Manual Switch LightBolt

AsGa LightBOLT
Light BOLT 10GigE Switch

AsGa LightBOLT
LightBOLT 10GigE Switch
User Guide
User Guide
Index
AsGa LightBOLT
User Guide Index
INDEX
1 INTRODUCTION ........................................................................................................................................ 6
1.1 FRONT PANEL ............................................................................................................................... 9
1.2 REAR PANEL............................................................................................................................... 10
2 SPECIFICATION ...................................................................................................................................... 11
2.1 SYSTEM DEFAULTS .................................................................................................................... 11
3 CONFIGURATION ................................................................................................................................... 12
3.1 COMMAND LINE INTERFACE....................................................................................................... 12
3.2 CONVENTIONS USED IN THIS GUIDE ........................................................................................... 12
3.3 COMMAND LINE INTERFACE PRIMER.......................................................................................... 12
3.4 MODES COMMON TO PROTOCOLS .............................................................................................. 14
3.5 COMMAND NEGATION ................................................................................................................ 15
3.6 FORMAT USED FOR COMMAND DESCRIPTION ............................................................................. 15
3.7 INITIAL CONFIGURATION ............................................................................................................ 15
3.8 CONNECTING TO THE SWITCH ..................................................................................................... 16
3.9 CONFIGURING THE SWITCH ........................................................................................................ 17
3.10 MANAGING FILE SYSTEM ........................................................................................................... 26
3.11 CONFIGURING SYSTEM LOGS..................................................................................................... 28
3.12 CONFIGURING YOUR CONSOLE PORT........................................................................................... 29
3.13 CONFIGURING REMOTE OR LOCAL LOGON AUTHENTICATION ................................................... 31
3.14 CONFIGURING SNMP ................................................................................................................. 34
3.15 PORT CONFIGURATION ............................................................................................................... 35
3.16 CONFIGURING IP ADDRESSES ON SWITCHED VIRTUAL INTERFACES SVI´S ................................ 36
3.17 MAC ADDRESS TABLE............................................................................................................... 37
3.18 ACCESS LIST .............................................................................................................................. 38
3.19 DENIAL OF SERVICE ATTACK PREVENTION (DOS PREVENTION) ................................................. 42
3.20 SPANNING TREE PROTOCOLS...................................................................................................... 45
3.21 LINK AGREGATION CONTROL PROTOCOL COMMANDS SET. ....................................................... 69
4 COMMANDS IN ALPHABETIC ORDER .................................................................................................... 74
4.1 ACCESS-LIST .............................................................................................................................. 74

4.2 ACCES-GROUP COMMANDS ........................................................................................................ 77
4.3 BOOT .......................................................................................................................................... 79
4.4 CLEAR COUNTERS....................................................................................................................... 80

4.5 CLEAR MAC-ADDRESS-TABLE ..................................................................................................... 80
4.6 CLASS MAP COMMAND .............................................................................................................. 81
AsGa LightBOLT
User Guide Index
D
4.7 DIR ............................................................................................................................................. 82

4.8 DUPLEX ...................................................................................................................................... 83
4.9 ERASE ........................................................................................................................................ 83

4.10 EXIT ........................................................................................................................................... 84
4.11 FLOLWCONTROL ......................................................................................................................... 84
4.12 HOSTNAME ................................................................................................................................. 85
4.13 INTERFACE ................................................................................................................................. 86

4.14 IP ADDRESS ................................................................................................................................. 86
4.15 IP-ACCESS-GROUP....................................................................................................................... 87
4.16 MAC-ADDRESS-TABLE AGING-TIME ............................................................................................ 88

4.17 MAC-ADDRESS-TABLE FREEZE ................................................................................................... 88
4.18 MAC-ADDRESS-TABLE STATIC .................................................................................................... 89
4.19 SWITCHPORT .............................................................................................................................. 89

4.20 SWITCHPORT MODE .................................................................................................................... 90
4.21 SWITCHPORT ACCESS.................................................................................................................. 91
4.22 SWITCHPORT TRUNK................................................................................................................... 92
4.23 SWITCHPORT MODE TRUNK INGRESS FILTER ............................................................................... 92
4.24 SPEED ......................................................................................................................................... 93
4.25 SHOW INTERFACE ....................................................................................................................... 94
4.26 SHOW INTERFACES ..................................................................................................................... 95
4.27 SHUTDOWN ................................................................................................................................ 96
4.28 SHOW VLAN ............................................................................................................................. 97
4.29 SHOW OUTBOUND ACCESS-PRIORITY-TABLE .............................................................................. 98
4.30 SHOW TRAFFIC-CLASS-TABLE ..................................................................................................... 98
4.31 SHOW USER-PRIORITY ................................................................................................................ 99
4.32 STORM CONTROL ....................................................................................................................... 99
4.33 SNMP-SERVER MANAGER .......................................................................................................... 100
4.34 SNMP-SERVER TRAP-SOURCE .................................................................................................... 101
4.35 SNMP-SERVER ENABLE-TRAPS .................................................................................................. 101
4.36 SNMP-SERVER COMMUNITY ...................................................................................................... 102
AsGa LightBOLT
User Guide Index
4.37 SNMP-SERVER NAME ................................................................................................................ 103
4.38 SNMP-SERVER CONTACT ........................................................................................................... 104
4.39 SNMP-SERVER LOCATION ......................................................................................................... 104
4.40 SNMP-SERVER VIEW ................................................................................................................. 105
4.41 SNMP-SERVER ENGINEID .......................................................................................................... 105
4.42 SNMP-SERVER USER CREATE .................................................................................................... 106
4.43 SHOW SNMP VIEW ..................................................................................................................... 106
4.44 SHOW ALL-FILES ....................................................................................................................... 107
4.45 SHOW LOG-FILES ...................................................................................................................... 107
4.46 SHOW CONFIG-FILES ................................................................................................................. 108
4.47 SHOW IMAGE-FILES .................................................................................................................. 109
4.48 SHOW MAC-ADDRESS-TABLE .................................................................................................... 109
4.49 STORM-CONTROL ..................................................................................................................... 110
4.50 VLAN DATABASE.................................................................................................................... 111

4.51 VLAN ...................................................................................................................................... 111
4.52 VLAN CLASSIFIER ..................................................................................................................... 112
4.53 WRITE ...................................................................................................................................... 113

AsGa LightBOLT
User Guide Safety Warnings
SAFETY WARNINGS
Safety
When installing, operating and maintaining this equipment, basic safety precautions should always be
followed. No adjustment, repair or maintenance should be performed by the operator or user. Only
qualified person or authorized services are allowed to repair or make adjustments to this equipment.
Optical Device
Since this product has an optical device, the following security warnings should be followed:
• Never look directly into the optical transmission interface, aligning your
eye with theoptical device. Doing so, user could expose your eye to a
concentrated beam of optical radiation.
• Do not attempt to adjust the optical device, intending to amplify or
attenuate theoptical signal.
Internal Voltage
As the serial inputs and outputs of this equipment operate with voltages lower
than the 5 volt threshold, it cannot harm the user when handling the equipment.
However, overvoltages coming from the Telecommunication Network could be
present, mainly if the equipment is not properly installed.
Electrostatic Discharge
This product (chassis and printed circuit boards) can be handled by the user, not
presenting any problems concerning electrical discharge. However, it is
recommended user to follow ANSI IPC-A-610 standard for electrical discharge
(ESD) and use a wrist strap when removing or inserting any card into the
equipment.
The information contained in this guide is AsGa’s property, and it is not authorized to publish,
reproduce or to make any other use without written permission of AsGa.
AsGa reserves the right to make changes to this guide without notice.
5
AsGa LightB
LightBolt 10GigE Switch
User Guide Introduction
1 INTRODUCTION
Over the past several years, Ethernet has been the most popular choice of technology for
local area networks (LAN). There are millions of Ethernet users worldwide and still counting growing.
In 1998, the standard for 1-Gigabit Ethernet was released. Today 1-Gigabit Ethernet dominate the
LAN markets.
As the demand for high-speed networks continues to grow, the need for a faster Ethernet
technology became a need. By March 1999, a working group was formed at IEEE 802.3 Higher
Speed Study Group (HSSG) to develop a standard for 10-Gigabit Ethernet, today 10GigE is a reality.
10-Gigabit Ethernet is basically the faster-speed version of Ethernet. It will support the data rate of 10
Gb/s. It offers similar benefits to those of the preceding Ethernet standard.
The potential of 10-Gigabit Ethernet to solve the actual and future network bottlenecks are
enormous.
There are broad groups of users who demand 10-Gigabit Ethernet; for example, enterprise
users, universities, telecommunication carriers, and Internet service providers, but in a last instance;
users and their application will be pushing up this new generation of equipments and its use.
One of the main benefits of 10-Gigabit standard is that it offers a low-cost solution to solve the
current and future demands for bandwidth. Not only the cost of installation is low, but the cost of
network maintenance and management is minimal as well. Management and maintenance for 10-
Gigabit Ethernet may be done by local network administrators as it is done actually for 1GigE
networks.
In addition to the cost reduction benefit, 10-Gigabit Ethernet may allow faster switching. Since
10-Gigabit Ethernet uses the same Ethernet format, it allows seamless integration of LAN, MAN, and
WAN. There is no need for packet fragmentation, reassembling, or address translation 10-Gigabit
Ethernet also offers straightforward scalability (10/100/1000/10000 Mb/s).
Upgrading to 10-Gigabit Ethernet is simple since the upgrade paths are similar to those of 1-
Gigabit Ethernet.
AsGa LightBOLT 10GigE switches offer a seamless path migration to your 10Gig solution,
integrating in just one rack unit 24 1GigE electrical ports (two optical 1GigE combo port available) plus
four 10GigE ports with an unparallel switching capacity: less than 3 microsecond switching time at
full load. In addition to many other capabilities, all switching/routing decisions are solved by hardware,
all Access Control List (ACL´s) are also solved in hardware off loading all host CPU processing time
related with those and many other tasks.
LightBolt family of switches is composed by:
LightBotl 28322-E
• 24 Ports 10/100/1000. Electrical ports. Two Combo ports Electrical/Optical (base on SFP
technology).
• 4 ports 10GE (Two XSFP based plus two 10Gig electrical port XC4 compatible).
• 1 Rack Unit.
• 8K MAC Table.
• 4K L3 IPV4 Table.
LightBotl 28522-E
• 24 Ports 10/100/1000. Electrical Ports. Two Combo ports Electrical/Optical (base on SFP
technology).
• 1 Rack Unit.
• 16K MAC Table.
6
AsGa LightB
LightBotl 28322-O
• 24 Ports 10/100/1000. Optical ports (base on SFP technology).Two Combo ports
Electrical/Optical.
• 1 Rack Unit.
• 8K MAC Table.
LightBotl 28522-O
Electrical/Optical
• 1 Rack Unit.
• 16K MAC Table.
LightBotl 28304-E
technology).
• 4 ports 10GE (Four 10Gig electrical port XC4 compatible).
• 1 Rack Unit.
• 8K MAC Table.
LightBotl 28504-E
technology).
• 1 Rack Unit.
• 16K MAC Table.
LightBotl 28304-O
Electrical/Optical.
• 1 Rack Unit.
• 8K MAC Table.
LightBotl 28504-O
Electrical/Optical.
• 1 Rack Unit.
• 16K MAC Table.
LightBotl 28340-O
Electrical/Optical.
• 4 ports 10GE (Four XSFP based).
• 1 Rack Unit.
• 8K MAC Table.
7
AsGa LightB
LightBotl 28540-O
Electrical/Optical.
• 4 ports 10GE (Four XSFP based).
• 1 Rack Unit.
• 16K MAC Table.
With LightBOLT switches, AsGa introduce AsGOS a compressive CLI (Command Line Interface)
industry standard configuration. AsGOS come in the following packages:
Full Layer 2 protocol support:

• IEEE 802.3ac – VLAN Tagging.
• IEEE 802.1S – Multiple Spanning Tree.
• IEEE 802.1W – Rapid Spanning Tree.
• IEEE 802.1D – Spanning Tree.
• IEEE 802.1Q – Virtual LANs with Port Based VLANs.
Up to 4095 VLANs.
• IEEE 802.1v – Protocol based VLANs.
• IEEE 802.1p – Prioritization of Traffic at the Data-Link Level.
• IEEE 802.1X – Port Authentication. (*)
• IEEE 802.3x – Flow Control.
• Port Mirroring.
Switched Port Analyzer (SPAN).
Remote switched Port Analyzer (RSPAN).
• Broadcast Storm filtering.
• Multicast Storm filtering.
• Rate Limiting (In/Out).
• Static MAC Filtering.
• Mac freezing.
Stop the automatic learning process on the switch.
• Double VLAN / vMAN Tagging Q on Q.
• Support for Jumbo Frames.
• L2 Access Control List. ACLs Support.
• MAC addresses Table size:
Up to 16K MAC addresses for LightBOLT 28504.
Up to 8K MAC addresses for LightBOLT 28304.
• L3 Access Control List ACLs fully supported in Hardware.
• Denied Of Service (DoS) Checking.
DoS checking for source IP equal to destination IP
Fragmented ICMP packets.
Packets with TCP header offset equals to 1.
UDP packets where destination ports is the same as source ports.
TCP packets where destination ports is the dame as source ports.
TCP packets with FIN, URG, PSH bits enable and sequence number = 0.
Minimum TCP header size value for header size
Other specific DoS characteristics are checked.
• Management:
SNMP V1 RFC 1157.
SNMP V2 RFC 1901.
SNMP V3 RFC 257.
- RFC 2575 – View based Access Control Model for SNMP.
CLI industry standard.
TFTP as a transfer protocol for all File exchange operations.
Logging system.
8
AsGa LightB
Configuration Backup and restore: You can save the current configuration settings to a
file on a TFTP server, and later download this file to restore the switch configuration
settings.
Image Backup and restore: You can save or restore the image files on a TFTP
server, and later download or restore it to the switch
Authentication – This switch authenticates management access via the console port,
Telnet. User names and passwords can be configured locally or can be verified via a
remote authentication server RADIUS. Other authentication options include SSH for
secure management access over a Telnet-equivalent connection, IP address filtering
for SNMP/Telnet management.
• Full L3 protocol Support (*). When loaded with this feature set software. In addition to the
before mentioned L2 characteristics the LightBOLT family of switches Full Layer 3 support.
• AsGOS MC Extension (*): Full Layer 2; little Layer 3 package specifically adapted for provide
full management support to AsGa 1GigE Media Converters directly attached to Optical
LightBOLT Family of switches.
The following lines detail basic CLI standard commands available at the current AsGOS L2
version; for more complete information about all command available please refer to the alphabetic
command index.
1.1 Front Panel

The figure 1-1 displays the frontal view of Switch LightBolt.
Figure 1-1: Front Panel.
Position Designation
RJ45 connector for combo port Electrical 10/ 100/ 1000Mbps and indicative Led of activity
[1]
in the port (ports 1 – 24).
[2] SFP connector for combo port Optical.
[3] Microgiga connector for ports 10GE.
[4] Indicative Led for Ethernet link (LINK 1 - 4).
[5] Indicative Led of activity in the port 10GE (ACT 1 - 4).
[6] Indicative Led for activated Switch (PWR).
9
AsGa LightB
1.2 Rear Panel
The figure 1-2 displays the back view of Switch LightBolt.
Figure 1-2: Rear Panel.
Position Designation
[7] RJ45 connector for notebook connection.
[8] DB9 connector for notebook connection.
[9] Backup connectors for power supply input (AC / DC).
[10] Main connectors for power supply input (AC / DC).
1.3 POWER SUPPLY

LightBolt10GigE switch has a 90 to 250VAC or 36V to 60V DC input voltage supply source.
Power input is made through a three-pole connector found in the rear panel. Alternatively, switch may
be supplied with an extra source for protection.
1.4 CONSUMPTION
LightBolt10GigE switch total consumption is 96W (2A).
1.5 DIMENSIONS
• Height: 44,45mm (1U)
• Width: 482,6 mm (19”)
• Depth: 367 mm
1.6 ENVIRONMENTAL CONDITIONS

LightBolt10GigE switch fully meet the “Prática Telebrás 240-600-703” specifications, as class
C – variant 2 – equipment for operation in non-acclimatized, covered environment, within the 0°C to
50°C temperature range.
• Operational Temperature: 0°C to 50°C.
• Storage Temperature: -5°C to 50°C.
• Transportation Temperature: -40°C to 70°C.
• Relative Humidity: Up to 90%, without condensation.
10
AsGa LightB
User Guide Specification
2 SPECIFICATION
2.1 System Defaults
The switch’s system defaults are provided in the configuration file
“Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup
configuration file. The following table lists some of the basic system default.
FUNCTION PARAMETER DEFAULT
Baud Rate 9600 bps
Data Bit 8
CONSOLE PORT CONNECTION Stop Bit 1
Parity N
Console time out Disable 0
User Name: none
Normal Exec
Password: none
Configuration Level Password: none
AUTHENTICATION
RADIUS Disable
SSH V2.0 Disable
Telnet port 23 Disable
SNMP V1; V2; V3 Disable
RO
SNMP
Communities R/WR
Trap
Admin Status Enable
Auto negotiation Enable
Flow Control Disable
10 Mbps Half Duplex
10 Mbps Full Duplex
100 Mbps Half Duplex
GiGE (Electrical) Port Capabilities
PORT CONFIGURATION 100 Mbps Full Duplex
1000 Mbps Full Duplex
Flow Control Disable
Xe (10GigE) Optical Port 10 GigE Full Duplex. Fixed.
Capabilities Flow Control Disable.
Xe (10GigE) XAUI Port 10 GigE Full Duplex. Fixed.
Capabilities Physical: CX4
RATE LIMITING In/Out Disable
BROADCAST STORM
In Disable
SUPPRESSION
MULTICAST LIMIT
In Disable
SUPPRESSION
Mode 802.1D Classic Spanning Tree
SPANNING TREE PROTOCOL
Port Fast Disable
ADDRESS MAC TABLE Aging Time 300 seconds
Default VLAN 1
Port vlan Mode: PVID 1
VIRTUAL LANs VLANs
Frames Acceptable Untagged
Switch Port Mode Access
IP address 0.0.0.0
MANAGEMENT IP SETTINGS Mask 255.0.0.0
Default gateway 0.0.0.0
first-fragment-ip-packets Enable
icmp-attack-check Enable
minimun-icmp-packet-over-size 512
minimun-tcp-header-allowed 20
DENIED OF SERVICES
sip-dip-protection Enable
tcp-fragment-attack Enable
tcp-on-invalid-flags Enable
tcp-udp-sp-equal-dp Eanble
SYSTEM LOG Status Disable
Table 2.1: System Defaults.
11
AsGa LightB
User Guide Configuration
3 CONFIGURATION
3.1 Command Line Interface
This Guide attempts to make configuration simpler as possible; displaying all AsGOS
command lines necessaries to configure LightBOLT series switches. It covers basic configurations for
Basic Access and all Networking Services provided by the platform.
3.2 Conventions Used in this Guide

Conventions for the syntax and procedures describing how to enter information and how
information is displayed on the console are given in the following table.
CONVENTION DESCRIPTION SYNTAX

This monospaced font represents command strings
command syntax show ip ospf
entered on a command line and sample source code.
A variable parameter. Enter a value according to the area AREAID range
UPPERCASE
descriptions that follow. ADDRESS
[parm1|parm2|?parm3]
Used with the square brackets to limit the immediately
expands to parm1 parm3
? question Mark following token to one occurrence. Not to be entered as
parm1 parm2 (with parm3
part of the command.
occurring once)
A keyword parameter. Enter lowercase values exactly as
lowercase show ip ospf
shown.
| The vertical bar. Delimits choices; select one from the list. A.B.C.D|<0-4294967295>
Allows the repetition of the element that immediately
.AA:NN can be expanded
. Dot (period) follows it multiple times. Not to be entered as part of the
to: 1:01 1:02 1:03.
command.
Parenthesis. Delimits optional parameters. Do not enter
() (A.B.C.D|<0-4294967295>)
parentheses as part of any command
Square brackets: groups parameters and keywords into a
[] single unit. Take all parts within these brackets. Do not [parm2|parm2|parm3]
enter brackets as part of any command.
Angle brackets: enclose a numeric range for a keyword.
<> <0-65535>
Do not enter angle brackets as part of any command.
description Proportional font gives specific details about a parameter.
Equal sign: separates the command syntax from
= PROCESSID = <0-65535>
explanatory text.
GE1 (For Giga Bit Etherrnet
IFNAME Indicates the name of an interface. interfaces) XE1 (For 10Giga
Bit Interfaces)
Note: Unless otherwise stated, press Enter after each command entry.
3.3 Command Line Interface Primer

