show lacp interface [INTERFACE_PORT] [PORT_LEVEL] [INFO_LEVEL]

Note: INTERFACE_PORT is listed first when present. Other parameters can be listed in any order.

Parameters

INTERFACE_PORT Interfaces for which information is displayed. Options include:
- no parameter All interfaces in channel groups.
- ethernet e_num Ethernet interface specified by e_num.
- port-channel p_num Port channel interface specified by p_num.
PORT_LEVEL Ports displayed, in terms of aggregation status. Options include:
- no parameter Command lists data for ports bundled by LACP into the aggregate.
- all-ports Command lists data for all ports, including LACP candidates that are not bundled.
INFO_LEVEL Amount of information that is displayed. Options include:
- no parameter Displays same information as brief option.
- brief Displays LACP configuration data, including sys-id, actor, priorities, and keys.
- detailed Includes brief option information plus state machine data.

Example

This command displays LACP configuration information for all ethernet interfaces.

switch> show lacp interface
State: A = Active, P = Passive; S=ShortTimeout, L=LongTimeout;
       G = Aggregable, I = Individual; s+=InSync, s-=OutOfSync;
       C = Collecting, X = state machine expired,
       D = Distributing, d = default neighbor state

             |                       Partner                         Actor
Port Status  | Sys-id                 Port# State   OperKey PortPri  Port#
----------------------------------------------------------------------------
Port Channel Port-Channel1:
Et43 Bundled | 8000,00-1c-73-09-a0-f3    43 ALGs+CD  0x0001   32768   43
Et44 Bundled | 8000,00-1c-73-09-a0-f3    44 ALGs+CD  0x0001   32768   44
Et45 Bundled | 8000,00-1c-73-09-a0-f3    45 ALGs+CD  0x0001   32768   45
Et46 Bundled | 8000,00-1c-73-09-a0-f3    46 ALGs+CD  0x0001   32768   46
Port Channel Port-Channel2:
Et47 Bundled | 8000,00-1c-73-01-02-1e    23 ALGs+CD  0x0002   32768   47
Et48 Bundled | 8000,00-1c-73-01-02-1e    24 ALGs+CD  0x0002   32768   48

             |                 Actor
Port Status  |   State         OperKey    PortPriority
-------------------------------------------------------
Port Channel Port-Channel1:
Et43 Bundled |   ALGs+CD        0x0001           32768
Et44 Bundled |   ALGs+CD        0x0001           32768
Et45 Bundled |   ALGs+CD        0x0001           32768
Et46 Bundled |   ALGs+CD        0x0001           32768
Port Channel Port-Channel2:
Et47 Bundled |   ALGs+CD        0x0002           32768
Et48 Bundled |   ALGs+CD        0x0002           32768

switch>

show lacp internal

The show lacp internal command displays the local LACP state for all specified channels. Local state data includes the state machines and LACP protocol information.

Command Mode

EXEC

Command Syntax

show lacp [PORT_LIST] internal [PORT_LEVEL] [INFO_LEVEL]

Parameters

PORT_LIST Interface for which port information is displayed. Options include:
- no parameter All configured port channels.
- c_rangePorts in specified channel list (number, number range, or list of numbers and ranges).
- interface Ports on all interfaces.
- interface ethernet e_num Ethernet interface specified by e_num.
- interface port-channel p_num Port channel interface specified by p_num.
PORT_LEVEL Ports displayed, in terms of aggregation status. Options include:
- no parameter Command lists data for ports bundled by LACP into an aggregate.
- all-ports Command lists data for all ports, including LACP candidates that are not bundled.
INFO_LEVELAmount of information that is displayed. Options include:
- no parameter Displays same information as brief option.
- brief Displays LACP configuration data, including sys-id, actor, priorities, and keys.
- detailed Includes brief option information plus state machine data.
Note: PORT_LEVEL and INFO_LEVEL parameters can be placed in any order.

Example

This command displays internal data for all configured port channels.

switch> show lacp internal

LACP System-identifier: 8000,00-1c-73-04-36-d7
State: A = Active, P = Passive; S=ShortTimeout, L=LongTimeout;
       G = Aggregable, I = Individual; s+=InSync, s-=OutOfSync;
       C = Collecting, X = state machine expired,
       D = Distributing, d = default neighbor state
             |Partner                                 Actor
Port Status  | Sys-id                 Port#  State    OperKey  PortPriority
----------------------------------------------------------------------------
Port Channel Port-Channel1:
Et43 Bundled | 8000,00-1c-73-09-a0-f3    43  ALGs+CD   0x0001   32768
Et44 Bundled | 8000,00-1c-73-09-a0-f3    44  ALGs+CD   0x0001   32768
Et45 Bundled | 8000,00-1c-73-09-a0-f3    45  ALGs+CD   0x0001   32768
Et46 Bundled | 8000,00-1c-73-09-a0-f3    46  ALGs+CD   0x0001   32768

show lacp peer

The show lacp peer command displays the LACP protocol state of the remote neighbor for all specified port channels.

Command Mode

EXEC

Command Syntax

show lacp [PORT_LIST] peer [PORT_LEVEL] [INFO_LEVEL]

Note: PORT_LEVEL and INFO_LEVEL parameters can be placed in any order.

