Netgear XCM8810 / XCM8806 Owner's Manual (XCM8800_UG), PDF, 968 pages, 2014-07-06
NETGEAR 8800 User Manual
Software Version 12.4

350 East Plumeria Drive
San Jose, CA 95134
USA
March 2011
202-10804-01
v1.0

NETGEAR 8800 User Manual

© 2011 NETGEAR, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, or get support online,
visit us at http://support.netgear.com. 
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): See Support information card.

Trademarks
NETGEAR, the NETGEAR logo, ReadyNAS, ProSafe, Smart Wizard, Auto Uplink, X-RAID2, and NeoTV are
trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, Windows NT, and Vista are
registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or
trademarks of their respective holders.

Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes
to the products described in this document without notice. NETGEAR does not assume any liability that may occur
due to the use, or application of, the product(s) or circuit layout(s) described herein.

Revision History

Publication Part Number | Version | Publish Date | Comments
------------------------|---------|--------------|------------------
202-10804-01            | v1.0    | March 2011   | First publication

Contents
Chapter 1 Overview
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Platform-Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Related Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Part 1: Using the NETGEAR 8800
Chapter 2 Getting Started
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Software Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Logging in to the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Understanding the Command Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Syntax Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Command Shortcuts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Object Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Port Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Numerical Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Line-Editing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Command History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Accessing the Switch for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Safe Defaults Setup Method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Configuring Management Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Account Access Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Configuring the Banner. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Startup Screen and Prompt Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Default Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Creating a Management Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Failsafe Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Managing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Applying a Password to the Default Account . . . . . . . . . . . . . . . . . . . . . 45
Applying Security to Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Displaying Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Access to Both MSM/MM Console Ports . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Domain Name Service Client Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Checking Basic Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Displaying Switch Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Chapter 3 Managing the Switch
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Understanding the XCM8800 Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Using the Console Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Using the 10/100 Ethernet Management Port . . . . . . . . . . . . . . . . . . . . . . 53
Authenticating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
TACACS+. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Management Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Using Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
About the Telnet Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
About the Telnet Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Connecting to Another Host Using Telnet . . . . . . . . . . . . . . . . . . . . . . . 56
Configuring Switch IP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Configuring Telnet Access to the Switch . . . . . . . . . . . . . . . . . . . . . . . . 58
Disconnecting a Telnet Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Using Secure Shell 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Using the Trivial File Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Connecting to Another Host Using TFTP . . . . . . . . . . . . . . . . . . . . . . . . 63
Understanding System Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Node Election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Replicating Data Between Nodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Viewing Node Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Understanding Hitless Failover Support. . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Protocol Support for Hitless Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Hitless Failover Caveats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Understanding Power Supply Management. . . . . . . . . . . . . . . . . . . . . . . . 72
Using Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Displaying Power Supply Information. . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Using the Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . 76
Enabling and Disabling SNMPv1/v2c and SNMPv3. . . . . . . . . . . . . . . . 77
Accessing Switch Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Configuring SNMPv1/v2c Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Displaying SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Message Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
SNMPv3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
SNMPv3 MIB Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
SNMPv3 Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Using the Simple Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring and Using SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
SNTP Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Chapter 4 Managing the XCM8800 Software
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Using the XCM8800 File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Moving or Renaming Files on the Switch . . . . . . . . . . . . . . . . . . . . . . . . 97
Copying Files on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Displaying Files on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Transferring Files to and from the Switch . . . . . . . . . . . . . . . . . . . . . . . 101
Deleting Files from the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Managing the Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Managing XCM8800 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Displaying Process Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Stopping a Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Starting a Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Understanding Memory Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Monitoring CPU Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Disabling CPU Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Enabling CPU Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Displaying CPU Utilization History . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Chapter 5 Configuring Slots and Ports on a Switch
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring Slots on NETGEAR 8800 Switches . . . . . . . . . . . . . . . . . . . 114
Details on I/O Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Configuring Ports on a Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Port Numbering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Enabling and Disabling Switch Ports . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring Switch Port Speed and Duplex Setting . . . . . . . . . . . . . . . 117
Jumbo Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Guidelines for Jumbo Frames. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Enabling Jumbo Frames per Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Enabling Jumbo Frames. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Path MTU Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
IP Fragmentation with Jumbo Frames . . . . . . . . . . . . . . . . . . . . . . . . . 123
IP Fragmentation within a VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Link Aggregation on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Link Aggregation Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Dynamic Versus Static Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Load-Sharing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Health Check Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Guidelines for Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring Switch Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Load-Sharing Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Displaying Switch Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Guidelines for Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Mirroring Rules and Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Mirroring Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Verifying the Mirroring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Remote Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuration Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Use of Remote Mirroring with Redundancy Protocols . . . . . . . . . . . . . 144
Remote Mirroring with STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Software-Controlled Redundant Port and Smart Redundancy. . . . . . . . . 146
Guidelines for Software-Controlled Redundant Ports and Port Groups . . . 147
Configuring Software-Controlled Redundant Ports . . . . . . . . . . . . . . . 147
Verifying Software-Controlled Redundant Port Configurations . . . . . . 148
Displaying Port Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Chapter 6 LLDP
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
LLDP Packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Transmitting LLDP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Receiving LLDP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Managing LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Supported TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Mandatory TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Optional TLVs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Configuring LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Enabling and Disabling LLDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Configuring the System Description TLV Advertisement . . . . . . . . . . . 165
Configuring LLDP Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Configuring SNMP for LLDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring Optional TLV Advertisements . . . . . . . . . . . . . . . . . . . . . . 167
Unconfiguring LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Displaying LLDP Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Displaying LLDP Port Configuration Information and Statistics . . . . . . 170
Displaying LLDP Information Detected from Neighboring Ports. . . . . . 171

Chapter 7 PoE
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
NETGEAR Networks PoE Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Summary of PoE Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Power Checking for PoE Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Power Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Enabling PoE to the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Power Reserve Budget. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
PD Disconnect Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Port Disconnect or Fault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Port Power Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
PoE Usage Threshold. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Legacy Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
PoE Operator Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Configuring PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Enabling Inline Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Reserving Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Setting the Disconnect Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configuring the Usage Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Configuring the Switch to Detect Legacy PDs . . . . . . . . . . . . . . . . . . . 182
Configuring the Operator Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Configuring PoE Port Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Power Cycling Connected PDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Adding an XCM88P Daughter Card to an Existing Configuration. . . . . 184
Displaying PoE Settings and Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Clearing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Displaying System Power Information . . . . . . . . . . . . . . . . . . . . . . . . . 186
Displaying Slot PoE Information on NETGEAR 8800 Switches . . . . . . 187
Displaying Port PoE Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Chapter 8 Status Monitoring and Statistics
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Viewing Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Viewing Port Errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Using the Port Monitoring Display Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Viewing VLAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Performing Switch Diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Running Diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Observing LED Behavior During a Diagnostic Test . . . . . . . . . . . . . . . 199
Displaying Diagnostic Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Using the System Health Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Understanding the System Health Checker . . . . . . . . . . . . . . . . . . . . . 202
Enabling Diagnostic Packets on NETGEAR 8800 Switches . . . . . . . . 203
Configuring Diagnostic Packets on the Switch . . . . . . . . . . . . . . . . . . . 203
Disabling Diagnostic Packets on the Switch. . . . . . . . . . . . . . . . . . . . . 203
Displaying the System Health Check Setting . . . . . . . . . . . . . . . . . . . . 203
System Health Check Examples: Diagnostics . . . . . . . . . . . . . . . . . . . 204
Setting the System Recovery Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Configuring Software Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Configuring Module Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Viewing Fan Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Viewing the System Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
System Temperature Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Power Supply Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Using the Event Management System/Logging . . . . . . . . . . . . . . . . . . . . 214
Sending Event Messages to Log Targets. . . . . . . . . . . . . . . . . . . . . . . 215
Filtering Events Sent to Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Displaying Real-Time Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Displaying Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Uploading Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Displaying Counts of Event Occurrences . . . . . . . . . . . . . . . . . . . . . . . 227
Displaying Debug Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Logging Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Using sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Sampling Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Configuring sFlow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Additional sFlow Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . 231
sFlow Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Displaying sFlow Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Using RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
About RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Supported RMON Groups of the Switch. . . . . . . . . . . . . . . . . . . . . . . . 234
Configuring RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Event Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Displaying RMON Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
SMON. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Chapter 9 VLANs
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Virtual Routers and VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Types of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Tagged VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Protocol-Based VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Precedence of Tagged Packets Over Protocol Filters . . . . . . . . . . . . . 246
Default VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
VLAN Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Renaming a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring VLANs on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Creating and Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Enabling and Disabling VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
VLAN Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Displaying Protocol Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
PVLAN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Configuring PVLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Displaying PVLAN Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
PVLAN Configuration Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
PVLAN Configuration Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Chapter 10 FDB
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
FDB Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
How FDB Entries Get Added . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
FDB Entry Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Managing the FDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Adding a Permanent Static Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuring the FDB Aging Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Adding Virtual MAC Entries from IP ARP Packets . . . . . . . . . . . . . . . . 275
Clearing FDB Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Managing Multiple Port FDB Entries. . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Supporting Remote Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Managing FDB MAC Address Tracking . . . . . . . . . . . . . . . . . . . . . . . . 277
Displaying FDB Entries and Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Displaying FDB Entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Displaying FDB Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
MAC-Based Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Managing MAC Address Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Managing Egress Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Displaying Learning and Flooding Settings . . . . . . . . . . . . . . . . . . . . . 282
Creating Blackhole FDB Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Multicast FDB with Multiport Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Chapter 11 Virtual Routers
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Types of Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
User Virtual Router Configuration Domain . . . . . . . . . . . . . . . . . . . . . . 287
Managing Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Creating and Deleting User Virtual Routers . . . . . . . . . . . . . . . . . . . . . 288
Changing the VR Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Adding and Deleting Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . 289
Configuring Ports to Use One or More Virtual Routers. . . . . . . . . . . . . 290
Displaying Ports and Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Configuring the Routing Protocols and VLANs. . . . . . . . . . . . . . . . . . . 292
Virtual Router Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

Chapter 12 Policy Manager
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Creating and Editing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Using the Edit Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Using a Separate Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Checking Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Refreshing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Applying Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Applying ACL Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Applying Routing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Chapter 13 ACLs
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
ACL Rule Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Matching All Egress Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Comments and Descriptions in ACL Policy Files . . . . . . . . . . . . . . . . . 302
Types of Rule Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Action Modifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
ACL Rule Syntax Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Layer-2 Protocol Tunneling ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Dynamic ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Creating the Dynamic ACL Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Configuring the ACL Rule on the Interface. . . . . . . . . . . . . . . . . . . . . . 314
Configuring ACL Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
ACL Evaluation Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Applying ACL Policy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Displaying and Clearing ACL Counters . . . . . . . . . . . . . . . . . . . . . . . . 321
Example ACL Rule Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
ACL Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
ACL Slices and Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
ACL Counters—Shared and Dedicated . . . . . . . . . . . . . . . . . . . . . . . . 337
Policy-Based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Layer 3 Policy-Based Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Layer 2 Policy-Based Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Policy-Based Redirection Redundancy . . . . . . . . . . . . . . . . . . . . . . . . 341
ACL Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Chapter 14 Routing Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Routing Policy File Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Policy Match Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Policy Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Policy Action Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Applying Routing Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Policy Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Translating an access profile to a policy. . . . . . . . . . . . . . . . . . . . . . . . 353
Translating a Route Map to a Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Chapter 15 QoS
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Applications and Types of QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Traffic Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Introduction to Rate Limiting, Rate Shaping, and Scheduling . . . . . . . 366
Meters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Multicast Traffic Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Egress Port Rate Limiting and Rate Shaping . . . . . . . . . . . . . . . . . . . . 371
Configuring QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Platform Configuration Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Selecting the QoS Scheduling Method . . . . . . . . . . . . . . . . . . . . . . . . . 373
Configuring 802.1p or DSCP Replacement . . . . . . . . . . . . . . . . . . . . . 374
Configuring Egress QoS Profile Rate Shaping . . . . . . . . . . . . . . . . . . . 378
Configuring Egress Port Rate Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Configuring Traffic Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Creating and Managing Meters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Adjusting the Byte Count Used to Calculate Traffic Rates . . . . . . . . . . 384
Controlling Flooding, Multicast, and Broadcast Traffic on Ingress Ports . . . 385
Displaying QoS Configuration and Performance . . . . . . . . . . . . . . . . . . . 385
Displaying Traffic Group Configuration Data . . . . . . . . . . . . . . . . . . . . 385
Displaying the Rate-Limiting and Rate-Shaping Configuration. . . . . . . 386
Displaying Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Chapter 16 Network Login
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Web-Based, MAC-Based, and 802.1x Authentication . . . . . . . . . . . . . 390
Multiple Supplicant Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Campus and ISP Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Network Login and Hitless Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Configuring Network Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Enabling or Disabling Network Login on the Switch . . . . . . . . . . . . . . . 395
Enabling or Disabling Network Login on a Specific Port. . . . . . . . . . . . 395
Configuring the Move Fail Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Displaying Network Login Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Exclusions and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Authenticating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Local Database Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
802.1x Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Interoperability Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Enabling and Disabling 802.1x Network Login . . . . . . . . . . . . . . . . . . . 403
802.1x Network Login Configuration Example . . . . . . . . . . . . . . . . . . . 404
Configuring Guest VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Post-authentication VLAN Movement. . . . . . . . . . . . . . . . . . . . . . . . . . 408
802.1x Authentication and Network Access Protection . . . . . . . . . . . . 408
Web-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Enabling and Disabling Web-Based Network Login . . . . . . . . . . . . . . . 413
Configuring the Base URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Configuring the Redirect Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Configuring Proxy Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Configuring Session Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Configuring Logout Privilege. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Configuring the Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Customizable Authentication Failure Response . . . . . . . . . . . . . . . . . . 417

Customizable Graphical Image in Logout Popup Window . . . . . . . . . . 417
Web-Based Network Login Configuration Example . . . . . . . . . . . . . . . 418
Web-Based Authentication User Login. . . . . . . . . . . . . . . . . . . . . . . . . 419
MAC-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Enabling and Disabling MAC-Based Network Login . . . . . . . . . . . . . . 422
Associating a MAC Address to a Specific Port. . . . . . . . . . . . . . . . . . . 422
Adding and Deleting MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 423
Displaying the MAC Address List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Configuring Reauthentication Period . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Secure MAC Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . 424
MAC-Based Network Login Configuration Example. . . . . . . . . . . . . . . 425
Additional Network Login Configuration Details . . . . . . . . . . . . . . . . . . . . 425
Configuring Network Login MAC-Based VLANs. . . . . . . . . . . . . . . . . . 426
Configuring Dynamic VLANs for Network Login. . . . . . . . . . . . . . . . . . 428
Configuring Network Login Port Restart . . . . . . . . . . . . . . . . . . . . . . . . 431
Authentication Failure and Services Unavailable Handling . . . . . . . . . 432

Chapter 17 Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Safe Defaults Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
MAC Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Limiting Dynamic MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
MAC Address Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
MAC Address Lockdown with Timeout. . . . . . . . . . . . . . . . . . . . . . . . . 440
DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Enabling and Disabling DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Configuring the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Displaying DHCP Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
IP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
DHCP Snooping and Trusted DHCP Server . . . . . . . . . . . . . . . . . . . . 447
Source IP Lockdown. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
ARP Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Gratuitous ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
ARP Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Denial of Service Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Configuring Simulated Denial of Service Protection. . . . . . . . . . . . . . . 462
Configuring Denial of Service Protection . . . . . . . . . . . . . . . . . . . . . . . 463
Protocol Anomaly Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Flood Rate Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Authenticating Management Sessions Through the Local Database. . . . 465
Authenticating Management Sessions Through a TACACS+ Server . . . 465
Configuring the TACACS+ Client for Authentication and Authorization 466
Configuring the TACACS+ Client for Accounting . . . . . . . . . . . . . . . . . 468
Authenticating Management Sessions Through a RADIUS Server . . . . . 471
How NETGEAR Switches Work with RADIUS Servers . . . . . . . . . . . . 472
Configuration Overview for Authenticating Management Sessions . . . 473
Authenticating Network Login Users Through a RADIUS Server. . . . . . . 474

How Network Login Authentication Differs from Management Session Authentication . . . 474
Configuration Overview for Authenticating Network Login Users . . . . . 475
Configuring the RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Configuring the RADIUS Client for Authentication and Authorization. . 475
Configuring the RADIUS Client for Accounting. . . . . . . . . . . . . . . . . . . 477
RADIUS Server Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring User Authentication (Users File) . . . . . . . . . . . . . . . . . . . . 479
Configuring the Dictionary File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Configuring Command Authorization (RADIUS Profiles) . . . . . . . . . . . 489
Additional RADIUS Configuration Examples . . . . . . . . . . . . . . . . . . . . 492
Implementation Notes for Specific RADIUS Servers . . . . . . . . . . . . . . 496
Setting Up Open LDAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Configuring a Windows XP Supplicant for 802.1x Authentication . . . . . . 503
Hypertext Transfer Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Secure Shell 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Enabling SSH2 for Inbound Switch Access . . . . . . . . . . . . . . . . . . . . . 505
Viewing SSH2 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Using ACLs to Control SSH2 Access . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Using SCP2 from an External SSH2 Client . . . . . . . . . . . . . . . . . . . . . 510
Understanding the SSH2 Client Functions on the Switch. . . . . . . . . . . 511
Using SFTP from an External SSH2 Client . . . . . . . . . . . . . . . . . . . . . 512
Secure Socket Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Enabling and Disabling SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Creating Certificates and Private Keys . . . . . . . . . . . . . . . . . . . . . . . . . 515
Displaying SSL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Part 2: Using Switching and Routing Protocols
Chapter 18 STP
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Compatibility Between IEEE 802.1D-1998 and IEEE 802.1D-2004 STP Bridges . . . 520
BPDU Restrict on Edge Safeguard. . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Spanning Tree Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Member VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
STPD Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Encapsulation Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
STP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Binding Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Rapid Root Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
STPD BPDU Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
STP and Hitless Failover—Modular Switches Only . . . . . . . . . . . . . . . 537
STP Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Basic STP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Multiple STPDs on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
VLANs Spanning Multiple STPDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

EMISTP Deployment Constraints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Per VLAN Spanning Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
STPD VLAN Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Native VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
RSTP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
RSTP Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
MSTP Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
MSTP Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
STP and Network Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
STP Rules and Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Configuring STP on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Displaying STP Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
STP Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Basic 802.1D Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . 575
EMISTP Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
RSTP 802.1w Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . 577
MSTP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

Chapter 19 VRRP
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
VRRP and Hitless Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
VRRP Master Election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
VRRP Master Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
VRRP Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
VRRP Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
VRRP Tracking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
VRRP Tracking Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
VRRP VLAN Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
VRRP Route Table Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
VRRP Ping Tracking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Displaying VRRP Tracking Information . . . . . . . . . . . . . . . . . . . . . . . . 589
VRRP Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Simple VRRP Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Fully Redundant VRRP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
VRRP Tracking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592

Chapter 20 IPv4 Unicast Routing
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Router Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Populating the Routing Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Hardware Routing Table Management. . . . . . . . . . . . . . . . . . . . . . . . . 604
Configuring Unicast Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Configuring Basic Unicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Adding a Default Route or Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Configuring Static Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

Configuring the Relative Route Priority. . . . . . . . . . . . . . . . . . . . . . . . . 613
Configuring Hardware Routing Table Usage . . . . . . . . . . . . . . . . . . . . 613
Configuring IP Route Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Configuring Route Compression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Configuring Static Route Advertisement. . . . . . . . . . . . . . . . . . . . . . . . 614
Verifying the Routing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Viewing IP Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Viewing the IP ARP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Viewing IP ARP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Viewing the IP Configuration for a VLAN . . . . . . . . . . . . . . . . . . . . . . . 615
Viewing Compressed Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Routing Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Proxy ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
ARP-Incapable Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Proxy ARP Between Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
IPv4 Multinetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Multinetting Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
How Multinetting Affects Other Features . . . . . . . . . . . . . . . . . . . . . . . 621
Configuring IPv4 Multinetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
IP Multinetting Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
DHCP/BOOTP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Configuring the DHCP Relay Agent Option (Option 82) at Layer 3 . . . 627
Verifying the DHCP/BOOTP Relay Configuration . . . . . . . . . . . . . . . . 629
Broadcast UDP Packet Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Configuring UDP Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
UDP Echo Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
IP Broadcast Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
IP Broadcast Handling Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Command-line Support for IP Broadcast Handling. . . . . . . . . . . . . . . . 633
VLAN Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
VLAN Aggregation Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
VLAN Aggregation Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
SubVLAN Address Range Checking . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Isolation Option for Communication Between SubVLANs . . . . . . . . . . 636
VLAN Aggregation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Verifying the VLAN Aggregation Configuration. . . . . . . . . . . . . . . . . . . 637

Chapter 21 IPv6 Unicast Routing
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Router Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Specifying IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Neighbor Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
Populating the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Configuring IP Unicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Configuring Basic IP Unicast Routing. . . . . . . . . . . . . . . . . . . . . . . . . . 647
Managing Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

Managing Router Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Managing Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Verifying the IP Unicast Routing Configuration . . . . . . . . . . . . . . . . . . 651
Configuring Route Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Configuring Route Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Hardware Forwarding Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Hardware Forwarding Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Hardware Tunnel Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Routing Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Tunnel Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
6in4 Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
6to4 Tunnel Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

Chapter 22 RIP
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
RIP Versus OSPF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Advantages of RIP and OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Overview of RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Split Horizon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Poison Reverse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Triggered Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Route Advertisement of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
RIP Version 1 Versus RIP Version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Route Redistribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Configuring Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
RIP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666

Chapter 23 RIPng
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
RIPng Versus OSPFv3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Advantages of RIPng and OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Overview of RIPng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Split Horizon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Poison Reverse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Triggered Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Route Advertisement of VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Route Redistribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Configuring Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
RIPng Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671

Chapter 24 OSPF
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
OSPF Edge Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Link State Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674

Graceful OSPF Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676
Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Point-to-Point Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Configuring Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
OSPF Timers and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Configuring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Configuring OSPF Wait Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
OSPF Wait Interval Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
OSPF Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Configuration for ABR1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Configuration for IR1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Displaying OSPF Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686

Chapter 25 OSPFv3
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
OSPFv3 Edge Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Link State Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Link-Type Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Configuring Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
OSPFv3 Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
OSPFv3 Configuration Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
Configuration for Router 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Configuration for Router 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Configuration for Router 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696

Chapter 26 BGP
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
BGP Four-Byte AS Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
BGP Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
BGP Community Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Extended Community Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Multiprotocol BGP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
BGP Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Route Reflectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Route Confederations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Route Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Inactive Route Advertisement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Default Route Origination and Advertisement . . . . . . . . . . . . . . . . . . . 711
Using the Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Looped AS_Path Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
BGP Peer Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
BGP Route Flap Dampening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
BGP Route Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Stripping Out Private AS Numbers from Route Updates . . . . . . . . . . . 716

Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
BGP ECMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
BGP Static Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
Graceful BGP Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Cease Subcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Fast External Fallover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Capability Negotiation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Route Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723

Chapter 27 Multicast Routing and Switching

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Multicast Routing Table and RPF Overview. . . . . . . . . . . . . . . . . . . . . . . 725
PIM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
PIM Edge Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
PIM Dense Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
PIM Sparse Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
PIM Mode Interoperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
PIM Source Specific Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
PIM Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
IGMP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Static IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
IGMP Snooping Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Limiting the Number of Multicast Sessions on a Port . . . . . . . . . . . . . . 736
Enabling and Disabling IGMP Snooping Fast Leave . . . . . . . . . . . . . . 736
Using IGMP-SSM Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Configuring IP Multicast Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Enabling Multicast Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Configuring PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Configuring Multicast Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
PIM Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Multicast VLAN Registration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Basic MVR Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Inter-Multicast VLAN Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
MVR Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
Displaying Multicast Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
Displaying the Multicast Routing Table . . . . . . . . . . . . . . . . . . . . . . . . 756
Displaying the Multicast Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
Looking Up a Multicast Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
Looking Up the RPF for a Multicast Source . . . . . . . . . . . . . . . . . . . . . 756
Displaying the PIM Snooping Configuration . . . . . . . . . . . . . . . . . . . . . 757
Troubleshooting PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Multicast Trace Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Multicast Router Information Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758

Chapter 28 IPv6 Multicast
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
Managing MLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Enabling and Disabling MLD on a VLAN . . . . . . . . . . . . . . . . . . . . . . . 760
Configuring MLD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Clearing MLD Group Registration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Configuring Static MLD Groups and Routers . . . . . . . . . . . . . . . . . . . . 760
Displaying MLD Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761

Chapter 29 MSDP
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
PIM Border Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
MSDP Peers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
MSDP Default Peers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
Peer Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Policy Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
SA Request Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
MSDP Mesh-Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Anycast RP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
SA Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
Maximum SA Cache Entry Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Scaling Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Configuring MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Configuring an MSDP Mesh-Group . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Configuring Anycast RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775

Chapter 30 vMAN (PBN)
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
vMANs (PBNs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
vMAN Configuration Options and Features . . . . . . . . . . . . . . . . . . . . . 782
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
Configuring vMANs (PBNs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
Configuring vMAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
Displaying vMAN Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
vMAN Example, NETGEAR 8810. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Multiple vMAN Ethertype Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790

Part 3: Appendixes
Appendix A XCM8800 Software Licenses
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Switch License Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Aggregation License Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Advanced Core License Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Displaying Software Licenses and Feature Packs . . . . . . . . . . . . . . . . . . 798
Obtaining a License Voucher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Enabling and Verifying Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Obtaining Feature Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799

Appendix B Software Upgrade and Boot Options
Downloading a New Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Image Filename Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
Understanding the Image Version String . . . . . . . . . . . . . . . . . . . . . . . 803
Software Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Selecting a Primary or a Secondary Image . . . . . . . . . . . . . . . . . . . . . 803
Installing a Core Image. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Installing a Modular Software Package . . . . . . . . . . . . . . . . . . . . . . . . 806
Rebooting the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Rebooting the Management Module . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Understanding Hitless Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Understanding the I/O Version Number . . . . . . . . . . . . . . . . . . . . . . . . 811
Performing a Hitless Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
Hitless Upgrade Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Configuration Changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
Viewing a Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Returning to Factory Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
ASCII-Formatted Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Using TFTP to Upload the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 822
Using TFTP to Download the Configuration. . . . . . . . . . . . . . . . . . . . . . . 824
Synchronizing Nodes on Modular Switches . . . . . . . . . . . . . . . . . . . . . . . 825
Additional Behavior on the NETGEAR 8800 Series Switches . . . . . . . 825
Automatic Synchronization of Configuration Files . . . . . . . . . . . . . . . . 825
Accessing the Bootloader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 826
Upgrading the Firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Displaying the BootROM and Firmware Versions . . . . . . . . . . . . . . . . . . 828

Appendix C Troubleshooting
Troubleshooting Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
Layer 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
Layer 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
LEDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833
Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
General Tips and Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . 835
MSM Prompt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Command Prompt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Port Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Software License Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
STP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
Using the Rescue Software Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Obtaining the Rescue Image from a TFTP Server . . . . . . . . . . . . . . . . 842
Obtaining the Rescue Image from an External Compact Flash Memory Card . . . 843
Debug Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Saving Debug Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Enabling the Switch to Send Debug Information to the Memory Card . 845
Copying Debug Information to an External Memory Card . . . . . . . . . . 846
Copying Debug Information to a TFTP Server . . . . . . . . . . . . . . . . . . . 846
Managing Debug Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Evaluation Precedence for ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
TOP Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
TFTP Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
System Odometer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Monitored Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Recorded Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Temperature Operating Range. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
Corrupted BootROM on NETGEAR 8800 Series Switches . . . . . . . . . . . 853
Inserting Powered Devices in the PoE Module . . . . . . . . . . . . . . . . . . . . 854
Modifying the Hardware Table Hash Algorithm . . . . . . . . . . . . . . . . . . . . 854
Configuring the Hash Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Viewing the Hash Algorithm Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . 855
Contacting NETGEAR Technical Support . . . . . . . . . . . . . . . . . . . . . . . . 855

Appendix D Supported Protocols, MIBs, and Standards
MIB Support Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
Standard MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
NETGEAR Proprietary MIBs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896

Appendix E Glossary
Index

1. Overview

This chapter contains the following sections:
• Introduction on page 22
• Conventions on page 23
• Related Publications on page 24

Introduction
This guide provides the required information to configure the NETGEAR 8800 software in the
currently supported versions running on NETGEAR switches.
This guide is intended for use by network administrators who are responsible for installing and
setting up network equipment. Working knowledge of the following is assumed:
• Local area networks (LANs)
• Ethernet concepts
• Ethernet switching and bridging concepts
• Routing concepts
• Internet Protocol (IP) concepts
• Routing Information Protocol (RIP) and Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP-4) concepts
• IP multicast concepts
• Protocol Independent Multicast (PIM) concepts
• Simple Network Management Protocol (SNMP)

Note: If any information in the release notes included with your switch
differs from the information in this guide, follow the release notes.

Terminology
When features, functionality, or operation is specific to a switch family, the family name is
used. Explanations about features and operations that are the same across all product
families simply refer to the product as the “switch.”

Conventions
This section describes conventions used in the documentation.

Platform-Naming Conventions
The information in this guide applies to the following NETGEAR 8800 series switches: the
NETGEAR 8810 and the NETGEAR 8806.

Text Conventions
Table 1 and Table 2 list the conventions used throughout this guide.
Table 1. Notice Icons
Notice Type   Alerts you to...
Caution       Risk of personal injury, system damage, or loss of data.
Warning       Risk of severe personal injury.

Table 2. Text Conventions
Screen display
    This typeface indicates command syntax, or represents information as it appears on the
    screen.
The words “enter” and “type”
    When you see the word “enter” in this guide, you must type something, and then press the
    Return or Enter key. Do not press the Return or Enter key when an instruction simply says
    “type.”
[Key] names
    Key names are written with brackets, such as [Return] or [Esc].
    If you must press two or more keys simultaneously, the key names are linked with a plus
    sign (+). Example:
    Press [Ctrl]+[Alt]+[Del].
Words in italicized type
    Italics emphasize a point or denote new terms at the place where they are defined in the
    text. (Italics are also used when referring to publication titles.)

Related Publications
The publications related to this one are:
• NETGEAR 8800 Chassis Switch CLI Manual
• NETGEAR 8800 Release Notes
• NETGEAR 8800 Series Switches Hardware Installation Guide

Documentation for NETGEAR products is available on the World Wide Web at the following
location:
http://www.netgear.com/

Part 1: Using the NETGEAR 8800

2. Getting Started

This chapter includes the following sections:
• Overview on page 27
• Software Required on page 28
• Logging in to the Switch on page 28
• Understanding the Command Syntax on page 29
• Port Numbering on page 34
• Line-Editing Keys on page 34
• Command History on page 35
• Common Commands on page 35
• Accessing the Switch for the First Time on page 38
• Configuring Management Access on page 39
• Managing Passwords on page 45
• Access to Both MSM/MM Console Ports on page 47
• Domain Name Service Client Services on page 47
• Checking Basic Connectivity on page 48
• Displaying Switch Information on page 50

Overview
Table 3 lists the products that run XCM8800 software.
Table 3. NETGEAR 8800 Switches
Switch Series          Switches
NETGEAR 8800 Series    NETGEAR 8810, NETGEAR 8806

This chapter describes how to get started using the XCM8800 software on these switches.

Software Required
The tables in this section describe the software version required for each switch that runs
XCM8800 software.

Note: The features available on each switch are determined by the
installed feature license and optional feature packs. For more
information, see Appendix A, XCM8800 Software Licenses.

Table 4 lists the NETGEAR 8000 series modules and the XCM8800 software version
required to support each module.
Table 4. NETGEAR 8000 Series Switch Modules and Required Software
Module Series Name   Modules                                  Minimum Software Version
MSMs                 XCM88S1                                  XCM8800 12.4
8800-series          XCM8824F, XCM8848T, XCM8808X, XCM888F    XCM8800 12.4

Logging in to the Switch
The initial login prompt appears as follows:
(Pending-AAA) login:

At this point, the failsafe account is now available, but the normal AAA login security is not.
(For additional information on using the failsafe account, see Failsafe Accounts on page 44.)
Wait for the following message to appear:
Authentication Service (AAA) on the master node is now available for login.

At this point, the normal AAA login security is available. When you now press the [Enter] key,
the following prompt appears:
login

Whether or not you press the [Enter] key, once you see the above message you can perform
a normal login. (See Default Accounts on page 43.)

Understanding the Command Syntax
This section describes the steps to take when entering a command. See the sections that
follow for detailed information on using the command line interface (CLI).
The NETGEAR 8800 command syntax is described in detail in the NETGEAR 8800 Chassis
Switch CLI Manual. Some commands are also described in this guide to show how to use the
features of the XCM8800 software. However, only a subset of commands is described here,
and in some cases only a subset of the options that a command supports. The NETGEAR 8800
Chassis Switch CLI Manual should be considered the definitive source for information on
NETGEAR 8800 commands.
You may enter configuration commands at the # prompt. At the > prompt, you may enter only
monitoring commands, not configuration commands. When you log in as administrator
(which has read and write access), you see the # prompt. When you log in as user (which
has only read access), you will see the > prompt. As you are booting up, you may see the >
command prompt. When the bootup process is complete, the # prompt is displayed.
When entering a command at the prompt, ensure that you have the appropriate privilege
level. Most configuration commands require you to have the administrator privilege level. For
more information on setting CLI privilege levels, see the NETGEAR 8800 Chassis Switch CLI
Manual. To use the CLI:
1. Enter the command name.
If the command does not include a parameter or values, skip to step 3. If the command
requires more information, continue to step 2.
2. If the command includes a parameter, enter the parameter name and values.
The value part of the command specifies how you want the parameter to be set. Values
include numerics, strings, or addresses, depending on the parameter.
3. After entering the complete command, press [Return].

Note: If an asterisk (*) appears in front of the command line prompt, it
indicates that you have outstanding configuration changes that have
not been saved. For more information on saving configuration
changes, see Appendix B, Software Upgrade and Boot Options.

This section describes the following topics:
• Syntax Helper on page 30
• Command Shortcuts on page 30
• Object Names on page 31
• Symbols on page 32
• Limits on page 33

Syntax Helper
The CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular
command, enter as much of the command as possible and press [Tab] or [?]. The syntax
helper provides a list of options for the remainder of the command and places the cursor at
the end of the command you have entered so far, ready for the next option.
If you enter an invalid command, the syntax helper notifies you of your error and indicates
where the error is located.
If the command is one where the next option is a named component (such as a VLAN,
access profile, or route map), the syntax helper also lists any currently configured names that
might be used as the next option. In situations where this list is very long, the syntax helper
lists only one line of names, followed by an ellipsis (...) to indicate that there are more names
than can be displayed.

Abbreviated Syntax
Abbreviated syntax is the shortest unambiguous allowable abbreviation of a command or
parameter. Typically, this is the first three letters of the command. If you do not enter enough
letters to allow the switch to determine which command you mean, the syntax helper provides
a list of the options based on the portion of the command you have entered.

Note: When using abbreviated syntax, you must enter enough characters
to make the command unambiguous and distinguishable to the
switch.
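The two rules above (the shortest unambiguous abbreviation, and the helper's one-line name list with an ellipsis) can be written down as a small resolver. The following is an added example, not code from the NETGEAR manual or the switch software; COMMANDS and VLAN_NAMES are constructed samples, not the switch's real command table, and the 40-character line width is an assumption.

```python
# Added example, not code from the NETGEAR manual: a resolver for the
# "shortest unambiguous abbreviation" rule and the syntax helper's
# one-line name listing. COMMANDS and VLAN_NAMES are constructed samples,
# not the switch's real command table.
COMMANDS = ["configure", "create", "delete", "disable", "enable",
            "reboot", "restart", "save", "show"]

VLAN_NAMES = ["default", "engineering", "finance", "guest", "mgmt"]


class AmbiguousCommand(Exception):
    """The prefix matches more than one candidate; the helper lists them."""

    def __init__(self, prefix, candidates):
        super().__init__(f"ambiguous '{prefix}': {', '.join(candidates)}")
        self.prefix = prefix
        self.candidates = candidates


def resolve(prefix, candidates):
    """Expand an abbreviation to the single candidate it denotes.

    An exact match wins even when it is also a prefix of longer words,
    so a complete command word is never reported as ambiguous. Raises
    KeyError when nothing matches and AmbiguousCommand when several do.
    """
    if prefix in candidates:
        return prefix
    matches = [c for c in candidates if c.startswith(prefix)]
    if not matches:
        raise KeyError(prefix)
    if len(matches) > 1:
        raise AmbiguousCommand(prefix, matches)
    return matches[0]


def shortest_abbreviation(word, candidates):
    """Return the shortest prefix of word that resolves uniquely to it."""
    for n in range(1, len(word) + 1):
        try:
            if resolve(word[:n], candidates) == word:
                return word[:n]
        except (KeyError, AmbiguousCommand):
            continue
    return word


def helper_listing(prefix, candidates, width=40):
    """Mimic the syntax helper's name list: candidates matching prefix on
    one line, cut off with an ellipsis when the line would overflow."""
    matches = [c for c in candidates if c.startswith(prefix)]
    line = ""
    for name in matches:
        piece = name if not line else " " + name
        if len(line) + len(piece) > width:
            return line + " ..."
        line += piece
    return line


if __name__ == "__main__":
    for word in COMMANDS:
        print(f"{word:<10} shortest abbreviation: {shortest_abbreviation(word, COMMANDS)}")
    print(helper_listing("", VLAN_NAMES, width=20))
```

With the constructed table, "configure" shortens to "co" because "c" alone also matches "create", and "reboot" needs "reb" because "re" also matches "restart"; this is exactly why the note says the first three letters are only typical, not guaranteed.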

Command Shortcuts
Components are typically named using the create command. When you enter a command to
configure a named component, you do not need to use the keyword of the component. For
example, to create a VLAN, enter a VLAN name:
create vlan engineering

After you have created the name for the VLAN, you can then eliminate the keyword vlan from
all other commands that require the name to be entered. For example, instead of entering the
modular switch command:
configure vlan engineering delete port 1:3,4:6

you can enter the following shortcut:
configure engineering delete port 1:3,4:6

Object Names
All named components within a category of the switch configuration, such as VLAN, must be
given a unique object name. Object names must begin with an alphabetical character and
may contain alphanumeric characters and underscores (_), but they cannot contain spaces.
The maximum allowed length for a name is 32 characters.
Object names can be reused across categories (for example, STPD and VLAN names). If the
software encounters any ambiguity in the components within your command, it generates a
message requesting that you clarify the object you specified.

Note: If you use the same name across categories, NETGEAR
recommends that you specify the identifying keyword as well as the
actual name. If you do not use the keyword, the system may return
an error message.

Reserved Keywords
Keywords such as vlan, stp, and other second-level keywords are reserved keywords and
cannot be used as object names. This restriction applies to the specific word (vlan) only;
expanded versions (vlan2) can be used.
A complete list of the reserved keywords for XCM8800 12.4.2 and later software is displayed
in Table 5. Any keyword that is not on this list can be used as an object name. Prior to 12.4.2,
all keywords were reserved, that is, none of them could be used for naming user-created
objects such as VLANs.

Table 5. Reserved Keywords
aaa
access-list
account
accounts
bandwidth
banner
bfd
bgp
bootp
bootprelay
brm
bvlan
cancel
cfgmgr
cfm
checkpoint-data
cli
cli-config-logging
clipaging
configuration
configure
continuous
count
counters
cpu-monitoring
cpu-transmit-priority
cvlan
debug
debug-mode
devmgr
dhcp
dhcp-client
dhcp-server
diagnostics
diffserv
dns-client
dont-fragment
dos-protect
dot1ag
dot1p
dot1q
ds
edp
egress
elrp
elrp-client
ems
epm
fabric
failover
failsafe-account
fans
fdb
fdbentry
firmware
flood-group
flooding
flow-control
flow-redirect
forwarding
from
get
hal
hclag
heartbeat
icmp
identity-management
idletimeout
idmgr
igmp
image
ingress
inline-power
internal-memory
interval
iob-debug-level
iparp
ipconfig
ipforwarding
ipmc
ipmcforwarding
ipmroute
ip-mtu
ip-option
iproute
ip-security
ipstats
ipv4
IPv4
ipv6
IPv6
ipv6acl
irdp
isid
isis
jumbo-frame
jumbo-frame-size
l2stats
l2vpn
lacp
learning
learning-domain
license
license-info
licenses
lldp
log
loopback-mode
mac
mac-binding
mac-lockdown-timeout
management
mcast
memory
memorycard
meter
mirroring
mld
mrinfo
msdp
msgsrv
msm
msm-failover
mstp
mtrace
multiple-response-timeout
mvr
neighbor-discovery
netlogin
nettools
node
nodemgr
odometers
ospf
ospfv3
pim
policy
ports
power
primary
private-vlan
process
protocol
put
qosprofile
qosscheduler
radius
radius-accounting
rip
ripng
rmon
router-discovery
rtmgr
safe-default-script
script
secondary
session
sflow
sharing
show
slot
slot-poll-interval
smartredundancy
snmp
snmpv3
sntp-client
source
ssl
stacking
stacking-support
stack-topology
start-size
stp
stpd
subvlan-proxy-arp
svlan
switch
switch-mode
sys-health-check
syslog
sys-recovery-level
tacacs
tacacs-accounting
tacacsauthorization
tech
telnet
telnetd
temperature
tftpd
thttpd
time
timeout
timezone
tos
traffic
trusted-ports
trusted-servers
ttl
tunnel
udp
udp-echo-server
udp-profile
update
var
version
virtual-router
vlan
vpls
vr
vrrp
watchdog
web
xmlc
xmld
xml-mode
xml-notification
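The naming rules from "Object Names" and the exact-word reservation rule from "Reserved Keywords" together form a simple input validator. The following is an added example, not code from the NETGEAR manual or the switch software; RESERVED_KEYWORDS is a small subset copied from Table 5 for illustration (the switch checks the full table), and the error messages are constructed.

```python
# Added example, not from the manual: validates a proposed object name
# against the rules in "Object Names" and "Reserved Keywords".
# RESERVED_KEYWORDS is a subset copied from Table 5 for illustration; the
# switch's own check uses the full table.
import re

RESERVED_KEYWORDS = frozenset({
    "aaa", "access-list", "account", "bgp", "configure", "ipv4", "IPv4",
    "ipv6", "IPv6", "ospf", "ports", "show", "stp", "stpd", "vlan", "vr",
    "vrrp",
})

MAX_NAME_LEN = 32
# Must begin with a letter; then letters, digits and underscores only.
# This also keeps out the XML-reserved characters &, < and >.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def validate_object_name(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    if " " in name:
        problems.append("contains a space")
    elif not _NAME_RE.match(name):
        if not re.match(r"[A-Za-z]", name):
            problems.append("does not begin with an alphabetical character")
        else:
            problems.append("contains characters other than letters, digits and underscores")
    # Only the exact word is reserved: "vlan" is rejected, "vlan2" is not.
    if name in RESERVED_KEYWORDS:
        problems.append(f"'{name}' is a reserved keyword")
    return problems


def is_valid_object_name(name):
    """True when the name passes every rule."""
    return not validate_object_name(name)


if __name__ == "__main__":
    for candidate in ("engineering", "vlan", "vlan2", "2nd_floor", "eng dept", "a" * 33):
        verdict = validate_object_name(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that the keyword match is case-sensitive, which is why Table 5 lists both ipv4 and IPv4; a name such as Ipv4 is not caught by the reserved-word rule and is accepted.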

Symbols
You may see a variety of symbols shown as part of the command syntax. These symbols
explain how to enter the command, and you do not type them as part of the command itself.
Table 6 summarizes command syntax symbols.

Note: XCM8800 software does not support the ampersand (&), left angle
bracket (<), or right angle bracket (>), because they are reserved
characters with special meaning in XML.

Table 6. Command Syntax Symbols
angle brackets < >
    Enclose a variable or value. You must specify the variable or value. For example, in the
    syntax
    configure vlan  ipaddress 
    you must supply a VLAN name for  and an address for 
    when entering the command. Do not type the angle brackets and do not include spaces
    within angle brackets.
square brackets [ ]
    Enclose a required value or list of required arguments. One or more values or arguments
    can be specified. For example, in the syntax
    disable port [ | all]
    you must specify either specific ports or all for all ports when entering the command. Do
    not type the square brackets.
vertical bar |
    Separates mutually exclusive items in a list, one of which must be entered. For example,
    in the syntax
    configure snmp add community [readonly | readwrite]
    you must specify either the read or write community string in the command. Do not type
    the vertical bar.
braces { }
    Enclose an optional value or a list of optional arguments. One or more values or
    arguments can be specified. For example, in the syntax
    reboot {time      } {cancel}
    {msm } {slot  | node-address 
    | stack-topology {as-standby} }
    You can specify either a particular date and time combination, or the keyword cancel to
    cancel a previously scheduled reboot. (In this command, if you do not specify an
    argument, the command will prompt, asking if you want to reboot the switch now.) Do not
    type the braces.

Limits
The command line can process up to 4500 characters, including spaces. If you attempt to
enter more than 4500 characters, the switch emits an audible “beep” and will not accept any
further input. The first 4500 characters are processed, however.

Port Numbering
The XCM8800 software runs on both stand-alone and modular switches, and the port
numbering scheme is slightly different on each.

Note: The keyword all acts on all possible ports; it continues on all ports
even if one port in the sequence fails.

Numerical Ranges
On the NETGEAR 8800 switch, the port number is a combination of the slot number and the
port number. The nomenclature for the port number is as follows:
slot:port

For example, if an I/O module that has a total of four ports is installed in slot 2 of the chassis,
the following ports are valid:
• 2:1
• 2:2
• 2:3
• 2:4

You can also use wildcard combinations (*) to specify multiple modular slot and port
combinations. The following wildcard combinations are allowed:
• slot:*—Specifies all ports on a particular I/O module.
• slot:x-slot:y—Specifies a contiguous series of ports on a particular I/O module.
• slot:x-y—Specifies a contiguous series of ports on a particular I/O module.
• slota:x-slotb:y—Specifies a contiguous series of ports that begin on one I/O module
and end on another I/O module.
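The slot:port notation is easy to misread when it drives a command such as disable port, so it helps to expand a port list into explicit (slot, port) pairs before acting on it. The following expander is an added example written for this page, not NETGEAR code. It implements the four wildcard forms listed above plus the all keyword, and assumes two things the page does not state: that several items may be comma-separated, and that a range spanning modules covers every port of each module between its two ends. The slot-to-port-count table is a constructed sample.

```python
"""Expand XCM8800-style port lists ("2:*", "1:3-2:2", "2:1-4", "all") into
(slot, port) pairs. Added example, not NETGEAR code."""
import re
from typing import Dict, List, Tuple

Port = Tuple[int, int]

# One list item: slot:port, slot:*, slot:x-y, or slota:x-slotb:y.
_ITEM = re.compile(r"^(\d+):(\*|\d+)(?:-(?:(\d+):)?(\d+))?$")


def _check(slot: int, port: int, slots: Dict[int, int]) -> None:
    """Reject a slot with no module, or a port beyond the module's port count."""
    if slot not in slots:
        raise ValueError(f"slot {slot} has no I/O module")
    if not 1 <= port <= slots[slot]:
        raise ValueError(f"port {slot}:{port} does not exist (module has {slots[slot]} ports)")


def expand_ports(spec: str, slots: Dict[int, int]) -> List[Port]:
    """Return the ordered, de-duplicated (slot, port) pairs named by spec.

    slots maps slot number -> number of ports on the module installed there.
    Assumption (not stated on the page): items are comma-separated, and a range
    that crosses modules covers every port of each module between its ends.
    """
    if spec.strip() == "all":
        return [(s, p) for s in sorted(slots) for p in range(1, slots[s] + 1)]

    out: List[Port] = []
    for item in spec.split(","):
        m = _ITEM.match(item.strip())
        if not m:
            raise ValueError(f"bad port specifier: {item!r}")
        slot_a, first, slot_b, last = m.groups()
        slot_a = int(slot_a)

        if first == "*":                      # slot:* -> every port on that module
            if last is not None:
                raise ValueError(f"'*' cannot start a range: {item!r}")
            _check(slot_a, 1, slots)
            out.extend((slot_a, p) for p in range(1, slots[slot_a] + 1))
            continue

        lo = int(first)
        if last is None:                      # plain slot:port
            _check(slot_a, lo, slots)
            out.append((slot_a, lo))
            continue

        hi = int(last)
        slot_b = int(slot_b) if slot_b is not None else slot_a   # slot:x-y == slot:x-slot:y
        _check(slot_a, lo, slots)
        _check(slot_b, hi, slots)
        if (slot_b, hi) < (slot_a, lo):
            raise ValueError(f"range end precedes start: {item!r}")
        for s in range(slot_a, slot_b + 1):   # walk each module the range touches
            if s not in slots:
                raise ValueError(f"range {item!r} crosses empty slot {s}")
            start = lo if s == slot_a else 1
            stop = hi if s == slot_b else slots[s]
            out.extend((s, p) for p in range(start, stop + 1))

    seen = set()
    return [p for p in out if not (p in seen or seen.add(p))]


# Constructed chassis layout (not a real inventory): slot -> ports on that module.
SAMPLE_SLOTS = {1: 4, 2: 4, 3: 8}

if __name__ == "__main__":
    for spec in ("2:*", "2:2-4", "1:3-2:2", "1:1,3:7-8"):
        print(f"{spec:10} -> {expand_ports(spec, SAMPLE_SLOTS)}")
```

Because the expander validates every port against the installed modules, a typo such as 2:5 on a four-port module is rejected instead of being silently ignored, which matters when the list feeds a disable or enable command across a chassis.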

Line-Editing Keys
Table 7 describes the line-editing keys available using the CLI.
Table 7. Line-Editing Keys
Key(s)                      Description
Left arrow or [Ctrl] + B    Moves the cursor one character to the left.
Right arrow or [Ctrl] + F   Moves the cursor one character to the right.
[Ctrl] + H or Backspace     Deletes character to left of cursor and shifts remainder of line to left.
Delete or [Ctrl] + D        Deletes character under cursor and shifts remainder of line to left.
[Ctrl] + K                  Deletes characters from under cursor to end of line.
Insert                      Toggles on and off. When toggled on, inserts text and shifts previous text to right.
[Ctrl] + A                  Moves cursor to first character in line.
[Ctrl] + E                  Moves cursor to last character in line.
[Ctrl] + L                  Clears screen and moves cursor to beginning of line.
[Ctrl] + P or Up Arrow      Displays previous command in command history buffer and places cursor at end of command.
[Ctrl] + N or Down Arrow    Displays next command in command history buffer and places cursor at end of command.
[Ctrl] + U                  Clears all characters typed from cursor to beginning of line.
[Ctrl] + W                  Deletes previous word.
[Ctrl] + C                  Interrupts the current CLI command execution.

Command History
The XCM8800 software stores the commands you enter. You can display a list of these
commands by using the following command:
history

Common Commands
Table 8 describes some of the common commands used to manage the switch. Commands
specific to a particular feature may also be described in other chapters of this guide. For a
detailed description of the commands and their options, see the NETGEAR 8800 Chassis
Switch CLI Manual.
Table 8. Common Commands
Command
    Description

clear session [history |  | all]
    Terminates a Telnet or SSH2 session from the switch.

configure account [all | ]
    Configures a user account password. Passwords can have a minimum of 0 characters and
    a maximum of 32 characters. Passwords and user names are case-sensitive.


configure banner
    Configures the banner string. You can enter up to 24 rows of 79-column text that is
    displayed before the login prompt of each session. Press [Return] at the beginning of
    a line to terminate the command and apply the banner. To clear the banner, press
    [Return] at the beginning of the first line.

configure ports  {medium [copper | fiber]} auto off speed  duplex [half | full]
    Manually configures the port speed and duplex setting of one or more ports on a switch.

configure slot  module 
    Configures a slot for a particular I/O module card.
    Note: This command is available only on modular switches.

configure ssh2 key {pregenerated}
    Generates the SSH2 host key. If you cannot find SSH commands, your XCM8800 image
    probably does not have SSH preinstalled. To download and install the SSH module, go to
    http://kbserver.netgear.com/products/8806.asp or
    http://kbserver.netgear.com/products/8810.asp.

configure sys-recovery-level [all | none]
    Configures a recovery option for instances where an exception occurs in XCM8800
    software.

configure time      
    Configures the system date and time. The format is as follows:
    mm dd yyyy hh mm ss
    The time uses a 24-hour clock format. You cannot set the year earlier than 2003 or
    past 2036.

configure timezone {name }  {autodst {name } {} {begins [every  | on ] {at }
{ends [every  | on ] {at }}} | noautodst}
    Configures the time zone information to the configured offset from GMT time. The
    format of GMT_offset is +/- minutes from GMT time. The autodst and noautodst options
    enable and disable automatic Daylight Saving Time change based on the North American
    standard. Additional options are described in the NETGEAR 8800 Chassis Switch CLI
    Manual.

configure {vlan}  ipaddress [ {} | ipv6-link-local | {eui64} ]
    Configures an IP address and subnet mask for a VLAN.

create account [admin | user]  {encrypted }
    Creates a user account. This command is available to admin-level users and to users
    with RADIUS command authorization. The username is between 1 and 32 characters; the
    password is between 0 and 32 characters.

create vlan  {vr }
    Creates a VLAN.


delete account 
    Deletes a user account.

delete vlan 
    Deletes a VLAN.

disable bootp vlan [ | all]
    Disables BOOTP for one or more VLANs.

disable cli-config-logging
    Disables logging of CLI commands to the Syslog.

disable clipaging
    Disables pausing of the screen display when a show command output reaches the end of
    the page.

disable idletimeout
    Disables the timer that disconnects all sessions. After being disabled, console
    sessions remain open until the switch is rebooted or until you log off. Telnet
    sessions remain open until you close the Telnet client. SSH2 sessions time out after
    61 minutes of inactivity.

disable port [ | all]
    Disables one or more ports on the switch.

disable ssh2
    Disables SSH2 access to the switch.

disable telnet
    Disables Telnet access to the switch.

enable bootp vlan [ | all]
    Enables BOOTP for one or more VLANs.

enable cli-config-logging
    Enables the logging of CLI configuration commands to the Syslog for auditing
    purposes. The default setting is enabled.

enable clipaging
    Enables pausing of the screen display when show command output reaches the end of the
    page. The default setting is enabled.

enable idletimeout
    Enables a timer that disconnects all sessions (Telnet, SSH2, and console) after 20
    minutes of inactivity. The default setting is enabled.

enable license {software} 
    Enables a particular software feature license. Specify the license key as an integer.
    The command unconfigure switch {all} does not clear licensing information. This
    license cannot be disabled once it is enabled on the switch.

enable ssh2 {access-profile [ | none]} {port } {vr [ | all | default]}
    Enables SSH2 sessions. By default, SSH2 is disabled. When enabled, SSH2 uses TCP port
    number 22. If you cannot find SSH commands, your XCM8800 image probably does not have
    SSH preinstalled. To download and install the SSH module, go to
    http://kbserver.netgear.com/products/8806.asp or
    http://kbserver.netgear.com/products/8810.asp.

enable telnet
    Enables Telnet access to the switch. By default, Telnet uses TCP port number 23.

history
    Displays the commands entered on the switch.


show banner
    Displays the user-configured banner.

unconfigure switch {all}
    Resets all switch parameters (with the exception of defined user accounts, and date
    and time information) to the factory defaults. If you specify the keyword all, the
    switch erases the currently selected configuration image in flash memory and reboots.
    As a result, all parameters are reset to default settings.

Accessing the Switch for the First Time
When you take your switch from the box and set it up for the first time, you must connect to
the console to access the switch. You are prompted with an interactive script that specifically
asks if you want to disable Telnet and SNMP, so these will not be available on your switch at
next reboot. This is called the safe defaults mode.
After you connect to the console and log in to the switch, the screen displays several
interactive questions that lead you through configuring the management access that you
want. You disable SNMP, or Telnet access by using the interactive script (see Safe Defaults
Setup Method on page 38).
All ports are enabled in the factory default setting; you can choose to have all unconfigured
ports disabled on reboot using the interactive questions.
In addition, you can return to the safe defaults mode by issuing the following commands:
• unconfigure switch all
• configure safe-default-script

Safe Defaults Setup Method
After you connect to the console port of the switch, or after you issue the unconfigure switch
all or configure safe-default-script CLI command, the system returns the
following interactive script:
This switch currently has all management methods enabled for convenience reasons.
Please answer these questions about the security settings you would like to use.
Telnet is enabled by default. Telnet is unencrypted and has been the target of
security exploits in the past.
Would you like to disable Telnet? [y/N]:
SNMP access is enabled by default. SNMP uses no encryption, SNMPv3 can be
configured to eliminate this problem.
Would you like to disable SNMP? [y/N]:
All ports are enabled by default. In some secure applications, it may be more
desirable for the ports to be turned off.
Would you like unconfigured ports to be turned off by default? [y/N]:
Changing the default failsafe account username and password is highly
recommended. If you choose to do so, please remember the username and
password as this information cannot be recovered by NETGEAR.
Would you like to change the failsafe account username and password
now? [y/N]:
Would you like to permit failsafe account access via the management port?
[y/N]:
Since you have chosen less secure management methods, please remember to
increase the security of your network by taking the following actions:
* change your admin password
* change your failsafe account username and password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic

You see this interactive script only under the following conditions:
• At initial login (when you use the switch the first time)
• After the command unconfigure switch all
• After the command configure safe-default-script

All the changes you make using this interactive script can be saved through switch reboots, if
you save the setting. If you want to change the management access:
• Use the configure safe-default-script command, which maintains your configuration
and reruns the script.
• Use the unconfigure switch all command, which resets your switch to the default
factory setting and reruns this script.
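The checklist the script prints is also a useful audit target for saved configurations, since the safe-defaults answers can be undone later by anyone with admin access. The following checker is an added example written for this page, not NETGEAR software. It scans a configuration expressed as CLI lines (the syntax shown in Table 8) and reports the settings the script warns about. It assumes that a setting absent from the listing is at the default this chapter states (Telnet enabled, SSH2 disabled, idletimeout and cli-config-logging enabled); both sample configurations are constructed, not captured from a switch.

```python
"""Audit an XCM8800 configuration, given as CLI lines, against the safe-defaults
checklist. Added example, not NETGEAR software."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (severity, message)

# Community strings the setup script tells you to change.
WEAK_COMMUNITIES = {"public", "private"}
_COMMUNITY = re.compile(r"^configure snmp add community (readonly|readwrite) (\S+)$")


def audit_config(lines: List[str]) -> List[Finding]:
    """Return findings for weak management settings found in the CLI lines.

    Assumption: a setting that is not explicitly changed is at the default the
    manual states (Telnet on, SSH2 off, idletimeout on, cli-config-logging on).
    """
    cmds = [ln.strip() for ln in lines if ln.strip() and not ln.strip().startswith("#")]
    has = set(cmds)
    findings: List[Finding] = []

    if "disable telnet" not in has:
        findings.append(("high", "Telnet is enabled (unencrypted); issue 'disable telnet'"))
    if not any(c.startswith("enable ssh2") for c in cmds):
        findings.append(("high", "SSH2 is not enabled; generate a host key and 'enable ssh2'"))
    if "disable idletimeout" in has:
        findings.append(("medium", "idle session timeout is disabled; issue 'enable idletimeout'"))
    if "disable cli-config-logging" in has:
        findings.append(("medium", "CLI command logging to Syslog is disabled; "
                                   "issue 'enable cli-config-logging'"))
    for cmd in cmds:
        m = _COMMUNITY.match(cmd)
        if m and m.group(2).lower() in WEAK_COMMUNITIES:
            findings.append(("high", f"SNMP {m.group(1)} community uses default string "
                                     f"'{m.group(2)}'; change it or move to SNMPv3"))
    return findings


# Constructed sample configurations (not captured from a switch).
WEAK_CONFIG = """
# management left at convenience settings
configure snmp add community readonly public
configure snmp add community readwrite private
enable telnet
disable idletimeout
disable cli-config-logging
""".splitlines()

HARDENED_CONFIG = """
# after the safe-defaults script and the checklist it prints
configure snmp add community readonly r0-Qx9vT2mK
disable telnet
enable ssh2
enable idletimeout
enable cli-config-logging
""".splitlines()

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for sev, msg in audit_config(cfg):
            print(f"  [{sev}] {msg}")
```

The check for SSH2 uses a prefix match because enable ssh2 takes optional port and vr arguments; the others match whole commands. Run it against the output of your configuration export before and after the safe-defaults script to confirm the answers actually took effect.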

Configuring Management Access
This section discusses the following topics:
• Account Access Levels on page 40
• Configuring the Banner on page 40
• Startup Screen and Prompt Text on page 41
• Default Accounts on page 43
• Creating a Management Account on page 43
• Failsafe Accounts on page 44

Account Access Levels
XCM8800 software supports the following two levels of management:
• User
• Administrator

In addition to the management levels, you can optionally use an external RADIUS server to
provide CLI command authorization checking for each command. For more information on
RADIUS, see Chapter 17, Security.

User Account
A user-level account has viewing access to all manageable parameters, with the exception
of:
• User account database
• SNMP community strings

A person with a user-level account can use the ping command to test device reachability
and change the password assigned to the account name. If you have logged on with user
capabilities, the command line prompt ends with a (>) sign. For example:
XCM8806-1.2 >

Administrator Account
A person with an administrator-level account can view and change all switch parameters.
With this level, you can also add and delete users, as well as change the password
associated with any account name (to erase the password, use the unconfigure switch all
command).
The administrator can disconnect a management session that has been established by way
of a Telnet connection. If this happens, the user logged on by way of the Telnet connection is
notified that the session has been terminated.
If you have logged on with administrator capabilities, the command line prompt ends with a
(#) sign. For example:
XCM8806-1.18 #

Configuring the Banner
You can configure a banner that displays as soon as you power-up the switch, before the
login prompt. To add a banner to your switch, use the following command:
configure banner {acknowledge}

Using the acknowledge parameter prompts the user with the following message after the
banner appears and before the login prompt:
Hit any key to accept these provisions.

To disable the acknowledgement feature, which forces the user to press a key before the
login screen displays, use the configure banner command omitting the acknowledge
parameter.

Startup Screen and Prompt Text
Once you log into the switch, the system displays the startup screen, as follows:
login: admin
password: blue7
XCM8800
Copyright (C) 2000-2006 NETGEAR, Inc. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957;
6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,012,082.
==============================================================================
Press the  or '?' key at any time for completions.
Remember to save your configuration changes.
* .1 #

You must have an administrator-level account to change the text of the prompt. The prompt
text is taken from the SNMP sysname setting.
The number that follows the period after the switch name indicates the sequential line of the
specific command or line for this CLI session.
If an asterisk (*) appears in front of the command line prompt, it indicates that you have
outstanding configuration changes that have not been saved. For example:
* XCM8806-1.19 #

If you have logged on with administrator capabilities, the command line prompt ends with a
(#) sign. For example:
XCM8806-1.18 #

If you have logged on with user capabilities, the command line prompt ends with a (>) sign.
For example:
XCM8806-1.2 >

Using the system recovery commands (see Chapter 8, Status Monitoring and Statistics for
information on system recovery), you can configure either one or more specified slots on a
modular switch or the entire stand-alone switch to shut down in case of an error. If you have
configured this feature and a hardware error is detected, the system displays an explanatory


message on the startup screen. The message is slightly different, depending on whether you
are working on a modular switch or a stand-alone switch.
The following sample shows the startup screen if any of the slots in a modular switch are shut
down as a result of the system recovery configuration:
login: admin
password:
XCM8800
Copyright (C) 2000-2006 NETGEAR, Inc. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957;
6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,012,082.
==============================================================================
Press the  or '?' key at any time for completions.
Remember to save your configuration changes.
The I/O modules in the following slots are shut down: 1,3
Use the "clear sys-recovery-level" command to restore I/O modules
! XCM8806-8810.1 #

When an exclamation point (!) appears in front of the command line prompt, it indicates that
one or more slots or the entire stand-alone switch are shut down as a result of your system
recovery configuration and a switch error. (See Chapter 8, Status Monitoring and Statistics for
complete information on system recovery and system health check features.)
The following sample shows the startup screen if a stand-alone switch is shut down as a
result of the system recovery configuration:
login: admin
password:
NETGEAR XCM8800
Copyright (C) 2000-2006 NETGEAR, Inc. All rights reserved.
Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957;
6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,012,082.
==============================================================================
Press the  or '?' key at any time for completions.
Remember to save your configuration changes.
All switch ports have been shut down.
Use the "clear sys-recovery-level" command to restore all ports.


Default Accounts
By default, the switch is configured with two accounts, as shown in Table 9.
Table 9. Default Accounts
Account Name

Access Level

admin

This user can access and change all manageable parameters. However, the user may
not delete all admin accounts.

user

This user can view (but not change) all manageable parameters, with the following
exceptions:
• This user cannot view the user account database.
• This user cannot view the SNMP community strings.

To change the password on the default account, see Applying a Password to the Default
Account on page 45.

Creating a Management Account
The switch can have a total of 16 management accounts. You can use the default names
(admin and user), or you can create new names and passwords for the accounts. Passwords
can have a minimum of 0 characters and a maximum of 32 characters.
To create a new account:
1. Log in to the switch as admin.
2. At the password prompt, press [Return], or enter the password that you have configured for
the admin account.
3. Add a new user by using the following command:
create account [admin | user]  {encrypted
}
If you do not specify a password or the keyword “encrypted”, you are prompted for one.
If you do not want a password associated with the specified account, press [Enter] twice.

Viewing Accounts
To view the accounts that have been created, you must have administrator privileges. To see
the accounts, use the following command:
show accounts

Deleting an Account
To delete an account, you must have administrator privileges. To delete an account, use the
following command:
delete account 


Failsafe Accounts
The failsafe account is the account of last resort to access your switch. This account is never
displayed by the show accounts command, but it is always present on the switch. To display
whether the user configured a username and password for the failsafe account or to show the
configured connection-type access restrictions use the following command:
show failsafe-account

The failsafe account has admin access level. To configure the account name and password
for the failsafe account, use the following command:
configure failsafe-account {[deny | permit] [all | control | serial | ssh {vr } |
telnet {vr }]}

When you use the command with no parameters, you are prompted for the failsafe account
name and prompted twice to specify the password for the account. For example:
XCM8806-10808.1 # configure failsafe-account
enter failsafe user name: blue5green
enter failsafe password:
enter password again:
XCM8806-10808.2

When you use the command with the permit or deny parameter, the connection-type access
restrictions are altered as specified. For example:
XCM8806-8810.1 # configure failsafe-account deny all
XCM8806-8810.2 # configure failsafe-account permit serial

The failsafe account is immediately saved to NVRAM. On a modular switch, the failsafe
account is saved to both MSM/MMs' NVRAMs if both are present.
You need not provide the existing failsafe account information to change it.

Note: The information that you use to configure the failsafe account
cannot be recovered by NETGEAR. Technical support cannot
retrieve passwords or account names for this account. Protect this
information carefully.

To access your switch using the failsafe account:
1. Connect to the switch using one of the (configured) permitted connection types.
2. At the switch login prompt, carefully enter the failsafe account name. If you enter an
erroneous account name, you cannot re-enter the correct name. In that case, press [Enter]
until you get a login prompt and then try again.
3. When prompted, enter the password.


Managing Passwords
When you first access the switch, you have a default account. You configure a password for
your default account. As you create other accounts (see Creating a Management Account on
page 43), you configure passwords for those accounts.
The software allows you to apply additional security to the passwords. You can enforce a
specific format and minimum length for the password. Additionally, you can age out the
password, prevent a user from employing a previously used password, and lock users out of
the account after three consecutive failed login attempts.
You can change the password to an encrypted password after you create an account.
This section describes the following topics:
• Applying a Password to the Default Account on page 45
• Applying Security to Passwords on page 46
• Displaying Passwords on page 47

Applying a Password to the Default Account
Default accounts do not have passwords assigned to them. Passwords can have a minimum
of 0 and a maximum of 32 characters. (If you specify the format of passwords using the
configure account password-policy char-validation command, the minimum is 8
characters.)

Note: Passwords and user names are case-sensitive.

To add a password to the default admin account:
1. Log in to the switch using the name admin.
2. At the password prompt, press [Enter].
3. Add a default admin password of green by entering the following command:
configure account admin green

To add a password to the default user account:
1. Log in to the switch using the name user.
2. At the password prompt, press [Enter], or enter the password that you have configured for
the user account.
3. Add a default user password of blue by entering the following command:
configure account user blue


Note: If you forget your password while logged out of the CLI, you can use
the bootloader to reinstall a default switch configuration, which
allows access to the switch without a password. Note that this
process reconfigures all switch settings back to the initial default
configuration.

Applying Security to Passwords
You can increase the security of your system by enforcing password restrictions, which will
make it more difficult for unauthorized users to access your system.
You can specify that each password must include at least two characters of each of the
following four character types:
• Upper-case A-Z
• Lower-case a-z
• 0-9
• !, @, #, $, %, ^, *, (, )

To set this format for the password, use the following command:
configure account [all | ] password-policy char-validation [none | all-char-groups]

You can enforce a minimum length for the password and set a maximum time limit, after
which the password will not be accepted.
To set a minimum length for the password, use the following command:
configure account [all | ] password-policy min-length [ | none]

To age out the password after a specified time, use the following command:
configure account [all | ] password-policy max-age [ | none]

You can block users from employing previously used passwords by issuing the command:
configure account [all | ] password-policy history [ | none]

By default, the system terminates a session after the user has three consecutive failed login
attempts. The user may then launch another session (which again would terminate after
three consecutive failed login attempts). To increase security, you can lock users out of the
system entirely after three failed consecutive login attempts. To use this feature, use the
following command:
configure account [all | ] password-policy lockout-on-login-failures [on | off]


Note: If you are not working on SSH, you can configure the number of
failed logins that trigger lockout, using the configure cli
max-failed-logins  command. (This
command also sets the number of failed logins that terminate the
particular session.)

After the user’s account is locked out (using the configure account password-policy
lockout-on-login-failures command), it must be specifically re-enabled by an
administrator. To re-enable a locked-out account, use the following command:
clear account [all | ] lockout

Selecting the all option affects the setting of all existing and future new accounts.

Note: The default admin account and failsafe accounts are never locked
out, no matter how many consecutive failed login attempts.
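The rules in this section (char-validation, min-length, history, lockout-on-login-failures, and the exemption for the default admin and failsafe accounts) interact in ways that are easier to see in code than in prose. The following model is an added example written for this page, not NETGEAR code. It implements the rules exactly as the manual states them, including the minimum of 8 characters that char-validation imposes and the rule that a locked account stays locked until an administrator clears it. Passwords are stored as salted PBKDF2 digests only so that the example is self-contained; the switch's own storage format is not described on this page and is not assumed here.

```python
"""Model of the XCM8800 account password policy described above.
Added example, not NETGEAR code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SPECIALS = set("!@#$%^*()")      # the special-character group the manual lists
MAX_LEN = 32                     # passwords are 0 to 32 characters


def group_counts(pw: str) -> dict:
    """Count the characters of each of the four character groups in pw."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for c in pw:
        if c.isupper():
            counts["upper"] += 1
        elif c.islower():
            counts["lower"] += 1
        elif c.isdigit():
            counts["digit"] += 1
        elif c in SPECIALS:
            counts["special"] += 1
    return counts


def _digest(pw: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; raise it for real use.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)


@dataclass
class PasswordPolicy:
    char_validation: bool = False        # password-policy char-validation all-char-groups
    min_length: Optional[int] = None     # password-policy min-length (None == none)
    history: Optional[int] = None        # password-policy history (None == none)
    lockout_on_login_failures: bool = False
    max_failed_logins: int = 3           # configure cli max-failed-logins default

    def violations(self, pw: str, previous: List[Tuple[bytes, bytes]]) -> List[str]:
        """Return every rule pw breaks; an empty list means it is accepted."""
        problems = []
        if len(pw) > MAX_LEN:
            problems.append(f"longer than {MAX_LEN} characters")
        floor = self.min_length or 0
        if self.char_validation:
            floor = max(floor, 8)            # char-validation raises the minimum to 8
            weak = [g for g, n in group_counts(pw).items() if n < 2]
            if weak:
                problems.append("fewer than two characters from: " + ", ".join(weak))
        if len(pw) < floor:
            problems.append(f"shorter than {floor} characters")
        if self.history:                     # compare against the last N stored digests
            for salt, dgst in previous[-self.history:]:
                if hmac.compare_digest(_digest(pw, salt), dgst):
                    problems.append("reuses a previous password")
                    break
        return problems


@dataclass
class Account:
    name: str
    policy: PasswordPolicy
    lockout_exempt: bool = False         # default admin and failsafe accounts are never locked out
    _salt: bytes = field(default_factory=lambda: os.urandom(16))
    _hash: bytes = b""                   # empty: no password configured yet
    _history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    failed: int = 0
    locked: bool = False

    def set_password(self, pw: str) -> None:
        """Apply the policy, then replace the stored digest and remember the old one."""
        previous = self._history + ([(self._salt, self._hash)] if self._hash else [])
        problems = self.policy.violations(pw, previous)
        if problems:
            raise ValueError(f"password rejected: {'; '.join(problems)}")
        if self._hash:
            self._history.append((self._salt, self._hash))
        self._salt = os.urandom(16)
        self._hash = _digest(pw, self._salt)

    def login(self, pw: str) -> bool:
        """Check pw; count consecutive failures and lock out if the policy says so."""
        if self.locked:
            return False
        if not self._hash:                   # no password configured: only [Enter] matches
            ok = pw == ""
        else:
            ok = hmac.compare_digest(_digest(pw, self._salt), self._hash)
        if ok:
            self.failed = 0
            return True
        self.failed += 1
        if (self.policy.lockout_on_login_failures and not self.lockout_exempt
                and self.failed >= self.policy.max_failed_logins):
            self.locked = True               # stays locked until 'clear account <name> lockout'
        return False

    def clear_lockout(self) -> None:
        """What 'clear account <name> lockout' does: re-enable the account."""
        self.locked = False
        self.failed = 0
```

Two details worth noting: the history check has to compare the candidate against stored digests rather than plaintext, so each stored entry keeps its own salt, and the comparison uses hmac.compare_digest so that a failed login takes the same time whichever byte differs. The lockout counter is per account and resets on success, which matches the "consecutive" wording in the text.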

Displaying Passwords
To display the accounts and any applied password security, use the following command:
show accounts password-policy

You can also display which accounts may be locked out by issuing the following command:
show accounts

Access to Both MSM/MM Console Ports
You can access either the primary or the backup MSM/MM regardless of which console port
you are connected to.
Use the following command:
telnet msm [a | b]

Domain Name Service Client Services
The Domain Name Service (DNS) client in XCM8800 software augments the following
commands to allow them to accept either IP addresses or host names:
• telnet
• download bootrom
• download image
• ping
• traceroute
• configure radius server client-ip
• configure tacacs server client-ip

The DNS client can resolve host names to both IPv4 and IPv6 addresses.
In addition, the nslookup utility can be used to return the IP address of a host name.
You can specify up to eight DNS servers for use by the DNS client using the following
command:
configure dns-client add

You can specify a default domain for use when a host name is used without a domain. Use
the following command:
configure dns-client default-domain

For example, if you specify the domain xyz-inc.com as the default domain, then a command
such as ping accounting1 will be taken as if it had been entered
ping accounting1.xyz-inc.com.

Checking Basic Connectivity
The switch offers the following commands for checking basic connectivity:
• ping
• traceroute

Ping
The ping command enables you to send Internet Control Message Protocol (ICMP) echo
messages to a remote IP device. The ping command is available for both the user and
administrator privilege level.
The ping command syntax is:
ping {count  {start-size } | continuous {start-size } |
{start-size  {end-size }}} {udp} {dont-fragment} {ttl } {tos
} {interval } {vr } {ipv4  | ipv6 } {from} {with
record-route}

Options for the ping command are described in Table 10.


Table 10. Ping Command Parameters
Parameter
    Description

count
    Specifies the number of ping requests to send.

start-size
    Specifies the size, in bytes, of the packet to be sent, or the starting size if
    incremental packets are to be sent.

continuous
    Specifies that UDP or ICMP echo messages are to be sent continuously. This option can
    be interrupted by pressing [Ctrl] + C.

end-size
    Specifies an end size for packets to be sent.

udp
    Specifies that the ping request should use UDP instead of ICMP.

dont-fragment
    Sets the IP don't-fragment bit.

ttl
    Sets the TTL value.

tos
    Sets the TOS value.

interval
    Sets the time interval between sending out ping requests.

vr
    Specifies the virtual router name to use for sending out the echo message. If not
    specified, VR-Default is used.
    Note: User-created VRs are supported only on the platforms listed for this feature in
    Appendix A, XCM8800 Software Licenses.

ipv4
    Specifies IPv4 transport.

ipv6
    Specifies IPv6 transport.
    Note: If you are contacting an IPv6 link local address, you must specify the VLAN you
    are sending the message from: ping   % .

host
    Specifies a host name or IP address (either v4 or v6).

from
    Uses the specified source address. If not specified, the address of the transmitting
    interface is used.

with record-route
    Sets the traceroute information.

If a ping request fails, the switch stops sending the request after three attempts. Press [Ctrl] +
C to interrupt a ping request earlier. The statistics are tabulated after the ping is interrupted or
stops.
You use the ipv6 variable to ping an IPv6 host by generating an ICMPv6 echo request
message and sending the message to the specified address. If you are contacting an IPv6
link local address, you must specify the VLAN you are sending the message from, as shown
in the following example (you must include the % sign): ping  
% .


Traceroute
The traceroute command enables you to trace the routed path between the switch and a
destination endstation. The traceroute command syntax is:
traceroute {vr } {ipv4 } {ipv6 } {ttl } {from } {[port ]
| icmp}

Where:
• vr is the name of the virtual router.
• ipv4/ipv6 is the transport.
• from uses the specified source address in the ICMP packet. If not specified, the address
of the transmitting interface is used.
• host is the host of the destination endstation. To use the hostname, you must first
configure DNS.
• ttl configures the switch to trace the hops until the time-to-live has been exceeded for
the switch.
• port uses the specified UDP port number.
• icmp uses ICMP echo messages to trace the routed path.

Displaying Switch Information
To display basic information about the switch, use the following command:
show switch

Chapter 3. Managing the Switch

This chapter includes the following sections:
• Overview on page 51
• Understanding the XCM8800 Shell on page 52
• Using the Console Interface on page 52
• Using the 10/100 Ethernet Management Port on page 53
• Authenticating Users on page 53
• Using Telnet on page 54
• Using Secure Shell 2 on page 62
• Using the Trivial File Transfer Protocol on page 62
• Understanding System Redundancy on page 64
• Understanding Hitless Failover Support on page 69
• Understanding Power Supply Management on page 72
• Using the Simple Network Management Protocol on page 76
• Using the Simple Network Time Protocol on page 89

Overview
Using XCM8800, you can manage the switch using the following methods:
• Access the command line interface (CLI) by connecting a terminal (or workstation with
terminal-emulation software) to the console port.
• Access the switch remotely using TCP/IP through one of the switch ports or through the
dedicated 10/100 unshielded twisted pair (UTP) Ethernet management port. Remote
access includes:
  • Telnet using the CLI interface.
  • Secure Shell (SSH2) using the CLI interface.
  • Simple Network Management Protocol (SNMP) access using EPICenter or another
  SNMP manager.
• Download software updates and upgrades. For more information, see Appendix B,
Software Upgrade and Boot Options.


The switch supports up to the following number of concurrent user sessions:
• One console session (two console sessions are available if two management modules
are installed)
• Eight shell sessions
• Eight Telnet sessions
• Eight Trivial File Transfer Protocol (TFTP) sessions
• Eight SSH2 sessions

Understanding the XCM8800 Shell
When you log in to XCM8800 from a terminal, you enter the shell with a shell prompt
displayed. At the prompt, you input the commands to be executed on the switch. After the
switch processes and executes a command, the results are relayed to and displayed on your
terminal.
The shell supports ANSI, VT100, and XTERM terminal emulation and adjusts to the correct
terminal type and window size. In addition, the shell supports UNIX-style page view for
page-by-page command output capability.
By default, up to eight active shell sessions can access the switch concurrently; however, you
can change the number of simultaneous, active shell sessions supported by the switch. You
can configure up to 16 active shell sessions. Configurable shell sessions include both Telnet
and SSH connections (not console CLI connections). If only eight active shell sessions can
access the switch, a combination of eight Telnet and SSH connections can access the switch
even though Telnet and SSH each support eight connections. For example, if you have six
Telnet sessions and two SSH sessions, no one else can access the switch until a connection
is terminated or you access the switch via the console.
If you configure a new limit, only new incoming shell sessions are affected. If you decrease
the limit and the current number of sessions already exceeds the new maximum, the switch
refuses only new incoming connections until the number of shell sessions drops below the
new limit. Already connected shell sessions are not disconnected as a result of decreasing
the limit.
To configure the number of shell sessions accepted by the switch, use the following
command:
configure cli max-sessions

For more information about the line-editing keys that you can use with the XOS shell, see
Line-Editing Keys on page 34.

Using the Console Interface
The CLI built into the switch is accessible by way of the 9-pin, RS-232 port labeled console.
On a modular switch, the console port is located on the front of the management module
(MSM/MM). On a stand-alone switch, the console port is located on the front panel.


Note: For more information on the console port pinouts, see the hardware
installation guide included with your switch.

After the connection has been established, you see the switch prompt and you can log in.

Using the 10/100 Ethernet Management Port
The management module provides a dedicated 10/100 Mbps Ethernet management port. This
port provides dedicated remote access to the switch using TCP/IP. It supports the following
management methods:
• Telnet/SSH2 using the CLI interface
• SNMP access using EPICenter or another SNMP manager

The switch uses the Ethernet management port only for host operation, not for switching or
routing. The TCP/IP configuration for the management port is done using the same syntax as
used for virtual LAN (VLAN) configuration. The VLAN mgmt comes preconfigured with only
the management port as a member. The management port is a member of the virtual router
VR-Mgmt.
When you configure the IP address for the VLAN mgmt, this address gets assigned to the
primary MSM/MM. You can connect to the management port on the primary MSM/MM for any
switch configuration. The management port on the backup MSM/MM is available only when
failover occurs. At that time, the primary MSM/MM relinquishes its role, the backup MSM/MM
takes over, and the VLAN mgmt on the new primary MSM/MM acquires the IP address of the
previous primary MSM/MM.
To configure the IP address and subnet mask for the VLAN mgmt, use the following
command:
configure vlan mgmt ipaddress /

To configure the default gateway (you must specify VR-Mgmt for the management port and
VLAN mgmt), use the following command:
configure iproute add default  {} {multicast | multicast-only | unicast |
unicast-only} {vr }

The following example configuration sets the management port IP address to 192.168.1.50,
mask length of 25, and configures the gateway to use 192.168.1.1:
configure vlan mgmt ipaddress 192.168.1.50/25
configure iproute add default 192.168.1.1 vr vr-mgmt

Authenticating Users
XCM8800 provides three methods to authenticate users who log in to the switch:
• RADIUS client
• TACACS+
• Local database of accounts and passwords

Note: You cannot configure RADIUS and TACACS+ at the same time.

RADIUS Client
Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for
authenticating and centrally administrating access to network nodes. The XCM8800 RADIUS
client implementation allows authentication for Telnet or console access to the switch.
For detailed information about RADIUS and configuring a RADIUS client, see Chapter 17,
Security.

TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for
providing authentication, authorization, and accounting on a central server, similar in function
to the RADIUS client. The XCM8800 version of TACACS+ is used to authenticate prospective
users who are attempting to administer the switch. TACACS+ is used to communicate
between the switch and an authentication database.
For detailed information about TACACS+ and configuring TACACS+, see Chapter 17,
Security.

Management Accounts
XCM8800 supports two levels of management accounts (local database of accounts and
passwords): User and Administrator. A user level account can view but not change all
manageable parameters, with the exception of the user account database and SNMP
community strings. An administrator level account can view and change all manageable
parameters.
For detailed information about configuring management accounts, see Chapter 2, Getting
Started.

Using Telnet
XCM8800 supports the Telnet Protocol based on RFC 854. Telnet allows interactive remote
access to a device and is based on a client/server model. XCM8800 uses Telnet to connect
to other devices from the switch (client) and to allow incoming connections for switch
management using the CLI (server).
This section describes the following topics:

• About the Telnet Client on page 55
• About the Telnet Server on page 55
• Connecting to Another Host Using Telnet on page 56
• Configuring Switch IP Parameters on page 56
• Configuring Telnet Access to the Switch on page 58
• Disconnecting a Telnet Session on page 62

About the Telnet Client
Before you can start an outgoing Telnet session on the switch, you must set up the IP
parameters described in Configuring Switch IP Parameters on page 56. Telnet is enabled
and uses VR-Mgmt by default.

Note: Maximize the Telnet screen so that automatically updating screens
display correctly.

If you use Telnet to establish a connection to the switch, you must specify the IP address or
host name of the device that you want to connect to. Check the user manual supplied with
the Telnet facility if you are unsure of how to do this.
After the connection is established, you see the switch prompt and you can log in.
The same is true if you use the switch to connect to another host. From the CLI, you must
specify the IP address or host name of the device that you want to connect to. If the host is
accessible and you are allowed access, you may log in.
For more information about using the Telnet client on the switch, see Connecting to Another
Host Using Telnet on page 56.

About the Telnet Server
Any workstation with a Telnet facility should be able to communicate with the switch over a
TCP/IP network using VT100 terminal emulation.
Up to eight active Telnet sessions can access the switch concurrently. If you enable the idle
timer using the enable idletimeout command, the Telnet connection times out after 20
minutes of inactivity by default. If a connection to a Telnet session is lost inadvertently, the
switch terminates the session within two hours.
The switch accepts IPv6 connections.
For information about the Telnet server on the switch, see the following sections:
• Configuring Telnet Access to the Switch on page 58
• Disconnecting a Telnet Session on page 62


Connecting to Another Host Using Telnet
You can Telnet from the current CLI session to another host using the following command:
telnet {vr } [ | ] {}

Note: User-created VRs are supported only on the platforms listed for this
feature in Appendix A, XCM8800 Software Licenses.

If the TCP port number is not specified, the Telnet session defaults to port 23. If the virtual
router name is not specified, the Telnet session defaults to VR-Mgmt. Only VT100 emulation
is supported.
You can use Telnet to access either the primary or the backup MSM/MM regardless of which
console port you are connected to. For more information see Chapter 2, Getting Started.

Configuring Switch IP Parameters
To manage the switch by way of a Telnet connection or by using an SNMP Network Manager,
you must first configure the switch IP parameters.

Using a BOOTP or DHCP Server
If you are using IP and you have a Bootstrap Protocol (BOOTP) server set up correctly on
your network, you must provide the following information to the BOOTP server:
• Switch Media Access Control (MAC) address, found on the rear label of the switch
• IP address
• Subnet address mask (optional)

The switch contains a BOOTP and Dynamic Host Configuration Protocol (DHCP) client, so if
you have a BOOTP or DHCP server in your IP network, you can have it assign IP addresses
to the switch. This is more likely to be desirable on the switch's VLAN mgmt than it is on any
other VLANs.
You can enable the BOOTP or DHCP client per VLAN by using the following commands:
enable bootp vlan [ | all]
enable dhcp vlan [ | all]

You can disable the BOOTP or DHCP client per VLAN by using the following commands:
disable bootp vlan [ | all]
disable dhcp vlan [ | all]

To view the current state of the BOOTP or DHCP client, use the following command:
show dhcp-client state


The switch does not retain IP addresses assigned by BOOTP or DHCP through a power
cycle, even if the configuration has been saved. To retain the IP address through a power
cycle, you must configure the IP address of the VLAN using the CLI or Telnet.
If you need the switch's MAC address to configure your BOOTP or DHCP server, you can
find it on the rear label of the switch. Note that all VLANs configured to use BOOTP or DHCP
use the same MAC address to get their IP address, so you cannot configure the BOOTP or
DHCP server to assign multiple specific IP addresses to a switch depending solely on the
MAC address.

Manually Configuring the IP Settings
If you are using IP without a BOOTP server, you must enter the IP parameters for the switch
in order for the SNMP Network Manager or Telnet software to communicate with the device.
To assign IP parameters to the switch, you must perform the following tasks:
• Log in to the switch with administrator privileges using the console interface.
• Assign an IP address and subnet mask to a VLAN.
The switch comes configured with a default VLAN named default. To use Telnet or an
SNMP Network Manager, you must have at least one VLAN on the switch, and that VLAN
must be assigned an IP address and subnet mask. IP addresses are always assigned to
each VLAN. The switch can be assigned multiple IP addresses (one for each VLAN).

Note: For information on creating and configuring VLANs, see Chapter 9,
VLANs.

To manually configure the IP settings:
1. Connect a terminal or workstation running terminal emulation software to the console
port, as detailed in Using the Console Interface on page 52.
2. At your terminal, press [Return] one or more times until you see the login prompt.
3. At the login prompt, enter your user name and password. Note that they are both
case-sensitive. Ensure that you have entered a user name and password with administrator
privileges.
• If you are logging in for the first time, use the default user name admin to log in with
administrator privileges. For example:
login: admin

Administrator capabilities enable you to access all switch functions. The default user
names have no passwords assigned.
• If you have been assigned a user name and password with administrator privileges,
enter them at the login prompt.

4. At the password prompt, enter the password and press [Return].
When you have successfully logged in to the switch, the command line prompt displays
the name of the switch.


5. Assign an IP address and subnetwork mask for the default VLAN by using the following
command:
configure {vlan}  ipaddress [ {} | ipv6-link-local |
{eui64} ]

For example:
configure vlan default ipaddress 123.45.67.8 255.255.255.0

The changes take effect immediately.

Note: As a general rule, when configuring any IP addresses for the switch,
you can express a subnet mask by using dotted decimal notation or
by using classless inter domain routing notation (CIDR). CIDR uses
a forward slash plus the number of bits in the subnet mask. Using
CIDR notation, the command identical to the previous example is:
configure vlan default ipaddress 123.45.67.8/24

6. Configure the default route for the switch using the following command:
configure iproute add default  {} {multicast | multicast-only |
unicast | unicast-only} {vr }

For example:
configure iproute add default 123.45.67.1

7. Save your configuration changes so that they will be in effect after the next switch reboot.
• If you want to save your changes to the currently booted configuration, use the
following command:
save

• XCM8800 allows you to select or create a configuration file name of your choice to
save the configuration to. If you want to save your changes to an existing or new
configuration file, use the following command:
save configuration [ | ]

8. Log out of the switch by typing:
logout or quit

Configuring Telnet Access to the Switch
By default, Telnet services are enabled on the switch and all virtual routers listen for incoming
Telnet requests. The switch accepts IPv6 connections.

Note: User-created VRs are supported only on the platforms listed for this
feature in Appendix A, XCM8800 Software Licenses.


The safe defaults mode runs an interactive script that allows you to enable or disable SNMP,
Telnet, and switch ports. When you set up your switch for the first time, you must connect to
the console port to access the switch. After logging in to the switch, you enter safe defaults
mode. Although SNMP, Telnet, and switch ports are enabled by default, the script prompts
you to confirm those settings.
If you choose to keep the default setting for Telnet—the default setting is enabled—the switch
returns the following interactive script:
Since you have chosen less secure management methods, please remember to
increase the security of your network by taking the following actions:
* change your admin password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic

For more detailed information about safe defaults mode, see Safe Defaults Setup Method on
page 38.
To configure the virtual router from which you receive a Telnet request, use the following
command:
configure telnet vr [all | default | ]

To change the default TCP port number, use the following command:
configure telnet port [ | default]

The range for the port number is 1 through 65535. The following TCP port numbers are
reserved and cannot be used for Telnet connections: 22, 80, and 1023. If you attempt to
configure a reserved port, the switch displays an error message.

Using ACLs to Control Telnet Access
By default, Telnet services are enabled on the switch. You can restrict Telnet access by using
an access control list (ACL) and implementing an ACL policy. You configure an ACL policy to
permit or deny a specific list of IP addresses and subnet masks for the Telnet port.
There are two methods to load ACL policies to the switch:
• Use the edit policy command to launch a VI-like editor on the switch. You can create the
policy directly on the switch.
• Use the tftp command to transfer a policy that you created using a text editor on another
system to the switch.

For more information about creating and implementing ACLs and policies, see Chapter 12,
Policy Manager and Chapter 13, ACLs.
Sample ACL Policies
The following are sample policies that you can apply to restrict Telnet access.
In the following example named MyAccessProfile.pol, the switch permits connections from
the subnet 10.203.133.0/24 and denies connections from all other addresses:


MyAccessProfile.pol
entry AllowTheseSubnets {
if {
source-address 10.203.133.0 /24;
} then {
permit;
}
}

In the following example named MyAccessProfile.pol, the switch permits connections from
the subnets 10.203.133.0/24 or 10.203.135.0/24 and denies connections from all other
addresses:
MyAccessProfile.pol
entry AllowTheseSubnets {
if match any {
source-address 10.203.133.0 /24;
source-address 10.203.135.0 /24;
} then {
permit;
}
}

In the following example named MyAccessProfile_2.pol, the switch does not permit
connections from the subnet 10.203.133.0/24 but accepts connections from all other
addresses:
MyAccessProfile_2.pol
entry dontAllowTheseSubnets {
if {
source-address 10.203.133.0 /24;
} then {
deny;
}
}
entry AllowTheRest {
if {
; #none specified
} then {
permit;
}
}

In the following example named MyAccessProfile_2.pol, the switch does not permit
connections from the subnets 10.203.133.0/24 or 10.203.135.0/24 but accepts connections
from all other addresses:
MyAccessProfile_2.pol
entry dontAllowTheseSubnets {
if match any {
source-address 10.203.133.0 /24;
source-address 10.203.135.0 /24;
} then {
deny;
}
}
entry AllowTheRest {
if {
; #none specified
} then {
permit;
}
}

Configuring Telnet to Use ACL Policies
This section assumes that you have already loaded the policy on the switch. For more
information about creating and implementing ACLs and policies, see Chapter 12, Policy
Manager and Chapter 13, ACLs.
To configure Telnet to use an ACL policy to restrict Telnet access, use the following
command:
configure telnet access-profile [ | none]

Use the none option to remove a previously configured ACL.
In the ACL policy file for Telnet, the source-address field is the only supported match
condition. Any other match conditions are ignored.

Note: Do not also apply the policy to the access list. Applying a policy to
both an access profile and an access list is neither necessary nor
recommended.
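To see how the switch would apply the sample policies above, here is an added Python evaluator (not NETGEAR code) that parses the .pol syntax of those samples and applies the first matching entry to a connecting source address; as the note above states for Telnet profiles, it honors only source-address and ignores any other match condition. The embedded policies are constructed copies of the manual's samples, and the deny for unmatched addresses follows the text's description of those samples.

```python
"""Evaluate the Telnet access-profile .pol policies shown above.
Added example, not NETGEAR code: parses entry NAME { if [match any] {
source-address A/B; ... } then { permit|deny; } } and applies first-match."""
import ipaddress
import re

_TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")  # braces, semicolons, bare words


def _tokens(text):
    toks = []
    for line in text.splitlines():  # '#' starts a comment, as in '; #none specified'
        toks.extend(_TOKEN.findall(line.split("#", 1)[0]))
    return toks


def _expect(toks, i, *want):
    """Consume the literal tokens in `want` starting at toks[i]."""
    for w in want:
        got = toks[i] if i < len(toks) else "<end>"
        if got != w:
            raise ValueError("expected %r, got %r" % (w, got))
        i += 1
    return i


def parse_policy(text):
    """Return a list of (entry_name, mode, [networks], action) in file order."""
    toks, i, entries = _tokens(text), 0, []
    while i < len(toks):
        i = _expect(toks, i, "entry")
        name = toks[i]
        i = _expect(toks, i + 1, "{", "if")
        mode = "all"  # a bare 'if {' requires every listed condition to match
        if toks[i] == "match":
            mode, i = toks[i + 1], i + 2
        i = _expect(toks, i, "{")
        nets = []
        while toks[i] != "}":
            if toks[i] == ";":  # empty condition: no constraint, matches everything
                i += 1
                continue
            key, args, i = toks[i], [], i + 1
            while toks[i] != ";":
                args.append(toks[i])
                i += 1
            i += 1
            if key == "source-address":  # "10.203.133.0 /24" is two tokens; rejoin
                nets.append(ipaddress.ip_network("".join(args), strict=False))
            # any other match condition is ignored for Telnet access profiles
        i = _expect(toks, i, "}", "then", "{")
        action = toks[i]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action %r in entry %s" % (action, name))
        i = _expect(toks, i + 1, ";", "}", "}")
        entries.append((name, mode, nets, action))
    return entries


def evaluate(entries, source, default="deny"):
    """First matching entry wins; `default` applies when nothing matches (the
    manual's examples treat unmatched addresses as denied)."""
    ip = ipaddress.ip_address(source)
    for name, mode, nets, action in entries:
        hits = [ip in net for net in nets]  # False for a mismatched IP version
        if not nets or (any(hits) if mode == "any" else all(hits)):
            return name, action
    return None, default


def decide(policy_text, source):
    """(entry, action) for one source address under one policy file."""
    return evaluate(parse_policy(policy_text), source)


# Constructed copies of two of the manual's sample policies.
PERMIT_ONE_SUBNET = """
entry AllowTheseSubnets {
if {
source-address 10.203.133.0 /24;
} then {
permit;
}
}
"""

DENY_TWO_ALLOW_REST = """
entry dontAllowTheseSubnets {
if match any {
source-address 10.203.133.0 /24;
source-address 10.203.135.0 /24;
} then {
deny;
}
}
entry AllowTheRest {
if {
; #none specified
} then {
permit;
}
}
"""
```

Running decide() against a few source addresses before loading a profile with configure telnet access-profile shows whether the entry order produces the intended permit and deny decisions, including for IPv6 sources, which the switch also accepts.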

Viewing Telnet Information
To display the status of Telnet, including the current TCP port, the virtual router used to
establish a Telnet session, and whether ACLs are controlling Telnet access, use the following
command:
show management

Disabling and Enabling Telnet
You can choose to disable Telnet by using the following command:
disable telnet

To re-enable Telnet on the switch, use the following command:


enable telnet

You must be logged in as an administrator to configure the virtual router(s) used by Telnet
and to enable or disable Telnet.

Disconnecting a Telnet Session
A person with an administrator level account can disconnect a Telnet management session. If
this happens, the user logged in by way of the Telnet connection is notified that the session
has been terminated.
To terminate a Telnet session:
1. Log in to the switch with administrator privileges.
2. Determine the session number of the session you want to terminate by using the following
command:
show session {{detail} {}} {history}

3. Terminate the session by using the following command:
clear session [history |  | all]

Using Secure Shell 2
Secure Shell 2 (SSH2) is a feature of the XCM8800 software that allows you to encrypt
session data between a network administrator using SSH2 client software and the switch or
send encrypted data from the switch to an SSH2 client on a remote system. Configuration,
image, public key, and policy files can be transferred to the switch using the Secure Copy
Protocol 2 (SCP2) or the Secure File Transfer Protocol (SFTP).
The XCM8800 SSH2 switch application works with the following clients: PuTTY, SSH2 (version
2.x or later) from SSH Communication Security, and OpenSSH (version 2.5 or later).
OpenSSH uses the RCP protocol, which has been disabled from the XCM8800 software for
security reasons. Therefore, OpenSSH SCP does not work with the XCM8800 SSH
implementation. You can use OpenSSH SFTP instead.
The switch accepts IPv6 connections.
Up to eight active SSH2 sessions can run on the switch concurrently. If you enable the idle
timer using the enable idletimeout command, the SSH2 connection times out after 20
minutes of inactivity by default. If you disable the idle timer using the disable idletimeout
command, the SSH2 connection times out after 61 minutes of inactivity. If a connection to an
SSH2 session is lost inadvertently, the switch terminates the session within 61 minutes.
For detailed information about SSH2, see Chapter 17, Security.

Using the Trivial File Transfer Protocol
XCM8800 supports the Trivial File Transfer Protocol (TFTP) based on RFC 1350. TFTP is a
method used to transfer files from one network device to another. The XCM8800 TFTP client
is a command line application used to contact an external TFTP server on the network. For
example, XCM8800 uses TFTP to download software image files, switch configuration files,
and ACLs from a server on the network to the switch.
Up to eight active TFTP sessions can run on the switch concurrently.
NETGEAR recommends using a TFTP server that supports blocksize negotiation (as
described in RFC 2348, TFTP Blocksize Option), to enable faster file downloads and larger
file downloads.
For additional information about TFTP, see the following:
• For information about downloading software image files, BootROM files, and switch
configurations, see Appendix B, Software Upgrade and Boot Options.
• For information about downloading ACL (and other) policy files, see Chapter 12, Policy
Manager.
• For information about using TFTP to transfer files to and from the switch, see Chapter 4,
Managing the XCM8800 Software.
• For information about configuring core dump files and managing the core dump files
stored on your switch, see Appendix C, Troubleshooting. If configured, you can transfer
core dump (debug) files from either the internal memory card or the removable external
compact flash card. You can install a removable external compact flash card in only a
modular switch.

Connecting to Another Host Using TFTP
You can TFTP from the current CLI session to another host to transfer files using the
following command:
tftp [ | ] {-v } [-g | -p] [{-l [internal-memory
 | memorycard  | } {-r } |
{-r } {-l [internal-memory  | memorycard
 | ]}]

Note: User-created VRs are supported only on the platforms listed for this
feature in Appendix A, XCM8800 Software Licenses.

The TFTP session defaults to port 69. If you do not specify a virtual router, VR-Mgmt is used.
For example, to connect to a remote TFTP server with an IP address of 10.123.45.67 and
“get” or retrieve an XCM8800 configuration file named XOS1.cfg from that host, use the
following command:
tftp 10.123.45.67 -g -r XOS1.cfg

When you “get” the file via TFTP, the switch saves the file to the primary MSM/MM. If the
switch detects a backup MSM/MM in the running state, the file is replicated to the backup
MSM/MM.


To view the files you retrieved, enter the ls command at the command prompt.
In addition to the tftp command, the following two commands are available for transferring
files to and from the switch:
• tftp get [ | ] {-vr } [{[internal-memory
 | memorycard  | } {} |
{} {[internal-memory  | memorycard
 | ]}] {force-overwrite}

Note: User-created VRs are supported only on the platforms listed for this
feature in Appendix A, XCM8800 Software Licenses.

By default, if you transfer a file with a name that already exists on the system, the switch
prompts you to overwrite the existing file. For more information, see the tftp get
command in the NETGEAR 8800 Chassis Switch CLI Manual.
• tftp put [ | ] {-vr } [{[internal-memory
 | memorycard  | } {} |
{} {[internal-memory  | memorycard
 | ]}]

Note: User-created VRs are supported only on the platforms listed for this
feature in Appendix A, XCM8800 Software Licenses.
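As an added example (not NETGEAR code), the following Python builds the RFC 1350 read request that a client "get" such as the tftp 10.123.45.67 -g -r XOS1.cfg command above sends, appends the RFC 2348 blksize option that the recommendation above relies on, and interprets the server's first reply, including the case where a server without blocksize support ignores the option. The packets are constructed by hand; no server is contacted.

```python
"""TFTP read request with RFC 2348 block-size negotiation (added example,
not NETGEAR code). Builds the RRQ a client sends for a 'get', offers a
blksize option, and interprets the server's first reply (OACK/DATA/ERROR)."""
import struct

RRQ, DATA, ERROR, OACK = 1, 3, 5, 6
DEFAULT_BLKSIZE = 512  # RFC 1350 block size when no option is negotiated


def build_rrq(filename, blksize=None, mode="octet"):
    """RFC 1350 read request; the RFC 2348 blksize option is appended if given."""
    if blksize is not None and not 8 <= blksize <= 65464:
        raise ValueError("blksize must be 8..65464 (RFC 2348)")
    pkt = struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"
    if blksize is not None:
        pkt += b"blksize\0" + str(blksize).encode() + b"\0"
    return pkt


def parse_reply(pkt):
    """Classify the server's first reply as ('oack', options),
    ('data', {block, length}) or ('error', {code, message})."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (op,) = struct.unpack("!H", pkt[:2])
    if op == OACK:
        fields = pkt[2:].split(b"\0")
        # every option name and value is NUL-terminated, so the split ends with b""
        if fields[-1] != b"" or len(fields) % 2 == 0:
            raise ValueError("malformed OACK")
        names, values = fields[:-1:2], fields[1:-1:2]
        return "oack", {n.decode().lower(): v.decode() for n, v in zip(names, values)}
    if op == DATA:
        (block,) = struct.unpack("!H", pkt[2:4])
        return "data", {"block": block, "length": len(pkt) - 4}
    if op == ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        msg = pkt[4:].split(b"\0")[0].decode(errors="replace")
        return "error", {"code": code, "message": msg}
    raise ValueError("unexpected opcode %d" % op)


def negotiated_blksize(requested, reply):
    """Block size in effect after the first exchange.

    A DATA reply means the server ignored the option and a plain RFC 1350
    transfer with 512-byte blocks follows; an OACK may lower but never raise
    the requested size, so a larger offer is treated as a protocol error."""
    kind, detail = reply
    if kind == "data":
        return DEFAULT_BLKSIZE
    if kind == "error":
        raise RuntimeError("server refused: %d %s" % (detail["code"], detail["message"]))
    size = int(detail.get("blksize", DEFAULT_BLKSIZE))
    if size > requested or size < 8:
        raise ValueError("server offered an out-of-range blksize %d" % size)
    return size


if __name__ == "__main__":
    # Constructed exchange: request XOS1.cfg with 1432-byte blocks, server accepts.
    print(build_rrq("XOS1.cfg", 1432))
    print(negotiated_blksize(1432, parse_reply(b"\x00\x06blksize\x001432\x00")))
```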

Understanding System Redundancy
If you install two MSMs/MMs in the chassis, one assumes the role of primary (also called
“master”) and the other assumes the role of backup. The primary MSM/MM provides all of the
switch management functions including bringing up and programming the I/O modules,
running the bridging and routing protocols, and configuring the switch. The primary MSM/MM
also synchronizes the backup MSM/MM in case it needs to take over the management
functions if the primary MSM/MM fails.
This section describes the following topics:
• Node Election on page 65
• Replicating Data Between Nodes on page 66
• Viewing Node Status on page 68


Node Election
Node election is based on leader election between the MSMs/MMs installed in the chassis.
By default, the MSM/MM installed in slot A has primary status. Each node uses health
information about itself together with a user configured priority value to compute its node role
election priority. Nodes exchange their node role election priorities. During the node election
process, the node with the highest node role election priority becomes the master or primary
node, and the node with the second highest node role election priority becomes the backup
node. All other nodes (if any) remain in STANDBY state.
The primary node runs the switch management functions, and the backup node is fully
prepared to become the primary node if the primary fails. Standby nodes configured to be
master-capable elect a new backup node from among themselves after a failover has
occurred.

Determining the Primary Node
The following parameters determine the primary node:
• Node state—The node state must be STANDBY to participate in leader election and be
selected as primary. If the node is in the INIT, DOWN, or FAIL states, it cannot participate
in leader election. For more information about the node states, see Viewing Node Status
on page 68.
• Configuration priority—This is a user assigned priority. The configured priority is
compared only after the node meets the minimum thresholds in each category for it to be
healthy. Required processes and devices must not fail.
• Software health—This represents the percent of processes available.
• Health of secondary hardware components—This represents the health of the switch
components, such as power supplies, fans, and so forth.
• Slot ID—The MSM/MM slot where the node is installed (MSM-A or MSM-B).

Configuring the Node Priority on a Modular Switch
To configure the priority of an MSM/MM node, use the following command:
configure node slot  priority 

If you do not configure any priorities, MSM-A has a higher priority than MSM-B. For the
slot_id parameter, enter A for the MSM/MM installed in slot A or B for the MSM/MM installed
in slot B. By default, the priority is 0 and the node priority range is 1 through 100. The higher
the value, the higher the priority.

Relinquishing Primary Status
Before relinquishing primary status and initiating failover, review the section Synchronizing
Nodes on Modular Switches on page 825 to confirm that your platform and both installed
MSMs/MMs or master-capable nodes are running software that supports the synchronize
command.


You can cause the primary to failover to the backup, thereby relinquishing its primary status.
To cause the failover:
1. Use the show switch {detail} command on the primary or the backup node to confirm
that the nodes are synchronized and have identical software and switch configurations
before failover. The output displays the status of the nodes, with the primary node
showing MASTER and the backup node showing BACKUP (InSync).
A node may not be synchronized because checkpointing did not occur, incompatible
software is running on the primary and backup, or the backup is down.
• If the nodes are not synchronized and both nodes are running a version of XCM8800
that supports synchronization, proceed to step 2.
• If the nodes are synchronized, proceed to step 3.
2. If the nodes are not synchronized because of incompatible software, use the synchronize
command to ensure that the backup has the same software in flash as the primary.
The synchronize command:
• Reboots the backup node to prepare it for synchronizing with the primary node
• Copies both the primary and secondary software images
• Copies both the primary and secondary configurations
• Reboots the backup node after replication is complete

After you confirm the nodes are synchronized, proceed to step 3.
3. If the nodes are synchronized, use the run failover {force} command to initiate failover
from the primary node to the backup node. The backup node then becomes the primary
node and the original primary node reboots.

Replicating Data Between Nodes
XCM8800 replicates configuration and run-time information between the primary node and
the backup node so that the system can recover if the primary fails. This method of
replicating data is known as checkpointing. Checkpointing is the process of automatically
copying the active state from the primary to the backup, which allows for state recovery if the
primary fails.
Replicating data consists of the following three steps:
1. Configuration synchronization—Relays current and saved configuration information from
the primary to the backup
2. Bulk checkpoint—Ensures that each individual application running on the system is
synchronized with the backup
3. Dynamic checkpoint—Checkpoints any new state changes from the primary to the backup
To monitor the checkpointing status, use the show checkpoint-data {} command.
Data is not replicated from the primary to the standby nodes.


Relaying Configuration Information
To facilitate a failover from the primary node to the backup node, the primary transfers its
active configuration to the backup. Relaying configuration information is the first level of
checkpointing. During the initial switch boot-up, the primary’s configuration takes effect.
During the initialization of a node, its configuration is read from the local flash. After the
primary and backup nodes have been elected, the primary transfers its current active
configuration to the backup. After the primary and backup nodes are synchronized, any
configuration change you make to the primary is relayed to the backup and incorporated into
the backup’s configuration copy.

Note: To ensure that all of the configuration commands in the backup’s
flash are updated, issue the save command after you make any
changes.

If a failover occurs, the backup node continues to use the primary’s active configuration. If the
backup determines that it does not have the primary’s active configuration because a
run-time synchronization did not happen, the switch reboots. Because the backup always
uses the primary’s active configuration, the active configuration remains in effect regardless
of the number of failovers.

Note: If you issue the reboot command before you save your
configuration changes, the switch prompts you to save your
changes. To keep your configuration changes, save them before you
reboot the switch.

Bulk Checkpointing
Bulk checkpointing causes the primary and backup run-time states to be synchronized. Since
XCM8800 runs a series of applications, an application starts checkpointing only after all of
the applications it depends on have transferred their run-time states to the backup MSM/MM
node.
After one application completes bulk checkpointing, the next application proceeds with its
bulk checkpointing.
To monitor the checkpointing status, use the show checkpoint-data {} command.
To see if bulk checkpointing is complete, that is, to see if the backup node is fully
synchronized (In Sync) with the primary node, use the show switch {detail} command.
If a failover occurs before bulk checkpointing is complete, the switch reboots. However, once
bulk checkpointing is complete, failover is possible without a switch reboot.


Dynamic Checkpointing
After an application transfers its saved state to the backup node, dynamic checkpointing
requires that any new configuration information or state changes that occur on the primary be
immediately relayed to the backup. This ensures that the backup has the most up-to-date
and accurate information.

Viewing Checkpoint Statistics
To view and check the status of one or more processes being copied from the primary to the
backup node, use the following command:
show checkpoint-data {}

This command is also helpful in debugging synchronization problems that occur at run time.
This command displays, in percentages, the amount of copying completed by each process
and the traffic statistics between the process on both the primary and the backup nodes.

Viewing Node Status
XCM8800 allows you to view node statistical information. Each node in a NETGEAR 8800
installed in your system is self-sufficient and runs the management applications. By reviewing
this output, you can see the general health of the system along with other node parameters.
To view node status, use the following command:
show node {detail}

Table 11 lists the node status collected by the switch.
Table 11. Node States (node state: description)

BACKUP: In the backup state, this node becomes the primary node if the primary fails or enters
the DOWN state. The backup node also receives the checkpoint state data from the primary.

DOWN: In the down state, the node is not available to participate in leader election. The node
enters this state during any user action, other than a failure, that makes the node unavailable
for management. Examples of user actions are:
• Upgrading the software
• Rebooting the system using the reboot command
• Initiating an MSM/MM failover using the run msm-failover command
• Synchronizing the MSM/MM software and configuration in non-volatile storage using the
  synchronize command

FAIL: In the fail state, the node has failed and needs to be restarted or repaired. The node
reaches this state if the system has a hardware or software failure.

INIT: In the initial state, the node is being initialized. A node stays in this state when it is
coming up and remains in this state until it has been fully initialized. Being fully initialized
means that all of the hardware has been initialized correctly and there are no diagnostic faults.

MASTER: In the primary (master) state, the node is responsible for all switch management
functions.

STANDBY: In the standby state, leader election occurs—the primary and backup nodes are
elected. The priority of the node is only significant in the standby state.

Understanding Hitless Failover Support
The term hitless failover has slightly different meanings on a modular chassis. On a modular
chassis, MSMs/MMs do not directly control customer ports; such ports are directly controlled
by separate processors. When a modular chassis MSM/MM failover occurs, all of the ports in
the chassis are under the control of separate processors which can communicate with the
backup MSM/MM, so all ports continue to function.
As described in the section Understanding System Redundancy on page 64, if you install two
MSMs/MMs (nodes) in a chassis, one assumes the role of primary and the other assumes
the role of backup. The primary node provides all of the switch management functions
including bringing up and programming the I/O modules, running the bridging and routing
protocols, and configuring the switch. The primary node also synchronizes the backup node
in case it needs to take over the management functions if the primary node fails.
The configuration is one of the most important pieces of information checkpointed to the
backup node. Each component of the system needs to checkpoint whatever runtime data is
necessary to allow the backup node to take over as the primary node if a failover occurs,
including the protocols and the hardware dependent layers. For more information about
checkpointing data and relaying configuration information, see Replicating Data Between
Nodes on page 66.
Not all protocols support hitless failover; see Table 12 for a detailed list of protocols and their
support. Layer 3 forwarding tables are maintained for pre-existing flows, but subsequent
behavior depends on the routing protocols used. Static Layer 3 configurations and routes are
hitless. You must configure OSPF graceful restart for OSPF routes to be maintained, and you
must configure BGP graceful restart for BGP routes to be maintained. For more information
about OSPF, see Chapter 24, OSPF, and for more information about BGP, see Chapter 26,
BGP. For routing protocols that do not support hitless failover, the new primary node
removes and re-adds the routes.

Protocol Support for Hitless Failover
Table 12 summarizes the protocol support for hitless failover. Unless otherwise noted, the
behavior is the same for all modular switches.
If a protocol indicates support for hitless failover, additional information is also available in
that particular chapter. For example, for information about network login support of hitless
failover, see Chapter 16, Network Login.


Table 12. Protocol Support for Hitless Failover (protocol, behavior, and whether failover is
hitless)

Border Gateway Protocol (BGP). Hitless: Yes.
If you configure BGP graceful restart, by default the route manager does not delete BGP
routes until 120 seconds after failover occurs. There is no traffic interruption. However,
after BGP comes up after restart, BGP re-establishes sessions with its neighbors and
relearns routes from all of them. This causes an increase in control traffic onto the network.
If you do not configure graceful restart, the route manager deletes all BGP routes 1 second
after the failover occurs, which results in a traffic interruption in addition to the increased
control traffic.

Connectivity Fault Management (IEEE 802.1ag). Hitless: Yes.
An XCM8800 process running on the active MSM/MM should continuously send the MEP
state changes to the backup. Replicating the protocol packets from an active MSM/MM to a
backup may be a huge overhead if CCMs are to be initiated/received in the CPU and if the
CCM interval is in the order of milliseconds.
RMEP timeout does not occur on a remote node during the hitless failover. RMEP expiry
time on the new master node in case of double failures, when the RMEP expiry timer is
already in progress, is as follows:
RMEP Expiry Time = elapsed expiry time on the master node + 3.5 * ccmIntervaltime + MSM
convergence time.

Link Aggregation Control Protocol (LACP). Hitless: Yes.
If the backup node becomes the primary node, there is no traffic disruption.

Link Layer Discovery Protocol (LLDP). Hitless: No.
Since LLDP is more of a tool than a protocol, there is no hitless failover support. LLDP is
also a MIB interface to query the information learned. After a failover, it takes 30 seconds
or greater before the MIB database is fully populated again.

Multicast Source Discovery Protocol (MSDP). Hitless: No.
If the active MSM/MM fails, the MSDP process loses all state information and the standby
MSM/MM becomes active. However, the failover from the active MSM/MM to the standby
MSM/MM causes MSDP to lose all state information and dynamic data, so it is not a hitless
failover.

Network Login, 802.1x Authentication. Hitless: Yes.
Authenticated clients continue to remain authenticated after failover. However, 1 second
after failover, all authenticated clients are forced to re-authenticate themselves.
Information about unauthenticated clients is not checkpointed, so any such clients that were
in the process of being authenticated at the instant of failover must go through the
authentication process again from the beginning after failover.

Network Login, MAC-Based Authentication. Hitless: Yes.
Authenticated clients continue to remain authenticated after failover, so the failover is
transparent to them. Information about unauthenticated clients is not checkpointed, so any
such clients that were in the process of being authenticated at the instant of failover must
go through the authentication process again from the beginning after failover.
In the case of MAC-based authentication, the authentication process is very short, with
only a single packet being sent to the switch, so it is expected to be transparent to the
client stations.

Network Login, Web-Based Authentication. Hitless: Yes.
Web-based Netlogin users continue to be authenticated after a failover.

Open Shortest Path First (OSPF). Hitless: Yes.
If you configure OSPF graceful restart, there is no traffic interruption. However, after
OSPF comes up after restart, OSPF re-establishes sessions with its neighbors and relearns
Link State Advertisements (LSAs) from all of the neighbors. This causes an increase in
control traffic onto the network.
If you do not configure graceful restart, the route manager deletes all OSPF routes 1
second after the failover occurs, which results in a traffic interruption in addition to the
increased control traffic.

Open Shortest Path First v3 (OSPFv3). Hitless: No.
OSPFv3 does not support graceful restart, so the route manager deletes all OSPFv3 routes
1 second after the failover occurs. This results in a traffic interruption.
After OSPFv3 comes up on the new primary node, it relearns the routes from its neighbors.
This causes an increase in control traffic onto the network.

Power over Ethernet (PoE). Hitless: Yes.
The PoE configuration is checkpointed to the backup node. This ensures that if the backup
takes over, all ports currently powered stay powered after the failover and the configured
power policies are still in place.

Protocol Independent Multicast (PIM). Hitless: No.
After a failover, all hardware and software caches are cleared and learning from the
hardware is restarted. This causes a traffic interruption, since for all Layer 3 multicast
traffic it is the same as if the switch rebooted.

Routing Information Protocol (RIP). Hitless: No.
RIP does not support graceful restart, so the route manager deletes all RIP routes 1 second
after the failover occurs. This results in a traffic interruption as well as an increase in
control traffic as RIP re-establishes its database.

Routing Information Protocol next generation (RIPng). Hitless: No.
RIPng does not support graceful restart, so the route manager deletes all RIPng routes 1
second after the failover occurs. This results in a traffic interruption.
After RIPng comes up on the new primary node, it relearns the routes from its neighbors.
This causes an increase in control traffic onto the network.

Spanning Tree Protocol (STP). Hitless: Yes.
STP supports hitless failover, including catastrophic failure of the primary node, without
interruption. There should be no discernible network event external to the switch. The
protocol runs in lock step on both master and backup nodes, and the backup node is a hot
spare that can take over at any time with no impact on the network.

Virtual Router Redundancy Protocol (VRRP). Hitless: Yes.
VRRP supports hitless failover. The primary node replicates VRRP PDUs to the backup,
which allows the primary and backup nodes to run VRRP in parallel. Although both nodes
receive VRRP PDUs, only the primary transmits VRRP PDUs to neighboring switches and
participates in VRRP.

Dynamic Host Configuration Protocol server. Hitless: Yes.
A DHCP server continues to maintain the IP addresses assigned to various clients and the
lease times even after failover. When a failover happens, all the clients work as before.

Dynamic Host Configuration Protocol client. Hitless: Yes.
The IP addresses learned on all DHCP-enabled VLANs are retained on the backup node after
failover.

Bootstrap Protocol Relay. Hitless: Yes.
All bootprelay statistics (including option 82 statistics) are also available on the backup
node.

Simple Network Time Protocol Client. Hitless: Yes.
The SNTP client keeps the backup node updated about the last server from which a valid
update was received, the time at which the last update was received, whether the SNTP
time is currently good or not, and all other statistics.

Hitless Failover Caveats
This section describes the caveats for hitless failover. Check the latest version of the
XCM8800 release notes for additional information.

Caveat for NETGEAR 8800 Series Switches
The following summary describes the hitless failover caveat for NETGEAR 8800 series
switches:
• I/O modules not yet in the Operational state are powered off and the card state machine
  is restarted to bring them to the Operational state. This results in a delay in the I/O
  module becoming Operational.

Understanding Power Supply Management
This section describes how XCM8800 manages power consumption on the switch:
• Using Power Supplies on page 72
• Displaying Power Supply Information on page 76

Using Power Supplies
XCM8800 monitors and manages power consumption on the switch by periodically checking
the power supply units (PSUs) and testing them for failures. To determine the health of the
PSU, the XCM8800 checks the voltage, current, and temperature of the PSU.
The power management capability of the XCM8800:
• Protects the system from overload conditions
• Monitors all installed PSUs, even installed PSUs that are disabled
• Enables and disables PSUs as required
• Powers up or down I/O modules based on available power and required power resources
• Logs power resource changes, including power budget, total available power,
  redundancy, and so on
• Detects and isolates faulty PSUs

The switch includes two power supply controllers that collect data from the installed PSUs
and report the results to the MSM/MM modules. When you first power on the switch, the
power supply controllers enable a PSU. As part of the power management function, the
power controller disables the PSU if an unsafe condition arises. For more information about
the power supply controller, see the hardware documentation listed in Chapter 1, Overview.
If you have an XCM88P series Power over Ethernet (PoE) module installed in a NETGEAR
8800 series switch, there are specific power budget requirements and configurations
associated with PoE that are not described in this section. For more detailed information
about PoE, see Chapter 7, PoE.
XCM8800 includes support for the 600/900 W AC PSU for the NETGEAR 8806 switch. You
can mix existing 700/1200 W AC PSUs and 600/900 W AC PSUs in the same chassis. If you
install the 600/900 W AC PSU in a chassis other than the NETGEAR 8806, XCM8800
provides enough power to boot-up the chassis, display a warning message in the log, and
disable the PSU. If this occurs, you see a message similar to the following:
MSM-A:Power supply in slot 6 is not supported and is
being disabled.

When a combination of 700/1200 W AC PSUs and 600/900 W AC PSUs are powered on in
the same NETGEAR 8806 chassis, all 700/1200 W AC PSUs are budgeted “down” to match
the lower powered 600/900 W AC output values to avoid PSU shutdown. For more
information about the 600/900 W AC PSU, see the hardware documentation listed in Chapter
1, Overview.
This section describes the following power management topics:
• Initial System Boot-Up on page 73
• Power Redundancy on page 74
• Power Management Guidelines on page 74
• Overriding Automatic Power Supply Management on page 75

Initial System Boot-Up
When XCM8800 boots up, it reads and analyzes the installed I/O modules. XCM8800
considers the I/O modules for power up from the lowest numbered slot to the highest
numbered slot, based on their power requirements and the available system power. If the
system does not have enough power, some I/O modules are not powered up. For example,
XCM8800:
• Collects information about the PSUs installed to determine how many are running and
  how much power each can supply.
• Checks for PSU failures.
• Calculates the number of I/O modules to power up based on the available power budget
  and the power requirements of each I/O module, including PoE requirements for the
  NETGEAR 8800 series PoE I/O module.
• Reserves the amount of power required to power up a second MSM/MM if only one
  MSM/MM is installed.
• Reserves the amount of power required to power all fans and chassis components.
• Calculates the current power surplus or shortfall.
• Logs and sends SNMP traps for transitions in the overall system power status, including
  whether the available amount of power is:
  • Redundant or N+1—Power from a single PSU can be lost and no I/O modules are
    powered down.
  • Sufficient, but not redundant—Power from a single PSU is lost, and one or more I/O
    modules are powered down.
  • Insufficient—One or more modules are not powered up due to a shortfall of available
    power.

By reading the PSU information, XCM8800 determines the power status and the total amount
of power available to the system. The total power available determines which I/O modules
can be powered up.

Power Redundancy
In simple terms, power redundancy (N+1) protects the system from shutting down. With
redundancy, if the output of one PSU is lost for any reason, the system remains fully
powered. In this scenario, N is the minimum number of power supplies needed to keep the
system fully powered and the system has N+1 PSUs powered.
If the system power status is not redundant, the removal of one PSU, the loss of power to one
PSU, or a degradation of input voltage results in insufficient power to keep all of the I/O
modules powered up. If there is not enough power, XCM8800 powers down the I/O modules
from the highest numbered slot to the lowest numbered slot until the switch has enough
power to continue operation.
If you install or provide power to a new PSU, I/O modules powered down due to earlier
insufficient power are considered for power up from the lowest slot number to the highest slot
number, based on the I/O module’s power requirements.
Whenever the system experiences a change in power redundancy, including a change in the
total available power, degraded input voltage, or a return to redundant power, the switch
sends messages to the syslog.

Power Management Guidelines
The following list describes some key issues to remember when identifying your power needs
and installing PSUs:
• If you disable a slot, the I/O module installed in that slot is always powered down
  regardless of the number of PSUs installed.
• If a switch has PSUs with a mix of both 220V AC and 110V AC inputs, XCM8800
  maximizes system power by automatically taking one of two possible actions:
  • If all PSUs are enabled, then all PSUs must be budgeted at 110V AC to prevent
    overload of PSUs with 110V AC inputs.
  OR
  • If the PSUs with 110V AC inputs are disabled, then the PSUs with 220V AC inputs
    can be budgeted with a higher output per PSU.
  XCM8800 computes the total available power using both methods and automatically uses
  the PSU configuration that provides the greatest amount of power to the switch. Table 13
  lists combinations where XCM8800 maximizes system power by disabling the PSUs with
  110V AC inputs.

  Table 13. PSU Combinations Where 110V PSUs Are Disabled
  Number of PSUs with 220V AC inputs | Number of PSUs with 110V AC inputs
  2 | 1
  3 | 1
  3 | 2
  4 | 1
  4 | 2
  5 | 1

  For all other combinations of 220V AC and 110V AC PSUs, XCM8800 maximizes system
  power by enabling all PSUs and budgeting each PSU at 110V AC.
• NETGEAR 8806 switch only—When a combination of 700/1200 W AC PSUs and
  600/900 W AC PSUs are powered on in the same BlackDiamond 8806 chassis, all
  700/1200 W AC PSUs are budgeted “down” to match the lower powered 600/900 W AC
  output values to avoid PSU shutdown.
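The two budgeting methods and the "pick the larger total" rule above, as an added Python example (not NETGEAR's code). It assumes that a 700/1200 W PSU is budgeted at 700 W on 110V AC and 1200 W on 220V AC and that the chassis holds at most six PSUs; under those assumptions the generated list of mixed combinations is exactly Table 13.

```python
"""Mixed 220V/110V AC PSU budgeting as described for the XCM8800 power manager.

Added example, not NETGEAR code. Assumptions (not stated on the page):
a 700/1200 W PSU delivers 700 W budgeted at 110V AC and 1200 W at 220V AC,
and the chassis has at most six PSU bays."""

from dataclasses import dataclass
from itertools import product

W_AT_110V = 700   # assumed per-PSU budget when every PSU is budgeted at 110V AC
W_AT_220V = 1200  # assumed per-PSU budget for a 220V-input PSU left enabled alone
MAX_PSUS = 6      # assumed chassis limit; Table 13 stops at 5 + 1 PSUs


@dataclass(frozen=True)
class Budget:
    disable_110v: bool   # True: only the 220V-input PSUs stay enabled
    total_watts: int
    enabled_psus: int


def choose_budget(n_220v: int, n_110v: int) -> Budget:
    """Compute both budgeting methods and return the one that yields more power.

    Method A: enable every PSU but budget each at the 110V figure, so the
    110V-input units can never be overloaded.
    Method B: disable the 110V-input PSUs and budget the 220V-input units
    at the higher 220V figure.
    """
    if n_220v < 0 or n_110v < 0 or n_220v + n_110v == 0:
        raise ValueError("need at least one PSU")
    all_enabled = (n_220v + n_110v) * W_AT_110V
    only_220v = n_220v * W_AT_220V
    # On a tie keep every PSU enabled: same power, more redundancy.
    if only_220v > all_enabled:
        return Budget(True, only_220v, n_220v)
    return Budget(False, all_enabled, n_220v + n_110v)


def combinations_disabling_110v(max_psus: int = MAX_PSUS) -> list[tuple[int, int]]:
    """Every mixed (n_220v, n_110v) combination for which the 110V PSUs are
    disabled. With the assumptions above this reproduces Table 13."""
    result = []
    for n_220v, n_110v in product(range(1, max_psus + 1), repeat=2):
        if n_220v + n_110v <= max_psus and choose_budget(n_220v, n_110v).disable_110v:
            result.append((n_220v, n_110v))
    return sorted(result)


if __name__ == "__main__":
    for n_220v, n_110v in combinations_disabling_110v():
        b = choose_budget(n_220v, n_110v)
        print(f"{n_220v} x 220V + {n_110v} x 110V -> {b.total_watts} W "
              f"from {b.enabled_psus} enabled PSU(s)")
```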

Overriding Automatic Power Supply Management
You can override automatic power supply management to enable a PSU with 110V AC inputs
that XCM8800 disables if the need arises, such as for a planned maintenance of 220V AC
circuits. If the combination of AC inputs represents one of those listed in Table 13, you can
turn on a disabled PSU using the following command:
configure power supply  on


Note: If you override automatic power supply management, you may
reduce the available power and cause one or more I/O modules to
power down.

To resume using automatic power supply management on a PSU, use the configure power
supply  auto command. The setting for each PSU is stored as part of the switch
configuration.
To display power supply status and power budget information, use the show power and show
power budget commands.

Displaying Power Supply Information
To display the status of the currently installed power supplies on all switches, use the
following command:
show power {} {detail}

On modular switches, the following commands provide additional power supply information.
To view the system power status and the amount of available and required power, use the
following command:
show power budget

To display the status of the currently installed power supply controllers on modular switches,
use the following command:
show power controller {}

Using the Simple Network Management Protocol
Any network manager program running the Simple Network Management Protocol (SNMP)
can manage the switch, provided the Management Information Base (MIB) is installed
correctly on the management station. Each network manager program provides its own user
interface to the management facilities.

Note: When using a network manager program to create a VLAN,
NETGEAR does not support the SNMP create and wait operation.
To create a VLAN with SNMP, use the create and go operation.

The following sections describe how to get started if you want to use an SNMP manager. They
assume you are already familiar with SNMP management. If not, see the following
publication:

The Simple Book
by Marshall T. Rose
ISBN 0-13-8121611-9
Published by Prentice Hall.
This section describes the following SNMP topics:
• Enabling and Disabling SNMPv1/v2c and SNMPv3 on page 77
• Accessing Switch Agents on page 78
• Supported MIBs on page 78
• Configuring SNMPv1/v2c Settings on page 79
• Displaying SNMP Settings on page 80
• SNMPv3 on page 81
• Message Processing on page 82
• SNMPv3 Security on page 82
• SNMPv3 MIB Access Control on page 86
• SNMPv3 Notification on page 87

Enabling and Disabling SNMPv1/v2c and SNMPv3
XCM8800 can concurrently support SNMPv1/v2c and SNMPv3. The default is both types of
SNMP enabled. Network managers can access the device with either SNMPv1/v2c methods
or SNMPv3.
To allow support for all SNMP access, or SNMPv1/v2c access only, or SNMPv3 access only,
use the following command:
enable snmp access {snmp-v1v2c | snmpv3}

To prevent support for all SNMP access, or SNMPv1/v2c access only, or SNMPv3 access
only, use the following command:
disable snmp access {snmp-v1v2c | snmpv3}

Most of the commands that support SNMPv1/v2c use the keyword snmp; most of the
commands that support SNMPv3 use the keyword snmpv3.
After a switch reboot, all slots must be in the “Operational” state before SNMP can manage
and access the slots. To verify the current state of the slot, use the show slot command.

Understanding Safe Defaults Mode and SNMP
The safe defaults mode runs an interactive script that allows you to enable or disable SNMP,
Telnet, and switch ports. When you set up your switch for the first time, you must connect to
the console port to access the switch. After logging in to the switch, you enter safe defaults
mode. Although SNMP, Telnet, and switch ports are enabled by default, the script prompts
you to confirm those settings.


If you choose to keep the default setting for SNMP—the default setting is enabled—the
switch returns the following interactive script:
Since you have chosen less secure management methods, please remember to
increase the security of your network by taking the following actions:
* change your admin password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic

For more detailed information about safe defaults mode, see Safe Defaults Setup Method on
page 38.

Enabling and Disabling SNMP Access on Virtual Routers
Beginning with 12.4.2 software, you can enable and disable SNMP access on any or all VRs.
By default, SNMP access is enabled on all VRs.
When SNMP access is disabled on a VR, incoming SNMP requests are dropped and the
following message is logged:
SNMP is currently disabled on VR  Hence dropping the SNMP requests on
this VR.

To enable SNMP access on a VR, use the following command:
enable snmp access vr [ | all]

To disable SNMP access on a VR, use the following command:
disable snmp access vr [ | all]

To display the SNMP configuration and statistics on a VR, use the following command:
show snmp {vr} 

SNMP access for a VR has global SNMP status that includes all SNMPv1v2c, SNMPv3
default users and default group status. However, trap receiver configuration and trap
enabling/disabling are independent of global SNMP access and are still forwarded on a VR
that is disabled for SNMP access.

Accessing Switch Agents
To access the SNMP agent residing in the switch, at least one VLAN must have an assigned
IP address. XCM8800 supports either IPv4 or IPv6 addresses to manage the switch.
By default, SNMP access and SNMPv1/v2c traps are enabled. SNMP access and SNMP
traps can be disabled and enabled independently—you can disable SNMP access but still
allow SNMP traps to be sent, or vice versa.

Supported MIBs
In addition to private MIBs, the switch supports the standard MIBs listed in Appendix D,
Supported Protocols, MIBs, and Standards.


Configuring SNMPv1/v2c Settings
The following SNMPv1/v2c parameters can be configured on the switch:
• Authorized trap receivers—An authorized trap receiver can be one or more network
  management stations on your network. The switch sends SNMPv1/v2c traps to all
  configured trap receivers. You can specify a community string and UDP port individually
  for each trap receiver. All community strings must also be added to the switch using the
  configure snmp add community command.
  To configure a trap receiver on a switch, use the following command:
  configure snmp add trapreceiver [ | ] community [[hex
  ] | ] {port } {from
  [ | ]} {vr } {mode }
  To delete a trap receiver on a switch, use the following command:
  configure snmp delete trapreceiver [[ | ]
  {} | all]

  Entries in the trap receiver list can also be created, modified, and deleted using the
  RMON2 trapDestTable MIB table, as described in RFC 2021.
• SNMP access control—This feature allows the administrator to restrict SNMP
  access by using the access control list (ACL) and implementing an ACL policy. The
  administrator can configure an ACL policy to either permit or deny a specific list of
  IP address and subnet masks. There are four subcommands for enacting access
  control:
  • To configure SNMP to use an ACL policy, use the following command:
    configure snmp access-profile 

    By default, SNMP supports the read/write option.
  • To configure SNMP to remove a previously configured ACL policy, use the following
    command:
    configure snmp access-profile none
  • To configure SNMP to use an ACL policy and support the read-only option, use the
    following command:
    configure snmp access-profile  readonly
  • To configure SNMP to use an ACL policy and support the read/write option explicitly,
    use the following command:
    configure snmp access-profile  readwrite

  In the ACL policy file for SNMP, the source-address field is the only supported match
  condition. Any other match conditions are ignored.
• Community strings—The community strings allow a simple method of authentication
  between the switch and the remote network manager. There are two types of community
  strings on the switch:
  • Read community strings provide read-only access to the switch. The default read-only
    community string is public.
  • Read-write community strings provide read-and-write access to the switch. The
    default read-write community string is private.
• System contact (optional)—The system contact is a text field that enables you to enter
  the name of the person(s) responsible for managing the switch.
• System name (optional)—The system name enables you to enter a name that you have
  assigned to this switch. The default name is the model name of the switch (for example,
  XCM8806-1.2).
• System location (optional)—Using the system location field, you can enter the location
  of the switch.

Displaying SNMP Settings
To display the SNMP settings configured on the switch, use the following command:
show management

This command displays the following information:
• Enable/disable state for Telnet and SNMP access
• Login statistics
• Enable/disable state for idle timeouts
• Maximum number of CLI sessions
• SNMP community strings
• SNMP trap receiver list
• SNMP trap receiver source IP address
• SNMP statistics counter
• SSH access states of enabled, disabled, and module not loaded
• CLI configuration logging
• SNMP access states of v1, v2c disabled and v3 enabled
• Enable/disable state for Remote Monitoring (RMON)
• Access-profile usage configured via Access Control Lists (ACLs) for additional Telnet and
  SSH2 security
• CLI scripting settings
  • Enable/disable state
  • Error message setting
  • Persistence mode
• Dropped SNMP packet counter


SNMPv3
SNMPv3 is an enhanced standard for SNMP that improves the security and privacy of SNMP
access to managed devices and provides sophisticated control of access to the device MIB.
The prior standard versions of SNMP, SNMPv1, and SNMPv2c, provided no privacy and little
security.
The following RFCs provide the foundation for the NETGEAR implementation of SNMPv3:
• RFC 3410, Introduction to version 3 of the Internet-standard Network Management
  Framework, provides an overview of SNMPv3.
• RFC 3411, An Architecture for Describing SNMP Management Frameworks, talks about
  SNMP architecture, especially the architecture for security and administration.
• RFC 3412, Message Processing and Dispatching for the Simple Network Management
  Protocol (SNMP), talks about the message processing models and dispatching that can
  be a part of an SNMP engine.
• RFC 3413, SNMPv3 Applications, talks about the different types of applications that can
  be associated with an SNMPv3 engine.
• RFC 3414, The User-Based Security Model for Version 3 of the Simple Network
  Management Protocol (SNMPv3), describes the User-Based Security Model (USM).
• RFC 3415, View-based Access Control Model (VACM) for the Simple Network
  Management Protocol (SNMP), talks about VACM as a way to access the MIB.
• RFC 3826, The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP
  User-based Security Model.

Note: 3DES, AES 192 and AES 256 bit encryption are proprietary
implementations and may not work with some SNMP Managers.

The SNMPv3 standards for network management were driven primarily by the need for
greater security and access control. The new standards use a modular design and model
management information by cleanly defining a message processing (MP) subsystem, a
security subsystem, and an access control subsystem.
The MP subsystem helps identify the MP model to be used when processing a received
Protocol Data Unit (PDU), which are the packets used by SNMP for communication. The MP
layer helps in implementing a multilingual agent, so that various versions of SNMP can
coexist simultaneously in the same network.
The security subsystem features the use of various authentication and privacy protocols with
various timeliness checking and engine clock synchronization schemes. SNMPv3 is
designed to be secure against:
• Modification of information, where an in-transit message is altered
• Masquerades, where an unauthorized entity assumes the identity of an authorized entity
• Message stream modification, where packets are delayed and/or replayed
• Disclosure, where packet exchanges are sniffed (examined) and information is learned about the contents

The access control subsystem provides the ability to configure whether access to a managed
object in a local MIB is allowed for a remote principal. The access control scheme allows you
to define access policies based on MIB views, groups, and multiple security levels.
In addition, the SNMPv3 target and notification MIBs provide a more procedural approach for
generating and filtering of notifications.
SNMPv3 objects are stored in non-volatile memory unless specifically assigned to volatile
storage. Objects defined as permanent cannot be deleted.

Note: In SNMPv3, many objects can be identified by a human-readable
string or by a string of hexadecimal octets. In many commands, you
can use either a character string, or a colon-separated string of
hexadecimal octets to specify objects. To indicate hexadecimal
octets, use the keyword hex in the command.

Message Processing
A particular network manager may require messages that conform to a particular version of
SNMP. The choice of the SNMPv1, SNMPv2c, or SNMPv3 MP model can be configured for
each network manager as its target address is configured. The selection of the MP model is
configured with the mp-model keyword in the following command:
configure snmpv3 add target-params [[hex ] | ] user
[[hex ] | ] mp-model [snmpv1 | snmpv2c | snmpv3]
sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth | authnopriv | priv]}
{volatile}

SNMPv3 Security
In SNMPv3 the User-Based Security Model (USM) for SNMP was introduced. USM deals
with security related aspects like authentication, encryption of SNMP messages, and defining
users and their various access security levels. This standard also encompasses protection
against message delay and message replay.

USM Timeliness Mechanisms
A NETGEAR switch has one SNMPv3 engine, identified by its snmpEngineID. The first four
octets are fixed to 80:00:11:AE, which represents the NETGEAR vendor ID. By default, the
additional octets for the snmpEngineID are generated from the device MAC address.
Every SNMPv3 engine necessarily maintains two objects: SNMPEngineBoots, which is the
number of reboots the agent has experienced, and SNMPEngineTime, which is the local time
since the engine reboot. The engine has a local copy of these objects and the
latestReceivedEngineTime for every authoritative engine it wants to communicate with.
Comparing these objects with the values received in messages and then applying certain
rules to decide upon the message validity accomplishes protection against message delay or
message replay.
In a chassis, the snmpEngineID is generated using the MAC address of the MSM/MM with
which the switch boots first.
The snmpEngineID can be configured from the command line, but when the snmpEngineID is
changed, default users revert back to their original passwords/keys, and non-default users
are reset to the security level of no authorization, no privacy. To set the snmpEngineID, use
the following command:
configure snmpv3 engine-id 

SNMPEngineBoots can also be configured from the command line. SNMPEngineBoots can
be set to any desired value but will latch on its maximum, 2147483647. To set the
SNMPEngineBoots, use the following command:
configure snmpv3 engine-boots <(1-2147483647)>
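The following added example (not the switch's code) models the RFC 3414 timeliness rules that the paragraphs above describe, for both the authoritative engine (the switch) and a non-authoritative peer that keeps latestReceivedEngineTime; the engine ID and all clock values are constructed.

```python
"""USM timeliness: how snmpEngineBoots / snmpEngineTime protect against delayed
and replayed SNMPv3 messages (RFC 3414 section 3.2, step 7)."""

MAX_ENGINE_BOOTS = 2147483647  # the boots counter latches here, as the manual notes
TIME_WINDOW = 150              # seconds; the fixed RFC 3414 time window

# Constructed sample engine ID: the fixed NETGEAR prefix 80:00:11:AE from the
# manual followed by octets derived from a made-up MAC address (layout assumed).
SAMPLE_ENGINE_ID = bytes.fromhex("800011ae") + bytes.fromhex("030011aa223344")


class AuthoritativeEngine:
    """The switch side: it owns the authoritative clock for its engine ID."""

    def __init__(self, engine_id, boots, booted_at):
        self.engine_id = engine_id
        self.boots = min(boots, MAX_ENGINE_BOOTS)
        self.booted_at = booted_at  # wall-clock instant of the last (re)start

    def engine_time(self, now):
        """snmpEngineTime: seconds elapsed since the engine last (re)started."""
        return int(now - self.booted_at)

    def reboot(self, now):
        self.booted_at = now
        self.boots = min(self.boots + 1, MAX_ENGINE_BOOTS)

    def check_timeliness(self, msg_boots, msg_time, now):
        """Accept only if the message's boots value equals ours and its engine
        time is within 150 s of ours. A replay captured before a reboot fails
        on boots; a delayed message fails on time. Returns (ok, reason)."""
        if self.boots == MAX_ENGINE_BOOTS:
            return False, "notInTimeWindow: boots counter latched"
        if msg_boots != self.boots:
            return False, "notInTimeWindow: boots mismatch"
        if abs(self.engine_time(now) - msg_time) > TIME_WINDOW:
            return False, "notInTimeWindow: outside 150 s window"
        return True, "ok"


class PeerClock:
    """What a non-authoritative engine (for example the NMS) keeps for one
    authoritative engine: its notion of that engine's boots and time plus
    latestReceivedEngineTime, so that a stale or replayed response is rejected."""

    def __init__(self):
        self.boots = 0
        self.time = 0
        self.latest_received_time = 0
        self.synced_at = None

    def local_engine_time(self, now):
        if self.synced_at is None:
            return 0
        return self.time + int(now - self.synced_at)

    def update(self, msg_boots, msg_time, now):
        """Step 7.b: the local notion of the peer clock only moves forward."""
        newer = msg_boots > self.boots or (
            msg_boots == self.boots and msg_time > self.latest_received_time)
        if newer:
            self.boots, self.time = msg_boots, msg_time
            self.latest_received_time = msg_time
            self.synced_at = now
        return newer

    def check_timeliness(self, msg_boots, msg_time, now):
        if msg_boots == MAX_ENGINE_BOOTS:
            return False, "notInTimeWindow: peer boots counter latched"
        if msg_boots < self.boots:
            return False, "notInTimeWindow: message predates a reboot"
        if msg_boots == self.boots and msg_time < self.local_engine_time(now) - TIME_WINDOW:
            return False, "notInTimeWindow: message is more than 150 s old"
        return True, "ok"


if __name__ == "__main__":
    switch = AuthoritativeEngine(SAMPLE_ENGINE_ID, boots=3, booted_at=1000.0)
    print("fresh request:", switch.check_timeliness(3, 500, now=1500.0))
    print("delayed 300 s:", switch.check_timeliness(3, 200, now=1500.0))
    switch.reboot(now=1600.0)
    print("replay from before reboot:", switch.check_timeliness(3, 500, now=1610.0))
```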

Users, Groups, and Security
SNMPv3 controls access and security using the concepts of users, groups, security models,
and security levels.
Users
Users are created by specifying a user name. Depending on whether the user will be using
authentication and/or privacy, you would also specify an authentication protocol (MD5 or
SHA) with password or key, and/or privacy (DES, 3DES, AES) password or key.
Before creating users that use AES or 3DES privacy, you must install the SSH module and
restart the snmpMaster process. See Installing a Modular Software Package on page 806 for
information on installing the SSH module.
To create a user, use the following command:
configure snmpv3 add user [[hex ] | ] {authentication
[md5 | sha] [hex  | ]} {privacy {des | 3des |
aes {128 | 192 | 256}} [[hex ] | ]}
}{volatile}

A number of default users are initially available. These user names are: admin, initial,
initialmd5, initialsha, initialmd5Priv, initialshaPriv. The default password for admin is
password. For the other default users, the default password is the user name.
To display information about a user, or all users, use the following command:
show snmpv3 user {[[hex ] | ]}

Enabling the SNMPv3 default-user access allows an end user to access the MIBs using
SNMPv3 default-user. To enable default-user, use the following command:
enable snmpv3 default-user


By disabling default-users access, the end-user is not able to access the switch/MIBs using
SNMPv3 default-user. To disable default-user, use the following command:
disable snmpv3 default-user

To delete a user, use the following command:
configure snmpv3 delete user [all-non-defaults | [[hex ] |
]]

Note: The SNMPv3 specifications describe the concept of a security
name. In the XCM8800 implementation, the user name and security
name are identical. In this manual, both terms are used to refer to
the same thing.

Groups
Groups are used to manage access for the MIB. You use groups to define the security model,
the security level, and the portion of the MIB that members of the group can read or write. To
underscore the access function of groups, groups are defined using the following command:
configure snmpv3 add access [[hex ] | ] {sec-model
[snmpv1 | snmpv2c | usm]} {sec-level [noauth | authnopriv | priv]} {read-view
[[hex ] | ]} {write-view [[hex
]] | ]} {notify-view [[hex
]} {volatile}

The security model and security level are discussed in Security Models and Levels on
page 85. The view names associated with a group define a subset of the MIB (subtree) that
can be accessed by members of the group. The read view defines the subtree that can be
read, write view defines the subtree that can be written to, and notify view defines the subtree
that notifications can originate from. MIB views are discussed in SNMPv3 MIB Access
Control on page 86.
A number of default groups are already defined. These groups are: admin, initial, v1v2c_ro,
v1v2c_rw. To display information about the access configuration of a group or all groups, use
the following command:
show snmpv3 access {[[hex ] | ]}

Enabling SNMPv3 default-group access activates the access to an SNMPv3 default group
and the user- created SNMPv3-user part of default group. To enable default-group, use the
following command:
enable snmpv3 default-group

Disabling SNMPv3 default-group access removes access to default-users and user-created
users who are part of the default-group. The user-created authenticated SNMPv3 users (who
are part of a user-created group) are able to access the switch. To disable a default-group,
use the following command:


disable snmpv3 default-group

Users are associated with groups using the following command:
configure snmpv3 add group [[hex ] | ] user [[hex
] | ] {sec-model [snmpv1| snmpv2c | usm]} {volatile}

To show which users are associated with a group, use the following command:
show snmpv3 group {[[hex ] | ] {user [[hex
] | ]}}

To delete a group, use the following command:
configure snmpv3 delete access [all-non-defaults | {[[hex ] |
] {sec-model [snmpv1 | snmpv2c | usm] sec-level [noauth |
authnopriv | priv]}}]

When you delete a group, you do not remove the association between the group and users of
the group. To delete the association between a user and a group, use the following
command:
configure snmpv3 delete group {[[hex ] | ]} user
[all-non-defaults | {[[hex ] | ] {sec-model
[snmpv1|snmpv2c|usm]}}]

Security Models and Levels
For compatibility, SNMPv3 supports three security models:
• SNMPv1—no security
• SNMPv2c—community strings based security
• SNMPv3—USM security
The default is USM. You can select the security model based on the network manager in your
network.
The three security levels supported by USM are:
• noAuthnoPriv—No authentication, no privacy. This is the case with existing SNMPv1/v2c agents.
• AuthnoPriv—Authentication, no privacy. Messages are tested only for authentication.
• AuthPriv—Authentication, privacy. This represents the highest level of security and requires every message exchange to pass the authentication and encryption tests.

When a user is created, an authentication method is selected, and the authentication and
privacy passwords or keys are entered.
When MD5 authentication is specified, HMAC-MD5-96 is used to achieve authentication with
a 16-octet key, which generates a 128-bit authorization code. This authorization code is
inserted in the msgAuthenticationParameters field of SNMPv3 PDUs when the security level
is specified as either AuthnoPriv or AuthPriv. Specifying SHA authentication uses the
HMAC-SHA protocol with a 20-octet key for authentication.


For privacy, the user can select any one of the following supported privacy protocols: DES,
3DES, AES 128/192/256. In the case of DES, a 16-octet key is provided as input to the
DES-CBC encryption protocol, which generates an encrypted PDU to be transmitted. DES
uses bytes 1-7 to make a 56 bit key. This key (encrypted itself) is placed in
msgPrivacyParameters of SNMPv3 PDUs when the security level is specified as AuthPriv.
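The following added example (not the switch's code) shows what happens to an authentication password under USM: the RFC 3414 password-to-key step, localization with the snmpEngineID, and the truncated HMAC that goes into msgAuthenticationParameters. The MAC address, the engine-ID layout after the 80:00:11:AE prefix, and the message bytes are constructed.

```python
import hashlib
import hmac

NETGEAR_ENGINE_ID_PREFIX = bytes.fromhex("800011ae")  # fixed first four octets (manual)
AUTH_TAG_LEN = 12  # HMAC-MD5-96 and HMAC-SHA-96 carry only the first 96 bits


def engine_id_from_mac(mac):
    """Constructed layout: vendor prefix, then format octet 3 (the RFC 3411
    'MAC address' format) and the six MAC octets. The manual only says the
    remaining octets derive from the MAC, so this exact layout is an assumption."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    return NETGEAR_ENGINE_ID_PREFIX + b"\x03" + mac


def password_to_key(password, hashname):
    """RFC 3414 A.2: Ku = H(password repeated end to end for 1 MiB).
    hashname is 'md5' (16-octet key) or 'sha1' (20-octet key)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hashname, stream).digest()


def localize_key(ku, engine_id, hashname):
    """Kul = H(Ku || snmpEngineID || Ku). The key is bound to one engine ID,
    which is why reconfiguring engine-id invalidates existing users' keys."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def user_auth_key(password, hashname, engine_id):
    """What the agent keeps for an 'authentication [md5 | sha]' user created
    with a password: the localized key, never the password itself."""
    return localize_key(password_to_key(password, hashname), engine_id, hashname)


def auth_tag(kul, whole_msg, hashname):
    """The msgAuthenticationParameters value: HMAC over wholeMsg (with that
    field already zeroed by the caller), truncated to 12 octets."""
    return hmac.new(kul, whole_msg, hashname).digest()[:AUTH_TAG_LEN]


def verify_tag(kul, whole_msg, received, hashname):
    """Receiver side: recompute and compare in constant time."""
    if len(received) != AUTH_TAG_LEN:
        return False
    return hmac.compare_digest(auth_tag(kul, whole_msg, hashname), received)


if __name__ == "__main__":
    # Constructed: a SHA user on a switch whose MAC address is 00:11:aa:22:33:44.
    eid = engine_id_from_mac(bytes.fromhex("0011aa223344"))
    kul = user_auth_key("correct horse battery", "sha1", eid)
    msg = b"<constructed SNMPv3 wholeMsg with zeroed auth parameters>"
    tag = auth_tag(kul, msg, "sha1")
    print("engineID:", eid.hex(), "tag:", tag.hex())
    print("verifies:", verify_tag(kul, msg, tag, "sha1"))
    print("tampered verifies:", verify_tag(kul, msg + b"!", tag, "sha1"))
```

The RFC 3414 appendix A.3 test vectors (password maplesyrup, engine ID 00…02) are a good self-check for the key derivation.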

SNMPv3 MIB Access Control
SNMPv3 provides a fine-grained mechanism for defining which parts of the MIB can be
accessed. This is referred to as the View-Based Access Control Model (VACM).
MIB views represent the basic building blocks of VACM. They are used to define a subset of
the information in the MIB. Access to read, to write, and to generate notifications is based on
the relationship between a MIB view and an access group. The users of the access group
can then read, write, or receive notifications from the part of the MIB defined in the MIB view
as configured in the access group.
A view name, a MIB subtree/mask, and an inclusion or exclusion define every MIB view. For
example, there is a System group defined under the MIB-2 tree. The Object Identifier (OID)
for MIB-2 is 1.3.6.1.2, and the System group is defined as MIB-2.1.1, or directly as
1.3.6.1.2.1.1.
To define a MIB view which includes only the System group, use the following subtree/mask
combination:
1.3.6.1.2.1.1/1.1.1.1.1.1.1.0

The mask can also be expressed in hex notation (this is used for the XCM8800 CLI):
1.3.6.1.2.1.1/fe

To define a view that includes the entire MIB-2, use the following subtree/mask:
1.3.6.1.2.1.1/1.1.1.1.1.0.0.0

which, in the CLI, is:
1.3.6.1.2.1.1/f8

When you create the MIB view, you can choose to include the MIB subtree/mask or to
exclude the MIB subtree/mask. To create a MIB view, use the following command:
configure snmpv3 add mib-view [[hex ] | ] subtree
 {/} {type [included | excluded]} {volatile}

After the view has been created, you can repeatedly use the configure snmpv3 add mib-view
command to include and/or exclude MIB subtree/mask combinations to precisely define the
items you want to control access to.
In addition to the user-created MIB views, there are three default views. They are
defaultUserView, defaultAdminView, and defaultNotifyView. To show MIB views, use the
following command:
show snmpv3 mib-view {[[hex ] | ] {subtree
}}


To delete a MIB view, use the following command:
configure snmpv3 delete mib-view [all-non-defaults | {[[hex ] |
] {subtree }}]

MIB views that are used by security groups cannot be deleted.

SNMPv3 Notification
SNMPv3 can use either SNMPv1 traps or SNMPv2c notifications to send information from an
agent to the network manager. The terms trap and notification are used interchangeably in
this context. Notifications are messages sent from an agent to the network manager, typically
in response to some state change on the agent system. With SNMPv3, you can define
precisely which traps you want sent, to which receiver by defining filter profiles to use for the
notification receivers.
To configure notifications, you configure a target address for the target that receives the
notification, a target parameters name, and a list of notification tags. The target parameters
specify the security and MP models to use for the notifications to the target. The target
parameters name also points to the filter profile used to filter the notifications. Finally, the
notification tags are added to a notification table so that any target addresses using that tag
will receive notifications.

Target Addresses
A target address is similar to the earlier concept of a trap receiver. To configure a target
address, use the following command:
configure snmpv3 add target-addr [[hex ] | ] param
[[hex ] | ] ipaddress [ [  |
 ] | [  |  ]] {transport-port
} {from [ | ]} {vr }
{tag-list } {volatile}

In configuring the target address you supply an address name that identifies the target
address, a parameters name that indicates the MP model and security for the messages sent
to that target address, and the IP address and port for the receiver. The parameters name
also is used to indicate the filter profile used for notifications. The target parameters is
discussed in Target Parameters, next.
The from option sets the source IP address in the notification packets.
The tag-list option allows you to associate a list of tags with the target address. The tag
defaultNotify is set by default. Tags are discussed in the section Notification Tags on page 89.
To display target addresses, use the following command:
show snmpv3 target-addr {[[hex ] | ]}

To delete a single target address or all target addresses, use the following command:
configure snmpv3 delete target-addr [{[[hex ] | ]} |
all]


Target Parameters
Target parameters specify the MP model, security model, security level, and user name
(security name) used for messages sent to the target address. See Message Processing on
page 82 and Users, Groups, and Security on page 83 for more details on these topics. In
addition, the target parameter name used for a target address points to a filter profile used to
filter notifications. When you specify a filter profile, you associate it with a parameter name,
so you must create different target parameter names if you use different filters for different
target addresses.
To create a target parameter name and to set the message processing and security settings
associated with it, use the following command:
configure snmpv3 add target-params [[hex ] | ] user
[[hex ] | ] mp-model [snmpv1 | snmpv2c | snmpv3]
sec-model [snmpv1 | snmpv2c | usm] {sec-level [noauth | authnopriv | priv]}
{volatile}

To display the options associated with a target parameters name or all target parameters
names, use the following command:
show snmpv3 target-params {[[hex ] | ]}

To delete one or all the target parameters, use the following command:
configure snmpv3 delete target-params [{[[hex ] |
]} | all]

Filter Profiles and Filters
A filter profile is a collection of filters that specifies which notifications should be sent to a
target address. A filter is defined by a MIB subtree and mask and by whether that subtree and
mask is included or excluded from notification.
When you create a filter profile, you are associating only a filter profile name with a target
parameter name. The filters that make up the profile are created and associated with the
profile using a different command.
To create a filter profile, use the following command:
configure snmpv3 add filter-profile [[hex ] | ]
param [[hex ]] | ] {volatile}

After the profile name has been created, you associate filters with it using the following
command:
configure snmpv3 add filter [[hex ] | ] subtree
 {/} type [included | excluded] {volatile}

The MIB subtree and mask are discussed in SNMPv3 MIB Access Control on page 86, as
filters are closely related to MIB views. You can add filters together, including and excluding
different subtrees of the MIB until your filter meets your needs.
To display the association between parameter names and filter profiles, use the following
command:


show snmpv3 filter-profile {[[hex ] | ]} {param
[[hex ] | ]}

To display the filters that belong to a filter profile, use the following command:
show snmpv3 filter {[[hex ] | ] {{subtree}
}

To delete a filter or all filters from a filter profile, use the following command:
configure snmpv3 delete filter [all | [[hex ] |
] {subtree }]]

To remove the association of a filter profile or all filter profiles with a parameter name, use the
following command:
configure snmpv3 delete filter-profile [all |[[hex ] |
] {param [[hex ] | }]]

Notification Tags
When you create a target address, either you associate a list of notification tags with the
target or by default, the defaultNotify tag is associated with the target. When the system
generates notifications, only those targets associated with tags currently in the standard MIB
table, called snmpNotifyTable, are notified.
To add an entry to the table, use the following command:
configure snmpv3 add notify [[hex ] | ] tag [[hex
] | ] {volatile}

Any targets associated with tags in the snmpNotifyTable are notified, based on the filter
profile associated with the target.
To display the notifications that are set, use the following command:
show snmpv3 notify {[[hex ] | ]}

To delete an entry from the snmpNotifyTable, use the following command:
configure snmpv3 delete notify [{[[hex ] | ]} |
all-non-defaults]

Configuring Notifications
Because the target parameters name points to a number of objects used for notifications,
configure the target parameter name entry first. You can then configure the target address,
filter profiles and filters, and any necessary notification tags.
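The following added example (not the switch's code) models both the VACM view rule from SNMPv3 MIB Access Control and the filter-profile and notification-tag dispatch described in the sections above, since filters and views share the same subtree/mask matching. View, profile, target and tag names are constructed; the OIDs are the standard System group and snmpTraps OIDs; a target whose parameters carry no filter profile is assumed to receive every notification.

```python
"""VACM views and notification filters share one matching rule: a MIB
subtree/mask family, included or excluded, with the most specific match winning."""
from dataclasses import dataclass


def parse_oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))


def mask_bits_to_hex(bits):
    """'1.1.1.1.1.1.1.0' -> 'fe', the hex form the XCM8800 CLI expects."""
    b = "".join(bits.split("."))
    b += "0" * (-len(b) % 8)  # pad to whole octets
    return bytes(int(b[i:i + 8], 2) for i in range(0, len(b), 8)).hex()


def mask_bits(mask_hex, n):
    """Expand a hex mask to n bits; per RFC 3415, bits the mask does not
    supply are treated as 1 (the sub-identifier must match)."""
    bits = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend(bool((byte >> (7 - i)) & 1) for i in range(8))
    bits = bits[:n]
    return bits + [True] * (n - len(bits))


@dataclass(frozen=True)
class Family:
    """One 'subtree {/mask} type [included | excluded]' entry of a view or filter."""
    subtree: tuple
    mask: str
    included: bool

    def matches(self, oid):
        if len(oid) < len(self.subtree):
            return False
        bits = mask_bits(self.mask, len(self.subtree))
        return all((not b) or s == o for b, s, o in zip(bits, self.subtree, oid))


def in_view(families, oid):
    """An OID is in the view if the most specific matching family is included:
    the longer subtree wins, ties go to the lexicographically greater subtree."""
    hits = [f for f in families if f.matches(oid)]
    if not hits:
        return False
    best = max(hits, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


def notify_targets(targets, param_to_profile, profiles, notify_table, trap_oid):
    """Which target addresses receive a notification with OID trap_oid.
    targets: list of (addr_name, param_name, tag_list); param_to_profile maps a
    target-params name to a filter-profile name; profiles maps a profile name to
    its Family list; notify_table is the set of tags present in snmpNotifyTable.
    Assumption: params without a filter profile receive everything."""
    out = []
    for addr, param, tags in targets:
        if not set(tags) & notify_table:
            continue  # none of the target's tags is in snmpNotifyTable
        profile = param_to_profile.get(param)
        if profile is not None and not in_view(profiles[profile], trap_oid):
            continue  # dropped by the filter profile
        out.append(addr)
    return out


if __name__ == "__main__":
    # Constructed: a read view limited to the System group minus sysLocation,
    # and a filter profile that drops linkDown but passes every other trap.
    system_only = [Family(parse_oid("1.3.6.1.2.1.1"), mask_bits_to_hex("1.1.1.1.1.1.1.0"), True),
                   Family(parse_oid("1.3.6.1.2.1.1.6"), "ff", False)]
    print("sysName.0 readable:", in_view(system_only, parse_oid("1.3.6.1.2.1.1.5.0")))
    print("sysLocation.0 readable:", in_view(system_only, parse_oid("1.3.6.1.2.1.1.6.0")))
    profiles = {"noLinkDown": [Family(parse_oid("1.3.6.1.6.3.1.1.5"), "ff", True),
                               Family(parse_oid("1.3.6.1.6.3.1.1.5.3"), "ff", False)]}
    targets = [("nms1", "v3params", ["defaultNotify"]), ("lab", "v3params", ["labTag"])]
    link_down = parse_oid("1.3.6.1.6.3.1.1.5.3")
    print("linkDown goes to:", notify_targets(targets, {"v3params": "noLinkDown"},
                                              profiles, {"defaultNotify"}, link_down))
```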

Using the Simple Network Time Protocol
The XCM8800 supports the client portion of the Simple Network Time Protocol (SNTP)
Version 3 based on RFC1769. SNTP can be used by the switch to update and synchronize
its internal clock from a Network Time Protocol (NTP) server. After SNTP has been enabled,
the switch sends out a periodic query to the indicated NTP server, or the switch listens to
broadcast NTP updates. In addition, the switch supports the configured setting for Greenwich
Mean Time (GMT) offset and the use of Daylight Saving Time.

Configuring and Using SNTP
To use SNTP:
1. Identify the host(s) that are configured as NTP server(s). Additionally, identify the
preferred method for obtaining NTP updates. The options are for the NTP server to send
out broadcasts or for switches using NTP to query the NTP server(s) directly. A
combination of both methods is possible. You must identify the method that should be
used for the switch being configured.
2. Configure the Greenwich Mean Time (GMT) offset and Daylight Saving Time preference.
The command syntax to configure GMT offset and usage of Daylight Saving Time is as
follows:
configure timezone {name }  
{autodst {name } {} 
{begins [every  | on ] {at 
} 
{ends [every  | on ] {at 
}}}

By default beginning in 2007, Daylight Saving Time is assumed to begin on the second
Sunday in March at 2:00 AM, and end the first Sunday in November at 2:00 AM and to be
offset from standard time by one hour. If this is the case in your time zone, you can set up
automatic daylight saving adjustment with the command:
configure timezone  autodst

If your time zone uses starting and ending dates and times that differ from the default, you
can specify the starting and ending date and time in terms of a floating day, as follows:
configure timezone name MET 60 autodst name MDT begins every last sunday march at
1 30 ends every last sunday october at 1 30

You can also specify a specific date and time, as shown in the following command:
configure timezone name NZST 720 autodst name NZDT 60 begins every first sunday
october at 2 00 ends on 3 16 2004 at 2 00

The optional time zone IDs are used to identify the time zone in display commands such
as show switch {detail}.
Table 14 describes the command options in detail.
Table 14. Time Zone Configuration Command Options
tz_name: Specifies an optional name for this timezone specification. May be up to six characters
in length. The default is an empty string.
GMT_offset: Specifies a Greenwich Mean Time (GMT) offset, in + or - minutes.
autodst: Enables automatic Daylight Saving Time.
dst_timezone_ID: Specifies an optional name for this Daylight Saving Time specification. May be up to six
characters in length. The default is an empty string.
dst_offset: Specifies an offset from standard time, in minutes. Value is in the range of 1 to 60.
Default is 60 minutes.
floatingday: Specifies the day, week, and month of the year to begin or end Daylight Saving Time
each year. Format is:
   where:
•  is specified as [first | second | third | fourth | last]
•  is specified as [sunday | monday | tuesday | wednesday | thursday | friday | saturday]
•  is specified as [january | february | march | april | may | june | july | august | september | october | november | december]
Default for beginning is second sunday march; default for ending is first sunday november.
absoluteday: Specifies a specific day of a specific year on which to begin or end DST. Format is:
   where:
•  is specified as 1-12
•  is specified as 1-31
•  is specified as 1970 - 2035
The year must be the same for the begin and end dates.
time_of_day_hour: Specifies the time of day to begin or end Daylight Saving Time. May be specified as an
hour (0-23). Default is 2.
time_of_day_minutes: Specifies the minute to begin or end Daylight Saving Time. May be specified as a minute
(0-59).
noautodst: Disables automatic Daylight Saving Time.

Automatic Daylight Saving Time changes can be enabled or disabled. The default setting
is enabled. To disable automatic Daylight Saving Time, use the command:
configure timezone {name }  noautodst

3. Enable the SNTP client using the following command:
enable sntp-client

After SNTP has been enabled, the switch sends out a periodic query to the NTP servers
defined in step 4 (if configured) or listens to broadcast NTP updates from the network.
The network time information is automatically saved into the onboard real-time clock.
4. If you would like this switch to use a directed query to the NTP server, configure the switch
to use the NTP server(s). An NTP server can be an IPv4 address or an IPv6 address or a
hostname. If the switch listens to NTP broadcasts, skip this step. To configure the switch to
use a directed query, use the following command:
configure sntp-client [primary | secondary]  {vr }

The following two examples use an IPv6 address as an NTP server and a hostname as
an NTP server:


configure sntp-client primary fd98:d3e2:f0fe:0:54ae:34ff:fecc:892
configure sntp-client primary ntpserver.mydomain.com

NTP queries are first sent to the primary server. If the primary server does not respond
within 1 second, or if it is not synchronized, the switch queries the secondary server (if
one is configured). If the switch cannot obtain the time, it restarts the query process.
Otherwise, the switch waits for the sntp-client update interval before querying again.
5. Optionally, the interval for which the SNTP client updates the real-time clock of the switch
can be changed using the following command:
configure sntp-client update-interval 

The default sntp-client update-interval value is 64 seconds.
6. You can verify the configuration using the following commands:
• show sntp-client
This command provides configuration and statistics associated with SNTP and its
connectivity to the NTP server.
• show switch {detail}
This command indicates the GMT offset, the Daylight Saving Time configuration and
status, and the current local time.
NTP updates are distributed using GMT time. To properly display the local time in logs and
other time-stamp information, the switch should be configured with the appropriate offset to
GMT based on geographical location. Table 15 lists GMT offsets.
Table 15. Greenwich Mean Time Offsets
GMT Offset in Hours | GMT Offset in Minutes | Common Time Zone References | Cities
+0:00 | +0 | GMT - Greenwich Mean; UT or UTC - Universal (Coordinated); WET - Western European | London, England; Dublin, Ireland; Edinburgh, Scotland; Lisbon, Portugal; Reykjavik, Iceland; Casablanca, Morocco
-1:00 | -60 | WAT - West Africa | Cape Verde Islands
-2:00 | -120 | AT - Azores | Azores
-3:00 | -180 | | Brasilia, Brazil; Buenos Aires, Argentina; Georgetown, Guyana
-4:00 | -240 | AST - Atlantic Standard | Caracas; La Paz
-5:00 | -300 | EST - Eastern Standard | Bogota, Colombia; Lima, Peru; New York, NY, Trevor City, MI USA
-6:00 | -360 | CST - Central Standard | Mexico City, Mexico
-7:00 | -420 | MST - Mountain Standard | Saskatchewan, Canada
-8:00 | -480 | PST - Pacific Standard | Los Angeles, CA, Santa Clara, CA, Seattle, WA USA
-9:00 | -540 | YST - Yukon Standard |
-10:00 | -600 | AHST - Alaska-Hawaii Standard; CAT - Central Alaska; HST - Hawaii Standard |
-11:00 | -660 | NT - Nome |
-12:00 | -720 | IDLW - International Date Line West |
+1:00 | +60 | CET - Central European; FWT - French Winter; MET - Middle European; MEWT - Middle European Winter; SWT - Swedish Winter | Paris, France; Berlin, Germany; Amsterdam, The Netherlands; Brussels, Belgium; Vienna, Austria; Madrid, Spain; Rome, Italy; Bern, Switzerland; Stockholm, Sweden; Oslo, Norway
+2:00 | +120 | EET - Eastern European, Russia Zone 1 | Athens, Greece; Helsinki, Finland; Istanbul, Turkey; Jerusalem, Israel; Harare, Zimbabwe
+3:00 | +180 | BT - Baghdad, Russia Zone 2 | Kuwait; Nairobi, Kenya; Riyadh, Saudi Arabia; Moscow, Russia; Tehran, Iran
+4:00 | +240 | ZP4 - Russia Zone 3 | Abu Dhabi, UAE; Muscat; Tbilisi; Volgograd; Kabul
+5:00 | +300 | ZP5 - Russia Zone 4 |
+5:30 | +330 | IST - India Standard Time | New Delhi, Pune, Allahabad, India
+6:00 | +360 | ZP6 - Russia Zone 5 |
+7:00 | +420 | WAST - West Australian Standard |
+8:00 | +480 | CCT - China Coast, Russia Zone 7 |
+9:00 | +540 | JST - Japan Standard, Russia Zone 8 |
+10:00 | +600 | EAST - East Australian Standard; GST - Guam Standard; Russia Zone 9 |
+11:00 | +660 | |
+12:00 | +720 | IDLE - International Date Line East; NZST - New Zealand Standard; NZT - New Zealand | Wellington, New Zealand; Fiji, Marshall Islands


SNTP Example
In this example, the switch queries a specific NTP server and a backup NTP server. The
switch is located in Cupertino, California, and an update occurs every 20 minutes. The
commands to configure the switch are as follows:
configure timezone -480 autodst
configure sntp-client update-interval 1200
enable sntp-client
configure sntp-client primary 10.0.1.1
configure sntp-client secondary 10.0.1.2


Chapter 4. Managing the XCM8800 Software

This chapter includes the following sections:
• Overview on page 95
• Using the XCM8800 File System on page 96
• Managing the Configuration File on page 104
• Managing XCM8800 Processes on page 106
• Understanding Memory Protection on page 109
• Monitoring CPU Utilization on page 110

Overview
The XCM8800 software platform is a distributed software architecture. The distributed
architecture consists of separate binary images organized into discrete software modules with
messaging between them. The software and system infrastructure subsystem form the basic
framework of how the XCM8800 applications interact with each other, including the system
startup sequence, memory allocation, and error events handling. Redundancy and data
replication is a built-in mechanism of XCM8800. The system infrastructure provides basic
redundancy support and libraries for all of the XCM8800 applications.

Note: For information about downloading and upgrading a new software
image, saving configuration changes, and upgrading the BootROM,
see Appendix B, Software Upgrade and Boot Options.

Like any advanced operating system, XCM8800 gives you the tools to manage your switch and
create your network configurations. The following enhancements and functionality are included
in the switch operating system:
• File system administration
• Configuration file management
• Process control
• Memory protection
• CPU monitoring

File system administration—With the enhanced file system, you can move, copy, and delete
files from the switch. The file system structure allows you to keep, save, rename, and
maintain multiple copies of configuration files on the switch. In addition, you can manage
other entities of the switch such as policies and access control lists (ACLs).
Configuration file management—With the enhanced configuration file management, you can
oversee and manage multiple configuration files on your switch. In addition, you can upload,
download, modify, and name configuration files used by the switch.
Process control—With process control, you can stop and start processes, restart failed
processes, and update the software for a specific process or set of processes.
Memory protection—With memory protection, each function can be bundled into a single
application module running as a memory protected process under real-time scheduling. In
essence, XCM8800 protects each process from every other process in the system. If one
process experiences a memory fault, that process cannot affect the memory space of
another process.
CPU monitoring—With CPU monitoring, you can monitor CPU utilization for Management
Modules (MSMs/MMs) and the individual processes running on the switch. Monitoring the
workload of the CPU allows you to troubleshoot and identify suspect processes.
The following sections describe in more detail how to manage the software.

Using the XCM8800 File System
The file system in XCM8800 is the structure by which files are organized, stored, and named.
The switch can store multiple user-defined configuration and policy files, each with its own
name.
Using a series of commands, you can manage the files on your system. For example, you
can rename or copy a configuration file on the switch, display a comprehensive list of the
configuration and policy files on the switch, or delete a policy file from the switch.

Note: Filenames are case-sensitive. For information on filename
restrictions, see the specific command in the NETGEAR 8800
Chassis Switch CLI Manual.

You can also download configuration and policy files from the switch to a network Trivial File
Transfer Protocol (TFTP) server using TFTP. For detailed information about downloading
switch configurations, see Appendix B, Software Upgrade and Boot Options. For detailed
information about downloading policies and ACLs, see Chapter 12, Policy Manager.
With guidance from NETGEAR Technical Support personnel, you can configure the switch to
capture core dump files, which contain debugging information that is useful in troubleshooting
situations. For more information about configuring core dump files and managing the core
dump files stored on your switch, see Appendix C, Troubleshooting.
This section describes the following file management topics:
• Moving or Renaming Files on the Switch on page 97
• Copying Files on the Switch on page 98
• Displaying Files on the Switch on page 100
• Transferring Files to and from the Switch on page 101
• Deleting Files from the Switch on page 103

Moving or Renaming Files on the Switch
To move or rename an existing configuration, policy, or if configured, core dump file in the
system, use the following command:
mv [internal-memory <old-name-internal> internal-memory <new-name-internal> |
internal-memory <old-name-internal> memorycard <new-name-memorycard> |
memorycard <old-name-memorycard> memorycard <new-name-memorycard> | memorycard
<old-name-memorycard> <new-name> | <old-name> memorycard <new-name-memorycard>
| <old-name> <new-name>]

Where the following is true:
• internal-memory—Specifies the internal memory card. Specify internal-memory if you
configured core dumps and are sending debug files to the internal memory.
• old-name-internal—Specifies the current name of the core dump file located on the
internal memory card.
• new-name-internal—Specifies the new name of the core dump file located on the internal
memory card.
• memorycard—Specifies the removable external compact flash memory card. (This
parameter is available only on modular switches.)
• old-name-memorycard—Specifies the current name of the file located on the external
compact flash memory card. Depending on your switch configuration, you can have
configuration, policy, or core dump files stored in this card. (This parameter is available
only on modular switches.)
• new-name-memorycard—Specifies the new name of the file located on the external
compact flash memory card. (This parameter is available only on modular switches.)
• old-name—Specifies the current name of the configuration or policy file.
• new-name—Specifies the new name of the configuration or policy file.

XML-formatted configuration files have a .cfg file extension. The switch runs only .cfg files.
ASCII-formatted configuration files have an .xsf file extension. For more information, see
ASCII-Formatted Configuration Files on page 819. Policy files have a .pol file extension.
When you rename a file, make sure the renamed file uses the same file extension as the
original file. If you change the file extensions, the file may be unrecognized by the system.

For example, if you have an existing configuration file named test.cfg, the new filename must
include the .cfg file extension.
When you rename a file on the switch, a message similar to the following appears:
Rename config test.cfg to config megtest.cfg on switch? (y/n)

Enter y to rename the file on your system. Enter n to cancel this process and keep the
existing filename.
If you attempt to rename an active configuration file (the configuration currently selected to
boot the switch), the switch displays an error similar to the following:
Error: Cannot rename current selected active configuration.

For more information about configuring core dump files and managing the core dump files
stored on your switch, see Appendix C, Troubleshooting.
This command also replicates the action from the primary node to the backup node. For
example, if you rename a file on the primary node, the same file on the backup node is
renamed.
For the memorycard option, this command can move files between the external memory card
and the switch. If you use the memorycard option for both the old-name and the new-name, this
command only renames a file on the external memory card.

Examples
The following example renames the configuration file named Test.cfg to Final.cfg:
mv Test.cfg Final.cfg

On a modular switch, the following command moves the configuration file named test1.cfg
from the switch to the external memory card:
mv test1.cfg memorycard test1.cfg

Copying Files on the Switch
The copy function allows you to make a copy of an existing file before you alter or edit the file.
By making a copy, you can easily go back to the original file if needed.
To copy an existing configuration or policy file on your switch, use the following command:
cp [internal-memory <old-name-internal> internal-memory <new-name-internal> |
internal-memory <old-name-internal> memorycard <new-name-memorycard> |
memorycard <old-name-memorycard> memorycard <new-name-memorycard> | memorycard
<old-name-memorycard> <new-name> | <old-name> memorycard <new-name-memorycard>
| <old-name> <new-name>]

Where the following is true:
• internal-memory—Specifies the internal memory card. Specify internal-memory if you
configured core dumps and are sending debug files to the internal memory.
• old-name-internal—Specifies the name of the core dump file located on the internal
memory card that you want to copy.
• new-name-internal—Specifies the name of the newly copied core dump file located on
the internal memory card.
• memorycard—Specifies the removable external compact flash memory card. (This
parameter is available only on modular switches.)
• old-name-memorycard—Specifies the name of the file located on the external compact
flash memory card that you want to copy. Depending on your switch configuration, you
can have configuration, policy, or core dump files stored in this card. (This parameter is
available only on modular switches.)
• new-name-memorycard—Specifies the name of the newly copied file located on the external
compact flash memory card. (This parameter is available only on modular switches.)
• old-name—Specifies the name of the configuration or policy file that you want to copy.
• new-name—Specifies the name of the copied configuration or policy file.

XML-formatted configuration files have a .cfg file extension. The switch runs .cfg files only.
ASCII-formatted configuration files have an .xsf file extension. For more information, see
ASCII-Formatted Configuration Files on page 819. Policy files have a .pol file extension.
When you copy a configuration or policy file from the system, make sure you specify the
appropriate file extension. For example, if you want to copy a policy file, specify the filename
and .pol.
When you copy a file on the switch, a message similar to the following appears:
Copy config test.cfg to config test1.cfg on switch? (y/n)

Enter y to copy the file. Enter n to cancel this process and not copy the file.
When you enter y, the switch copies the file with the new name and keeps a backup of the
original file with the original name. After the switch copies the file, use the ls command to
display a complete list of files.
For more information about configuring core dump files and managing the core dump files
stored on your switch, see Appendix C, Troubleshooting.
This command also replicates the action from the primary node to the backup node. For
example, when you copy a file on the primary node, the same file is copied to the backup
node.
For the memorycard option, the source and/or destination is the memorycard. You must mount
the memory card for this operation to succeed. This command copies a file from the switch to
the external memory card or a file already on the card. If you copy a file from the switch to the
external memory card, and the new filename is identical to the source file, you do not need to
re-enter the filename.

Example
The following example copies an existing configuration file named test.cfg and names the
copied configuration file test_rev2.cfg:

cp test.cfg test_rev2.cfg

On a modular switch, the following command makes a copy of a configuration file named
primary.cfg from the switch to the external memory card with the same name, primary.cfg:
cp primary.cfg memorycard

Displaying Files on the Switch
To display a list of the configuration, policy, or if configured, core dump files stored on your
switch, use the following command:
ls {[internal-memory | memorycard]} {<file-name>}

Where the following is true:
• internal-memory—Lists the core dump files that are present and saved in the internal
memory card. If the switch is not configured to save debug files or has not saved any
debug files, no files are displayed.
• memorycard—Lists all files that are stored in the external compact flash memory card.
(This parameter is available only on modular switches.)
• file-name—Lists all the files that match the wildcard.

When you do not specify a parameter, this command lists all of the files stored on your
switch.
Output from this command includes the file size, date and time the file was last modified, and
the file name.
For more information about configuring core dump files and managing the core dump files
stored on your switch, see Appendix C, Troubleshooting.

Example
The following command displays all of the configuration and policy files stored on your
switch:
ls

The following is sample output from this command:
total 424
-rw-r--r--  1 root root     50 Jul 30 14:19 hugh.pol
-rw-r--r--  1 root root  94256 Jul 23 14:26 hughtest.cfg
-rw-r--r--  1 root root 100980 Sep 23 09:16 megtest.cfg
-rw-r--r--  1 root root     35 Jun 29 06:42 newpolicy.pol
-rw-r--r--  1 root root 100980 Sep 23 09:17 primary.cfg
-rw-r--r--  1 root root  94256 Jun 30 17:10 roytest.cfg

On a modular switch, the following command displays all of the configuration and policy files
stored on the external memory card:

ls memorycard

The following is sample output from this command:
-rwxr-xr-x  1 root 0 15401865 Mar 30 00:03 bd10K-11.2.0.13.xos
-rwxr-xr-x  1 root 0       10 Mar 31 09:41 test-1.pol
-rwxr-xr-x  1 root 0       10 Apr  4 09:15 test.pol
-rwxr-xr-x  1 root 0       10 Mar 31 09:41 test_1.pol
-rwxr-xr-x  1 root 0   223599 Mar 31 10:02 v11_1_3.cfg
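The following is an added example, not part of the NETGEAR manual: a small parser for the ls listings shown above that inventories the files on the switch, flags any file whose extension is not one the manual documents (.cfg, .xsf, .pol, .xos), and checks a proposed mv against the two rules stated earlier (keep the extension, never rename the active configuration). The sample listings are constructed from the output above; the extra notes.txt entry and the primary.cfg active-configuration assumption are illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# File kinds the manual documents on the switch: .cfg (XML configuration, the
# only kind the switch boots), .xsf (ASCII CLI script), .pol (policy) and the
# .xos software image seen in the memorycard listing.
KNOWN_EXTENSIONS = {".cfg", ".xsf", ".pol", ".xos"}

# One "ls" line as printed by the switch: permissions, link count, owner,
# group, size, month, day, time, name (nine fields in both listings above).
LS_LINE = re.compile(
    r"^(?P<perms>[-dlrwxst]{10})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<name>\S+)$"
)


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


@dataclass
class SwitchFile:
    name: str
    size: int
    perms: str
    modified: str

    @property
    def extension(self) -> str:
        return _extension(self.name)


def parse_ls(output: str) -> List[SwitchFile]:
    """Parse "ls" / "ls memorycard" output into SwitchFile records."""
    files = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("total "):
            continue  # blank line or the "total 424" summary: no file here
        m = LS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ls line: {line!r}")
        files.append(SwitchFile(m["name"], int(m["size"]), m["perms"],
                                f"{m['month']} {m['day']} {m['time']}"))
    return files


def unexpected_files(files: List[SwitchFile]) -> List[str]:
    """Names whose extension is not one the switch is documented to use."""
    return [f.name for f in files if f.extension not in KNOWN_EXTENSIONS]


def bootable_configs(files: List[SwitchFile]) -> List[str]:
    """Only .cfg files can be selected to boot the switch."""
    return sorted(f.name for f in files if f.extension == ".cfg")


def check_rename(old_name: str, new_name: str,
                 active: Optional[str] = None) -> Optional[str]:
    """Return None when "mv old new" would be accepted, otherwise the reason
    the manual gives for refusing it."""
    if active is not None and old_name == active:
        return "Cannot rename current selected active configuration"
    old_ext, new_ext = _extension(old_name), _extension(new_name)
    if old_ext != new_ext:
        return f"extension changes from {old_ext!r} to {new_ext!r}; " \
               "the switch may not recognise the renamed file"
    return None


# Constructed sample: the "ls" listing above plus one stray text file.
SAMPLE_LS = """\
total 424
-rw-r--r--  1 root root     50 Jul 30 14:19 hugh.pol
-rw-r--r--  1 root root  94256 Jul 23 14:26 hughtest.cfg
-rw-r--r--  1 root root 100980 Sep 23 09:16 megtest.cfg
-rw-r--r--  1 root root     35 Jun 29 06:42 newpolicy.pol
-rw-r--r--  1 root root 100980 Sep 23 09:17 primary.cfg
-rw-r--r--  1 root root  94256 Jun 30 17:10 roytest.cfg
-rw-r--r--  1 root root   1200 Jun 30 17:11 notes.txt
"""

# Constructed sample in the "ls memorycard" layout (numeric group column).
SAMPLE_LS_MEMORYCARD = """\
-rwxr-xr-x  1 root 0 15401865 Mar 30 00:03 bd10K-11.2.0.13.xos
-rwxr-xr-x  1 root 0   223599 Mar 31 10:02 v11_1_3.cfg
"""

if __name__ == "__main__":
    inventory = parse_ls(SAMPLE_LS)
    print("bootable:", bootable_configs(inventory))
    print("unexpected:", unexpected_files(inventory))
    print("mv Test.cfg Final.cfg ->", check_rename("Test.cfg", "Final.cfg"))
    print("mv test.cfg test.pol ->", check_rename("test.cfg", "test.pol"))
```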

Transferring Files to and from the Switch
TFTP allows you to transfer files to and from the switch, internal memory card, and on a
modular switch, the external memory card. This section describes the commands used to
transfer files to and from the switch.
To transfer a configuration or policy file from a TFTP server, internal memory card, or external
memory card to the switch, use the tftp and tftp get commands:
• tftp [<host-name> | <ip-address>] {-v <vr_name>} [-g | -p] [{-l [internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local-file>]} {-r <remote-file>} |
{-r <remote-file>} {-l [internal-memory <local-file-internal> | memorycard
<local-file-memcard> | <local-file>]}]
• tftp get [<host-name> | <ip-address>] {-vr <vr_name>} [{[internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local-file>]} {<remote-file>} |
{<remote-file>} {[internal-memory <local-file-internal> | memorycard
<local-file-memcard> | <local-file>]}] {force-overwrite}

Where the following is true:
• host-name—Specifies the name of the remote host on the network.
• ip-address—Specifies the IP address of the TFTP server on the network.
• vr_name—Specifies the name of the virtual router.

Note: User-created VRs are supported only on the platforms listed for this
feature in Appendix A, XCM8800 Software Licenses.

• -g—Gets the specified file from the TFTP server and copies it to the local host. (This
parameter is available only on the tftp command.)
• get—Gets the specified file from the TFTP server and copies it to the local host. (This is
part of the tftp get command.)
• internal-memory—Specifies the internal memory card.
• local-file-internal—Specifies the name of the core dump file located on the internal
memory card.
• memorycard—Specifies the removable external compact flash memory card. (This
parameter is available only on modular switches.)
• local-file-memcard—Specifies the name of the file on the external compact flash
memory card. (This parameter is available only on modular switches.)
• local-file—Specifies the name of the file (configuration file, policy file) on the local host.
• remote-file—Specifies the name of the file on the remote host.
• force-overwrite—Instructs the switch to overwrite an existing file automatically. (This
parameter is available only on the tftp get command.)

Note: By default, if you transfer a file with a name that already exists on
the system, the switch prompts you to overwrite the existing file. For
more information, see the tftp get command in the NETGEAR
8800 Chassis Switch CLI Manual.

To transfer a configuration or policy file from the switch to a TFTP server, internal memory
card, or external memory card, use the tftp and tftp put commands:
• tftp [<host-name> | <ip-address>] {-v <vr_name>} [-g | -p] [{-l [internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local-file>]} {-r <remote-file>} |
{-r <remote-file>} {-l [internal-memory <local-file-internal> | memorycard
<local-file-memcard> | <local-file>]}]
• tftp put [<host-name> | <ip-address>] {-vr <vr_name>} [{[internal-memory
<local-file-internal> | memorycard <local-file-memcard> | <local-file>]} {<remote-file>} |
{<remote-file>} {[internal-memory <local-file-internal> | memorycard
<local-file-memcard> | <local-file>]}]

Where the following is true:
• host-name—Specifies the name of the remote host on the network.
• ip-address—Specifies the IP address of the TFTP server on the network.
• vr_name—Specifies the name of the virtual router.

Note: User-created VRs are supported only on the platforms listed for this
feature in Appendix A, XCM8800 Software Licenses.

• -p—Puts the specified file from the local host and copies it to the TFTP server. (This
parameter is available only on the tftp command.)
• put—Puts the specified file from the local host and copies it to the TFTP server. (This is
part of the tftp put command.)
• internal-memory—Specifies the internal memory card.
• local-file-internal—Specifies the name of the core dump file located on the internal
memory card.
• memorycard—Specifies the removable external compact flash memory card. (This
parameter is available only on modular switches.)
• local-file-memcard—Specifies the name of the file on the external compact flash
memory card. (This parameter is available only on modular switches.)
• local-file—Specifies the name of the file (configuration file, policy file) on the local host.
• remote-file—Specifies the name of the file on the remote host.

For more information about TFTP, see Chapter 3, Managing the Switch. For detailed
information about downloading software image files, BootROM files, and switch
configurations, see Appendix B, Software Upgrade and Boot Options. For more information
about configuring core dump files and managing the core dump files stored on your switch,
see Appendix C, Troubleshooting.
For the memorycard option, this command transfers an existing file to or from the external
compact flash memory card.

Example
The following example uses the tftp command to download the configuration file named
XOS1.cfg from the TFTP server:
tftp 10.123.45.67 -g -r XOS1.cfg

The following example uses the tftp get command to download the configuration file from
the TFTP server:
tftp get 10.123.45.67 XOS1.cfg

The following example uses the tftp put command to upload the configuration file from the
switch to the TFTP server:
tftp put 10.123.45.67 XOS1.cfg

Note: On a modular switch, you can transfer files to and from the switch
and an installed external compact flash memory card.

Deleting Files from the Switch
To delete a configuration, policy, or if configured, core dump file from your system, use the
following command:
rm {internal-memory | memorycard} <file-name>

Where the following is true:
• internal-memory—Specifies the internal memory card.
• memorycard—Specifies the removable external compact flash memory card. (This
parameter is available only on modular switches.)
• file-name—Specifies the name of the configuration or policy file to delete.

When you delete a configuration or policy file from the system, make sure you specify the
appropriate file extension. For example, when you want to delete a policy file, specify the
filename and .pol. After you delete a file, it is unavailable to the system.
When you delete a file from the switch, a message similar to the following appears:
Remove testpolicy.pol from switch? (y/n)

Enter y to remove the file from your system. Enter n to cancel the process and keep the file
on your system.
If you attempt to delete an active configuration file (the configuration currently selected to
boot the switch), the switch displays an error similar to the following:
Error: Cannot remove current selected active configuration.

For more information about configuring core dump files and managing the core dump files
stored on your switch, see Appendix C, Troubleshooting.
This command also replicates the action from the primary node to the backup node. For
example, when you delete a file on the primary node, the same file on the backup node is
deleted.
For the memorycard option, this command removes/deletes an existing file on the external
memory card.

Example
The following example removes the policy file named newpolicy.pol from the system:
rm newpolicy.pol

On a modular switch with an external memory card installed, the following command
removes the policy file named test.pol from the external memory card:
rm memorycard test.pol

Managing the Configuration File
The configuration is the customized set of parameters that you have selected to run on the
switch. Table 16 describes some of the key areas of configuration file management in
XCM8800.

Table 16. Configuration File Management

Task: Configuration file database
Behavior: XCM8800 supports saving a configuration file into any named file and
supports more than two saved configurations. For example, you can download a
configuration file from a network TFTP server and save that file as primary, secondary,
or with a user-defined name. You also select where to save the configuration: primary
or secondary partition, or another space. The file names primary and secondary exist
for backward compatibility.

Task: Downloading configuration files
Behavior: XCM8800 uses the tftp and tftp get commands to download configuration
files from the network TFTP server to the switch. For more information about
downloading configuration files, see Using TFTP to Download the Configuration on
page 824.

Task: Uploading configuration files
Behavior: XCM8800 uses the tftp and tftp put commands to upload configuration files
from the switch to the network TFTP server. For more information about uploading
configuration files, see Using TFTP to Upload the Configuration on page 822.

Task: Managing configuration files, including listing, copying, deleting, and renaming
Behavior: The following commands allow you to manage configuration files:
• ls—Lists all of the configuration files in the system
• cp—Makes a copy of an existing configuration file in the system
• rm—Removes/deletes an existing configuration file from the system
• mv—Renames an existing configuration file

Task: Configuration file type
Behavior: XCM8800 configuration files are saved in Extensible Markup Language (XML)
format. Use the show configuration command to view on the CLI your currently running
switch configuration.

Task: ASCII-formatted configuration file
Behavior: You can upload your current configuration in ASCII format to a network TFTP
server. The uploaded ASCII file retains the CLI format. To view your configuration in
ASCII format, save the configuration with the .xsf file extension (known as the CLI
script file). This saves the XML-based configuration in an ASCII format readable by a
text editor. XCM8800 uses the upload configuration command to upload the
ASCII-formatted configuration file from the switch to the network TFTP server.
XCM8800 uses the tftp and tftp get commands to download configuration files from
the network TFTP server to the switch. For more information about ASCII-formatted
configuration files, see ASCII-Formatted Configuration Files on page 819.

Task: XML configuration mode
Behavior: Indicated by (xml) at the front of the switch prompt. Do not use. Use the
command disable xml-mode to disable this mode.

Task: Displaying configuration files
Behavior: You can also see a complete list of configuration files by entering the ls
command followed by the Tab key.

For more information about saving, uploading, and downloading configuration files, see
Saving the Configuration on page 822.


Managing XCM8800 Processes
The XCM8800 consists of a number of cooperating processes running on the switch. With
process control, under certain conditions, you can stop and start processes, restart failed
processes, examine information about the processes, and update the software for a specific
process or set of processes.
This section describes the following topics:
• Displaying Process Information on page 106
• Stopping a Process on page 107
• Starting a Process on page 108

Displaying Process Information
To display information about the processes in the system, use the following command:
show process {<name>} {detail} {description} {slot <slotid>}

Where the following is true:
• name—Specifies the name of the process.
• detail—Specifies more detailed process information, including memory usage statistics,
process ID information, and process statistics.
• description—Describes the name of all of the processes or the specified process
running on the switch.
• slotid—On a modular chassis, specifies the slot number of the MSM/MM. A specifies the
MSM/MM installed in slot A. B specifies the MSM/MM installed in slot B. The number is a
value from 1 to 8. (This parameter is available only on modular switches.)

The show process and show process slot <slotid> commands display the following
information in a tabular format:
• Card—The name of the module where the process is running (modular switches only).
• Process Name—The name of the process.
• Version—The version number of the process. Options are:
  • Version number—A series of numbers that identify the version number of the process.
  This is helpful to ensure that you have version-compatible processes and if you
  experience a problem.
  • Not Started—The process has not been started. This can be caused by not having the
  appropriate license or by not starting the process.
• Restart—The number of times the process has been restarted. This number increments
by one each time a process stops and restarts.
• State—The current state of the process. Options are:
  • No License—The process requires a license level that you do not have. For example,
  you have not upgraded to that license, or the license is not available for your platform.
  • Ready—The process is running.
  • Stopped—The process has been stopped.
• Start Time—The current start time of the process. Options are:
  • Day/Month/Date/Time/Year—The date and time the process began. If a process
  terminates and restarts, the start time is also updated.
  • Not Started—The process has not been started. This can be caused by not having the
  appropriate license or by not starting the process.

When you specify the detail keyword, more specific and detailed process information is
displayed. The show process detail and show process slot <slotid> detail commands
display the following information in a multi-tabular format:
• Detailed process information
• Memory usage configurations
• Recovery policies
• Process statistics
• Resource usage

Stopping a Process
If recommended by NETGEAR Technical Support personnel, you can stop a running
process. To stop a running process, use the following command:
terminate process <name> [forceful | graceful] {msm <slot>}

Where the following is true:
• name—Specifies the name of the process.
• forceful—Specifies that the software quickly terminates the process. Unlike the graceful
option, the process is immediately shut down without any of the normal process cleanup.
• graceful—Specifies that the process shuts down gracefully by closing all open
connections, notifying peers on the network, and performing other types of process cleanup.
• slot—For a modular chassis, specifies the slot number of the MSM/MM. A specifies the
MSM/MM installed in slot A. B specifies the MSM/MM installed in slot B. The number is a
value from 1 to 8.

Note: Do not terminate a process that was installed since the last reboot
unless you have saved your configuration. If you have installed a
software module and you terminate the newly installed process
without saving your configuration, your module may not be loaded
when you attempt to restart the process with the start process
command.

To preserve a process's configuration during a terminate and
(re)start cycle, save your switch configuration before terminating the
process. Do not save the configuration or change the configuration
during the process terminate and (re)start cycle. If you save the
configuration after terminating a process, and before the process
(re)starts, the configuration for that process is lost.

You can also use a single command to stop and restart a running process during a software
upgrade on the switch. By using the single command, there is less process disruption and it
takes less time to stop and restart the process. To stop and restart a process during a
software upgrade, use the following command:
restart process [class <cname> | <name> {msm <slot>}]

Where the following is true:
• cname—Specifies that the software terminates and restarts all instances of the process
associated with a specific routing protocol on all VRs.
• name—Specifies the name of the process.

Starting a Process
To start a process, use the following command:
start process <name> {msm <slot>}

Where the following is true:
• name—Specifies the name of the process.
• slot—For a modular chassis, specifies the slot number of the MSM/MM. A specifies the
MSM/MM installed in slot A. B specifies the MSM/MM installed in slot B. The number is a
value from 1 to 8.

You are unable to start a process that is already running. If you try to start a currently running
process, for example telnetd, an error message similar to the following appears:
Error: Process telnetd already exists!

Note: After you stop a process, do not change the configuration on the
switch until you start the process again. A new process loads the
configuration that was saved prior to stopping the process. Changes
made between a process termination and a process start are lost.
Otherwise, error messages can result when you start the new process.

As described in the section Stopping a Process on page 107, you can use a single command,
rather than multiple commands, to stop and restart a running process. To stop and restart a
process during a software upgrade, use the following command:
restart process [class <cname> | <name> {msm <slot>}]

For more detailed information, see the previous section or the NETGEAR 8800 Chassis
Switch CLI Manual.

Understanding Memory Protection
The XCM8800 provides memory management capabilities. Each process runs in a protected
memory space. This infrastructure prevents one process from overwriting or corrupting the
memory space of another process. For example, if one process experiences a loop condition,
is under some type of attack, or is experiencing some type of problem, that process cannot
take over or overwrite another process's memory space.
Memory protection increases the robustness of the system. By isolating and having separate
memory space for each individual process, you can more easily identify the process or
processes that experience a problem.
To display the current system memory and that of the specified process, use the following
command:
show memory process <name> {slot <slot>}

Where the following is true:
• name—Specifies the name of the process.
• slot—On a modular chassis, specifies the slot number of the MSM/MM. A specifies the
MSM/MM installed in slot A. B specifies the MSM/MM installed in slot B. The number is a
value from 1 to 8. (This parameter is available only on modular switches.)

The show memory process command displays the following information in a tabular format:
• System memory information (both total and free)
• Current memory used by the individual processes

The current memory statistics for the individual process also include the following:
• The module (MSM A or MSM B) and the slot number of the MSM/MM (modular switches
only)
• The name of the process

You can also use the show memory {slot [slotid | a | b]} command to view the system
memory and the memory used by the individual processes, even for all processes on all
MSMs/MMs installed in modular switches. The slot parameter is available only on modular
switches.
In general, the free memory count for an MSM/MM decreases when one or more running
processes experiences an increase in memory usage. If you have not made any system
configuration changes, and you observe a continued decrease in free memory, this might
indicate a memory leak.
The information from these commands may be useful for your technical support
representative if you experience a problem.
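The following is an added example, not part of the NETGEAR manual, that turns the leak heuristic just described into a check you can run over periodic show memory / show memory process readings: free memory on the MSM/MM falling steadily across consecutive samples, with no configuration change in between, while one process's usage grows steadily. The sample readings, the process names, the MemorySample structure and the tolerance thresholds are all constructed assumptions; the manual does not document a machine-readable output format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class MemorySample:
    """One reading taken from show memory / show memory process. Constructed
    structure for this example, not the switch's own output format."""
    elapsed_s: int                 # seconds since the first reading
    system_free_kb: int            # free system memory on the MSM/MM
    process_kb: Dict[str, int]     # current memory per process, in KB


def is_sustained(values: Sequence[int], direction: int, min_points: int = 6,
                 min_step_fraction: float = 0.8) -> bool:
    """True when a series moves steadily one way (+1 growth, -1 decline):
    enough readings, a net move in that direction, and most steps not moving
    against it. Small jitter is tolerated rather than requiring strict
    monotonicity, so a process that merely oscillates is not flagged."""
    if len(values) < min_points:
        return False
    net = (values[-1] - values[0]) * direction
    if net <= 0:
        return False
    steps = [(b - a) * direction for a, b in zip(values, values[1:])]
    agreeing = sum(1 for s in steps if s >= 0)
    return agreeing / len(steps) >= min_step_fraction


def leak_suspects(samples: List[MemorySample], config_changed: bool = False,
                  min_points: int = 6) -> List[str]:
    """Processes whose usage grows steadily while system free memory falls.
    Per the manual's precondition, readings taken across a configuration
    change are not judged, because the growth may be legitimate."""
    if config_changed or len(samples) < min_points:
        return []
    free = [s.system_free_kb for s in samples]
    if not is_sustained(free, -1, min_points):
        return []
    # Only judge processes present in every reading; a process that appeared
    # part-way through has no comparable history.
    names = set(samples[0].process_kb)
    for s in samples[1:]:
        names &= set(s.process_kb)
    return sorted(name for name in names
                  if is_sustained([s.process_kb[name] for s in samples], +1, min_points))


def projected_exhaustion_s(samples: List[MemorySample]) -> Optional[float]:
    """Seconds until free memory reaches zero if the first-to-last drop rate
    continues; None when free memory is not falling."""
    first, last = samples[0], samples[-1]
    elapsed = last.elapsed_s - first.elapsed_s
    drop = first.system_free_kb - last.system_free_kb
    if elapsed <= 0 or drop <= 0:
        return None
    return last.system_free_kb * elapsed / drop


# Constructed readings, one every 300 s: free memory declines, "ospf" grows
# steadily, "telnetd" is flat and "snmpMaster" only oscillates.
_FREE = [204800, 203900, 203000, 202200, 201300, 200500, 199600]
_PROC = {
    "ospf":       [4096, 4480, 4850, 5210, 5600, 5990, 6400],
    "telnetd":    [1200, 1200, 1210, 1200, 1200, 1200, 1200],
    "snmpMaster": [3000, 3100, 3000, 3100, 3000, 3100, 3050],
}
SAMPLES = [
    MemorySample(i * 300, _FREE[i], {name: series[i] for name, series in _PROC.items()})
    for i in range(len(_FREE))
]

if __name__ == "__main__":
    print("suspects:", leak_suspects(SAMPLES))
    print("seconds until free memory is exhausted:", projected_exhaustion_s(SAMPLES))
```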

Monitoring CPU Utilization
You can monitor the CPU utilization and history for all of the processes running on the switch.
By viewing this history on a regular basis, you can see trends emerging and identify
processes with peak utilization. Monitoring the workload of the CPU allows you to
troubleshoot and identify suspect processes before they become a problem. By default, the
switch monitors CPU utilization every 5 seconds. In addition, when CPU utilization of a
process exceeds 90% of the regular operating basis, the switch logs an error message
specifying the process name and the current CPU utilization for the process.

Disabling CPU Monitoring
To disable CPU monitoring, use the following command:
disable cpu-monitoring

This command disables CPU monitoring on the switch; however, it does not clear the
monitoring interval. Therefore, if you altered the monitoring interval, this command does not
return the monitoring interval to 5 seconds. The next time you enable CPU monitoring, the
switch uses the existing configured interval.

Enabling CPU Monitoring
To enable CPU monitoring, use the following command:
enable cpu-monitoring {interval <seconds>} {threshold <threshold>}

Where the following is true:
• seconds—Specifies the monitoring interval. The default interval is 5 seconds, and the
range is 5 to 60 seconds. NETGEAR recommends the default setting for most network
environments.
• threshold—Specifies the CPU threshold value. CPU usage is measured in percentages.
The default is 90%, and the range is 0% to 100%.

By default, CPU monitoring is enabled and occurs every 5 seconds. The default CPU
threshold value is 90%.

Displaying CPU Utilization History
To display the CPU utilization history of one or more processes, use the following command:
show cpu-monitoring {process } {slot }

Where the following is true:
•

name—Specifies

the name of the process.

110 | Chapter 4. Managing the XCM8800 Software

NETGEAR 8800 User Manual

•

slot—For

a modular chassis, specifies the slot number of the MSM/MM. A specifies the
MSM installed in slot A. B specifies the MSM installed in slot B. The number is a value
from 1 to 8.

Output from this command includes the following information:
• Card—The location (MSM A or MSM B) where the process is running on a modular
  switch.
• Process—The name of the process.
• Range of time (5 seconds, 10 seconds, and so forth)—The CPU utilization history of the
  process or the system. The CPU utilization history goes back only 1 hour.
• Total User/System CPU Usage—The amount of time recorded in seconds that the
  process spends occupying CPU resources. The values are cumulative, meaning that they
  keep accumulating for as long as the system is running. You can use this information for
  debugging purposes to see where the process spends the most time: user context or
  system context.

The following is sample truncated output from a modular switch:
show cpu-monitoring
CPU Utilization Statistics - Monitored every 5 seconds
-----------------------------------------------------------------------------------------------
Card   Process          5     10    30    1     5     30    1     Max   Total User/System
                        secs  secs  secs  min   mins  mins  hour        CPU Usage
                        util  util  util  util  util  util  util  util
                        (%)   (%)   (%)   (%)   (%)   (%)   (%)   (%)   (secs)
-----------------------------------------------------------------------------------------------
MSM-A  System           0.0   0.0   0.1   0.0   0.0   0.0   0.0   0.9
MSM-B  System           0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0
MSM-A  GNSS_cpuif       0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_ctrlif      0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_esmi        0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_fabric      0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_mac_10g     0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_pbusmux     0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_pktengine   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_pktif       0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  GNSS_switch      0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0    0.0
MSM-A  aaa              0.0   0.0   0.0   0.0   0.0   0.0   0.0   8.4   0.82   0.56
MSM-A  acl              0.0   0.0   0.0   0.0   0.0   0.0   0.0   7.5   0.37   0.33
MSM-A  bgp              0.0   0.0   0.0   0.0   0.0   0.0   0.0   5.2   0.27   0.42
MSM-A  cfgmgr           0.0   0.9   0.3   3.7   1.2   1.2   1.3   27.3  7.70   7.84
MSM-A  cli              0.0   0.0   0.0   48.3  9.6   2.5   2.1   48.3  0.51   0.37
MSM-A  devmgr           0.0   0.0   0.0   0.9   0.3   0.2   0.2   17.1  2.22   2.50
MSM-A  dirser           0.0   0.0   0.0   0.0   0.0   0.0   0.0   9.5   0.0    0.0
MSM-A  dosprotect       0.0   0.0   0.0   0.0   0.0   0.0   0.0   3.8   0.20   0.26
MSM-A  ems              0.0   0.0   0.0   0.0   0.0   0.0   0.0   12.2  1.1    1.16
MSM-A  epm              0.0   0.0   0.0   0.9   0.1   0.2   0.2   4.7   4.18   2.6
MSM-A  etmon            0.9   0.4   0.6   1.2   1.1   1.0   1.0   23.3  21.84  7.24
...
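The following Python script is an added example; it is not part of the NETGEAR manual or of the switch software. It parses rows in the format of the sample output above (a constructed subset of those rows is embedded), lists processes whose recorded peak reached a threshold, ranks processes by cumulative CPU seconds, and applies a spike heuristic of its own (1-minute utilization far above the 1-hour figure) to pick out a recent burst, such as the cli row above, that the 90% logging threshold alone would not report.

```python
"""Parse 'show cpu-monitoring' output and flag suspect processes.

Added example for this manual, not NETGEAR code. The rows below are a
constructed subset of the manual's sample output; the spike heuristic and
the 'top by CPU seconds' ranking are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

# Utilization windows, in the column order of 'show cpu-monitoring'.
WINDOWS = ("5s", "10s", "30s", "1m", "5m", "30m", "1h")

# Constructed sample (subset of the manual's rows). The per-card 'System'
# rows have no Total User/System CPU Usage columns.
SAMPLE_OUTPUT = """\
Card   Process        5     10    30    1     5     30    1     Max   Total User/System
MSM-A  System         0.0   0.0   0.1   0.0   0.0   0.0   0.0   0.9
MSM-B  System         0.0   0.0   0.0   0.0   0.0   0.0   0.0   0.0
MSM-A  aaa            0.0   0.0   0.0   0.0   0.0   0.0   0.0   8.4   0.82   0.56
MSM-A  cfgmgr         0.0   0.9   0.3   3.7   1.2   1.2   1.3   27.3  7.70   7.84
MSM-A  cli            0.0   0.0   0.0   48.3  9.6   2.5   2.1   48.3  0.51   0.37
MSM-A  etmon          0.9   0.4   0.6   1.2   1.1   1.0   1.0   23.3  21.84  7.24
"""


@dataclass
class ProcessStats:
    card: str
    process: str
    util: dict                  # window label -> percent
    max_util: float
    user_secs: Optional[float]  # None on the 'System' rows
    system_secs: Optional[float]

    @property
    def total_secs(self) -> float:
        return (self.user_secs or 0.0) + (self.system_secs or 0.0)


def parse_cpu_monitoring(text: str) -> list:
    """Return one ProcessStats per data row; headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # A data row is: card, process, seven window values, Max, and
        # optionally the two cumulative totals.
        if len(fields) < 10 or not fields[0].startswith("MSM"):
            continue
        try:
            nums = [float(f) for f in fields[2:]]
        except ValueError:
            continue
        util = dict(zip(WINDOWS, nums[:7]))
        user, system = (nums[8], nums[9]) if len(nums) >= 10 else (None, None)
        rows.append(ProcessStats(fields[0], fields[1], util, nums[7], user, system))
    return rows


def over_threshold(stats, threshold=90.0):
    """Processes whose recorded peak reached the threshold (the switch's
    default logging threshold is 90%)."""
    return [s.process for s in stats if s.max_util >= threshold]


def spikes(stats, factor=10.0, floor=5.0):
    """Processes whose 1-minute utilization is at least `floor` percent and
    more than `factor` times their 1-hour figure: a recent burst, not steady load."""
    flagged = []
    for s in stats:
        recent, baseline = s.util["1m"], s.util["1h"]
        if recent >= floor and recent > factor * max(baseline, 0.1):
            flagged.append(s.process)
    return flagged


def top_by_cpu_seconds(stats, n=3):
    """Processes ranked by cumulative user+system CPU seconds since boot."""
    ranked = sorted((s for s in stats if s.user_secs is not None),
                    key=lambda s: s.total_secs, reverse=True)
    return [(s.process, round(s.total_secs, 2)) for s in ranked[:n]]


if __name__ == "__main__":
    stats = parse_cpu_monitoring(SAMPLE_OUTPUT)
    print("at/over 90%:", over_threshold(stats))
    print("recent spikes:", spikes(stats))
    print("top by CPU seconds:", top_by_cpu_seconds(stats))
```

Run against the real command output captured from the switch, the same parser applies unchanged; only the embedded sample is constructed. The spike check is the useful part for a runaway or abused process: a process can sit well under the 90% threshold on every window and still show a 20-fold jump in the last minute.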

5. Configuring Slots and Ports on a Switch

This chapter describes the following sections:
• Overview on page 113
• Configuring Slots on NETGEAR 8800 Switches on page 114
• Configuring Ports on a Switch on page 116
• Jumbo Frames on page 122
• Link Aggregation on the Switch on page 124
• Mirroring on page 138
• Remote Mirroring on page 141
• Software-Controlled Redundant Port and Smart Redundancy on page 146
• Displaying Port Information on page 148

Overview
This chapter describes the processes for enabling, disabling, and configuring individual and
multiple ports and displaying port statistics.


Configuring Slots on NETGEAR 8800 Switches
This section describes how to configure slots on the NETGEAR 8800’s modular switches.
If a slot has not been configured for a particular type of module, then any type of module is
accepted in that slot, and a default port and VLAN configuration is automatically generated.
After any port on the module has been configured (for example, a VLAN association, a VLAN
tag configuration, or port parameters), all the port information and the module type for that
slot must be saved to non-volatile storage. Otherwise, if the modular switch is rebooted or the
module is removed from the slot, the port, VLAN, and module configuration information is not
saved.

Note: For information on saving the configuration, see Appendix B,
Software Upgrade and Boot Options.

You configure the modular switch with the type of input/output (I/O) module that is installed in
each slot. To do this, use the following command:
configure slot <slot> module <module_type>

You can also preconfigure the slot before inserting the module. This allows you to begin
configuring the module and ports before installing the module in the chassis.
If a slot is configured for one type of module, and a different type of module is inserted, the
inserted module is put into a mismatch state and is not brought online. To use the new
module type in a slot, the slot configuration must be cleared or configured for the new module
type. To clear the slot of a previously assigned module type, use the following command:
clear slot <slot>

All configuration information related to the slot and the ports on the module is erased. If a
module is present when you issue this command, the module is reset to default settings.
To display information about a particular slot, use the following command:
show slot {<slot>} {detail}

Information displayed includes:
• Module type, part number and serial number
• Current state (power down, operational, diagnostic, mismatch)
• Port information

If no slot is specified, information for all slots is displayed.
All slots on the modular switches are enabled by default. To disable a slot, use the following
CLI command:
disable slot <slot>


To re-enable slot, use the following CLI command:
enable slot <slot>

You can configure the number of times that a slot can be restarted on a failure before it is
shut down. To set the restart-limit, use the following command:
configure slot <slot> restart-limit <num_restarts>

Details on I/O Ports
On the NETGEAR 8810 switch, the XCM88S1 with XCM888F installed has eight 1 Gbps fiber
SFP-GBIC data ports. You configure these ports exactly as you do any other ports on the
switch.
Additionally, one slot on the NETGEAR 8810 switch is dedicated to XCM88S1 use—slot A, or
slot 5. Slot B, or slot 6, is a dual-purpose slot; it can be used for a secondary XCM88S1 or for
a module consisting solely of data, or I/O, ports.
The primary XCM88S1 must be in slot A in the NETGEAR 8810 switch, which is referred to
as slot 5 when working with the data ports. If you have a secondary XCM88S1, that one goes
into slot B, which is slot 6 when you work with the data ports. So, when you work with the
data ports on the XCM88S1, you specify slot 5 if you have one XCM88S1, and slot 5 or 6 if
you have two MSMs in the switch.
When you issue any slot commands specifying a slot that contains an XCM88S1 (slot 5 with
one XCM88S1 and slots 5 and 6 with two MSMs) on the NETGEAR 8810 switch, those
commands affect only the data ports on that slot; the MSMs remain unaffected. When you
issue most msm commands on this switch, those commands affect only the XCM88S1 host
CPU subsystem; the I/O ports remain unaffected. The sole exception is that the reboot msm
command reboots both the XCM88S1 and the I/O ports on that module.
On the NETGEAR 8806 switch, the XCM88S1 module also has eight 1 Gbps fiber SFP GBIC
data, or I/O, ports. You configure these ports exactly as you do any other ports on the switch.
Additionally, one slot on the NETGEAR 8806 switch is dedicated to XCM88S1 use—slot A, or
slot 3. Slot B, or slot 4, is a dual-purpose slot; it can be used for a secondary XCM88S1 or for
a module consisting solely of data, or I/O, ports.
The primary XCM88S1 must be in slot A in the NETGEAR 8806 switch, which is referred to
as slot 3 when working with the data ports. If you have a secondary XCM88S1, that one goes
into slot B, which is slot 4 when you work with the data ports. So, when you work with the
data ports on the XCM88S1, you specify slot 3 if you have one XCM88S1, and slot 3 or 4 if
you have two MSMs in the switch.
When you issue any slot commands specifying a slot that contains an XCM88S1 (slot 3 with
one XCM88S1 and slots 3 and 4 with two MSMs) on the 8806 switch, those commands affect
only the data ports on that slot; the MSMs remain unaffected. When you issue most msm
commands on this switch, those commands affect only the XCM88S1 host CPU subsystem;
the I/O ports remain unaffected. The sole exception is that the reboot msm command reboots
both the XCM88S1 and the I/O ports on that module.


Configuring Ports on a Switch
Note: A port can belong to multiple virtual routers (VRs). For more
information on VRs, see Chapter 11, Virtual Routers.

This section describes the following topics of configuring ports on a switch:
• Port Numbering on page 116
• Enabling and Disabling Switch Ports on page 117
• Configuring Switch Port Speed and Duplex Setting on page 117

Port Numbering
XCM8800 runs on both stand-alone and modular switches, and the port numbering scheme
is slightly different on each.
On a NETGEAR 8800 switch, the port number is a combination of the slot number and the
port number. The nomenclature for the port number is as follows:
slot:port

For example, if an I/O module that has a total of four ports is installed in slot 2 of the chassis,
the following ports are valid:
• 2:1
• 2:2
• 2:3
• 2:4

You can also use wildcard combinations (*) to specify multiple modular slot and port
combinations. The following wildcard combinations are allowed:
• slot:*—Specifies all ports on a particular I/O module or stack node
• slot:x-slot:y—Specifies a contiguous series of ports on multiple I/O modules or stack
  nodes
• slot:x-y—Specifies a contiguous series of ports on a particular I/O module or stack node
• slota:x-slotb:y—Specifies a contiguous series of ports that begin on one I/O module or
  stack node and end on another I/O module or stack node


Enabling and Disabling Switch Ports
By default, all ports are enabled. To enable or disable one or more ports on a switch, use the
following commands:
enable port [<port_list> | all]
disable port [<port_list> | all]

For example, to disable slot 7, ports 3, 5, and 12 through 15 on a modular switch, use the
following command:
disable port 7:3,7:5,7:12-7:15
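As an added example that is not from the manual or the switch software, the following Python function expands the slot:port notation described under Port Numbering, including the wildcard forms, into individual ports, and validates each one against a per-slot port count that you supply (the CHASSIS map below is a constructed assumption; on a real chassis you would take it from show slot). A provisioning or audit script needs exactly this expansion before it can compare a port list such as the one in the command above against an inventory of ports that are supposed to be disabled.

```python
"""Expand NETGEAR 8800 slot:port lists, including the wildcard forms the
manual lists, into individual ports.

Added example, not switch code: the CLI does this internally. The number of
ports per slot is an assumption you supply (for example from 'show slot').
"""
import re

TOKEN_RE = re.compile(r"^(\d+):(\d+|\*)$")

# Constructed chassis: three populated slots and their port counts.
CHASSIS = {1: 24, 2: 4, 7: 24}


def _parse_token(token, ports_per_slot):
    """Return (slot, port) for 'slot:port', or (slot, None) for 'slot:*'."""
    m = TOKEN_RE.match(token.strip())
    if not m:
        raise ValueError(f"bad port token {token!r}")
    slot = int(m.group(1))
    if slot not in ports_per_slot:
        raise ValueError(f"slot {slot} has no module configured")
    if m.group(2) == "*":
        return slot, None
    port = int(m.group(2))
    if not 1 <= port <= ports_per_slot[slot]:
        raise ValueError(f"port {slot}:{port} is out of range 1-{ports_per_slot[slot]}")
    return slot, port


def expand_port_list(spec, ports_per_slot):
    """Expand a comma-separated port list to a list of 'slot:port' strings.

    Accepted elements: slot:port, slot:*, slot:x-y (one module) and
    slota:x-slotb:y (a run that starts on one module and ends on another).
    Every port is validated against ports_per_slot before anything is returned.
    """
    ports = []
    for element in spec.split(","):
        element = element.strip()
        if "-" in element:
            left, right = element.split("-", 1)
            if ":" not in right:            # slot:x-y shorthand: reuse the slot
                right = f"{left.split(':', 1)[0]}:{right}"
            s1, p1 = _parse_token(left, ports_per_slot)
            s2, p2 = _parse_token(right, ports_per_slot)
            if p1 is None or p2 is None:
                raise ValueError(f"wildcard not allowed inside a range: {element!r}")
            if (s1, p1) > (s2, p2):
                raise ValueError(f"range runs backwards: {element!r}")
            for slot in range(s1, s2 + 1):
                if slot not in ports_per_slot:
                    raise ValueError(f"slot {slot} inside range {element!r} has no module")
                first = p1 if slot == s1 else 1
                last = p2 if slot == s2 else ports_per_slot[slot]
                ports.extend(f"{slot}:{p}" for p in range(first, last + 1))
        else:
            slot, port = _parse_token(element, ports_per_slot)
            if port is None:
                ports.extend(f"{slot}:{p}" for p in range(1, ports_per_slot[slot] + 1))
            else:
                ports.append(f"{slot}:{port}")
    return ports


if __name__ == "__main__":
    # The manual's example: disable port 7:3,7:5,7:12-7:15
    print(expand_port_list("7:3,7:5,7:12-7:15", CHASSIS))
    print(expand_port_list("2:*", CHASSIS))
    print(expand_port_list("1:23-2:2", CHASSIS))
```

Because the whole list is validated before any port is returned, a typo such as a port number beyond the module's range fails the entire command rather than silently disabling the wrong subset.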

You have the flexibility to receive or not to receive SNMP trap messages when a port
transitions between up and down. To receive these SNMP trap messages, use the following
command:
enable snmp traps port-up-down ports [<port_list> | all]

To stop receiving these messages, use the following command:
disable snmp traps port-up-down ports [<port_list> | all]

For information on displaying link status, see Displaying Port Information on page 148.

Configuring Switch Port Speed and Duplex Setting
Note: For information on displaying port speed, duplex, autonegotiation,
and flow control settings, see Displaying Port Information on
page 148.

XCM8800 supports the following port types:
•

10 Gbps ports

•

10/100/1000 Mbps copper ports

•

10/100/1000 Mbps copper ports with Power over Ethernet (PoE)—only on the XCM8848T
with XCM88P installed

•

1 Gbps small form factor pluggable (SFP) gigabit Ethernet interface converter (GBIC)
fiber ports

Autonegotiation determines the port speed and duplex setting for each port (except 10 Gbps
ports). You can manually configure the duplex setting and the speed of 10/100/1000 Mbps
ports.
The 10/100/1000 Mbps ports can connect to either 10BASE-T, 100BASE-T, or 1000BASE-T
networks. By default, the ports autonegotiate port speed. You can also configure each port
for a particular speed (either 10 Mbps or 100 Mbps).


Note: With autonegotiation turned off, you cannot set the speed to 1000
Mbps.

In general, SFP gigabit Ethernet ports are statically set to 1 Gbps, and their speed cannot be
modified.
The 10 Gbps ports always run at full duplex and 10 Gbps.
To configure port speed and duplex setting, use the following command:
configure ports <port_list> {medium [copper | fiber]} auto off speed <speed>
duplex [half | full]

To configure the system to autonegotiate, use the following command:
configure ports <port_list> {medium [copper|fiber]} auto on {[{speed <speed>}
{duplex [half | full]}] | [{duplex [half | full]} {speed <speed>}]}

Note: The keyword medium is used to select the configuration medium for
combination ports. If port_list contains any non-combination ports,
the command is rejected.

XCM8800 does not support turning off autonegotiation on the management port.
Table 17 lists the support for autonegotiation, speed, and duplex setting for the various types
of ports.
Table 17. Support for Autonegotiation on Various Ports
Port                     Autonegotiation      Speed                 Duplex
10 Gbps                  Off                  10000 Mbps            Full duplex
1 Gbps fiber SFP GBIC    On (default) or Off  1000 Mbps             Full duplex
10/100/1000 Mbps         On (default) or Off  10 Mbps or 100 Mbps   Full/half duplex

Flow control on Gigabit Ethernet ports is enabled or disabled as part of autonegotiation (see
IEEE 802.3x). If autonegotiation is set to Off on the ports, flow control is disabled. When
autonegotiation is turned On, flow control is enabled.
With NETGEAR devices, the 1 Gbps ports and the 10 Gbps ports implement flow control as
follows:
• 1 Gbps ports
  • Autonegotiation enabled
    • Advertise support for pause frames
    • Respond to pause frames
    • Do not transmit pause frames
  • Autonegotiation disabled
    • Do not advertise support for pause frames
    • Do not respond to pause frames
    • Do not transmit pause frames
• 10 Gbps ports for the NETGEAR 8800 series switch modules
  • Autonegotiation always disabled
  • Do not advertise support for pause frames
  • Respond to pause frames
  • Do not transmit pause frames

Flow Control
As shown above, with autonegotiation enabled, NETGEAR 8800 series switches advertise
the ability to support pause frames. This includes receiving, reacting to (stopping
transmission), and transmitting pause frames. However, the switch does not actually transmit
pause frames unless it is configured to do so, as described below.
IEEE 802.3x flow control provides the ability to configure different modes in the default
behaviors. Ports can be configured to transmit pause frames when congestion is detected,
and the behavior of reacting to received pause frames can be disabled.
TX
You can configure ports to transmit link-layer pause frames upon detecting congestion. The
goal of IEEE 802.3x is to backpressure the ultimate traffic source to eliminate or significantly
reduce the amount of traffic loss through the network. This is also called lossless switching
mode.
The following limitations apply to the TX flow control feature:
•

Flow control is applied on an ingress port basis which means that a single stream
ingressing a port and destined to a congested port can stop the transmission of other
data streams ingressing the same port which are destined to other ports.

•

High volume packets destined to the CPU can cause flow control to trigger. This includes
protocol packets such as VRRP and OSPF.

•

When flow control is applied to the fabric ports, there can be a performance limitation. For
example, a single 1G port being congested could backpressure a high-speed fabric port
and reduce its effective throughput significantly.

To configure a port to allow the transmission of IEEE 802.3x pause frames, use the following
command:
enable flow-control tx-pause ports <port_list>


Note: To enable TX flow-control, RX flow-control must first be enabled. If
you attempt to enable TX flow-control with RX flow-control disabled,
an error message is displayed.

To configure a port to return to the default behavior of not transmitting pause frames, use the
following command:
disable flow-control tx-pause ports <port_list>

RX
You can configure the switch to disable the default behavior of responding to received pause
frames. Disabling rx-pause processing avoids dropping packets in the switch and allows for
better overall network performance in some scenarios where protocols such as TCP handle
the retransmission of dropped packets by the remote partner.
To configure a port to disable the processing of IEEE 802.3x pause frames, use the following
command:
disable flow-control rx-pause ports <port_list>

Note: To disable RX flow-control, TX flow-control must first be disabled. If
you attempt to disable RX flow-control with TX flow-control enabled,
an error message is displayed.

To configure a port to return to the default behavior of enabling the processing of pause
frames, use the following command:
enable flow-control rx-pause ports <port_list>

Turning Off Autonegotiation on a Gigabit Ethernet Port
In certain interoperability situations, you need to turn autonegotiation off on a fiber gigabit
Ethernet port. Although a gigabit Ethernet port runs only at full duplex, you must specify the
duplex setting.
The following example turns autonegotiation off for port 1 (a 1 Gbps Ethernet port) on a
module located in slot 1 of a modular switch:
configure ports 1:1 auto off speed 1000 duplex full

The 10 Gbps ports do not autonegotiate; they always run at full duplex and 10 Gbps speed.

Running Link Fault Signal
The 10 Gbps ports support the Link Fault Signal (LFS) function. This function, which is
always enabled, monitors the 10 Gbps ports and indicates either a remote fault or a local
fault. The system then stops transmitting or receiving traffic from that link. After the fault has
been alleviated, the system puts the link back up and the traffic automatically resumes.
The NETGEAR implementation of LFS conforms to the IEEE standard 802.3ae-2002.
Although the physical link remains up, all Layer 2 and above traffic stops. The system sends
LinkDown and LinkUp traps when these events occur. Additionally, the system writes one or
more information messages to the syslog, as shown in the following example for a
NETGEAR 8800 series switch:
09/09/2004 14:59:08.03  MSM-A: Port 4:3 link up at 10 Gbps speed and full-duplex
09/09/2004 14:59:08.02  MSM-A: 4:3 - remote fault recovered.
09/09/2004 14:59:05.56  MSM-A: Port 4:3 link down due to remote fault
09/09/2004 14:59:05.56  MSM-A: 4:3 - remote fault.
09/09/2004 15:14:12.22  MSM-A: 4:3 - local fault recovered.
09/09/2004 15:14:11.35  MSM-A: Port 4:3 link up at 10 Gbps speed and full-duplex
09/09/2004 15:13:33.56  MSM-A: Port 4:3 link down due to local fault
09/09/2004 15:13:33.56  MSM-A: 4:3 - local fault.
09/09/2004 15:13:33.49  MSM-A: Port 4:3 link down due to local fault
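The following Python script is an added example; it is not part of the manual or of the switch software. It parses LFS syslog lines in the shape shown above (the sample is embedded as it appears here, with the message-component tag that was lost between the timestamp and "MSM-A" left absent), pairs each fault with its recovery to measure the outage, and flags a port whose link goes down repeatedly within a short window. The 60-second window and the fault count are this example's own thresholds.

```python
"""Parse Link Fault Signal syslog lines and summarize faults per 10 Gbps port.

Added example, not switch code. The log lines are the manual's sample; the
message-component tag after the timestamp was lost in extraction (hence the
double space), and the flap-detection window is this example's own choice.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
09/09/2004 14:59:08.03  MSM-A: Port 4:3 link up at 10 Gbps speed and full-duplex
09/09/2004 14:59:08.02  MSM-A: 4:3 - remote fault recovered.
09/09/2004 14:59:05.56  MSM-A: Port 4:3 link down due to remote fault
09/09/2004 14:59:05.56  MSM-A: 4:3 - remote fault.
09/09/2004 15:14:12.22  MSM-A: 4:3 - local fault recovered.
09/09/2004 15:14:11.35  MSM-A: Port 4:3 link up at 10 Gbps speed and full-duplex
09/09/2004 15:13:33.56  MSM-A: Port 4:3 link down due to local fault
09/09/2004 15:13:33.56  MSM-A: 4:3 - local fault.
09/09/2004 15:13:33.49  MSM-A: Port 4:3 link down due to local fault
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<card>MSM-[AB]):\s+(?P<msg>.*)$"
)
# Message shapes from the sample. 'fault_recovered' must be tried before
# 'fault', because the 'fault' pattern is a prefix of the recovery message.
MSG_PATTERNS = [
    ("link_up", re.compile(r"^Port (?P<port>\d+:\d+) link up")),
    ("link_down", re.compile(r"^Port (?P<port>\d+:\d+) link down due to (?P<kind>remote|local) fault")),
    ("fault_recovered", re.compile(r"^(?P<port>\d+:\d+) - (?P<kind>remote|local) fault recovered")),
    ("fault", re.compile(r"^(?P<port>\d+:\d+) - (?P<kind>remote|local) fault")),
]


def parse_lfs_log(text):
    """Return (timestamp, card, port, event, kind) tuples, oldest first.
    The switch lists newest first, so sorting matters for pairing events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
        for name, pattern in MSG_PATTERNS:
            mm = pattern.match(m["msg"])
            if mm:
                events.append((ts, m["card"], mm["port"], name, mm.groupdict().get("kind")))
                break
    events.sort(key=lambda e: e[0])  # stable: equal stamps keep file order
    return events


def fault_summary(events):
    """Per port: remote/local fault counts and the outage length of each fault,
    measured from '- <kind> fault.' to the matching '- <kind> fault recovered.'"""
    summary = defaultdict(lambda: {"remote": 0, "local": 0, "outage_secs": []})
    open_faults = {}
    for ts, _card, port, event, kind in events:
        if event == "fault":
            summary[port][kind] += 1
            open_faults[(port, kind)] = ts
        elif event == "fault_recovered" and (port, kind) in open_faults:
            start = open_faults.pop((port, kind))
            summary[port]["outage_secs"].append(round((ts - start).total_seconds(), 2))
    return dict(summary)


def flapping_ports(events, window_seconds=60, min_downs=2):
    """Ports with at least `min_downs` link-down events inside `window_seconds`.
    A 10 Gbps link that faults repeatedly deserves a look before it fails outright."""
    downs = defaultdict(list)
    for ts, _card, port, event, _kind in events:
        if event == "link_down":
            downs[port].append(ts)
    window = timedelta(seconds=window_seconds)
    flapping = []
    for port, stamps in downs.items():
        for i in range(len(stamps) - min_downs + 1):
            if stamps[i + min_downs - 1] - stamps[i] <= window:
                flapping.append(port)
                break
    return sorted(flapping)


if __name__ == "__main__":
    evs = parse_lfs_log(SAMPLE_LOG)
    print(fault_summary(evs))
    print("flapping:", flapping_ports(evs))
```

On the sample, the remote fault on 4:3 lasted about 2.5 seconds and the local fault about 39 seconds; the two local-fault link-down messages 70 ms apart are what the flap check catches.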

Turning off Autopolarity
The autopolarity feature allows the system to detect and respond to the Ethernet cable type
(straight-through or crossover cable) used to make the connection to the switch port. This
feature applies to only the 10/100/1000 BASE-T ports on the switch.
When the autopolarity feature is enabled, the system causes the Ethernet link to come up
regardless of the cable type connected to the port. When the autopolarity feature is disabled,
you need a crossover cable to connect other networking equipment and a straight-through
cable to connect to endstations. The autopolarity feature is enabled by default.
To disable or enable autopolarity detection, use the following command:
configure ports [<port_list> | all] auto-polarity [off | on]

Where the following is true:
• port_list—Specifies one or more ports on the switch
• all—Specifies all of the ports on the switch
• off—Disables the autopolarity detection feature on the specified ports
• on—Enables the autopolarity detection feature on the specified ports


Under certain conditions, you might opt to turn autopolarity off on one or more ports. The
following example turns autopolarity off for ports 5 to 7 on an XCM8806 series switch:
configure ports 6:5-6:7 auto-polarity off

When autopolarity is disabled on one or more Ethernet ports, you can verify that status using
the command:
show ports information detail

Jumbo Frames
Jumbo frames are Ethernet frames that are larger than 1522 bytes, including four bytes used
for the cyclic redundancy check (CRC). NETGEAR products support switching and routing of
jumbo frames at wire-speed on all ports. The configuration for jumbo frames is saved across
reboots of the switch.
Jumbo frames are used between endstations that support larger frame sizes for more
efficient transfers of bulk data. Both endstations involved in the transfer must be capable of
supporting jumbo frames. The switch only performs IP fragmentation, or participates in
maximum transmission unit (MTU) negotiation on behalf of devices that support jumbo
frames.

Guidelines for Jumbo Frames
For information on displaying jumbo frame status, see Displaying Port Information on
page 148.

Enabling Jumbo Frames per Port
You can enable jumbo frames per port.
When you configure vMANs on NETGEAR 8800 series switches, you can enable or disable
jumbo frames for individual ports before configuring the vMANs.

Enabling Jumbo Frames
Note: Some network interface cards (NICs) have a configured maximum
MTU size that does not include the additional 4 bytes of CRC.
Ensure that the NIC maximum MTU size is at or below the maximum
MTU size configured on the switch. Frames that are larger than the
MTU size configured on the switch are dropped at the ingress port.


To enable jumbo frame support, enable jumbo frames on the desired ports. To set the
maximum jumbo frame size, use the following command:
configure jumbo-frame-size <framesize>

The jumbo frame size range is 1523 to 9216. This value describes the maximum size of the
frame in transit (on the wire), and includes 4 bytes of CRC plus another 4 bytes if 802.1Q
tagging is being used.
Set the MTU size for the VLAN by using the following command:
configure ip-mtu <mtu> vlan <vlan_name>

Next, enable support on the physical ports that will carry jumbo frames using the following
command:
enable jumbo-frame ports [all | <port_list>]

Path MTU Discovery
NETGEAR 8800 switches support path MTU discovery.
Using path MTU discovery, a source host assumes that the path MTU is the MTU of the first
hop (which is known). The host sends all datagrams on that path with the “don’t fragment”
(DF) bit set which restricts fragmentation. If any of the datagrams must be fragmented by a
NETGEAR switch along the path, the NETGEAR switch discards the datagrams and returns
an ICMP Destination Unreachable message to the sending host, with a code meaning
“fragmentation needed and DF set”. When the source host receives the message
(sometimes called a “Datagram Too Big” message), the source host reduces its assumed
path MTU and retransmits the datagrams.
The path MTU discovery process ends when one of the following is true:
• The source host sets the path MTU low enough that its datagrams can be delivered
  without fragmentation.
• The source host does not set the DF bit in the datagram headers.

If it is willing to have datagrams fragmented, a source host can choose not to set the DF bit in
datagram headers. Normally, the host continues to set DF in all datagrams, so that if the
route changes and the new path MTU is lower, the host can perform path MTU discovery
again.

IP Fragmentation with Jumbo Frames
The NETGEAR 8800 series switches support fragmentation of IP packets. If an IP packet
originates in a local network that allows large packets and those packets traverse a network
that limits packets to a smaller size, the packets are fragmented instead of discarded.
This feature is designed to be used in conjunction with jumbo frames. Frames that are
fragmented are not processed at wire-speed within the switch fabric.


Note: Only jumbo frame-to-normal frame fragmentation is supported.
Jumbo frame-to-jumbo frame fragmentation is not supported.

To configure VLANs for IP fragmentation:
1. Enable jumbo frames on the incoming port.
2. Add the port to a VLAN.
3. Assign an IP address to the VLAN.
4. Enable ipforwarding on the VLAN.
5. Set the MTU size for the VLAN, using the following command:
configure ip-mtu <mtu> vlan <vlan_name>

The ip-mtu value ranges between 1500 and 9194, with 1500 the default.

Note: To set the MTU size greater than 1500, all ports in the VLAN must
have jumbo frames enabled.

IP Fragmentation within a VLAN
The NETGEAR 8800 supports IP fragmentation within a VLAN. This feature does not require
you to configure the MTU size. To use IP fragmentation within a VLAN:
1. Enable jumbo frames on the incoming port.
2. Add the port to a VLAN.
3. Assign an IP address to the VLAN.
4. Enable ipforwarding on the VLAN.
If you leave the MTU size at the default value, enabling jumbo frame support on a port in the
VLAN produces a warning that the ip-mtu size for the VLAN is not set to the maximum jumbo
frame size. You can ignore this warning if you want IP fragmentation only within the VLAN.
If you do not use jumbo frames, IP fragmentation can be used only for traffic that stays within
the same VLAN. To use IP fragmentation for traffic that is sent to other VLANs, all ports in the
VLAN must be configured for jumbo frame support.
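The following Python example is added here and is not NETGEAR code. It applies the sizes from the preceding sections: the jumbo-frame-size range (1523 to 9216 bytes on the wire, including 4 bytes of CRC and 4 more bytes when 802.1Q tagging is used), the ip-mtu range (1500 to 9194), the rule that every port in a VLAN needs jumbo frames enabled before its ip-mtu can exceed 1500, and the path MTU discovery exchange between a source host and the switches on the path. The 14-byte Ethernet header and the simulated hop MTUs are assumptions of the example, not figures from the manual.

```python
"""Relate jumbo-frame-size to ip-mtu, check a VLAN before raising its MTU,
and walk through path MTU discovery.

Added example, not NETGEAR code. The CLI ranges (1523-9216 for
jumbo-frame-size, 1500-9194 for ip-mtu) and the 4-byte CRC and 4-byte
802.1Q allowances are the manual's; the 14-byte Ethernet header is the
standard figure but an assumption of this example, as is the simulated path.
"""

ETH_HEADER = 14          # destination MAC, source MAC, type/length
CRC = 4                  # frame check sequence, counted in jumbo-frame-size
VLAN_TAG = 4             # 802.1Q tag, also counted in jumbo-frame-size
JUMBO_MIN, JUMBO_MAX = 1523, 9216
IP_MTU_MIN, IP_MTU_MAX = 1500, 9194


def max_ip_mtu(jumbo_frame_size, tagged=True):
    """Largest ip-mtu that fits inside the configured frame size.
    9216 bytes on the wire minus 14 + 4 + 4 bytes of framing is 9194, which
    is exactly the top of the ip-mtu range."""
    if not JUMBO_MIN <= jumbo_frame_size <= JUMBO_MAX:
        raise ValueError(f"jumbo-frame-size must be {JUMBO_MIN}-{JUMBO_MAX}")
    overhead = ETH_HEADER + CRC + (VLAN_TAG if tagged else 0)
    return min(jumbo_frame_size - overhead, IP_MTU_MAX)


def nic_mtu_fits(nic_mtu, vlan_ip_mtu):
    """NICs state their MTU without the CRC; a frame above the switch MTU is
    dropped at the ingress port, so the NIC must not exceed the VLAN ip-mtu."""
    return nic_mtu <= vlan_ip_mtu


def vlan_mtu_check(ip_mtu, jumbo_enabled_by_port):
    """Ports that still need 'enable jumbo-frame ports' before the VLAN's
    ip-mtu can be raised above 1500. An empty list means the change is valid."""
    if not IP_MTU_MIN <= ip_mtu <= IP_MTU_MAX:
        raise ValueError(f"ip-mtu must be {IP_MTU_MIN}-{IP_MTU_MAX}")
    if ip_mtu <= 1500:
        return []
    return sorted(port for port, on in jumbo_enabled_by_port.items() if not on)


def path_mtu_discovery(first_hop_mtu, hop_mtus, set_df=True):
    """Simulate a source host sending datagrams of its assumed path MTU.

    With DF set, the first hop whose MTU is too small discards the datagram
    and returns 'fragmentation needed' carrying its own MTU; the host adopts
    that value and retries until a datagram gets through. Without DF, each
    such hop fragments instead and the host's assumption never changes.
    Returns (path MTU the host ends up assuming, list of events).
    """
    events = []
    if not set_df:
        size = first_hop_mtu
        for hop, mtu in enumerate(hop_mtus, start=1):
            if size > mtu:
                events.append(f"hop {hop}: fragmented {size} -> {mtu}")
                size = mtu
        events.append(f"delivered as {size}-byte fragments")
        return first_hop_mtu, events
    path_mtu = first_hop_mtu
    while True:
        for hop, mtu in enumerate(hop_mtus, start=1):
            if path_mtu > mtu:
                events.append(f"hop {hop}: ICMP fragmentation needed, MTU {mtu}")
                path_mtu = mtu        # strictly decreases, so the loop terminates
                break
        else:
            events.append(f"delivered at {path_mtu}")
            return path_mtu, events


if __name__ == "__main__":
    print(max_ip_mtu(9216))                                    # 9194
    print(vlan_mtu_check(9194, {"2:1": True, "2:2": False}))   # ['2:2']
    print(path_mtu_discovery(9194, [9194, 1500, 9194]))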

Link Aggregation on the Switch
The link aggregation (also known as load sharing) feature allows you to increase bandwidth
and availability by using a group of ports to carry traffic in parallel between switches. Load
sharing, link aggregation, and trunking are terms that have been used interchangeably in
NETGEAR documentation to refer to the same feature, which allows multiple physical ports
to be aggregated into one logical port, or link aggregation group (LAG). See IEEE 802.3ad for
more information on this feature. The advantages to link aggregation include an increase in
bandwidth and link redundancy.
This section describes the following topics:
• Link Aggregation Overview on page 125
• Dynamic Versus Static Load Sharing on page 126
• Load-Sharing Algorithms on page 126
• LACP on page 127
• Health Check Link Aggregation on page 130
• Guidelines for Load Sharing on page 131
• Configuring Switch Load Sharing on page 132
• Load-Sharing Examples on page 135
• Displaying Switch Load Sharing on page 137

Link Aggregation Overview
Note: All ports in a LAG must be running at the same speed and duplex
setting. Each port can belong to only one LAG.

Load sharing allows the switch to use multiple ports as a single logical port, or LAG. For
example, VLANs see the LAG as a single logical port. And, although you can only reference
the master port of a LAG to a Spanning Tree Domain (STPD), all the ports of the LAG
actually belong to the specified STPD. Most load-sharing algorithms guarantee packet
sequencing between clients.
Link aggregation, or load sharing, is disabled by default.
If a port in a load-sharing group (or LAG) fails, traffic is redistributed to the remaining ports in
the LAG. If the failed port becomes active again, traffic is redistributed to include that port.

Note: Load sharing must be enabled on both ends of the link, or a network
loop may result.

Link aggregation is most useful when:
•

The egress bandwidth of traffic exceeds the capacity of a single link.

•

Multiple links are used for network resiliency.

In both situations, the aggregation of separate physical links into a single logical link
multiplies total link bandwidth in addition to providing resiliency against individual link failures.


In modular switches, XCM8800 supports LAGs across multiple modules, so resiliency is also
provided against individual module failures.
The software supports control protocols across the LAGs, both static and dynamic. If you add
protocols to the port and then create a LAG on that port, you may experience a slight
interruption in the protocol operation. To seamlessly add or delete bandwidth when running
control protocols, NETGEAR recommends that you create a LAG consisting of only one port.
Then add your protocols to that port and add other ports as needed.
You can run the Link Layer Discovery Protocol (LLDP) on ports in a LAG.

Dynamic Versus Static Load Sharing
XCM8800 software supports two broad categories of load sharing, or link aggregation:
• Dynamic load sharing—Dynamic load sharing includes the Link Aggregation Control
  Protocol (LACP) and Health Check Link Aggregation. The Link Aggregation Control
  Protocol is used to dynamically determine if link aggregation is possible and then to
  automatically configure the aggregation. LACP is part of the IEEE 802.3ad standard and
  allows the switch to dynamically reconfigure the link aggregation groups (LAGs). The
  LAG is enabled only when LACP detects that the remote device is also using LACP and
  is able to join the LAG. Health Check Link Aggregation is used to create a link
  aggregation group that monitors a particular TCP/IP address and TCP port.
• Static load sharing—Static load sharing is a grouping of ports specifically configured to
  load share. The switch ports at each end must be specifically configured as part of a
  load-sharing group.

Note: The platform-related load-sharing algorithms apply to LACP (as well
as static load sharing).

Load-Sharing Algorithms
Load-sharing, or link aggregation, algorithms select an egress link for each packet forwarded
to an egress LAG. The XCM8800 software supports the following types of load sharing
algorithms:
• Port based—The egress link is chosen based on the ingress port number.
• Address based—The egress link is chosen based on egress packet contents.

The XCM8800 software provides multiple addressed-based algorithms. For some types of
traffic, the algorithm is fixed and cannot be changed. For other types of traffic, you can
configure an algorithm. Algorithm selection is not intended for use in predictive traffic
engineering.


Note: Always reference the master logical port of the load-sharing group
when configuring or viewing VLANs. VLANs configured to use other
ports in the LAG will have those ports deleted from the VLAN when
link aggregation is enabled.

Link Aggregation Algorithms
The NETGEAR 8800 supports address-based load sharing and distributes packets across all
members of a LAG.
Following are the types of traffic to which address-based algorithms apply and the traffic
components used to select egress links:
• IPv4 and IPv6 packets—Load sharing is based on the configured options supported:
  • L2 algorithm—Layer 2 source and destination MAC addresses.
  • L3 algorithm—Layer 3 source and destination IP addresses.
  • L3_L4 algorithm—Layer 3 and Layer 4, the combined source and destination IP
  addresses and source and destination TCP and UDP port numbers.
• Non-IP traffic—The source and destination MAC addresses.

You control the field examined by the switch for address-based load sharing when the
load-sharing group is created by using the following command:
enable sharing  grouping  {algorithm [port-based |
address-based {L2 | L3 | L3_L4 | custom}]} {lacp | health-check}
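
The following Python model is an added example, not NETGEAR code. It shows which header fields each address-based algorithm feeds into the egress choice and why the L2 or L3 algorithm can pin all traffic between two routers onto one member link; the CRC32 stands in for the undocumented platform hash, and the MAC and IP values are constructed.

```python
"""Model of address-based egress selection in a LAG (added example, not
NETGEAR code). The hardware hash is platform specific and not documented
here; a CRC32 stands in for it. What the model shows is which header
fields each algorithm (L2, L3, L3_L4) feeds into the choice, and why a
poor choice can pin many flows onto one member link.
"""
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Header fields that matter for load sharing (constructed sample data)."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None    # None for non-IP traffic
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None  # None when not TCP or UDP
    dst_port: Optional[int] = None


def hash_fields(pkt: Packet, algorithm: str) -> tuple:
    """Return the header fields the configured algorithm examines.

    Non-IP traffic is always shared on source and destination MAC address,
    whatever algorithm is configured, as the manual states.
    """
    if pkt.src_ip is None or algorithm == "L2":
        return (pkt.src_mac, pkt.dst_mac)
    if algorithm == "L3":
        return (pkt.src_ip, pkt.dst_ip)
    if algorithm == "L3_L4":
        # Port numbers only exist for TCP/UDP; other IP protocols contribute
        # zeros here, so for them L3_L4 behaves like the L3 algorithm.
        return (pkt.src_ip, pkt.dst_ip, pkt.src_port or 0, pkt.dst_port or 0)
    raise ValueError(f"unknown load-sharing algorithm: {algorithm!r}")


def select_egress(pkt: Packet, members: list, algorithm: str) -> str:
    """Choose the LAG member link that carries this packet."""
    key = "|".join(str(f) for f in hash_fields(pkt, algorithm)).encode()
    return members[zlib.crc32(key) % len(members)]


def distribution(packets, members, algorithm) -> Counter:
    """Count how many packets land on each member link."""
    return Counter(select_egress(p, members, algorithm) for p in packets)


# Constructed scenario: two routers exchange 200 TCP flows across a
# four-link LAG. Every flow has the same MAC pair and the same IP pair,
# differing only in TCP source port.
MEMBERS = ["3:9", "3:10", "3:11", "3:12"]
ROUTED_FLOWS = [
    Packet("00:00:5e:00:53:01", "00:00:5e:00:53:02",
           "10.0.0.1", "10.0.0.2", 40000 + i, 443)
    for i in range(200)
]
# Constructed non-IP frames: 50 different source MACs to one destination.
NON_IP_FRAMES = [Packet(f"00:00:5e:00:53:{i:02x}", "ff:ff:ff:ff:ff:ff")
                 for i in range(50)]


def links_used(packets, algorithm) -> int:
    """Number of distinct member links carrying at least one packet."""
    return len(distribution(packets, MEMBERS, algorithm))


if __name__ == "__main__":
    for alg in ("L2", "L3", "L3_L4"):
        print(alg, dict(distribution(ROUTED_FLOWS, MEMBERS, alg)))
```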

LACP
Note: LACP fails over hitlessly in the event of a failover to a duplicate
MSM/MM in a modular switch.

You can run the Link Aggregation Control Protocol (LACP) on NETGEAR devices. LACP
enables dynamic load sharing and hot standby for link aggregation links, in accordance with
the IEEE 802.3ad standard. All third-party devices supporting LACP run with NETGEAR
devices.
The addition of LACP provides the following enhancements to static load sharing, or link
aggregation:
• Automatic configuration
• Rapid configuration and reconfiguration
• Deterministic behavior
• Low risk of duplication or misordering

After you enable load-sharing, the LACP protocol is enabled by default. You configure
dynamic link aggregation by first assigning a primary, or logical, port to the group, or LAG and
then specifying the other ports you want in the LAG.
LACP, using an automatically generated key, determines which links can aggregate. Each
link can belong to only one LAG. LACP determines which links are available. The
communicating systems negotiate priority for controlling the actions of the entire trunk (LAG),
using LACP, based on the lowest system MAC number. You can override this automatic
prioritization by configuring the system priority for each LAG.
After you enable and configure LACP, the system sends PDUs (LACPDUs) on the LAG ports.
The LACPDUs inform the remote system of the identity of the sending system, the
automatically generated key of the link, and the desired aggregation capabilities of the link. If
a key from a particular system on a given link matches a key from that system on another
link, those links are aggregatable. After the remote system exchanges LACPDUs with the
LAG, the system determines the status of the ports and which of them will carry traffic.
Among those ports deemed aggregatable by LACP, the system uses those ports with the
lowest port number as active ports; the remaining ports aggregatable to that LAG are put into
standby status. Should an active link fail, the standby ports become active, also according to
the lowest port number. (See Configuring LACP on page 133 for the number of active and
standby LACP links supported per platform.)
All ports configured in a LAG begin in an unselected state. Based on the LACPDUs
exchanged with the remote link, those ports that have a matching key are moved into a
selected state. If there is no matching key, the ports in the LAG remain in the unselected
state.
However, if more ports in the LAG are selected than the aggregator can handle because of
the system hardware, the ports that exceed the hardware's capability are moved into
standby state. The lowest numbered ports are the first to be automatically added to the
aggregator; the rest go to standby. As the name implies, these ports are available to join the
aggregator if one of the selected ports should go offline.
You can configure the port priority to ensure the order that ports join the aggregator. However,
that port must first be added to the LAG before you can configure the LACP settings. Again, if
more than one port is configured with the same priority, the lowest-numbered port joins the
aggregator first.
After the ports in the LAG move into the selected state, LACP uses the mux portion of the
protocol to determine which ports join the aggregator and can collect and distribute traffic. A
few seconds after a port is selected, it moves into the mux state of waiting, and then into the
mux state of attached. The attached ports then send their own LACP sync messages
announcing that they are ready to receive traffic.
The protocol keeps sending and receiving LACPDUs until both sides of the link have echoed
back each other’s information; the ends of the link are then considered synchronized. After
the sync messages match up on each end, that port is moved into the aggregator (into the
mux state of collecting-distributing) and is able to collect and distribute traffic.
The protocol then enables the aggregated link for traffic and monitors the status of the links
for changes that may require reconfiguration. For example, if one of the links in a LAG goes
down and there are standby links in that LAG, LACP automatically moves the standby port
into selected mode and that port begins collecting and distributing traffic.
The marker protocol portion of LACP ensures that all traffic on a link has been received in the
order in which it was sent and is used when links must be dynamically moved between
aggregation groups. The NETGEAR LACP implementation responds to marker frames but
does not initiate these frames.

Note: Always verify the LACP configuration by issuing the show ports
sharing command; look for the ports specified as being in the
aggregator. You can also display the aggregator count by issuing the
show lacp lag command.

You can configure additional parameters for the LACP protocol and the system sends certain
SNMP traps in conjunction with LACP. The system sends a trap when a member port is
added to or deleted from an aggregator.
The system now detects and blocks loopbacks; that is, the system does not allow a pair of
ports that are in the same LAG but are connected to one another by the same link to select
the same aggregator. If a loopback condition exists between two ports, they cannot
aggregate. Ports with the same MAC address and the same admin key cannot aggregate;
ports with the same MAC address and a different admin key can belong to the same LAG.
The system sends an error message if a LAG port is configured and up but still not attached
to the aggregator or in operation within 60 seconds. Use the show lacp member-port 
detail command to display the churn on both sides of the link. If the Churn value is shown
as True in the display, check your LACP configuration. The issue may be either on your end
or on the partner link, but you should check your configuration. The display shows as True
until the aggregator forms, when it changes to display as False.
A LAG port moves to expired and then to the defaulted state when it fails to receive an
LACPDU from its partner for a specified time. You can configure this timeout value as long,
which is 90 seconds, or short, which is 3 seconds; the default is long. Use the show lacp lag
 detail command to display the timeout value for the LAG.
There are two LACP activity modes: active and passive. In LACP active mode, the switch
periodically sends LACPDUs; in passive mode, the switch sends LACPDUs only when it
receives one from the other end of the link. The default is active mode. Use the show lacp
lag  detail command to display the LACP mode for the LAG.

Note: One side of the link must be in active mode in order to pass traffic. If
you configure your side in the passive mode, ensure that the partner
link is in LACP active mode.

A LAG port moves into a defaulted state after the timeout value expires with no LACPDUs
received from the other side of the link. You can configure whether you want this defaulted
LAG port removed from the aggregator or added back into the aggregator. If you configure the
LAG to remove ports that move into the defaulted state, those ports are removed from the
aggregator and the port state is set to unselected. The default configuration for defaulted
ports is to be removed, or deleted, from the aggregator.

Note: To force the LACP trunk to behave like a static sharing trunk, use the
configure sharing lacp defaulted-state-action command to add
ports to the aggregator.

If you configure the LAG to add the defaulted port into the aggregator, the system takes
inventory of the number of ports currently in the aggregator. If there are fewer ports in the
aggregator than the maximum number allowed, the system adds the defaulted port to the
aggregator (port set to selected and collecting-distributing). If the aggregator has the
maximum ports, the system adds the defaulted port to the standby list (port set to standby).
Use the show lacp lag  {detail} command to display the defaulted action set for
the LAG.

Note: If the defaulted port is assigned to standby, that port automatically
has a lower priority than any other port in the LAG (including those
already in standby).
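
The following Python model is an added example, not NETGEAR code. It applies the selection, standby, failover and defaulted-state-action rules described above to a constructed twelve-port LAG; the 32768 default port priority and the lower-value-joins-first ordering are assumptions.

```python
"""Model of LACP member-port selection in a NETGEAR 8800 LAG (added
example, not NETGEAR code). Rules taken from the manual: ports whose
automatically generated key matches the partner's become selected; at
most MAX_ACTIVE join the aggregator, ordered by configured port priority
and then lowest port number; the next MAX_STANDBY wait in standby and are
promoted when an active link fails; a defaulted port is handled according
to the defaulted-state-action setting. Priority semantics (lower value
joins first) and the default priority value are assumptions.
"""
from dataclasses import dataclass

MAX_ACTIVE = 8             # selected links per LACP LAG on the NETGEAR 8800
MAX_STANDBY = 8            # standby links per LACP LAG on the NETGEAR 8800
DEFAULT_PRIORITY = 32768   # assumed default for configure lacp member-port priority


@dataclass
class MemberPort:
    number: int
    key: int                          # automatically generated LACP key
    priority: int = DEFAULT_PRIORITY
    link_up: bool = True
    state: str = "unselected"         # unselected | selected | standby


class Lag:
    def __init__(self, ports, defaulted_action="delete"):
        self.ports = list(ports)
        # configure sharing <lag> lacp defaulted-state-action [add | delete]
        self.defaulted_action = defaulted_action

    def recompute(self, partner_key: int) -> None:
        """Assign states after LACPDUs have been exchanged with the partner."""
        for p in self.ports:
            p.state = "unselected"
        aggregatable = sorted(
            (p for p in self.ports if p.link_up and p.key == partner_key),
            key=lambda p: (p.priority, p.number))
        for p in aggregatable[:MAX_ACTIVE]:
            p.state = "selected"      # in the aggregator, collecting-distributing
        for p in aggregatable[MAX_ACTIVE:MAX_ACTIVE + MAX_STANDBY]:
            p.state = "standby"       # waits for an active link to fail
        # Anything beyond the hardware limits stays unselected.

    def ports_in(self, state: str) -> list:
        """Port numbers currently in the given state, lowest first."""
        return sorted(p.number for p in self.ports if p.state == state)

    def link_failed(self, number: int, partner_key: int) -> None:
        """An active link goes down; the best standby port replaces it."""
        for p in self.ports:
            if p.number == number:
                p.link_up = False
        self.recompute(partner_key)

    def port_defaulted(self, number: int) -> str:
        """No LACPDUs from the partner within the timeout: apply the action."""
        port = next(p for p in self.ports if p.number == number)
        port.state = "unselected"     # removed first; may be re-added below
        if self.defaulted_action == "add":
            if len(self.ports_in("selected")) < MAX_ACTIVE:
                port.state = "selected"
            else:
                port.state = "standby"  # ranks below every other standby port
        return port.state


def build_example_lag(defaulted_action="delete") -> Lag:
    """Constructed LAG: ports 1-12 with key 100, except port 5 whose key differs."""
    ports = [MemberPort(n, key=200 if n == 5 else 100) for n in range(1, 13)]
    return Lag(ports, defaulted_action)


if __name__ == "__main__":
    lag = build_example_lag()
    lag.recompute(partner_key=100)
    print("selected:", lag.ports_in("selected"), "standby:", lag.ports_in("standby"))
    lag.link_failed(3, partner_key=100)
    print("after port 3 fails, selected:", lag.ports_in("selected"))
```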

Health Check Link Aggregation
The Health Check LAG application allows you to create a link aggregation group where
individual member links can monitor a particular TCP/IP address and TCP port. When
connectivity to the TCP/IP address and TCP port fails, the member link is removed from the
link aggregation group.
TCP connectivity status is determined using standard TCP socket connections. As long as
the switch can establish a TCP connection to the target TCP/IP address and TCP port, the
connection is considered up. The TCP connection is retried according to the configured
frequency and misses settings.
A typical use case for this application is connecting each member link to a Security Server
that validates traffic. Each member link of the Health Check LAG is connected to an
individual Security Server. The LAG is added to a VLAN on the same subnet as the Security
Server IP addresses to be monitored. Each member port is configured to monitor a particular
IP address and TCP port. The Health Check LAG application attempts a TCP connect to each
IP address and TCP port through the corresponding member port. The Health Check LAG, by
virtue of the sharing algorithm, load balances traffic across the member links. If a TCP
connection cannot be established through a member link, the port is removed from the
aggregator and traffic through that particular link is redistributed to the other LAG member
links.
Figure 1 displays an example of a Health Check LAG:
[Figure 1 shows a switch (labelled ExtremeXOS in the figure) with VLAN vlan1 at 192.168.1.1
and a LAG of member ports 1:1, 1:2, 1:3 and 1:4 controlled by the Health Check LAG
application. Each member link connects to one server and monitors a TCP port on it:
Server1 192.168.1.101, Server2 192.168.1.102, Server3 192.168.1.103, Server4
192.168.1.104. Port 1:3 gets no response from the specified TCP port and is removed
from the LAG.]

Note: The default port to monitor is port 80 (HTTP).

Figure 1. Health Check LAG Example
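
The following Python model is an added example, not NETGEAR code. It replays the per-member TCP tracking loop described above offline against a constructed script of connect results for the four servers in Figure 1; the frequency and misses defaults are assumptions, since the manual defers them to the CLI Manual, and re-adding a member once its target answers again is also assumed.

```python
"""Model of the Health Check LAG TCP tracking loop (added example, not
NETGEAR code). Every member port monitors one IP address and TCP port
with a plain TCP socket connect; the member stays in the aggregator while
the connect succeeds and is removed after `misses` consecutive failures
spaced `frequency` seconds apart. The probe is injectable so the example
runs offline against a constructed script of connect results.
Assumptions: the frequency and misses defaults, and re-adding a member
when its target answers again.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

DEFAULT_TCP_PORT = 80    # default monitored port per the manual (HTTP)
ASSUMED_FREQUENCY = 10   # seconds between connect attempts (assumption)
ASSUMED_MISSES = 3       # consecutive misses before removal (assumption)


@dataclass
class TcpTrack:
    member_port: str                   # switch port, e.g. "1:3"
    ip: str                            # tracked server address
    tcp_port: int = DEFAULT_TCP_PORT
    frequency: int = ASSUMED_FREQUENCY
    misses: int = ASSUMED_MISSES
    consecutive_misses: int = 0
    in_aggregator: bool = True


def tcp_connect_ok(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: a standard TCP socket connect to the tracked target."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_interval(track: TcpTrack, probe: Callable[[str, int], bool]) -> bool:
    """One tracking interval for a member port; returns aggregator membership."""
    if probe(track.ip, track.tcp_port):
        track.consecutive_misses = 0
        track.in_aggregator = True    # re-added once connectivity returns (assumption)
    else:
        track.consecutive_misses += 1
        if track.consecutive_misses >= track.misses:
            track.in_aggregator = False   # removed from the LAG; traffic redistributed
    return track.in_aggregator


def active_members(tracks: List[TcpTrack]) -> List[str]:
    """Member ports currently carrying traffic."""
    return [t.member_port for t in tracks if t.in_aggregator]


def simulate(tracks: List[TcpTrack], script: Dict[str, List[bool]]) -> List[List[str]]:
    """Replay scripted connect results, one entry per tracking interval
    (the last entry repeats), and return the active members after each."""
    intervals = max(len(v) for v in script.values())
    history = []
    for i in range(intervals):
        for t in tracks:
            results = script[t.ip]
            ok = results[i] if i < len(results) else results[-1]
            run_interval(t, lambda ip, port, ok=ok: ok)
        history.append(active_members(tracks))
    return history


def example_tracks() -> List[TcpTrack]:
    """Constructed scenario from the figure: ports 1:1-1:4 each tracking one
    server, here on TCP 8080 as in the manual's configuration example."""
    return [TcpTrack(f"1:{n}", f"192.168.1.{100 + n}", tcp_port=8080)
            for n in range(1, 5)]


# Constructed connect results: Server3 stops answering for three intervals.
EXAMPLE_SCRIPT = {
    "192.168.1.101": [True],
    "192.168.1.102": [True],
    "192.168.1.103": [True, False, False, False, True],
    "192.168.1.104": [True],
}

if __name__ == "__main__":
    for i, members in enumerate(simulate(example_tracks(), EXAMPLE_SCRIPT)):
        print(f"interval {i}: active members {members}")
```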

Guidelines for Load Sharing
The following sections provide guidelines for load sharing:
• Load Sharing Guidelines for NETGEAR 8800 Series Switches on page 131
• Load Sharing Rules and Restrictions for All Switches on page 132

Load Sharing Guidelines for NETGEAR 8800 Series Switches
The following rules apply to load sharing on NETGEAR 8800 series switches:
• One static LAG can contain up to 8 ports.
• One LACP LAG can contain up to 16 links per LAG, which includes up to 8 selected links
and 8 standby links.
• One Health Check LAG can contain up to 8 ports.
• The maximum number of LAGs is 128.

Note: See Configuring LACP on page 133 for the maximum number of
links, selected and standby, per LACP.

Load Sharing Rules and Restrictions for All Switches
Additionally, the following rules apply to load sharing on all switches:
• The ports in the LAG do not need to be contiguous.
• A LAG that spans multiple modules must use ports that have the same maximum
bandwidth capability, with one exception—you can mix media type on 1 Gbps ports.
• On both ingress and egress direction on NETGEAR 8800 series switches, when you
configure an ACL to a LAG group, you must configure each of the member ports
exclusively.

Configuring Switch Load Sharing
Note: See Guidelines for Load Sharing on page 131 for specific
information on load sharing for each specific device.

To set up a switch for load sharing, or link aggregation, among ports, you must create a
load-sharing group of ports, also known as a link aggregation group (LAG). The first port in
the load-sharing group is configured to be the master logical port. This is the reference port
used in configuration commands and serves as the LAG group ID. It can be thought of as the
logical port representing the entire port group.
All the ports in a load-sharing group must have the same exact configuration, including
autonegotiation, duplex setting, and so on. All the ports in a load-sharing group must also be
of the same bandwidth class.
The following sections describe common load sharing configuration tasks:
• Creating and Deleting Load Sharing Groups on page 132
• Adding and Deleting Ports in a Load-Sharing Group on page 133
• Configuring the Load Sharing Algorithm on page 133
• Configuring LACP on page 133
• Configuring Health Check Link Aggregation on page 134

Creating and Deleting Load Sharing Groups
To define a load-sharing group, or LAG, you assign a group of ports to a single, logical port
number. To enable or disable a load-sharing group, use the following commands:
enable sharing  grouping  {algorithm [port-based |
address-based {L2 | L3 | L3_L4 | custom}]} {lacp | health-check}
disable sharing 

Note: All ports that are designated for the LAG must be removed from all
VLANs prior to configuring the LAG.

Adding and Deleting Ports in a Load-Sharing Group
Ports can be added or deleted dynamically in a load-sharing group, or LAG. To add or delete
ports from a load-sharing group, use the following commands:
configure sharing  add ports 
configure sharing  delete ports 

Note: See Configuring LACP on page 133 for the maximum number of
links, selected and standby, per LACP.

Configuring the Load Sharing Algorithm
For some traffic on selected platforms, you can configure the load sharing algorithm as
described in Load-Sharing Algorithms on page 126. The commands for configuring load
sharing algorithms are:
enable sharing  grouping  {algorithm [port-based |
address-based {L2 | L3 | L3_L4 | custom}]} {lacp | health-check}

Configuring LACP
To configure LACP, you must, again, first create a LAG. The first port in the LAG serves as
the logical port for the LAG. This is the reference port used in configuration commands. It can
be thought of as the logical port representing the entire port group, and it serves as the LAG
Group ID.
To create a LAG for LACP:
1. Create a LAG, using the following command:
enable sharing  grouping  {algorithm [port-based | address-based {L2 |
L3 | L3_L4 | custom}]} {lacp | health-check}
The port you assign using the first parameter becomes the logical port for the link
aggregation group and the LAG Group ID when using LACP. This logical port must also
be included in the port list of the grouping itself.
2. If you want to override the default prioritization in LACP for a specified LAG, use the
following command:
configure sharing  lacp system-priority 
This step is optional; LACP handles prioritization using system MAC addresses.
3. Add or delete ports to the LAG as desired, using the following command:
configure sharing  add ports 
4. If you want to override the ports selection for joining the LAG by configuring a priority for a
port within a LAG, issue the following command:
configure lacp member-port  priority 
5. If you want to change the expiry timer, use the following command:
configure sharing  lacp timeout [long | short]
The default value for the timeout is long, or 90 seconds.
6. If you want to change the activity mode, use the following command:
configure sharing  lacp activity-mode [active | passive]
The default value for the activity mode is active.
7. If you want to configure the action the switch takes for defaulted LAG ports, use the following
command:
configure sharing  lacp defaulted-state-action [add | delete]
The default value for defaulted LAG ports is delete the default ports.

Note: Always verify the LACP configuration by issuing the show ports
sharing command; look for the ports listed as being in the
aggregator.

Configuring Health Check Link Aggregation
To configure Health Check link aggregation you must first create a LAG. One port in the LAG
serves as the logical port for the LAG and is the reference port used in configuration
commands.
When you create the LAG, no monitoring is initially configured. The LAG is created in the
same way that a static LAG is created and if no monitoring is ever created, this LAG behaves
like a static LAG.
1. Create a LAG using the following command:
enable sharing  grouping  {algorithm [port-based |
address-based {L2 | L3 | L3_L4 | custom}]} {lacp | health-check}

The port you assign using the  parameter becomes the logical port for the link
aggregation group and the LAG Group ID when using Health Check link aggregation.
This logical port must also be included in the port list of the grouping itself.
2. Configure monitoring for each member port using the following command:
configure sharing health-check member-port  add tcp-tracking  {tcp-port  frequency  misses }

If the TCP-port, frequency, or misses are not specified, the defaults described in the
NETGEAR 8800 Chassis Switch CLI Manual are used.
3. Add the LAG to a VLAN whose subnet is the same as the configured tracking IP addresses.
configure vlan  add port  [tagged | untagged]

All of the tracking IP addresses must be in the same subnet in which the LAG belongs.

Note: VLANs to which Health Check LAG ports are to be added must be
configured in loopback mode. This is to prevent the VLAN interface
from going down if all ports are removed from the Health Check
LAG. In a normal LAG when all ports are removed from the
aggregator, the trunk is considered DOWN. As a consequence, if
this were the only port in the VLAN, the VLAN interface would be
brought DOWN as well. In the Health Check LAG situation, this
would cause the TCP monitoring to fail because the L3 vlan
interface used by TCP monitoring would no longer send or receive
TCP data.

The following commands are used to modify the configured Health Check LAG.
1. Delete the monitoring configuration for a member port using the following command:
configure sharing health-check member-port  delete tcp-tracking  {tcp-port }

2. Enable or disable monitoring for a member port in the Health Check LAG using the following
command:
configure sharing health-check member-port  [disable | enable]
tcp-tracking

Load-Sharing Examples
This section provides examples of how to define load sharing, or link aggregation, on
stand-alone and modular switches, as well as how to define dynamic link aggregation.

Load Sharing on a Stand-alone Switch
The following example defines a static load-sharing group that contains ports 9 through 12,
and uses the first port in the group as the master logical port 9:
enable sharing 9 grouping 9-12

In this example, logical port 9 represents physical ports 9 through 12.
When using load sharing, you should always reference the master logical port of the
load-sharing group (port 9 in the previous example) when configuring or viewing VLANs; the
logical port serves as the LAG Group ID. VLANs configured to use other ports in the
load-sharing group will have those ports deleted from the VLAN when load sharing becomes
enabled.

Cross-Module Load Sharing on a NETGEAR 8800 Switch
The following example defines a static load-sharing group on modular switches that contains
ports 9 through 12 on slot 3, ports 7 through 10 on slot 5, and uses port 7 in the slot 5 group
as the primary logical port, or LAG Group ID:
enable sharing 5:7 grouping 3:9-3:12, 5:7-5:10

In this example, logical port 5:7 represents physical ports 3:9 through 3:12 and 5:7 through
5:10.
When using load sharing, you should always reference the LAG Group ID of the load-sharing
group (port 5:7 in the previous example) when configuring or viewing VLANs. VLANs
configured to use other ports in the load-sharing group will have those ports deleted from the
VLAN when load sharing becomes enabled.
Address-based load sharing can also span modules.

Single-Module Load Sharing on a NETGEAR 8800 Switch
The following example defines a static load-sharing, or link aggregation, group that contains
ports 9 through 12 on slot 3 and uses the first port as the master logical port 9, or LAG group
ID:
enable sharing 3:9 grouping 3:9-3:12

In this example, logical port 3:9 represents physical ports 3:9 through 3:12.

LACP Example
The following configuration example:
• Creates a dynamic LAG with the logical port (LAG Group ID) of 10 that contains ports 10
through 12.
• Sets the system priority for that LAG to 3.
• Adds port 5 to the LAG.

enable sharing 10 grouping 10-12 lacp
configure sharing 10 lacp system-priority 3
configure sharing 10 add port 5

Health Check LAG Example
The following example creates a Health Check LAG of 4 ports:
create vlan v1
configure v1 ip 192.168.1.1/24
enable sharing 5 grouping 5-8 health-check
enable loopback-mode v1
configure v1 add port 5
configure sharing health-check member-port 5 add track-tcp 192.168.1.101 tcp-port 8080
configure sharing health-check member-port 6 add track-tcp 192.168.1.102 tcp-port 8080
configure sharing health-check member-port 7 add track-tcp 192.168.1.103 tcp-port 8080
configure sharing health-check member-port 8 add track-tcp 192.168.1.104 tcp-port 8080

Displaying Switch Load Sharing
You can display static and dynamic load sharing. In the link aggregation displays, the types
are shown by the following aggregation controls:
• Static link aggregation—static
• Link Aggregation Control Protocol—LACP
• Health check link aggregation—hlth-chk

To verify your configuration, use the following command:
show ports sharing

To verify LACP configuration, use the following command:
show lacp

To display information for the specified LAG, use the following command:
show lacp lag  {detail}

To display LACP information for a specific port that is a member of a LAG, use the following
command:
show lacp member-port  {detail}

See Displaying Port Information on page 148 for information on displaying summary
load-sharing information.
To clear the counters, use the following command:
clear lacp counters

You can display the LACP counters for all member ports in the system. To display the LACP
counters, use the following command:
show lacp counters

To display information for a health check LAG, use the following command:
show sharing health-check

Mirroring
Note: You can accomplish port mirroring using ACLs. See Chapter 13,
ACLs for more information.

Mirroring configures the switch to copy all traffic associated with one or more ports, VLANs,
or virtual ports. A virtual port is a combination of a VLAN and a port. The monitor port or ports
can then be connected to a network analyzer or RMON probe for packet analysis. The
system uses a traffic filter that copies a group of traffic to the monitor port(s). You can have
only one monitor port or port list on the switch. This feature allows you to mirror multiple ports
or VLANs to a monitor port, while preserving the ability of a single protocol analyzer to track
and differentiate traffic within a broadcast domain (VLAN) and across broadcast domains (for
example, across VLANs when routing).

Note: The mirroring filter limits discussed in this chapter do not apply when
you are working with Sentriant devices.

Up to 16 mirroring filters and 1 monitor port or 1 monitor port list can be configured. A monitor
port list may contain up to 16 ports.

Note: On NETGEAR 8800 series switches, you can mirror up to 16 VLANs
on a given port.

Mirroring is disabled by default.

Note: Frames that contain errors are not mirrored.

Guidelines for Mirroring
The guidelines for mirroring are hardware dependent. Find your hardware type in this section
for your specific guidelines.

NETGEAR 8800 Series Switches
The traffic filter on NETGEAR 8800 series switches can be defined based on one of the
following criteria:
• Physical port—All data that traverses the port, regardless of VLAN configuration, is
copied to the monitor port(s). You can specify which traffic the port mirrors:
  • Ingress—Mirrors traffic received at the port.
  • Egress—Mirrors traffic sent from the port.
  • Ingress and egress—Mirrors traffic either received at the port or sent from the port.
  (If you omit the optional parameters, all traffic is forwarded; the default for port-based
  mirroring is ingress and egress).
• VLAN—All data to a particular VLAN, regardless of the physical port configuration, is
copied to the monitor port(s).
• Virtual port—All data specific to a VLAN on a specific port is copied to the monitor
port(s).
• The NETGEAR 8800 supports up to 16 mirror filters where each filter can be a port, a
VLAN, or a port + VLAN.
• The NETGEAR 8800 supports up to 16 monitor ports for one-to-many mirroring.
• Only traffic ingressing a VLAN can be monitored; you cannot specify ingressing or
egressing traffic when mirroring VLAN traffic.
• When routing between VLANs, ingress mirrored traffic is presented to the monitor port(s)
as modified for routing. This is the default behavior and the behavior when you use the
command configure mirroring mode standard. When you use the command configure
mirroring mode enhanced, ingress traffic is mirrored as it is received (on the wire).
• When using standard mode mirroring, a packet which matches both an ingress mirroring
filter and an egress mirroring filter can only be ingress mirrored. The behavior depends
on the location of the ingress port, egress port and monitor port within the switch as well
as the type of module on which the packet ingresses. When using enhanced mode
mirroring, two packets are mirrored when a packet encounters both an ingress and
egress mirroring filter.
• You cannot include the monitor port or ports for NETGEAR 8800 series switches in a
load-sharing group.
• You can run mirroring and sFlow on the same device.
• Tagged and untagged traffic is mirrored slightly differently depending on the module that
the mirrored port and the monitor port or ports are on.
• On NETGEAR 8800 series switches, when traffic is modified by hardware on egress,
egress mirrored packets may not be transmitted out of the monitor port as they egressed
the port containing the egress mirroring filter. In addition, IP multicast packets which are
egress mirrored contain the source MAC address and VLAN ID of the unmodified packet.
• Enhanced mirroring mode must be configured if you are going to configure a remote
mirroring tag. Enhanced mirroring mode is configured using the following command:
configure mirroring mode enhanced
• The configuration of remote-tag does not require the creation of a VLAN with the same
tag; on these platforms the existence of a VLAN with the same tag as a configured
remote-tag is prevented. This combination is allowed so that an intermediate remote
mirroring switch can configure remote mirroring using the same remote mirroring tag as
other source switches in the network. Make sure that VLANs meant to carry normal user
traffic are not configured with a tag used for remote mirroring.
• When a VLAN is created with remote-tag, that tag is locked and a normal VLAN cannot
have that tag. The tag is unique across the switch. Similarly if you try to create a
remote-tag VLAN where remote-tag already exists in a normal VLAN as a VLAN tag, you
cannot use that tag and the VLAN creation fails.

Mirroring Rules and Restrictions
This section summarizes the rules and restrictions for configuring mirroring:
• When you disable mirroring, all the filters are unconfigured.
• To change monitor ports, you must first remove all the filters.
• You cannot mirror the monitor port.
• The mirroring configuration is removed when you:
  • Delete a VLAN (for all VLAN-based filters).
  • Delete a port from a VLAN (for all VLAN-, port-based filters).
  • Unconfigure a slot (for all port-based filters on that slot).
• Any mirrored port can also be enabled for load sharing (or link aggregation); however,
each individual port of the load-sharing group must be explicitly configured for mirroring.
• The monitor port is automatically removed from all VLANs; you cannot add it to a VLAN.
• The mirroring filters are not confined to a single module; they can have ports that span
multiple modules.
• You cannot use the management port at all in mirroring configurations.
• With one-to-many mirroring, you need to enable jumbo frame support in the mirror-to port
and loopback port, if you need to mirror tagged packets of length 1519 to 1522.
• The loopback port is dedicated for mirroring and hence cannot be used for other
configuration; this is indicated by a glowing LED.
• Due to certain restrictions, the following packet types will not be egress mirrored using
egress VLAN or virtual port-based mirroring:
  • CPU generated packets
  • L2 multicast traffic
• As traffic approaches line rate, mirroring rate may decrease. Since mirroring makes
copies of traffic, the bandwidth available will be devoted mostly to regular traffic instead of
mirrored traffic when the load is high.

Mirroring Examples
Mirroring is disabled by default. To enable mirroring on a single port, the following command
can be used:
enable mirroring to port 

To enable mirroring on multiple ports, use the following command:
enable mirroring to port-list  loopback-port 

The port-list is a list of monitor ports which will transmit identical copies of mirrored packets.
The loopback-port is an otherwise unused port required when mirroring to a port-list. The
loopback-port is not available for switching user data traffic.
To disable mirroring, use the following command:
disable mirroring

Note: When you change the mirroring configuration, the switch stops
sending egress packets from the monitor port until the change is
complete. The ingress mirroring traffic to the monitor port and
regular traffic are not affected.

NETGEAR 8800 Series Switches
The following example selects slot 3, port 4 on a modular switch as the monitor port and
sends all traffic received at slot 6, port 5 to the monitor port:
enable mirroring to port 3:4
configure mirroring add port 6:5 ingress

The following example selects slot 3, port 4 on a modular switch as the monitor port and
sends all traffic sent from slot 6, port 5 to the monitor port:
enable mirroring to port 3:4
configure mirroring add port 6:5 egress

The following example selects ports 5, 6, and 7 on slot 2 on a modular switch as the monitor
ports and sends all traffic received at slot 6, port 5 to the monitor ports. Slot 3, port 1 is an
unused port selected as the loopback port.
enable mirroring to port-list 2:5-2:7 loopback-port 3:1
configure mirroring add port 6:5 ingress

Verifying the Mirroring Configuration
The screen output resulting from the show mirroring command lists the ports that are
involved in mirroring and identifies the monitor port. The display differs slightly depending on
the platform.

Remote Mirroring
Remote mirroring enables the user to mirror traffic to remotely connected switches. Remote
mirroring allows a network administrator to mirror traffic from several different remote


switches to a port at a centralized location. Remote mirroring is accomplished by reserving a
dedicated VLAN throughout the network for carrying the mirrored traffic.
Figure 2 shows a typical remote mirroring topology. Switch A is the source switch that
contains ports, VLANs, and/or virtual ports to be remotely mirrored. Port 25 is the local
monitor port on Switch A. Switch B is the intermediate switch. Switch C is the destination
switch, which is connected to the network analyzer.
[Figure 2. Remote Mirroring Topology: Switch A (source; local monitor port 25) -> Switch B (intermediate) -> Switch C (destination; port 2) -> network analyzer]

All mirrored packets are tagged with the remote-tag specified by the source switch, whether or not the packet is already tagged. The intermediate switches forward the remote-tagged mirrored packets to the adjacent intermediate or destination switch, because the ports between them are added as tagged members of the remote mirroring VLAN. The port connected to the network analyzer is added as untagged in the destination switch. This causes the destination switch to remove the remote-tag, and the mirrored packet reaches the network analyzer exactly as the source switch sent it.
Unlike basic mirroring, remote mirroring does not remove VLAN membership from the local monitor ports. This allows remote mirroring to use the existing network topology to transport remote mirrored packets to a destination switch.
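To make the tag handling concrete, here is an added example in Python (not NETGEAR 8800 code and not part of the manual) that walks one mirrored copy through the three roles above as a toy 802.1Q push/pop. The MAC addresses and payloads are constructed; the remote-tag of 1000 is the value the manual's own examples use.

```python
"""Remote mirroring tag handling, one mirrored copy at a time.

Added example, not NETGEAR 8800 code: a toy 802.1Q push/pop on constructed
frames that follows the source/intermediate/destination rules in the text.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
REMOTE_TAG = 1000            # the remote-tag used in the manual's examples


def build_ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                         vid: Optional[int] = None) -> bytes:
    """Ethernet II frame, optionally carrying one 802.1Q tag (PCP and DEI left at 0)."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def outer_vid(frame: bytes) -> Optional[int]:
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a new outermost tag right after the MAC addresses, tagged or not."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag; callers check with outer_vid() first."""
    return frame[:12] + frame[16:]


def source_switch(frame: bytes, remote_tag: int = REMOTE_TAG) -> bytes:
    """Monitor port on the source switch: every copy leaves with the remote-tag pushed on,
    whether or not the original frame already carried a tag."""
    return push_tag(frame, remote_tag)


def intermediate_switch(frame: bytes, remote_tag: int = REMOTE_TAG) -> bytes:
    """Tagged member port of the remote mirroring VLAN: forward copies in that VLAN unchanged.
    Learning is disabled on the VLAN, so a real switch floods the copy to the other tagged members."""
    if outer_vid(frame) != remote_tag:
        raise ValueError("frame is not in the remote mirroring VLAN")
    return frame


def destination_switch(frame: bytes, remote_tag: int = REMOTE_TAG) -> bytes:
    """Untagged member port facing the analyzer: strip the remote-tag and nothing else."""
    if outer_vid(frame) != remote_tag:
        raise ValueError("frame is not in the remote mirroring VLAN")
    return pop_tag(frame)


def remote_mirror(frame: bytes, remote_tag: int = REMOTE_TAG) -> bytes:
    """Follow one mirrored copy from the source monitor port to the analyzer port."""
    copy = source_switch(frame, remote_tag)
    copy = intermediate_switch(copy, remote_tag)
    return destination_switch(copy, remote_tag)


# Constructed sample frames (made-up locally administered MACs and a dummy IPv4 payload).
DST_MAC = bytes.fromhex("02000000000a")
SRC_MAC = bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build_ethernet_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_20 = build_ethernet_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, PAYLOAD, vid=20)

if __name__ == "__main__":
    in_transit = source_switch(TAGGED_20)
    print("in transit outer VID:", outer_vid(in_transit))                    # 1000
    print("in transit inner VID:", outer_vid(pop_tag(in_transit)))           # 20
    print("analyzer gets original:", remote_mirror(TAGGED_20) == TAGGED_20)  # True
```

The interesting case is the frame that was already tagged: between the source and the destination it travels double-tagged, outer VID 1000 and inner VID 20, so anything on the transit path that classifies on the outer tag sees only the mirroring VLAN, and the analyzer receives the original VLAN 20 tag intact. Because learning is disabled on the remote mirroring VLAN, a real intermediate switch floods every copy to all of that VLAN's tagged member ports, which is one reason the guidelines later in this section keep that VLAN reserved strictly for mirroring.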

Configuration Details
This section describes the configuration for the topology shown in Figure 2.

Configuration on Source Switch
The remote-tag keyword followed by the tag is added to the command that enables mirroring. For example, you can use the following command to establish ports 4:24 and 4:25 as monitor ports, from which every mirrored packet is transmitted with an additional VLAN tag carrying VLAN ID 1000:
enable mirroring to port-list 4:24,4:25 loopback-port 1 remote-tag 1000


The show mirroring output displays the remote tag when remote mirroring is configured.
In NETGEAR 8800 series switches, remote mirroring can also be enabled to a single port,
without the port-list and loopback-port keywords. For instance, to enable remote mirroring to
port 25, you can use the following command:
enable mirroring to port 25 remote-tag 1000

Configuration on Intermediate Switch
When you enable mirroring with remote-tag 1000, you need to reserve a VLAN with tag 1000
in all the intermediate switches for remote mirroring. The remote mirroring VLAN in the
intermediate switches is used for carrying the mirroring traffic to the destination switch. The
ports connecting the source and destination switches are added as tagged in the
intermediate switches.
You may add the remote-mirroring keyword when you configure the tag to differentiate a
normal VLAN from the remote mirroring VLAN.
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 1,2 tagged

Using the remote-mirroring keyword automatically disables learning and IGMP snooping on
the VLAN.
Another way to configure a remote mirroring VLAN is to create a normal VLAN and disable
learning on the VLAN. IGMP snooping must be disabled on that VLAN for you to remotely
mirror multicast packets through the switch.
You may use the following configuration for creating the remote mirroring VLAN:
create vlan remote_vlan
configure vlan remote_vlan tag 1000
disable learning vlan remote_vlan
disable igmp snooping remote_vlan

Configuration on Destination Switch
The configuration on the destination switch is same as that of the intermediate switches,
except that the port connected to the network analyzer is added as untagged whereas all the
other ports connected to the switches are added as tagged.
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 1 tagged
configure vlan remote_vlan add ports 2 untagged

For a remote mirroring VLAN, the configured tag displayed by the show vlan output is remote
tag instead of the normal tag.


Guidelines
The following are guidelines for remote mirroring:
• Remote mirroring configurations that might cause protocol packets to be remotely mirrored are not recommended. Because all packet types are mirrored when you configure remote mirroring, remotely mirrored protocol packets may have undesirable effects on the intermediate and destination switches, which receive the copies like any other frame on the remote mirroring VLAN.
• In the NETGEAR 8800 series switches, remote mirroring can be enabled only when the enhanced mode is enabled for mirroring.

Use of Remote Mirroring with Redundancy Protocols
You can use remote mirroring with one-to-many mirroring to provide a redundant path from
the source switch to the destination switch. Using Spanning Tree can provide remote
mirroring packets a redundant loop-free path through the network. You should perform the
configuration of Spanning Tree before adding mirroring filters on the source switch to prevent
looping.

Remote Mirroring with STP
In Figure 3, traffic from switch A is mirrored to two monitor ports, 8:2 and 1:48, each of which leads toward the destination switch. With the configuration shown in Figure 3, remote mirrored packets have a loop-free redundant path through the network because STP blocks one of the two paths and unblocks it if the other fails.

Figure 3. Remote Mirroring with STP

The configuration for the topology in Figure 3 is given in the following sections.

Switch A Configuration
configure mirroring mode enhanced
enable mirroring to port-list 8:2,1:48 loopback-port 8:1 remote-tag 1000
configure mirroring add port 8:35
create vlan v1
configure vlan v1 tag 1001
configure vlan v1 add ports 8:2,1:48 tag
create stp stp1


configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag 1001
configure stp1 add vlan internalMirrorLoopback ports 8:2,1:48
enable stp1
enable stpd

Switch B Configuration
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 19,9 tag
create vlan v1
configure vlan v1 tag 1001
configure vlan v1 add ports 19,9 tag
create stp stp1
configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag 1001
configure stp1 add vlan remote_vlan ports all
enable stp1
enable stpd

Switch C Configuration
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 31,45 tag
configure vlan remote_vlan add ports 1
create vlan v1
configure vlan v1 tag 1001
configure vlan v1 add ports 31,45 tag
create stp stp1
configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag 1001
configure stp1 add vlan remote_vlan ports 31,45
enable stp1
enable stpd


Software-Controlled Redundant Port and
Smart Redundancy
Using the software-controlled redundant port feature you can back up a specified Ethernet
port (primary) with a redundant, dedicated Ethernet port; both ports are on the same switch. If
the primary port fails, the switch will establish a link on the redundant port and the redundant
port becomes active. Only one side of the link must be configured as redundant because the
redundant port link is held in standby state on both sides of the link. This feature provides
very fast path or network redundancy.

Note: You cannot have any Layer 2 protocols configured on any of the
VLANs that are present on the ports.

Smart Redundancy controls how the switch fails back from the redundant port to the primary port. If the feature is enabled, which is the default, the switch reverts to the primary port as soon as the primary link recovers. If the feature is disabled, the switch keeps using the redundant port and returns to the primary port only if the redundant port fails.
A typical configuration of software-controlled redundant ports is a dual-homed
implementation (Figure 4). This example maintains connectivity only if the link between
switch A and switch B remains open; that link is outside the scope of the software-controlled
port redundancy on switch C.
[Figure 4. Dual-Homed Implementation for Switch C: switch C connects to switch A over the primary link and to switch B over the redundant link; switch A and switch B are linked to each other.]

In normal operation, the primary port is active and the software redundant switch (switch C in
Figure 4) blocks the redundant port for all traffic, thereby avoiding a loop in the network. If the
switch detects that the primary port is down, the switch unblocks the redundant port and
allows traffic to flow through that redundant port.

Note: The primary and redundant ports must have identical VLAN
membership.


You configure the software-controlled redundant port feature either to have the redundant link
always physically up but logically blocked or to have the link always physically down. The
default value is to have the link physically down, or Off.
Smart Redundancy is enabled by default. With Smart Redundancy enabled, the switch automatically fails over to the redundant port when the primary port fails and returns traffic to the primary port after connectivity is restored on that port. If you do not want the primary link restored automatically when it comes back up, disable Smart Redundancy. Note that with the default setting a flapping primary link causes repeated failover and failback, and each move depends on the neighboring switch relearning the path (see the FDB aging guideline below).
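The failover and failback rules described above, written out as a small state machine. This is an added example in Python, not NETGEAR 8800 software: the port names (1:1 primary, 1:2 redundant) and the event sequences are made up, and the model covers only link state, not the VLAN membership and load-sharing conditions listed in the guidelines that follow.

```python
"""Toy model of software-controlled redundant ports and Smart Redundancy.

Added example; not NETGEAR 8800 code. Port names and events are made up.
"""
from typing import List, Optional, Sequence, Tuple


class RedundantPortPair:
    """One primary/redundant pair. Exactly one port forwards; the other is blocked."""

    def __init__(self, primary: str, redundant: str, smart_redundancy: bool = True):
        self.primary = primary
        self.redundant = redundant
        self.smart = smart_redundancy            # True is the switch default
        self.link_up = {primary: True, redundant: True}
        self.active: Optional[str] = primary     # None means no usable link at all

    def set_link(self, port: str, up: bool) -> Optional[str]:
        """Apply a link-state change and return the port that now forwards traffic."""
        if port not in self.link_up:
            raise KeyError(f"{port} is not part of this redundant pair")
        self.link_up[port] = up
        self._evaluate()
        return self.active

    def _evaluate(self) -> None:
        p_up = self.link_up[self.primary]
        r_up = self.link_up[self.redundant]
        if self.active == self.primary:
            if not p_up:                          # primary failed: unblock the redundant port
                self.active = self.redundant if r_up else None
        elif self.active == self.redundant:
            if not r_up:                          # redundant failed: only the primary is left
                self.active = self.primary if p_up else None
            elif p_up and self.smart:             # Smart Redundancy: revert as soon as primary recovers
                self.active = self.primary
            # Smart Redundancy off: keep the redundant port until it fails
        else:                                     # nothing was forwarding; prefer the primary
            self.active = self.primary if p_up else (self.redundant if r_up else None)

    def blocked(self) -> List[str]:
        """Ports held blocked (or down) right now: everything that is not active."""
        return [p for p in (self.primary, self.redundant) if p != self.active]


def run(events: Sequence[Tuple[str, bool]], smart_redundancy: bool,
        primary: str = "1:1", redundant: str = "1:2") -> List[Optional[str]]:
    """Replay (port, up) events and record the forwarding port after each one."""
    pair = RedundantPortPair(primary, redundant, smart_redundancy)
    return [pair.set_link(port, up) for port, up in events]


# Scenario: the primary link drops, comes back, and then the redundant link drops.
SCENARIO = [("1:1", False), ("1:1", True), ("1:2", False)]

if __name__ == "__main__":
    print("smart on :", run(SCENARIO, smart_redundancy=True))   # ['1:2', '1:1', '1:1']
    print("smart off:", run(SCENARIO, smart_redundancy=False))  # ['1:2', '1:2', '1:1']
```

The two runs differ only at the second event: with Smart Redundancy on, the primary coming back is enough to move traffic, while with it off the switch waits for the redundant port to fail. The model also covers the case the text leaves implicit, both links down, where nothing forwards until one of them returns.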

Guidelines for Software-Controlled Redundant Ports and Port Groups
Software-controlled redundant ports and port groups have the following limitations:
• You cannot have any Layer 2 protocols configured on any of the VLANs that are present on the ports. (You will see an error message if you attempt to configure software redundant ports on ports with VLANs running Layer 2 protocols.)
• The primary and redundant ports must have identical VLAN membership.
• The master port is the only port of a load-sharing group that can be configured as either a primary or redundant port. Also, all ports in the load-sharing group must fail before the software-controlled redundancy is triggered.
• You must disable the software redundancy on the master port before enabling or disabling load sharing.
• You can configure only one redundant port for each primary port.
• Recovery may be limited by FDB aging on the neighboring switch for unidirectional traffic. For bidirectional traffic, the recovery is immediate.

Configuring Software-Controlled Redundant Ports
When provisioning software-controlled redundant ports, configure only one side of the link as
redundant. In Figure 4 only the ports on switch C would be configured as redundant.

Note: To enable the software-controlled redundant port feature, the
primary and redundant ports must have identical VLAN
membership.

To configure a software-controlled redundant port, use the following command:
configure ports <primary_port> redundant <redundant_port> {link [on | off]}

The first port specified is the primary port. The second port specified is the redundant port.
To unconfigure a software-controlled redundant port, use the following command and enter the primary port(s):
unconfigure ports <primary_port> redundant


To enable the Smart Redundancy feature, use the following command:
enable smartredundancy <port_list>

To disable the Smart Redundancy feature, use the following command:
disable smartredundancy <port_list>

Verifying Software-Controlled Redundant Port Configurations
You can verify the software-controlled redundant port configuration by issuing a variety of CLI
commands.
To display the redundant ports as well as which are active or members of load-sharing
groups, use the following command:
show ports redundant

To display information on which ports are primary and redundant software-controlled
redundancy ports, use the following command:
show ports {mgmt | <port_list>} information {detail}

See Displaying Port Information for more information on the show ports information
command.

Displaying Port Information
You display summary port configuration information using the show ports {mgmt | <port_list>} configuration {no-refresh} and show ports {mgmt | <port_list>} information {detail} commands.
The show ports configuration command shows you either summary configuration information on all the ports, or more detailed configuration information on specific ports. If you specify the no-refresh parameter, the system displays a snapshot of the data at the time you issue the command.
The show ports information command shows you either summary information on all the ports, or more detailed information on specific ports. The output from the command differs slightly depending on the platform you are using.
You can display real-time port utilization information by issuing the following command:
show ports {mgmt | <port_list> | stack-ports <port_list>} utilization {bandwidth | bytes | packets}

When you use a parameter (packets, bytes, or bandwidth) with the above command, the display for the specified type shows a per-port snapshot taken at the time you issued the command.
Digital Diagnostic Monitoring Interface (DDMI) provides critical information about the installed
optic module and is supported on all NETGEAR 8800 blades that use 10G XFP optic
modules. To display basic or detailed system information about XFP optic modules, use the
following commands:


show port <port_list> transceiver information
or
show port <port_list> transceiver information detail


Chapter 6. LLDP

This chapter includes the following sections:
• Overview on page 150
• LLDP Packets on page 152
• Transmitting LLDP Messages on page 153
• Receiving LLDP Messages on page 154
• Managing LLDP on page 155
• Supported TLVs on page 156
• Configuring LLDP on page 164
• Displaying LLDP Settings on page 170

Overview
The software supports the Link Layer Discovery Protocol (LLDP). LLDP is a Layer 2 protocol (IEEE 802.1AB) that is used to determine the capabilities of devices such as repeaters, bridges, access points, routers, and wireless stations. LLDP support enables devices to advertise their capabilities and media-specific configuration information and to learn the same information from the devices connected to them.
The information is represented in Type Length Value (TLV) format for each data item. The 802.1AB specification provides detailed TLV information. The TLV information is contained and transmitted in an LLDP protocol data unit (LLDPDU). Certain TLVs are mandatory and are always sent after LLDP is enabled; other TLVs are optionally configured. LLDP defines a set of common advertisement messages, a protocol for transmitting the advertisements, and a method for storing the information contained in received advertisements. The switch can receive and record certain TLVs but not transmit them; these are TLVs originating from the power over Ethernet (PoE) powered device (PD) connected to a port and certain inventory management TLVs.
LLDP provides a standard method of discovering and representing the physical network connections of a given network management domain, and it does so independently of any other protocol. The LLDP neighbor discovery protocol allows you to discover and maintain accurate network topologies in a multivendor environment.


The information distributed using LLDP is stored by its recipients in a standard Management
Information Base (MIB), making it possible for the information to be accessed by a Network
Management System (NMS) using a management protocol such as the Simple Network
Management Protocol (SNMP).
LLDP transmits periodic advertisements containing device information and media-specific configuration information to neighbors attached to the same network. LLDP agents cannot solicit information from other agents by way of this protocol. The switch can transmit and receive LLDP media endpoint discovery (MED) TLVs. Once enabled, LLDP MED TLVs are transmitted on a port only after the switch detects a neighbor on that port sending LLDP MED TLVs. For this reason, two connected switches never exchange LLDP MED TLVs.

Note: Network connectivity devices wait to detect LLDP MED TLVs from
endpoints before they send out LLDP MED TLVs; so 2 network
connectivity devices will not exchange LLDP MED messages.

The TLV format with link layer control frames is used to communicate with other LLDP
agents. LLDP agents also receive link layer control frames, extract the information from
TLVs, and store them in LLDP MIB objects.
If the information values from the device change at any time, the LLDP agent is notified. The
agent then sends an update with the new values, which is referred to as a triggered update. If
the information for multiple elements changes in a short period, the changes are bundled
together and sent as a single update to reduce network load.
You configure LLDP per port, and each port can store received information for a maximum of
four neighbors.

Note: LLDP runs with link aggregation.

The device also supports the following types of LLDP TLVs:
• Avaya-NETGEAR Networks proprietary TLVs
• LLDP media endpoint discovery (MED) TLVs

The software supports several TLVs that are proprietary to Avaya and NETGEAR (Avaya-NETGEAR TLVs). These TLVs primarily advertise and receive information for Avaya voice over IP (VoIP) telephones. Some of these TLVs concern only the PD; the switch receives these TLVs from the PD but does not transmit them. (See Table 19 for a listing of the proprietary TLVs that are only received by the switch.) These proprietary TLVs are transmitted and received as soon as you enable LLDP and configure the specified TLVs.
LLDP MED TLVs are sent only after the device detects a neighbor transmitting LLDP MED
TLVs; and the LLDP MED TLVs must be configured and enabled prior to the detection. You
must enable the LLDP-MED capabilities TLV before configuring and enabling any other LLDP


MED TLVs. Likewise, when disabling the LLDP MED TLVs, you must disable the LLDP-MED
capabilities TLVs only after you have disabled all other LLDP MED TLVs.
The LLDP MED protocol extension introduces a feature called MED fast start, which is automatically enabled when the LLDP MED capabilities TLV is enabled. When a new MED-capable device is detected, the detecting switch sends out an LLDPDU every second for a configured number of times (the repeat count). By default, the switch sends the LLDPDU once per second 3 times; you can set the repeat count to any value from 1 to 10. Once the repeat count is reached, the configured transmit interval is used between LLDPDUs. Use the following command to configure the repeat count:
configure lldp med fast-start repeat-count <count>

Note: The fast-start feature is automatically enabled, at the default level of
3, when you enable the LLDP MED capabilities TLV on the port.

You must enable SNMP traps separately for the LLDP MED traps; they are disabled by
default. To enable the LLDP MED SNMP traps, issue the following command:
enable snmp traps lldp-med {ports [all | <port_list>]}

In addition, the switch can receive, but not transmit, the LLDP MED inventory management
TLVs. (See Table 19 for a listing of these inventory management TLVs.)

LLDP Packets
You can configure the device to transmit messages, to receive messages, or both.
LLDP is enabled and configured per port.
Multiple advertisements messages (or TLVs) are transmitted in one LAN packet, the LLDPDU
(Figure 5). The LLDP packet contains the destination multicast address, the source MAC
address, the LLDP EtherType, the LLDPDU data, and a frame check sequence (FCS). The
LLDP multicast address is defined as 01:80:C2:00:00:0E, and the EtherType is defined as
0x88CC.
Figure 5. LLDP Packet Format

Field:  DA (LLDP multicast address) | SA (source MAC address) | Ethertype (88-CC) | Data + Pad (LLDPDU) | FCS
Octets: 6                           | 6                       | 2                 | 1500                | 4

The following characteristics apply to LLDP packets:
• They are IEEE 802.3 Ethernet frames.
• The frames are sent as untagged frames.
• The frames are sent with a link-local-assigned multicast address as the destination address. Because 01:80:C2:00:00:0E lies in the reserved range that IEEE 802.1D bridges never forward, LLDP is single-hop: an advertisement is seen only by the device at the far end of the link.
• The Spanning Tree Protocol (STP) state of the port does not affect the transmission of LLDP frames.

The length of the packet cannot exceed 1500 bytes. As you add TLVs, you increase the
length of the LLDP frame. When you reach 1500 bytes, the remaining TLVs are dropped.
NETGEAR recommends that you advertise information regarding only one or two VLANs on
the LLDP port, to avoid dropped TLVs.
If the system drops TLVs because the length limit is exceeded, the system logs a message to the EMS and the show lldp statistics command shows this information under the Tx Length Exceeded field.

Note: The LLDPDU has a maximum of 1500 bytes, even with jumbo
frames enabled. TLVs that exceed this limit are dropped.

Transmitting LLDP Messages
In transmit mode, the NETGEAR switch periodically sends out an untagged LLDPDU frame
that contains the mandatory LLDP TLVs as well as the configured optional TLVs. The LLDP
agent running on the NETGEAR switch passes serially through the list of ports that are
enabled for LLDP and periodically transmits an LLDP frame containing the mandatory TLVs
and any configured optional TLVs. The mandatory TLVs and the system description TLV are
automatically transmitted after you enable LLDP.
The following information, when configured, can be sent at regular intervals:
• Chassis ID (mandatory)
• Port ID (mandatory)
• Time-to-live (mandatory)
• Port description
• System name
• System description (sent by default)
• System capabilities
• Management address
• 802.1-specific information:
  • VLAN name
  • Port VLAN ID
  • Port and protocol VLAN ID
• 802.3-specific information:
  • MAC/PHY
  • Power via MDI
  • Link aggregation
  • Maximum frame size
• Avaya-NETGEAR Networks proprietary information:
  • Power conservation request
  • Call server
  • File server
  • 802.1Q framing information
• MED extensions (once enabled, these are sent only when the switch detects a neighbor on the port that transmits at least one MED TLV):
  • MED capabilities
  • Network policy
  • Location ID
  • Extended information on Power via MDI

This information is obtained from memory objects such as standard MIBs or from system management information.

Receiving LLDP Messages
The LLDP agent running on a NETGEAR switch receives LLDPDUs, parses the messages, and stores the information in a remote device database. Unrecognized TLVs are also stored in the remote device database, in order of TLV type. The information is purged after the configured timeout interval unless it is refreshed by the remote LLDP agent.
You access the messages from the neighbors with SNMP or the CLI. To access this information with the CLI, use the show lldp neighbors detailed command. (You must use the detailed keyword to display this information.)
Each port can store LLDP information from a maximum of four neighbors.
The software receives several TLVs that it does not transmit, as follows:
• Avaya-NETGEAR proprietary information:
  • PD conservation level support (includes the PD's current conservation level, typical power value, and maximum power value, as well as the power conservation levels available to that PD)
  • Endpoint IP address (including the mask and gateway addresses)
• Inventory management LLDP MED TLVs:
  • Hardware revision
  • Firmware revision
  • Software revision
  • Serial number
  • Manufacturer name
  • Model name
  • Asset ID

Managing LLDP
LLDP is disabled by default. LLDP information is transmitted periodically and stored for a
finite period. You access the information using SNMP. A port configured to receive LLDP
messages can store information for up to four neighbors.
You manage LLDP using the CLI and SNMP. (See NETGEAR 8800 Chassis Switch CLI
Manual for complete information on configuring, managing, and displaying LLDP.)
The LLDP MED TLVs begin transmission only after detecting LLDP MED TLVs transmitted by
a neighbor. After you enable LLDP, you can set a variety of time periods for the transmission
and storage of the LLDP messages (or you can use the default values), as follows:
• Reinitialization period (default is 2 seconds)
• Delay between LLDP transmissions (default is 2 seconds); applies to triggered updates, that is, updates initiated by a change in the topology
• Transmit interval (default is 30 seconds); applies to messages sent periodically as part of the protocol
• Time-to-live (TTL) value (default is 2 minutes); the time that the information remains in the recipient's LLDP database

Note: Once the LLDP MED TLVs begin transmitting (after detecting LLDP
MED TLVs from a connected endpoint), those TLVs are also
controlled by these timers.

Each time a device receives an LLDP advertisement packet, the device stores the
information and initializes a timer that is compared to the TTL value of the packet. If the timer
reaches the TTL value, the LLDP agent deletes the stored information. This action ensures
that only valid information is stored in the LLDP agent.
After you enable LLDP, you can enable the LLDP-specific SNMP traps; the traps are disabled by default. After you enable the LLDP-specific traps, the system sends all LLDP traps to the configured trap receivers. You configure the period between SNMP notifications; the default interval is 5 seconds. LLDP configurations are saved across reboots when you issue the save configuration command.
The system logs EMS messages regarding LLDP, including when optional TLVs exceeding
the 1500-byte limit are dropped and more than 4 neighbors are detected on a port.
When both IEEE 802.1x and LLDP are enabled on the same port, LLDP packets are not sent
until one or more clients authenticate a port. Also, incoming LLDP packets are only accepted
if one or more clients are authenticated.


You can configure an optional TLV to advertise or not to advertise the device's management address information to the port's neighbors. On the XCM8800, when this TLV is enabled, it sends out the IPv4 address configured on the management VLAN. If you have not configured an IPv4 address on the management VLAN, the software advertises the system's MAC address instead. LLDP does not send out IPv6 addresses in this field. Because this TLV tells whatever is plugged into the port where the management plane can be reached, advertise it only on ports that face trusted devices.

Supported TLVs
The TLVs are contained in the LLDPDU portion of the LLDP packet, and the LLDPDU cannot exceed 1500 bytes. Some TLVs are mandatory according to the 802.1AB standard, and the rest are optional. The mandatory TLVs and the system description TLV are included by default as soon as you enable LLDP; the system description TLV is enabled by default in the XCM8800 LLDP implementation. Additionally, some TLVs can be repeated within one LLDPDU.

Note: To avoid exceeding the 1500-byte limit, NETGEAR recommends
sending information on only one or two VLANs on the LLDP port.
Any TLVs that exceed the limit are dropped.

The following TLVs are enabled by default when LLDP transmit is enabled on a port:
• Chassis ID
• Port ID
• Time to live
• System description
• End-of-LLDP PDU

All of these TLVs that are sent by default are mandatory for the protocol and cannot be
disabled, except the system description. You can configure the system not to advertise the
system description when LLDP is enabled; the other four TLVs cannot be configured not to
advertise. Table 18 lists all the defined TLVs, if they are included by default after you enable
LLDP, if they can be configured, if they are mandatory or optional, and if you can repeat that
TLV in one LLDP packet.


Note: See NETGEAR 8800 Chassis Switch CLI Manual for complete
information on configuring LLDP using the CLI.

Table 18. Available TLVs for Transmission

Name | Included by default | User configurable | Repeatable | Comments
Chassis ID | X | | | Mandatory TLV
Port ID | X | | | Mandatory TLV
Time to live (TTL) | X | | | Mandatory TLV
Port description | | X | |
System name | | X | |
System description | X | X | |
System capabilities | | X | |
Management address | | X | X | XCM8800 sends only 1 TLV
VLAN name | | X | X |
Port VLAN ID | | X | |
Port and protocol VLAN ID | | X | X |
Protocol identity | | | X | Not supported
MAC/PHY configuration/status | | X | |
Power via MDI | | X | |
Link aggregation | | X | |
Maximum frame size | | X | |
LLDP MED capabilities | | X | | Must be enabled before any other MED TLV, and must be disabled after all other MED TLVs. MED TLVs transmit only after detecting a neighbor transmitting MED TLVs.
Network policy | | X | X | Content cannot be configured by SNMP. MED TLVs transmit only after detecting a neighbor transmitting MED TLVs.
Location ID | | X | | MED TLVs transmit only after detecting a neighbor transmitting MED TLVs.
Extended power via MDI | | X | | Can be enabled only on a PoE-capable port. MED TLVs transmit only after detecting a neighbor transmitting MED TLVs.
End-of-LLDP PDU | X | | | Mandatory TLV


Table 19 lists the TLVs that the switch can receive, but not transmit. To receive any of these
TLVs, the port must be enabled for LLDP. After you enable LLDP receiving on the switch, all
TLVs are received (even if the LLDP MED capabilities TLV is not enabled). To display these
received messages, use the show lldp neighbor detailed CLI command.
Table 19. Available TLVs for Reception

Name | Type
Hardware revision | MED
Firmware revision | MED
Software revision | MED
Serial number | MED
Manufacturer name | MED
Model name | MED
Asset ID | MED

Mandatory TLVs
This section describes the following mandatory TLVs, which are automatically enabled after you enable LLDP on a port:
• Chassis ID TLV on page 159
• Port ID TLV on page 159
• TTL TLV on page 159
• End-of-LLDPDU TLV on page 159

Chassis ID TLV
This mandatory TLV is sent by default after you enable LLDP on the port. It is not
configurable.
XCM8800 software uses the system’s MAC address to uniquely identify the device.

Port ID TLV
This mandatory TLV is sent by default after you enable LLDP on the port; you cannot
configure this TLV. The port ID TLV is used to uniquely identify the port within the device.
The software uses the ifName object for this TLV, so it is the port number on stand-alone
switches and the combination of slot and port number on modular switches.

TTL TLV
The TTL TLV is mandatory, sent by default after LLDP is enabled, and nonconfigurable. This TLV indicates how long the record should be maintained in the recipient's LLDP database. The default value is 120 seconds (2 minutes).
A value of 0 in the TTL TLV means the sender is shutting down and that record should be deleted from the database immediately. When you disable an LLDP port, the triggered update LLDPDU from that port contains a TTL TLV of 0.
Although, technically, you do not configure the TTL TLV, you can configure the transmit hold value, which together with the transmit interval is used to calculate the TTL. (See Configuring LLDP Timers on page 165 for more information on the transmit hold value and TTL.)

End-of-LLDPDU TLV
The end-of-LLDPDU TLV marks the end of the data. The system automatically adds this TLV
to the LLDPDU after you enable LLDP.

Optional TLVs
All the optional TLVs are configurable using the CLI and/or SNMP.
This section describes the optional TLVs, under the following categories:
• Standards-based TLVs on page 160
• LLDP MED TLVs on page 163


Standards-based TLVs
Note: The system description TLV is automatically enabled after you
enable LLDP and is always sent as part of the LLDPDU. Although
this TLV is not mandatory according to the standard, XCM8800
software includes this TLV in all LLDPDUs by default; you can
configure the system not to advertise this TLV.

This section describes the following optional standards-based TLVs:
• Port description TLV on page 160
• System name TLV on page 160
• System description TLV on page 160
• System capabilities TLV on page 161
• Management address TLV on page 161
• VLAN name TLV on page 161
• Port VLAN ID TLV on page 161
• Port and protocol VLAN ID TLV on page 162
• MAC/PHY configuration/status TLV on page 162
• Power via MDI TLV on page 162
• Link aggregation TLV on page 162
• Maximum frame size TLV on page 163


Port description TLV
You configure this TLV to be advertised or not advertised. The port description TLV contains
the ifDescr object, which is the ASCII string you entered using the configure ports
display-string command. If you have not configured this parameter, the TLV carries an
empty string.
System name TLV
You configure this TLV to be advertised or not advertised. The system name TLV contains the
device’s configured system name, if previously configured using SNMP. This is the sysName
as defined in RFC 3418, which you define using the configure snmp sysname command.
System description TLV
This is the only TLV that is enabled by default but not mandatory according to the standard.
The XCM8800 implementation sends this TLV, by default, whenever you enable LLDP on a
port. You can disable sending this TLV after you enable LLDP; but, by default, the system
sends this TLV.
When enabled, the system sends the image information (from the show version command) in
the system description TLV, for example:
XCM8800 version 11.2.0.12 v1120b12 by release-manager
on Fri Mar 18 16:01:08 PST 2005

System capabilities TLV
You configure this TLV to be advertised or not advertised. The system capabilities TLV
indicates the device’s capabilities and which of these are enabled.
The XCM8800 software can advertise bridge and router capabilities. When configured to
advertise the system capabilities, the device always advertises bridging capability. Once at
least one VLAN on the device has IP forwarding enabled, the system additionally advertises
router capability.
Management address TLV
You configure this TLV to be advertised or not advertised. The management address TLV
supplies the management entity for the device.
XCM8800 advertises only one management address TLV, carrying the IP address of the
management VLAN. If the management VLAN does not have an assigned IP address, the
management address TLV advertises the system’s MAC address. LLDP does not recognize
IPv6 addresses in this field. Note that advertising this TLV tells every neighbor where the
switch’s management plane is reachable, so weigh that before enabling it on ports facing
devices you do not control.
VLAN name TLV
You configure this TLV to be advertised or not advertised. This TLV can be repeated several
times within one LLDPDU.
The XCM8800 software allows you to advertise VLAN name information to neighboring
devices. This TLV associates a VLAN name with the IEEE 802.1Q tag assigned to that VLAN.
You can enable this TLV for tagged and untagged VLANs. When you enable this TLV for
tagged VLANs, the TLV advertises the IEEE 802.1Q tag for that VLAN. (For untagged
VLANs, the internal tag is advertised.) You can specify exactly which VLANs to advertise.
By default, after you configure this TLV, the system sends all VLAN names on the port.
However, each VLAN name TLV consumes space in the LLDPDU (the name field alone can
be up to 32 bytes) and the LLDPDU cannot exceed 1500 bytes, so you should configure the
port to advertise only specific VLANs.
Port VLAN ID TLV
You configure this TLV to be advertised or not advertised. The port VLAN ID advertises the
untagged VLAN on that port. Thus, only one port VLAN ID TLV can exist in the LLDPDU.
If you configure this TLV and there is no untagged VLAN on the particular port, this TLV is not
included in the LLDPDU.


Port and protocol VLAN ID TLV
You configure this TLV to be advertised or not advertised. This TLV can be repeated several
times within one LLDPDU.
When configured, this TLV allows the port to advertise VLANs and whether the port supports
protocol-based VLANs. If no protocol-based VLANs are configured on the port, the TLV
still advertises the port’s capability and sets the VLAN ID value to 0.
Because NETGEAR devices are always capable of supporting protocol-based VLANs, after
you configure this TLV, the system always advertises support for this type of VLAN.
By default, after you configure this TLV, the system sends information for all VLANs on the
port. However, each VLAN TLV consumes space and the LLDPDU cannot exceed 1500 bytes,
so you should configure the port to advertise only specified VLANs.
MAC/PHY configuration/status TLV
You configure this TLV to be advertised or not advertised. After configured, this TLV
advertises autonegotiation and physical layer capabilities of the port. The system adds
information about the speed rate, duplex setting, bit rate, physical interface, and
autonegotiation support and status.
Power via MDI TLV
You configure this TLV to be advertised or not advertised. When enabled, this TLV is included
in the LLDPDU only for those ports that support supplying power over Ethernet (PoE).
This TLV allows network management to advertise and discover the power-via-MDI
capabilities of the sending 802.3 LAN station. The device type field contains a binary value
that indicates whether the device transmitting the LLDPDU is a power sourcing entity (PSE)
or a powered device (PD), as listed in Table 20.
Table 20. Power Management TLV Device Information

Value   Power source
0       PSE device
1       PD device
2-3     Reserved

Additional PoE information is advertised as well, including the power status, power class, and
pin pairs used to supply power.
Link aggregation TLV
You configure this TLV to be advertised or not advertised. When enabled, this TLV advertises
information on the port’s load-sharing (link aggregation) capabilities and status.


Maximum frame size TLV
You configure this TLV to be advertised or not advertised. This TLV allows the port to
advertise its maximum supported frame size to its neighbors.
When jumbo frames are not enabled on the specified port, the TLV reports a value of 1518
after you configure it to advertise. If jumbo frames are enabled, the TLV inserts the configured
value for the jumbo frames.

LLDP MED TLVs
This section describes the optional LLDP media endpoint discovery (MED) TLVs that you can
configure the switch to transmit.

Note: You must configure the LLDP MED capabilities TLV before any of
the other MED TLVs can be enabled. Also, you can set this TLV to
no-advertise only after all other MED TLVs are set to no-advertise.

The switch sends MED TLVs only after it detects a MED-capable device on the port; it does
not start sending them as soon as they are enabled.
Network connectivity devices wait for LLDP MED TLVs from endpoints before they send out
LLDP MED TLVs, so two network connectivity devices will not exchange LLDP MED
messages.
The following LLDP MED extension TLVs can be transmitted by the switch:
• LLDP MED capabilities TLV on page 163
• Network policy TLV on page 164
• Location identification TLV on page 164
• Extended power-via-MDI TLV on page 164

Note: You display the values for these TLVs using the show lldp
neighbors detailed command.

LLDP MED capabilities TLV
This TLV allows LLDP MED network connectivity devices to determine that specified
endpoints support LLDP MED, and if so, to discover which LLDP MED TLVs the particular
endpoint device supports and what device class it belongs to.
This TLV must be enabled before any of the other LLDP MED TLVs can be enabled.


Network policy TLV
You configure this MED TLV to allow both network connectivity devices and endpoint devices
to advertise VLAN configuration and associated Layer 2 and Layer 3 attributes that apply for
a specific set of applications on that port.
You configure this TLV per port/VLAN. Each application can exist only once on each port. You
can configure a maximum of 8 TLVs, each with its own DSCP value and/or priority tag. This
TLV tells the endpoint the specific VLAN to use for the specific application.
Location identification TLV
You configure this TLV to advertise or not advertise a maximum of three different location
identifiers, each with a different format, as follows:
• Coordinate based, using a 16-byte hexadecimal string
• Civic-based, using a hexadecimal string with a minimum of 6 bytes
• ECS ELIN, using a numerical string with a range of 10 to 25 characters

Extended power-via-MDI TLV
Use this TLV to advertise fine-grained power requirement details, including the power status
of the PD and the port. You can enable this TLV only on PoE-capable ports; the switch
returns an error message if you attempt to transmit this LLDP TLV over a non-PoE-capable
port.

Configuring LLDP
You configure LLDP per port. To configure LLDP:
1. Enable LLDP on the desired port(s).
2. If desired, configure the system not to advertise the system description TLV.
3. If you want to change any default values, configure the following values:
a. Reinitialize period
b. Transmit interval
c. Transmit delay
d. Transmit hold
4. Enable the SNMP traps and configure the notification interval.
5. Configure any optional TLV advertisements that you want included in the LLDPDU.
6. If you want to send or receive MED extension TLVs, configure the LLDP MED capabilities
TLV.
7. If you want to change the default value of 3 for the fast-start feature for LLDP MED,
configure the LLDP MED fast-start TLVs.
8. If you want SNMP traps for the LLDP MED extension TLVs, enable these traps.


This section describes how to configure LLDP using the CLI. See the NETGEAR 8800
Chassis Switch CLI Manual for complete information on configuring LLDP. You can also
reference the IEEE 802.1AB standard.

Enabling and Disabling LLDP
LLDP is disabled on all ports by default. When you enable LLDP on the ports, you select
whether the ports will only transmit LLDP messages, only receive the messages, or both
transmit and receive LLDP messages. On ports that face devices you do not control,
receive-only lets the switch learn about its neighbors without advertising its own identity,
software version, or VLAN layout.
To enable LLDP, use the following command:
enable lldp ports [all | <port_list>] {receive-only | transmit-only}

After you enable LLDP, the following TLVs are automatically added to the LLDPDU:
• Chassis ID
• Port ID
• TTL
• System description
• End of LLDPDU

All of these, except the system description, are mandated by the IEEE 802.1AB standard.
Similarly, none of these, except the system description, can be configured to advertise or not
to advertise.
To disable LLDP, use the following command:
disable lldp ports [all | <port_list>] {receive-only | transmit-only}

Configuring the System Description TLV Advertisement
If you have not configured the system description using SNMP sysName before enabling
LLDP, the system sends the following information in the system description TLV:
XCM8800 version 11.2.0.12 v1120b12 by release-manager
on Fri Mar 18 16:01:08 PST 2005

Because this TLV reveals the exact software image and build running on the switch to every
LLDP neighbor, consider disabling it on ports that face untrusted devices. To disable the
default advertisement of the system description, use the following command:
configure lldp ports [all | <port_list>] no-advertise system-description

Configuring LLDP Timers
After you enable LLDP, the timer values assume the default values. However, if you want to
change any of these default values, use the CLI to configure the relevant timer.


Note: The LLDP timers apply to the entire device and are not configurable
per port.

When LLDP is disabled or the link goes down, LLDP is reinitialized. The reinitialize delay is
the number of seconds the port waits before restarting the LLDP state machine; the default is
2 seconds. To change the default reinitialize delay period, use the following command:
configure lldp reinitialize-delay <seconds>

LLDP messages are transmitted at a set interval; the default is every 30 seconds. To change
this default value, use the following command:
configure lldp transmit-interval <seconds>

The minimum time between triggered update LLDP messages is the transmit delay; the
default value is 2 seconds. You can set the transmit delay to a specified number of seconds
or have it calculated automatically as the transmit interval multiplied by 0.25. To change the
transmit delay, use the following command:
configure lldp transmit-delay [auto | <seconds>]

Each LLDP message carries a TTL value. The receiving LLDP agent discards a neighbor’s
record once its TTL expires without a refresh; the default TTL is 120 seconds.
The TTL is calculated by multiplying the transmit interval by the transmit hold value; the
default transmit hold value is 4 (30 seconds x 4 = 120 seconds). To change the default
transmit hold value, use the following command:
configure lldp transmit-hold <hold>

Configuring SNMP for LLDP
You can send SNMP traps regarding LLDP; the software supports the LLDP MIB. By default,
SNMP LLDP traps are disabled on all ports; to enable LLDP SNMP traps, use the following
command:
enable snmp traps lldp {ports [all | <port_list>]}

The traps are sent only for those ports that are both enabled for LLDP and have LLDP traps
enabled.
To disable the LLDP SNMP traps, use the following command:
disable snmp traps lldp {ports [all | <port_list>]}

The default interval between SNMP LLDP trap notifications is 5 seconds. To change this
interval for the entire switch, use the following command:
configure lldp snmp-notification-interval <seconds>


Note: If you want to send traps for LLDP MED, you must configure them
separately. Use the enable snmp traps lldp-med {ports
[all | <port_list>]} command to enable these traps.

Configuring Optional TLV Advertisements
By default, none of the optional TLVs are added to the LLDPDU (that is, none are advertised).
You can add optional TLVs to the LLDPDU, but be aware that the total LLDPDU cannot
exceed 1500 bytes, including the mandatory TLVs. Any optional TLVs that would exceed the
1500-byte limit are dropped. You can see whether TLVs have been dropped from your
LLDPDU by checking the EMS log or by issuing the show lldp statistics command.

Note: NETGEAR recommends that you advertise only one or two VLANs
on specified ports to avoid dropping TLVs from the LLDPDU.
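The TLV layout described under Mandatory TLVs, the TTL = transmit interval x transmit hold rule from Configuring LLDP Timers, and the 1500-byte LLDPDU limit above, worked through in code. This is an added example in Python, not code from the manual or from NETGEAR. It encodes and decodes the IEEE 802.1AB TLV format directly (7-bit type, 9-bit length, value; Chassis ID subtype 4 = MAC address, Port ID subtype 5 = interface name). The MAC address, port name, system description string and VLAN names are constructed sample values, and the rule of dropping any optional TLV that would push the LLDPDU past 1500 bytes is my rendering of the behaviour the manual describes.

```python
"""LLDPDU encoder/decoder for the TLVs in this chapter. Added example, not code from
the NETGEAR manual or the switch firmware. Sample MAC, port name, description and
VLAN names are constructed."""
import struct
from typing import Dict, List, Optional, Sequence, Tuple

MAX_LLDPDU = 1500                          # manual: TLVs beyond this limit are dropped
# TLV type codes from IEEE 802.1AB
END_LLDPDU, CHASSIS_ID, PORT_ID, TTL, SYS_DESC = 0, 1, 2, 3, 6
ORG_SPECIFIC = 127
IEEE_8021_OUI = bytes.fromhex("0080c2")    # "dot1" organizationally specific TLVs
DOT1_VLAN_NAME = 3                         # subtype of the VLAN Name TLV
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Pack one TLV: 16-bit header (7-bit type, 9-bit length) followed by the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def ttl_seconds(transmit_interval: int = 30, transmit_hold: int = 4) -> int:
    """TTL the switch advertises: transmit interval x transmit hold (defaults give 120 s)."""
    return min(transmit_interval * transmit_hold, 0xFFFF)


def vlan_name_tlv(vlan_id: int, name: str) -> bytes:
    """dot1 VLAN Name TLV: OUI, subtype, 802.1Q VID, name length, name (1..32 octets)."""
    raw = name.encode()
    if not 1 <= len(raw) <= 32:
        raise ValueError("VLAN name must be 1..32 octets")
    body = IEEE_8021_OUI + bytes([DOT1_VLAN_NAME]) + struct.pack("!HB", vlan_id, len(raw)) + raw
    return tlv(ORG_SPECIFIC, body)


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int,
                 sys_desc: Optional[str] = None,
                 optional: Sequence[bytes] = ()) -> Tuple[bytes, int]:
    """Mandatory TLVs in standard order, optional TLVs while they fit, then End-of-LLDPDU.
    Returns (lldpdu, number of optional TLVs dropped for exceeding 1500 bytes)."""
    pdu = tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())  # ifName, e.g. "1:1"
    pdu += tlv(TTL, struct.pack("!H", ttl))                                  # 0 = shutdown LLDPDU
    if sys_desc is not None:                                                 # on by default on the 8800
        pdu += tlv(SYS_DESC, sys_desc.encode())
    end = tlv(END_LLDPDU, b"")
    dropped = 0
    for opt in optional:
        if len(pdu) + len(opt) + len(end) > MAX_LLDPDU:
            dropped += 1            # the switch logs this and counts it in show lldp statistics
            continue
        pdu += opt
    return pdu + end, dropped


def parse_lldpdu(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV chain up to and including End-of-LLDPDU; reject truncated frames."""
    out, off = [], 0
    while off + 2 <= len(pdu):
        hdr = struct.unpack_from("!H", pdu, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = pdu[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        out.append((tlv_type, value))
        off += 2 + length
        if tlv_type == END_LLDPDU:
            return out
    raise ValueError("missing End-of-LLDPDU TLV")


def summarize(pdu: bytes) -> Dict[str, object]:
    """The fields an operator (or anyone sniffing the segment) reads from a captured LLDPDU."""
    info: Dict[str, object] = {}
    for tlv_type, value in parse_lldpdu(pdu):
        if tlv_type == CHASSIS_ID and value[:1] == bytes([CHASSIS_SUBTYPE_MAC]):
            info["chassis_mac"] = value[1:].hex(":")
        elif tlv_type == PORT_ID and value[:1] == bytes([PORT_SUBTYPE_IFNAME]):
            info["port"] = value[1:].decode()
        elif tlv_type == TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == SYS_DESC:
            info["sys_desc"] = value.decode()
        elif tlv_type == ORG_SPECIFIC and value[:4] == IEEE_8021_OUI + bytes([DOT1_VLAN_NAME]):
            vid, length = struct.unpack_from("!HB", value, 4)
            info.setdefault("vlans", {})[vid] = value[7:7 + length].decode()
    return info


# Constructed sample: a switch advertising on port 1:1 with the default timers.
SAMPLE_MAC = bytes.fromhex("0004961a2b3c")
SAMPLE_DESC = "XCM8800 version 11.2.0.12 v1120b12 by release-manager"
SAMPLE_PDU, _ = build_lldpdu(SAMPLE_MAC, "1:1", ttl_seconds(), SAMPLE_DESC)


def budget_demo(vlan_count: int = 60) -> Tuple[int, int, int]:
    """Advertise `vlan_count` 32-character VLAN names on one port (system description off);
    returns (tlvs_dropped, lldpdu_length, vlans_that_made_it)."""
    names = [vlan_name_tlv(vid, f"v{vid:02d}".ljust(32, "x")) for vid in range(1, vlan_count + 1)]
    pdu, dropped = build_lldpdu(SAMPLE_MAC, "1:1", ttl_seconds(), None, names)
    return dropped, len(pdu), len(summarize(pdu)["vlans"])
```

summarize(SAMPLE_PDU) shows why the system description TLV matters: anyone on the segment who can capture the multicast LLDP frame reads the chassis MAC, the port and the exact software build. budget_demo() advertises 60 VLAN names and returns (24, 1497, 36): only 36 of the 41-byte VLAN name TLVs fit under the limit, which is the situation the note above warns about.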

This section describes the following types of optional TLVs:
• Configuring Standards-based Optional TLVs on page 167
• Configuring LLDP MED Optional TLVs on page 169


Configuring Standards-based Optional TLVs
You configure LLDP ports to advertise any of the following optional TLVs:
• Port description TLV
• System name TLV
• System capabilities TLV
• Management address TLV
• VLAN name TLV (repeatable TLV)
• Port VLAN ID TLV
• Port and protocol VLAN ID TLV (repeatable TLV)
• MAC/PHY configuration/status TLV
• Power via MDI TLV
• Link aggregation TLV
• Maximum frame size TLV

See Standards-based TLVs on page 160 for complete information on each optional TLV.
To advertise the optional port description information, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
port-description


To advertise the system name, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise] system-name

To advertise the system capabilities, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
system-capabilities

To advertise the IP address of the management VLAN (or the system MAC address if IP is
not configured), use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
management-address

You can advertise more than one VLAN name per LLDP-enabled port. To do so, add one
optional VLAN name TLV for each VLAN you want to advertise. If you do not specify VLAN
names, the system sends an advertisement for all VLANs on the port.
To advertise VLAN names, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific dot1 vlan-name {vlan [all | <vlan_name>]}

Note: The total LLDPDU size is limited to 1500 bytes; any TLVs past that
limit are dropped. This applies equally to the port and protocol VLAN ID
TLVs below.

You can advertise the untagged, port-based VLAN for the LLDP-enabled port using the port
VLAN ID TLV. To configure the port VLAN ID TLV, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific dot1 port-vlan-ID

You can advertise more than one protocol-based VLAN per LLDP-enabled port. To do so,
add one optional port and protocol VLAN ID TLV for each VLAN you want to advertise. To
advertise these VLANs, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific dot1 port-protocol-vlan-ID {vlan [all | <vlan_name>]}

You can advertise the speed capabilities, autonegotiation support and status, and physical
interface of the LLDP-enabled port using the MAC/PHY configuration/status TLV. To
advertise this information, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific dot3 mac-phy


Configure the power via MDI TLV to advertise the PoE capabilities of the LLDP-enabled port.
To advertise the PoE capabilities and status, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific dot3 power-via-mdi

You advertise the load-sharing capabilities and status of the LLDP-enabled port by
configuring the link aggregation TLV. To advertise load-sharing capabilities, use the following
command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific dot3 link-aggregation

You advertise the maximum frame size available on the LLDP-enabled port using the
maximum frame size TLV. To advertise the maximum frame size, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific dot3 max-frame-size

Configuring LLDP MED Optional TLVs
After you enable an LLDP MED TLV, the switch waits until it detects a MED-capable device
before it begins transmitting the configured LLDP MED TLVs; it does not transmit them as
soon as they are enabled. Because network connectivity devices wait to detect LLDP MED
TLVs from endpoints before they send out their own, two network connectivity devices will
not exchange LLDP MED messages.
To receive SNMP traps for LLDP MED, you must enable them separately from the other
LLDP traps. For more information, see Configuring SNMP for LLDP on page 166.
You must configure the LLDP MED capabilities TLV before you configure any other LLDP
MED TLVs. Finally, the fast-start feature speeds up the LLDP MED exchange with a newly
detected endpoint. The fast-start feature is automatically enabled once you enable the LLDP
MED capabilities TLV; you can change the repeat count from the default setting of 3.
See LLDP MED TLVs on page 163 for complete information on each optional TLV.
This section describes configuring the following LLDP MED TLVs:
• LLDP MED capabilities TLV
• LLDP fast-start TLV
• Network policy TLV
• Location identification TLV
• Extended power-via-MDI TLV

To enable configuration and transmission of any other LLDP MED TLV and to determine the
LLDP MED capabilities of endpoint devices, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific med capabilities

To configure the LLDP fast-start feature, use the following command:
configure lldp med fast-start repeat-count <count>

To advertise the VLAN and associated Layer 2 and Layer 3 attributes for a specified
application, use the network policy TLV with the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific med policy application [voice | voice-signaling | guest-voice |
guest-voice-signaling | softphone-voice | video-conferencing | streaming-video
| video-signaling] vlan <vlan_name> dscp <dscp_value> {priority-tagged}

To advertise location information, use the following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific med location-identification [coordinate-based <hex_string> |
civic-based <hex_string> | ecs-elin <elin>]

To advertise power requirement details, use the extended power-via-MDI TLV with the
following command:
configure lldp ports [all | <port_list>] [advertise | no-advertise]
vendor-specific med power-via-mdi

Unconfiguring LLDP
To unconfigure LLDP, use the following command:
unconfigure lldp

This command only returns the LLDP timers to their default values; LLDP remains enabled,
and all the configured TLVs are still advertised.
To leave LLDP enabled but reset the advertised TLVs to the five default TLVs, use the
following command and specify the affected ports:
unconfigure lldp ports [all | <port_list>]

Displaying LLDP Settings
The system displays information on the LLDP status and statistical counters of the ports, as
well as about the LLDP advertisements received and stored by the system. You can display
information on the LLDP port configuration and on the LLDP neighbors detected on the port.

Note: See NETGEAR 8800 Chassis Switch CLI Manual for complete
information on displaying LLDP settings.

Displaying LLDP Port Configuration Information and Statistics
To display LLDP port configuration information, use the show lldp command; to display
detailed LLDP information, add the detailed option.


To display the statistical counters related to the LLDP port, use the show lldp statistics
command.

Displaying LLDP Information Detected from Neighboring Ports
To display information from LLDP neighbors detected on the port, use the show lldp
neighbors command. You must use the detailed option to display information on the LLDP
MED TLVs.

Chapter 7. PoE

This chapter includes the following sections:
• Overview on page 172
• NETGEAR Networks PoE Devices on page 172
• Summary of PoE Features on page 173
• Power Checking for PoE Module on page 173
• Power Delivery on page 174
• Configuring PoE on page 179
• Displaying PoE Settings and Statistics on page 186


Overview
Power over Ethernet (PoE) is an effective method of supplying 48 VDC power to certain types of
powered devices (PDs) through Category 5 or Category 3 twisted pair Ethernet cables. PDs
include wireless access points, IP telephones, laptop computers, web cameras, and other
devices. With PoE, a single Ethernet cable supplies power and the data connection, reducing
costs associated with separate power cabling and supply.
The system supports hitless failover for PoE in a system with two Management Switch Fabric
Modules (MSMs). Hitless failover means that if the primary MSM fails over to the backup MSM,
all ports currently powered maintain power after the failover and all the power configurations
remain active.

NETGEAR Networks PoE Devices
The XCM8848T module (with daughter card) for the NETGEAR 8800 series switch supports
PoE.


Note: PoE capability for the XCM8848T module is available only with
the addition of an optional PoE Daughter Module. See Adding an
XCM88P Daughter Card to an Existing Configuration on page 184
for more information.

Summary of PoE Features
The NETGEAR 8800 implementation of PoE supports the following features:
• Configuration and control of the power distribution for PoE at the system, slot, and port
levels
• Real-time discovery and classification of IEEE 802.3af-compliant PDs and many legacy
devices
• Monitoring and control of port PoE fault conditions, including exceeding configured class
limits and power limits, and short-circuit detection
• Support for configuring and monitoring PoE status at the system, slot, and port levels
• Management of an over-subscribed power budget
• Port LED control for indicating the link state
• Support for hitless failover in a chassis with two MSMs

For detailed information on using the PoE commands to configure, manage, and display PoE
settings, see the NETGEAR 8800 Chassis Switch CLI Manual.

Power Checking for PoE Module
PoE modules require more power than other I/O modules. When a chassis containing a PoE
module is booted or a new PoE module is inserted, the power drain is calculated. Before the
PoE module is powered up, the chassis calculates the power budget and powers up the PoE
module only if there is enough power. The chassis powers up as many I/O modules as
possible with lower-numbered slots having priority.

Note: If your chassis has an inline power module and there is not enough
power to supply the configured inline power for the slot, that slot will
not power on; the slot will not function in data-only mode without
enough power for inline power.

If a PoE module is inserted into a chassis, the chassis calculates the power budget and only
powers up the PoE module if there is enough power. Installed modules are not affected.
However, if you reboot the chassis, power checking proceeds as described in the previous
paragraph. If there is now enough power, I/O modules that were not powered up previously
are powered up.
If you lose power or the overall available power decreases, the system removes power to the
I/O modules beginning with the highest numbered slots until enough power is available. Inline
power reserved for a slot that is not used cannot be used by other PoE slots (inline power is
not shared among PoE modules).
Before you install your PoE module, consult your sales team to determine the required power
budget.

Power Delivery
This section describes how the system provides power to the PDs.

Enabling PoE to the Switch
You enable or disable inline power to the entire switch, or per slot or per port.
On a NETGEAR 8800 switch chassis, you must reserve power for each PoE slot. By default,
50 watts of inline power is reserved for each slot. (See Power Reserve Budget on page 174
for information on reserving power on these devices.)
To enable inline power to the switch, use the following command:
enable inline-power

To disable inline power to the switch, use the following command:
disable inline-power

Disabling inline power immediately removes power from all connected PDs. The default
value is enabled.

Power Reserve Budget
On modular switches, the power budget is provided on a per slot basis, not switchwide. You
reserve power for each slot, or PoE module. Power reserved for a specific PoE module
cannot be used by any other slot regardless of how much power is actually consumed on the
specified slot. The default power budget reserved for each PoE module is 50 W. The
minimum power you can assign to a slot is 37 W, or 0 W if the slot is disabled. The maximum
possible for each slot is 768 W.
To reduce the chances of ports fluctuating between powered and non-powered states, newly
inserted PDs are not powered when the actual delivered power for the module or switch is
within approximately 19 W of the configured inline power budget for that slot. However, actual
aggregate power can be delivered up to the configured inline power budget for the slot or
switch (for example, when delivered power from ports increases or when the configured inline
power budget for the slot is reduced).


Note: NETGEAR recommends that, when using a modular switch, you
fully populate a single PoE module with PDs until the power usage is
just below the usage threshold, instead of spacing PDs evenly
across PoE modules.

If you disable a slot with a PoE module, the reserved power budget remains with that slot
until you unconfigure or reconfigure the power budget. Also, you can reconfigure the
reserved power budget for a PoE module without disabling the device first; you can
reconfigure dynamically. These settings are preserved across reboots and other
power-cycling conditions.
The total of all reserved slot power budgets cannot be larger than the total available power to
the switch. If the base module power requirements plus the reserved PoE power for all
modules exceeds the unallocated power in the system, the lowest numbered slots have
priority in getting power and one or more modules in higher-numbered slots will be powered
down.

Note: On modular switches, PoE modules are not powered-up at all, even
in data-only mode, if the reserved PoE power cannot be allocated to
that slot.

To reset the reserved power budget for a slot to the default value of 50 W, use the following
command:
unconfigure inline-power budget slot <slot>

PD Disconnect Precedence
After a PD is discovered and powered on a modular PoE switch, the actual power drain is
continuously measured. If the usage for power by PDs is within 19 W of the reserved power
budget for the PoE switch or module, the system begins denying power to PDs.
To supply power to all PDs, you can reconfigure the reserved power budget for the switch or
slot, so that enough power is available to power all PDs. You reconfigure the reserved power
budget dynamically; you do not have to disable the device to reconfigure the power budget.
You configure the switch to handle a request for power that exceeds the power budget in one
of two ways, called the disconnect precedence:
• Disconnect PDs according to the configured PoE port priority for each PD.
• Deny power to the next PD requesting power, regardless of that port’s PoE priority.


On modular switches, this is a switchwide configuration that applies to each slot; you cannot
configure this disconnect precedence per slot.


The default value is deny-port. So, if you do not change the default value and the switch’s or
slot’s power is exceeded, the next PD requesting power is not connected (even if that port
has a higher configured PoE port priority than those ports already receiving power). When
you configure the deny-port value, the switch disregards the configured PoE port priority and
port numbering.
When the switch is configured for lowest-priority mode, PDs are denied power based on the
individual port’s configured PoE priority. If the next PD requesting power is of a higher
configured PoE priority than an already powered port, the lower-priority port is disconnected
and the higher-priority port is powered.
To configure the disconnect precedence for the switch, use the following command:
configure inline-power disconnect-precedence [deny-port | lowest-priority]

To reset the disconnect precedence for the switch to the default value of deny-port, use
the following command:
unconfigure inline-power disconnect-precedence

PoE Port Priority
On the NETGEAR 8800 switches, you can configure the PoE priority for each port as low,
high, or critical; the default value is low. If you configure the disconnect precedence of the
switch as lowest priority, the switch disconnects those PDs with lower PoE port priorities
when the reserved switch or slot power budget is exceeded; the system continues supplying
power to PDs with higher PoE port priorities.
To set the PoE port priority, use the following command:
configure inline-power priority [critical | high | low] ports 

To reset the PoE priority of the ports to the default value of low, use the following command:
unconfigure inline-power priority ports [all | ]

If several PDs have the same configured PoE port priority, the priority is determined by the
port number: the highest port number has the lowest PoE priority, so the switch withdraws
power from (or disconnects) the ports with the highest port numbers first.

Port Disconnect or Fault
On modular PoE switches, when a port is disconnected, the power is removed from that port
and can be used only by ports on the same slot. The power from the disconnected port is not
redistributed to any other slot.
On all PoE devices, when a port enters a fault state because of a class violation or if you set
the operator limit lower than the amount requested by the PD, the system removes power
from that port. The power removed is, again, available only to other ports on the same slot or
stand-alone switch; it cannot be redistributed to other slots on modular switches. The port
stays in the fault state until you disable that port, or disconnect the attached PD, or
reconfigure the operator limit to be high enough to satisfy the PD requirements.
To display the status of PoE ports, including disconnected or faulted ports, use the following
command:
show inline-power info ports

When a port is disconnected or otherwise moves into a fault state, the switch generates an
SNMP event (after you configure SNMP) and creates a log message.

Port Power Reset
You can set ports to experience a power-down, discover, power-up cycle.
On the NETGEAR 8800 PoE switches, this power-cycling occurs without returning the power
to the slot’s reserved power budget. This function allows you to reset PDs without losing their
claim to the reserved power budget.
To power cycle specified ports, use the following command:
reset inline-power ports 

Ports are immediately depowered and repowered, maintaining current power allocations on
modular switches.

PoE Usage Threshold
The system generates an SNMP event when any slot or stand-alone switch has consumed a
specified percentage of that slot’s reserved power budget or of the entire power for the
stand-alone switch. The default value is 70%; you can configure this threshold to generate
events from 1% to 99% consumption of the reserved power budget. You can also configure
the system to log an Event Management System (EMS) message when the usage threshold
is crossed (see Chapter 8, Status Monitoring and Statistics for more information on EMS). On
modular switches, this threshold percentage is set to be the same for each PoE slot; you
cannot configure it differently for each PoE module.
On modular switches, although the threshold percentage of measured to budgeted power
applies to all PoE modules, the threshold measurement applies only to the percentage per
slot of measured power to budgeted power use; it does not apply to the amount of power
used switchwide.
To configure the threshold percentage of budgeted power used on a slot or the total power on
a stand-alone switch that causes the system to generate an SNMP event and EMS message,
use the following command:
configure inline-power usage-threshold 

To reset the threshold that causes the system to generate an SNMP event and EMS
message per slot to 70% for measured power compared to budgeted power, use the
following command:
unconfigure inline-power usage-threshold

Legacy Devices
XCM8800 software allows the use of non-standard PDs with the switch. These are PDs that
do not comply with the IEEE 802.3af standard.
The system detects non-standard PDs using a capacitance measurement. You must enable
the switch to detect legacy devices; the default value is disabled. You configure the detection
of legacy PoE devices per slot.
Detecting a PD through capacitance is used only if the following two conditions are both met:
• Legacy PD detection is enabled.
• The system unsuccessfully attempted to discover the PD using the standard resistance
measurement method.

To enable the switch to use legacy PDs on a modular switch, use the following command:
enable inline-power legacy slot 

To enable the switch to use legacy PDs on a stand-alone switch, use the following command:
enable inline-power legacy

To disable the non-standard power detection method that allows the switch to use legacy PDs
on a modular switch, use the following command:
disable inline-power legacy slot 

To disable the non-standard power detection method that allows the switch to use legacy PDs
on a stand-alone switch, use the following command:
disable inline-power legacy

PoE Operator Limits
You set the power limit that a PD can draw on the specified ports. The range is 3000 to 16800
mW, and the default value is 15400 mW.
You set the operator limit on specified ports, which limits how much power a PD can draw
from that port by using the following command:
configure inline-power operator-limit  ports [all |]

If the measured power for a specified port exceeds the port’s operator limit, the power is
withdrawn from that port and the port moves into a fault state.
To reset the power limit allowed for PDs to the default value of 15.4 W per port, use the
following command:
unconfigure inline-power operator-limit ports [all |]

If you attempt to set an operator-limit outside the accepted range, the system returns an error
message.

Configuring PoE
PoE supports a full set of configuration and monitoring commands that allow you to
configure, manage, and display PoE settings at the system, slot, and port level. See the
NETGEAR 8800 Chassis Switch CLI Manual for complete information on using the CLI
commands.
To enable inline power, or PoE, you must have a powered switch or chassis and module.

Note: On a modular switch, if your chassis has an inline power module and
there is not enough power to supply a slot, that slot will not power
on; the slot will not function in data-only mode without enough power
for inline power.

To configure inline power, or PoE, you must complete the following tasks:
• Enable inline power to the system, slot, and/or port.
• On NETGEAR 8800 switches, reserve power to the switch or slot using a power budget.
• On NETGEAR 8800 switches, configure the disconnect precedence for the PDs in the case of
excessive power demands.
• Configure the threshold for initiating system alarms on power usage.

Additionally, you can configure the switch to use legacy PDs, apply specified PoE limits to
ports, apply labels to PoE ports, and configure the switch to allow you to reset a PD without
losing its power allocation.

Enabling Inline Power
You enable inline power to the switch, slot, or port using the following commands:
enable inline-power
enable inline-power slot 
enable inline-power ports [all | ]

Note: On modular switches, if your chassis has an inline power module
and there is not enough power to supply a slot, that slot will not
power on; the slot will not function in data-only mode without enough
power for inline power.

To disable inline power to the switch, slot (on modular switches), or port, use the following
commands:
disable inline-power

disable inline-power slot 
disable inline-power ports [all | ]

Disabling the inline power to a PD immediately removes power from the PD.
To display the configuration for inline power, use the following command:
show inline-power

Reserving Power
On modular PoE switches, you reserve power for a given slot. The power reserved for a
given slot cannot be used by any other PoE slots, even if the assigned power is not entirely
used. To reallocate power among the slots, you must reconfigure each slot for the power
budget you want; the power is not dynamically reallocated among PoE modules.
You do not have to disable the PoE devices to reconfigure the power budgets.
On NETGEAR 8800 switches, the default power budget is 50 W per slot, and the maximum is
768 W. The minimum reserved power budget you can configure is 37 W for an enabled slot. If
inline power on the slot is disabled, you can configure a power budget of 0.

Note: NETGEAR recommends that you fully populate a single PoE
module with PDs until the power usage is just below the usage
threshold, instead of spacing PDs evenly across PoE modules.

To reset the power budget for a PoE module to the default value of 50 W, use the following
command:
unconfigure inline-power budget slot 

To display the reserved power budget for the PoE modules, use the following command:
show inline-power slot 

Setting the Disconnect Precedence
Note: The switch generates an SNMP event if a PD goes offline, and the
port’s state moves from Power to Searching. You must configure
SNMP to generate this event.

When the actual power used by the PDs on a switch or slot exceeds the power budgeted for
that switch or slot, the switch refuses power to PDs. There are two methods used by the
switch to refuse power to PDs, and whichever method is in place applies to all PoE slots in
the switch. This is called the disconnect precedence method, and you configure one method
for the entire switch.
The available disconnect precedence methods are:
• Deny port
• Lowest priority

The default value is deny port. Using this method, the switch simply denies power to the next
PD requesting power from the slot, regardless of that port’s PoE priority or port number.
Using the lowest priority method of disconnect precedence, the switch disconnects the PDs
connected to ports configured with lower PoE priorities. (See Configuring the PoE Port
Priority for information on port priorities.)
When several ports have the same PoE priority, the lower port numbers have higher PoE
priorities. That is, the switch withdraws power (or disconnects) those ports with the highest
port number(s).
The system keeps dropping ports, using the disconnect precedence method you selected, until
the measured inline power for the slot is lower than the reserved inline power.
To configure the disconnect precedence for the switch, use the following command:
configure inline-power disconnect-precedence [deny-port | lowest-priority]

To return the disconnect precedence to the default value of deny port, use the following
command:
unconfigure inline-power disconnect-precedence

To display the currently configured disconnect precedence, use the following command:
show inline-power

To reduce the chances of ports fluctuating between powered and non-powered states, newly
inserted PDs are not powered when the actual delivered power for the switch or module is
within approximately 19 W of the configured inline power budget for that switch or slot.
However, actual aggregate power can be delivered up to the configured inline power budget
for the switch or slot (for example, when delivered power from ports increases or when the
configured inline power budget for the slot is reduced).
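The allocation rules described above (deny-port versus lowest-priority disconnect precedence, the PoE port priority with its port-number tie-break, the budget bounds given under Reserving Power, and the approximately 19 W admission headroom for newly inserted PDs) are easier to reason about as a small model. The following is an added example written for this page; it is not NETGEAR code and not the switch's implementation. The class name PoeSlot, the drop_key helper and the 48 W scenario in demo() are this example's own choices; the numbers it checks against (37 to 768 W, 19 W headroom, 15.4 W default draw) are the manual's.

```python
"""Model of the PoE power-budget rules described in the sections above.

Constructed example, not NETGEAR code: it reproduces the disconnect precedence
(deny-port versus lowest-priority), the PoE port priority with its port-number
tie-break, the budget bounds of the Reserving Power section, and the ~19 W
admission headroom for newly inserted PDs, so an operator can predict which PDs
keep power when a slot is oversubscribed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Lower rank means higher PoE priority; "low" is the manual's default.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}
# Newly inserted PDs are refused once delivered power is within about 19 W of
# the budget (the manual's figure), which stops ports flapping.
HEADROOM_W = 19.0


def drop_key(port: int, priority: str) -> Tuple[int, int]:
    """Larger key = loses power sooner: lowest priority first, then the highest port number."""
    return (PRIORITY_RANK[priority], port)


@dataclass
class PoeSlot:
    budget_w: float = 50.0                # the manual's default per-slot budget
    precedence: str = "deny-port"         # the default; the alternative is "lowest-priority"
    powered: Dict[int, Tuple[str, float]] = field(default_factory=dict)  # port -> (priority, W)
    events: List[str] = field(default_factory=list)

    def set_budget(self, watts: float, slot_enabled: bool = True) -> None:
        """Bounds from the manual: 37-768 W for an enabled slot; 0 only when inline power
        on the slot is disabled. Changing the budget does not require disabling the PDs."""
        if not (37 <= watts <= 768 or (watts == 0 and not slot_enabled)):
            raise ValueError(f"budget {watts} W is outside the allowed range")
        self.budget_w = watts

    def measured_w(self) -> float:
        return sum(w for _, w in self.powered.values())

    def has_headroom(self) -> bool:
        return self.measured_w() < self.budget_w - HEADROOM_W

    def request(self, port: int, priority: str = "low", watts: float = 15.4) -> bool:
        """A PD on `port` requests `watts`; returns True if the port is powered."""
        if priority not in PRIORITY_RANK:
            raise ValueError(f"priority must be critical, high or low, not {priority!r}")
        while not self.has_headroom():
            if self.precedence == "deny-port" or not self.powered:
                # deny-port ignores priority and port number: the newcomer is simply refused.
                self.events.append(f"port {port}: denied")
                return False
            # lowest-priority: shed the port that sorts last, but only if the requester
            # outranks it; otherwise the requester is the one that goes without power.
            victim = max(self.powered, key=lambda p: drop_key(p, self.powered[p][0]))
            if drop_key(victim, self.powered[victim][0]) < drop_key(port, priority):
                self.events.append(f"port {port}: denied (no lower-priority PD to drop)")
                return False
            self.events.append(f"port {victim}: disconnected to power port {port}")
            del self.powered[victim]
        self.powered[port] = (priority, watts)
        self.events.append(f"port {port}: powered ({watts} W, {priority})")
        return True


def demo() -> dict:
    """Constructed scenario: a 48 W budget and three 15.4 W PDs, run under both precedences."""
    out = {}
    for mode in ("deny-port", "lowest-priority"):
        slot = PoeSlot(precedence=mode)
        slot.set_budget(48.0)
        slot.request(1, "low")
        slot.request(2, "low")            # 30.8 W delivered: now within 19 W of the 48 W budget
        slot.request(3, "critical")       # deny-port refuses it; lowest-priority drops port 2
        out[mode] = sorted(slot.powered)
        if mode == "lowest-priority":
            # Same priority as port 1 but a higher port number, so it cannot preempt port 1.
            out["tiebreak"] = slot.request(4, "low")
    return out


if __name__ == "__main__":
    print(demo())
```

Under deny-port the critical PD on port 3 is refused even though it outranks the two low-priority ports already drawing power, which is exactly the behaviour the manual warns about; under lowest-priority the switch sheds port 2 (same priority as port 1, higher port number) to power it.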

Configuring the PoE Port Priority
You can configure the PoE port priority to be low, high, or critical. The default value is low.
If you configure the disconnect precedence as lowest priority and the PDs request power in
excess of the switch’s or slot’s reserved power budget, the system allocates power to those
ports with the highest priorities first.
If several ports have the same PoE priority, the lower port numbers have higher PoE
priorities. That is, the switch withdraws power (or disconnects) those ports with the highest
port number(s).
To configure PoE port priority, use the following command:

configure inline-power priority [critical | high | low] ports 

To reset the port priority to the default value of low, use the following command:
unconfigure inline-power priority ports [all | ]

To display the PoE port priorities, use the following command:
show inline-power configuration ports 

Configuring the Usage Threshold
The system generates an SNMP event after a preset percentage of the reserved power for
any slot or total power for a stand-alone switch is actually used by a connected PD. This
preset percentage is called the usage threshold and is the percentage of the measured
power to the budgeted power for each slot or total power for a stand-alone switch.
On modular switches, although the percentage of used to budgeted power is measured by
each PoE module, you set the threshold for sending the event for the entire switch. That is,
after any PoE module passes the configured threshold, the system sends an event.
The default value for this usage threshold is 70%. You can configure the usage threshold to
be any integer between 1% and 99%.
To configure the usage threshold, use the following command:
configure inline-power usage-threshold 

To reset the usage threshold to 70%, use the following command:
unconfigure inline-power usage-threshold

To display the currently configured usage threshold, use the following command:
show inline-power

Configuring the Switch to Detect Legacy PDs
The PoE device can detect non-standard, legacy PDs, which do not conform to the IEEE
802.3af standard, using a capacitance measurement. However, you must specifically enable
the switch to detect these non-standard PDs; the default value for this detection method is
disabled.
This configuration applies to the entire switch; you cannot configure the detection method per
slot.
The switch detects PDs through capacitance only if both of the following conditions are met:
• The legacy detection method is enabled.
• The switch unsuccessfully attempted to discover the PD using the standard resistance
measurement method.

To enable the switch to detect legacy, non-standard PDs, use the following command:
enable inline-power legacy slot 

To reset the switch to the default value, which does not detect legacy PDs, use the following
command:
disable inline-power legacy slot 

To display the status of legacy detection, use the following command:
show inline-power

Configuring the Operator Limit
You configure the maximum amount of power that the specified port can deliver to the
connected PD, in milliwatts (mW). The default value is 15400 mW, and the range is 3000 to
16800 mW.
If the operator limit for a specified port is less than the power drawn by the legacy PD, the
legacy PD is denied power.
To configure the operator limit, use the following command:
configure inline-power operator-limit  ports [all |]

To reset the operator limit to the default value of 15.4 W, use the following command:
unconfigure inline-power operator-limit ports [all |]

To display the current operator limit on each port, use the following command:
show inline-power configuration ports 
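The operator limit and usage threshold sections above describe two checks the switch applies to live readings: a port whose measured power exceeds its operator limit is faulted and loses power, and a slot that passes the usage threshold raises an SNMP event and log message. The following added example (written for this page, not NETGEAR code) validates the configurable values against the ranges the manual gives and runs both checks over constructed readings. The UsageMonitor class, the sample readings, and the decision to treat the threshold as passed only when usage is strictly above it are this example's assumptions.

```python
"""Checks a switch would apply to PoE readings, as described in the operator
limit and usage threshold sections above.

Constructed example, not NETGEAR code: it validates the configurable values
against the ranges the manual gives, decides when a port moves to the fault
state for exceeding its operator limit, and raises a usage-threshold event the
first time a slot crosses the threshold rather than on every sample.
"""
from typing import Dict, List

OPERATOR_LIMIT_RANGE_MW = (3000, 16800)   # accepted range from the manual
DEFAULT_OPERATOR_LIMIT_MW = 15400         # 15.4 W
DEFAULT_USAGE_THRESHOLD_PCT = 70          # configurable from 1 to 99


def validate_operator_limit(limit_mw: int) -> int:
    """Mirror the CLI, which rejects an operator limit outside the accepted range."""
    lo, hi = OPERATOR_LIMIT_RANGE_MW
    if not lo <= limit_mw <= hi:
        raise ValueError(f"operator limit {limit_mw} mW is outside {lo}-{hi} mW")
    return limit_mw


def validate_usage_threshold(pct: int) -> int:
    if not (isinstance(pct, int) and 1 <= pct <= 99):
        raise ValueError(f"usage threshold {pct!r} must be an integer from 1 to 99")
    return pct


def port_faults(measured_mw: int, limit_mw: int = DEFAULT_OPERATOR_LIMIT_MW) -> bool:
    """True when measured power exceeds the operator limit: power is withdrawn and the
    port stays in the fault state until the limit is raised or the PD is removed."""
    return measured_mw > validate_operator_limit(limit_mw)


class UsageMonitor:
    """One threshold for the whole switch, evaluated per slot, because a modular
    switch does not pool power across PoE modules."""

    def __init__(self, threshold_pct: int = DEFAULT_USAGE_THRESHOLD_PCT):
        self.threshold = validate_usage_threshold(threshold_pct)
        self._above: Dict[str, bool] = {}   # last known state per slot, for edge triggering

    def observe(self, slot: str, budget_w: float, measured_w: float) -> List[str]:
        """Return the event to raise for this sample, if any (empty list otherwise)."""
        pct = 100.0 * measured_w / budget_w if budget_w else 0.0
        # Assumption: the threshold counts as passed when usage is strictly above it.
        above = pct > self.threshold
        events = []
        if above and not self._above.get(slot, False):
            events.append(f"{slot}: PoE usage {pct:.0f}% passed the {self.threshold}% threshold")
        self._above[slot] = above
        return events


def demo() -> dict:
    """Constructed samples: Slot-1 rises, falls and rises again; Slot-3 crosses once."""
    monitor = UsageMonitor(70)
    samples = [
        ("Slot-1", 50.0, 30.0),   # 60%: quiet
        ("Slot-1", 50.0, 36.0),   # 72%: event
        ("Slot-1", 50.0, 38.0),   # 76%: still above, no repeat event
        ("Slot-3", 50.0, 40.0),   # 80%: event for a different slot
        ("Slot-1", 50.0, 20.0),   # 40%: back below, arms the slot again
        ("Slot-1", 50.0, 45.0),   # 90%: event
    ]
    events = [e for s in samples for e in monitor.observe(*s)]
    faults = [port_faults(mw) for mw in (14800, 15400, 15900)]
    return {"events": events, "faults": faults}


if __name__ == "__main__":
    for line in demo()["events"]:
        print(line)
```

The edge-triggered monitor matters in practice: a slot sitting at 76% should produce one event when it crosses 70%, not one per poll, or the SNMP trap becomes noise that hides the real change.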

Configuring PoE Port Labels
You can assign labels to a single or group of PoE ports using a string of up to 15 characters.
To assign a label to PoE ports, use the following command:
configure inline-power label  ports 

To rename a port or to return it to a blank label, reissue the command.
To display the PoE port labels, use the following command:
show inline-power configuration ports 

Power Cycling Connected PDs
To power cycle a connected PD without losing the power allocated to its port, use the
following command:
reset inline-power ports 

Adding an XCM88P Daughter Card to an Existing Configuration
XCM8848T I/O Modules for the NETGEAR 8800 Series Switches
This section describes how to add an XCM88P daughter card to a NETGEAR 8800 switch
configuration that has already been saved without PoE capabilities.
The following output displays the results of the show slot command with slot 4 configured:
* XCM8806.2 #
* XCM8806.2 # show slot
Slots   Type         Configured   State         Ports  Flags
------------------------------------------------------------------------------
Slot-1  XCM8824F     XCM8824F     Operational      24  MB
Slot-2               XCM8824F     Empty            24
Slot-3  XCM888F      XCM888F      Operational       8  MB
Slot-4                            Empty             0
Slot-5  XCM8808X     XCM8808X     Operational       8  MB
Slot-6  XCM8848T     XCM8848T     Operational      48  MB
MSM-A   XCM88S1                   Operational       0
MSM-B   XCM88S1                   Operational       0
Flags : M - Backplane link to Master is Active
        B - Backplane link to Backup is also Active
        D - Slot Disabled
        I - Insufficient Power (refer to "show power budget")

To configure a module for the PoE daughter card:
1. Remove the XCM8848T module.
2. Attach the PoE daughter card to the XCM8848T module (as described in the installation
document provided with the daughter card).
3. Re-insert the XCM8848T module with the PoE daughter card attached. The following output
displays the results of the show slot command after the card is attached:

* XCM8806.2 #
* XCM8806.2 # show slot
Slots   Type         Configured   State         Ports  Flags
------------------------------------------------------------------------------
Slot-1  XCM8824F     XCM8824F     Operational      24  MB
Slot-2               XCM8824F     Empty            24
Slot-3  XCM888F      XCM888F      Operational       8  MB
Slot-4                            Empty             0
Slot-5  XCM8808X     XCM8808X     Operational       8  MB
Slot-6  XCM8848T(P)  XCM8848T     Operational      48  MB
MSM-A   XCM88S1                   Operational       0
MSM-B   XCM88S1                   Operational       0
Flags : M - Backplane link to Master is Active
        B - Backplane link to Backup is also Active
        D - Slot Disabled
        I - Insufficient Power (refer to "show power budget")

You can expect to see the following log messages generated by the system after you
have attached the card:
MSM-A: Powering on mismatch card - cfg: XCM8848T actual: XCM8848T(P)
MSM-B: Powering on mismatch card - cfg: XCM8848T actual: XCM8848T(P)

4. Change the slot module type to include PoE by executing the command
configure slot 4 module XCM8848T (PoE).

Note: You must configure the slot as (PoE) before the power feature is
accessible or enabled.

The following output displays the results of the show slot command after this command
has been executed:
XCM8806.2 # show slot
Slots   Type         Configured   State         Ports  Flags
------------------------------------------------------------------------------
Slot-1  XCM8824F     XCM8824F     Operational      24  MB
Slot-2               XCM8824F     Empty            24
Slot-3  XCM888F      XCM888F      Operational       8  MB
Slot-4                            Empty             0
Slot-5  XCM8808X     XCM8808X     Operational       8  MB
Slot-6  XCM8848T(P)  XCM8848T(P)  Operational      48  MB
MSM-A   XCM88S1                   Operational       0
MSM-B   XCM88S1                   Operational       0
Flags : M - Backplane link to Master is Active
        B - Backplane link to Backup is also Active
        D - Slot Disabled
        I - Insufficient Power (refer to "show power budget")

5. Save the configuration by executing the command save configuration.
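The procedure above hinges on reading show slot correctly: the Type column shows what is physically inserted, Configured shows what the saved configuration expects, and a difference between them is what produces the "Powering on mismatch card" log line. The following added example (written for this page, not NETGEAR code) parses that column layout and reports mismatched and underpowered slots. It slices rows by the header's column positions because cells can be blank, so splitting on whitespace would misalign them. SAMPLE is constructed in the layout shown above; the I flag on Slot-5 is invented for the demonstration, and the column-start approach is this example's assumption about the format rather than a documented property of the CLI.

```python
"""Parser for the column layout of the show slot output shown above.

Constructed example, not NETGEAR code: it recovers each slot's row using the
header's column positions (cells can be blank, so splitting on whitespace would
misalign them), then flags slots whose inserted module differs from the
configured type, as with the daughter card above, and slots carrying the
I (insufficient power) flag. SAMPLE is constructed in that layout; the I flag
on Slot-5 is invented for the demonstration.
"""
from typing import Dict, List

COLUMNS = ["Slots", "Type", "Configured", "State", "Ports", "Flags"]

SAMPLE = """\
* XCM8806.2 # show slot
Slots   Type         Configured   State         Ports  Flags
------------------------------------------------------------------------------
Slot-1  XCM8824F     XCM8824F     Operational      24  MB
Slot-2               XCM8824F     Empty            24
Slot-3  XCM888F      XCM888F      Operational       8  MB
Slot-4                            Empty             0
Slot-5  XCM8808X     XCM8808X     Operational       8  I
Slot-6  XCM8848T(P)  XCM8848T     Operational      48  MB
MSM-A   XCM88S1                   Operational       0
MSM-B   XCM88S1                   Operational       0
Flags : M - Backplane link to Master is Active
        B - Backplane link to Backup is also Active
        D - Slot Disabled
        I - Insufficient Power (refer to "show power budget")
"""


def column_starts(header: str) -> List[int]:
    """Column boundaries are wherever the header words begin."""
    return [header.index(name) for name in COLUMNS]


def parse_show_slot(output: str) -> List[Dict[str, str]]:
    """Return one dict per slot row, keyed by column name; blank cells become ''."""
    lines = output.splitlines()
    header = next(line for line in lines if line.startswith("Slots"))
    starts = column_starts(header)
    bounds = list(zip(starts, starts[1:] + [None]))   # last column runs to end of line
    rows = []
    for line in lines:
        if not (line.startswith("Slot-") or line.startswith("MSM-")):
            continue   # prompt, header, rule and the Flags legend are not slot rows
        cells = [line[a:b].strip() for a, b in bounds]
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def mismatched_slots(rows: List[Dict[str, str]]) -> List[str]:
    """Slots where the inserted module differs from what the saved configuration expects;
    empty or unconfigured slots are not mismatches."""
    return [r["Slots"] for r in rows
            if r["Type"] and r["Configured"] and r["Type"] != r["Configured"]]


def expected_mismatch_logs(rows: List[Dict[str, str]]) -> List[str]:
    """The log line the manual shows for each mismatched slot."""
    by_name = {r["Slots"]: r for r in rows}
    return [f"Powering on mismatch card - cfg: {by_name[s]['Configured']} actual: {by_name[s]['Type']}"
            for s in mismatched_slots(rows)]


def underpowered_slots(rows: List[Dict[str, str]]) -> List[str]:
    """Slots showing the I flag; the manual points to show power budget for these."""
    return [r["Slots"] for r in rows if "I" in r["Flags"]]


if __name__ == "__main__":
    parsed = parse_show_slot(SAMPLE)
    print("mismatched:", mismatched_slots(parsed))
    print("underpowered:", underpowered_slots(parsed))
    for msg in expected_mismatch_logs(parsed):
        print(msg)
```

Run against the post-insertion output in step 3, this reports Slot-6 as mismatched and reproduces the log line the manual quotes; after step 4 reconfigures the slot as XCM8848T(P), the same parser reports nothing, which is a quick way to confirm the configuration change took before saving it.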

Displaying PoE Settings and Statistics
You can display the PoE status, configuration, and statistics for the system, slot, and port
levels.

Clearing Statistics
You can clear the PoE statistics for specified ports or for all ports. To clear the statistics and
reset the counters to 0, use the following command:
clear inline-power stats ports [all | ]

Displaying System Power Information
You can display the status of the inline power for the system and, for additional information,
display the power budget of the switch.

Displaying System PoE Status
To display the PoE status for the switch, use the following command:
show inline-power

The command provides status for the following areas:
• Configured inline power status—The status of the inline power for the switch: enabled or
disabled.
• System power surplus—The surplus amount of power on the system, in watts, available for
budgeting.
• Redundant power surplus—The amount of power on the system, in watts, available for
budgeting if one power supply is lost.
• System power usage threshold—The configured power usage threshold for each slot, shown
as a percentage of budgeted power. After this threshold has been passed on any slot, the
system sends an SNMP event and logs a message.
• Disconnect precedence—The method of denying power to PDs if the budgeted power on any
slot is exceeded.
• Legacy mode—The status of the legacy mode, which allows detection of non-standard PDs.

The output indicates the following inline power status information for each slot:
• Inline power status—The status of inline power. The status conditions are:
  • Enabled
  • Disabled
• Firmware status—The operational status of the slot. The status conditions are:
  • Operational
  • Not operational
  • Disabled
  • Subsystem failure
  • Card not present
  • Slot disabled
• Budgeted power—The amount of inline power, in watts, that is reserved and available to
the slot.
• Measured power—The amount of power, in watts, that is currently being used by the slot.

Displaying System Power Data
Additionally, you can view the distribution of power, as well as currently required and
allocated power, on the entire modular switch including the power supplies by using the
following command:
show power budget

Displaying Slot PoE Information on NETGEAR 8800 Switches
You can display PoE status and statistics per slot.

Displaying Slot PoE Status
To display PoE status for each slot, use the following command:
show inline-power slot 

The command provides the following information:
• Inline power status—The status of inline power. The status conditions are:
  • Enabled
  • Disabled
• Firmware status—The operational status of the slot. The status conditions are:
  • Operational
  • Not operational
  • Disabled
  • Subsystem failure
  • Card not present
  • Slot disabled
• Budgeted power—The amount of power, in watts, that is available to the slot.
• Measured power—The amount of power, in watts, that is currently being used by the slot.

Displaying Slot PoE Statistics on NETGEAR Switches
To display the PoE statistics for each slot, use the following command:
show inline-power stats slot 

The command provides the following information:
• Firmware status—Displays the firmware state:
  • Operational
  • Not operational
  • Disabled
  • Subsystem failure
  • Card not present
  • Slot disabled
• Firmware revision—Displays the revision number of the PoE firmware
• Total ports powered—Displays the number of ports powered on the specified slot
• Total ports awaiting power—Displays the number of remaining ports in the slot that are not
powered
• Total ports faulted—Displays the number of ports in a fault state
• Total ports disabled—Displays the number of ports in a disabled state

Displaying Port PoE Information
You can display the PoE configuration, status, and statistics per port.

Displaying Port PoE Configuration
To display PoE configuration for each port, use the following command:
show inline-power configuration ports 

This command provides the following information:
• Config—Indicates whether the port is enabled to provide inline power:
  • Enabled: The port can provide inline power.
  • Disabled: The port cannot provide inline power.
• Operator Limit—Displays the configured limit, in milliwatts, for inline power on the port.
• Label—Displays a text string, if any, associated with the port (15 characters maximum).

Displaying Port PoE Status
To display the PoE status per port, use the following command:
show inline-power info {detail} ports 

This command provides the following information:
• State—Displays the port power state:
  • Disabled
  • Searching
  • Delivering
  • Faulted
  • Disconnected
  • Other
  • Denied
• PD’s power class—Displays the class type of the connected PD:
  • “-----”: disabled or searching
  • “class0”: class 0 device
  • “class1”: class 1 device
  • “class2”: class 2 device
  • “class3”: class 3 device
  • “class4”: class 4 device
• Volts—Displays the measured voltage. A value from 0 to 2 is valid for ports that are in a
searching or discovered state.
• Curr—Displays the measured current, in milliamperes, drawn by the PD.
• Power—Displays the measured power, in watts, supplied to the PD.
• Fault—Displays the fault value:
  • None
  • UV/OV fault
  • UV/OV spike
  • Over current
  • Overload
  • Undefined
  • Underload
  • HW fault
  • Discovery resistance fail
  • Operator limit violation
  • Disconnect
  • Discovery resistance, A2D failure
  • Classify, A2D failure
  • Sample, A2D failure
  • Device fault, A2D failure
  • Force on error

The detail option lists all inline power information for the selected ports. Detail output
displays the following information:
• Configured Admin State
• Inline Power State
• MIB Detect Status
• Label
• Operator Limit
• PD Class
• Max Allowed Power
• Measured Power
• Line Voltage
• Current
• Fault Status
• Detailed Status
• Priority

Displaying Port PoE Statistics
To display the PoE statistics for each port, use the following command:
show inline-power stats ports 

The command provides the following information:
• State—Displays the port power state:
  • Disabled
  • Searching
  • Delivering
  • Faulted
  • Disconnected
  • Other
  • Denied
• PD’s power class—Displays the class type of the connected PD:
  • “-----”: disabled or searching
  • “class0”: class 0 device
  • “class1”: class 1 device
  • “class2”: class 2 device
  • “class3”: class 3 device
  • “class4”: class 4 device
• Absent—Displays the number of times the port was disconnected
• InvSig—Displays the number of times the port had an invalid signature
• Denied—Displays the number of times the port was denied
• Over-current—Displays the number of times the port entered an overcurrent state
• Short—Displays the number of times the port entered an undercurrent state


8. Status Monitoring and Statistics

This chapter includes the following sections:
• Overview on page 192
• Viewing Port Statistics on page 193
• Viewing Port Errors on page 193
• Using the Port Monitoring Display Keys on page 195
• Viewing VLAN Statistics on page 196
• Performing Switch Diagnostics on page 197
• Using the System Health Checker on page 202
• Setting the System Recovery Level on page 205
• Viewing Fan Information on page 212
• Viewing the System Temperature on page 213
• Using the Event Management System/Logging on page 214
• Using sFlow on page 228
• Using RMON on page 233

Viewing statistics on a regular basis allows you to see how well your network is performing. If
you keep simple daily records, you can see trends emerging and notice problems arising before
they cause major network faults. In this way, statistics can help you get the best out of your
network.

Overview
The status monitoring facility provides information about the switch. This information may be
useful for your technical support representative if you have a problem. XCM8800 software
includes many command line interface (CLI) show commands that display information about
different switch functions and facilities.

Note: For more information about show commands for a specific XCM8800
feature, see the appropriate chapter in this guide.

Viewing Port Statistics
XCM8800 software provides a facility for viewing port statistical information. The summary
information lists values for the current counter for each port on each operational module in
the system. The switch automatically refreshes the display (this is the default behavior).
You can also display a snapshot of the real-time port statistics at the time you issue the
command and view the output in a page-by-page mode. This setting is not saved; therefore,
you must specify the no-refresh parameter each time you want a snapshot of the port
statistics.
Values are displayed to nine digits of accuracy.
To view port statistics, use the following command:
show ports { | stack-ports } statistics {no-refresh}

The switch collects the following port statistical information:
• Link State—The current state of the link. Options are:
  • Active (A)—The link is present at this port.
  • Ready (R)—The port is ready to accept a link.
  • Loopback (L)—The port is configured for WANPHY loopback.
  • Not Present (NP)—The port is configured, but the module is not installed in the slot
(modular switches only).
• Transmitted Packet Count (TX Pkt Count)—The number of packets that have been successfully
transmitted by the port.
• Transmitted Byte Count (TX Byte Count)—The total number of data bytes successfully
transmitted by the port.
• Received Packet Count (RX Pkt Count)—The total number of good packets that have been
received by the port.
• Received Byte Count (RX Byte Count)—The total number of bytes that were received by the
port, including bad or lost frames. This number includes bytes contained in the Frame Check
Sequence (FCS), but excludes bytes in the preamble.
• Received Broadcast (RX Bcast)—The total number of frames received by the port that are
addressed to a broadcast address.
• Received Multicast (RX Mcast)—The total number of frames received by the port that are
addressed to a multicast address.

Viewing Port Errors
The switch keeps track of errors for each port and automatically refreshes the display (this is
the default behavior).
You can also display a snapshot of the port errors at the time you issue the command and
view the output in a page-by-page mode. This setting is not saved; therefore, you must
specify the no-refresh parameter each time you want a snapshot of the port errors.
To view port transmit errors, use the following command:
show ports { | stack-ports } txerrors {no-refresh}

The switch collects the following port transmit error information:
• Port Number—The number of the port.
• Link State—The current state of the link. Options are:
  • Active (A)—The link is present at this port.
  • Ready (R)—The port is ready to accept a link.
  • Loopback (L)—The port is configured for WANPHY loopback.
  • Not Present (NP)—The port is configured, but the module is not installed in the slot
(modular switches only).
• Transmit Collisions (TX Coll)—The total number of collisions seen by the port, regardless of
whether a device connected to the port participated in any of the collisions.
• Transmit Late Collisions (TX Late Coll)—The total number of collisions that have occurred
after the port’s transmit window has expired.
• Transmit Deferred Frames (TX Deferred)—The total number of frames that were transmitted
by the port after the first transmission attempt was deferred by other network traffic.
• Transmit Errored Frames (TX Errors)—The total number of frames that were not completely
transmitted by the port because of network errors (such as late collisions or excessive
collisions).
• Transmit Lost Frames (TX Lost)—The total number of transmit frames that do not get
completely transmitted because of buffer problems (FIFO underflow).
• Transmit Parity Frames (TX Parity)—The bit summation has a parity mismatch.

To view port receive errors, use the following command:
show ports { | stack-ports } rxerrors {no-refresh}

The switch collects the following port receive error information:
• Port Number—The number of the port.
• Link State—The current state of the link. Options are:
  • Active (A)—The link is present at this port.
  • Ready (R)—The port is ready to accept a link.
  • Not Present (NP)—The port is configured, but the module is not installed in the slot (modular switches only).
  • Loopback (L)—The port is in Loopback mode.
• Receive Bad CRC Frames (RX CRC)—The total number of frames received by the port that were of the correct length but contained a bad FCS value.
• Receive Oversize Frames (RX Over)—The total number of good frames received by the port greater than the supported maximum length of 1,522 bytes.
• Receive Undersize Frames (RX Under)—The total number of frames received by the port that were less than 64 bytes long.
• Receive Fragmented Frames (RX Frag)—The total number of frames received by the port that were of incorrect length and contained a bad FCS value.
• Receive Jabber Frames (RX Jabber)—The total number of frames received by the port that were greater than the supported maximum length and had a Cyclic Redundancy Check (CRC) error.
• Receive Alignment Errors (RX Align)—The total number of frames received by the port with a CRC error and not containing an integral number of octets.
• Receive Frames Lost (RX Lost)—The total number of frames received by the port that were lost because of buffer overflow in the switch.
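Read once, these counters say little; what matters is how fast they grow and which ones grow together. The following Python script is an added example, not code from this manual or from NETGEAR: it takes two snapshots of the txerrors and rxerrors counters (collecting them over SSH or SNMP is assumed and left out), computes the per-port increase, copes with counters that were cleared between samples, and names the likely cause from the counter definitions above. The port names, the snapshot values and the one-error-per-second threshold are constructed for the example.

```python
"""Rate-and-classify port error counters from two samples.

Added example; this is not code from the NETGEAR 8800 manual or from
NETGEAR. Collecting "show ports ... txerrors / rxerrors" (over SSH or
SNMP) is out of scope, so the two snapshots below are constructed. The
counter names follow the columns the manual documents and the causes
follow its definitions of those columns; the per-second threshold is an
assumption to tune per site.
"""
from dataclasses import dataclass

# rxerrors columns first, then txerrors columns, as the manual lists them.
COUNTERS = ("rx_crc", "rx_over", "rx_under", "rx_frag", "rx_jabber",
            "rx_align", "rx_lost", "tx_coll", "tx_late_coll",
            "tx_deferred", "tx_errors", "tx_lost", "tx_parity")

CAUSE_PHY = "physical layer (bad FCS / alignment: cable, optics, far end)"
CAUSE_DUPLEX = "duplex mismatch (collisions after the transmit window)"
CAUSE_BUFFER = "buffer exhaustion (frames lost to FIFO overflow/underflow)"
CAUSE_MTU = "MTU mismatch (frames above the 1,522-byte maximum)"

# Counters that, taken together, point at one cause.
RULES = (
    (CAUSE_PHY, ("rx_crc", "rx_align", "rx_frag")),
    (CAUSE_DUPLEX, ("tx_late_coll",)),
    (CAUSE_BUFFER, ("rx_lost", "tx_lost")),
    (CAUSE_MTU, ("rx_over", "rx_jabber")),
)


@dataclass(frozen=True)
class Finding:
    port: str
    cause: str
    per_second: float


def deltas(before, after):
    """Per-port counter increase between two snapshots.

    The counters are cumulative. A value that went down means they were
    cleared in between ("clear counters", or the 0 key in the live
    display); the new value is then the whole increase.
    """
    out = {}
    for port, new in after.items():
        old = before.get(port, {})
        d = {}
        for c in COUNTERS:
            n, o = new.get(c, 0), old.get(c, 0)
            d[c] = n if n < o else n - o
        out[port] = d
    return out


def classify(before, after, seconds, threshold=1.0):
    """One Finding per (port, cause) whose error rate is >= threshold/s.

    Alert on rate, not on the absolute count: a single bad frame a
    minute on a busy link is noise, a sustained rate is a fault.
    """
    all_deltas = deltas(before, after)
    findings = []
    for port in sorted(all_deltas):
        d = all_deltas[port]
        for cause, keys in RULES:
            rate = sum(d[k] for k in keys) / seconds
            if rate >= threshold:
                findings.append(Finding(port, cause, round(rate, 2)))
    return findings


# Constructed snapshots taken 60 s apart; ports in slot:port notation.
SNAPSHOT_T0 = {
    "4:1": {"rx_crc": 10, "rx_align": 2},
    "4:2": {"tx_late_coll": 40},
    "4:3": {"rx_lost": 500},
    "4:4": {"rx_crc": 3},
}
SNAPSHOT_T1 = {
    "4:1": {"rx_crc": 400, "rx_align": 150},  # CRC and alignment climbing
    "4:2": {"tx_late_coll": 1000},             # late collisions
    "4:3": {"rx_lost": 90},                    # cleared, then 90 new losses
    "4:4": {"rx_crc": 4},                      # one bad frame: noise
}


def demo():
    return classify(SNAPSHOT_T0, SNAPSHOT_T1, seconds=60)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.port}: {f.cause} at {f.per_second}/s")
```

Take the no-refresh snapshot before anyone clears counters while an incident is open: once the counters are zeroed, the rate information is gone with them.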

Using the Port Monitoring Display Keys
Table 21 describes the keys used to control the displays that appear if you use any of the show ports commands without specifying the no-refresh parameter (this is the default behavior).

Table 21. Port Monitoring Display Keys with Auto-Refresh Enabled
Key(s)    Description
U         Displays the previous page of ports.
D         Displays the next page of ports.
[Esc]     Exits from the screen.
0         Clears all counters.
[Space]   Cycles through the following screens:
          • Packets per second
          • Bytes per second
          • Percentage of bandwidth
          Note: Available only using the show ports utilization command.

Table 22 describes the keys used to control the displays that appear if you use any of the show ports commands and specify the no-refresh parameter.

Table 22. Port Monitoring Display Keys with Auto-Refresh Disabled
Key       Description
Q         Exits from the screen.
[Space]   Displays the next page of ports.

Viewing VLAN Statistics
XCM8800 software provides the facility for viewing VLAN statistics at the port level.
To configure the switch to start counting VLAN statistics, use the following commands:
clear counters
configure ports monitor vlan

Up to four VLANs can be monitored on the same port by issuing the command up to four times.
To view VLAN statistics at the port level, use the following command:
show ports vlan statistics

The switch collects and displays the following statistics:
• Port—The designated port.
• VLAN—The associated VLANs.
• Rx Frames Count—The total number of frames successfully received by the port.
• Rx Byte Count—The total number of bytes that were received by the port.
• Tx Total Frames—The total number of frames that were transmitted by the port.
• Tx Byte Count—The total number of bytes that were transmitted by the port.

To view VLAN statistics at the VLAN level, use the following command:
show vlan statistics

The switch collects and displays the following statistics:
• VLAN—The designated VLAN.
• Rx Frames Count—The total number of frames successfully received on the VLAN.
• Rx Byte Count—The total number of bytes that were received on the VLAN.
• Tx Total Frames—The total number of frames that were transmitted on the VLAN.
• Tx Byte Count—The total number of bytes that were transmitted on the VLAN.

To stop counting VLAN statistics, use the following command:
unconfigure ports monitor vlan

Performing Switch Diagnostics
The switch provides a facility for running normal or extended diagnostics. In simple terms, a normal routine performs a simple ASIC and packet loopback test on all ports, and an extended routine performs extensive ASIC, ASIC-memory, and packet loopback tests. By running and viewing the results from diagnostic tests, you can troubleshoot and resolve network issues.
On NETGEAR 8800 series switches, you can run the diagnostic routine on Input/Output (I/O) modules or management modules (MSMs/MMs) without affecting the operation of the rest of the system.

Note: Before running diagnostics, you must power on the External Power Supply (EPS) when it is connected to the switch.

When you run diagnostics on an I/O module or an MSM/MM, the switch verifies that the:
• Registers can be written to and read from correctly.
• Memory addresses are accessed correctly.
• Application-Specific Integrated Circuits (ASICs) and Central Processing Units (CPUs) operate as required.
• Data and control fabric connectivity is active (modular switches only).
• External ports can send and receive packets.
• Sensors, hardware controllers, and LEDs are working correctly.

Note: Before running slot diagnostics on a modular switch, you must have at least one MSM/MM installed in the chassis.

The remainder of this section describes the following topics:
• Running Diagnostics on page 197
• Observing LED Behavior During a Diagnostic Test on page 199
• Displaying Diagnostic Test Results on page 201

Running Diagnostics
If you run the diagnostic routine on an I/O module, that module is taken offline while the
diagnostic test is performed. Traffic to and from the ports on that I/O module is temporarily
unavailable. When the diagnostic test is complete, the I/O module is reset and becomes
operational again.

Treat I/O module diagnostics as a maintenance window: every port on the module is down for the duration of the test, and a redundant uplink that terminates on the same module does not help.
If you run diagnostics on an MSM/MM, that module is taken offline while the diagnostic test is performed. When the diagnostic test is complete, the MSM/MM reboots and becomes operational again.
If you run diagnostics on the primary MSM/MM, the backup MSM/MM assumes the role of the primary and takes over switch operation. After the MSM/MM completes the diagnostic routine and reboots, you can initiate failover from the new primary MSM/MM to the original primary MSM/MM. Before initiating failover, confirm that both MSMs/MMs are synchronized using the show switch command. If the MSMs/MMs are synchronized, initiate failover using the run msm-failover command. For more detailed information about system redundancy and MSM/MM failover, see Understanding System Redundancy on page 64.
Run diagnostics on one MSM/MM at a time. After you run the diagnostic routine on the first MSM/MM, use the show switch command to confirm that both MSMs/MMs are up, running, and synchronized before running diagnostics on the second MSM/MM.
After the switch runs the diagnostic routine, test results are saved in the module's EEPROM and messages are logged to the syslog. Check the log as well as the LEDs: a failed test is recorded there even if nobody was watching the module when it finished.
To run diagnostics on I/O or MSM/MM modules, use the following command:
run diagnostics [extended | normal | stack-port] {slot [ | A | B]}

Where the following is true:
• extended—Takes the switch fabric and ports offline and performs extensive ASIC, ASIC-memory, and packet loopback tests. Extended diagnostic tests take a maximum of 15 minutes. The CPU is not tested. Console access is available during extended diagnostics.
  If you have a Power over Ethernet (PoE) module installed, the switch also performs an extended PoE test, which tests the functionality of the inline power adapter.
• normal—Takes the switch fabric and ports offline and performs a simple ASIC and packet loopback test on all ports.
• —Specifies the slot number of an I/O module. When the diagnostic test is complete, the system attempts to bring the I/O module back online.
  Note: To run diagnostics on the management portion of the master MSM, specify slot A or B. If an I/O subsystem is present on the MSM, then that I/O subsystem will be non-operational until diagnostics are completed.
• A | B—Specifies the slot letter of the primary MSM. The diagnostic routine is performed when the system reboots. Both switch fabric and management ports are taken offline during diagnostics.

Before running diagnostics on a module, you can use the disable slot  {offline} command to force the module to enter the offline state, which takes the switch fabric and ports offline. If you run diagnostics on a module that is not offline, the switch automatically takes the switch fabric and ports offline when you use the run diagnostics [extended | normal | stack-port] {slot [ | A | B]} command.
After the diagnostic routine has finished, use the enable slot  command to bring the module back online and operational.

Observing LED Behavior During a Diagnostic Test
Whether you run a diagnostic test on an I/O module or MSM/MM, LED activity occurs during
and immediately following the test. The LED behavior described in this section relates only to
the behavior associated with a diagnostic test. For more detailed information about all of the
I/O module, MSM/MM, and switch LEDs, see the hardware documentation listed in Related
Publications on page 24.

I/O Module LED Behavior
Table 23 describes the NETGEAR 8800 series switch I/O module LED behavior during a diagnostic test.

Table 23. NETGEAR 8800 Series Switch I/O Module LED Behavior
LED     Color            Indicates
DIAG    Amber blinking   Diagnostic test in progress.
        Amber            Diagnostic failure has occurred.
        Green            Diagnostic test has passed.
Status  Amber blinking   Configuration error, code version error, diagnostic failure, or other severe module error.
        Off              Diagnostic test in progress, or diagnostic failure has occurred.

After the I/O module completes the diagnostic test, or the diagnostic test is terminated, the DIAG and the Status LEDs are reset. During normal operation, the DIAG LED is off and the Status LED blinks green.

MSM LED Behavior
This section describes the MSM LED behavior during a diagnostic test.

LED behavior during a diagnostic test on the primary MSM
Table 24 describes the NETGEAR 8800 series switch XCM88S1 LED behavior during a diagnostic test on the primary MSM.

Table 24. NETGEAR 8800 Series Switch XCM88S1 LED Behavior During Diagnostic Test on Primary MSM
MSM      LED        Color                 Indicates
Primary  ERR        Off                   Depending on the situation, this state indicates:
                                          • Diagnostic test in progress on the primary MSM.
                                          • Diagnostic test has passed.
                                          • Diagnostic failure has occurred.
         ENV        Off                   Depending on the situation, this state indicates:
                                          • Diagnostic test has passed.
                                          • Diagnostic failure has occurred.
                    Amber blinking        Diagnostic test is in progress on the primary MSM.
         Mstr/Diag  Green/Off             Diagnostic failure has occurred.
                    Off/Green             Depending on the situation, this state indicates:
                                          • Diagnostic test in progress on the primary MSM.
                                          • Diagnostic test has passed.
         Sys/Stat   Off/Off               Depending on the situation, this state indicates:
                                          • Diagnostic test in progress on the primary MSM.
                                          • Diagnostic test has passed.
                    Amber/Green blinking  Diagnostic failure has occurred.
Backup   ERR        Off                   Depending on the situation, this state indicates:
                                          • Diagnostic test in progress on the primary MSM.
                                          • Diagnostic test has passed.
                                          • Diagnostic failure has occurred.
         ENV        Off                   Depending on the situation, this state indicates:
                                          • Diagnostic test in progress on the primary MSM.
                                          • Diagnostic test has passed.
                                          • Diagnostic failure has occurred.
         Mstr/Diag  Off/Off               Diagnostic failure has occurred.
                    Green/Green           Diagnostic test in progress on the primary MSM.
                    Green/Off             Diagnostic test has passed.
         Sys/Stat   Off/Green blinking    Diagnostic test has passed.
                    Off/Off               Diagnostic test in progress on the primary MSM.
                    Amber/Green blinking  Diagnostic failure has occurred.

LED behavior during a diagnostic test on the backup MSM
Table 25 describes the NETGEAR 8800 series switch XCM88S1 LED behavior during a diagnostic test on the backup MSM.

Table 25. NETGEAR 8800 Series Switch XCM88S1 LED Behavior During Diagnostic Test on Backup MSM
MSM      LED        Color               Indicates
Backup   ERR        Off                 Depending on the situation, this state indicates:
                                        • Diagnostic test in progress on the backup MSM.
                                        • Diagnostic test has passed.
         ENV        Off                 Depending on the situation, this state indicates:
                                        • Diagnostic test in progress on the backup MSM.
                                        • Diagnostic test has passed.
         Mstr/Diag  Off/Green           Depending on the situation, this state indicates:
                                        • Diagnostic test in progress on the backup MSM.
                                        • Diagnostic test has passed.
         Sys/Stat   Off/Green           Diagnostic test in progress on the backup MSM.
                    Off/Off             Diagnostic test has passed.
Primary  ERR        Amber               Depending on the situation, this state indicates:
                                        • Diagnostic test in progress on the backup MSM.
                                        • Diagnostic test has passed.
         ENV        Off                 Depending on the situation, this state indicates:
                                        • Diagnostic test in progress on the backup MSM.
                                        • Diagnostic test has passed.
         Mstr/Diag  Green/Off           Depending on the situation, this state indicates:
                                        • Diagnostic test in progress on the backup MSM.
                                        • Diagnostic test has passed.
         Sys/Stat   Off/Green blinking  Depending on the situation, this state indicates:
                                        • Diagnostic test in progress on the backup MSM.
                                        • Diagnostic test has passed.

Displaying Diagnostic Test Results
To display the status of the last diagnostic test run on the switch, use the following command:
show diagnostics {slot [ | A | B]}

Note: The slot, A, and B parameters are available only on modular
switches.


Using the System Health Checker
The system health checker is a useful tool to monitor the overall health of your system. Depending on your platform, the software performs a proactive, preventive search for problems by polling and reporting the health of system components, including I/O and management module processes, power supplies, power supply controllers, and fans. By isolating faults to a specific module, backplane connection, control plane, or component, the system health checker notifies you of a possible hardware fault.
This section describes the system health check functionality of the NETGEAR 8800. This section also describes the following topics:
• Enabling Diagnostic Packets on NETGEAR 8800 Switches on page 203
• Configuring Diagnostic Packets on the Switch on page 203
• Disabling Diagnostic Packets on the Switch on page 203
• Displaying the System Health Check Setting on page 203

Understanding the System Health Checker
On NETGEAR 8800 series switches, the system health checker tests the backplane, the CPUs on the MSM modules, the I/O modules, the processes running on the switch, and the power supply controllers by periodically forwarding packets and checking the validity of the forwarded packets.
Two modes of health checking are available: polling (also known as control plane health checking) and backplane diagnostic packets (also known as data plane health checking). These methods are briefly described in the following:
• Polling is always enabled on the system and occurs every 5 seconds by default. The polling value is not a user-configured parameter. The system health checker polls the control plane health between MSMs and I/O modules, monitors memory levels on the I/O module, monitors the health of the I/O module, and checks the health of applications and processes running on the I/O module. If the system health checker detects an error, the health checker notifies the MSM.
• Backplane diagnostic packets are disabled by default. If you enable this feature, the system health checker tests the data link for a specific I/O module every 5 seconds by default. The MSM sends and receives diagnostic packets from the I/O module to determine the state and connectivity. If you disable backplane diagnostics, the system health checker stops sending backplane diagnostic packets.

For more information about enabling and configuring backplane diagnostics, see the following sections:
• Enabling Diagnostic Packets on NETGEAR 8800 Switches on page 203
• Configuring Diagnostic Packets on the Switch on page 203

System health check errors are reported to the syslog. Send the log to a remote syslog server as well, so that the record of the error survives the module reset or switch reboot that may follow it. If you see an error, contact NETGEAR Technical Support.

Enabling Diagnostic Packets on NETGEAR 8800 Switches
To enable diagnostic packets, use the following command:
enable sys-health-check slot 

By default, the system health checker tests the data link or the 10 Gbps links every 5 seconds for the specified slot.

Note: Enabling backplane diagnostic packets increases CPU utilization and competes with network traffic for resources.

Configuring Diagnostic Packets on the Switch
To configure the frequency of sending backplane diagnostic packets, use the following command:
configure sys-health-check interval 

Note: NETGEAR does not recommend configuring an interval of less than the default interval. Doing so can cause excessive CPU utilization.

Disabling Diagnostic Packets on the Switch
To disable diagnostic packets, use the following command:
disable sys-health-check slot 

After you disable diagnostic packets, the system health checker stops sending backplane diagnostic packets to the specified slot. Only polling remains enabled.

Displaying the System Health Check Setting
To display the system health check setting, including polling and how XCM8800 software handles faults on the switch, use the following command:
show switch

As previously described, polling is always enabled on the switch.
The system health check setting, displayed as SysHealth check, shows the polling setting and how XCM8800 handles faults. The polling setting appears as Enabled, and the fault handling setting appears in parentheses next to the polling setting. For more information about the fault handling setting, see Configuring Module Recovery on page 206.
In the following truncated output from a NETGEAR 8810 switch, the system health check setting appears as SysHealth check: Enabled (Normal):
SysName:          TechPubs Lab
System Type:      XCM8810
SysLocation:
SysContact:       support@netgear.com
System MAC:       00:04:96:1F:A2:60
SysHealth check:  Enabled (Normal)
Recovery Mode:    None
System Watchdog:  Enabled

System Health Check Examples: Diagnostics
This section provides examples for using the system health checker on the NETGEAR 8800 series switches. For more detailed information about the system health check commands, see the chapter on commands for status monitoring and statistics in the NETGEAR 8800 Chassis Switch CLI Manual.

Example on the NETGEAR 8800 Series Switch
This section describes a series of two examples for:
• Enabling and configuring backplane diagnostics
• Disabling backplane diagnostics

Enabling and Configuring Backplane Diagnostics
The following example:
• Enables backplane diagnostic packets on slot 3
• Configures backplane diagnostic packets to be sent every 7 seconds

1. Enable backplane diagnostic packets on slot 3 using the following command:
enable sys-health-check slot 3

When you enable backplane diagnostic packets on slot 3, the timer runs at the default rate of 5 seconds.
2. Configure backplane diagnostic packets to be sent every 7 seconds using the following command:
configure sys-health-check interval 7

Note: NETGEAR does not recommend configuring an interval of less than 5 seconds. Doing this can cause excessive CPU utilization.

Disabling Backplane Diagnostics
Building upon the previous example, the following example disables backplane diagnostics on slot 3:
disable sys-health-check slot 3

Backplane diagnostic packets are no longer sent, but the configured interval for sending backplane diagnostic packets remains at 7 seconds. The next time you enable backplane diagnostic packets, the health checker sends the backplane diagnostic packets every 7 seconds.
To return to the "default" setting of 5 seconds, configure the frequency of sending backplane diagnostic packets to 5 seconds using the following command:
configure sys-health-check interval 5

Setting the System Recovery Level
Depending on your switch model, you can configure the switch, MSM/MM, or I/O module to take action if a fault detection exception occurs. The following sections describe how to set the software and hardware recovery levels on the switch, MSM/MM, and I/O modules.
This section describes the following topics:
• Configuring Software Recovery on page 205
• Configuring Module Recovery on page 206

Configuring Software Recovery
You can configure the system to either take no action or to automatically reboot the switch after a software task exception, using the following command:
configure sys-recovery-level [all | none]

Where the following is true:
• all—Configures XCM8800 to log an error to the syslog and automatically reboot the system after any software task exception.
  On modular switches, this command sets the recovery level only for the MSMs/MMs. The MSM/MM should reboot only if there is a software exception that occurs on the MSM/MM. The MSM/MM should not reboot if a software exception occurs on an I/O module.
• none—Configures the system to take no action if a software task exception occurs. The system does not reboot, which can cause unexpected switch behavior: the switch may keep forwarding while the crashed task, and whatever depended on it, is no longer running.

Note: Use this parameter only with guidance by NETGEAR's Technical Support personnel, and restore the default once troubleshooting is finished.

The default setting and behavior is all. NETGEAR strongly recommends using the default setting.

Displaying the Software Recovery Setting
To display the software recovery setting on the switch, use the following command:
show switch

This command displays general switch information, including the software recovery level.
SysName:          XCM8806
SysLocation:
SysContact:
System MAC:       00:04:96:3F:0C:40
System Type:      XCM8806
SysHealth check:  Enabled (Normal)
Recovery Mode:    All
System Watchdog:  Enabled
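Both show switch examples in this chapter carry the three lines that decide how the switch reacts to a fault: SysHealth check, Recovery Mode and System Watchdog. The following Python script is an added example, not code from this manual or from NETGEAR: it parses those Key: Value lines and reports any switch whose settings differ from the defaults this section recommends, so the check can be run across a fleet from saved show switch output. The two sample outputs are constructed from the manual's truncated examples; the compliance rules are an assumption to adjust per site.

```python
"""Audit the fault-handling lines of "show switch" output.

Added example; this is not code from the NETGEAR 8800 manual or from
NETGEAR. It parses the "Key:  Value" lines that "show switch" prints and
checks the settings this chapter describes: SysHealth check Enabled
(polling is always on), Recovery Mode All (the default NETGEAR recommends)
and System Watchdog Enabled. The sample outputs are constructed from the
manual's truncated examples; the rules are an assumption to adjust per site.
"""
import re

# Key is letters and spaces only, so "System MAC: 00:04:96:..." keeps the
# colons in the MAC address on the value side.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$")
_LEVEL = re.compile(r"\((\w+)\)")  # the "(Normal)" / "(Strict)" suffix


def parse_show_switch(text):
    """Return the Key -> Value pairs from the output; a later duplicate wins."""
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def fault_handling_level(settings):
    """The level shown in parentheses after the polling state, e.g. 'Normal'."""
    m = _LEVEL.search(settings.get("SysHealth check", ""))
    return m.group(1) if m else None


def audit(settings):
    """Return human-readable findings; an empty list means compliant."""
    findings = []
    health = settings.get("SysHealth check", "")
    if not health.startswith("Enabled"):
        findings.append(f"SysHealth check: expected Enabled, got {health!r}")
    if fault_handling_level(settings) is None:
        findings.append("SysHealth check: fault-handling level missing")
    recovery = settings.get("Recovery Mode")
    if recovery != "All":
        findings.append(f"Recovery Mode: expected All, got {recovery!r} "
                        "(a software task exception will not reboot the MSM)")
    watchdog = settings.get("System Watchdog")
    if watchdog != "Enabled":
        findings.append(f"System Watchdog: expected Enabled, got {watchdog!r}")
    return findings


# Constructed from the manual's two truncated "show switch" examples.
SAMPLE_LAB = """\
SysName:          TechPubs Lab
System Type:      XCM8810
SysLocation:
SysContact:       support@netgear.com
System MAC:       00:04:96:1F:A2:60
SysHealth check:  Enabled (Normal)
Recovery Mode:    None
System Watchdog:  Enabled
"""
SAMPLE_PROD = """\
SysName:          XCM8806
SysLocation:
SysContact:
System MAC:       00:04:96:3F:0C:40
System Type:      XCM8806
SysHealth check:  Enabled (Normal)
Recovery Mode:    All
System Watchdog:  Enabled
"""

if __name__ == "__main__":
    for name, text in (("lab", SAMPLE_LAB), ("prod", SAMPLE_PROD)):
        print(name, audit(parse_show_switch(text)) or "compliant")
```

The lab sample is the NETGEAR 8810 output shown earlier in this chapter, and the script flags it: its Recovery Mode is None, which is the support-only setting described above.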

Configuring Module Recovery
You can configure the MSMs/MMs or I/O modules installed in NETGEAR 8800 series switches to take no action, take ports offline in response to errors, automatically reset, shut down, or, if dual MSMs/MMs are installed, fail over to the other MSM/MM if the switch detects a hardware fault. This enhanced level of recovery detects faults in the ASICs as well as packet buses.
To configure module recovery, use the following command:
configure sys-recovery-level slot [all | ] [none | reset | shutdown]

Where the following is true:
• none—Configures the MSM/MM or I/O module to maintain its current state regardless of the detected fault. The offending MSM/MM or I/O module is not reset. XCM8800 logs fault and error messages to the syslog and notifies you that the errors are ignored. This does not guarantee that the module remains operational; however, the switch does not reboot the module.

Note: When the sys-recovery-level is set to none, running msm-failover does not reboot the current MSM.

• reset—Configures the offending MSM/MM or I/O module to reset upon fault detection. XCM8800 logs fault, error, system reset, and system reboot messages to the syslog.
• shutdown—Configures the switch to shut down all slots/modules configured for shutdown upon fault detection. On the modules configured for shutdown, all ports in the slot are taken offline in response to the reported errors; however, the MSMs/MMs remain operational for debugging purposes only. You must save the configuration, using the save configuration command, for it to take effect. XCM8800 logs fault, error, system reset, system reboot, and system shutdown messages to the syslog.

The default setting is reset.
Depending on your configuration, the switch resets the offending MSM/MM or I/O module if a hardware fault detection occurs. An offending MSM/MM is reset any number of times and is not permanently taken offline. On NETGEAR 8800 series switches, an offending I/O module is reset a maximum of five times. After the maximum number of resets, the I/O module is permanently taken offline. For more information, see Module Recovery Actions on page 208.
What XCM8800 does about a detected fault is set per slot with the configure sys-recovery-level slot [all | ] [none | reset | shutdown] command. To configure how XCM8800 handles faults, use the configure sys-health-check all level [normal | strict] command. For detailed information about this command, see the NETGEAR 8800 Chassis Switch CLI Manual.
To view the system health check settings on the switch, use the show switch command as described in Displaying the System Health Check Setting on page 203.

Confirmation Messages Displayed
If you configure the hardware recovery setting to either none (ignore) or shutdown, the switch
prompts you to confirm this action. The following is a sample shutdown message:
Are you sure you want to shutdown on errors? (y/n)

Enter y to confirm this action and configure the hardware recovery level. Enter n or press
[Enter] to cancel this action.

Understanding the Shut Down Recovery Mode
You can configure the switch to shut down one or more I/O modules upon fault detection by specifying the shutdown option. If you configure one or more slots to shut down and the switch detects a hardware fault, all ports in all of the configured shut down slots are taken offline in response to the reported errors. (MSMs/MMs are available for debugging purposes only.)
The affected I/O module remains in the shutdown state across additional reboots or power cycles until you explicitly clear the shutdown state. If a module enters the shutdown state, the module actually reboots and the show slot command displays the state of the slot as Initialized; however, the ports are shut down and taken offline. For more information about clearing the shutdown state, see Clearing the Shutdown State on page 211.

Messages Displayed at the Startup Screen
If you configure the shutdown feature and a hardware error is detected, the system displays
an explanatory message on the startup screen. The following truncated sample output shows
the startup screen if any of the slots in a modular switch are shut down as a result of the
system recovery configuration:
The I/O modules in the following slots are shut down: 1,3
Use the "clear sys-recovery-level" command to restore I/O modules

When an exclamation point (!) appears in front of the command line prompt, it indicates that
one or more slots shut down as a result of your system recovery configuration and a switch
error.

Module Recovery Actions
Table 26 describes the actions module recovery takes based on your module recovery setting. For example, if you configure a module recovery setting of reset for an I/O module, the module is reset a maximum of five times before it is taken permanently offline.
From left to right, the columns display the following information:
• Module Recovery Setting—This is the parameter used by the configure sys-recovery-level slot command to distinguish the module recovery behavior.
• Hardware—This indicates the hardware that you may have installed in your switch.
• Action Taken—This describes the action the hardware takes based on the module recovery setting.

Table 26. Module Recovery Actions for the NETGEAR 8800 Series Switches
Module Recovery Setting   Hardware     Action Taken
none                      Single MSM   The MSM remains powered on in its current state. This does not guarantee that the module remains operational; however, the switch does not reboot the module.
                          Dual MSM     The MSM remains powered on in its current state. This does not guarantee that the module remains operational; however, the switch does not reboot the module.
                          I/O Module   The I/O module remains powered on in its current state. The switch sends error messages to the log and notifies you that the errors are ignored. This does not guarantee that the module remains operational; however, the switch does not reboot the module.
reset                     Single MSM   Resets the MSM.
                          Dual MSM     Resets the primary MSM and fails over to the backup MSM.
                          I/O Module   Resets the I/O module a maximum of five times. After the fifth time, the I/O module is permanently taken offline.
shutdown                  Single MSM   The MSM is available for debugging purposes only (the I/O ports also go down); however, you must clear the shutdown state using the clear sys-recovery-level command for the MSM to become operational. After you clear the shutdown state, you must reboot the switch. For more information, see Clearing the Shutdown State on page 211.
                          Dual MSM     The MSMs are available for debugging purposes only (the I/O ports also go down); however, you must clear the shutdown state using the clear sys-recovery-level command for the MSM to become operational. After you clear the shutdown state, you must reboot the switch. For more information, see Clearing the Shutdown State on page 211.
                          I/O Module   Reboots the I/O module. When the module comes up, the ports remain inactive because you must clear the shutdown state using the clear sys-recovery-level command for the I/O module to become operational. After you clear the shutdown state, you must reset each affected I/O module or reboot the switch. For more information, see Clearing the Shutdown State on page 211.

Displaying the Module Recovery Setting
To display the module recovery setting, use the following command:
show slot

The show slot output includes the shutdown configuration. If you configure the module recovery setting to shut down, the output displays an "E" flag that indicates any errors detected on the slot disable all ports on the slot. The "E" flag appears only if you configure the module recovery setting to shut down.

Note: If you configure one or more slots for shut down and the switch detects a hardware fault on one of those slots, all of the configured slots enter the shutdown state and remain in that state until explicitly cleared.

If you configure the module recovery setting to none, the output displays an "e" flag that indicates no corrective actions will occur for the specified MSM/MM or I/O module. The "e" flag appears only if you configure the module recovery setting to none.
The following sample output displays the module recovery action. In this example, notice the flags identified for slot 8:
* XCM8810.2 # show slot
Slots     Type         Configured   State        Ports  Flags
--------------------------------------------------------------
Slot-1                              Empty            0
Slot-2                              Empty            0
Slot-3                              Empty            0
Slot-4    XCM8824F     XCM8824F     Operational     24  M
Slot-5    XCM888F      XCM888F      Operational      8  M
Slot-6                              Empty            0
Slot-7    XCM8848T(P)  XCM8848T(P)  Operational     48  M
Slot-8    XCM8808X     XCM8808X     Operational      8  M E
Slot-9                              Empty            0
Slot-10                             Empty            0
MSM-A     XCM88S1                   Operational      0
MSM-B                               Empty            0

Flags : M - Backplane link to Master is Active
        B - Backplane link to Backup is also Active
        D - Slot Disabled
        I - Insufficient Power (refer to "show power budget")

Displaying Detailed Module Recovery Information
To display the module recovery setting for a specific port on a module, including the current
recovery mode, use the following command:
show slot 

In addition to the information displayed with show slot, this command displays the module
recovery setting configured on the slot. The following truncated output displays the module
recovery setting (displayed as Recovery Mode) for the specified slot:
Slot-8 information:
  State:              Operational
  Download %:         100
  Flags:              M E
  Restart count:      0 (limit 5)
  Serial number:      800424-00-02 1104G-02442
  Hw Module Type:     XCM8808X
  SW Version:         12.4.3.5
  SW Build:           v1243b5-patch1-3
  Configured Type:    XCM8808X
  Ports available:    8
  Recovery Mode:      Reset

Flags : M - Backplane link to Master is Active
        B - Backplane link to Backup is also Active
        D - Slot Disabled, S - Slot Secured
        I - Insufficient Power (refer to "show power budget")

Clearing the Shutdown State
If you configure one or more modules to shut down upon detecting a hardware fault, and the
switch enters the shutdown state, you must explicitly clear the shutdown state and reset the
affected modules for the switch to become functional. To clear the shutdown state, use the
following command:
clear sys-recovery-level

The switch prompts you to confirm this action. The following is a sample confirmation
message:
Are you sure you want to clear sys-recovery-level? (y/n)

Enter y to confirm this action and clear the shutdown state. Enter n or press [Enter] to cancel
this action.
After using the clear sys-recovery-level command, you must reset each affected module.
If you configured only a few I/O modules to shut down, reset each affected I/O module as
follows:
1. Disable the slot using the disable slot  command.
2. Re-enable the slot using the enable slot  command.

Note: You must complete this procedure for each module that enters the
shutdown state.

If you configured all I/O modules or one or more MSM/MMs to shut down, use the reboot
command to reboot the switch and reset all affected I/O modules.


After you clear the shutdown state and reset the affected module, each port is brought offline
and then back online before the module and the entire system is operational.

Troubleshooting Module Failures
If you experience an I/O module failure, use the following troubleshooting methods when you
can bring the switch offline to solve or learn more about the problem:
• Restarting the I/O module—Use the disable slot  command followed by the
  enable slot  command to restart the offending I/O module. By issuing these
  commands, the I/O module and its associated fail counter are reset. If the module does not
  restart, or you continue to experience I/O module failure, contact NETGEAR Technical
  Support.
• Running diagnostics—Use the run diagnostics normal  command to run
  diagnostics on the offending I/O module to ensure that you are not experiencing a
  hardware issue. If the module continues to enter the failed state, contact NETGEAR
  Technical Support. For more information about switch diagnostics, see Performing Switch
  Diagnostics on page 197.

If you experience an MSM/MM failure, contact NETGEAR Technical Support.

Viewing Fan Information
You can view detailed information about the fans installed in your switch. Depending on your
switch model, different information may be displayed.
To view detailed information about the health of the fans, use the following command:
show fans

The switch collects and displays the following fan information:
• State—The current state of the fan. Options are:
  • Empty: There is no fan installed.
  • Failed: The fan failed.
  • Operational: The fan is installed and working normally.
• NumFan—The number of fans in the fan tray.
• Fan Name, displayed as Fan-1, Fan-2, and so on (modular switches also include a
  description of the location, for example, Upper or Upper-Right)—Specifies the individual
  state for each fan in a fan tray and its current speed in revolutions per minute (rpm).

On modular switches, the output also includes the following information:
• PartInfo—Information about the fan tray, including the:
  • Serial number—A collection of numbers and letters that make up the serial number of
    the fan. This is the first series of numbers and letters in the display.
  • Part number—A collection of numbers and letters that make up the part number of
    the fan. This is the second series of numbers and letters in the display.
  • Revision—The revision number of the fan.
• Odometer—Specifies the power-on date and how long the fan tray has been operating
  since it was first powered on.

Viewing the System Temperature
Depending on your switch model, you can view the temperature in Celsius of the I/O
modules, management modules, power controllers, power supplies, and fan trays installed in
your switch. In addition, depending on the software version running on your switch, additional
or different temperature information might be displayed.
This section describes the following topics:
• System Temperature Output on page 213
• Power Supply Temperature on page 214

To view the system temperature, use the following command:
show temperature

System Temperature Output
Modular Switches Only
On a modular switch, the output includes the current temperature and operating status of the
I/O modules, management modules, and power controllers.
The following output shows a sample display of the current temperature and operating status
of the installed modules and power controllers:
XCM8810.4 # show temperature
Field Replaceable Units        Temp (C)   Status     Min   Normal   Max
--------------------------------------------------------------------------
Slot-1        :
Slot-2        :
Slot-3        :
Slot-4        : XCM8824F      23.00      Normal     -10   0-50     60
Slot-5        : XCM888F       25.00      Normal     -10   0-50     60
Slot-6        :
Slot-7        : XCM8848T(P)   28.50      Normal     -10   0-50     60
Slot-8        : XCM8808X      31.00      Normal     -10   0-50     60
Slot-9        :
Slot-10       :
MSM-A         : XCM88S1       29.00      Normal     -10   0-50     60
MSM-B         :
PSUCTRL-1     :               35.71      Normal     -10   0-50     60
PSUCTRL-2     :               30.50      Normal     -10   0-50     60

The switch monitors the temperature of each component and generates a warning if the
temperature exceeds the normal operating range. If the temperature exceeds the
minimum/maximum limits, the switch shuts down the overheated module.

Power Supply Temperature
To view the current temperature of the power supplies installed in the NETGEAR 8800 series
switches, use the following command:
show power {} {detail}

The following is sample output of temperature information:
PowerSupply 1 information:
...
Temperature:

30.1 deg C

...

Using the Event Management System/Logging
We use the general term, event, for any type of occurrence on a switch that could generate a
log message or require an action. For example, a link going down, a user logging in, a
command entered on the command line, or the software executing a debugging statement,
are all events that might generate a log message. The system for saving, displaying, and
filtering events is called the Event Management System (EMS). With EMS, you have many
options about which events generate log messages, where the messages are sent, and how
they are displayed.
Using EMS you can:
• Send event messages to a number of logging targets (for example, syslog host and
  NVRAM)
• Filter events per target, by:
  • Component, subcomponent, or specific condition (for example, BGP messages,
    IGMP.Snooping messages, or the IP.Forwarding.SlowPathDrop condition)
  • Match expression (for example, any messages containing the string “user5”)
  • Matching parameters (for example, only messages with source IP addresses in the
    10.1.2.0/24 subnet)
  • Severity level (for example, only messages of severity critical, error, or warning)
• Change the format of event messages (for example, display the date as “12-May-2005” or
  “2005-05-12”)
• Display log messages in real time and filter the messages that are displayed, both on the
  console and from Telnet sessions
• Display stored log messages from the memory buffer or NVRAM
• Upload event logs stored in memory buffer or NVRAM to a TFTP server
• Display counts of event occurrences, even those not included in filter
• Display debug information using a consistent configuration method

EMS supports IPv6 as a parameter for filtering events.

Sending Event Messages to Log Targets
You can specify seven types of targets to receive log messages:
• Console display
• Current session (Telnet or console display)
• Memory buffer (can contain 200 to 20,000 messages)
• NVRAM (messages remain after reboot)
• Primary MSM/MM (for modular systems)
• Backup MSM/MM (for modular systems)
• Syslog host

The first six targets exist by default; but before enabling any syslog host, you must add the
host’s information to the switch using the configure syslog command. NETGEAR EPICenter
can be a syslog target.
By default, the memory buffer and NVRAM targets are already enabled and receive
messages. To start sending messages to the targets, use the following command:
enable log target [console | memory-buffer | nvram | primary-msm |primary-node|
backup-msm | backup-node| session | syslog [all |  | ] {vr
} [local0 ... local7]]]

After you enable this feature, the target receives the messages it is configured for. See Target
Configuration on page 216 for information on viewing the current configuration of a target.
The memory buffer can contain only the configured number of messages, so once the buffer is
full, the oldest message is lost each time a new message arrives.
To stop sending messages to the target, use the following command:
disable log target [console | memory-buffer | nvram | primary-msm | primary-node
| backup-msm | backup-node | session | syslog [all |  | ] {vr
} [local0 ... local7]]]

Note: See your UNIX documentation for more information about the
syslog host facility.

Primary and Backup Systems
A system with dual MSMs/MMs (modular switches) keeps the two systems synchronized by
executing the same commands on both. However, the full data between the EMS servers is
not synchronized. The reason for this design decision is to make sure that the control channel
is not overloaded when a high number of log messages are generated.
To capture events generated by the primary node onto the backup node, two additional
targets are shown in the target commands—one called primary-msm (modular switches) and
one called backup-msm (modular switches). The first target is active only on the non-primary
(backup) EMS server and is used to send matching events to the primary EMS server. The
other target is active only on the primary EMS server and is used to send matching events to
all other EMS servers.
If the condition for the backup target is met by a message generated on the primary node, the
event is sent to the backup node. When the backup node receives the event, it detects if any
of the local targets (NVRAM, memory, or console) are matched. If so that event gets
processed. The session and syslog targets are disabled on the backup node, as they are
handled on the primary. If the condition for the primary target is met by a message generated
on the backup, the event is sent to the primary node.
Note that the backup target is active only on the primary node, and the primary target is
active only on the backup node.

Filtering Events Sent to Targets
Not all event messages are sent to every enabled target. Each target receives only the
messages that it is configured for.

Target Configuration
To specify the messages to send to an enabled target, you set a message severity level, a
filter name, and a match expression. These items determine which messages are sent to the
target. You can also configure the format of the messages in the targets. For example, the
console display target is configured to get messages of severity info and greater, the NVRAM
target gets messages of severity warning and greater, and the memory buffer target gets
messages of severity debug-data and greater. All the targets are associated by default with a
filter named DefaultFilter that passes all events at or above the default severity threshold. All
the targets are also associated with a default match expression that matches any messages
(the expression that matches any message is displayed as Match : (none) from the
command line). And finally, each target has a format associated with it.
To display the current log configuration of the targets, use the following command:
show log configuration target {console | memory-buffer | nvram | primary-msm |
primary-node | backup-msm | backup-node | session | syslog { |
 | vr } {[local0 ... local7]}}

To configure a target, you use specific commands for severity, filters, and formats. In addition,
you can configure the source IP address for a syslog target. Configuring the source IP
address allows the management station or syslog server to identify from which switch it
received the log messages. To configure the source IP address for a syslog target, use the
following command:


configure log target syslog [all |  | ] {vr }
{local0 ... local7} from 

The following sections describe the commands required for configuring filters, formats, and
severity.

Severity
Messages are issued with one of the following severity levels: Critical, Error, Warning, Notice,
Info, Debug-Summary, Debug-Verbose, or Debug-Data. When a message is sent to a syslog
target, the severity is mapped to a corresponding syslog priority value (see RFC 3164).
The three severity levels for extended debugging—Debug-Summary, Debug-Verbose, and
Debug-Data—require that log debug mode be enabled (which may cause a performance
degradation). See Displaying Debug Information on page 228 for more information about
debugging.
Table 27. Severity Levels Assigned by the Switch
Level                 Description
Critical              A serious problem has been detected that is compromising the operation of the
                      system; the system cannot function as expected unless the situation is remedied.
                      The switch may need to be reset.
Error                 A problem has been detected that is interfering with the normal operation of the
                      system; the system is not functioning as expected.
Warning               An abnormal condition, not interfering with the normal operation of the system,
                      has been detected that indicates that the system or the network in general may
                      not be functioning as expected.
Notice                A normal but significant condition has been detected, which signals that the
                      system is functioning as expected.
Info (Informational)  A normal but potentially interesting condition has been detected, which signals
                      that the system is functioning as expected; this level simply provides potentially
                      detailed information or confirmation.
Debug-Summary         A condition has been detected that may interest a developer seeking the reason
                      underlying some system behavior.
Debug-Verbose         A condition has been detected that may interest a developer analyzing some
                      system behavior at a more verbose level than provided by the debug summary
                      information.
Debug-Data            A condition has been detected that may interest a developer inspecting the data
                      underlying some system behavior.

You can use more than one command to configure the severity level of the messages sent to
a target. The most direct way to set the severity level of all the sent messages is to use the
following command:
configure log target [console | memory-buffer | nvram | primary-msm |
primary-node | backup-msm | backup-node | session | syslog [all |  |
 {vr } [local0 ... local7]]] {severity  {only}}


When you specify a severity level, messages of that severity level and greater are sent to the
target. If you want only those messages of the specified severity to be sent to the target, use
the keyword only. For example, specifying severity warning will send warning, error, and
critical messages to the target, but specifying severity warning only sends only warning
messages.
You can also use the following command to configure severity levels, which associate a filter
with a target:
configure log target [console | memory-buffer | primary-msm | primary-node |
backup-msm | backup-node | nvram | session | syslog [all |  |
 {vr } [local0 ... local7]]] filter  {severity
 {only}}

When you specify a severity level as you associate a filter with a target, you further restrict
the messages reaching that target. The filter may allow only certain categories of messages
to pass. Only the messages that pass the filter and then pass the specified severity level
reach the target.
Finally, you can specify the severity levels of messages that reach the target by associating a
filter with a target. The filter can specify exactly which message it will pass. Constructing a
filter is described in Filtering By Components and Conditions on page 220.

Components and Conditions
The event conditions detected by XCM8800 are organized into components and
subcomponents. To get a listing of the components and subcomponents in your release of
XCM8800, use the following command:
show log components {} {version}

For example, to get a list of the components and subcomponents in your system, use the
following command:
show log components

The following is partial output from this command:
                                                                   Severity
Component           Title                                          Threshold
------------------- ---------------------------------------------- ------------
...
STP                 Spanning-Tree Protocol (STP)                   Error
  InBPDU            STP In BPDU subcomponent                       Warning
  OutBPDU           STP Out BPDU subcomponent                      Warning
  System            STP System subcomponent                        Error
...
The display above lists the components, subcomponents, and the severity threshold
assigned to each. In EMS, you use a period (.) to separate component, subcomponent, and
condition names. For example, you can refer to the InBPDU subcomponent of the STP
component as STP.InBPDU. On the CLI, you can abbreviate or TAB complete any of these.
A component or subcomponent typically has several conditions associated with it. To see the
conditions associated with a component, use the following command:
show log events [ | [all | ] {severity
 {only}}] {details}

For example, to see the conditions associated with the STP.InBPDU subcomponent, use the
following command:
show log events stp.inbpdu

The following is sample output from this command:
Comp    SubComp     Condition               Severity      Parameters
------- ----------- ----------------------- ------------- ----------
STP     InBPDU      Drop                    Error         2 total
STP     InBPDU      Dump                    Debug-Data    3 total
STP     InBPDU      Trace                   Debug-Verbose 2 total
STP     InBPDU      Ign                     Debug-Summary 2 total
STP     InBPDU      Mismatch                Warning       2 total

The display above lists the five conditions contained in the STP.InBPDU component, the
severity of the condition, and the number of parameters in the event message. In this
example, the severities of the events in the STP.InBPDU subcomponent range from error to
debug-summary.
When you use the details keyword, you see the message text associated with the
conditions. For example, if you want to see the message text and the parameters for the
event condition STP.InBPDU.Trace, use the following command:
show log events stp.inbpdu.trace details

The following is sample output from this command:
Comp    SubComp     Condition               Severity      Parameters
------- ----------- ----------------------- ------------- ----------
STP     InBPDU      Trace                   Debug-Verbose 2 total
                                                          0 - string
                                                          1 - string (printf)
Port=%0%: %1%

The Comp heading shows the component name, the SubComp heading shows the
subcomponent (if any), the Condition heading shows the event condition, the Severity
heading shows the severity assigned to this condition, the Parameters heading shows the
parameters for the condition, and the text string shows the message that the condition will
generate. The parameters in the text string (for example, %0% and %1% above) will be replaced
by the values of these parameters when the condition is encountered and displayed as the
event message.


Filtering By Components and Conditions
You may want to send the messages that come from a specific component that makes up
XCM8800 or to send the message generated by a specific condition. For example, you might
want to send only those messages that come from the STP component, or send the message
that occurs when the IP.Forwarding.SlowPathDrop condition occurs. Or you may want to
exclude messages from a particular component or event. To do this, you construct a filter that
passes only the items of interest, and you associate that filter with a target.
The first step is to create the filter using the create log filter command. You can create a
filter from scratch, or copy another filter to use as a starting point. (It may be easiest to copy
an existing filter and modify it.) To create a filter, use the following command:
create log filter  {copy }

If you create a filter from scratch, that filter initially blocks all events until you add events
(either the events from a component or a specific event condition) to pass. You might create a
filter from scratch if you want to pass a small set of events and to block most events. If you
want to exclude a small set of events, use the default filter that passes events at or above the
default severity threshold (unless the filter has been modified), named DefaultFilter, that you
can copy to use as a starting point for your filter.
After you create your filter, you configure filter items that include or exclude events from the
filter. Included events are passed; excluded events are blocked. To configure your filter, use
the following command:
configure log filter  [add | delete] {exclude} events [ |
[all | ] {severity  {only}}]

For example, if you create the filter myFilter from scratch, use the following command to
include events:
configure log filter myFilter add events stp

All STP component events of at least the default threshold severity pass myFilter (for the
STP component, the default severity threshold is error). You can further modify this filter by
specifying additional conditions.
For example, assume that myFilter is configured as before, and assume that you want to
exclude the STP.CreatPortMsgFail event. To add that condition, use the following command:
configure log filter myFilter add exclude events stp.creatportmsgfail

You can also add events and subcomponents to the filter. For example, assume that myFilter
is configured as before, and you want to include the STP.InBPDU subcomponent. To add that
condition, use the following command:
configure log filter myFilter add events stp.inbpdu

You can continue to modify this filter by adding more filter items. The filters process events by
comparing the event with the most recently configured filter item first. If the event matches
this filter item, the incident is either included or excluded, depending on whether the exclude
keyword was used. If necessary, subsequent filter items on the list are compared. If the list of
filter items is exhausted with no match, the event is excluded and is blocked by the filter.
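The following Python model is an added example, not code from the NETGEAR manual or the switch: it reproduces the filter evaluation just described (most recently configured item first, first matching item decides, an exhausted list blocks) together with the severity threshold and the only keyword from the Severity section, and applies them to the three myFilter commands shown above. The STP thresholds come from the show log components listing; treating Info as the threshold for components the page does not list, and resolving the threshold from the most specific registered subcomponent of the event, are assumptions made for the model.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# EMS severity levels from most to least severe (Table 27).
SEVERITIES = ["Critical", "Error", "Warning", "Notice", "Info",
              "Debug-Summary", "Debug-Verbose", "Debug-Data"]
RANK = {s.lower(): i for i, s in enumerate(SEVERITIES)}

# Default thresholds as listed by "show log components" for STP in the manual.
# Components not on the page fall back to "Info", which is an assumption.
DEFAULT_THRESHOLD = {"stp": "Error", "stp.inbpdu": "Warning",
                     "stp.outbpdu": "Warning", "stp.system": "Error"}


def severity_passes(sev: str, threshold: str, only: bool = False) -> bool:
    """A threshold admits its own level and anything more severe; 'only' admits exactly it."""
    if only:
        return sev.lower() == threshold.lower()
    return RANK[sev.lower()] <= RANK[threshold.lower()]


def default_threshold(event: str) -> str:
    """Threshold of the most specific registered component/subcomponent of the event
    (assumption about how the per-component default is resolved)."""
    parts = event.lower().split(".")
    for n in range(len(parts), 0, -1):
        key = ".".join(parts[:n])
        if key in DEFAULT_THRESHOLD:
            return DEFAULT_THRESHOLD[key]
    return "Info"


def in_scope(event: str, scope: str) -> bool:
    """scope is 'all', a component, a subcomponent, or a full condition name."""
    e, s = event.lower(), scope.lower()
    return s == "all" or e == s or e.startswith(s + ".")


@dataclass
class FilterItem:
    events: str
    exclude: bool = False
    severity: Optional[str] = None
    only: bool = False


@dataclass
class LogFilter:
    name: str
    items: List[FilterItem] = field(default_factory=list)

    def add(self, events, exclude=False, severity=None, only=False):
        # configure log filter <name> add {exclude} events <events> {severity <s> {only}}
        self.items.append(FilterItem(events, exclude, severity, only))
        return self

    def passes(self, event: str, sev: str) -> bool:
        for item in reversed(self.items):          # most recently configured first
            if not in_scope(event, item.events):
                continue
            threshold = item.severity or default_threshold(event)
            if not severity_passes(sev, threshold, item.only):
                continue
            return not item.exclude                # first matching item decides
        return False                               # list exhausted: blocked


@dataclass
class LogTarget:
    name: str
    severity: str
    only: bool = False
    log_filter: Optional[LogFilter] = None
    match: str = "any"                             # shown as "Match : (none)"

    def accepts(self, event: str, sev: str, text: str) -> bool:
        """Target severity, the target's filter, then the match expression."""
        if not severity_passes(sev, self.severity, self.only):
            return False
        if self.log_filter is not None and not self.log_filter.passes(event, sev):
            return False
        # Python's re is a superset of the EMS simple regular expressions (dot, star, ^, $).
        return self.match == "any" or re.search(self.match, text) is not None


def build_my_filter() -> LogFilter:
    """The three configure log filter commands from the text, in the order given."""
    return (LogFilter("myFilter")
            .add("stp")
            .add("stp.creatportmsgfail", exclude=True)
            .add("stp.inbpdu"))


if __name__ == "__main__":
    console = LogTarget("console", "Info", log_filter=build_my_filter())
    # Constructed events; the condition names are those listed in the manual.
    for ev, sev in [("STP.InBPDU.Mismatch", "Warning"), ("STP.InBPDU.Trace", "Debug-Verbose"),
                    ("STP.CreatPortMsgFail", "Error"), ("IP.Forwarding.SlowPathDrop", "Warning")]:
        print("%-28s %-14s -> %s" % (ev, sev, console.accepts(ev, sev, "")))
```

Running the model shows why the order of the three commands matters: STP.InBPDU.Mismatch reaches the target through the most recent item even though its Warning severity is below the STP component threshold, while STP.CreatPortMsgFail is stopped by the exclude item before the broader stp item is ever consulted.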


To view the configuration of a filter, use the following command:
show log configuration filter {}

The following is sample output from this command (for the earlier filter):
Log Filter Name: myFilter
I/                                                  Severity
E  Comp.   Sub-comp.   Condition               CEWNISVD
-  ------- ----------- ----------------------- --------
I  STP     InBPDU                              --------
E  STP                 CreatPortMsgFail        -E------
I  STP                                         --------

Include/Exclude: I - Include,  E - Exclude
Component Unreg: * - Component/Subcomponent is not currently registered
Severity Values: C - Critical,       E - Error,          W - Warning,   N - Notice,   I - Info
Debug Severity : S - Debug-Summary,  V - Debug-Verbose,  D - Debug-Data
                 + - Debug Severities, but log debug-mode not enabled
If Match parameters present:
Parameter Flags: S - Source,   D - Destination, (as applicable)
                 I - Ingress,  E - Egress,
                 B - BGP
Parameter Types: Port - Physical Port list,   Slot - Physical Slot #
                 MAC  - MAC address,          IP   - IP Address/netmask,  Mask - Netmask
                 VID  - Virtual LAN ID (tag), VLAN - Virtual LAN name
                 L4   - Layer-4 Port #,       Num  - Number,              Str  - String
                 Nbr  - Neighbor,             Rtr  - Routerid,            Proc - Process Name
Strict Match   : Y - every match parameter entered must be present in the event
                 N - match parameters need not be present in the event

The show log configuration filter command shows each filter item, in the order that it will
be applied and whether it will be included or excluded. The above output shows the three
filter items, one including events from the STP.InBPDU component, one excluding the event
STP.CreatPortMsgFail, and the next including the remaining events from the STP
component. The severity value is shown as “*”, indicating that the component’s default
severity threshold controls which messages are passed. The Parameter(s) heading is empty
for this filter because no match is configured for this filter. Matches are described in Matching
Expressions next.
Each time a filter item is added to or deleted from a given filter, the specified events are
compared against the current configuration of the filter to try to logically simplify the
configuration. Existing items will be replaced by logically simpler items if the new item
enables rewriting the filter. If the new item is already included or excluded from the currently
configured filter, the new item is not added to the filter.


Matching Expressions
You can configure the switch so messages reaching the target match a specified match
expression. The message text is compared with the configured match expression to
determine whether to pass the message on. To require that messages match a match
expression, use the following command:
configure log target [console | memory-buffer | nvram | primary-msm |
primary-node | backup-msm | backup-node | session | syslog [all |  |
 {vr } [local0 ... local7]]] match [any |]

The messages reaching the target will match the match-expression, a simple regular
expression. The formatted text string that makes up the message is compared with the match
expression and is passed to the target if it matches. This command does not affect the filter in
place for the target, so the match expression is compared only with the messages that have
already passed the target’s filter. For more information on controlling the format of the
messages, see Formatting Event Messages on page 225.
Simple Regular Expressions
A simple regular expression is a string of single characters including the dot character (.),
which are optionally combined with quantifiers and constraints. A dot matches any single
character, while other characters match only themselves (case is significant). Quantifiers
include the star character (*) that matches zero or more occurrences of the immediately
preceding token. Constraints include the caret character (^) that matches at the beginning of
a message and the currency character ($) that matches at the end of a message. Bracket
expressions are not supported. There are a number of sources available on the Internet and
in various language references describing the operation of regular expressions. Table 28
shows some examples of regular expressions.
Table 28. Simple Regular Expressions
Regular Expression   Matches                          Does Not Match
port                 port 2:3                         poor
                     import cars                      por
                     portable structure               pot
..ar                 baar                             bar
                     bazaar
                     rebar
port.*vlan           port 2:3 in vlan test
                     add ports to vlan
                     port/vlan
myvlan$              delete myvlan                    myvlan port 2:3
                     error in myvlan                  ports 2:4,3:4 myvlan link down
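The following matcher is an added example, not code from the manual or the switch: it implements exactly the dialect described above (dot, star, ^ and $, case significant, no bracket expressions, so a square bracket matches only itself) and checks it against every row of Table 28. Whether the switch's own matcher treats $ or * in other positions as literal is not stated on the page; treating them as literal there is an assumption of this implementation.

```python
from typing import Iterable, List


def simple_match(pattern: str, text: str) -> bool:
    """True if the simple regular expression matches anywhere in text.
    ^ anchors at the start of the message, $ at its end, . is any character,
    X* is zero or more of the preceding token; everything else is literal."""
    if pattern.startswith("^"):
        return _match_here(pattern[1:], text)
    for start in range(len(text) + 1):       # unanchored: try each start offset
        if _match_here(pattern, text[start:]):
            return True
    return False


def _match_here(pattern: str, text: str) -> bool:
    if pattern == "":
        return True
    if len(pattern) >= 2 and pattern[1] == "*":
        return _match_star(pattern[0], pattern[2:], text)
    if pattern == "$":                        # end-of-message constraint
        return text == ""
    if text and (pattern[0] == "." or pattern[0] == text[0]):
        return _match_here(pattern[1:], text[1:])
    return False


def _match_star(token: str, rest: str, text: str) -> bool:
    """Match zero or more `token` (a literal or '.'), then the rest of the pattern.
    Tries the shortest run first, so `.*` still finds a later mandatory literal."""
    i = 0
    while True:
        if _match_here(rest, text[i:]):
            return True
        if i < len(text) and (token == "." or text[i] == token):
            i += 1
        else:
            return False


def messages_matching(pattern: str, messages: Iterable[str]) -> List[str]:
    """The subset of messages a target configured with `match <pattern>` would receive."""
    return [m for m in messages if simple_match(pattern, m)]


if __name__ == "__main__":
    # Constructed message texts, taken from the example columns of Table 28.
    samples = ["port 2:3", "import cars", "portable structure", "poor", "por", "pot",
               "baar", "bazaar", "rebar", "bar",
               "port 2:3 in vlan test", "add ports to vlan", "port/vlan",
               "delete myvlan", "error in myvlan", "myvlan port 2:3",
               "ports 2:4,3:4 myvlan link down"]
    for expr in ["port", "..ar", "port.*vlan", "myvlan$"]:
        print("%-12s -> %s" % (expr, messages_matching(expr, samples)))
```

Note that port/vlan does match port.*vlan because the star admits zero characters, and that a filter such as myvlan$ never sees a message whose text has anything after the VLAN name, which is why the match expression should be checked against the target's configured message format before relying on it.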

Matching Parameters
Rather than using a text match, EMS allows you to filter more efficiently based on the
parameter values of the message. In addition to event components and conditions and
severity levels, each filter item can also use parameter values to further limit which messages
are passed or blocked. The process of creating, configuring, and using filters has already
been described in Filtering By Components and Conditions on page 220, so this section
describes matching parameters with a filter item.
To configure a parameter match filter item, use the following command:
configure log filter  [add | delete] {exclude} events [
| [all | ] {severity  {only}}] [match |
strict-match]  

Each event in XCM8800 is defined with a message format and zero or more parameter
types. The show log events all command can be used to display event definitions (the
event text and parameter types). Only those parameter types that are applicable given the
events and severity specified are exposed on the CLI. The syntax for the parameter types
(represented by  in the command syntax above) is:
[address-family [ipv4-multicast | ipv4-unicast | ipv6-multicast | ipv6-unicast]
| bgp-neighbor 
| bgp-routerid 
| {destination | source} [ipaddress  | L4-port |
mac-address ]
| {egress | ingress} [slot  | ports ]
| ipaddress 
| L4-port 
| mac-address 
| netmask 
| number 
| port 
| process 
| slot 
| string 
| vlan 
| vlan tag ]

You can specify the ipaddress type as IPv4 or IPv6, depending on the IP version. The
following examples show how to configure IPv4 addresses and IPv6 addresses:
• IPv4 address
  To configure an IP address, with a mask of 32 assumed, use the following command:
  configure log filter myFilter add events all match ipaddress 12.0.0.1

  To configure a range of IP addresses with a mask of 8, use the following command:
  configure log filter myFilter add events all match ipaddress 12.0.0.0/8

• IPv6 address
  To configure an IPv6 address, with a mask of 128 assumed, use the following command:
  configure log filter myFilter add events all match ipaddress 3ffe::1

  To configure a range of IPv6 addresses with a mask of 16, use the following command:
  configure log filter myFilter add events all match ipaddress 3ffe::/16

• IPv6 scoped address
  IPv6 scoped addresses consist of an IPv6 address and a VLAN. The following examples
  identify a link local IPv6 address.
  To configure a scoped IPv6 address, with a mask of 128 assumed, use the following
  command:
  configure log filter myFilter add events all match ipaddress fe80::1%Default

  To configure a range of scoped IPv6 addresses with a mask of 16, use the following
  command:
  configure log filter myFilter add events all match ipaddress
  fe80::/16%Default

  To configure a scoped IPv6 address with any VLAN, use the following command:
  configure log filter myFilter add events all match ipaddress fe80::/16%*

  To configure any scoped IPv6 address with a specific VLAN, use the following command:
  configure log filter myFilter add events all match ipaddress fe80::/0%Default

Note: In the previous example, if you specify the VLAN name, it must be a
full match; wild cards are not allowed.

The  depends on the parameter type specified. As an example, an event may contain
a physical port number, a source MAC address, and a destination MAC address. To allow
only those RADIUS incidents, of severity notice and above, with a specific source MAC
address, use the following command:
configure log filter myFilter add events aaa.radius.requestInit severity notice
match source mac-address 00:01:30:23:C1:00

The string type is used to match a specific string value of an event parameter, such as a user
name. The exact string is matched with the given parameter and no regular expression is
supported.
Match Versus Strict-Match
The match and strict-match keywords control the filter behavior for incidents whose
event definition does not contain all the parameters specified in a configure log filter
events match command.
This is best explained with an example. Suppose an event in the XYZ component, named
XYZ.event5, contains a physical port number, a source MAC address, but no destination
MAC address. If you configure a filter to match a source MAC address and a destination
MAC address, XYZ.event5 will match the filter when the source MAC address matches
regardless of the destination MAC address because the event contains no destination MAC
address. If you specify the strict-match keyword, then the filter will never match event
XYZ.event5 because this event does not contain the destination MAC address.
In other words, if the match keyword is specified, an incident will pass a filter so long as all
parameter values in the incident match those in the match criteria, but all parameter types in
the match criteria need not be present in the event definition.
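Added example (not from the manual): a small Python model of the filter semantics above, covering IP and IPv6 criteria with masks and scoped VLAN names, exact MAC and string comparison, and the difference between match and strict-match. The helper names and the contents of the XYZ.event5 sample are constructed.

```python
import ipaddress

# Constructed model of EMS log-filter matching (not NETGEAR code).
# Parameter names are strings such as "source mac-address" or "ipaddress";
# the comparison rule is chosen from the name's type suffix.

def ip_matches(criterion, value):
    """criterion: 'A.B.C.D/N', 'X::Y', 'X::/N%VLAN' or '%*'; /32 or /128 assumed."""
    crit_addr, _, crit_vlan = criterion.partition("%")
    val_addr, _, val_vlan = value.partition("%")
    # A VLAN name must be a full match; only '*' means any VLAN.
    if crit_vlan and crit_vlan != "*" and crit_vlan != val_vlan:
        return False
    net = ipaddress.ip_network(crit_addr, strict=False)
    try:
        addr = ipaddress.ip_address(val_addr)
    except ValueError:
        return False
    return addr in net  # False when the IPv4/IPv6 families differ

def param_matches(name, criterion, value):
    if name.endswith("ipaddress"):
        return ip_matches(criterion, value)
    if name.endswith("mac-address"):
        return criterion.lower() == value.lower()
    return criterion == value  # string type: exact, no regular expressions

def incident_passes(criteria, event, strict=False):
    """match: criteria whose parameter the event lacks are ignored.
    strict-match: every criterion parameter must exist in the event definition."""
    for name, wanted in criteria.items():
        if name not in event:
            if strict:
                return False
            continue
        if not param_matches(name, wanted, event[name]):
            return False
    return True

# Constructed XYZ.event5: a port and a source MAC, but no destination MAC.
XYZ_EVENT5 = {"port": "1:3", "source mac-address": "00:01:30:23:C1:00"}
MAC_CRITERIA = {"source mac-address": "00:01:30:23:c1:00",
                "destination mac-address": "00:01:30:23:c1:ff"}

if __name__ == "__main__":
    print(incident_passes(MAC_CRITERIA, XYZ_EVENT5))               # True
    print(incident_passes(MAC_CRITERIA, XYZ_EVENT5, strict=True))  # False
```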

Formatting Event Messages
Event messages are made up of a number of items. The individual items can be formatted;
however, EMS does not allow you to vary the order of the items. To format the messages for
a particular target, use the following command:
configure log target [console | memory-buffer | nvram | session | syslog [all |
 | ] {vr } {local0 ... local7}]] format [timestamp
[seconds | hundredths | none] | date [dd-mm-yyyy | dd-Mmm-yyyy | mm-dd-yyyy |
Mmm-dd | yyyy-mm-dd | none] | severity | event-name [component | condition |
none | subcomponent] | host-name | priority | process-name | process-slot |
source-line

Using the default format for the session target, an example log message might appear as:
06/25/2004 22:49:10.63  MSM-A: PowerSupply:4 Powered On

If you set the current session format using the following command:
configure log target session format timestamp seconds date mm-dd-yyyy
event-name component

The same example would appear as:
06/25/2004 22:49:10  PowerSupply:4 Powered On

To provide some detailed information to technical support, set the current session format
using the following command:
configure log target session format timestamp hundredths date mmm-dd event-name
condition process-name source-line

The same example then appears as:
Jun 25 22:49:10.63  devmgr: (dm.c:134) PowerSupply:4 Powered On

Displaying Real-Time Log Messages
You can configure the system to maintain a running real-time display of log messages on the
console display or on a (Telnet) session. To turn on the log display on the console, use the
following command:
enable log target console


This setting may be saved to the FLASH configuration and is restored on boot-up (to the
console display session).
To turn on log display for the current session, use the following command:
enable log target session

This setting only affects the current session and is lost when you log off the session.
The messages that are displayed depend on the configuration and format of the target. For
information on message filtering, see Filtering Events Sent to Targets on page 216. For
information on message formatting, see Formatting Event Messages on page 225.

Displaying Event Logs
The log stored in the memory buffer and the NVRAM can be displayed on the current session
(either the console display or Telnet). To display the log, use the following command:
show log {messages [memory-buffer | nvram]} {events { |
]} {severity  {only}} {starting [date  time