The AsGOS Command Line Interface (CLI) is a text-based facility similar to most industry
standards command lines interfaces. Each command CLI is usually associated with a specific function
or a common task performing it specificly.
Multiple users can telnet and issue commands using the Exec mode and the Privileged Exec
mode. However, only one user is allowed to use the Configure mode at a time, to avoid multiple users
from issuing configuration commands simultaneously.
12
AsGa LightB
3.3.1 Command Line Help
The AsGOS CLI contains a text-based help facility. Access this help by typing in the full or
partial command string then typing “?”. The AsGOS CLI displays the command keywords or
parameters plus a short description.
Note: Some of our command examples showed here are base on features that will be released. All of
them must be taken as typographic examples only.
For example, at the CLI command prompt, type “show ?” (the CLI does not display the question
mark). The CLI displays this keyword list with short descriptions for each keyword:
bgpd# show
debugging Debugging functions (see also 'undebug')
history Display the session command history
ip IP information
memory Memory statistics
route-map route-map information
running-config running configuration
startup-config Contents of startup configuration
version Displays AsGOS version
3.3.2 Syntax Help

The AsGOS CLI can complete the spelling of command or parameter keywords. Begin typing
the command or parameter then press TAB. At the CLI command prompt type sh:
AsGOS> sh
Press TAB. The CLI shows:
AsGOS> show
If the command or parameter partial spelling is ambiguous, the AsGOS CLI displays the
choices that match the abbreviation. Type show i. Press TAB. The CLI shows:
AsGOS> show i
interface ip
AsGOS> show i
The interface displays the interface and ip keywords. Type “n” to select interface and press
TAB. The CLI shows:
AsGOS> show in
AsGOS> show interface
Type ? and the CLI shows the list of parameters for the show interface command.
[IFNAME] Interface name

AsGOS> show interface
This command has but one positional parameter, an interface name. Supply a value for the
IFNAME parameter.
13
AsGa LightB
3.3.3 Command Abbreviations
The AsGOS CLI accepts abbreviations for commands. For example:
sh in Ge7
Is the abbreviation for the “show interface command”.
3.3.4 Command Line Errors

If the switch does not recognize the command after ENTER is pressed, it displays the following
message:
% Unknown command.
If a command is incomplete it displays the following message:
% Command incomplete.
Some commands are too long for the display line and can wrap in mid-parameter or mid-keyword if
necessary.
3.4 Modes Common to Protocols

Exec: This mode, also called the View mode, is the base mode from where users can perform basic
commands like show, exit, quit, help, list, and enable.
Privileged Exec: This mode, also called the Enable mode, allows users to perform debugging
commands, the write commands (for saving and viewing the configuration), show commands, and so
on.
Configure: Sometimes referred to as Configure Terminal, this mode serves as a gateway into the
Interface, AsGOS, Line, Route Map, Key Chain and Address Family modes.
Interface: This mode (or context) is used to configure protocol-specific settings for a particular
interface.
Line: This mode (or context) makes available access-class commands.
14
AsGa LightB
3.5 Command Negation
Some commands can be negated by using a no keyword. Depending on the command or
the parameters, command negation can mean the disabling of one entire feature for the
AsGOS/switch or the disabling of that feature for a specific ID, interface or address.
In the following example, negation is for the base command only. The negated form does
not take any parameter.
default-metric <1-16777214>
no default-metric
3.6 Format used for Command Description

The following lines show us how commands will be represented in the context of this manual:
Command name
Description of the command. What the command does and when should it be used.
Command Syntax
Sample command name mandatory-parameters (OPTIONAL-PARAMETERS)
Default
The status of the command before it is executed. Is it enabled or disabled by default.
Command Mode
Name of the command mode in which this command is to be used. Such as, Exec, Privilege Exec,
Configure mode and so on.
Usage
This section is optional. It describes the the usage of a specific command and the interactions
between parameters. It also includes appropriate sample outputs for show commands.
Example
Used if needed to show the complexities of the command syntax.
Related Commands
This section is optional and lists those commands that are of immediate importance.
Equivalent Commands
This section is optional and lists commands that accomplish the same function.
Validation Commands
This section is optional and lists commands that can be used to validate the effects of other
commands.
3.7 Initial Configuration

The switch includes a built-in network management agent based on a CLI Industry default
access method. A PC may be connected directly to the switch for configuration and all of its features
can be monitored and configured via this command line interface (CLI). In addition to CLI access
method the system has a complete SNMP option; including those defined on SNMP V.3 RFC 2575
(View based Access Control Model for SNMP).
The CLI program can be accessed by a direct connection to the RS-232 serial console port
on the switch; or remotely by a Telnet or SSH connection over the network. For any remote operation
15
AsGa LightB
you need to configure an IP management address. The IP address for this switch is unassigned by
default. To change this address, see “Setting Management IP address” on page 25.
The switch, CLI interface configuration program agent allows you to perform the following
management functions:
• Set user names and passwords.

• Set an IP interface for a management VLAN.
• Configure SNMP parameters.
• Enable/disable any port.
• Set the speed/duplex mode for any port.
• Configure up to 4096 IEEE 802.1Q VLANs.
• Upload and download system software via TFTP.
• Upload and download switch configuration files via TFTP.
• Configure Spanning Tree parameters for all STPx supported.
• Enable port mirroring.
• Set broadcast storm control on any port.
• Display system information and statistics.
• Others.
3.8 Connecting to the switch
3.8.1 Local Configuration

The switch provides an RS-232 serial port that enables a connection to a PC or terminal for
monitoring and configuring the switch. To do this you will need a RS232 (no cross over cable) cable;
attach a VT100-compatible terminal or a PC running your favorite terminal emulation program with the
following parameters configured:
• Select the appropriate serial port (COM port 1 or COM port 2).
• Set the profile to the default switch profile.
• Once you have set up the terminal correctly, the console login screen will be displayed.
• Refer to “Line Commands” for a complete description of console configuration options.
The following picture show the DB9 switch “Pin out”:
3.8.2 Remote Connections

By default your LightBolt switch does not accept any remote configuration neither telnet nor
ssh. You need specifically enable those features trough configuration mode. The following lines
describe those commands in order to enable the Telnet service.
16
AsGa LightB
COMMAND DESCRIPTION
AsGa> enable To enter in configuration mode ingress the enable command

and press enter.
AsGa# service telnet (enable | Disable) Enable or disable the Telnet Service
AsGa# wr Save the current configuration
SSH Service:
COMMAND DESCRIPTION
To enter in configuration mode ingress the enable
AsGa> enable
command and press enter.
AsGa# service ssh (enable | disable) Enable or Disable the SSH Service
AsGa# wr Save the current configuration
As well to gain access to onboard management agent via a network connection, you must first
configure it with a valid IP address, subnet mask, and route (when it is needed) using a console
connection. The IP address for this switch is unassigned by default; see “Setting Management IP
address” on page 25.
This switch supports five simultaneous Telnet sessions. After configuring the switch’s IP
parameters, you can access the onboard configuration program from anywhere within the attached
network. The onboard configuration program can be accessed using Telnet (port 23 by default) or
SSH from any computer attached to the network.
3.9 Configuring the Switch
3.9.1 Basic Configuration – Console Connection

The CLI program provides different command levels — normal access level (Normal Exec)
View mode; privileged access level (Privileged Exec) and configuration mode. The commands
available at the Normal Exec level are a limited subset of those available at the Privileged Exec level
and allow you to only display information and use basic utilities. To fully configure the switch
parameters, you must access the CLI at the privileged Exec level. Access to both CLI levels are
controlled by users names and passwords. The switch has no default user name and password
configured.
Connected to the console port to initiate your console connection, just press <Enter>. At the
first time you will not be prompted for a user name and password. You will have the default prompt
name witch will be “AsGa> “ witch indicate the normal Exec mode operation (or View mode).
At this level you can enter at the configuration mode issuing the following commands:
COMMAND DESCRIPTION
AsGa> Default hostname and prompt will be displayed
To enter in configuration mode ingress the enable command and
AsGa> Enable
press enter.
AsGa# Now you are into configuration mode or privileged mode.
If you have configured a user name and password you will be prompted:
COMMAND DESCRIPTION
After connect your terminal you will be prompted for a user name
and password.
User name: Enter your configured User name.
Password: Enter Your Configured Pass.
AsGa> Default hostname and password.
AsGa> enable Now you can issue the command enable.
AsGa# The prompt will change to “#”. Now you are into the privileged
mode or configuration mode.
17
AsGa LightB
3.9.2 Displaying system configuration
In order to verify your current configuration you need to type the command “show
running” under the privileged Exec level (enable mode). This command displays your
configuration stored into NVRAM and actually running on your system. A typical view of this command
can be summarized:
AsGa#sh run
!
no service password-encryption
!
hostname AsGa
!
spanning-tree mst config
bridge instance 1 vlan 100
bridge region test
!
maximum-paths 8
bridge protocol mstp
bridge acquire
vlan classifier rule 1 ipv4 40.40.40.40/24 vlan 300
vlan classifier rule 2 mac 00.0c4.012 vlan 300
vlan classifier rule 3 proto 8192 encap ethv2 vlan 300
vlan classifier group 1 add rule 1
bridge spanning-tree errdisable-timeout interval 1
bridge cisco-interoperability enable
!
vlan database
vlan 20 bridge name TEST2
vlan 20 bridge state enable
vlan 100 bridge name TEST
vlan 300 bridge name TEST3
vlan 4094 bridge name DEFAULT-VLAN
!
interface ge1
switchport
switchport mode access
switchport access vlan 100
flowcontrol send on
flowcontrol receive on
bridge-group instance 1
spanning-tree portfast
!
interface ge2
switchport
bridge-group
18
AsGa LightB
!
interface ge3
switchport
!
interface ge4
switchport
vlan classifier activate 1
!
interface ge5
!
interface ge6
!
interface ge7
!
interface ge8
!
interface ge9
!
interface ge10
!
interface ge11
switchport
!
interface ge12
switchport
switchport mode trunk
switchport mode trunk ingress-filter enable
switchport trunk allowed vlan add 300
!
interface ge13
!
interface ge14
!
interface ge15
!
interface ge16
!
interface ge17
!
interface ge18
!
interface ge19
!
interface ge20
switchport
switchport mode access ingress-filter enable
flowcontrol send on
19
AsGa LightB
flowcontrol receive on
!
interface ge21
switchport
!
interface ge22
!
interface ge23
switchport
switchport trunk native vlan 4094
!
interface ge24
switchport
!
interface lo
mtu 1500
ip address 127.0.0.1/8
ip address 30.30.30.30/24 secondary
!
interface vlan1.1
!
interface vlan1.20
!
interface vlan1.100
ip address 10.10.10.10/24
!
interface vlan1.300
!
interface vlan1.4094
!
line con 0
exec-timeout 0 0
login
line vty 0 4
exec-timeout 0 0
login local
!
20
AsGa LightB
end
AsGa#
3.9.3 Displaying system inventory
The command “show inventory” shows all basic system information including MAC base
system address; software and hardware versions; manufacturing data; etc. A typical view of this
command is:
System Inventory: Lightbolt 28304E

Mac Address: 00:14:fa:00:29:30
Description: Production Sample
Product code: 15097
Serial number: 1
Manufacturing Date: 01/04/2008
Hardware Version: 15
Firmware Version: 1
System Version: N/A
Startup Version: 1.0.0-RC1
AsGOS Version: 1.0.0-RC5
Product Notes: Not for sale
Resets: 113
3.9.4 Defining 802.1Q VLAN

VLANs are a mechanism to allow network administrators to create logical broadcast domains
that can span across a single switch or multiple switches, regardless of physical proximity. This
function is useful to reduce the size of broadcast domains or to allow groups or users to be logically
grouped without the need to be physically located in the same place.
Your LightBolt switch permits up to 4095 VLANs to be defined on a single switch. The
following figure shows a single VLAN tagued packet:
3.9.4.1 Creating VLANs into the Switch Database

Use the vlan database into configuration mode command to add a VLAN and enter the config-
vlan mode. Use the no statement of this command to delete the VLAN.
vlan vlan-id {enable|disable}|[name vlan-name][state {suspend|active}

no vlan vlan-id
vlan-id ID: of the configured VLAN. Valid IDs are from 1 to 4095. Do not enter leading zeros.
Name: vlan-name (Optional): Specify the VLAN name, an ASCII string from 1 to 32
characters.
State: {suspend | active} (Optional) Specify the VLAN state:
• If active, the VLAN is operational.
21
AsGa LightB
• If suspend, the VLAN is suspended. Suspended VLANs do not traffic
packets.
• Create the VLANs into the VLAN switch database:
COMMAND DESCRIPTION
AsGOS (config)# vlan database Enter the VLAN configuration mode.
Enable VLAN number 5. Specifying the enable
AsGOS (config-vlan)# vlan 5 state enable state allows forwarding of frames on this VLAN-
aware bridge.
AsGOS (config-vlan)# exit Exit the VLAN configuration mode and enter
Configuration mode.
3.9.5 Switch Port Roles

Physical ports in a switch can have two defined roles:
switched ports: ports witch can not accept an IP address or

routed ports: ports witch can accept an IP address.
Note: By default all ports are switched (no routed) access ports with the default per port VLAN ID
(PVID) equal to one (PVID=1). By default the system run classical STP on all those access port.
Use the switchport interface configuration command with no keywords to put an interface
that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration. Use the no statement of this
command to put an interface in Layer 3 mode.
switchport
no switchport
Use the no switchport command (without parameters) to set the interface to the routed-
interface status and to erase all Layer 2 configurations. You must use this command before assigning
an IP address to a routed port.
COMMAND DESCRIPTION
AsGa>config t Enter into configuration mode.
AsGa#interface ge1 Enter into interface ge1 configuration mode.
AsGa(interface)# Now you are into the interface configuration mode.
AsGa(interface)# swtchport Put the interface into the default switchport mode.
AsGa(interface)#end Exit from interface configuration mode.
AsGa# wr Save the configuration.
COMMAND DESCRIPTION
AsGa>config t Enter into configuration mode
AsGa#interface ge1 Enter into interface ge1 configuration mode.
AsGa(interface)# NO swtchport Put the interface into the routed port mode, ready to
accept an IP address.
22
AsGa LightB
3.9.6 Switchport Mode
When the switch receives a frame, it classifies the frame in one of two ways. If the frame is
untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the
receiving port). But if the frame is tagged the switch use the Taggued VLAN ID to identify the port
broadcast domain for the frame.
In order to identify the ports on wich the frame must be sent first at all you need to define the
switch port mode of a port.
Ports can be 3 types:
• Access Ports.
• Trunk Ports.
• Hibrid ports.
Use the switchport mode interface configuration command to configure the mode of a port. Use
the <no> statement of this command to reset the mode to the appropriate default for the device.
switchport mode {access | trunk | hybrid}

no switchport mode {access| trunk | hybrid}
Access: Set the port to access mode. The port is set to access unconditionally and operates as a
nontrunking, single VLAN interface that sends and receives nonencapsulated (non-tagged) frames.
An access port can be assigned to only one VLAN.
Trunk: Set the port to trunk unconditionally. The port is a trunking VLAN Layer-2 interface. The port
sends and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a
point-to-point link between two switches or between a switch and a router.
Hibrid: This mode set the trunk in an hybrid mode wich means that the port acting as a trunk has a
default VLAN for all those packets that arrive at the port untagged. Under this mode the user must
specify the untagged VLAN for all those arriving non tagged packets. Packet going outward for the
specified VLAN ID will go from this trunk in an untagged form.
• Setting an interface into switched port mode access:
COMMAND DESCRIPTION
AsGa>config t Enter in configuration mode.
AsGa#interface ge1 Enter in interface ge1 configuration mode.
AsGa(interface)# swtchport mode access Put the interface in the accces switch port mode.
• Setting an interface in switched port mode trunk:
COMMAND DESCRIPTION
AsGa(interface)# swtchport mode trunk Put the interface in the trunk switch port mode.
23
AsGa LightB
3.9.7 Assigning a VLAN to an Access port
Use the “switchport access” interface configuration command to configure a port as a VLAN
assigned static-access port. If the mode is set to access, the port operates as a member of the
configured VLAN.
switchport access vlan {vlan-id }

no switchport access vlan
COMMAND DESCRIPTION
AsGa(interface)# Now you are in the interface configuration mode.
AsGa(interface)# swtchport access vlan 300 Assign Pert Port VLAN ID to an access port.
3.9.8 Adding VLANs to a Trunk Port

Ports can be access port or trunk port. The table shows the steps necessaries for adding a
VLAN in an trunk port.
• Enabling all VLANs on a trunk port.

COMMAND DESCRIPTION
AsGOS# configure terminal Enter the Configure mode.
AsGOS(config)# Interface GE24 Enter into the Ge24 Interface context.
AsGOS (config_if)# switchport mode trunk Set the switching characteristics of this interface to
trunk mode.
AsGOS (config_if)# switchport trunk allowed
vlan all. Enable all VLANs on this trunk port.
AsGOS (config-if)# exit Exit the interface configuration mode and enter
configuration mode.
• Adding a particular VLAN to a trunk port.

COMMAND DESCRIPTION
AsGOS(config)# Interface GE24 Enter into the Ge24 Interface context.
AsGOS (config_if)# switchport mode trunk Set the switching characteristics of this interface to
trunk mode.
AsGOS (config_if)# switchport trunk add Enable VLAN ID 100 on this trunk port. Any other
vlan 100 vlan than 100 will be filtered by this trunk port.
AsGOS (config-if)# exit Exit the interface configuration mode and enter
configuration mode.
3.9.9 Displaying VLAN information

In order to display the VLAN port assignment you need to issue the command “show vlan all”
specifying the bridge number. The system will show the following list:
24
AsGa LightB
AsgOS#show vlan all
Bridge VLAN ID Name State Member ports

(u)-Untagged,
(t)-Tagged
================================================================
1 1 default ACTIVE
ge1(u)ge2(u)ge3(u)
ge4(u)ge5(u)ge6(u)
ge7(u)ge8(u)ge9(u)ge10(u)
ge23(u)ge24(u)
xe1(u)xe2(u)xe3(u)xe4(u)
3.9.10 Setting Management IP address

You must define an IP address for the switch to obtain management access through a external
network. At this time you can set the management IP address manually. No DHCP is supported.
Remote management is taken from any IP interface defined into the switch, Routed IP
interfaces and Switched Virtual interfaces (SVI´s) are suitable of receive an IP address. Those IP
address can be used as Management interfaces as they appear as directed connected IP interfaces
to the global L3 routing table.
Use the ip address interface configuration command to set an IP address for the Layer 2 switch
or an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch.
Assuming that your LightBolt switch has just one default vlan (VLAN1) and its respective
switched virtual interface (SVI) VLAN1.1; the following commands shows how to set up an IP address
for these particular default SVI; wich can be reached from any interface belonging to those VLAN.
COMMAND DESCRIPTION
AsGa>config t Enter in configuration mode
Enter in interface vlan1.1 configuration mode.
AsGa#interface VLAN1.1 VLAN1.1 is the default switched virtual interface witch
represent the routed interface for the default VLAN 1
AsGa(interface)# Now you are in the interface configuration mode
AsGa(interface)#ipaddress x.x.x.x/y Enter the IP address
AsGa(interface)#end Exit from interface configuration mode
AsGa# wr Save the configuration
In Order to negate this IP address uses the <no> statement of this command. The example use
the SVI VLAN1.1 witch is created by default into the system. Remember that those SVI´s are created
by the system each time that you define a VLAN into the VLAN database. By default those SVI´s does
not contain any IP address.
3.9.11 Specifying Host Name

To assign your host name use the following steps at your privileged command line.
COMMAND DESCRIPTION
AsGOS(config)#hostname LighetBolt Specify your host name.
LightBolt (config)# Your host name will appear as a new prompt in your system.
Exit from configuration mode.
LightBolt# Write Save your changes into permanent memory.
25
AsGa LightB
3.10 Managing file System
3.10.1 File types

Your LightBolt System storage different file types. By default the system has an image file that
runs your current system, this image file is identified by the extension .BIN. You can maintain up to 3
software versions in your system. Also Binary (BIN) files can be from three types:
• AsGos: Binary Files that contain all mayors control planes and switching/routing software. Naming
convention for this file is:
LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
• System: Binary files that contain no switching / routing control planes software but have some
other software pices. Naming convention for this file is:
LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
• Sanity: Binary files that contain sanity check code. Naming convention for this file is:
LightBolt-28322-E1-L2-Sanity-1.0.0-RC1.bin
In addition to this system file there are configuration files identified by the extension .CONF this
file type storage in a plain text format all configuration rules. There is no limit to the quantity of
configuration files sorted into your system. Just one will be active at time.
Another file type is the .LOG file this file type storage all system sanity test information under
this extension you can find a default file wich name is production.log this file storage all factory
sanity log, this file is a read only file and can not be deleted. The user can decide at startup time run a
new sanity test; its result will be storage under a new file name.
LighBOLT flash system has a flash memory capacity of 32 Mb. This memory can not be
formatted by the user. Use the dir command at privilege level to inspect your file system.
The following shows a typical file system:
AsGa-LAB-1#dir
3.8M Wed Jan 2 01:15:59 2002 LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
3.8M Mon Jul 21 17:13:49 2036 LightBolt-28322-E1-L2-AsGOS-1.0.0---RC4.bin
1.4M Wed Jan 2 01:18:32 2002 LightBolt-28322-E1-L2-Sanity-1.0.0-RC1.bin
708.8k Mon Jul 21 17:16:06 2036 LightBolt-28322-E1-L2-System-1.0.0---RC4.bin
708.8k Wed Jan 2 01:16:49 2002 LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
3.5k Thu Jul 24 10:59:22 2036 default.conf
0 Mon Jul 14 17:34:08 2036 julio
Flash disk space:

Used Available Use%
11.8M 31.2M 27%
3.10.2 Loading new files into your system

In order to load files into your system you have a total free disk space of 32 Mb. The system
load files into this free memory space using TFTP transfer; to do it you need to make available a
TFTP server and issue the following commands:
For copying from a TFTP server to system memory:

AsGa# copy <TFTP server address> <file name> flash
For copying to TFTP server:
26
AsGa LightB
AsGa# copy <file name> <TFTP server address>
3.10.3 Saving and restoring system Files

In order to store or restore bin images or different configuration files you must use the previous
mentioned commands, You can change your booting image at any time by assigning it as a new
booting image, next reload time it will take effect.
All TFTP saved configuration files can be loaded at any time and will take effect after you
configure as a configuration boot file, at next booting time it will take effect.
3.10.4 Configure your booting process.