Parameters

PORT_LISTInterface for which port information is displayed. Options include:
- no parameter Displays information for all configured port channels.
- c_range Ports in specified channel list (number, number range, or list of numbers and ranges).
- interface Ports on all interfaces.
- interface ethernet e_num Ethernet interface specified by e_num.
- interface port-channel p_num Port channel interface specified by p_num.
PORT_LEVEL Ports displayed, in terms of aggregation status. Options include:
- no parameter Command lists data for ports bundled by LACP into an aggregate.
- all-ports Command lists data for all ports, including LACP candidates that are not bundled.
INFO_LEVEL Amount of information that is displayed. Options include:
- no parameter Displays same information as brief option.
- brief Displays LACP configuration data, including sys-id, actor, priorities, and keys.
- detailed Includes brief option information plus state machine data.

Example

This command displays the LACP protocol state of the remote neighbor for all port channels.

switch> show lacp peer
 
State: A = Active, P = Passive; S=ShortTimeout, L=LongTimeout;
       G = Aggregable, I = Individual; s+=InSync, s-=OutOfSync;
       C = Collecting, X = state machine expired,
       D = Distributing, d = default neighbor state
               |                          Partner
Port   Status  | Sys-id                  Port#   State     OperKey  PortPri
----------------------------------------------------------------------------
Port Channel Port-Channel1:
Et1    Bundled | 8000,00-1c-73-00-13-19      1   ALGs+CD    0x0001    32768
Et2    Bundled | 8000,00-1c-73-00-13-19      2   ALGs+CD    0x0001    32768
Port Channel Port-Channel2:
Et23   Bundled | 8000,00-1c-73-04-36-d7     47   ALGs+CD    0x0002    32768
Et24   Bundled | 8000,00-1c-73-04-36-d7     48   ALGs+CD    0x0002    32768
Port Channel Port-Channel4*:
Et3    Bundled | 8000,00-1c-73-0b-a8-0e     45   ALGs+CD    0x0001    32768
Et4    Bundled | 8000,00-1c-73-0b-a8-0e     46   ALGs+CD    0x0001    32768
Port Channel Port-Channel5*:
Et19   Bundled | 8000,00-1c-73-0c-30-09     49   ALGs+CD    0x0005    32768
Et20   Bundled | 8000,00-1c-73-0c-30-09     50   ALGs+CD    0x0005    32768
Port Channel Port-Channel6*:
Et6    Bundled | 8000,00-1c-73-01-07-b9     49   ALGs+CD    0x0001    32768
Port Channel Port-Channel7*:
Et5    Bundled | 8000,00-1c-73-0f-6b-22     51   ALGs+CD    0x0001    32768
Port Channel Port-Channel8*:
Et10   Bundled | 8000,00-1c-73-10-40-fa     51   ALGs+CD    0x0001    32768

* - Only local interfaces for MLAGs are displayed. Connect to the peer to
    see the state for peer interfaces.
switch>

show lacp sys-id

The show lacp sys-id command displays the System Identifier the switch uses when negotiating remote LACP implementations.

Command Mode

EXEC

Command Syntax

show lacp sys-id [INFO_LEVEL]

Parameters

INFO_LEVEL Amount of information that is displayed. Options include:

no parameter Displays system identifier.
brief Displays system identifier.
detailed Displays system identifier and system priority, including the MAC address.

Examples

This command displays the system identifier.

switch> show lacp sys-id brief
8000,00-1c-73-04-36-d7

This command displays the system identifier and system priority.

switch> show lacp sys-id detailed
System Identifier used by LACP:
System priority: 32768  Switch MAC Address: 00:1c:73:04:36:d7
  802.11.43 representation: 8000,00-1c-73-04-36-d7

show load-balance profile

The show load-balance profile command displays the contents of the specified load balance profiles. Load balance profiles specify parameters used by hashing algorithms that distribute traffic across ports comprising a port channel or among component ECMP routes.

Command Mode

EXEC

Command Syntax

show load-balance profile [PROFILES]

Parameters

PROFILES Load balance profiles for which command displays contents. Options include:

no parameter Displays all load balance profiles.
profile_name Displays specified profile.

Related Commands

load-balance policies places the switch in load-balance-policies configuration mode.
ingress load-balance profile applies a load-balance profile to an Ethernet or port channel interface.

Example

This command displays the contents of the LB-1 load balance profile.

switch> show load-balance profile LB-1

---------- LB-1 ----------

Source MAC address hashing               ON
Destination MAC address hashing          ON
Ethernet type hashing                    ON
VLAN ID hashing                          ON
IP protocol field hashing                ON
DSCP field hashing is                    ON
Symmetric hashing for non-IP packets     OFF
Symmetric hashing for IP packets         OFF
Random distribution for port-channel     ON
Random distribution for ecmp             ON

Profile LB-1 is applied on the following
    Port-Channel100

---------- myGlobalProfile (global) ----------
L3 hashing is ON
Symmetric hashing is OFF
Hashing mode is flow-based
Hash polynomial is 3
Hash seed is 0
Profile myGlobalProfile (global) is applied on the following
Linecard3
Linecard4
Linecard5
Linecard6

switch>

show port-channel

The show port-channel command displays information about members the specified port channels.

Command Mode

EXEC

Command Syntax

show port-channel [MEMBERS] [PORT_LIST] [INFO_LEVEL]

Parameters

MEMBERSList of port channels for which information is displayed. Options include:
- no parameterAll configured port channels.
- p_rangePorts in specified channel list (number, number range, or list of numbers and ranges).
PORT_LEVELPorts displayed, in terms of aggregation status. Options include:
- no parameterDisplays information on ports that are active members of the LAG.
- active-portsDisplays information on ports that are active members of the LAG.
- all-ports Displays information on all ports (active or inactive) configured for LAG.
INFO_LEVELAmount of information that is displayed. Options include:
- no parameterDisplays information at the brief level.
- briefDisplays information at the brief level.
- detailedDisplays information at the detail level.

