2. Agenda
• Speed/duplex auto negotiation
• Flow Control
• Back pressure
• MDI/MDIX
• Storm Control
• Port Security
• Port Mirroring
• Combo Ports
• VCT
Marvell Confidential
4. Auto Negotiation
• The purpose of auto negotiation is to allow a
device to advertise modes of operation.
• User can set the speed, duplex mode and flow
control advertisement
• Speed-duplex capabilities to be advertised can be
any combination of the following: 10h, 10f, 100h,
100f, 1000f
5. CLI – Auto negotiation
• Use the following interface mode command to allow auto
negotiation on a given interface or to advertise link
capabilities. Use the no form of this command to disable
negotiation:
negotiation {10h} {10f} {100h} {100f} {1000f}
no negotiation
console(config)# interface ethernet 1/e1
console(config-if)# negotiation
console(config-if)# negotiation 10h
6. CLI – Show advertisement
• Use the following show command to view:
– device interface advertisement
– Connected link partner advertisement
– resolution
console# show interfaces advertise ethernet 1/e1
Port: 1/e1
Type: 100M-Copper
Link state: Up
Auto negotiation: Enabled
                                  1000f  1000h  100f  100h  10f  10h
                                  .....  .....  ....  ....  ...  ...
Admin Local link Advertisement    no     no     no    no    no   yes
Oper Local link Advertisement     no     no     no    no    no   yes
Oper Remote link Advertisement    no     no     yes   yes   yes  yes
Priority Resolution               -      -      -     -     -    yes
7. CLI – Speed and Duplex
• Use the following interface mode command to define the
speed of an interface, when auto-negotiation is disabled.
Use the no form of this command to return to default:
speed {10|100|1000}
no speed
• Use the following interface mode command to define the
duplex mode (full/half) of an interface, when auto-
negotiation is disabled. Use the no form of this command to
return to default (full duplex):
duplex {half|full}
no duplex
console(config)# interface ethernet 1/e1
console(config-if)# no negotiation
console(config-if)# speed 100
console(config-if)# duplex full
9. Flow Control
• The system supports flow control on all ports including
Aggregate Links.
• Default state on all ports is flow control set to OFF.
• The user may enable or disable this feature on a per-port
basis.
10. CLI - Flow Control
• Use the following interface mode command to configure the
flow control of a given interface. To restore the default (flow
control off), use the no form of this command.
flowcontrol { auto | on | off}
no flowcontrol
– auto Auto negotiation
– on Enable
– off Disable
console(config-if)# flowcontrol auto
12. Back Pressure
• The system supports backpressure on all ports (when in
half duplex mode).
• The user may enable or disable this feature on a per-port
basis.
• Default status on all ports is set to OFF.
13. CLI - Back Pressure
• Use the following interface mode command to enable the
back pressure of a given interface. To disable it, use the no
form of this command.
back-pressure
no back-pressure
console(config-if)# back-pressure
15. MDI/MDIX - Preview
• Normally, Twisted Pair ports must be connected so that the
Transmit pair on one end is connected to the Receive pair
on the other end, and vice versa.
• Hubs and switches are deliberately wired opposite to the
way end stations are wired, so that when a hub or switch is
connected to an end station, a "straight through" Ethernet
cable can be used, and the pairs will match up properly.
• When two hubs/switches are connected to each other, or
two end stations are connected to each other, a
"crossover" cable is used to make sure that the correct
pairs are connected.
• The standard wiring for end stations is known as MDI
(Media Dependent Interface), and the standard wiring for
hubs and switches is known as MDIX (Media Dependent
Interface with Crossover)
16. MDI/MDIX
• The device can automatically correct errors in cable
selection, and make the distinction between a "straight
through" cable and a "crossover" cable irrelevant. This
capability is known as Auto Cross.
• Auto MDI/MDIX works only on copper ports.
• Port can be set to either MDI, MDIX or automatic crossover
• Auto-crossover is the default setting for all ports.
• MDI/MDIX setting is separate to that of the speed/Duplex
auto-negotiation
17. CLI - MDI/MDIX
• Use mdix command to enable cable crossover on a given
interface. To disable cable crossover, use the no form of this
command.
mdix {on | auto}
no mdix
– on - Manual MDIX
– Auto - Auto MDI/MDIX
– No – manual MDI
console(config-if)# mdix auto
19. Storm Control – Broadcast Rate Limiting
• The device can measure the rate of incoming broadcast
frames on each port separately, and discard frames when
the rate exceeds a user-set desired rate.
• Storm control feature is enabled/disabled separately for
each port.
• The desired broadcast rate limit is applied separately to
each port.
• Rate is set in Kbits/sec. The default is 100Kbps
• User can define if storm control will be applied only to
Broadcast packets or to multicast (and unknown) as well
20. CLI - Storm Control
• Use the following Interface Configuration Mode command to
enable broadcast rate limiting on a certain interface. Use the no
form of this command to return to default (rate limiting disabled).
port storm-control broadcast enable
no port storm-control broadcast enable
console(config)# interface ethernet 1/e3
console(config-if)# port storm-control broadcast enable
console(config-if)#
21. CLI - Storm Control
• Use the following Interface Configuration Mode command to set
the maximum rate of broadcast. Use the no form of this command
to return to default.
port storm-control broadcast rate rate
no port storm-control broadcast rate
console(config)# interface ethernet 1/e5
console(config-if)# port storm-control broadcast rate 70000
• Use the following Interface Configuration Mode command to
count multicast (and unknown unicast) packets in the port
storm-control broadcast rate command. Use the no form of the
command to disable counting of multicasts.
port storm-control include-multicast [unknown-unicast]
no port storm-control include-multicast
console(config-if)# port storm-control include-multicast unknown-unicast
22. Show - Storm Control
• Use the following EXEC Mode command to see the storm control
configuration on the device.
show ports storm-control
console# show ports storm-control
Port     State    Rate [Kbits/Sec] Included
-------- -------- ---------------- -------------------------------------
1/e1     Disabled 100              Broadcast
1/e2     Disabled 100              Broadcast
1/e3     Enabled  100              Broadcast
1/e4     Disabled 100              Broadcast
1/e5     Enabled  70000            Broadcast, Multicast, Unknown unicast
1/e6     Disabled 100              Broadcast
1/e7     Disabled 100              Broadcast
1/e8     Disabled 100              Broadcast
24. Port Security
• A control mechanism which monitors received and learned
packets on a port.
• Packets received on a locked port, whose source address
was not found in MAC forwarding table (not learned
previously dynamically or not entered statically), are treated
in one of the following ways, which can be configured per
port
– Forward (Frame is forwarded, but its address is not
learned)
– Discard
– Discard and disable the port
– send an SNMP trap (together with one of the
previous options)
• When a port becomes a locked port, all the current
addresses that were learned dynamically by the switch on
that specific port, are transformed to a “secure” status.
They are kept after reset if running config was copied to
startup
25. Port Security – Number of MACs
• A port security feature to increase security by limiting
access on a specific port to a limited user-defined number
of hosts
• A frame with a new Source MAC arriving on port after limit
is reached invokes the port lock mechanism
• Addresses learned on port are still subject to aging.
• A port can be defined either with classic port lock or with
number of MAC port lock
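Added example (not part of the original slides, and not device code): a toy Python model of how a frame with an unknown source MAC is handled under classic lock and under the number-of-MACs lock. The action names follow the port security command options (forward, discard, discard-shutdown); the class, its methods and the sample MAC addresses are constructed for illustration.

```python
class LockedPort:
    """Toy model of one port under port security (constructed for illustration)."""

    def __init__(self, action="discard", mode="lock", max_addresses=1,
                 trap=False, known=()):
        if action not in ("forward", "discard", "discard-shutdown"):
            raise ValueError(action)
        if mode not in ("lock", "max-addresses"):
            raise ValueError(mode)
        self.action, self.mode, self.trap = action, mode, trap
        self.max_addresses = max_addresses
        # Classic lock: addresses learned before locking become "secure".
        self.table = set(known)
        self.up = True
        self.traps = []          # source MACs that triggered an SNMP trap

    def receive(self, src_mac):
        """Return what happens to a frame arriving with this source MAC."""
        if not self.up:
            return "dropped, port is down"
        if src_mac in self.table:
            return "forwarded"
        # max-addresses mode keeps learning until the limit is reached.
        if self.mode == "max-addresses" and len(self.table) < self.max_addresses:
            self.table.add(src_mac)
            return "forwarded, learned"
        # Unknown source on a locked (or full) port: the lock action applies.
        if self.trap:
            self.traps.append(src_mac)
        if self.action == "forward":
            return "forwarded, not learned"
        if self.action == "discard-shutdown":
            self.up = False      # stays down until `set interface active`
            return "discarded, port disabled"
        return "discarded"

def demo():
    """Two hosts fit under a limit of 2; the third trips discard-shutdown."""
    port = LockedPort(action="discard-shutdown", mode="max-addresses",
                      max_addresses=2, trap=True)
    macs = ["00:00:09:00:00:00", "00:00:09:00:00:01",
            "00:00:09:00:00:02", "00:00:09:00:00:00"]
    return [port.receive(m) for m in macs]

if __name__ == "__main__":
    print(demo())
```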
26. Port security - Configuration
• Port security can be enabled only on ports which have been
defined as dot1x multiple hosts.
• Define type of port security
– Regular lock
– Number of MAC based lock (and the value)
• Define the per-port action to be carried out once intrusion
detection has been discovered, as defined above.
• Set the frequency of SNMP traps sent
• To release a port disabled by port security:
– Either use the exec mode “set interface active” command, or
– Reload (reboot) device
27. CLI - Port Security
• Use the following interface configuration mode command to allow
multiple hosts on a certain interface. The “no” form of commands
disables multiple hosts (the default)
dot1x multiple-hosts
no dot1x multiple-hosts
console(config)# interface ethernet 1/e1
console(config-if)# dot1x multiple-hosts
28. CLI – Basic Port Security
• Use the following interface mode command to lock learning
of new addresses on an interface. Use the no form of this
command to enable learning of new addresses.
port security [forward | discard | discard-shutdown] [trap seconds]
no port security
console(config)# interface ethernet 1/e1
console(config-if)# port security discard-shutdown
29. CLI – Lock Port Addresses
console# show bridge address-table
Aging time is 300 sec
Vlan Mac Address Port Type
-------- --------------------- ------ ----------
1 00:00:09:00:00:00 1/e1 secure //locked port addresses
1 00:00:09:00:00:01 1/e1 secure
1 00:00:09:00:00:02 1/e1 secure
1 00:00:09:00:00:03 1/e1 secure
1 00:00:09:00:00:04 1/e1 secure
1 00:00:09:00:00:05 1/e1 secure
1 00:00:09:00:00:06 1/e1 secure
1 00:00:09:00:00:07 1/e1 secure
1 00:00:09:00:00:08 1/e1 secure
1 00:00:09:00:00:09 1/e1 secure
g13 00:00:e2:86:f4:f2 1/e13 dynamic //regular learned address
30. CLI – Enabling a Port Shutdown
• Use the following Privileged EXEC mode command to enable a
port that was shut down by port security feature:
set interface active {ethernet interface | port-channel port-channel-number}
//sending traffic with new addresses to locked port
console# 01-Jan-2000 02:15:43 %LINK-W-Down: 1/e1
console# sh interfaces status
                                            Flow Link        Back     Mdix
Port     Type         Duplex Speed Neg      ctrl State       Pressure Mode
........ ............ ...... ..... ........ .... ........... ........ .......
1/e1     100M-Copper  --     --    --       --   Down*       --       --
1/e2     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
…
*: The interface was suspended by the system.
console#
31. CLI – Enabling a Port Shutdown (cont’)
• …Enabling a port that was shut down by port security feature
console# set interface active ethernet 1/e1
console# 01-Jan-2000 01:50:27 %LINK-I-Up: 1/e1
console# show interfaces status
                                            Flow Link        Back     Mdix
Port     Type         Duplex Speed Neg      ctrl State       Pressure Mode
........ ............ ...... ..... ........ .... ........... ........ .......
1/e1     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
1/e2     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
1/e3     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
……
32. CLI – port security mode
• Use the following Interface Configuration mode command to
configure the port security mode.
• To return to the default configuration, use the no form of this
command.
port security mode {lock | max-addresses}
no port security mode
console(config-if)# port security mode max-addresses
33. CLI – port security max
• The following Interface Configuration mode command
configures the maximum number of addresses that can be
learned on the port while the port is in port security mode.
• To return to the default configuration, use the no form of this
command.
port security max max
no port security max
console(config-if)# port security max 23
34. CLI – port security routed secure-address
• Use the following interface configuration mode command
to add a MAC-layer secure address to a routed port:
port security routed secure-address mac-address
Console(config)# interface ethernet 1/e1
Console(config-if)# ip address dhcp
Console(config-if)# port security routed secure-address 66:66:66:66:66:66
35. CLI – Show Port Security
• Use the following Privileged EXEC mode command to view
port security settings:
show ports security [ethernet interface | port-channel port-channel-number]
console# show ports security
Port    Status   Learning      Action            Maximum   Trap     Frequency
------- -------- ------------- ----------------- --------- -------- ---------
1/e1    Disabled Max-addresses -                 23        -        -
1/e2    Disabled Lock          -                 1         -        -
37. Port Mirroring
• One session of traffic monitoring is supported system-wide (tx and
rx).
• User can choose whether to mirror only Rx traffic, only Tx frames or both.
• At ingress - the frames arriving at the target port are copies of the
frames passing through the source port at ingress, prior to any in-
switch action.
• It is possible to specify up to 8 ports to be monitored by a single
target port. However, in these cases, any excess traffic will silently
be discarded (and user will not know which).
• Port Mirroring is only relevant to Physical ports. In LAGs, the
member ports have to be specified individually as sources.
• It is possible to specify up to 24 source ports to be monitored by a
single target port .
• The user may set the monitored traffic to be sent tagged or
untagged.
38. Port Mirroring
• Target ports:
– Cannot be a member of a LAG.
– Cannot be a source of a mirror session.
– Cannot be a member of a VLAN (except for default VLAN)
– Cannot be GVRP enabled
– Cannot be configured with IP address
• Port monitor is supported across the stack
39. CLI - Configuring Port Mirroring
• Use the following Interface mode command to
define port mirroring (interface mode is that of the
target port). Use the “no” form of command to
remove monitor session(s):
port monitor src-interface [rx | tx]
no port monitor src-interface
• Use the following EXEC mode command to view port monitor
settings:
show ports monitor
40. CLI - Configuring Port Mirroring
• Use the following Interface Configuration mode command to
transmit tagged ingress mirrored packets.
• To transmit untagged ingress mirrored packets, use the no
form of this command.
port monitor vlan-tagging
no port monitor vlan-tagging
42. Combo Ports Overview
• A single logical port that has two physical connections:
a) RJ45 Connector
b) SFP port.
• Only one of the two physical connections may be used at a
time.
• Some port features and port controls available for user are
affected by the actual physical connection used.
• The system will automatically detect the media that is in
use on a combo port, and will utilize this knowledge in all
operations and control interfaces.
43. Combo Ports
• If both RJ45 and SFP are present (link up in both
connections), the SFP will be active, and the RJ45 physical
port will be disabled and ignored.
• It is possible to switch from the RJ45 to the SFP (or vice-
versa) without a system reboot or reset.
• When the link changes from copper to fiber and vice-versa,
or the SFP module is exchanged, the system attempts to
configure the new link as the “old” one was. If this
configuration fails for any reason, the ports are configured
with factory default values.
45. VCT - Functional description
• Virtual Cable Test (VCT) technology provides the
mechanism to detect and report potential cabling issues,
such as cable open circuit, cable short circuit, etc.
• Cable analysis is available only on Copper Cables.
• Cable analysis can only be done when the link is down.
• Cable Length, on the other hand, can be measured only
when the link is up.
• The following parameters are detected:
1) Cable Type/Status
2) Cable length – per cable (50 Meter minimum; 30 meter
resolution)
3) Fault–Distance, in case of fault (may deviate 1-2
meters)
• Only short circuits across wires within a pair are reported.
46. CLI - VCT Configuration
• Use the following EXEC privilege mode command to
activate VCT on a certain port:
test copper-port tdr interface
console(config)# interface ethernet 1/e9
console(config-if)# shutdown
01-Jan-2000 01:48:56 %LINK-W-Down: Vlan 1
console(config-if)# 01-Jan-2000 01:48:56 %LINK-W-Down: 1/e9
console(config-if)# exit
console(config)# exit
console# test copper-port tdr 1/e9
..
Cable on port 1/e9 is good
console#
47. CLI - VCT Show command
• Use the following EXEC privilege mode command to show
VCT results:
show copper-ports tdr interface
console# show copper-ports tdr 1/e9
Port        Result      Length [meters]  Date
----------- ----------- ---------------- --------------------------
1/e9        Open cable                   01-Apr-2004 01:57:14
console#