Your LightBolt switch boot using an image file plus a configuration file. There is a configuration
file named default.txt wich is your default system configuration file but you can assign at any time and
any combination of booting files plus a bin image to boot your system. To display your booting
information use of the following commands:
ASGA_1#sh boot
Config File:
Startup: AsGa-conf-1
Running: AsGa-conf-1
Last Modified: Mon Apr 7 12:56:13 2036
AsGOS Image:
Startup: LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
Running: LightBolt-28322-E1-L2-AsGOS-1.0.0-RC4.bin
Last Modified: Thu Apr 3 08:34:12 2036
System Image:
Startup: LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
Running: LightBolt-28322-E1-L2-System-1.0.0-RC2.bin
Last Modified: Tue Apr 1 08:45:23 2036
Sanity Image:
Startup: LightBolt-28322-E1-L2-Sanity-1.0.0-RC1.bin
To change your actual booting configuration files use this commands:
• Changing your AsGOS bin File
COMMAND DESCRIPTION
AsGOS(config)# boot LightBolt-28322-E1-
Specify the booting AsGOS image file name.
L2-AsGOS-1.0.0-RC5.bin
AsGOS (config)# exit Exit from configuration mode.
27
AsGa LightB
• Changing your config File
COMMAND DESCRIPTION
AsGOS(config)# boot config AsGa-conf-2 Specify the booting configuration file name.
• Changing your System File
COMMAND DESCRIPTION
AsGOS(config)# boot systemLightBolt-
Specify the booting system file name.
28322-E1-L2-System-1.0.0-RC3.bin
Under those changes the show boot command will display the show boot command will display
the following changes:
ASGA_1#sh boot
Config File:
AsGOS Image:
System Image:
Sanity Image:
On next booting time the switch will load the new AsGOS; System and config files.
3.11 Configuring System Logs

All system actions can be logged in an internally file for future analysis. All Log files when
created and activated are first stored into RAM and must be explicitly copied to flash by the
user. Log can be sent to a standard view or a sys log server.
AsgOS(config)#log ?
file Logging to file
monitor Copy debug output to the current terminal line
stdout Logging goes to stdout
syslog Logging goes to syslog
trap Limit logging to specified level
28
AsGa LightB
3.11.1 System Log Configuration
Logging is enabled each time you specify a logging method. When logged it can send
messages to specific locations in addition to the console. Under privileged EXEC mode, use one or
more of the following commands to specify the locations that receive messages:
• Logging to a file:
COMMAND DESCRIPTION
AsGOS# configure terminal Enter in the Configure mode.
AsGOS(config)# log <file> Specify the logging file name.
Your file will be stored in RAM; if you need save it you need to type issue the following command:
COMMAND DESCRIPTION
AsGOS# write log Write your log file into permanent memory.
• Logging to a log server:
COMMAND DESCRIPTION
AsGOS(config)# log syslog <IP address> Specify the logging server IP address.
• Logging to a log monitor
COMMAND DESCRIPTION
AsGOS(config)# log monitor Specify loggining method eq monitor
3.12 Configuring your console port

You can access the onboard configuration program by attaching a VT100 compatible device to
the switch’s serial console port. Management access is controlled by the console port parameters,
including a password, timeouts, and basic communication settings.
3.12.1 Console attributes

Data Bits: Sets the number of data bits per character that are interpreted and generated by the
console port. If parity is being generated, specify 7 data bits per character. If no parity is required,
specify 8 data bits per character. (Default: 8 bits).
Parity: Defines the generation of a parity bit. Communication protocols Provided by some terminals
can require a specific parity bit setting. Specify Even, Odd, None, Mark or space. (Default: None)
Speed: Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set
the speed to match the baud rate of the device connected to the serial port. (Default: 9600 bps).
Stop Bits: Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit).
29
AsGa LightB
Session-timeout: Sets the interval that the system waits until user input is detected. If user input is
not detected within the timeout interval, the current session is terminated.
Limits: Timeout in minutes <0-35791> - Timeout in seconds <0-2147483>.
Exec-timeout: Sets the interval that the system waits until user input is detected. If user input is not
detected within the timeout interval, the current
EXEC session is terminated. Limits: Timeout in minutes <0-35791> - Timeout in seconds <0-
2147483>.
Flowcontrol: Sets the current flow control mechanism; it can be set by hardware, software or no flow
control. Direction can be in; out or both. Default No flow control.
Start-character: Sets the current start character used when software flow control mechanism is
activate ( possible ASCII values are 1-255 )
Stop-character: Sets the current stop character used when software flow control mechanism is
activate ( possible ASCII values are 1-255 )
Width: Sets the current screen column width valid values are 0-60.
Length: Sets number of lines on a screen valid values are 0-512.
Privilege level Changes privilege level for line <1-15>.
Escape-character: Changes the current escape character possible values are ASCII from 1-255.
To configure any of those parameters you must issue the following commands. The table
shows just some of those commands.
COMMAND DESCRIPTION
AsGOS(config)# line console Enter in console configuration mode.
AsGOS (config)# speed
<(115200|57600|38400|19200|9600|4800|2400) Change the console speed.
AsGOS (config)# parity (none|even|odd|space|mark) Change the console parity.
AsGOS (config)# flowcontrol (none|software
(in|out)|hardware) Change the console flow control mode.
AsGOS (config)# databits <5-8> Change the console data bits.
AsGOS (config)# exec-timeout <0-35791> (<0-2147483>|) Change the Exec time out for a session
started from console.
AsGOS (config)# session-timeout <0-35791> (<0- Change the session time out for the
2147483>|) console.
3.12.2 Enabling Telnet connections and SSH connections

In order to enable those services on your LightBolt platform you need specifically configure it. If
it is not configured those services will not be available for external connections.
Service Telnet {Enable | disable}

Service SSH {enable | Disable}
COMMAND DESCRIPTION
AsGOS(config)# service SSH enable Enable SSH service.
AsGOS(config)# service telnet enable Enable Telnet Service.
30
AsGa LightB
• Disabling Telnet or SSH services:
COMMAND DESCRIPTION
AsGOS(config)# service SSH disable Disable SSH service.
AsGOS(config)# service telnet disable Disable Telnet Service.
3.13 Configuring Remote or Local Logon Authentication

Use the Authentication commands to restrict management access based on specific user
names and passwords. You can manually configure local access rights on the switch, or you can use
a remote access authentication server based on RADIUS or TACACS+ protocols. Remote
Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System
(TACACS) are logon authentication protocols that use software running on a central server to control
access to RADIUS-aware or TACACS -aware devices on the network.
RADIUS uses UDP while TACACS usesTCP. UDP only offers best effort of packets delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password
in the access-request packet from the client to the server, while TACACS encrypts the entire body of
the packet.
3.13.1 Enabling a RADIUS Server

In order to provide remote user and password authentification you need to configure a RADIUS
server properly.
To specify a RADIUS server host, use the radius-server host command in global configuration
mode. To delete the specified RADIUS host, use the <no> statement of this command.
radius-server host HOSTNAME {key STRING | retransmit RETRIES | timeout SEC

| auth-port PORTNO}
HOSTNAME Hostname or dotted IP notation.

key <STRING> Specifies the authentication and encryption key.
Used between the switch and the RADIUS daemon running on a
RADIUS server. This key overrides the global setting of the radius-
server key. If no key string is specified, the global value is used.
retransmit < RETRIES> The number of times a RADIUS request is re-sent to a server, if that
server is not responding or responding slowly. Enter a value in the
range 1 to 100.
timeout <SEC> (Optional) The time interval (in seconds) that the switch waits for the
RADIUS server to reply before retransmitting. This setting overrides
the global value of the radius-server If no timeout value is specified,
the global value is used. Enter a value in the range 1 to 1000.SEC.
auth-port < PORTNO> Specifies the UDP destination port for authentication requests port-
number (Optional) . If unspecified, the port number sets default to
1645.
radius-server key STRING
This command specify the global key string used between the switch and the Radius Server.
Key Set default radius server key

STRING Shared secret among radius server and client.
31
AsGa LightB
3.13.2 Enabling a TACACs Server
In order to provide remote user and password authentification you need toconfigure a
TACACS server properly.
TACACS is a security application that provides centralized validation of users attempting to
gain access to a switch. In order to configure a TACACs client aply the following commands at
configuration prompt.
tacacs-server host HOSTNAME {key STRING | timeout SEC | auth-port PORTNO }
host <HOSTNAME> SET host server. Hostname or dotted IP notation.

key <STRING> SET TACACS+ server key. Key-string.
timeout <SEC> SET TACACS+ server timeout. Timeout in secs <1-1000>.
auth-port < PORTNO> SET TACACS+ server port. Port number (default 49).
3.13.3 Configuring User and Passwords

You can restrict and define management access to this switch using the following options:
• Definig Users:
Localy defined User Accounts: Manually configure access rights on the switch for specific users.
RADIUS User accounts: Configure RADIUS user accounts fore remote authentication.
• Defining control access methods.

IP Filter: Filters management access SSH or Telnet interface.
3.13.3.1 Setting localy defined users and passwords.

Your system has no default user name or password neither for user account nor for privileged
EXEC commands. In order to set locally a administrative User and Password use the following
commands:
username <name> [privilege level] {password <encryption-type> password}
name Specify the user ID as one word. Spaces and quotation marks are not allowed.
level For level, specify the privilege level the user has after gaining access. At
this software revision AsGOS 1.0.0 just level 15 is allowed.
encryption-type Enter 0 to specify that an unencrypted password follows. Enter 5 to specify

that a hidden password follows. In Order to specify an encriptes password
you must have Service encryption enable command at config global.
password Specify the password the user must enter to gain access to the switch
COMMAND DESCRIPTION
AsGOS(config)# user <user-name>
privilege <privilege> password Enter the local database, and establish a username-
<Encryption-level> <password> based authentication system.
AsGOS(config)# end Go to privilege level mode
AsGOS# copy running–config startup-
config Copy running config into startup config.
32
AsGa LightB
3.13.3.2 Setting remotly authenticated users using an external server.
In order to make login authentication in a Raduis server you need to configure the following
commands:
aaa new-model
aaa Authentication, Authorization and Accounting.

new-model Enable new access control comands and functions (disable old configurations)
This command specifies a new model for the authentification process, if not the default
authentification will be used. The default method is: locally defined users. Under this method user
names and passwords will be defined locally at the switch.
aaa authentication login (default|WORD) {local | none | group (WORD |

radius | tacacs)}
aaa Authentication, Authorization and Accounting.

authentication Authentication configurations parameters
login Set authentication lists for logins (local, ssh and telnet)
default The default authentication list.
WORD Named authentication list
local Uses the local username database for authentication
none Uses no authentication
group Uses a list of servers for authentication
WORD Group name servers list for authentication
radius RADIUS servers list for authentication
tacacs TACACS+ servers list for authentication
COMMAND DESCRIPTION
AsGOS(config)# aaa new model Enable a new model for authentification process.
Enable Radius autentification, over a Raduis Server. If
AsGOS(config)# aaa authentication
default radius the authentification process fails no other
authentification method is applied.
AsGOS(config)# aaa authentication login Enable Radius telnet autentification, over a Raduis
default group radius local Server. If the authentification process fails a local
authentificaion process is applied.
• Aplaying The authentification rule on a com port
COMMAND DESCRIPTION
AsGOS(config)# line console Enter in console config mode
AsGOS(config)# ogin authentication Define the default authentification method fa a session
default opened in a console port
AsGOS(config)# exit
Return to the privilege Exec mode
AsGOS# wr
Save configs
33
AsGa LightB
• Aplaying The authentification rule on VTY Sessions
COMMAND DESCRIPTION
AsGOS(config)# line vty 0 5 Enter in vty config mode (for all sessions from 0 to 5)
AsGOS(config)# ogin authentication Define the default authentification method fa a session
default opened on any VTY session from 0 to 5
AsGOS(config)# exit
Return to the privilege Exec mode
AsGOS# wr
Save configs
3.14 Configuring SNMP

SNMP is based on three concepts: managers, agents, and the Management Information Base
(MIB). In any configuration, at least one manager node runs SNMP management software. Network
devices to be managed, such as bridges, routers, servers and workstations, are equipped with an
agent software module. The agent is responsible for providing access to a local MIB objects that
reflects the resources and activities at its node. The agent also responds to the manager commands
to retrieve values from the MIB and to set values in the MIB. An example of an object that can be
retrieved is a counter that keeps track of the number of packets sent and received over a link. An
example of an object that can be set is one that represents the state of a link; the manager could
disable the link by setting the value of the corresponding object to the disabled state.
Such capabilities are fine for implementing a basic network-management system. To enhance
this basic functionality, a new version of SNMP was introduced in 1993 and revised in 1996. SNMPv2
added bulk transfer capability and other functional extensions. However, neither SNMPv1 nor
SNMPv2 offers security features. Specifically, SNMPv1/v2 can neither authenticate the source of a
management message nor provide encryption. Without authentication, it is possible for no authorized
users to exercise SNMP network management functions.
LightBOLT system has support for the three SNMP versions (V1, V2C, V3) In addition to this
features LightBolt Family of switches support OIDs view names according to RFC 2575.
3.14.1 Configuring SNMP V1

The following example shows a typical configuration. For more detailed configuration
parameters please refer to the alphabetic index.
COMMAND DESCRIPTION
AsGOS# snmp-server manager 192.168.1.1 traps- Set the 192.168.1.1 as the server for receiving
version 1 community ASGA traps with community name ASGA. Traps will be
send as SNMP traps version 1.
AsGOS# snmp-server community ASGA rw remote Specify the community name and de IP address
192.168.1.1 for all RW operations.
AsGOS# snmp-server contact ASGA Specify the SNMP contact name.
AsGOS# snmp-server location Rodovia RM Km 4 Specify the SNMP location name.
AsGOS# snmp-server enable trap all Enable all trap sending.
3.14.2 Configuring SNMP V3

To correct the security deficiencies of SNMPv1/v2, SNMPv3 was issued as a set of Proposed
Standards (Table 1). This set of documents does not provide a complete SNMP capability but rather
defines an overall SNMP architecture and a set of security capabilities.
34
AsGa LightB
RFC NUMBER TITLE
2571 An Architecture for Describing SNMP Management Frameworks.
2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP).
2573 SNMPv3 Applications.
2574 User-Based Security Model for SNMPv3.
2575 View-Based Access Control Model (VACM) for SNMP.
Tabela 3.1: SNMPv3 RFCs.
AsGa LightBolt series switches cover all the subjects detailed into those RFC´s. The following
example shows a typical SNMP V.3 configuration for a more detailed command description please
refer to the alphabetic SNMP commands description.
COMMAND DESCRIPTION
AsGOS (config)# snmp-server users create
Dguerri auth md5 brasil3x0 priv naargentina Create the user name.
AsGOs(config)#snmp-server users access
Dguerri ro priv Give the access type to the configured user.
AsGOS(config)# snmp-server manager Set the 192.168.1.1 as the server for receiving
192.168.1.1 traps-version 3 priv Dguerri traps with user Dguerri.
3.15 Port Configuration
3.15.1 Configuring specific basic physical port settings
3.15.1.1 Speed
To change the negotiated speed of the port use the following commands:
COMMAND DESCRIPTION
AsGOS (config)# interface Ge1 Enter in the interface configuration mode.
AsGOs(interface)#speed <auto|10|100|1000> You can modify the Speed to auto negotiation;
or 10Mbps or 100Mbps or 1000 Mbps.
3.15.1.2 Duplex
To change the negotiated mode of one interface use the following commands:
COMMAND DESCRIPTION
AsGOS (config)# interface Ge1 Enter in interface configuration mode.
AsGOs(interface)# duplex < half|full|auto> You can modify the duplex mode to full or half or
auto. In 1000Mbps there is no duplex mode.
3.15.1.3 Flow Control

Use the flow control interface configuration command to set the receive or send flow-control
value for an interface. When flow control sent on a device and it detects any congestion at its end, it
35
AsGa LightB
notifies the link partner or the remote device of the congestion by transmitting a pause frame. When
flow control receive is on for the remote device and it receives a pause frame, it stops transmitting any
data packets.
Under input police rate limit configuration flow control must be enabled in order to
realize the input rate limit condition. Flow control is negotiated per port basis; so if your
“peer” port does not have this capability you can not achieve police rate limit correctly.
To configure flow control on an interface use the following commands:
COMMAND DESCRIPTION
AsGOS (config)# interface Ge1 Enter in interface configuration mode.
You can modify the flow control mode to send
(on|off) or receive (on|off). Receive on means
AsGOs(interface)# send on receive on that the switch honor the flow control. Send on
means that the switch will send flow control
when needed.
3.16 Configuring IP addresses on Switched Virtual Interfaces

SVI´s
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing
function into the system. Only one SVI can be associated with a VLAN, but you need to configure an
SVI for a VLAN when you wish to route between VLANs or if you wish to create a management
interface.
By default, an SVI “interface VLAN1.1” (VLAN 1) is created to permit remote switch
administration. VLAN number one is the default system VLAN and has associated its interface
VLAN1.1.
Into the SVI representation the first number has an internal meaning and the second one
corresponds to the VLAN tag associated with data frames on 802.1Q encapsulated trunk or the VLAN
ID configured for an access port. The last is true for all SVI´s.
All SVI´s are automatically created when a VLAN ID is added in the VLAN database. SVI´s
provide IP host connectivity; you can configure routing across multiple SVI´s. All those IP SVI´s
addresses appear as directly connected IP address into the global L3 routing Table.
Creating SVIs interfaces:
COMMAND DESCRIPTION
AsGOS(config)# VLAN database Enter in the VLAN database mode.
AsGOS (VLAN)# VLAN 200 Create the VLAN 200.
AsGOS (VLAN)# exit Return.
AsGOS(config)# interface vlan1.200 Enter in the SVI interface configuration mode.
AsGOS (config_if)# ip address 20.20.20.20/24 Assign an IP address.
AsGOS (config_if)# end Exit configuration mode.
AsGOS#
Displaying the global IP routing table:
AsgOS#show ip route
Codes: C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
* - candidate default
36
AsGa LightB
C 20.20.20.0/24 is directly connected, vlan1.200
Now any port (trunk or access) associated to VLAN 200 has direct L3 access to this virtual
switched interface VLAN1.200. Any default gateway can be configured using commands to add static
routes to the routing table in order to reach those networks.
To add Routes use the following commands:
COMMAND DESCRIPTION
AsgOS(config)#ip route 192.168.1.0/24 10.10.10.1 Configuring a static route.
AsGOS(config)# end
More about Static Routing creation and inter VLAN Routing will be deployed on “Routing
Section”.
3.17 MAC Address Table

LightBolt switches have different MAC address tables capabilities according to the platform
acquired:
• LightBolt 28504 has a total MAC address capacity of 16.384 MACs.