Display Values

Port Channel Type and name of the port channel.
Time became active Time when the port channel came up.
Protocol Protocol operating on the port channel.
Mode Status of the Ethernet interface on the port. The status value is Active or Inactive.
No active ports Number of active ports on the port channel.
Configured but inactive ports Ports configured but that are not actively up.
Reason unconfigured Reason why the port is not part of the LAG.

Guidelines

You can configure a port channel to contain many ports, but only a subset may be active at a time. All active ports in a port channel must be compatible. Compatibility includes many factors and is platform specific. For example, compatibility may require identical operating parameters such as speed and Maximum Transmission Unit (MTU). Compatibility may only be possible between specific ports because of the internal organization of the switch.

Examples

This command displays output from the show port-channel command.

switch> show port-channel 3
Port Channel Port-Channel3: 
  Active Ports: 
       Port                Time became active       Protocol    Mode    
    ----------------------------------------------------------------------- 
       Ethernet3           15:33:41                 LACP        Active 
       PeerEthernet3       15:33:41                 LACP        Active

This command displays output from the show port-channel active-ports command.

switch> show port-channel active-ports
Port Channel Port-Channel3:
  No Active Ports
Port Channel Port-Channel11:
  No Active Ports
switch>

This command displays output from the show port-channel all-ports command.

switch> show port-channel all-ports
Port Channel Port-Channel3:
  No Active Ports
  Configured, but inactive ports:
      Port            Time became inactive    Reason unconfigured
    ----------------------------------------------------------------------------
      Ethernet3       Always                  not compatible with aggregate

Port Channel Port-Channel11:
  No Active Ports
  Configured, but inactive ports:
      Port            Time became inactive    Reason unconfigured
    ----------------------------------------------------------------------------
      Ethernet25      Always                  not compatible with aggregate
      Ethernet26      Always                  not compatible with aggregate

This command displays details about the port-channel configuration:
```
switch#show port-channel 50 detailed 
Port Channel Port-Channel50 (Fallback State: Unconfigured): 
Minimum links: unconfigured Minimum speed: unconfigured 
Current weight/Max weight: 1/16 

Active Ports: 
Port                  Time Became Active        Protocol       Mode         Weight      State
-------------------- ------------------------ -------------- ------------ ------------ ------
Ethernet51            Wed 15:19:30              LACP           Active       1           Rx,Tx 
PeerEthernet52        Wed 15:19:28              LACP           Active       0           Unknown
```
This output displays the following information:
- Port - the Active ports on an interface.
- Time Became Active - The time when a port came up on the network.
- Protocol - the network protocol associated with the port.
- Mode - the current mode of the port as Active or Inactive.
- Weight -The member port weight is directly proportional to other members speeds and determines the number of packets sent over the member port when it bcomes active. For same speed port-channels, all members have a weight ofone (1).
- State - the state of the port as receiving (Rx) traffic, transmitting (Tx) traffic, or Unknown.

show port-channel dense

The show port-channel dense command displays the port-channels on the switch and lists their component interfaces, LACP status, and set flags.

Command Mode

EXEC

Command Syntax

show port-channel dense

Example

This command displays show port-channel dense output:

switch> show port-channel dense

    Flags
---------------------------------------------------------------------
a - LACP Active        p - LACP Passive
U - In Use             D - Down
+ - In-Sync            - - Out-of-Sync      i - incompatible with agg
P - bundled in Po      s - suspended        G - Aggregable
I - Individual         S - ShortTimeout     w - wait for agg

Number of channels in use: 2
Number of aggregators:2

   Port-Channel       Protocol    Ports
-------------------------------------------------------
   Po1(U)             LACP(a)      Et47(PG+) Et48(PG+)
   Po2(U)             LACP(a)      Et39(PG+) Et40(PG+)

show port-channel limits

The show port-channel limits command displays groups of ports that are compatible and may be joined into port channels. Each group of compatible ports is called a LAG group. For each LAG group, the command also displays Max interfaces and Max ports per interface.

Max interfaces defines the maximum number of active port channels that may be formed out of these ports.
Max ports per interface defines the maximum number of active ports allowed in a port channel from the compatibility group.

All active ports in a port channel must be compatible. Compatibility comprises many factors and is specific to a given platform. For example, compatibility may require identical operating parameters such as speed and/or ZMaximum Transmission Unit (MTU). Compatibility may only be possible between specific ports because of internal organization of the switch.

Command Mode

EXEC

Command Syntax

show port-channel limits

Example

This command displays show port-channel list output:

switch> show port-channel limits

LAG Group: focalpoint
--------------------------------------------------------------------------
  Max port-channels per group: 24, Max ports per port-channel: 16
  24 compatible ports: Ethernet1  Ethernet2  Ethernet3  Ethernet4
                       Ethernet5  Ethernet6  Ethernet7  Ethernet8
                       Ethernet9  Ethernet10 Ethernet11 Ethernet12
                       Ethernet13 Ethernet14 Ethernet15 Ethernet16
                       Ethernet17 Ethernet18 Ethernet19 Ethernet20
                       Ethernet21 Ethernet22 Ethernet23 Ethernet24
--------------------------------------------------------------------------

show port-channel load-balance fields

The show port-channel load-balance fields command displays the fields that the hashing algorithm uses to distribute traffic across the interfaces that comprise the port channels.