• LightBolt 28304 has a total MAC address capacity of 8.192 MACs.
MAC address learning process is an automatic hardware base process, all learned address are
subject to the aging process; this process ensure that after 300 seconds of no hearing a particular
source MAC this will be deleted from the table.
All lookup process into the LightBolt platform is done by hardware. This feature allows wire line
rates for all packet sizes and conditions. For switching decisions the MAC-SA, VID is used to search
the L2 table. When a match is found the packet is forwarded to the specific port indicated into the
same table. When the address is not found the packet generates a Destination Lookup Failure (DLF)
signal and it is flooded to all port member of that VLAN.
3.17.1 Displaying MAC address tables

Command used to show the mac address table has the following semantics.
show mac-address-table(dynamic | static | interfaceIFNAME | vlan <1-4094>|)
You must specify which Static; Dynamic; interface; or vlan portion of the table, in order to
display the entries associated with it.
Take as an example the following displays
LightBolt#show mac-address-table
VLAN address type interface Hit

200 0000.C003.0102 Dynamic ge4 Yes
All 0036.0A4B.0002 Static L3 CPU No
200 0000.0101.0202 Static ge1 No
200 0000.C001.0102 Dynamic ge2 Yes
Total address matching this criteria: 4
LightBolt#show mac-address-table interface ge2
37
AsGa LightB
200 0000.C001.0102 Dynamic ge2 Yes
LightBolt#show mac-address-table vlan 200

200 0000.C003.0102 Dynamic ge4 Yes
200 0000.0101.0202 Static ge1 No
200 0000.C001.0102 Dynamic ge2 Yes
The hit bit column shows if the MAC address (Source or Destination) has being hide during the
last aging period.
3.17.2 Setting the aging time

Use the mac address-table aging-time global configuration command to set the length of time
that a dynamic entry remains in the MAC address table after the entry is used or updated. Use the
<no> statement of this command to return to the default setting. The aging time applies to all VLANs.
The default value for this time is 300 seconds. To modify the aging time issue the following command:
COMMAND DESCRIPTION
AsGOS# configure terminal Enter the Configure mode
AsGOS (config)# mac-address-table aging-time Configure the Aging time in seconds. It is
200 applied to all VLANs/MACs in the table.
3.17.3 Setting a Static MAC address

Making a MAC entry static means that this address has no aging process associated with it.
This MAC address will persist all the time into the MAC address table. Static MAC address must be
associated with a VLAN and Port pairs
COMMAND DESCRIPTION
AsGOS(config)# mac-address-table static Configure the static entry MAC address
0000.0101.0202 vlan 122 interface ge2 associated with a VLAN and Port.
3.18 Access List

Typically, when you think in an access-list you think about permitting or denying certain type
of traffic to ingress or egress from your system. You can think this type of process as protecting your
network from certain traffic types. But this is not the only use for access-list; access-lists have many
other purposes. For example with access-lists, you can mark traffic from a specific source and/or
destination addresses and prioritize that traffic over other traffic. With access-lists, you can allow or
disallow certain routes to be added in your routing, etc.
3.18.1 Access-Lists Categories

There are two main categories of access-lists, Standard and Extended. What do we mean
by standard or extended type of access-list? Standard and Extended access-lists allow different type
of control.
38
AsGa LightB
Standard Access-Lists x Extended Access-Lists
Standard Access-List: With standard access-lists you can check just the source IP address of the
packet, meaning, you can check to see if the source address happens to be a specific IP address (or
IP subnet), then you can permit or deny that packet.
Extended Access-List: With extended access-list, there are many things that can be checked.
Besides source L3 addresses, you can check for destination L3 addresses, source/destination port
number, or source/destination protocol number just for mention some examples.
Named Access-Lists
Standard Access Lists are in the range from 1- 99. Extended access-lists are in the range from
100-199. That would mean that you can only have 99 standard access-lists or 100 extended access-
lists on any given equipment. If you really wanted more than 99 standard access-lists or more than
100 extended access-list, you can use Named access-list.
With named access-list, you can classify it to be standard or extended, and then you will follow
the same rules (meaning standard named access-list can check for source address only and
extended named access-list can check for all those other things mentioned earlier). In order to argue
the number of standard and extended access list we provide an expanded range for each. The
expanded range for standard access-list is 1300-1999 and for extended it is 2000-2699.
3.18.2 Wildcard Mask

With both standard and extended access-lists you could use something called wildcard mask.
Let us understand the wildcard mask first, before we go into the details of the implementations of
standard or extended access-list. The wild card mask functions in reverse manner to a subnet mask.
Many times they are named “inverse mask”.
A wildcard mask is used to mark-specific bit patterns in an address. Since we are now talking
about bits (i.e., binary), then we need to know that there are two possibilities - 0 and 1. The binary 0 is
used to represent a match and a binary 1 is used to represent a "don't care" condition. So,
0 means must match!!

1 means don't care!!!
The Table shows an example of wildcard or inverse mask use:
IP Address 172 16 32 0
Binary format 10101100 00010000 00100000 00000000
Network Mask 11111111 11111111 11100000 00000000
Wildcard 00000000 00000000 00011111 11111111

Take only
Take all bits Take all bits the first 3
Result as match as match bits as Dont care
creteria criteria matching
criteria
39
AsGa LightB
3.18.3 Configuring IP standard Access List
COMMAND DESCRIPTION
AsGOS (config)# access-list Define a standard IP access list by using a source
<standard access-list-number> (deny address and wildcard.
| permit) source = <IP Address> The access-list-number is a decimal number from 1 to
<source-wildcard>
99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or
permit access if conditions are matched.
The source is the source address of the network or
host from which the packet is being sent specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any as an abbreviation for
source and source-wildcard
of 0.0.0.0 255.255.255.255. You do not need
to enter a source-wildcard.
• The keyword host as an abbreviation for
source and source-wildcard of source 0.0.0.0.
Use the no access-list access-list-number global configuration command to delete the entire ACL.
3.18.4 Configuring IP extended Acees List
COMMAND DESCRIPTION
AsGOS(config)#access-list Define a extended IP access
<extended access-list-number> The access-list-number is a decimal number from 100-to
(deny|permit|remark) 199 or 2000 to 2699.
protocol <Portocol ID> Enter deny or permit to specify whether to deny or permit
(A.B.C.D A.B.C.D|any|host access if conditions are matched.
Enter remark to indicate an access list entry comment
A.B.C.D) (A.B.C.D
The protocol indicate a valid protocol ID specified as a single
A.B.C.D|any|host A.B.C.D)
number o a character set:
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
A.B.C.D: Source address A.B.C.D Source wildcard bits.
Any: Specify Any source host.
host : Specify A single source host A.B.C.D Source address
A.B.C.D Destination address A.B.C.D Destination wildcard
bits.
any: Specify any destination host.
host : Specify a single destination host A.B.C.D Destination
address.
40
AsGa LightB
Extended ACLs specifying the source and Destination ports for TCP/UDP sessions.
COMMAND DESCRIPTION
AsGOS(config)# access-list<extended Define a extended IP access number
access-list-number>
(deny|permit|remark) (tcp|udp) Deny: Specify packets to reject
(A.B.C.D A.B.C.D | any | host permit: Specify packets to forward
A.B.C.D)
Remark: Access list entry comment
(A.B.C.D A.B.C.D |any | host
A.B.C.D) tcp:Transmission Control Protocol
Src (eq|gt|lt|neq) PORT dst udp: User Datagram Protocol
(eq|gt|lt|neq) PORT A.B.C.D: Source address
A.B.C.D: Source wildcard bits
any: Any source host
host: A single source host
A.B.C.D: Source address
A.B.C.D: Destination address
A.B.C.D: Destination wildcard bits
Any: Any destination host
host: A single destination host
A.B.C.D: Destination address
Src: Source (TCP/UDP) port
eq: Equal
gt: Greater than
lt: Less than
neq: Not equal
PORT: Port number <0-65535>
dst: Destination (TCP/UDP) port
eq: Equal
gt: Greater than
lt: Less than
neq: Not equal
PORT: Port number <0-65535>
For a complete syntax of access list please refer the alphabetic session.
3.18.5 Istaling IP based Access List

In order to control access to an interface, use the ip access-group command in interface
configuration mode. To remove the specified access group, use the <no> statement of this command.
COMMAND DESCRIPTION
AsGOS# configure terminal Enter in the Configuration mode
AsGOS (config)# interface <IF- Enter into Interface configuration mode.enter a Valid
NAME> Interface ID.
AsGOS(config-if)# ip access- Ip Interface Internet Protocol config commands
group <ACL-Number> (in|out) access-group Specify access control for packets
ACL-number IP access list number (Standard or
Extended)
in This ACL is intaled for inbound packets
Out This ACL is installed for outbound packets
Note: In AsGOS ACLs can be installed on an inoterface as in; out or both.
41
AsGa LightB
3.18.6 Configuring MAC Bases Access List
COMMAND DESCRIPTION
AsGOS (config)# access-list deny Specify packets to reject
<MAC-ACeess-List Number> permit Specify packets to permit
(deny|permit) <MAC ; MAC-MASK | MAC Source host's MAC address in
any > <MAC; MAC-MASK | any;> HHHH.HHHH.HHHH format
any Source any
MASK Source mask in HHHH.HHHH.HHHH format
MAC Destination host's MAC address in
HHHH.HHHH.HHHH formatce
any Destination any
MASK Destintion mask in HHHH.HHHH.HHHH format
3.18.7 Istaling MAC based Access List
COMMAND DESCRIPTION
AsGOS# configure terminal Enter in the Configure mode
AsGOS (config)# interface <IF- Enter into Interface configuration mode.enter a Valid
NAME> Interface ID.
AsGOS(config-if)# mac access- Mac config commands
group <ACL-Number> (in) access-group Specify access control for packets
ACL-number IP access list number (Standard or
Extended)
in This ACL is instaled for inbound packets
Note: MAC access Lis can not be instales as OUT into a Interface context.
3.18.8 Aplaying multiple entries to an ACL

Access list can be generated with multiple entries. Assuming the following rules:
access-list 100 deny ip any any

access-list 100 permit ip any host 10.10.10.10
In this case; the last statement has the bigger priority. All paquets with destination IP address
that match with 10.10.10.10 will be switched.
access-list deny ip host 10.10.10.10 any

access-list deny tcp any any dst eq 80
access-list permit ip any host 20.20.20.20
In this case a packet with src-ip 10.10.10.10 dst-ip 20.20.20.20 tcp port 80 will be not bloqued,
because all statement have a “match” for this packet but the last one permit it, the entrie with big
priority.
3.19 Denial of service attack prevention (DoS Prevention)

LightBolt family of switches have a hardware base built in mechanisms in order to detect and
refuse some of the most common DoS attacks. The following lines can be used to little understanding
some of the most common attacks and explain the settings to prevent those attacks.
Denial of service definition: It is an attempt to make a computer resource unavailable to its
intended users.
42
AsGa LightB
3.19.1 IP packet with invalid “First-fragment”
A type of attack involving fragments is known as the “tiny fragment attack”. Two TCP fragments
are created. The first fragment is so small that it does not even include the full TCP header,
particularly the destination port number. The second fragment contains the reminder of the TCP
header, including the port number. Some firewalls and intrusion detection systems may let one or
both fragments pass through, particularly if they do not perform packet reassembly. Under this setting
if the first fragment of the packet does not have a full TCP header length the packet will be dropped.
COMMAND DESCRIPTION
AsGOS(config)# denial-of-service Enter into Dos mode configuration
AsGOS(config-dos)# first-fragment-ip-packets
Enable the first fragment DoS Checking.
enable
All packets detected under those conditions will be discarded.
3.19.2 Fragmented ICMP packets- icmp-attack-check

This type of attack sends the victim's computer series of highly fragmented, oversized ICMP
data packets over the connection. The computer receiving the data packets locks when it tries to put
the fragments together.
If the TCP/IP stack was not built properly, when it tries to keep track and put together several
packets, the result is a memory overflow, which in turn causes the machine to stop responding.
Usually, the attacker only needs to send few packets, locking the victim's computer instantaneously.
When the victim restarts the computer, the connection with the attacker is lost and the attacker
remains anonymous.
Under this setting the system will check for highly ICMP fragmented packet and ICMP Ping
Packets with payloads mayors than those specified by “minimun-icmp-packet-over-size”. Default
value 256.
COMMAND DESCRIPTION
AsGOS(config)# denial-of-service Enter into Dos mode configuration.
AsGOS(config-dos)# icmp-attack-check enable Enable ICMP DoS attack checking.
AsGOS(config-dos)# minimun-icmp-packet-over- Modify the minimum packet oversize ICMP
size 512 packet size.
AsGOS(config-dos)# end
3.19.3 TCP fragment attack

The attack consists of requesting a TCP connection fragmented into two IP packets. The first IP
packet of 68 bytes only holds the 8 first bytes of the TCP header (source and destination ports and
sequence number). The data in the second IP packet then holds the TCP connection request (SYN
flag is 1 and ACK flag is 0).
However, IP filters apply the same rule to all the fragments in a packet. The filter of the first
fragment (Fragment Offset = 0) defines the rule, accordingly it applies to the other fragments
(Fragment Offset = 1) without any other type of control. So, when defragmenting at IP level on the
target machine, the connection request packet is rebuilt and passed to the TCP layer. The connection
is established despite the IP filter in between which should have prevented it.
Under this setting the system will check for highly TCP fragmented packet and with payloads minors
than those specified by “minimun-tcp-header-allowed”. Default value 20.
43
AsGa LightB
COMMAND DESCRIPTION
AsGOS(config-dos)# tcp-fragment-attack enable Enable TCP fragment protection.
AsGOS(config-dos)# minimun-tcp-header-allowed 20 Modify the minimum TCP header allowed.
3.19.4 Source IP equal to destination IP attack

This type of attack named LAND attack involves IP packets where the source and destination
address are set to address the same device. The attack involves sending a spoofed TCP SYN packet
(connection initiation) with the target host's IP address and an open port as both source and
destination. The reason a LAND attack works is because it causes the machine to reply to itself
continuously.
UDP/TCP packets where destination ports is the same as source ports are also
considered land type attacks.
Under this setting the system will check for SIP equal to DIP and UDP and TCP source and
destination equals ports.
COMMAND DESCRIPTION
AsGOS(config-dos)# sip-dip-protection enable SAIP = DAIP checking.
AsGOS(config-dos)# tcp-udp-sp-equal-dp enable Source and Destination TCP/UDP checking.
3.19.5 Check on invalid TCP flags

TCP is an abbreviation for the Transmission Control Protocol, defined in RFC 793 which was
released in September of 1981. TCP is a connection oriented protocol that can reliably get information
from one host to another across a network. By reliable, we mean that TCP guarantees that all data
will arrive uncorrupted at the remote host, automatically detecting dropped or corrupted packets and
resending them as needed.
Every TCP packet includes a header, which is defined by the RFC as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
44
AsGa LightB
Programs utilize TCP by passing it buffers of data. TCP breaks this data into packages known
as segments, and then uses IP to further package these segments into datagrams. Finally, the
datagrams are embedded into a network packet which can be routed across a network.
When the packet arrives at its destination, the IP stack on the remote host extracts the
datagram from the packet, then the segment from the datagram. The segment is then passed up to
the TCP stack, where it can be validated. Ultimately the TCP stack can reassemble all the segments
into the complete buffer which is then passed to the application. TCP provides two way
communication, so this same process occurs in both directions.
Inside of the packet there are some bits related with control structures. Particularly there are six
'control bits' defined in TCP, one or more of which is defined in each packet. The control bits are
'SYN', 'ACK', 'PSH', 'URG', 'RST', and 'FIN'. TCP uses these bits to define the purpose and contents
of a packet. We will briefly define them.
• URG means out of band data. For example in the telnet session if you press ctr-c tcp stack will
send a packet, which has this flag set.
• SYN bit has meaning only when establishing connection e.g. in the handshaking procedure.
Both sides of the connection need to send this special packet with SYN flag on.
• When the ACK flag is on the Acknowledgement field in the tcp packet contains the number of
the next acknowledgeable tcp packet with this sequence number. This bit is on almost in every
packet. ACK flag tells to the target machine that the sending machine has approved all
packets with sequence number below the Ack number in the packet.
• If the reset flag (RST) is on then the connection is destroyed and all data structures in memory
for the connection must be freed.
• With interactive connections PSH (push) flag is used to gain rapid and smooth interaction. The
packet is not queued but rather sent as soon as possible. Interactive programs should thus
use this flag.
• FIN flag tells to the target machine that it should not take anymore data packets from the
sending machine. E.g. the sending machine tells that it wount send anymore packets but can
still receive packets by himself.
AsGa LightBolt Switches have a hardware based built in mechanism to detect malicious control
flag bit combinations. The detected combinations are:
• TCP SYN FLAG = 1 and Source Port < 1024.

• TCP Control Flags =0 and sequence number 0.
• TCP FIN, PUSH, URG bit set and sequence =0.
• TCP SYN, FIN sets.
Under this setting the system will check for those malicious combinations.
COMMAND DESCRIPTION
AsGOS(config)#denial-of-service Enter into Dos mode configuration.
AsGOS(config-dos)#tcp-on-invalid-flags enable Enable the TCP invalid Flag checking.
3.20 Spanning Tree Protocols.
3.20.1 Common Spanning Tree Protocol Commands

All commands in this chapter can be used in the Spanning Tree Protocol (STP), Rapid
Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) daemons.
45
AsGa LightB
3.20.1.1 bridge forward-time
Use this command to set the time (in seconds) after which (if this bridge is the root bridge) each
port changes states to learning and forwarding. This value is used by all instances. To restore the
default value of 15 seconds, use the <no> statement with this command.
Command Syntax
bridge forward-time FORWARD_DELAY

no bridge forward-time
FORWARD_DELAY = <4-30> the forwarding time delay in seconds.
Command Mode
Configure mode
Default
The default value is 15 seconds.
Usage
The allowable range for forward-time is 4-30 seconds. Care should be exercised if the value is to be
made below 7 seconds.
Examples
AsGOS# configure terminal

AsGOS(config)# bridge forward-time 6
Related Commands
bridge protocol ieee
3.20.1.2 bridge hello-time

Use this command to set the hello-time, the time in seconds after which (if this bridge is the root
bridge) all the bridges in a bridged LAN exchange Bridge Protocol Data Units (BPDUs). A very low
value of this parameter leads to excessive traffic on the network, while a higher value delays the
detection of topology change. This value is used by all instances. To restore the default value of the
hello time, use the <no> parameter.
Command Syntax
bridge hello-time HELLOTIME

no bridge hello-time
HELLOTIME = <1-10> The hello BPDU interval in seconds.
Default
Default value is 2 seconds.
46
AsGa LightB
Command Mode
Configure mode
Usage
Configure the bridge instance NAME before using this command. The allowable range of values is 1-
10 seconds. However, make sure that the value of hello time is always greater than the value of hold
time (1 second by default).
Examples

AsGOS(config)# bridge hello-time 3
3.20.1.3 bridge max-age

Use this command to set the max-age for a bridge. This value is used by all instances. Use the
<no> statement with this command to restore the default value of max-age.
Command Syntax
bridge max-age MAXAGE

no bridge max-age
MAXAGE = <6-40> The maximum time, in seconds, to listen for the root
bridge.
Command Mode
Configure mode
Default
The default value of bridge max-age is 20 seconds.
Usage
Max-age is the maximum time in seconds for which (if a bridge is the root bridge) a message is
considered valid. This prevents the frames from looping indefinitely.
The value of max-age should be greater than twice the value of hello time plus one, but less than
twice the value of forward delay minus one. The allowable range for max-age is 6-40 seconds.
Configure this value sufficiently high, so that a frame generated by root can be propagated to the lead
nodes without exceeding the max-age.
Examples

AsGOS(config)# bridge max-age 12
3.20.1.4 bridge priority

Use this command to set bridge priority for the common instance. Using a lower priority
indicates a greater likelihood of the bridge becoming root.
47
AsGa LightB
Command Syntax
bridge priority PRIORITY

PRIORITY = <0-61440> The bridge priority.
Command Mode
Configure mode
Default
The default priority is 32678 (or hex 0x8000).
Usage
This command must be used to set the priority of the bridge. The priority values can be set only in
increments of 4094.
Examples

AsGOS(config)# bridge priority 200
3.20.1.5 bridge spanning-tree errdisable-timeout enable

Use this command to enable the errdisable-timeout facility, which sets a timeout for ports that
are disabled due to the BPDU guard feature.
Command Syntax
bridge spanning-tree errdisable-timeout enable
Default
By default, the port is enabled after 300 seconds.
Command Mode
Configure mode
Usage
The BPDU guard feature shuts down the port on receiving a BPDU on a BPDU-guard enabled port.
This command associates a timer with the feature such that the port gets enabled back without
manual intervention after a set interval.
This interval can be configured by the user using the bridge spanning-tree errdisable-
timeout interval command.
Example

AsGOS(config)# bridge spanning-tree errdisable-timeout enable
48
AsGa LightB
3.20.1.6 bridge spanning-tree errdisable-timeout interval
Use this command to specify the time interval after which a port is brought back up.
Command Syntax
bridge spanning-tree errdisable-timeout interval <10-1000000>

<10-1000000> Specify the errdisable-timeout interval in seconds.
Default
By default, the port is enabled after 300 seconds.
Command Mode
Configure mode
Example

AsGOS(config)# bridge 4 spanning-tree errdisable-timeout interval 34
3.20.1.7 bridge spanning-tree portfast bpdu-filter

Use this command to set portfast BPDU filter for the bridge. All ports that have their BPDU filter
set to default take the same value of bpdu-filter as that of bridge. Use the <no> statement with this
command to disabled the BPDU filter for the bridge.
Command Syntax
(no) bridge spanning-tree portfast bpdu-filter
Command Mode
Configure mode
Usage
The Spanning Tree Protocol sends BPDUs from all ports. Enabling the BPDU Filter feature ensures
that PortFastenabled ports do not transmit or receive any BPDUs. Use the show spanning tree
command to display administratively configured and currently running values of the bpdu-filter
parameter for bridge and port.
Example

AsGOS(config)# bridge spanning-tree portfast bpdu-filter
Related Commands
spanning-tree portfast bpdu-filter
49
AsGa LightB
3.20.1.8 bridge spanning-tree portfast bpdu-guard
Use this command to enable the BPDU (Bridge Protocol Data Unit) Guard feature on a bridge. Use
the <no> statement with this command to disable the BPDU Guard feature on a bridge.
Command Syntax
(no) bridge spanning-tree portfast bpdu-guard
Command Mode
Configure mode
Usage
When the BPDU Guard feature is set for a bridge, all portfast-enabled ports of the bridge that have
bpdu-guard set to default shut down the port on receiving a BPDU. In this case, the BPDU is not
processed. You can either bring the port back up manually by using the no shutdown command, or
configure the errdisable-timeout feature to enable the port after the specified time interval.
Use the <show spanning-tree> command to display the bridge and port configurations for the
BPDU Guard feature. It shows both the administratively configured and currently running values of
bpdu-guard.
Example

AsGOS(config)# bridge spanning-tree portfast bpdu-guard
Related Commands
spanning-tree portfast bpdu-guard, show spanning-tree
3.20.1.9 bridge-group path-cost

Use this command to set the cost of a path associated with a bridge-group. The lower the path
cost, the greater the likelihood of the bridge becoming root.
Command Syntax
bridge-group path-cost PATHCOST

no bridge-group path-cost
PATHCOST = <1-200000000> The cost to be assigned to the group.
Default
The default bridge-group path cost is 0.
Command Mode
Interface mode
50
AsGa LightB
Examples

AsGOS(config)# interface eth1
AsGOS(config-if)# bridge-group path-cost 123
3.20.1.10 bridge-group priority

Use this command to set the port priority for a bridge. The lower priority indicates a greater
likelihood of the bridge becoming root.
Command Syntax
bridge-group priority PRIORITY

PRIORITY = <0-240> The priority to be assigned to the group.
Default
The default priority is 1.
Command Mode
Interface mode.
Examples

AsGOS(config-if)# bridge-group 4 priority 100
3.20.1.11 spanning-tree guard root

Use this command to enable the Root Guard feature for the port. The root guard feature
disables reception of superior BPDUs. Use the <no> statement with this command to disable the root
guard feature for the port.
Command Syntax
(no)spanning-tree guard root
Command Mode
Interface mode
Usage
The Root Guard feature makes sure that the port on which it is enabled is a designated port. If the
Root Guard enabled port receives a superior BPDU, it goes to a Listening state (for STP) or
discarding state (for RSTP and MSTP).
Example

AsGOS(config)# interface ge0
51
AsGa LightB
AsGOS(config-if)# spanning-tree guard root
3.20.2 STP Commands

This chapter lists the commands that are exclusive to the Spanning Tree Protocol (STP). For
other commands useful in the Spanning Tree Protocol, see the Common Spanning Tree Protocol
Commands chapter.
3.20.2.1 bridge shutdown

Use the <bridge shutdown> command to disable a bridge, and <no bridge shutdown> to reset
the bridge.
Command Syntax
bridge shutdown
no bridge shutdown
Command Mode
Configure mode
Usage
Make sure to use the <bridge instance NAME> command before using this command.
Examples

AsGOS(config)# bridge shutdown 4
Related Commands
bridge instance
3.20.2.2 bridge spanning-tree enable

Use this command to enable the Spanning Tree Protocol on a bridge. Use the <no> statement
to disable the Spanning Tree Protocol on the bridge.
Command Syntax
(no) bridge spanning-tree enable
Command Mode
Configure mode
Default
There is no default value.
52
AsGa LightB
Example

AsGOS(config)# bridge 2 spanning-tree enable
3.20.2.3 debug stp

Use this command to turn on, and turn off, debugging and echoing data to the console, at
various levels. Use the <no> statement with this command to turn off debugging.
Command Syntax
debug stp (all|cli|event|PACKET|protocol|timer)

all echoes all STP debugging levels to the console.
cli echoes STP commands to the console.
event echoes events to console.
PACKET = packet rx|tx echoes STP packets to the console.
rx received packets.
tx transmitted packets.
protocol echoes protocol changes to the console.
timer echoes timer start to the console.
Command Mode
Configure mode
Examples

AsGOS(config)# debug stp all
AsGOS(config)# debug stp cli
AsGOS(config)# debug stp packet rx
AsGOS(config)# debug stp protocol detail
AsGOS(config)# debug stp timer
3.20.2.4 show spanning-tree

This command shows the state of the spanning tree for all named bridge groups. To modify the
lines displayed, use the | (output modifier token); to save the output to a file, use the > (output
redirection token). For more information, see AsGOS Command Line Interface Environment.
Command Syntax
show spanning-tree
Command Mode
Privileged Exec, Configure and Interface modes.
Examples
AsGOS# show spanning-tree
53
AsGa LightB
Usage
The following is an output of this command displaying the spanning tree.

% a: spanning tree enabled - learning enabled
% a: ageing-time 300 - root path cost 0 - priority 40
% a: forward-time 15 - hello-time 2 - max-age 20 - root port 0
% a: root id 0000000475e650cf
% a: bridge id 0000000475e650cf
% a: hello timer 0 - tcn timer 0 - topo change timer 0
% a: 1 topology changes - last topology change Tue Dec 16 23:05:33 2003
% eth3: port 5 - id 8005 - path cost 20000000 - designated cost 0
% eth3: designated port id 8005 - state Forwarding - priority 128
% eth3: designated root 0000000475e650cf
% eth3: designated bridge 0000000475e650cf
% eth3: forward-timer 0 - hold-timer 0 - msg age timer 0
% eth3: forward-transitions 2
3.20.3 RSTP Commands

This chapter lists the commands that are exclusive to the Rapid Spanning Tree Protocol. For
other commands useful in the RSTP, see the Common Spanning Tree Protocol Commands chapter.
3.20.3.1 bridge rapid-spanning-tree enable

Use this command to enable the Rapid Spanning Tree Protocol on a bridge. Use the <no>
statement to disable the Rapid Spanning Tree Protocol on the bridge.
Command Syntax
<no> bridge rapid-spanning-tree enable

Bridge-group ID used for bridging.
Command Mode
Configure mode
Default
Examples

AsGOS(config)# bridge rapid-spanning-tree enable
54
AsGa LightB
3.20.3.2 bridge shutdown
Use this command to reset a bridge. Use the <bridge shutdown> command to disable a
bridge, and <no bridge shutdown> to return the bridge to operation.
Command Syntax
bridge shutdown
no bridge shutdown
Bridge-group ID used for bridging.
Command Mode
Configure mode
Usage
The bridge instance NAME must exist prior to using this command.
Examples

AsGOS(config)# bridge shutdown
3.20.3.3 clear spanning-tree detected protocols

Use this command to clear the detected protocols for a specific bridge or interface.
Command Syntax
clear spanning-tree detected protocols [bridge]|[interface IFNAME]

IFNAME Specify the name of the interface on which protocols have to be
cleared.
Command Mode
Privileged Exec mode
Example
AsGOS# clear spanning-tree detected protocols bridge
3.20.3.4 debug rstp

various levels. Use the no parameter with this command to turn off debugging.
Command Syntax
debug rstp (all|cli|PACKET|PROTOCOL|TIMER)

all echoes all RSTP debugging levels to the console.
cli echoes RSTP commands to the console.
PACKET = packet rx|tx echoes RSTP packets to the console.
55
AsGa LightB
PROTOCOL = protocol (detail) echoes protocol changes to the console.
TIMER = timer (detail) echoes timer start to the console.
detail displays detailed output.
Command Mode
Configure mode
Examples

AsGOS(config)# debug rstp all
AsGOS(config)# debug rstp cli
AsGOS(config)# debug rstp packet rx
AsGOS(config)# debug rstp protocol detail
AsGOS(config)# debug rstp timer
3.20.3.5 show spanning-tree

This command shows the state of the spanning tree for all named bridge-groups. To modify the
lines displayed, use the | (output modifier token); to save the output to a file, use the > (output
redirection token).
Command Syntax
show spanning-tree
Command Mode
Privileged Exec, Configure and Interface modes.
Examples
Usage
The following is an output of this command displaying the state of the spanning tree.

% a: spanning tree enabled - learning enabled
% a: ageing-time 300 - root path cost 0 - priority 40
% a: forward-time 15 - hello-time 2 - max-age 20 - root port 0
% a: root id 0000000475e650cf
% a: bridge id 0000000475e650cf
% a: hello timer 0 - tcn timer 0 - topo change timer 0
% a: 1 topology changes - last topology change Tue Dec 16 23:05:33 2003
56
AsGa LightB
3.20.3.6 spanning-tree force-version

Use this command to specify the version. A version identifier of less than a value of 2 enforces
the spanning tree protocol. Although the command supports an input range of 0-3, for RSTP, the valid
range is 0-2. Use the no parameter with this command to set the default protocol version.
Command Syntax
(no) spanning-tree force-version VERSION

VERSION <0-3> Version identifier. (0 - STP, 1- Not supported, 2 - RSTP, 3 - MSTP)
Command Mode
Interface mode
Examples
Set the value to enforce the spanning tree protocol:

AsGOS(config-if)# spanning-tree force-version 1
Set the default protocol version:

AsGOS(config-if)# no spanning-tree force-version
3.20.3.7 spanning-tree link-type

Use this command to enable or disable point-to-point or shared link types. Use the <no>
statement with this command to disable rapid transition.
Command Syntax
(no) spanning-tree link-type point-to-point

(no) spanning-tree link-type shared
shared: Disable rapid transition.

point-to-point: Enable rapid transition.
Command Mode
Interface mode
Usage
RSTP has a backward-compatible STP mode, spanning-tree link-type shared. An

alternative is the spanning-tree force-version 0.
57
AsGa LightB
Examples

AsGOS(config-if)# spanning-tree link-type point-to-point
3.20.4 MSTP Commands

This chapter lists the commands that are exclusive to the Multiple Spanning Tree Protocol
(MSTP). For other commands useful in the MSTP, see the Common Spanning Tree Protocol
Commands chapter.
3.20.4.1 bridge cisco-interoperability

Use this command to enable/disable Cisco interoperability for MSTP.
Command Syntax
bridge cisco-interoperability (enable | disable)

enable: Enable Cisco interoperability for MSTP bridge.
Disable: Disable Cisco interoperability for MSTP bridge
Default
If this command is not used, Cisco interoperability is disabled.
Command Mode
Configure mode
Usage
If Cisco interoperability is required, all AsGOS boxes in the switched LAN must be Cisco-
interoperability enabled. When AsGOS is interoperating with Cisco, the only criteria used to classify a
region are the region name and revision level.VLAN to instance mapping is not used to classify
regions when interoperating with Cisco.
Examples
To enable Cisco interoperability on a Layer-2 switch for a particular bridge (bridge 2 in this example):

AsGOS(config)# bridge cisco-interoperability enable
To disable Cisco interoperability on a Layer-2 switch for a particular bridge:

AsGOS(config)# bridge cisco-interoperability disable
3.20.4.2 bridge instance priority

Set the bridge priority for an MST instance to the value specified. To restore the default value of
the bridge priority, use the <no> statement with this command.
58
AsGa LightB
Command Syntax
bridge <1-32> instance INSTANCE_ID priority BRIDGE_PRIORITY

no bridge <1-32> instance INSTANCE_ID priority
<1-32> Specify the bridge-group ID.

INSTANCE_ID Specify the instance ID.
BRIDGE_PRIORITY <0-61440> Specify the bridge priority (a lower priority indicates a greater
likelihood of the bridge becoming root).
Command Mode
Configure mode.
Default
The default value of the priority for each instance is 32768.
Usage
The lower the priority of the bridge, the better the chances are of the bridge becoming a root bridge or
a designated bridge for the LAN. The permitted range of values is 0-61440. The priority values can be
set only in increments of 4094.
Examples

AsGOS(config)# bridge 4 instance 3 priority 3
3.20.4.3 bridge instance vlan

Use this command to create an instance of a VLAN. This command can be used only after the
VLAN is defined.
Command Syntax
bridge <1-32> instance INSTANCE_ID vlan VLAN_ID

no bridge <1-32> vlan VLAN_ID

INSTANCE_ID Specify the instance ID.
VLAN_ID <1-4094> Specify a VLAN ID to be associated to the instance.
Command Mode
MST Configuration Mode
Usage
The permitted range of instances is 0-15. Instance 0 refers to the internal spanning tree. The VLANs
must be created before being associated with an MST instance (MSTI). If the VLAN range is not
specified, the MSTI will not be created.
Example
59
AsGa LightB
AsGOS(config)# bridge 2 protocol mstp
AsGOS(config)# spanning-tree mst configuration
AsGOS(config-mst) bridge 2 instance 2 vlan 30
3.20.4.4 bridge max-hops

Use this command to specify the maximum allowed hops for a BPDU in an MST region. This
parameter is used by all the instances of the MST. To restore the default value, use the no parameter
with this command.
Command Syntax
bridge <1-32> max-hops HOP_COUNT

no bridge <1-32> max-hops

HOP_COUNT Maximum hops the BPDU will be valid for.
Command Mode
Configure Mode
Default
The default max-hops in a MST region are 20.
Usage
Specifying the max hops for a BPDU prevents the messages from looping indefinitely in the network.
When a bridge receives a MST BPDU that has exceeded the allowed max-hops, it discards the
BPDU.
Examples

AsGOS(config)# bridge 3 max-hops 25
3.20.4.5 bridge multiple-spanning-tree enable

Use this command to enable the Multiple Spanning Tree Protocol on a bridge. Use the <no>
statement to disable the command.
Command Syntax
(no) bridge <1-32> multiple-spanning-tree enable

Command Mode
Configure mode
Default
60
AsGa LightB
Example

AsGOS(config)# bridge 2 multiple spanning-tree enable
3.20.4.6 bridge region

Use this command to create an MST region, and specify a name to it. MST bridges of a region
form different spanning trees for different VLANs.
Command Syntax
bridge <1-32> region REGION_NAME

no bridge <1-32> region REGION_NAME

REGION_NAME Specify the name of the region.
Command Mode
MST Configuration mode
Default
By default, each MST bridge starts with the region name as its bridge address. This means each MST
bridge is a region by itself, unless specifically added to one.
Examples

AsGOS(config-mst)# bridge 3 region IPI
3.20.4.7 bridge revision

Use this command to specify the number for configuration information.
Command Syntax
bridge <1-32> revision REVISION_NUM

REVISION_NUM <0-255> Revision number.
Command Mode
MST Configuration Mode
Default
The default value of revision number is 0.
Examples

61
AsGa LightB
AsGOS(config-mst)# bridge 3 revision 25
3.20.4.8 bridge-group instance

Use this command to assign a Multiple Spanning Tree instance to a port. Use the <no>
statement with this command to remove the instance.
Command Syntax
bridge-group <1-32> instance INSTANCE_ID

no bridge-group <1-32> instance
<1-32> Specify the bridge-group number for bridging.

INSTANCE_ID <1-16> Specify the instance ID.
Command Mode
Interface mode
Examples

AsGOS(config-if)# bridge-group 4 instance 3
3.20.4.9 bridge-group instance path-cost

Use this command to set the cost of a path associated with an interface. Use the <no>
statement with this command to restore the default cost value of the path.
Command Syntax
bridge-group <1-32> instance INSTANCE_ID path-cost PATH_COST

no bridge-group <1-32> path-cost
<1-32> Specify the bridge-group number for bridging

PATH_COST <1-200000000> Specify the cost of path in the range of <1-200000000> (a lower path-
cost indicates a greater likelihood of the specific interface becoming a root)
Command Mode
Interface mode
Default
Assuming a 10 Mb/s link speed, the default value is configured as 200,000.
Examples

AsGOS(config-if)# bridge-group 4 instance 3 path-cost 1000
62
AsGa LightB
3.20.4.10 bridge-group instance priority
Use this command to set the port priority for a bridge group. Use the <no> statement with this
command to restore the default priority value.
Command Syntax
bridge-group <1-32> instance INSTANCE_ID priority PRIORITY

no bridge-group <1-32> instance priority INSTANCE_ID
<1-32> Specify the bridge-group number for bridging.

INSTANCE_ID Specify the identifier.
PRIORITY <0-240> Specify the port priority in a range of <0-240> (a lower priority indicates greater
likelihood of the interface becoming a root).
Command Mode
Interface mode
Default
The default value of port priority for each instance is 128.
Usage
The Multiple Spanning Tree Protocol uses port priority as a tiebreaker to determine which port should
forward frames for a particular instance on a LAN, or which port should be the root port for an
instance. A lower value implies a better priority. In the case of the same priority, the interface index
will serve as the tiebreaker, with the lower-numbered interface being preferred over others. The
permitted range is 0-240. The priority values can only be set in increments of 16.
Examples

AsGOS(config-if)# bridge-group 4 instance 3 priority 121
3.20.4.11 clear spanning-tree detected protocols

Use this command to clear the detected protocols for a specific bridge or interface.
Command Syntax
clear spanning-tree detected protocols [bridge <1-32>]|[interface IFNAME]

<1-32> Specify the number of the bridge group on which protocols have to be cleared.
IFNAME Specify the name of the interface on which protocols have to be cleared
Command Mode
Default
The default value of revision number is 0.
63
AsGa LightB
Examples
AsGOS# clear spanning-tree detected protocols bridge 2
3.20.4.12 debug mstp

various levels. Use the no parameter with this command, to turn off debugging.
Command Syntax
debug mstp (all|cli|PACKET|PROTOCOL|TIMER)
all echoes all STP debugging levels to the console.
cli echoes STP commands to the console.
PACKET = packet rx|tx echoes MSTP packets to the console.
PROTOCOL protocol (detail) echoes protocol changes to the console.
TIMER timer (detail) echoes timer start to the console.
detail detailed output.
Command Mode
Exec, Privileged Exec and Configure modes
Examples

AsGOS(config)# debug mstp all
AsGOS(config)# debug mstp cli
AsGOS(config)# debug mstp packet rx
AsGOS(config)# debug mstp protocol detail
AsGOS(config)# debug mstp timer
3.20.4.13 show spanning-tree mst

Use this command to display the filtering database values. This command displays the number
of instances created, and VLANs associated with it.
Command Syntax
show spanning-tree mst
Command Mode
Enable mode and Interface mode
Usage
The following is a display of this command showing the number of instances created, and the VLANs
associated with it.
AsGOS# show spanning-tree mst

% b: Bridge up - Spanning Tree Enabled
% b: CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 32768
% b: Forward Delay 15 - Hello Time 2 - Max Age 20 - Max-hops 20
% b: CIST Root Id 8000000475e93ffe
% b: CIST Reg Root Id 8000000475e93ffe
64
AsGa LightB
% b: CST Bridge Id 8000000475e93ffe
%
% Instance VLAN
% 0: 1
% 2: 4
3.20.4.14 show spanning-tree mst config

Use this command to display MSTP configuration information for a bridge.
Command Syntax
show spanning-tree mst config
Command Mode
Usage
The following show output displays the MSTP configuration information for bridge b.
AsGOS# show spanning-tree mst config

%
% MSTP Configuration Information for bridge b :
%------------------------------------------------------
% Format Id : 0
% Name : My Name
% Revision Level : 0
% Digest : 0x80DEE46DA92A98CF21C603291B22880A
%------------------------------------------------------
3.20.4.15 show spanning-tree mst detail