Command Mode

EXEC

Command Syntax

show port-channel load-balance HARDWARE fields

Parameters

HARDWARE ASIC switching device. Selection options depend on the switch model and include:

arad
fm6000
petraA
trident

Example

This command displays the hashing fields used for balancing port channel traffic.

switch> show port-channel load-balance fm6000 fields

Source MAC address hashing for non-IP packets is ON
Destination MAC address hashing for non-IP packets is ON
Ethernet type hashing for non-IP packets is ON
VLAN ID hashing for non-IP packets is ON
VLAN priority hashing for non-IP packets is ON
Source MAC address hashing for IP packets is ON
Destination MAC address hashing for IP packets is ON
Ethernet type hashing for IP packets is ON
VLAN ID hashing for IP packets is ON
VLAN priority hashing for IP packets is ON
IP source address hashing is ON
IP destination address hashing is ON
IP protocol field hashing is ON
TCP/UDP source port hashing is ON
TCP/UDP destination port hashing is ON

switch>

show port-channel load-balance

The show port-channel load-balance command displays the traffic distribution between the member ports of the specified port channels. The command displays distribution for unicast, multicast, and broadcast streams.

The distribution values displayed are based on the total interface counters which start from 0 at boot time or when the counters are cleared. For more current traffic distribution values, clear the interface counters of the member interfaces using the clear counters command.

Command Mode

EXEC

Command Syntax

show port-channel load-balance [MEMBERS]

Parameters

MEMBERS list of port channels for which information is displayed. Options include:

no parameter all configured port channels.
c_range ports in specified channel list (number, number range, or list of numbers and ranges).

Example

This command displays traffic distribution for all configured port channels.

switch> show port-channel load-balance
ChanId      Port Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ --------- ------- ------- ------- ------- ------- -------
     8      Et10 100.00% 100.00% 100.00% 100.00%   0.00% 100.00%
------ --------- ------- ------- ------- ------- ------- -------
     1       Et1  13.97%  42.37%  47.71%  30.94%   0.43%  99.84%
     1       Et2  86.03%  57.63%  52.29%  69.06%  99.57%   0.16%
------ --------- ------- ------- ------- ------- ------- -------
     2      Et23  48.27%  50.71%  26.79%  73.22%   0.00% 100.00%
     2      Et24  51.73%  49.29%  73.21%  26.78%   0.00%   0.00%
------ --------- ------- ------- ------- ------- ------- -------
     4       Et3  55.97%  63.29%  51.32%  73.49%   0.00%   0.00%
     4       Et4  44.03%  36.71%  48.68%  26.51%   0.00%   0.00%
------ --------- ------- ------- ------- ------- ------- -------
     5      Et19  39.64%  37.71%  50.00%  90.71%   0.00%   0.00%
     5      Et20  60.36%  62.29%  50.00%   9.29%   0.00% 100.00%
------ --------- ------- ------- ------- ------- ------- -------
     6       Et6 100.00% 100.00% 100.00% 100.00%   0.00% 100.00%
------ --------- ------- ------- ------- ------- ------- -------
     7       Et5 100.00%   0.00% 100.00% 100.00%   0.00%   0.00%
switch>

Configuring and Viewing Environment Settings

This section contain the following topics:

Overriding Automatic Shutdown
Viewing Environment Status
Locating Components on the Switch

Overriding Automatic Shutdown

This section contains the following topics:

Overheating
Insufficient Fans
Fan Speed

Overheating

The switch can be configured to continue operating during temperature shutdown conditions. Ignoring a temperature shutdown condition is strongly discouraged because operating at high temperatures can damage the switch and void the warranty.

Temperature shutdown condition actions are specified by the environment overheat action command. The switch displays this warning when configured to ignore shutdown temperature conditions.

Switch(config)# environment overheat action ignore
====================================================================
WARNING: Overriding the system shutdown behavior when the system
is overheating is unsupported and should only be done under
the direction of an Arista Networks engineer. You risk damaging
hardware by not shutting down the system in this situation, and doing
so without direction from Arista Networks can be grounds for voiding
your warranty. To re-enable the shutdown-on-overheat behavior, use
the 'environment overheat action shutdown' command.
====================================================================
Switch(config)#

The running-config contains the environment overheat action command when it is set to ignore. When the command is not in running-config, the switch shuts down when an overheating condition exists.

The following running-config file lists the environment overheat action command.

switch# show running-config
! Command: show running-config
! device: switch (DCS-7150S-64-CL, EOS-4.13.2F)


ip route 0.0.0.0/0 10.255.255.1
!
environment overheat action ignore
!
!
end
switch#

Insufficient Fans

The switch can be configured to ignore the insufficient fan shutdown condition. This is strongly discouraged because continued operation without sufficient cooling may lead to a critical temperature condition that can damage the switch and void the warranty.

Insufficient-fans shutdown override is configured by the environment insufficient-fans action command. The switch displays this warning when configured to ignore insufficient-fan conditions.

switch(config)# environment insufficient-fans action ignore
====================================================================
WARNING: Overriding the system shutdown behavior when the system
has insufficient fans inserted is unsupported and should only be done 
under
the direction of an Arista Networks engineer. You risk damaging
hardware by not shutting down the system in this situation, and doing
so without direction from Arista Networks can be grounds for voiding
your warranty. To re-enable the shutdown-on-overheat behavior, use
the 'environment insufficient-fans action shutdown' command.
====================================================================
switch(config)#

The running-config contains the environment insufficient-fans action command when it is set to ignore. When running-config does not contain this command, the switch shuts down when it detects an insufficient-fans condition.