Use this command to display the filtering database values. The <show spanning-tree
mst> detail prints the detailed information about each instance, and all interfaces associated with that
particular instance.
Command Syntax
show spanning-tree mst detail
Command Mode
Usage
The following is a display of this command showing displaying detailed information about each
instance, and all interfaces associated with them.
AsGOS# show spanning-tree mst detail
% 1: Bridge up - Spanning Tree Enabled
% 1: CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 0
% 1: Forward Delay 15 - Hello Time 2 - Max Age 20 - Max-hops 20
% 1: CIST Root Id 0000009027342b72
% 1: CIST Reg Root Id 0000009027342b72
% 1: CST Bridge Id 0000009027342b72
% 1: portfast bpdu-filter disabled
% 1: portfast bpdu-guard disabled
65
AsGa LightB
% 1: portfast errdisable timeout disabled
% 1: portfast errdisable timeout interval 1 sec
% eth2: Port 4 - Id 8004 - Role Designated - State Forwarding
% eth2: Designated External Path Cost 0 -Internal Path Cost 0
% eth2: Configured Path Cost 200000 - Add type Explicit ref count 2
% eth2: Designated Port Id 8004 - CST Priority 128 -
% eth2: CIST Root 0000009027342b72
% eth2: Regional Root 0000009027342b72
% eth2: Designated Bridge 0000009027342b72
% eth2: Message Age 0 - Max Age 20
% eth2: CIST Hello Time 2 - Forward Delay 15
% eth2: CIST Forward Timer 0 - Msg Age Timer 0 - Hello Timer 0
% eth2: Version Multiple Spanning Tree Protocol - Received None - Send STP
% eth2: No portfast configured - Current portfast off
% eth2: portfast bpdu-guard default - Current portfast bpdu-guard off
% eth2: portfast bpdu-filter default - Current portfast bpdu-filter off
% eth2: no root guard configured - Current root guard off
% eth2: Configured Link Type point-to-point - Current point-to-point
%
% eth1: Designated External Path Cost 0 -Internal Path Cost 0
% eth1: Configured Path Cost 200000 - Add type Explicit ref count 2
% eth1: Designated Port Id 8003 - CST Priority 128 -
% eth1: CIST Root 0000009027342b72
% eth1: Regional Root 0000009027342b72
% eth1: CIST Hello Time 2 - Forward Delay 15
% eth1: CIST Forward Timer 0 - Msg Age Timer 0 - Hello Timer 0
% eth1: Version Multiple Spanning Tree Protocol - Received STP - Send STP
% eth1: No portfast configured - Current portfast off
% eth1: portfast bpdu-guard default - Current portfast bpdu-guard off
% eth1: portfast bpdu-filter default - Current portfast bpdu-filter off
% eth1: no root guard configured - Current root guard off
% eth1: Configured Link Type point-to-point - Current point-to-point
%
% Instance 1: Vlans: 2
% 1: MSTI Root Path Cost 0 - MSTI Root Port 0 - MSTI Bridge Priority 32768
% 1: MSTI Root Id 8001009027342b72
% 1: MSTI Bridge Id 8001009027342b72
% eth2: Designated Internal Path Cost 0 - Designated Port Id 8004
% eth2: Configured Internal Path Cost 200000
% eth2: Configured CST External Path cost 200000
% eth2: CST Priority 128 - MSTI Priority 128
% eth2: Designated Root 8001009027342b72
% eth2: Hello Time 2 - Forward Delay 15
% eth2: Forward Timer 0 - Msg Age Timer 0 - Hello Timer 0
%
3.20.4.16 show spanning-tree mst instance

The <show spanning-tree mst instance> displays detailed information for the specified
instance, and all interfaces associated with that instance.
66
AsGa LightB
Command Syntax
show spanning-tree mst instance INSTANCE_ID

INSTANCE_ID Specify the instance ID for which information needs to be
displayed.
Command Mode
Usage
The following is a display of this command showing detailed information for instance 2.
AsGOS# show spanning-tree mst instance 2
% 1: Bridge up - Spanning Tree Enabled
% 1: CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 0
% 1: Forward Delay 15 - Hello Time 2 - Max Age 20 - Max-hops 20
% 1: CIST Root Id 0000009027342b72
% 1: CIST Reg Root Id 0000009027342b72
% 1: CST Bridge Id 0000009027342b72
% 1: portfast bpdu-filter disabled
% 1: portfast bpdu-guard disabled
% 1: portfast errdisable timeout disabled
% 1: portfast errdisable timeout interval 1 sec
%
% 1: MSTI Root Path Cost 0 - MSTI Root Port 0 - MSTI Bridge Priority 32768
% 1: MSTI Root Id 8002009027342b72
% 1: MSTI Bridge Id 8002009027342b72
% eth2: Port 4 - Id 8004 - Role Designated - State Discarding
%
% eth1: Port 3 - Id 8003 - Role Designated - State Discarding
3.20.4.17 spanning-tree force-version

Use this command to specify the spanning-tree force (STP) version. A version identifier of less
than a value of 2 enforces the spanning tree protocol. Use the no parameter with this command to set
the default protocol version.
Command Syntax
(no) spanning-tree force-version VERSION

VERSION <0-3> Version identifier. (0 - STP, 1- Not supported, 2 - RSTP, 3 - MSTP)
67
AsGa LightB
Command Mode
Interface mode
Examples
Set the value to enforce the spanning tree protocol:

AsGOS(config-if)# spanning-tree force-version 1
Set the default protocol version:

AsGOS(config-if)# no spanning-tree force-version
3.20.4.18 link-type
Use this command to enable or disable point-to-point or shared link types.
Command Syntax
(no) spanning-tree link-type point-to-point

(no) spanning-tree link-type shared
shared Disable rapid transition.

point-to-point Enable rapid transition.
Command Mode
Interface mode
Usage
MSTP has a backward-compatible STP mode, spanning-tree link-type shared. An

alternative is the spanning-tree force-version 0.
Examples

AsGOS(config-if)# spanning-tree link-type point-to-point
3.20.4.19 spanning-tree mst configuration

Use this command to enter the Multiple Spanning Tree Configuration mode.
Command Syntax
spanning-tree mst configuration
Command Mode
Configure mode
68
AsGa LightB
Examples

AsGOS(config-mst)#
3.21 Link Agregation Control Protocol Commands Set.

Link Aggregation Control Protocol (LACP) is part of an IEEE specification (802.3ad) that allows
to bundle physical ports into a single logical channel. LACP allows a switch to negotiate an automatic
bundle by sending special PDUs named LACP packets to the peer.
Link Aggregation provides several benefits: Increased bandwidth, load balancing, and allows
you to create redundant ethernet links. If a link in a ethernet channel goes down, the switches on
wich is configured to use LACP will automatically fail over to the links that are still up and remain
connected
3.21.1 channel-group
Assign the interface to a channel group, and specify the LACP mode. For channel-group-
number, the range is 1 to 32. Each Channel can have up to eight compatibly configured Ethernet
interfaces.
When You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the
channel-group interface configuration command, the system creates the port-channel logical
interface. Each Ethernet Interfaces pertaining to the same LACP Group will heritage port-channel
interface characteristics.
Command Syntax
channel-group [ channel-group-number ] <1-32> mode ( lacp

(active|passive) | static)
For channel-group-number, the range is 1 to 32. Each
For mode, select one of these keywords:
Lacp: Select this port channel as a LACP port channel.
active: Enables LACP only if an LACP device is detected. It places an interface into an active
negotiating state, in which the interface starts negotiations with other interfaces by sending LACP
packets.
passive: Enables LACP on an interface and places it into a passive negotiating state, in which the
interface responds to LACP packets that it receives, but does not start LACP packet negotiation.
Command Mode
Interface mode
Usage
channel-group [ channel-group-number ] <1-32> mode ( lacp (active|passive)

| static)
69
AsGa LightB
Examples

AsGOS(config-if)# channel-group 20 mode lacp active

AsGOS(config-if)# channel-group 21 mode lacp static
Related commands
no channel-group
show etherchannel lacp <1-32>
show etherchannel static
3.21.2 port-channel load-balance

This command can be used to specify the load balance method used on a Particular Port
Channel. You can use one of severall hashing methos for a particular port trunk. Is not necessary for
other switch share the same port channel load balance method. This parameter is not negotiated
during the port channel LACP procedure.
Command Syntax
port-channel load-balance (dst-mac | src-mac | src-dst-mac | dst-ip | src-
ip | src-dst-ip)
dst-mac Use Destination Mac address based load balancing

src-mac Use Source Mac address based load balancing
src-dst-mac Use Source and Destination Mac address based load balancing
dst-ip Use Destination IP address based load balancing
src-ip Use Source IP address based load balancing
rc-dst-ip Use Source and Destination IP address based load balancing
Command Mode
Interface mode
Usage
port-channel load-balance (dst-mac | src-mac | src-dst-mac | dst-ip | src-
ip | src-dst-ip)
Examples

AsGOS(config-if)# port-channel load-balance dest-mac
70
AsGa LightB
3.21.3 lacp port-priority
Sets the priority for an Ethernet member link, also known as an Ethernet port, in an IEEE
802.3ad link aggregation group (LAG) bundle. The member link with the lowest numerical priority
value has the highest priority. The Ethernet member link with the highest priority is selected first to
join the LAG bundle. The <no version> command restores the default priority value, 32768.
Command Syntax
lacp port-priority <priority-value>
priority-value, the range is 1 to 65535. By default, the priority value is 32768. The lower the
range, the more likely that the interface will be used for LACP transmission.
Command Mode
Interface mode
Usage
lacp port-priority <priority-value>
Examples

AsGOS(config)# port-channel load-balance dest-mac
AsGOS(config)# lacp port-priority 20000
3.21.4 lacp timeout

Periodic transmissions of LACP PDUs occur at either a slow or fast transmission rate,
depending upon the expressed LACP timeout variable (Long Timeout or Short Timout).
Command Syntax
lacp timeout (short|long)
timeout Number of seconds before invalidating a received LACP data unit (DU).
short LACP short timeout. Default short timeout value is 3 seconds.
long LACP long timeout. Default long timeout value is 90 seconds.
Command Mode
Config global mode
Examples

AsGOS(config)# channel-group 20 mode lacp active
AsGOS(config)# port-channel load-balance dest-mac
AsGOS(config)# lacp port-priority 20000
AsGOS(config)# lacp timeout short
71
AsGa LightB
3.21.5 lacp system-priority
The LACP system ID is the combination of the LACP system priority value and the MAC
address of the switch. This command set the System ID for the LACPPDU´s to be exchanged.
Command Syntax
lacp system-priority [System –Priority] <1-65535>
system-priority LACP system priority
SYS-Priority LACP system priority <1-65535> default 32768
Command Mode
Config Global mode
Examples
AsGOS(config)# lacp system-priority 20000
3.21.6 show lacp counters

This command show all lacp related counters
Command Syntax
show lacp <Port-channel ID> counters
Command Mode
Exec mode
Examples
AsgOS#show lacp 1 counters
% Traffic statistics
Port LACPDUs Marker Pckt err
Sent Recv Sent Recv Sent Recv
% Aggregator port-channel1 1000000
ge10 6 10 0 0 0 0
ge12 6 7 0 0 0 0
3.21.7 show etherchannel detail

Command Syntax
Command Mode
Exec mode
Examples
AsgOS#show etherchannel detail

72
AsGa LightB
% Mac address: 00:14:fa:00:29:d5
% Admin Key: 0001 - Oper Key 0001
% Receive link count: 1 - Transmit link count: 0
% Individual: 0 - Ready: 1
% Partner LAG- 0x8000,00-14-fa-00-2a-08
% Link: ge10 (5010) sync: 1
% Link: ge12 (5012) sync: 1
3.21.8 show etherchannel summary

Command Syntax
Command Mode
Exec mode
Examples
AsgOS#show etherchannel summary

% Admin Key: 0001 - Oper Key 0001
% Link: ge10 (5010) sync: 1
% Link: ge12 (5012) sync: 1
3.21.9 show port etherchannel

Command Syntax
Command Mode
Exec mode
Examples
AsgOS#show port etherchannel ge10

% LACP link info: ge10 - 5010
% LAG ID: 0x8000,00-14-fa-00-29-d5
% Partner oper LAG ID: 0x8000,00-14-fa-00-2a-08
% Actor priority: 0x8000 (32768)
% Admin key: 0x0001 (1) Oper key: 0x0001 (1)
% Physical admin key:(1)
% Receive machine state : Current
% Periodic Transmission machine state : Slow periodic
% Mux machine state : Collecting/Distributing
% Oper state: ACT:0 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0
% Partner oper state: ACT:1 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0
% Partner link info: admin port 0
% Partner oper port: 5010
% Partner admin LAG ID: 0x0000-00:00:00:00:0000
% Admin state: ACT:0 TIM:0 AGG:1 SYN:0 COL:0 DIS:0 DEF:1 EXP:0
% Partner admin state: ACT:0 TIM:0 AGG:1 SYN:0 COL:0 DIS:0 DEF:1 EXP:0
% Partner system priority - admin:0x8000 - oper:0x8000
% Aggregator ID: 1000000
73
AsGa LightB
User Guide Commands
4 COMMANDS IN ALPHABETIC ORDER
A
4.1 Access-list
An ACL is a sequential collection of permit and deny conditions. The switch tests packets
against the conditions in an access list one by one. The first match determines whether the switch
accepts or rejects the packet. Because the switch stops testing conditions after the first match, the
order of the conditions is critical. If no conditions match, the switch denies the packet.
In LightBolt switches all ACL processing is absolutely accomplished in hardware with no impact in
CPU processing time.
These are the steps to use IP ACLs:
Step 1: Create an ACL by specifying an access list number or name and access conditions.
Step 2: Apply the ACL wethever you need it.
The software supports these styles of ACLs or access lists for IP:
• Standard IP access lists use source addresses for matching operations.

• Extended IP access lists use source and destination addresses for matching operations and
optional protocol-type information for finer granularity of control.
4.1.1 Access List Numbers

The number you use to denote your ACL shows the type of access list that you are creating
The LightBolt 28xxx switch supports IP standard and IP extended access lists, numbers 1 to 199 and
1300 to 2699.
The table lists the access-list number and corresponding access list type:
<1-99> IP standard access list

<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
WORD IP AsGOS access-list name
4.1.2 Access List Masks

Masks are used with IP addresses in IP ACLs to specify what should be permitted and
denied. Masks in order to configure IP addresses on interfaces start with 255 and have the large
values on the left side, for example, IP address 209.165.202.129 with a 255.255.255.224 mask.
Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse
mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the
74
AsGa LightB
User Guide Commands
results determine which address bits are to be considered in processing the traffic. A 0 indicates that
the address bits must be considered (exact match); a 1 in the mask is a "don't care".
The Table shows an example of wildcard or inverse mask use:
IP Address 172 16 32 0
Binary format 10101100 00010000 00100000 00000000
Network Mask 11111111 11111111 11100000 00000000
Wildcard 00000000 00000000 00011111 11111111

Take only
Take all bits Take all bits the first 3
Result as match as match bits as Dont care
creteria criteria matching
criteria
Command Syntax
• Syntax for MAC ACls
AsGa (config)# access-list <MAC ACL number> (deny|permit) [(Source =

<SMAC> | Any); SMASK] [(destination = <DMAC>; MASK)].
deny Specify packets to reject.

permit Specify packets to permit
SMAC Source host's MAC address in HHHH.HHHH.HHHH format.
SMASK Source mask in HHHH.HHHH.HHHH format.
any Source any.
DMAC Destination host's MAC address in HHHH.HHHH.HHHH format.
DMASK Destintion mask in HHHH.HHHH.HHHH format.
• Syntax for Standard ACL
AsGa(config)# access-list < standar ACL number> (deny|permit|remark) [SA-

IP = <A.B.C.D> wildcards = <A.B.C.D> | host <A.B.C.D>].
deny Specify packets to reject.

permit Specify packets to forward.
remark Access list entry comment.
host A single host address. In this case no wildcards is needed.
A.B.C.D Address to match.
A.B.C.D Wildcard bits.
• Syntax for Extended ACL
AsGa (config)# access-list < extended ACL number> (deny|permit|remark);

protocol = <protocol ID>; [(SA-IP = <A.B.C.D> wildcard = <A.B.C.D> | any |
host <A.B.C.D>)]; [DA-IP = <A.B.C.D> wildcards = <A.B.C.D> | any | host
<A.B.C.D>)]
deny Specify packets to reject

permit Specify packets to forward
remark Access list entry comment
75
AsGa LightB
User Guide Commands
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
A.B.C.D Source address
A.B.C.D Source wildcard bits
any Any source host
host A single source host
A.B.C.D Destination address
A.B.C.D Destination wildcard bits
any Any destination host
host A single destination host
AsGa (config)# access-list < extended ACL number> (deny|permit|remark);

<tcp|udp>; ID>; [(SA-IP = <A.B.C.D> wildcard = <A.B.C.D> | any | host
<A.B.C.D>)]; [DA-IP = <A.B.C.D> wildcards = <A.B.C.D> | any | host
<A.B.C.D>)]; <src | dest> (eq|gt|lt|neq) PORT
deny Specify packets to reject

permit Specify packets to forward
remark Access list entry comment
A.B.C.D Source wildcard bits
any Any source host
host A single source host
A.B.C.D Destination wildcard bits
any Any destination host
host A single destination host
src Source (TCP/UDP) port
eq Equal
gt Greater than
lt Less than
neq Not equal
PORT Port number <0-65535>
76
AsGa LightB
User Guide Commands
Command Mode
Config mode
Default
No access lists are configured.
Examples
Related Commands
Mac access-group
Ip access-group
Class maps
4.2 Acces-Group commands
4.2.1 mac access-group

Use the mac access-group interface configuration command to apply a MAC access control list
(ACL) to a interface. Use the <no> statementof this command to remove all MAC ACLs or the
specified ACL from the interface. Create the MAC ACL by using the mac access-list extended global
configuration command.
When an inbound packet is received on an interface with a MAC ACL applied, the switch
checks the match conditions in the ACL. If the conditions are matched, the switch forwards or drops
the packet, according to the ACL action.
If the specified ACL does not exist, the switch forwards all packets.
Command Syntax
mac access-group <mac-ACL number> in

no mac access-group <mac-acl number>
Command Mode
Interface configuration
Examples
Related Commands
Mac access-list
4.2.2 ip acc ess-Group

Use the ip access-group interface configuration command to control access to a Layer 2 or
Layer 3 interface. Use the <no> statement of this command to remove all access groups or the
specified access group from the interface.
You can apply any kind of standard or extended access lists to an interface. To define an
access list by name, use the ip access-list global configuration command. To define a numbered
access list, use the access list global configuration command. You can use numbered standard
access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199
and 2000 to 2699.
77
AsGa LightB
User Guide Commands
For standard inbound access lists, after the switch receives a packet, it checks the source
address of the packet against the access list. IP extended access lists can optionally check other
fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access
list permits the packet, the switch continues to process the packet. If the access list denies the packet,
the switch discards the packet.
Command Syntax
ip access-group <access-list-number | name>; <{in | out>
no ip access-group <access-list-number | name>; <in | out>
access-list-number: The number of the IP access control list (ACL), from 1 to 199 or from 1300
to 2699
name: The name of an IP ACL, specified in the ip access-list global configuration command
in: Specify filtering on inbound packets
out:Specify filtering on outbound packets
Command Mode
Examples
Related Commands
Access-list
Mac-access-group
78
AsGa LightB
User Guide Commands
B
4.3 Boot
Use this command to change your booting parameters:
Command Syntax
Boot {system | config | AsGOS } file-name
System change your booting system image.

Config change your current booting configuration file.
AsGos change your AsGos booting file.
Command Mode
Exec mode
Default
By default the system boot using a default.txt configuration file and its default system image file.
Examples
AsgOS(config)#boot
AsgOS(config)#boot system LightBolt-28322-E1-L2-System-1.0.0-RC3.bin
AsgOS(config)# show boot
Config File:
AsGOS Image:
System Image:
Sanity Image:
AsgOS(config)#
Related Commands
show boot
79
AsGa LightB
User Guide Commands
C
4.4 Clear counters
Use this privileged command to clear all system counters.
Command Syntax
Clear counters { <IFNAME> | all}
IFNAME: Specify a particular interface name (GE or XE)

All: Clear all system counter
Command Mode
Eexec
Default
No default for this command
Examples
AsGOS# clear counters ge1
Or
AsGOS# clear counters all
Related Commands
No related commands.
4.5 Clear mac-address-table

Command Syntax
clear mac-address-table (dynamic | static)(address mac-address | interface ifname
| vlan vilan-id <1-4094>|)
clear "Reset functions"

mac-address-table "MAC forwarding table"
static "Static entries"
dynamic "Dynamic entries"
address "Address keyword"
MAC "MAC address in HHHH.HHHH.HHHH format"
interface "Interface keyword"
IFNAME "Interface name"
vlan "VLAN keyword"
<1-4094> "VLAN id"
80
AsGa LightB
User Guide Commands
Command Mode
Exec mode
Examples
Related Commands
Show mac-address
4.6 Class Map Command

Use the class-map global configuration command to name and to isolate a specific traffic
flow from all other traffic. The class map defines the criteria to use to match against a specific traffic
flow to further classify it. Match statements can include criterion such as an ACL, IP precedence
values, or DSCP values. The match criterion is defined with one match statement entered within the
class-map configuration mode.
Command Syntax
class-map [match-all | match-any | match-all-flows] class-map-name
match-all: (Optional) Perform a logical-AND of all matching statements under this class map. All
criteria in the class map must be matched.
match-any: (Optional) Perform a logical-OR of the matching statements under this class map. One
or more criteria must be matched.
match-all-flows: (Optional) used to define a full matching for all flows no other statements are
defined when this type of matching is used.
class-map-name: Name of the class map.
Command Mode
Global configuration mode
Default
No class maps are configured by default.
Usage
Use this command to specify the name of the class for which you want to create or modify class-map
match criteria and to enter class-map configuration mode.
The class-map command and its subcommands are used to define packet classification, as part of a
globally named service policy applied on a per-interface basis.
description: describes the class map. The show class-map privileged EXEC command displays
the description and the name of the class-map.
exit: exits from QoS class-map configuration mode.
match: configures classification criteria used under the named Class-map:
Use the match class-map configuration command to define the match criteria to classify traffic. Use
the <no> statement of this command to remove the match criteria.
81
AsGa LightB
User Guide Commands
match {access-group acl-index-or-name | class-map class-map-name | ip dscp
dscp-list | ip precedence ip-precedence-list | vlan vlan-list}
no match {access-group acl-index-or-name | class-map class-map-name | ip

dscp dscp-list | ip precedence ip-precedence-list | vlan vlan-list}
access-group acl-index-or-name: Number or name of an IP standard or extended access

control list (ACL) or MAC ACL.
class-map class-map-name: Name of predefined class map for classification that is performed
on a per-port per-VLAN basis.
ip dscp dscp-list: List of up to eight IP Differentiated Services Code Point (DSCP) values to
match against incoming packets. Separate each value with a space. The range is 0 to 63.
ip precedence ip-precedence-list: List of up to eight IP-precedence values to match
against incoming packets. Separate each value with a space. The range is 0 to 7.
vlan vlan-list: List of VLANs to match against incoming packets. You can enter up to 30 VLAN
IDs. Use a hyphen for a range of VLANs. A VLAN range is counted as two VLAN IDs. Use a space to
separate individual VLANs. The range is 1 to 4094.
no: removes a match statement from a class map.
rename: renames the current class map. If you rename a class map with a name that is already in
use, this message appears:
A class-map with this name already exists
Examples
Related Commands
D
4.7 Dir
Use the <dir> command to display a list of files on your system.
Command Syntax
Dir
Command Mode
Exec mode
Default
No default
Examples
AsGOS#dir
-rw-r--r-- 1 1000 users 7.5M Jul 10 2007 asgos-ver1.0.bin
-rw-r----- 1 root root 3.1k Jul 10 2007 AsGOS.conf
-rw-r--r-- 1 root root 2.4k Jun 29 19:05 sanity.log
-rw-r--r-- 1 root root 2.4k Jun 19 11:51 production.log
-rw-r----- 1 root root 2.3k Jun 15 19:18 default.conf
82
AsGa LightB
User Guide Commands
Flash disk space:
Used Available Use%
7.7M 24.3M 24%
Related Commands
4.8 Duplex
Use the duplex interface configuration command to specify the duplex mode of operation for
Gigabit Ethernet ports. Use the <no> statement of this command to return the port to its default value.
Command Syntax
duplex {full | half | auto}
full Port is in full-duplex mode.

Half Port is in half-duplex mode.
Auto Port automatically detects whether it should run in full- or half-duplex mode.
no duplex
Command Mode
Interface
Default
All interfaces are set to auto as default command.
Examples

AsGOS(interface)# duplex half
Related Commands
E
4.9 Erase
Use this command to erase the configuration file and restore it to its defaults values.
Command Syntax
erase
Command Mode
Configure mode
83
AsGa LightB
User Guide Commands
Default
Examples
LightBolt(config)# erase
LightBolt(config)#
4.10 Exit
Use the exit VLAN configuration command to implement the proposed new virtual LAN (VLAN)
into the local database.
Command Syntax
No special arguments for this command
Command Mode
Vlan database
Default
This command has no default values.
Examples
AsGOS(config-vlan)# exit
AsGOS#
Related Commands
Vlan database
F
4.11 Flowcontrol
Use the flowcontrol interface configuration command to set the receive or send flow-control
value for an interface. When flow control send is on for a device and it detects any congestion at its
end, it notifies the link partner or the remote device of the congestion by transmitting a pause frame.
When flow control receive is on for the remote device and it receives a pause frame, it stops
transmitting any data packets. This prevents any loss of data packets during the congestion period.
Use the <receive off> and <send off > keywords to disable flow control.
Command Syntax
flowcontrol < send | receive > <on | off>
84
AsGa LightB
User Guide Commands
flowcontrol IEEE 802.3x Flow Control
send Flow control on send
receive Flow control on receive
on Turn on flow control
off Turn off flow control
Command Mode
Interface
Usage
Flowcontrol send on
Flowcontrol receive on
Examples
LightBolt# configure t
LightBolt(configure) interface ge1
LightBolt(interface) flowcontrol send on
LightBolt(interface) flowcontrol receive on
Related Commands
No flowcontrol
H
4.12 Hostname
Command Syntax
Command Mode
Default
Examples
Related Commands
85
AsGa LightB
User Guide Commands
I
4.13 Interface
Use the interface global configuration command to enter in the configuration mode for a
physical interface or to create or access switch virtual interface (SVI) and automatically enter interface
configuration mode. Use the no interface vlan form of this command to delete an SVI.
SVIs are created the first time you enter the interface vlan vlan command for a particular vlan.
The vlan corresponds to the VLAN-tag associated with data frames 802.1q encapsulated trunk or the
VLAN ID configured for an access port.
interface {interface-id | vlan vlan-id}

no interface {interface-id | vlan vlan-id}
Command Mode
Configure mode
Default
No default value.
Examples

AsGOS(interface)#

AsGOS(config)# interface vlan1.200
AsGOS(interface-vlan)#
Related Commands
show interface
shutdown
4.14 Ip address
Use the ip address interface configuration command to set an IP address for the Layer 2 switch
or an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch. Use the
<no> statement of this command to remove an IP address or to disable IP processing.
Command Syntax
ip address <ip-address>/< subnet-mask>
no ip address [ip-address / subnet-mask]
Command Mode
Interface
86
AsGa LightB
User Guide Commands
Default
No default sets for this command.
Examples

AsGOS(interface)# ip address 10.10.10.10/23

AsGOS(config)# interface vlan1.200
AsGOS(interface-vlan)# ip address 10.10.10.10/23
Related Commands
4.15 Ip-access-group
Use the ip access-group interface configuration command to control access to a Layer 2
interface. Use the <no> statementof this command to remove all access groups or the specified
access group from the interface.
Command Syntax
ip access-group {access-list-number } {in | out}
no ip access-group [access-list-number] {in | out}
Command Mode
Default
Examples
LightBOLT(config)# interface ge1

LightBOLT (config-if)# ip access-group 101 in
Related Commands
access list
87
AsGa LightB
User Guide Commands
M
4.16 Mac-address-table aging-time
Use the mac address-table aging-time global configuration command to set the length of time
that a dynamic entry remains in the MAC address table after the entry is used or updated. Use the
<no> statement of this command to return to the default setting. The aging time applies to all VLANs.
The default value for this time is 300 seconds.
Command Syntax
mac-address-table aging-time (<0-0>|<10-1000000>)
mac-address-table MAC forwarding table"
aging-time Time a learned mac address will persist after
last update:
<0-0> Enter 0 to disable aging"
<10-1000000> Aging time in seconds"
Command Mode
Config mode
Usage
mac-address-table aging-time 10
Examples
LightBolt(configure)# mac-address-table aging-time 10
Related Commands
no mac-address-table aging-time
show mac-address-table aging-time
4.17 Mac-address-table freeze

This command permit to freeze the learning process of the mac table. All mac address learned
will persist until the <no> statementof this command will be issue or a reboot process occurs.
Command Syntax
mac-address-table freeze
mac-address-table MAC forwarding table
freeze Freeze changes in mac-address table
Command Mode
Exec mode
88
AsGa LightB
User Guide Commands
Usage
mac-address-table freeze
Examples
LightBolt (configure)# mac-address-table freeze
Related Commands
no mac-address-table freeze
4.18 Mac-address-table static

Use the mac address-table static global configuration command to add static addresses to the
MAC address table. Use the <no> statement of this command to remove static entries from the table.
Command Syntax
mac-address-table static MAC vlan <1-4094> interface IFNAME
mac-address-table MAC forwarding table
static Add a static entry
MAC MAC address in HHHH.HHHH.HHHH format
vlan Select a VLAN id
<1-4094> VLAN id
interface Select a interface
IFNAME Interface name
Command Mode
Exec mode
Usage
mac-address-table static 0001.fa09.0909 vlan 20 interface ge1
Examples
LightBolt#configure t
LightBolt(configure)# mac-address-ta
S
4.19 Switchport
Use this command to put a port as switched port. By default all ports in LightBolt switches are
switched ports. You can negate this using <no switchport> command and put the interface in routed
mode operation.
89
AsGa LightB
User Guide Commands
Command Syntax
Switchport
Command Mode
Configure mode interface mode
Default
No switchport.
At Startup all port are switched port and all port are access port attached to VLAN 1. All ports are also
attached to Bridge Group 1 running classic Spanning Tree Protocol (802.1D).
Examples

AsGOS(interface)# switchport.
Related Commands
4.20 Switchport mode

Use the switchport mode interface configuration command to configure the VLAN membership
mode of a port. Use the <no> statementof this command to reset the mode to the appropriate default
for the device.
Command Syntax
Switchport mode {access | trunk | hybrid}
no switchport mode
Access: Set the port to access mode. The port is set to access unconditionally and operates as a
nontrunking, single VLAN interface that transmits and receives non-tagged frames. An access port
can be assigned to only one VLAN.
Trunk: Set the port to trunk unconditionally. The port is a trunking VLAN Layer-2 interface. The port
transmits and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a
point-to-point link between two switches or between a switch and a router. AsGa LightBolt switches
use 802.1Q tag encapsulation method.
Hibrid: This mode set the trunk in an hybrid mode witch means that the port acting as a trunk has a
default VLAN for all those packet witch arrive at the port untagged. Under this mode the user must
specify the untagged VLAN for all those arriving non tagged packets. Out going packet for the
specified VLAN ID will go out from this trunk in an untagged form.
In addition: for this VLAN; this port act as an access port.

Under the hybrid mode the default VLAN is specified using the following sentence:
AsGos (interface ge16) switchport hybrid vlan <VLAN ID>

VLAN ID = 1-4095
And then the user must specify the non tagged nature of this VLAN for this port using the following
command:
90
AsGa LightB
User Guide Commands
AsGos (interface ge16) switchport hybrid allowed vlan add <VLAN ID> egress-
tagged disable
VLAN ID =1-4095
Command Mode
Default
No default.
Examples
AsGOS(interface)# switchport mode trunk
AsGOS(interface)# switch port allowed vlan all
AsGos (interface ge16)

AsGos (interface ge16) switchport
AsGos (interface ge16) switchport mode hybrid
AsGos (interface ge16) switchport hybrid vlan 101
AsGos (interface ge16) switchport mode hybrid acceptable-frame-type all
AsGos (interface ge16) switchport hybrid allowed vlan add 100 egress-tagged enable
AsGos (interface ge16) switchport hybrid allowed vlan add 101 egress-tagged
disable
AsGos (interface ge16) switchport hybrid allowed vlan add 200 egress-tagged enable
Related Commands
Switchport
4.21 Switchport access

Use the switchport access interface configuration command to configure a port as a static-
access If the mode is set to access, the port operates as a member of the configured virtual LAN
(VLAN). Use the <no> statement of this command to reset the access mode to the default VLAN for
the switch.
Command Syntax
switchport access { vlan <vlan-id> | vlan-staking}
vlan ID: Per port VLAN ID configured for this port. Range 2:4093.
Vlan-staking: use this command to enable vlan staking on a particular port (Q in Q method). All
frames will be tagged on top of the existing tag (Customer Tag) with the VLAN ID configured under
this port. Port must be an access port in order to enable vlan staking on it.
Command Mode
Default
No default.
91
AsGa LightB
User Guide Commands
Examples

AsGOS(interface)# switchport access vlan 200
AsGOS(interface)#switchport access vlan-staking
Related Commands
vlandatabase
VLAN
Switchport mode
4.22 Switchport trunk

Use the switchport trunk interface configuration command to set the trunk characteristics when
the interface is in trunking mode. Use the <no> statementof this command to reset all of the trunking
characteristics to the defaults. Use the no form with keywords to reset that characteristic to the
defaults. The encapsulation method for AsGa switches is based on 802.1Q tagging.
Command Syntax
switchport trunk [allowed vlan <allowed vlan ID list>]
vlan ID: 2:4093
Command Mode
Default
All VLAN´s ID are allowed by default
Examples

AsGOS(interface)# switchport trunk allowed vlan 2,3,4,300
Related Commands
vlandatabase
VLAN
Switchport mode
4.23 Switchport mode trunk ingress filter

Use the switchport mode trunk interface configuration command to configure the VLAN filtering
mode of a port. Under this command just only those VLANs defined will be accepted by this trunk
port. Any non taggued frame will be discarded.
Command Syntax
Switchport mode trunk ingress filter <enable | disable>
92
AsGa LightB
User Guide Commands
Command Mode
Interface mode
Default
The ingress filter is disable by default
Examples
interface ge12
switchport
bridge-group 1
bridge-group 1 instance 1
!
4.24 Speed
Use the speed interface configuration command to specify the speed of a port. Use the <no> or
default form of this command to return the port to its default value. 10 GigE interfaces has no option
for this command. Those interfaces work only at 10Gig Ethernet standard.
Command Syntax
speed <10 | 100 | 1000| auto>
10 Port runs at 10 Mbps.

100 Port runs at 100 Mbps.
1000 Port run at 1000 Mbps
auto Port automatically detects the speed it should run at based on the
port at the other end of the link
no speed
Command Mode
Interface
Default
All interfaces are set to auto as default command.
Examples

AsGOS(interface)# speed 100
Related Commands
Interface
93
AsGa LightB
User Guide Commands
4.25 Show Interface
Use the show interface privileged EXEC command to display the administrative and operational
status of a port.
Command Syntax
show interface <interface-id>
Command Mode
Default
No default sets for this command.
Examples
AsGOS# show interface
hw link speed/ auto max link MAC

interface type stat duplex neg? frame scan address
ge1 ETH down - yes 1522 SW -
ge4 ETH down - yes 1522 RT 00.f6.04.aa.00.06
ge8 ETH down - yes 1522 RT 00.f6.04.aa.00.0a
ge9 ETH down - yes 1522 RT 00.f6.04.aa.00.0b
ge10 ETH down - yes 1522 RT 00.f6.04.aa.00.0c
ge11 ETH down - yes 1522 RT 00.f6.04.aa.00.0d
ge12 ETH down - yes 1522 RT 00.f6.04.aa.00.0e
ge13 ETH down - yes 1522 RT 00.f6.04.aa.00.0f
lo LB up - yes 1500 RT 00.00.00.00.00.00
vlan1.1 VLAN - - yes 1522 - 00.f6.04.aa.00.02
vlan1.20 VLAN - - yes 1522 - 00.f6.04.aa.00.02
vlan1.100 VLAN - - yes 1522 - 00.f6.04.aa.00.02
xe1 ETH down 10G FD no 1522 RT 00.f6.04.aa.00.1b
xe2 ETH down 10G FD no 1522 RT 00.f6.04.aa.00.1c
AsGOS# show interface ge1
hw link speed/auto max link MAC

interface type stat duplex neg? frame scan address
94
AsGa LightB
User Guide Commands
Related Commands
4.26 Show Interfaces

Use the <show interfaces> privileged EXEC command to display various counters for the
switch or for all interfaces o for a specific interface.
Command Syntax
AsGOS# show interfaces ge1
AsGOS# show interfaces
Command Mode
EXEC
Default
Examples
AsGOS#show interfaces
-----------------------------------------------------
Interface name.................................: ge1
Total Packets Received (Octets)................: 0
Total Packets Received Without Errors..........: 0
Total Packets Received Discarded...............: 0
Total Packets Transmitted (Octets).............: 5312
Total Packets Transmitted Successfully.........: 83
Total Packets Transmitted Errors...............: 0
-----------------------------------------------------
-----------------------------------------------------
Still showing all other interfaces counters.
AsGOS# show interfaces ge1

95
AsGa LightB
User Guide Commands
Unicast Packets Received.......................: 0
Multicast Packets Received.....................: 0
Broadcast Packets Received.....................: 0

Unicast Packets Transmitted....................: 0
Multicast Packets Transmitted..................: 112
Broadcast Packets Transmitted..................: 0
Total RX and TX Octets.........................: 7168

Packets RX and TX 64 Octets....................: 112
Packets RX and TX 65-127 Octets................: 0
Packets RX and TX 128-255 Octets...............: 0
Packets RX and TX 256-511 Octets...............: 0
Packets RX and TX 512-1023 Octets..............: 0
Packets RX and TX 1024-1518 Octets.............: 0
Packets RX and TX > 1518 Octets................: 0
802.3x Pause Frames Received...................: 0

802.3x Pause Frames Transmitted................: 0
Total Packets Received Not Forwarded...........: 0

Jabbers Received...............................: 0
Fragments/Undersize Received...................: 0
Oversized packets..............................: 0
Alignment Errors...............................: 0
FCS Errors.....................................: 0
Too Long Frames Errors.........................: 0

Total Packets Transmitted Discarded............: 0
Single Collision Frames........................: 0
Multiple Collision Frames......................: 0
Excessive Collision Frames.....................: 0
Related Commands
4.27 Shutdown
Use the shutdown interface configuration command to disable an interface. Use the <no>
statement of this command to restart a disabled port or switch virtual interface (SVI).
The <shutdown> command for a port causes it to stop forwarding. You can enable the port
with the <no shutdown> command. The <shutdown> command disables all functions on the specified
interface.
Command Syntax
shutdown
no shutdown
Command Mode
Interface
96
AsGa LightB
User Guide Commands
Default
No default for this command.
Examples
AsGOS(interface)# shutdown
Related Commands
Interface
Interface vlan1<VLAN ID>
4.28 Show VLAN

Use the show vlan user EXEC command to display the parameters for all configured virtual
LANs.
Command Syntax
AsGOS# show vlan <all | VLANID> bridge <bridge ID>
Command Mode
EXEC
Default
No Default for this command.
Examples
AsgOS#show vlan all bridge 1
Bridge VLAN ID Name State

Member ports
(u)-Untagged, (t)-Tagged
----------------------------------------------------------------------------------
1 1 default ACTIVE ge1(u) ge2(u) ge3(u) ge4(u)
ge5(u) ge6(u) ge7(u) ge8(u)
ge9(u) ge10(u) ge11(u) ge12(u)
ge13(u) ge14(u) ge15(u)
ge16(u) ge17(u) ge18(u)
ge19(u) ge20(u) ge21(u)
ge22(u) ge23(u) ge24(u) xe1(u)
xe2(u) xe3(u) xe4(u)
Related Commands
97
AsGa LightB
User Guide Commands
4.29 Show outbound access-priority-table
Use this command to display data about the access-priority table. To modify the lines
displayed, use the | (output modifier token); to save the output to a file, use the > output redirection
token. For more information, see the AsGOS Command Line Interface Environment chapter.
Command Syntax
show outbound access-priority-table interface IFNAME

IFNAME Specify the name of the interface.
Command Mode
Usage
AsGOS# show outbound access-priority-table interface eth4
802.3 Format Outbound Access Priority
1
0
0
0
0
0
0
4.30 Show traffic-class-table

Use this command to display the data in the traffic class table.
To modify the lines displayed, use the | (output modifier token); to save the output to a file,
use the > (output redirection token). For more information, see AsGOS Command Line Interface
Environment.
Command Syntax
show traffic-class-table interface IFNAME

IFNAME Specify the name of the interface.
Command Mode
Usage
The following is a display of this command showing the traffic class table for interface eth1.
AsGOS# show traffic-class-table interface eth1

User Prio / Num Traffic Classes
1 2 3 4 5 6 7 8
0 0 0 0 0 0 0 0 0
1 0 0 0 0 0 0 0 0
2 0 0 0 0 0 0 0 0
3 0 0 0 0 0 0 0 0
4 0 0 0 0 0 0 0 0
5 0 0 0 0 0 0 0 0
6 0 0 0 0 0 0 0 0
98
AsGa LightB
User Guide Commands
Examples
AsGOS# show traffic-class-table interface eth1
Related Commands
4.31 Show user-priority

Use this command to display the user priority data. To modify the lines displayed, use the |
(output modifier token); to save the output to a file, use the > (output redirection token). For more
information, see AsGOS Command Line Interface Environment.
Command Syntax
show user-priority interface IFNAME
Command Mode
Usage
The following is output display of this command showing set user priority for interface eth4.
AsGOS# show user-priority interface eth4

Default user priority : 7
Examples
AsGOS# show user-priority interface eth0
Related Commands
4.32 Storm Control