Fan Speed

The switch can be configured to override the automatic fan speed. The switch normally controls the fan speed to maintain optimal operating temperatures. The fans can be configured to operate at a constant speed regardless of the switch temperature conditions.

Fan speed override is configured by the environment fan-speed command. The switch displays this warning when its control of fan speed is overridden.

switch(config)# environment fan-speed override 50
====================================================================
WARNING: Overriding the system fan speed is unsupported and should only
be done under the direction of an Arista Networks engineer.
You can risk damaging hardware by setting the fan speed too low
and doing so without direction from Arista Networks can be grounds
for voiding your warranty.
To set the fan speed back to automatic mode, use the
'environment fan-speed auto' command
====================================================================
switch(config)#

The running-config contains the environment fan-speed override command if it is set to override. When running-config does not contain this command, the switch controls the fan speed.

Viewing Environment Status

This section contains the following topics:

Power Status
Temperature Status
Fan Status
System Status

Power Status

The show environment power command displays the status of the power supplies.

Example

This command displays the status of the power supplies.

switch> show environment power
Power Input Output Output
Supply  Model         Capacity  Current  Current  Power    Status
------- ------------- --------- -------- -------- -------- -------
1       PWR-650AC      650W      0.44A    10.50A  124.0W   Ok
Switch>

Temperature Status

To display internal temperature sensor status, enter show environment temperature.

switch> show environment temperature
System temperature status is: Ok
                                               Alert      Critical
Sensor  Description               Temperature  Threshold  Threshold
------- ------------------------- ------------ ---------- ----------
1       Front-panel temp sensor   22.000C       65C        75C
2       Fan controller 1 sensor   23.000C       75C        85C
3       Fan controller 2 sensor   28.000C       75C        85C
4       Switch chip 1 sensor      40.000C       105C       115C
5       VRM 1 temp sensor         48.000C       105C       110C
switch>

System temperature status is the first line that the command displays. System temperature status values indicate the following:

Ok: All sensors report temperatures below the alert threshold.
Overheating: At least one sensor reports a temperature above its alert threshold.
Critical: At least one sensor reports a temperature above its critical threshold.
Unknown: The switch is initializing.
Sensor Failed: At least one sensor is not functioning.

Fan Status

The show system environment cooling command displays the cooling and fan status.

Example

This command displays the fan and cooling status:

switch> show system environment cooling
System cooling status is: Ok
Ambient temperature: 22C
Airflow: port-side-intake
Fan Tray  Status          Speed
--------- --------------- ------
1 Ok 35%
2 Ok 35%
3 Ok 35%
4 Ok 35%
5 Ok 35%
switch>

System Status

The show system environment all command lists the temperature, cooling, fan, and power supply information that the individual show environment commands display, as described in Temperature Status, Fans, and Power.

Example

This command displays the temperature, cooling, fan, and power supply status:

switch> show system environment all
System temperature status is: Ok
                                               Alert      Critical
Sensor  Description              Temperature   Threshold  Threshold
------- ------------------------ ------------- ---------- ----------
1       Front-panel temp sensor   22.750C       65C        75C
2       Fan controller 1 sensor   24.000C       75C        85C
3       Fan controller 2 sensor   29.000C       75C        85C
4       Switch chip 1 sensor      41.000C       105C       115C
5       VRM 1 temp sensor         49.000C       105C       110C

System cooling status is: Ok
Ambient temperature: 22C
Airflow: port-side-intake
Fan Tray  Status           Speed
--------- --------------- ------
1         Ok                 35%
2         Ok                 35%
3         Ok                 35%
4         Ok                 35%
5         Ok                 35%

Power                         Input    Output   Output
Supply  Model       Capacity  Current  Current  Power    Status
------- ----------- --------- -------- -------- -------- -------
1       PWR-650AC   650W       0.44A   10.50A   124.0W   Ok

Locating Components on the Switch

When a component requires service, the switch administrator may use the locator-led command to assist a technician in finding the component. The command causes the status LED on the specified component to flash, and also displays a “service requested” message on the LCD panel of modular switches or lights the blue locator light on the front of fixed switches. Use the show locator-led command to display all locator LEDs currently enabled on the switch.

This command enables the locator LED on fan tray 3:

switch# locator-led fantray 3
Enabling locator led for FanTray3
switch#

This command displays all locator LEDs enabled on the switch:

switch# show locator-led
There are no locator LED enabled
switch#

Environment Commands

Environment Control Configuration Commands

environment fan-speed
environment insufficient-fans action
environment overheat action
locator-led

Environment Display Commands

show environment power
show environment temperature
show locator-led
show system environment all
show system environment cooling
show system environment power budget

environment fan-speed

The environment fan-speed command determines the method of controlling the speed of the switch fans. The switch automatically controls the fan speed by default.

The switch normally controls the fan speed to maintain optimal operating temperatures. The fans can be configured to operate at a constant speed regardless of the switch temperature conditions.

The no environment fan-speed and default environment fan-speed commands restore the default action of automatic fan-speed control by removing the environment fan-speed override statement from running-config.

Note: Overriding the system fan speed is unsupported and should only be done under the direction of an Arista Networks engineer. You can risk damaging hardware by setting the fan speed too low. Doing so without direction from Arista Networks can be grounds for voiding your warranty.

Command Mode

Global Configuration

Command Syntax

environment fan-speed ACTION

no environment fan-speed

default environment fan-speed

Parameters

ACTION Fan speed control method. Valid settings include:

auto Fan speed is controlled by the switch.
This option restores the default setting by removing the environment fan-speed override command from running-config
override percent Fan speed is set to the specified percentage of the maximum. Valid percent settings range from 30 to 100.

Examples

This command overrides the automatic fan speed control and configures the fans to operate at 50% of maximum speed.

switch(config)# environment fan-speed override 50
====================================================================
WARNING: Overriding the system fan speed is unsupported and should 
only be done under the direction of an Arista Networks engineer.
You can risk damaging hardware by setting the fan speed too low
and doing so without direction from Arista Networks can be grounds
for voiding your warranty.
To set the fan speed back to automatic mode, use the
'environment fan-speed auto' command
====================================================================
switch(config)#

This command restores control of the fan speed to the switch.
```
switch(config)# environment fan-speed auto
switch(config)#
```

environment insufficient-fans action

The environment insufficient-fans command controls the switch response to the insufficient fan condition. By default, the switch initiates a shutdown procedure when it senses insufficient fans.

The switch operates normally when one fan is not operating. Non-functioning modules should not be removed from the switch unless they are immediately replaced; adequate switch cooling requires the installation of all components, including a non-functional fan.

Two non-operational fans trigger an insufficient fan shutdown condition. This condition normally initiates a power down procedure.

The no environment insufficient-fans and default environment insufficient-fans commands restore the default shutdown response to the insufficient-fans condition by removing the environment insufficient-fans action ignore statement from running-config.

Note: Overriding the system shutdown behavior when the system has insufficient fans inserted is unsupported and should only be done under the direction of an Arista Networks engineer. You risk damaging hardware by not shutting down the system in this situation, and doing so without direction from Arista Networks can be grounds for voiding your warranty.

Command Mode

Global Configuration

Command Syntax

environment insufficient-fans action REMEDY

no environment insufficient-fans action

default environment insufficient-fans action

Parameters

REMEDY Configures action when switch senses an insufficient fan condition. Settings include:

ignore Switch continues operating when insufficient fans are operating.
shutdown Switch shuts power down when insufficient fans are operating.
The shutdown parameter restores default behavior by removing the environment insufficient-fans command from running-config.

Examples

This command configures the switch to continue operating after it senses insufficient fan condition.

switch(config)# environment insufficient-fans action ignore
====================================================================
WARNING: Overriding the system shutdown behavior when the system
has insufficient fans inserted is unsupported and should only be done 
under the direction of an Arista Networks engineer. You risk damaging
hardware by not shutting down the system in this situation, and doing
so without direction from Arista Networks can be grounds for voiding
your warranty. To re-enable the shutdown-on-overheat behavior, use
the 'environment insufficient-fans action shutdown' command.
====================================================================

This command configures the switch to shut down when it senses an insufficient fan condition.
```
switch(config)# environment insufficient-fans action shutdown
switch(config)#
```

environment overheat action

The environment overheat command controls the switch response to an overheat condition. By default, the switch shuts down when it senses an overheat condition.

Note: Overriding the system shutdown behavior when the system is overheating is unsupported and should only be done under the direction of an Arista Networks engineer. You risk damaging hardware by not shutting down the system in this situation, and doing so without direction from Arista Networks can be grounds for voiding your warranty.

Arista switches include internal temperature sensors. The number and location of the sensors vary with each switch model. Each sensor is assigned temperature thresholds that denote alert and critical conditions. Temperatures that exceed the threshold trigger the following:

Alert Threshold: All fans run at maximum speed and a warning message is logged.
Critical Threshold: The component is shut down immediately and its Status LED flashes orange.

In modular systems, cards are shut down when their temperatures exceed the critical threshold. The switch normally shuts down if the temperature remains above the critical threshold for three minutes.

The no environment overheat action and default environment overheat action commands restore the default shutdown response to the environment overheat condition by removing the environment overheat action ignore statement from running-config.

Command Mode

Global Configuration

Command Syntax

environment overheat action REMEDY

no environment overheat action

default environment overheat action

Parameters

REMEDY Reaction to an overheat condition. Default value is shutdown.

shutdown Switch shuts power down by an overheat condition.
ignore Switch continues operating during an overheat condition.

Examples

This command configures the switch to continue operating after it senses an overheat condition.

switch(config)# environment overheat action ignore
====================================================================
WARNING: Overriding the system shutdown behavior when the system
is overheating is unsupported and should only be done under
the direction of an Arista Networks engineer. You risk damaging
hardware by not shutting down the system in this situation, and doing
so without direction from Arista Networks can be grounds for voiding
your warranty. To re-enable the shutdown-on-overheat behavior, use
the 'environment overheat action shutdown' command.
====================================================================
switch(config)#

This command configures the switch to shut down when it senses an overheat condition.
```
switch(config)# environment overheat action shutdown
switch(config)#
```

locator-led

When a component requires service, the locator-led command activates a locator to assist a technician in finding the component. The command causes the status LED on the specified component to flash, and also displays a “service requested” message on the LCD panel of modular switches or lights the blue locator light on the front of fixed switches. The available locators vary by platform; to see a list of the locator LEDs available on the switch, use the locator-led ? command. To disable the locator LED, use the no locator-led command.

Command Mode

Privileged EXEC

Command Syntax

locator-led {fantray tray_num | interface interface | module module_num | powersupply supply_num}

no locator-led {fantray tray_num | interface interface | module module_num | powersupply supply_num}

Parameters

fantray tray_num Activates locator on specified fan tray.
interface interface Activates locator on specified interface.
module module_num Activates locator on specified module.
powersupply supply_num Activates locator on specified power supply.

Examples:

This command enables the locator LED on fantray 3.

switch# locator-led fantray 3
Enabling locator led for FanTray3
switch#

This command disables the locator LED on fantray 3.

switch# no locator-led fantray 3
Disabling locator led for FanTray3
switch#

This command displays the locator LEDs available on the switch.

switch# locator-led ?
  fantray      Fan tray LED
  interface    Interface LED
  module       Module LED
  powersupply  Power supply LED
switch#

show environment power

The show environment power command displays the status of all power supplies in the switch.

Command Mode

EXEC

Command Syntax

show environment power [INFO_LEVEL]

Parameters

INFO_LEVEL Specifies level of detail that the command displays. Options include:

no parameter Displays current and power levels for each supply.
detail Also includes status codes that can report error conditions.

Example

This command displays the status of power supplies on the switch.

switch>show environment power
Power                        Input    Output   Output
Supply  Model      Capacity  Current  Current  Power    Status
------- ---------- --------- -------- -------- -------- -------
1       PWR-760AC  760W       0.81A    11.00A   132.8W   Ok
2       PWR-760AC  760W       0.00A    0.00A    0.0W AC  Loss
switch>

show environment temperature

The show environment temperature command displays the operating temperature of all sensors on the switch.

Command Mode

EXEC

Command Syntax

show environment temperature [MODULE_NAME] [INFO_LEVEL]

Parameters

MODULE_NAME Specifies modules for which data is displayed. This parameter is only available on modular switches. Options include:
- no parameter All modules (identical to all option).
- fabric fab_num Specified fabric module. Number range varies with switch model.
- linecard line_num Line card module. Number range varies with switch model.
- supervisor super_num Supervisor module. Number range varies with switch model.
- mod_num Supervisor (1 to 2) or line card (3 to 18) module.
- all All modules.
INFO_LEVEL Specifies level of detail that the command displays. Options include:
- no parameter Displays table that lists the temperature and thresholds of each sensor.
- detail Displays data block for each sensor listing the current temperature and historic data.

Display Values

System temperature status is the first line that the command displays. Values report the following:

Ok All sensors report temperatures below the alert threshold.
Overheating At least one sensor reports a temperature above its alert threshold.
Critical At least one sensor reports a temperature above its critical threshold.
Unknown The switch is initializing.
Sensor Failed At least one sensor is not functioning.

Examples

This command displays a table that lists the temperature measured by each sensor.

switch> show environment temperature
System temperature status is: Ok
                                              Alert      Critical
Sensor  Description              Temperature  Threshold  Threshold
------- ------------------------ ------------ ---------- ----------
1       Front-panel temp sensor   30.750C       65C        75C
2       Fan controller 1 sensor   32.000C       75C        85C
3       Fan controller 2 sensor   38.000C       75C        85C
4       Switch chip 1 sensor      50.000C       105C       115C
5       VRM 1 temp sensor         60.000C       105C       110C
switch>

This command lists the temperature detected by each sensor, and includes the number of previous alerts, the time of the last alert, and the time of the last temperature change.

switch> show environment temperature detail
TempSensor1 - Front-panel temp sensor
                       Current State   Count    Last Change
  Temperature          30.750C
  Max Temperature      35.000C                  4 days, 23:35:24 ago
  Alert                 False           0        never

TempSensor2 - Fan controller 1 sensor
                       Current State    Count    Last Change
  Temperature           32.000C
  Max Temperature       36.000C                  4 days, 23:32:46 ago
  Alert                  False           0        never

TempSensor3 - Fan controller 2 sensor
                        Current State    Count     Last Change
  Temperature            38.000C
  Max Temperature        41.000C                   4 days, 23:37:56 ago
  Alert                  False            0        never

TempSensor4 - Switch chip 1 sensor
                         Current State    Count    Last Change
  Temperature            51.000C
  Max Temperature        53.000C                    4 days, 23:35:16 ago
  Alert                  False              0       never

TempSensor5 - VRM 1 temp sensor
                          Current State     Count    Last Change
  Temperature             60.000C
  Max Temperature         62.000C                    4 days, 22:54:51 ago
  Alert                   False             0        never

switch>

show locator-led

The show locator-led command displays the status of locator LEDs enabled on the switch.

Command Mode

Privileged EXEC

Command Syntax

show locator-led

Example

This command displays all locator LEDs enabled on the switch.

switch# show locator-led
There are no locator LED enabled
switch#

show system environment all

The show system environment all command displays temperature, cooling, and power supply status.

Command Mode

EXEC

Command Syntax

show system environment all

Example

This command displays the switch’s temperature, cooling, and power supply status

switch> show system environment all
System temperature status is: Ok
                                              Alert      Critical
Sensor  Description              Temperature  Threshold  Threshold
------- ------------------------ ------------- ---------- ----------
1       Front-panel temp sensor   31.000C       65C        75C
2       Fan controller 1 sensor   32.000C       75C        85C
3       Fan controller 2 sensor   38.000C       75C        85C
4       Switch chip 1 sensor      50.000C       105C       115C
5       VRM 1 temp sensor         60.000C       105C       110C

System cooling status is: Ok
Ambient temperature: 31C
Airflow: port-side-intake
Fan Tray  Status           Speed
--------- --------------- ------
1         Ok                 52%
2         Ok                 52%
3         Ok                 52%
4         Ok                 52%
5         Ok                 52%

Power                         Input    Output   Output
Supply  Model       Capacity  Current  Current  Power    Status
------- ----------- --------- -------- -------- -------- -------
1       PWR-760AC    760W     0.81A    11.00A    132.6W  Ok
2       PWR-760AC    760W     0.00A     0.00A      0.0W  AC Loss

switch>

show system environment cooling

The show system environment cooling command displays fan status, air flow direction, and ambient temperature on the switch.

Command Mode

EXEC

Command Syntax

show system environment cooling [INFO_LEVEL]

Parameters

INFO_LEVEL Specifies level of detail that the command displays. Options include:
- no parameter Displays the fan status, air flow direction, and ambient switch temperature.
- detail Also displays actual and configured fan speed of each fan.

Status

System Cooling Status
- Ok No more than one fan has failed or is not inserted.
- Insufficient fans More than one fan has failed or is not inserted. This status is also displayed if fans with different airflow directions are installed. The switch shuts down if the error is not resolved.
- Ambient temperature Temperature of the surrounding area.
- Airflow Indicates the direction of the installed fans:
  - port-side-intake All fans flow air from the front (port side) to the rear of the chassis.
  - port-side-exhaust All fans flow air from the rear to the front (port side) of the chassis.
  - incompatible fans Fans with different airflow directions are inserted.
  - Unknown The switch is initializing.
Fan Tray Status table Displays the status and operating speed of each fan. Status values indicate the following conditions:
- OK The fan is operating normally.
- Failed The fan is not operating normally.
- Unknown The system is initializing.
- Not Inserted The system is unable to detect the specified fan.
- Unsupported The system detects a fan that the current software version does not support.

Example

This command displays the fan status, air flow direction, and ambient switch temperature.

switch> show system environment cooling
System cooling status is: Ok
Ambient temperature: 30C
Airflow: port-side-intake
Fan Tray  Status           Speed
--------- --------------- ------
1         Ok                 51%
2         Ok                 51%
3         Ok                 51%
4         Ok                 51%
5         Ok                 51%
switch>

show system environment power budget

The show system environment power budget command displays the configured power budget for PoE switches and a table to show the current consumption.

Command Mode

EXEC

Command Syntax

show system environment power budget

This command displays the configured power budget for a PoE switch and a table to show the current consumption

switch>show system environment power budget
Budget is 300.0W out of 1425.2W of total power
Active devices using up to 60.0W

Device                  Consumed               
Name                    Power                  
----------------------- -----------------------
Ethernet37              30.0W                  
Ethernet38              30.0W                  
Total                   60.0W 

switch>

Page 9 of 15

End of Support

EOS 4.32.2F User Manual - IP Address Locking Configuration

IP Address Locking Configuration

IP Address Locking Overview

Release Updates

Preparing a Switch for IP Address Locking

Enabling a DHCP Server for IPv4 Address Locking

Adding a Local Layer 3 Interface

Clearing Leases

Configuring IP Locking Static Leases

Configuring Locked Address Expiration

Displaying IP Address Locking Counters

Enabling IP Address Locking

Enabling IP Address Locking

Enabling IPv6 Address Locking

Disabling IP Address Locking

Enabling IP Address Locking on Ports

Enabling IP Address Locking on All Ports of a VLAN

Blocking IPv4 and ARP Packets

IPv6 Locking

Configuring IPv6 Address Locking

Enforcing Locked IP Addresses

Displaying IP Address Locking

Limitations

IP Address Locking Commands

address locking

address locking deny

address locking dhcp

address locking lease

address locking lease query

address locking local-interface

clear address locking lease

lease mac

locked-address expiration mac disabled

locked-address ipv4 enforcement disabled

locked-address ipv6 enforcement disabled

show address locking

show address locking counters

show address locking table ipv4

EOS 4.32.2F User Manual - Data Plane Security

Data Plane Security

IP NAT

Inside and Outside Addresses

Static IP NAT

Configuring Static NAT

Configuring Source NAT

Configuring Destination NAT

Configuring Twice NAT

Static NAT Configuration Considerations

Egress VLAN Filter for Static NAT

Dynamic NAT

Configuring Dynamic NAT

Prerequisites

Configure the Address Pool

Set the IP Address

Configuring Dynamic NAT Priority

Configuring Dynamic NAT with Overload

Define the NAT Source Address for Translation

Specify the Timeout Values

Verify the NAT Configuration

Display the Address Pools

Clearing IP NAT Table Entries

Dynamic NAT Configuration Considerations

Configuring Dynamic NAT Using Pools in a L2 Adjacent Network

Configuring Dynamic NAT Using Pool in a L3 Network

Configuring Dynamic NAT Using Overload with ECMP Routes

Dynamic NAT Peer State Synchronization

Configuring Dynamic NAT Peer State Synchronization

Applying NAT profile on a Tunnel Interface

IP NAT Commands

clear ip nat flow translation

ip address

ip nat destination static

ip nat pool

ip nat source dynamic

ip nat source static

ip nat translation counters

ip nat translation low-mark

ip nat translation max-entries

ip nat translation tcp-timeout