To enable broadcast, multicast, or Destination Lookup Failure (DLF) storm control on a
particular port, use the <storm-control> command in interface configuration mode. To disable storm
control for broadcast, multicast, or DLF traffic, use the <no> statementof this command.
Command Syntax
storm-control < broadcast | dlf | multicast> < level>
broadcast: type this key to limit the maximum broadcast traffic to be admitted by a specific port.
dlf: is the maximum throughput of dlf (destination lookup failure) to be forwarded/admitted by a
specific port. A dlf occur each time that a no MAC address match is accomplished.
multicast: use this key to limit the maximum multicast traffic to be admitted by a specific port.
level: specify the maximum level of the specific traffic admitted by a specific port. This level is
intended to be a % of the maximum speed of the port.
99
AsGa LightB
User Guide Commands
Command Mode
Interface mode
Usage
AsGOS(config-if)#storm-control broadcast <% of the maximum Speed Port>
Examples
AsGOS(config-if)#storm-control broadcast 30
AsGOS(config-if)#storm-control dlf 50
AsGOS(config-if)#storm-control multicast 10
Related Commands
4.33 Snmp-server manager

Use the snmp-server host global configuration command to specify the recipient (host) of a
Simple Network Management Protocol notification operation. Use the <no> statement of this
command to remove the specified host. UP to five host can be provisioned.
Command Syntax
snmp-server manager ip-address traps-version ( ( 1 | 2c ) community
community | 3 ( noauth | auth | priv ) username ) ( udp-port port | )
snmp-server Configure parameters to SNMP Agent

manager Set manager configuration to send traps
ip-address IP address of a manager
traps-version Set the traps version
1 Traps version 1
2c Traps version 2
community: Set the community string for
SNMPv1/v2c transactions
community Communnity string
3 Traps version 3
noauth No authorization
auth Authorization
priv Privative
username Username
udp-port Set the port to send SNMP traps
port UDP Port number
Command Mode
Config mode
Usage
LightBOLT(config)# snmp-server manager ip-address (traps-version ( 1 | 2c | 3 user
username (auth | noauth | priv) | ) (community string | ) (upd-port port | )
100
AsGa LightB
User Guide Commands
Examples
LightBOLT(config)# snmp-server manager 192.168.1.1 traps-version 1 community AsGa
upd-port 162
LightBOLT(config)# snmp-server manager 192.168.1.1 traps-version 2c community AsGa

upd-port 162
LightBOLT(config)# snmp-server manager 192.168.1.1 traps-version 3 user ASGA auth

community AsGa upd-port 162
Related Commands
4.34 Snmp-server trap-source

This command specify the interface (with the corresponding IP address) from which a Simple
Network Management Protocol (SNMP) trap should originate, use the <snmp-server trap-source>
command in global configuration mode. To remove the source designation, use the <no> statementof
the command.
Command Syntax
snmp-server trap-source <IFNAME>
IFNAME: is any valid interface with a valid IP address
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server trap-source <IFNAME>
Examples
LightBOLT(config)# snmp-server trap-source loopback 0
LightBOLT(config)# snmp-server trap-source GE1
LightBOLT(config)# snmp-server trap-source vlan1.400
Related Commands
4.35 Snmp-server enable-traps

To configure the system to send these SNMP notifications, you must enter at least one <snmp-
server enable traps> command. If you enter the command with no keywords, all notification types are
enabled. If you enter the command with a keyword, only the notification type related to that keyword is
enabled. To enable multiple types of notifications, you must issue a separate <snmp-server enable>
traps command for each notification type and notification option.
Command Syntax
snmp-server <enable | Disable> trap ( linkUp | linkDown | coldstart | warmreset |
config | bridge | vlancreate | vlandelete | copy-config | snmp-notify | all )
101
AsGa LightB
User Guide Commands
enable Enable SNMP traps configuration
disable Disable SNMP traps configuration
trap Turn On SNMP traps
linkUp LinkUp trap
linkDown LinkDown trap
coldstart coldstart trap
warmreset warmreset trap
config config trap
bridge bridge trap
vlancreate vlancreate trap
vlandelete vlandelete trap
copy-config copy-config trap
snmp-notify notify snmp configuration change trap
all All traps
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server enable traps

LightBOLT(config)# snmp-server enable traps <trap list>
Examples
LightBOLT(config)# snmp-server enable traps linkdown

LightBOLT(config)# snmp-server enable traps linkup
LightBOLT(config)# snmp-server enable traps coldstart
LightBOLT(config)# snmp-server enable traps warmstart
LightBOLT(config)# snmp-server enable traps config
LightBOLT(config)# snmp-server enable traps bridge
LightBOLT(config)# snmp-server enable traps vlancreate
LightBOLT(config)# snmp-server enable traps vlandelete
LightBOLT(config)# snmp-server enable traps copy-config
Related Commands
4.36 Snmp-server community

This command set up the community access string to permit access to the Simple Network
Management Protocol (SNMP), use the <snmp-server community> command in global configuration
mode. To remove the specified community string, use the <no> statement of this command
Command Syntax
snmp-server community string (ro | rw) (remote ip-addres | ) (view view-name | )
<string> Community string that consists of 1 to 32 alphanumeric characters much like a password,
permitting access to SNMP. Blank spaces are not permitted in the community string.
ro: (Optional) Specifies read-only access. Authorized management stations can retrieve only MIB
objects.
102
AsGa LightB
User Guide Commands
rw: (Optional) Specifies read-write access. Authorized management stations can both retrieve and
modify MIB objects.
remote: Specify the remote SNMP management system. When specify the system check for snmp
messages coming from the server.
view: specify the particular view associated to the community string.
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server community <string> <ro | rw>
Examples
LightBOLT(config)# snmp-server community ready2u ro
Related Commands
4.37 Snmp-server name

Use this command in order to specify the administrative SNMP server name. Use the <no>
statement of this command to negate a name.
Command Syntax
snmp-server name name

snmp-server "Configure parameters to SNMP Agent"
name "Change administrative name"
name "Administrative name"
Command Mode
Config
Usage
snmp-server name name TEST
Examples
LightBolt(configure)# snmp-server name name TEST
Related Commands
103
AsGa LightB
User Guide Commands
4.38 Snmp-server contact
To set the system contact (sysContact) string, use the <snmp-server contact> command in
global configuration mode. To remove the system contact information, use the <no> statement of this
command.
Command Syntax
snmp-server contact <text>

no snmp-server contact
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server contact <text>.
Examples
LightBOLT(config)# snmp-server contact AsGa.S.A.
Related Commands
4.39 Snmp-server location

To set the system location string, use the <snmp-server location> command in global configuration
mode. To remove the location string, use the <no> statement of this command.
Command Syntax
snmp-server location <text>

text: String that describes the system location information
Command Mode
Exec mode
Usage
LightBOLT(config)# snmp-server location <text>
Examples
LightBOLT(config)# snmp-server location Rodovia Roberto Moreira KM4
Related Commands
104
AsGa LightB
User Guide Commands
4.40 Snmp-server view
This command can be used to create different views of different OIDs trees. Using this
command a snmp server can gain access just to those OIDs assigned to it. The rest of OIDs will not
be displayed. Use the no form of this command to negate it.
Command Syntax
snmp-server view view-name oid-tree (included | excluded)

view-name: specify a particular name of the view.
oid-tree: specify the oid of a particular view witch can be included or excluded
Command Mode
Exec mode
Usage
snmp-server view <name of the view> <oid tree> <include | exclude>
Examples
LightBOLT(config)# snmp-server view System 1.3.6.1.2.1.1 included
Related Commands
no snmp-server view view-name
snmp-server community string (ro | rw) (remote ip-addres ) (view view-name )
show snmp view
4.41 Snmp-server engineID

Use this command to specify the SNMP V3 server engine ID. This command can be used to
specify the Local and remote server engine name; when remote server engine; the remote IP server
address must be specified.
Command Syntax
snmp-server engineID <local | remote ip-address > engine-string
engineID Configure a name for either the local/remote SNMP engine

remote Specifies the remote copy of SNMP engine
ip-address Ip-address of remote
engine-name The name of a copy of SNMP engine (hexadecimal)
Command Mode
Exec mode
Usage
snmp-server engineID local engine-string

snmp-server engineID remote ip-address engine-string
105
AsGa LightB
User Guide Commands
Examples
LightBOLT(config)# snmp-server engineID local SYTEM

LightBOLT(config)# snmp-server engineID remote 192.168.1.1 SYSTEM
Related Commands
no snmp-server engineID (local | remote ip-address)

show snmp engineID ( local | remote )
4.42 Snmp-server user create

Use this command to define the users under SNMP V3 mode.
Command Syntax
snmp-server users create username auth ( md5 | sha ) auth-password ( priv priv-
password | )

users Users configurations
create Create a new user
username Name of the user on the host that connects to the
agent
auth Which authentication level should be used
md5 HMAC-MD5-96 authentication level
sha HMAC-SHA-96 authentication level
auth-password Specifies th authentication user password
priv Use of the User-based Security Model
priv-password Specifies the privacy user password
Command Mode
Exec
Usage
Examples
LightBOLT(config)#
Related Commands
show snmp users

no snmp-server user ( access ( ro | rw ) | base ) username
4.43 Show snmp view

Use This command to display how OIDs are assigned to different Views.
Command Syntax
show snmp view
106
AsGa LightB
User Guide Commands
Command Mode
Exec
Examples
LightBolt#show snmp view
View Name Oid-tree Type

interfaces .1.3.6.1.2.1.2 included
interfaces .1.3.6.1.2.1.31.1.1 included
vlan .1.3.6.1.2.1.17 included
vlan .1.3.6.1.2.1.17.6 excluded
Related Commands
snmp-server view
no snmp-server view viewname
4.44 show all-files

This command show all stored files types. Those files can be Configuration Files, Image Files,
and log files.
Command Syntax
Show all-files
Command Mode
Exec mode
Usage
LightBOLT# show all-files
Examples
LightBOLT# show all-files

File name File type
teste2.log Log file
teste.conf Config file
teste.log Log file
AsGOS.conf Config file
Related Commands
4.45 Show log-files

This command shows all log files stored in permanent memory.
Command Syntax
show log-files
107
AsGa LightB
User Guide Commands
Command Mode
Exec mode
Usage
LightBOLT# show log-files
Examples
LightBOLT# show log-files

File name File type
teste2.log Log file
teste.log Log file
Related Commands
4.46 Show config-files

This command shows all configuration files stored in permanent memory. Specifying witch of
those files are used al startup time.
Command Syntax
show config-files
Command Mode
Exec mode
Usage
LightBOLT# show config-files
Examples
LightBOLT# show config-files
List of available files:

File name File type Startup Running
teste.conf Config file no no
AsGOS.conf Config file yes yes
Related Commands
108
AsGa LightB
User Guide Commands
4.47 Show image-files
Command Syntax
Command Mode
Usage
Examples
Related Commands
4.48 Show mac-address-table

Use the show mac address-table user EXEC command to display MAC address table
information for the specified MAC address.
Command Syntax
show mac-address-table (dynamic | static | interface IFNAME | vlan <1-

4094>|)
show Show running system information
mac-address-table MAC forwarding table <cr> All table
dynamic Show only dynamic entries
static Show only static entries
interface Show by interface
IFNAME Interface name
vlan Show by vlan id <1-4094>VLAN id
Command Mode
Enable mode
Usage
Show mac-address-table dynamic

Show max-address-table vlan 40
Show mac-address-table interface ge24
Examples
LightBolt#show mac-address-table

200 0000.C003.0102 Dynamic ge4 Yes
All 0036.0A4B.0002 Static L3 CPU No
200 0000.0101.0202 Static 1 No
200 0000.C001.0102 Dynamic ge2 Yes
LightBolt#show mac-address-table interface ge2

200 0000.C001.0102 Dynamic ge2 Yes
109
AsGa LightB
User Guide Commands
LightBolt#show mac-address-table vlan 200
200 0000.C003.0102 Dynamic ge4 Yes
200 0000.0101.0202 Static ge1 No
200 0000.C001.0102 Dynamic ge2 Yes
Related Commands
4.49 Storm-control
Use this command to select the appropriate storm control level for broadcast multicast packets or for
a Destination Lookup Failure DLF . Use the <no> statement of this command to negate its actions.
Command Syntax
storm-control (broadcast | multicast | dlf) level LEVEL
storm-control Set the switching characteristics of Layer2 interface

broadcast Set Broadcast Rate Limiting
multicast Set Multicast Rate Limiting
dlf Set DLF Broadcast Rate Limiting
level LEVEL Threshold Percentage (0.0-100.0)
Command Mode
Interface
Usage
storm-control broadcast level 0.9

storm-control multicast level 1
storm control dlf level 5
Examples
LightBolt(Configure)# interface ge1
LightBolt(interface)# storm-control broadcast 5
Related Commands
no storm-control (broadcast|multicast|dlf) level

show storm-control (IFNAME|)
110
AsGa LightB
User Guide Commands
V
4.50 VLAN Database
Use the vlan database privileged EXEC command to enter virtual LAN (VLAN) configuration
mode. From this mode, you can add, delete, and modify VLAN configurations.
Command Syntax
VLAN database <NO ARGUMENTS>
Command Mode
Configure mode
Default
No Default
Examples

AsGOS(config)# vlan database
AsGOS(VLAN)#
Related Commands
VLAN
4.51 VLAN
Use the VLAN configuration command to configure virtual LAN (VLAN) characteristics for a
specific VLAN. Use the <no> statement of this command without additional parameters to delete a
VLAN. All VLANs created under this command are Ethernet 802.1Q VLAN’s.
Command Syntax
VLAN <VLAN ID> Bridge <Bridge ID> name <VLAN Name>
VLAN ID: <2-4093>

Bridge ID <1-32> Bridge group at witch this VLAN is attached.
VLAN name: a text VLAN reference name
Command Mode
Configure mode Vlan Database mode
Default
The default VLAN ID is 1. By Default at power on the system start with all ports as access port with
per port VLAN equal to 1 and attached to Bridge Group 1. The Bridge Group 1 run classic STP
(802.1D).
111
AsGa LightB
User Guide Commands
Examples

AsGOS(config)# vlan database
AsGOS(VLAN)# VLAN 200 bridge 1 name TEST
Related Commands
bridge protocol ieee
4.52 Vlan classifier

Use The VLAN classifier command in global and Interface context in order to create a classifier
rule/group and assign it to an interface.The vlan classifier command permit creates a group and
assigns different classification rules inside of it. Then this group can be applied to an interface.
Use the <no vlan> classifier in an interface context in order to eliminate this classification group from
an interface context.
Use the <no vlan classifier group> <group number> in order to eliminate a complete group.
Use the vlan classifier group <group number> delete rule <rule number> to delete a particular rule
inside a group.
Up to 255 rules can be configured on a single group.
Up to 16 groups can be configured.
Command Syntax
vlan classifier <group | rule>
vlan classifier group <group number> <add | delete> rule <rule number>
vlan classifier rule <rule number> < ipv4 | mac | proto >
ipv4 format: A.B.C.D/M ipv4 address in A.B.C.D/M format
mac format: HHHH.HHHH.HHHH
proto: <0-65535> ethernet decimal
arp protocol - Address Resolution
atalkaarp protocol - Appletalk AARP
atalkddp protocol - Appletalk DDP
atmmulti protocol - MultiProtocol Over ATM
atmtransport protocol - Frame-based ATM Transport
dec protocol - DEC Assigned
deccustom protocol - DEC Customer use
decdiagnostics protocol - DEC Diagnostics
decdnadumpload protocol - DEC DNA Dump/Load
decdnaremoteconsole protocol - DEC DNA Remote Console
decdnarouting protocol - DEC DNA Routing
declat protocol - DEC LAT
decsyscomm protocol - DEC Systems Comms Arch
g8bpqx25 protocol - G8BPQ AX.25
ieeeaddrtrans protocol - Xerox IEEE802.3 PUP Address
Translation
ieeepup protocol - Xerox IEEE802.3 PUP
ip protocol - IP
ipv6 protocol - IPv6
ipx protocol - IPX
pppdiscovery protocol - PPPoE discovery
pppsession protocol - PPPoE session
rarp protocol - Reverse Address Resolution
x25 protocol - CCITT X.25
xeroxaddrtrans protocol - Xerox PUP Address Translation
xeroxpup protocol - Xerox PUP
112
AsGa LightB
User Guide Commands
Command Mode
Config mode
Interface mode
Default
No default
Examples
!
bridge 1 protocol mstp
bridge 1 acquire
vlan classifier rule 1 mac 0000.c004.0102 vlan 300
vlan classifier rule 2 ipv4 40.40.40.40/24 vlan 300
vlan classifier rule 3 proto 8192 encap ethv2 vlan 300
!
vlan database
vlan 300 bridge 1 name TEST3
vlan 300 bridge 1 state enable
!
interface ge4
switchport
bridge-group 1
vlan classifier activate 1
!
Related Commands
Vlan Database
Interface
W
4.53 Write
Use this command to transfer into or from permanent memory all system files. File types can
be: configuration files log files or image files.
Command Syntax
Write <config-file | log-file | image_file> <File name> <from-tftp | to-tftp>
<server: IPaddress>
Command Mode
Configure mode
113
AsGa LightB
User Guide Commands
Default
Examples
LightBolt(config)#write config-file 1.0.1LightBolt29304.txt from-tftp server
192.168.1.1
114
AsGa LightB
User Guide Warranty
WARRANTY
This product is guaranteed against production defects for a

period of 12 months to count starting from the date of the product’s
invoicing.
In case a production defect has been verified, AsGa will decide
on changing or repairing the defective equipment.
The transportation expenses related to the Customer's
equipment for AsGa will run due to the Customer. The shipment
expenses concerning the repaired / replaced equipment of AsGa for the
Customer will run due to AsGa.
This warranty is not extensive to the defects or damages caused
by inappropriate handling, inadequate maintenance, non authorized
modification, wrong use or operation in an environment outside of the
specifications of the equipment, as well as defects provoked by
atmospheric discharges.
This product is certified by Anatel, in accordance with the
procedures regulated by the Resolution No. 242 / 2000.
LightBolt 28304 LightBolt 28504
LightBolt 28322 LightBolt 28522
For consulting products certified by Anatel visits:

http://sistemas.anatel.gov.br/sgch/
13/10/2008 – ED.01.4.γ
AsGa LightB
User Guide Warranty

Manual Switch LightBolt

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Manual Switch LightBolt

Transféré par

Droits d'auteur :

Formats disponibles

AsGa LightBOLT

Light BOLT 10GigE Switch

4 COMMANDS IN ALPHABETIC ORDER .................................................................................................... 74

4.1 ACCESS-LIST .............................................................................................................................. 74

4.3 BOOT .......................................................................................................................................... 79

4.4 CLEAR COUNTERS....................................................................................................................... 80

4.7 DIR ............................................................................................................................................. 82

4.9 ERASE ........................................................................................................................................ 83

4.11 FLOLWCONTROL ......................................................................................................................... 84

4.12 HOSTNAME ................................................................................................................................. 85

4.13 INTERFACE ................................................................................................................................. 86

4.16 MAC-ADDRESS-TABLE AGING-TIME ............................................................................................ 88

4.19 SWITCHPORT .............................................................................................................................. 89

4.50 VLAN DATABASE.................................................................................................................... 111

4.53 WRITE ...................................................................................................................................... 113

LightBolt family of switches is composed by:

Full Layer 2 protocol support:

1.1 Front Panel

Figure 1-1: Front Panel.

Figure 1-2: Rear Panel.

1.3 POWER SUPPLY

1.6 ENVIRONMENTAL CONDITIONS

Table 2.1: System Defaults.

3.2 Conventions Used in this Guide

CONVENTION DESCRIPTION SYNTAX

3.3 Command Line Interface Primer

3.3.2 Syntax Help

[IFNAME] Interface name

Is the abbreviation for the “show interface command”.

3.3.4 Command Line Errors

If a command is incomplete it displays the following message:

3.4 Modes Common to Protocols

Line: This mode (or context) makes available access-class commands.

3.6 Format used for Command Description

3.7 Initial Configuration

• Set user names and passwords.

3.8 Connecting to the switch

3.8.1 Local Configuration

The following picture show the DB9 switch “Pin out”:

3.8.2 Remote Connections

AsGa> enable To enter in configuration mode ingress the enable command

3.9 Configuring the Switch

3.9.1 Basic Configuration – Console Connection

3.9.3 Displaying system inventory

System Inventory: Lightbolt 28304E

3.9.4 Defining 802.1Q VLAN

3.9.4.1 Creating VLANs into the Switch Database

vlan vlan-id {enable|disable}|[name vlan-name][state {suspend|active}

• Create the VLANs into the VLAN switch database:

3.9.5 Switch Port Roles

switched ports: ports witch can not accept an IP address or

switchport mode {access | trunk | hybrid}

• Setting an interface into switched port mode access:

• Setting an interface in switched port mode trunk:

switchport access vlan {vlan-id }

3.9.8 Adding VLANs to a Trunk Port

• Enabling all VLANs on a trunk port.

• Adding a particular VLAN to a trunk port.

3.9.9 Displaying VLAN information

Bridge VLAN ID Name State Member ports

3.9.10 Setting Management IP address

3.9.11 Specifying Host Name

3.10.1 File types

Flash disk space: