Allied Telesis AT-9000/28 User Manual Download Page 737 | Manualshive

Page: 737 / 1278

background image

AT-9000 Switch Command Line User’s Guide

Section VIII: Port Security

737

Guidelines

Here are the general guidelines to this feature:



Ports operating under port-based access control do not support
dynamic MAC address learning.



A port that is connected to a RADIUS authentication server must not
be set to the authenticator role because an authentication server
cannot authenticate itself.



The authentication method of an authenticator port can be either
802.1x username and password combination or MAC address-based,
but not both.



A supplicant connected to an authenticator port set to the 802.1x
username and password authentication method must have 802.1x
client software.



A supplicant does not need 802.1x client software if the authentication
method of an authenticator port is MAC address-based.



Authenticator ports set to the multiple supplicant mode can support up
to a maximum of 320 authenticated supplicants at one time.



The maximum number of supplicants supported on authenticator ports
set to the multiple supplicant mode is 320. An authenticator port stops
accepting new clients after the maximum number is reached.



The maximum number of authenticated clients on the entire switch is
0. New supplicants are rejected once the maximum number is
reached. New clients are accepted as supplicants log out or are timed
out.



An 802.1x username and password combination is not tied to the MAC
address of an end node. This allows end users to use the same
username and password when working at different workstations.



After a client has successfully logged on, the MAC address of the end
node is added to the switch’s MAC address table as an authenticated
address. It remains in the table until the client logs off the network or
fails to reauthenticate, at which point the address is removed. The
address is not timed out, even if the node becomes inactive.

Note

End users of 802.1x port-based network access control should be
instructed to always log off when they are finished with a work
session. This can prevent unauthorized individuals from accessing
the network through unattended network workstations.



Authenticator and supplicant ports must be untagged ports. They
cannot be tagged ports.

«
...
735
736
737
738
739
...
»

Summary of Contents for AT-9000/28

Page 1: ...25R 26R 27R 28R PWR SYS MODE COL SPD DUP ACT AT 9000 28 Gigabit Ethernet Switch with 4 Combo SFP Ports SELECT RS 232 CONSOLE 2323 AT 9000 52 Gigabit Ethernet Switch with 4 SFP Ports SELECT PWR SYS 49...

Page 2: ...ng University of Posts and Telecommunications All rights reserved Copyright c 2003 by Fabasoft R D Software GmbH Co KG All rights reserved Copyright c 2004 2006 by Internet Systems Consortium Inc ISC...

Page 3: ...esis logo are trademarks of Allied Telesis Incorporated Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation All other product names company names logos or other designat...

Page 4: ......

Page 5: ...count 42 AlliedWare Plus Command Modes 43 Moving Down the Hierarchy 46 ENABLE Command 46 CONFIGURE TERMINAL Command 46 CLASS MAP Command 46 LINE CONSOLE 0 Command 47 LINE VTY Command 47 POLICY MAP Com...

Page 6: ...Command Line Management Commands 77 Question Mark Key 79 CLEAR SCREEN 81 CONFIGURE TERMINAL 82 COPY RUNNING CONFIG STARTUP CONFIG 83 DISABLE 84 DO 85 ENABLE 86 END 87 EXIT 88 LENGTH 89 LOGOUT 91 QUIT...

Page 7: ...Configuration 147 Enabling or Disabling Ports 148 Enabling or Disabling Backpressure 149 Enabling or Disabling Flow Control 150 Resetting Ports 153 Configuring Threshold Limits for Ingress Packets 15...

Page 8: ...16 Adding an IPv6 Management Address 216 Adding an IPv6 Default Gateway Address 217 Deleting an IPv6 Management Address and Default Gateway 218 Displaying an IPv6 Management Address and Default Gatewa...

Page 9: ...85 Overview 286 Command and Member Switches 286 Common VLAN 286 Guidelines 287 General Steps 287 Configuring the Command Switch 289 Configuring a Member Switch 291 Managing the Member Switches of an E...

Page 10: ...345 NO SWITCHPORT BLOCK EGRESS MULTICAST 346 NO SWITCHPORT BLOCK INGRESS MULTICAST 347 SWITCHPORT BLOCK EGRESS MULTICAST 348 SWITCHPORT BLOCK INGRESS MULTICAST 349 Section III File System 351 Chapter...

Page 11: ...odem 394 Downloading Files with Enhanced Stacking 396 Downloading New Management Software with Enhanced Stacking 396 Chapter 27 File Transfer Commands 399 COPY FILENAME ZMODEM 400 COPY FLASH TFTP 401...

Page 12: ...ds 458 Guidelines 458 Creating New Aggregators 460 Setting the Load Distribution Method 461 Adding Ports to Aggregators 462 Removing Ports from Aggregators 463 Deleting Aggregators 464 Displaying Aggr...

Page 13: ...tocol 523 Configuring the Switch Parameters 524 Setting the Forward Time Hello Time and Max Age 524 Setting the Bridge Priority 525 Enabling or Disabling BPDU Guard 525 Configuring the Port Parameters...

Page 14: ...N Example 570 Creating VLANs 572 Adding Untagged Ports to VLANs 573 Adding Tagged Ports to VLANs 575 Removing Untagged Ports from VLANs 577 Removing Tagged Ports from VLANs 578 Deleting VLANs 579 Disp...

Page 15: ...n Switches 639 VLAN Hierarchy 640 Guidelines 641 General Steps 642 Creating MAC Address based VLANs 643 Adding MAC Addresses to VLANs and Designating Egress Ports 644 Removing MAC Addresses 645 Deleti...

Page 16: ...STACKING 697 Section VIII Port Security 699 Chapter 52 MAC Address based Port Security 701 Overview 702 Static Versus Dynamic Addresses 702 Intrusion Actions 702 Guidelines 703 Configuring Ports 704 E...

Page 17: ...Access Control on the Switch 745 Displaying Authenticator Ports 746 Displaying EAP Packet Statistics 747 Chapter 55 802 1x Port based Network Access Control Commands 749 AAA AUTHENTICATION DOT1X DEFA...

Page 18: ...NO SNMP SERVER ENABLE TRAP 809 NO SNMP SERVER ENABLE TRAP AUTH 810 NO SNMP SERVER HOST 811 NO SNMP SERVER VIEW 813 NO SNMP TRAP LINK STATUS 814 SHOW RUNNING CONFIG SNMP 815 SHOW SNMP SERVER 816 SHOW...

Page 19: ...l LLDP TLVs 879 Optional LLDP MED TLVs 881 Enabling LLDP and LLDP MED on the Switch 884 Configuring Ports to Only Receive LLDP and LLDP MED TLVs 885 Configuring Ports to Send Only Mandatory LLDP TLVs...

Page 20: ...W LLDP INTERFACE 953 SHOW LLDP LOCAL INFO INTERFACE 955 SHOW LLDP NEIGHBORS DETAIL 957 SHOW LLDP NEIGHBORS INTERFACE 961 SHOW LLDP STATISTICS 963 SHOW LLDP STATISTICS INTERFACE 965 SHOW LOCATION 967 C...

Page 21: ...20 SHOW RMON STATISTICS 1022 Chapter 67 Advanced Access Control Lists ACLs 1023 Overview 1024 Filtering Criteria 1024 Actions 1024 ID Numbers 1025 How Ingress Packets are Compared Against ACLs 1025 Gu...

Page 22: ...Special Password 1097 Deactivating Command Mode Restriction and Deleting the Special Password 1098 Activating or Deactivating Password Encryption 1099 Displaying the Local Manager Accounts 1100 Chapt...

Page 23: ...l Port Number 1150 Disabling the Web Browser Server 1151 Displaying the Web Browser Server 1152 Chapter 78 Non secure HTTP Web Browser Server Commands 1153 SERVICE HTTP 1154 IP HTTP PORT 1155 NO SERVI...

Page 24: ...S and TACACS Client Commands 1203 AAA ACCOUNTING LOGIN 1205 AAA AUTHENTICATION ENABLE TACACS 1207 AAA AUTHENTICATION LOGIN 1209 IP RADIUS SOURCE INTERFACE 1211 LOGIN AUTHENTICATION 1213 NO LOGIN AUTHE...

Page 25: ...t Settings 1258 RADIUS Client 1259 Remote Manager Account Authentication 1260 RMON 1261 Secure Shell Server 1262 sFlow Agent 1263 Simple Network Management Protocol SNMPv1 SNMPv2c and SNMPv3 1264 Simp...

Page 26: ...Contents 26...

Page 27: ...MAC Address Table Commands 273 Table 23 SHOW MAC ADDRESS TABLE Command Unicast Addresses 283 Table 24 SHOW MAC ADDRESS TABLE Command Multicast Addresses 283 Table 25 Enhanced Stacking Commands 299 Ta...

Page 28: ...IEW Command 819 Table 77 SNMPv3 Commands 829 Table 78 sFlow Agent Commands 865 Table 79 SHOW COLLECTOR Command 875 Table 80 Mandatory LLDP TLVs 879 Table 81 Optional LLDP TLVs 879 Table 82 Optional LL...

Page 29: ...CLs Example 1045 Table 122 Assigning Numbered IP ACLs to VTY Lines Example 1046 Table 123 Assigning MAC ACLs to VTY Lines Example 1047 Table 124 Removing Numbered IP ACLs from VTY Lines Example 1049 T...

Page 30: ...Tables 30...

Page 31: ...3 Contacting Allied Telesis on page 34 Caution The software described in this documentation contains certain cryptographic functionality and its export is restricted by U S law As of this writing it h...

Page 32: ...s Note Notes provide additional information Caution Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data Warning Warnings inform you that pe...

Page 33: ...Guide 33 Where to Find Web based Guides The installation and user guides for all of the Allied Telesis products are available for viewing in portable document format PDF from our web site at www allie...

Page 34: ...nty information refer to the Allied Telesis web site at www alliedtelesis com support Returning Products Products for return or repair must first be assigned a return materials authorization RMA numbe...

Page 35: ...ns the following chapters Chapter 1 AlliedWare Plus Command Line Interface on page 37 Chapter 2 Starting a Management Session on page 59 Chapter 3 Basic Command Line Management on page 71 Chapter 4 Ba...

Page 36: ...36 Section I Getting Started...

Page 37: ...on page 38 Management Interfaces on page 41 Local Manager Account on page 42 AlliedWare Plus Command Modes on page 43 Moving Down the Hierarchy on page 46 Moving Up the Hierarchy on page 51 Port Numbe...

Page 38: ...e a terminal or a PC with a terminal emulator program and the management cable that comes with the switch Note The initial management session of the switch must be from a local management session Remo...

Page 39: ...t sessions in that it gives you access to the same command line interface and the same functions But where they differ is SSH management sessions are secure against snooping because the packets are en...

Page 40: ...Line Interface 40 Section I Getting Started Remote Network MIB RFC 1757 Allied Telesis managed switch MIBs The Allied Telesis managed switch MIBs atistackinfo mib and atistackswitch mib are available...

Page 41: ...itch has two management interfaces AlliedWare Plus command line Web browser windows The AlliedWare Plus command line is available from local management sessions and remote Telnet and Secure Shell mana...

Page 42: ...anagement modes and commands The default manager account is referred to as local because the switch authenticates the user name and password itself If more manager accounts are needed you can add up t...

Page 43: ...ore To perform a management function you first have to move to the mode that has the appropriate commands For instance to configure the speeds and wiring configurations of the ports you have to move t...

Page 44: ...switch settings Lists the files in the file system Pings remote systems Sets the date and time Saves the current configuration Downloads new versions of the management software Restores the default se...

Page 45: ...f Service policies Port Interface mode config if Configures port settings Disables and enables ports Configures the port mirror Configures 802 1x port based network access control Creates static port...

Page 46: ...u use this command to move from the User Exec mode to the Privileged Exec mode The format of the command is enable Figure 2 ENABLE Command CONFIGURE TERMINAL Command You use this command to move from...

Page 47: ...ty line_id The range of the LINE_ID parameter is 0 to 9 For information on the VTY lines refer to VTY Lines on page 62 This example enters the Virtual Terminal Line mode for VTY line 2 Figure 6 LINE V...

Page 48: ...can configure more than one port at a time This example enters the Port Interface mode for ports 11 to 15 and 22 Figure 10 INTERFACE PORT Command Multiple Ports The INTERFACE PORT command is also loc...

Page 49: ...mple enters the VLAN Interface mode for a VLAN that has the VID 12 Figure 13 INTERFACE VLAN Command Note A VLAN must be identified in this command by its VID and not by its name INTERFACE TRUNK Comman...

Page 50: ...LDP civic location entry Figure 15 LLDP LOCATION CIVIC LOCATION Command LOCATION COORD LOCATION Command You use this command to move from the Global Configuration mode to the Coordinate Location mode...

Page 51: ...ll probably want to return to the User Exec mode or Privileged Exec mode after you have configured a feature to verify your changes with the appropriate SHOW command And while you could step back thro...

Page 52: ...he Privileged Exec mode use the DISABLE command Figure 19 Returning to the User Exec Mode with the DISABLE Command Privileged Executive Mode User Executive Mode Global Configuration Mode Class Map Mod...

Page 53: ...networking modules It is used to identify the networking modules by their slot numbers This number should always be 0 for AT 9000 Series switches because they are not modular switches Port number Thi...

Page 54: ...an also combine individual ports and port ranges in the same command as illustrated in these commands which enter the Port Interface mode for ports 5 to 11 and ports 16 and 18 awplus enable awplus con...

Page 55: ...n SFP module is installed but does not have a link to a network device The twisted pair port automatically changes to the redundant status mode when an SFP module establishes a link with a network dev...

Page 56: ...ons This manual uses the following command format conventions screen text font This font illustrates the format of a command and command examples Brackets indicate optional parameters Vertical line se...

Page 57: ...Initializing System done Initializing Board done Initializing Serial Interface done Initializing Timer Library done Initializing IPC done Initializing Event Log done Initializing Switch Models done In...

Page 58: ...LAN done Initializing ENCO done Initializing PKI done Initializing PortAccess done Initializing PAAcctRcv done Initializing SSH done Initializing IFM done Initializing IFMV6 done Initializing RTM done...

Page 59: ...ections Starting a Local Management Session on page 60 Starting a Remote Telnet or SSH Management Session on page 62 What to Configure First on page 64 Ending a Management Session on page 69 Note The...

Page 60: ...nagement Cable to the Console Port 2 Connect the other end of the cable to an RS 232 port on a terminal or PC with a terminal emulator program 3 Configure the terminal or terminal emulator program as...

Page 61: ...he initial management session of the switch enter manager as the user name friend as the password The user name and password are case sensitive The local management session has started when the Allied...

Page 62: ...nfigure First on page 64 or Chapter 9 IPv4 and IPv6 Management Addresses on page 207 For remote SSH management you must create an encryption key pair and configure the SSH server on the switch For ins...

Page 63: ...ve your workstation unattended during a management session For instructions on how to set this timer refer to Configuring the Management Session Timers on page 107 Number of SHOW command scroll lines...

Page 64: ...ts shipping container the file when you create it will be nearly empty The quickest and easiest way to create a new boot configuration file and to designate it as the active file is with the BOOT CONF...

Page 65: ...username manager password clearsky2a Note Write down the new password and keep it in a safe and secure location If you forget the manager password you will not be able to manage the switch if there ar...

Page 66: ...Ns refer to Chapter 41 Port based and Tagged VLANs on page 559 The network devices i e syslog servers TFTP servers etc must be members of the same subnet as a management IP address or have access to i...

Page 67: ...interface vlan1 Use the INTERFACE VLAN command to move to the VLAN Interface mode of the Default_VLAN awplus config if ip address 149 82 112 72 24 Assign the management IPv4 address to the switch usi...

Page 68: ...6 port1 0 23 Enter the Port Interface mode for ports 5 6 and 23 awplus config if switchport access vlan 5 Add the ports as untagged ports to the VLAN with the SWITCHPORT ACCESS VLAN command awplus co...

Page 69: ...Management Session To end a management session from below the Privileged Exec mode return to the Privileged Exec mode and enter EXIT awplus config exit awplus exit To end a management session from th...

Page 70: ...Chapter 2 Starting a Management Session 70 Section I Getting Started...

Page 71: ...mmand Line Management This chapter contains the following sections Clearing the Screen on page 72 Displaying the On line Help on page 73 Saving Your Configuration Changes on page 75 Ending a Managemen...

Page 72: ...ith commands you can start fresh by entering the CLEAR SCREEN command in the User Exec or Privileged Exec mode If you re in a lower mode you ll have to move up the mode hierarchy to one of these modes...

Page 73: ...he available parameters for the FLOWCONTROL command in the Port Interface mode Figure 27 Displaying Subsequent Keywords of a Keyword Note You must type a space between the keyword and the question mar...

Page 74: ...ment 74 Section I Getting Started Figure 28 Displaying the Class of a Parameter awplus enable awplus configure terminal awplus config hostname STRING sysName awplus enable awplus configure terminal aw...

Page 75: ...the COPY RUNNING CONFIG STARTUP CONFIG command both of which are found in the Privileged Exec mode When you enter either of these command the switch copies its running configuration into the active bo...

Page 76: ...on I Getting Started Ending a Management Session To end a management session from the Privileged Exec mode enter the EXIT command awplus config exit awplus exit To end a management session from the Us...

Page 77: ...h the current settings from the switch DISABLE on page 84 Privileged Exec Returns you to the User Exec mode from the Privileged Exec mode DO on page 85 Global Configuration Performs commands in the Pr...

Page 78: ...oves you up one mode TERMINAL LENGTH on page 93 Privileged Exec Specifies the maximum number of lines that the SHOW commands display at one time on the screen WRITE on page 94 Privileged Exec Updates...

Page 79: ...displays the available parameters Note You must type a space between a keyword and the question mark Otherwise the on line help returns the previous keyword Typing after a keyword or parameter that re...

Page 80: ...t Commands 80 Section I Getting Started This example displays the class of the value for the SPANNING TREE HELLO TIME command in the Global Configuration mode awplus enable awplus configure terminal a...

Page 81: ...and Line User s Guide Section I Getting Started 81 CLEAR SCREEN Syntax clear screen Parameters None Modes User Exec and Privileged Exec modes Description Use this command to clear the screen Example a...

Page 82: ...ion I Getting Started CONFIGURE TERMINAL Syntax configure terminal Parameters None Mode Privileged Exec mode Description Use this command to move from the Privileged Exec mode to the Global Configurat...

Page 83: ...anent storage When you enter the command the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that are not at their default settings...

Page 84: ...agement Commands 84 Section I Getting Started DISABLE Syntax disable Parameters None Mode Privileged Exec mode Description Use this command to return to the User Exec mode from the Privileged Exec mod...

Page 85: ...None Mode Global Configuration mode Description Use this command to perform commands in the Privileged Exec mode from the Global Configuration mode Example This example performs the SHOW INTERFACE co...

Page 86: ...ne Management Commands 86 Section I Getting Started ENABLE Syntax enable Parameters None Mode User Exec mode Description Use this command to move from the User Exec mode to the Privileged Exec mode Ex...

Page 87: ...User s Guide Section I Getting Started 87 END Syntax end Parameters None Mode All modes below the Global Configuration mode Description Use this command to return to the Privileged Exec mode Example...

Page 88: ...Getting Started EXIT Syntax exit Parameters None Mode All modes except the User Exec and Privileged Exec modes Description Use this command to move up one mode in the mode hierarchy This command is id...

Page 89: ...t methods To set this parameter for local management sessions enter the command in the Console Line mode To set this parameter for the ten VTY lines for remote Telnet and SSH sessions enter the same c...

Page 90: ...Chapter 4 Basic Command Line Management Commands 90 Section I Getting Started awplus config line console 0 awplus config line no length...

Page 91: ...LOGOUT Syntax logout Parameters None Mode User Exec mode Description Use this command to end a management session Example This example shows the sequence of commands to logout starting from the Globa...

Page 92: ...Getting Started QUIT Syntax quit Parameters None Mode All modes except the User Exec and Privileged Exec modes Description Use this command to move up one mode in the mode hierarchy This command is id...

Page 93: ...t want the SHOW commands to pause Mode Privileged Exec mode Description Use this command to specify the maximum number of lines the SHOW commands display at one time on the screen during local managem...

Page 94: ...ter the command the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that are not at their default settings Note Parameter changes th...

Page 95: ...dress Commands on page 221 Chapter 11 Simple Network Time Protocol SNTP Client on page 245 Chapter 12 SNTP Client Commands on page 253 Chapter 13 MAC Address Table on page 265 Chapter 14 MAC Address T...

Page 96: ...96 Section II Basic Operations...

Page 97: ...gs on page 100 Manually Setting the Date and Time on page 101 Pinging Network Devices on page 102 Resetting the Switch on page 103 Restoring the Default Settings to the Switch on page 104 Setting the...

Page 98: ...n mode A name can have up to 39 alphanumeric characters Special characters except for spaces and quotation marks are allowed This example assigns the name Switch12 to the switch awplus enable awplus c...

Page 99: ...s in length Spaces and special characters are allowed To view the information use the SHOW SYSTEM command in the User Exec and Privileged Exec modes Here is an example that assigns the switch this con...

Page 100: ...rivileged Exec mode The settings which are displayed in their equivalent command line commands are limited to just those parameters that have been changed from their default values The information inc...

Page 101: ...rth day of the month is 04 mm Use this variable to specify the month The month must be specified in two digits Include a zero for the first nine months of the year For example June is 06 yyyy Use this...

Page 102: ...instructs the switch to send ICMP Echo Requests to a network device known by the IP address 149 122 14 15 awplus enable awplus ping 149 122 14 15 The results of the ping are displayed on the screen No...

Page 103: ...network traffic may be lost The reset can take from thirty seconds to two minutes depending on the number and complexity of the commands in the active boot configuration file Note Any configuration ch...

Page 104: ...s enable awplus delete Sales_unit cfg awplus reboot If you do not know the name of the active boot configuration file you can display it with the SHOW BOOT command in the Privileged Exec mode Figure 2...

Page 105: ...figuration file you want to rename The FILENAME2 parameter is the file s new name The extensions of the files must be cfg For example if the name of the active boot configuration file is Sales_unit cf...

Page 106: ...serial terminal port on the switch This example sets the baud rate of the Console port on the switch to 57600 bps awplus enable awplus configure terminal awplus config conf baud rate set 57600 To disp...

Page 107: ...set The timer for local management sessions is set in the Line Console mode which is accessed using the LINE CONSOLE 0 command from the Global Configuration mode This example of the commands sets the...

Page 108: ...one person can manage the unit at a time You set the maximum number of sessions with the SERVICE MAXMANAGER command in the Global Configuration mode The default is three manager sessions This example...

Page 109: ...ver you use the CLEAR SCREEN command to clear the screen The banners are not displayed by web browser management sessions The commands for setting the banners are located in the Global Configuration m...

Page 110: ...able awplus configure terminal awplus config banner login Type CTRL D to finish This switch is located in building 2A wiring closet 4M awplus config Here is an example of the BANNER EXEC command awplu...

Page 111: ...Exec Restores the default settings to all the parameter settings on the switch EXEC TIMEOUT on page 119 Line Console Sets the console timer which is used to end inactive management sessions HOSTNAME...

Page 112: ...n file SHOW SWITCH on page 133 Privileged Exec Displays general information about the switch SHOW SYSTEM on page 135 User Exec Displays general information about the switch SHOW USERS on page 136 Priv...

Page 113: ...inish is displayed on your screen Enter a banner message of up to 256 characters Spaces and special characters are allowed When you are finished hold down the CTRL key and type D Web browser managemen...

Page 114: ...rompt Type CTRL D to finish is displayed on your screen Enter a login message of up to 4 000 characters Spaces and special characters are allowed When you are finished hold down the CTRL key and type...

Page 115: ...n your screen Enter a message of the day banner of up to 256 characters Spaces and special characters are allowed When you are finished hold down the CTRL key and type D Web browser management session...

Page 116: ...ions of the switch Note If you change the baud rate of the serial terminal port during a local management session your session will be interrupted To resume the session you must change the speed of yo...

Page 117: ...st be specified in two digits Include a zero for the first nine months of the year For example June is 06 year Specifies the year The year must be specified in four digits for example 2011 or 2012 Mod...

Page 118: ...ings Caution The switch will not forward network traffic while it initializes its management software Some network traffic may be lost To resume managing the switch after restoring the default setting...

Page 119: ...is deemed inactive by the switch if there is no management activity for the duration of a timer Local management sessions which are conducted through the Console port on the switch and remote Telnet...

Page 120: ...t Commands 120 Section II Basic Operations This example sets the session timer for the first vty 0 Telnet or SSH session to 5 minutes awplus enable awplus configure terminal awplus config line vty 0 a...

Page 121: ...contain special characters except for spaces and quotation marks Mode Global Configuration mode Description Use this command to assign the switch a name The switch displays the name in the command li...

Page 122: ...Parameters None Mode Global Configuration mode Description Use this command to enter the Line Console mode to set the session timer and to activate or deactivate remote authentication for local manage...

Page 123: ...command to enter the Virtual Terminal Line mode for a VTY line to set the session timer or to activate or deactivate remote authentication for Telnet or SSH management sessions Refer to EXEC TIMEOUT...

Page 124: ...s None Mode Global Configuration mode Description Use this command to delete the switch s name without assigning a new name Example This example deletes the current name of the switch without assignin...

Page 125: ...k device such as a RADIUS server or a Telnet client to troubleshoot communication problems Note To send ICMP Echo Requests the switch must have a management IP address For background information refer...

Page 126: ...it initializes its management software Some network traffic may be lost The reset can take from 10 seconds to two minutes depending on the number and complexity of the commands in the active boot conf...

Page 127: ...rk traffic while it initializes its management software Some network traffic may be lost The reset can take from 10 seconds to two minutes depending on the number and complexity of the commands in the...

Page 128: ...Chapter 6 Basic Switch Management Commands 128 Section II Basic Operations Example The following example resets the switch awplus enable awplus reload...

Page 129: ...mode Description Use this command to set the maximum number of manager sessions that can be open on the switch simultaneously This feature makes it possible for more than one person to manage the unit...

Page 130: ...e port used for local management sessions of the switch Here is an example of the information Figure 32 SHOW BAUD RATE Command To set the baud rate refer to BAUD RATE SET on page 116 Note The baud rat...

Page 131: ...II Basic Operations 131 SHOW CLOCK Syntax show clock Parameters None Modes User Exec mode Description Use this command to display the system s current date and time Example This example displays the...

Page 132: ...mmand line commands The command displays only the settings that have been changed from their default values and includes those values that have not yet been saved in the active boot configuration file...

Page 133: ...e Version v1 0 0 Application Software Build date May 2010 10 24 12 MAC Address 00 15 77 CC E2 42 Console Disconnect Timer Interval 10 minute s Telnet Server status Enabled MAC address aging time 300 s...

Page 134: ...119 Telnet Server Status The status of the Telnet server The switch can be remotely managed from a Telnet client on your network when the server is enabled When the server is disabled the switch cann...

Page 135: ...n Figure 34 SHOW SYSTEM Command Example This example displays general information about the switch awplus show system Switch System Status Fri 16 Sep 2011 00 37 26 Board ID Bay Board Name Rev Serial N...

Page 136: ...the device with a web browser application or an SNMP application are not displayed by this command Figure 35 is an example of the information Figure 35 SHOW USERS Command The columns are described in...

Page 137: ...er to whom the account belongs to entered a command on the switch The value will always be zero for the account you are currently using to manage the switch Location The network device from which the...

Page 138: ...nd to add contact information to the switch The contact information is usually the name of the person who is responsible for managing the unit To remove the current contact information without adding...

Page 139: ...escription Use this command to add location information to the switch To remove the current location information without adding new information use the NO form of this command Confirmation Command SHO...

Page 140: ...a europe Europe japan Japan korea Korea nz New Zealand usa USA Mode Global Configuration mode Description Use this command to specify the territory of the switch The territory setting is not currently...

Page 141: ...AT 9000 Switch Command Line User s Guide Section II Basic Operations 141 awplus configure terminal awplus config no system territory...

Page 142: ...Chapter 6 Basic Switch Management Commands 142 Section II Basic Operations...

Page 143: ...Enabling or Disabling Ports on page 148 Enabling or Disabling Backpressure on page 149 Enabling or Disabling Flow Control on page 150 Resetting Ports on page 153 Configuring Threshold Limits for Ingr...

Page 144: ...paces and special characters are allowed You can assign a description to more than one port at a time To remove the current description from a port without assigning a new description use the NO form...

Page 145: ...iation for duplex mode You should review the following information before configuring the ports Auto Negotiation may be activated separately for speed and duplex mode on a port For instance you may ac...

Page 146: ...onfig interface port1 0 2 port1 0 4 awplus config if speed 10 awplus config if duplex full This example sets the speed on port 15 to Auto Negotiation and the duplex mode to half duplex awplus enable a...

Page 147: ...configuration is the POLARITY command in the Port Interface mode Here is the format of the command polarity auto mdi mdix The AUTO setting activates auto MDI MDIX which enables a port to detect the wi...

Page 148: ...ork device To disable ports use the SHUTDOWN command in the Port Interface mode To enable ports again use the NO SHUTDOWN command This example disables ports 1 to 4 awplus enable awplus configure term...

Page 149: ...eeds and duplex modes manually If you enable backpressure the default setting a port initiates backpressure when it needs to prevent a buffer overrun from packet congestion If you disable backpressure...

Page 150: ...on off The FLOWCONTROL SEND command controls whether or not a port sends pause packets during periods of packet congestion If you set it to ON the port sends pause packets when it reaches the point o...

Page 151: ...disable flow control use the NO FLOWCONTROL command in the Port Interface mode This example disables flow control on ports 22 and 23 awplus enable awplus configure terminal awplus config interface po...

Page 152: ...Chapter 7 Port Parameters 152 Section II Basic Operations If flow control isn t configured on a port this message is displayed Flow control is not set on interface port1 0 2...

Page 153: ...SET command in the Port Interface mode This command performs a hardware reset The port parameter settings are retained The reset takes just a second or two to complete This example resets ports 16 and...

Page 154: ...rameter the acronym for database lookup failure is for unknown unicast packets The VALUE parameter specifies the maximum permitted number of ingress packets per second a port will accept The range is...

Page 155: ...lus config if no storm control broadcast This example disables unknown unicast rate limiting on port 5 6 and 15 awplus enable awplus configure terminal awplus config interface port1 0 5 port1 0 6 port...

Page 156: ...s accomplished with the RENEGOTIATE command in the Port Interface mode The command does not have any parameters A port must already be set to Auto Negotiation before you can use this command This exam...

Page 157: ...e default settings on a port use the PURGE command in the Port Interface mode This example returns ports 12 13 and 15 to their default settings awplus enable awplus configure terminal awplus config in...

Page 158: ...d duplex mode settings for ports 18 and 20 awplus show interface port1 0 18 port1 0 20 status Here is an example of the information the command displays Figure 37 SHOW INTERFACE STATUS Command The col...

Page 159: ...an example of the display Figure 39 SHOW RUNNING CONFIG INTERFACE Command For a description of the command see SHOW RUNNING CONFIG INTERFACE on page 202 Interface port1 0 1 Link is UP administrative s...

Page 160: ...at of the command show platform table port port counters This example displays the statistics for ports 23 and 24 awplus show platform table port port1 0 23 port1 0 24 counter The statistics are descr...

Page 161: ...0 Port Interface Sets a limit on the amount of traffic that can be transmitted per second from the port FCTRLLIMIT on page 171 Port Interface Specifies threshold levels for flow control FLOWCONTROL on...

Page 162: ...W INTERFACE STATUS on page 193 Privileged Exec Displays the speed and duplex mode settings of the ports SHOW PLATFORM TABLE PORT on page 195 Privileged Exec Displays packet statistics for the individu...

Page 163: ...This prevents a buffer overrun and the subsequent loss and retransmission of network packets A port initiates backpressure by transmitting on the shared link to cause a data collision which causes it...

Page 164: ...is example configures ports 8 and 21 to 100 Mbps half duplex mode with backpressure disabled awplus enable awplus configure terminal awplus config interface port1 0 8 port1 0 21 awplus config if speed...

Page 165: ...o 7935 cells The default value is 7935 cells Mode Port Interface mode Description Use this command to specify a threshold level for backpressure on a port Confirmation Command SHOW RUNNING CONFIG on p...

Page 166: ...ou want to clear You can specify more than one port at a time in the command Mode User Exec mode and Privileged Exec mode Description Use this command to clear the packet counters of the ports To disp...

Page 167: ...be easier to identify if they have descriptions Use the NO form of this command to remove descriptions from ports without assigning new descriptions Confirmation Command SHOW INTERFACE on page 190 Ex...

Page 168: ...lex can both send and receive packets simultaneously Note To avoid a duplex mode mismatch between switch ports and network devices do not select Auto Negotiation on ports that are connected to network...

Page 169: ...mode on port 11 half duplex awplus enable awplus configure terminal awplus config interface port1 0 11 awplus config if duplex half This example configures the duplex mode with Auto Negotiation on po...

Page 170: ...00 000 kilobits per second Mode Port Interface mode Description Use this command to set a limit on the amount of traffic that can be transmitted per second from the port Confirmation Command SHOW RUNN...

Page 171: ...nge is 1 to 7935 cells The default value is 7935 cells Mode Port Interface mode Description Use this command to specify threshold levels for flow control on the ports Confirmation Command SHOW RUNNING...

Page 172: ...s experiencing traffic congestion initiates flow control by sending pause packets These packets instruct the link partner to stop transmitting packets A port continues to issue pause packets so long a...

Page 173: ...0 19 awplus config if speed 100 awplus config if duplex full awplus config if flowcontrol send on awplus config if flowcontrol receive on This example configures ports 18 to 21 and 24 to 10 Mbps full...

Page 174: ...Chapter 8 Port Parameter Commands 174 Section II Basic Operations awplus config if duplex full awplus config if flowcontrol send off awplus config if flowcontrol receive on...

Page 175: ...nner An oversubscribed port can prevent other ports from forwarding packets to each other because ingress packets on a port are buffered in a First In First Out FIFO manner If a port has at the head o...

Page 176: ...e oversubscribed port For example referring to the figure above when the utilization of the storage capacity of port D exceeds the threshold the switch signals the other ports to discard packets desti...

Page 177: ...hange in its link state To disable link traps on a port refer to NO LINKTRAP on page 180 Note For the switch to send SNMP traps you must activate SNMP and specify one or more trap receivers For instru...

Page 178: ...rt Interface mode Description Use this command to disable egress rate limiting on the ports Confirmation Command SHOW RUNNING CONFIG on page 132 Example This example disable egress rate limiting on th...

Page 179: ...ter None Mode Port Interface mode Description Use this command to disable flow control on ports Confirmation Command SHOW FLOWCONTROL INTERFACE on page 188 Example This example disables flow control o...

Page 180: ...raps on the ports of the switch The switch does not send traps when a port on which link trap is disabled experiences a change in its link state i e goes up or down Confirmation Command SHOW INTERFACE...

Page 181: ...Interface mode Description Use this command to enable ports so that they forward packets again This is the default setting for a port Confirmation Command SHOW RUNNING CONFIG on page 132 Example This...

Page 182: ...NING CONFIG on page 132 Examples This example removes the threshold limit for broadcast packets on port 12 awplus enable awplus configure terminal awplus config interface port1 0 12 awplus config if n...

Page 183: ...as MDI medium dependent interface and MDI X medium dependent interface crossover To forward traffic a port on the switch and a port on a network device must have different settings For instance the wi...

Page 184: ...rameter Commands 184 Section II Basic Operations This example activates auto MDI MDIX on ports 1 to 3 awplus enable awplus configure terminal awplus config interface port1 0 1 port1 0 3 awplus config...

Page 185: ...default settings to these port parameters Enabled status NO SHUTDOWN Description Speed Duplex mode MDI MDI X Flow control Backpressure Head of line blocking threshold Backpressure cells Example This...

Page 186: ...egotiate its speed and duplex mode with its network device You might use this command if you believe that a port and a network device did not establish the highest possible common settings during the...

Page 187: ...ion Use this command to perform a hardware reset on the ports The ports retain their parameter settings The reset takes only a second or two to complete You might reset a port if it is experiencing a...

Page 188: ...elds are described in Table 9 Port Send Receive RxPause TxPause admin admin 1 0 13 yes yes 6520 7823 Table 9 SHOW FLOWCONTROL INTERFACE Command Parameter Description Port Port number Send admin Whethe...

Page 189: ...asic Operations 189 Example This command displays the flow control settings for port 2 awplus show flowcontrol interface port1 0 2 TxPause The number of transmitted pause packets Table 9 SHOW FLOWCONT...

Page 190: ...state is UP Address is 0015 77cc e243 Description index 1 mtu 9198 Unknown Ingress Multicast Blocking Disabled Unknown Egress Multicast Blocking Disabled SNMP link status traps Enabled Suppressed in 0...

Page 191: ...ort Description The port s description To set the description refer to DESCRIPTION on page 167 Index mtu The maximum packet size of the ports The ports have a maximum packet size of 9198 bytes This is...

Page 192: ...Section II Basic Operations Examples This command displays the current operational state of all the ports awplus show interface This command displays the current operational state of ports 1 to 4 awpl...

Page 193: ...Command The fields are described in Table 11 Port Name Status Vlan Duplex Speed Type port1 0 1 Port_01 down 3 half 100 10 100 1000Base T port1 0 2 Port_02 up 11 auto auto 10 100 1000Base T port1 0 2...

Page 194: ...and 18 awplus show interface port1 0 17 port1 0 18 status Duplex The duplex mode setting of the port The setting can be half full or auto for Auto Negotiation To set the duplex mode refer to DUPLEX on...

Page 195: ...ter displays the statistics for all the ports The statistics are described in Table 12 To clear the packet counters refer to CLEAR PORT COUNTER on page 166 Table 12 SHOW PLATFORM TABLE PORT COUNTERS C...

Page 196: ...signals the port has encountered UnsupportOpcode Number of MAC Control frames with unsupported opcode UndersizePkts Number of frames that were less than the minimum length as specified in the IEEE 80...

Page 197: ...kets that were discarded prior to transmission because of an error ipInHdrErrors Number of ingress packets that were discarded because of a hardware error Miscellaneous Counters MAC TxErr Number of fr...

Page 198: ...command to display information about the SFP modules in the switch Figure 44 SHOW SYSTEM PLUGGABLE Command Example This example displays SFP module information awplus show system pluggable System Plu...

Page 199: ...on page 198 Figure 45 SHOW SYSTEM PLUGGABLE DETAIL Command The OM1 field specifies the link length supported by the pluggable transceiver using 62 5 micron multi mode fiber The OM2 field specifies th...

Page 200: ...igure 46 shows an example of the information when you enter the following command awplus show storm control port1 0 15 Figure 46 SHOW STORM CONTROL Command See Table 13 for a description of the table...

Page 201: ...m control This command displays the settings of ports 15 and 18 awplus show storm control port1 0 15 port1 0 18 DlfLevel Indicates the maximum number of unknown unicast packets destination lookup fail...

Page 202: ...displays only the settings that have been changed from their default values and includes those values that have not yet been saved in the active boot configuration file See Figure 47 for an example d...

Page 203: ...isable ports that are unused to secure them from unauthorized use or that are having problems with network cables or their link partners The default setting for the ports is enabled To reactivate a po...

Page 204: ...n Mode Port Interface mode Description Use this command to manually set the speeds of the twisted pair ports or to activate Auto Negotiation Confirmation Commands Configured speed SHOW INTERFACE STATU...

Page 205: ...esholds for the ingress packets on the ports Ingress packets that exceed the thresholds are discarded by the ports Thresholds can be set independently for broadcast packets multicast packets and unkno...

Page 206: ...wplus enable awplus configure terminal awplus config interface port1 0 4 awplus config if storm control multicast level 100000 This example sets the threshold level of 200 000 packets per second for i...

Page 207: ...Management Addresses This chapter contains the following information Overview on page 208 Assigning an IPv4 Management Address and Default Gateway on page 211 Assigning an IPv6 Management Address and...

Page 208: ...address Table 14 Features that Require an IP Management Address Feature Description Supported by IPv4 Address Supported by IPv6 Address 802 1x port based network access control Used for port security...

Page 209: ...your network for storage yes TACACS client Used for remote management authentication using a TACACS server on your network yes Telnet client Used to manage other network devices from the switch yes T...

Page 210: ...ent address can be assigned manually or from a DHCP server on your network To learn the switch s MAC address to add to a DHCP server refer to SHOW SWITCH on page 133 An IPv6 address must be assigned m...

Page 211: ...mmand ip address ipaddress mask dhcp The IPADDRESS parameter is the IPv4 management address to be assigned the switch The address is specified in this format nnn nnn nnn nnn Each NNN is a decimal numb...

Page 212: ...awplus configure terminal Enter the Global Configuration mode awplus config vlan database Use the VLAN DATABASE command to enter the VLAN Configuration mode awplus config vlan vlan 17 name Tech_suppor...

Page 213: ...r of the same subnet as the management IPv4 address The command for assigning the default gateway is the IP ROUTE command in the Global Configuration mode Here is the format ip route 0 0 0 0 0 ipaddre...

Page 214: ...DDRESS DHCP command This example of the command deletes the management address assigned by a DHCP server from a VLAN on the switch with the VID of 23 awplus enable awplus configure terminal awplus con...

Page 215: ...xec mode awplus show ip interface Here is an example of the information from the command Figure 49 SHOW IP INTERFACE Command The columns are defined in Table 16 on page 239 Destination Mask NextHop In...

Page 216: ...r instructions refer to Chapter 41 Port based and Tagged VLANs on page 559 If the switch already has an IPv4 address the IPv6 address must be assigned to the same VLAN as that address Here is the form...

Page 217: ...nterface vlan8 awplus config vlan ipv6 address 1857 80cf d54 1a 8f57 64 awplus config vlan exit Note You cannot use a DHCP server to assign the switch a dynamic IPv6 address The switch supports only a...

Page 218: ...V6 ADDRESS command in the VLAN Interface mode in which the current address is assigned This example of the command deletes the address from a VLAN with the VID 21 awplus enable awplus configure termin...

Page 219: ...s is with the SHOW IPV6 INTERFACE command shown here awplus show ipv6 interface Here is an example of the information from the command Figure 51 SHOW IPV6 INTERFACE Command The columns are defined in...

Page 220: ...Chapter 9 IPv4 and IPv6 Management Addresses 220 Section II Basic Operations...

Page 221: ...address IPV6 ADDRESS on page 230 VLAN Interface Assigns the switch a static IPv6 management address IPV6 ROUTE on page 232 Global Configuration Assigns the switch an IPv6 default gateway address NO IP...

Page 222: ...Operations SHOW IPV6 INTERFACE on page 242 Privileged Exec Displays the IPv4 management address SHOW IPV6 ROUTE on page 243 Privileged Exec Displays the IPv6 management address and default gateway Ta...

Page 223: ...R IPV6 NEIGHBORS Syntax clear ipv6 neighbors Parameters none Mode Privileged Exec mode Description Use this command to clear all of the dynamic IPv6 neighbor entries Example This example clears all of...

Page 224: ...alent to masks 255 255 0 0 and 255 255 255 0 respectively Mode VLAN Interface mode Description Use this command to manually assign the switch an IPv4 management address You must perform this command f...

Page 225: ...efault_VLAN which has the VID 1 awplus enable awplus configure terminal awplus config interface vlan1 awplus config vlan ip address 142 35 78 21 24 This example assigns the switch the IPv4 management...

Page 226: ...the VLAN to which you want to assign the address The switch must have a management IPv4 address to support the features listed in Table 14 on page 208 The switch can have only one IPv4 address and it...

Page 227: ...This example activates the DHCP client so that the switch obtains its IPv4 management address from a DHCP server on your network The address is applied to a VLAN with the VID 4 awplus enable awplus co...

Page 228: ...nagement network devices such as Telnet clients and syslog servers that are not members of the same subnet as its IPv4 address You must assign the switch a default gateway address if both of the follo...

Page 229: ...Line User s Guide Section II Basic Operations 229 Example This example assigns the switch the IPv4 default gateway address 143 87 132 45 awplus enable awplus configure terminal awplus config ip route...

Page 230: ...ubnet mask of the address The mask is a decimal number that represents the number of bits from left to right that constitute the network portion of the address For example an address whose network des...

Page 231: ...TE on page 243 Examples This example assigns the IPv6 management address 4c57 17a9 11 190 a1d4 64 to the Default_VLAN which has the VID 1 awplus enable awplus configure terminal awplus config interfac...

Page 232: ...t gateway is an address of an interface on a router or other Layer 3 device It defines the first hop to reaching the remote subnets or networks where the network devices are located You must assign th...

Page 233: ...User s Guide Section II Basic Operations 233 Example This example assigns the switch the IPv6 default gateway address 45ab 672 934c 78 17cb awplus enable awplus configure terminal awplus config ipv6 r...

Page 234: ...rform this command from the VLAN Interface mode of the VLAN to which the address is attached Note The switch uses the IPv4 management address to perform the features listed Table 14 on page 208 If you...

Page 235: ...the address is attached This command also disables the DHCP client Note The switch uses the IPv4 management address to perform the features listed Table 14 on page 208 If you delete it the switch wil...

Page 236: ...ault gateway Mode Global Configuration mode Description Use this command to delete the current IPv4 default gateway The command must include the current default gateway Confirmation Command SHOW IP RO...

Page 237: ...which the address is attached Note The switch uses the IPv6 management address to perform the features listed Table 14 on page 208 If you delete it the switch will not support the features unless it a...

Page 238: ...de Global Configuration mode Description Use this command to delete the current IPv6 default gateway from the switch The command must include the current default gateway Confirmation Command SHOW IPV6...

Page 239: ...E Command The fields are described in Table 16 Example The following example displays the management IP address assigned to a switch awplus show ip interface Interface IP Address Status Protocol VLAN1...

Page 240: ...Protocol RIPMetric 149 102 34 0 255 255 255 0 149 102 34 198 VLAN14 0 INTERFACE 1 0 0 0 0 0 0 0 0 149 102 34 212 VLAN14 0 STATIC 1 Table 17 SHOW IP ROUTE Command Parameter Description Destination Not...

Page 241: ...mple The following example displays the management IP address and the default gateway on the switch awplus show ip route Protocol Not applicable to the AT 9000 Switch RIPMetric Not applicable to the A...

Page 242: ...INTERFACE Command The fields are described in Table 18 Example The following example displays the IPv6 management address awplus show ipv6 interface Interface IPv6 Address Status Protocol VLAN3 0 832a...

Page 243: ...t gateway on the switch Figure 55 is an example of the information The default route is display first followed by the management address Figure 55 SHOW IPV6 ROUTE Command Example The following example...

Page 244: ...Chapter 10 IPv4 and IPv6 Management Address Commands 244 Section II Basic Operations...

Page 245: ...tion Overview on page 246 Activating the SNTP Client and Specifying the IP Address of an NTP or SNTP Server on page 247 Configuring Daylight Savings Time and UTC Offset on page 248 Disabling the SNTP...

Page 246: ...Daylight Savings Time For instructions refer to Configuring Daylight Savings Time and UTC Offset on page 248 You must specify the offset of the switch from Coordinated Universal Time UTC For instruct...

Page 247: ...P address of an NTP or SNTP server use the NTP PEER command in the Global Configuration mode You can specify the IP address of only one server This example of the command specifies 1 77 122 54 as the...

Page 248: ...ying the IP Address of an NTP or SNTP Server on page 247 This table lists the commands you use to configure the daylight savings time and UTC offset The commands are located in the Global Configuratio...

Page 249: ...AT 9000 Switch Command Line User s Guide Section II Basic Operations 249 awplus config no clock summer time awplus config clock timezone 02 45...

Page 250: ...sic Operations Disabling the SNTP Client To disable the SNTP client so that the switch doesn t obtain its date and time from an NTP or SNTP server use the NO PEER command in the Global Configuration m...

Page 251: ...yed Figure 56 SHOW NTP ASSOCIATIONS Command The fields are described in Table 21 on page 261 To learn whether the switch has synchronized its time with the designated NTP or SNTP server use the SHOW N...

Page 252: ...e Network Time Protocol SNTP Client 252 Section II Basic Operations Displaying the Date and Time To display the date and time use the SHOW CLOCK command in the User Exec mode or Privileged Exec mode a...

Page 253: ...ctivates Daylight Savings Time and enables Standard Time NO NTP PEER on page 257 Global Configuration Disables the NTP client NTP PEER on page 258 Global Configuration Specifies the IP address of the...

Page 254: ...f the switch is in a locale that uses DST you must remember to enable this in April when DST begins and disable it in October when DST ends If the switch is in a locale that does not use DST set this...

Page 255: ...he default is 00 00 Mode Global Configuration mode Description Use this command to set the UTC offset which is used by the switch to convert the time from an SNTP or NTP server into local time You mus...

Page 256: ...r time Parameters None Mode Global Configuration mode Description Use this command to disable Daylight Savings Time DST and activate Standard Time ST on the SNTP client Confirmation Command SHOW NTP A...

Page 257: ...to deactivate the SNTP client on the switch When the client is disabled the switch does not obtain its date and time from an SNTP or NTP server the next time it is reset or power cycled Confirmation...

Page 258: ...witch and to specify the IP address of the SNTP or NTP server from which it is to obtain its date and time You can specify only one SNTP or NTP server After you enter this command the switch automatic...

Page 259: ...Mode Global Configuration mode Description Use this command to disable the SNTP client delete the IP address of the SNTP or NTP server and restore the client settings to the default values Confirmatio...

Page 260: ...ommands 260 Section II Basic Operations SHOW CLOCK Syntax show clock Parameters None Modes User Exec mode and Privileged Exec mode Description Use this command to display the switch s date and time Ex...

Page 261: ...ed here SNTP Configuration Status Enabled Server 172 17 118 15 UTC Offset 2 Daylight Savings Time DST Enabled Table 21 SHOW NTP ASSOCIATIONS Command Parameter Description Status The status of the SNTP...

Page 262: ...C and local time The range is 12 to 12 hours The default is 0 hours This value is set with CLOCK TIMEZONE on page 255 Daylight Savings Time DST The status of the daylight savings time setting The stat...

Page 263: ...he switch has synchronized its time with the specified NTP or SNTP server An example of the information is shown in Figure 59 Figure 59 SHOW NTP STATUS Command The IP address is the address of the NTP...

Page 264: ...Chapter 12 SNTP Client Commands 264 Section II Basic Operations...

Page 265: ...Table This chapter discusses the following topics Overview on page 266 Adding Static MAC Addresses on page 268 Deleting MAC Addresses on page 269 Setting the Aging Timer on page 271 Displaying the MAC...

Page 266: ...s the packet to all its ports excluding the port where the packet was received If the ports are grouped into virtual LANs the switch floods the packet only to those ports that belong to the same VLAN...

Page 267: ...seconds 5 minutes You can also enter addresses manually into the table These addresses are referred to as static addresses Static MAC addresses remain in the table indefinitely and are never deleted e...

Page 268: ...d You can specify just one port vlan name or VID Use this variable to specify the name or the ID number of the VLAN of the port of the address This information is optional in the command This example...

Page 269: ...and xx xx xx xx xx xx interface You can use this parameter to delete all of the static or dynamic addresses on a particular port You can specify more than one port at a time vlan You can use this para...

Page 270: ...static addresses added to ports 2 to 5 awplus enable awplus clear mac address table static interface port1 0 2 port1 0 5 This example deletes all of the dynamic addresses learned on the ports of the V...

Page 271: ...work devices are inactive To set the aging timer use the MAC ADDRESS TABLE AGEING TIME command in the Global Configuration mode Here is the format of the command mac address table ageing time value Th...

Page 272: ...ed on port 2 awplus show mac address table interface port1 0 2 This example displays the addresses learned on the ports in a VLAN with the VID 8 awplus show mac address table vlan 8 Aging Interval 300...

Page 273: ...EING TIME on page 276 Global Configuration Sets the aging timer which is used by the switch to identify inactive dynamic MAC addresses for deletion from the table MAC ADDRESS TABLE STATIC on page 278...

Page 274: ...ress Specifies the port the MAC addresses to be deleted was learned on You can specify more than one port vlan Deletes MAC addresses learned on a specific VLAN macaddress Specifies the VID of the VLAN...

Page 275: ...all of the dynamic addresses learned on ports 17 to 20 awplus enable awplus clear mac address table dynamic interface port1 0 17 port1 0 20 This example deletes all of the static addresses added to po...

Page 276: ...nsidered inactive if no packets are sent to or received from the corresponding node for the duration of the timer Setting the aging timer to 0 disables the timer No dynamic MAC addresses are aged out...

Page 277: ...mmand Line User s Guide Section II Basic Operations 277 This example returns the aging timer to its default setting of 300 seconds awplus enable awplus configure terminal awplus config no mac address...

Page 278: ...s is to be assigned A unicast MAC address can be added to just one port vlan name Specifies the name of the VLAN where the node designated by the MAC address is a member vid Specifies the ID number of...

Page 279: ...terface port1 0 4 vlan Production This example adds the static MAC address 00 A0 D2 18 1A 11 to port 7 in the Default_VLAN which has the VID 1 The port discards the packets from the specified node awp...

Page 280: ...ed source MAC address port Specifies the port s where the MAC address is assigned vlan name Specifies the name of the VLAN where the node of the MAC address is a member This parameter is optional vid...

Page 281: ...rding packets of the owner of the address awplus enable awplus configure terminal awplus config no mac address table static 00 A0 D2 18 1A 11 forward interface port1 0 12 vlan 1 This example deletes t...

Page 282: ...a particular port or VLAN An example of the table is shown in Figure 61 Figure 61 SHOW MAC ADDRESS TABLE Command Aging Interval 300 second s Switch Forwarding Database Total Number of MAC Addresses 12...

Page 283: ...he port is an untagged member Port The port where the address was learned or assigned The MAC address with port 0 is the address of the switch MAC The dynamic or static unicast MAC address learned on...

Page 284: ...he entire MAC address table awplus show mac address table This example displays the MAC addresses learned on ports 1 to 4 awplus show mac address table interface port1 0 1 port1 0 4 This example displ...

Page 285: ...wing topics Overview on page 286 Configuring the Command Switch on page 289 Configuring a Member Switch on page 291 Managing the Member Switches of an Enhanced Stack on page 293 Changing the Enhanced...

Page 286: ...witches in the stack are known as member switches They can be managed either through the command switch with enhanced stacking or from local or remote management sessions Common VLAN The switches of a...

Page 287: ...igning groups of AT 9000 Switches to different common VLANs The enhanced stacking feature on the AT 9000 Switch is not compatible with the same feature on other Allied Telesis switches such as the AT...

Page 288: ...anage the stack from management workstations that are not members of the same subnet as the switch assign the command switch a default gateway that defines the first hop to reaching the subnet of the...

Page 289: ...e not in the same subnet as the command switch 1 This step creates the common VLAN awplus enable Enter the Privileged Exec mode from the User Exec mode awplus configure terminal Enter the Global Confi...

Page 290: ...LAN awplus config if ip address 149 22 88 5 24 Assign the VLAN the management IP address 149 22 88 5 and the subnet mask 255 255 255 0 awplus config if exit Return to the Global Configuration mode awp...

Page 291: ...he member mode because that is the default setting awplus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus c...

Page 292: ...nd in the Privileged Executive mode 4 Connect the switches together using ports of the common VLAN awplus config estack run Activate enhanced stacking on the switch awplus config exit Return to the Pr...

Page 293: ...here Figure 62 SHOW ESTACK REMOTELIST Command 3 Use the RCOMMAND command in the Global Configuration mode to redirect the management session from the command switch to one of the member switches in t...

Page 294: ...from the User Exec mode or Privileged Exec mode to return the management session to the command switch 7 To manage another member switch in the enhanced stack repeat this procedure starting with step...

Page 295: ...member switch will not allow you to change its mode to the command mode if it is part of an active stack The easiest way to determine whether the switch is part of an active stack is to use the SHOW E...

Page 296: ...r to command with the ESTACK COMMAND SWITCH command 3 On the original command switch restart enhanced stacking with the ESTACK RUN command and if desired reestablish its command mode with the ESTACK C...

Page 297: ...may only use the command when you are managing a switch directly from a local management session or a remote Telnet SSH or web browser session When you disable enhanced stacking on a command switch yo...

Page 298: ...Chapter 15 Enhanced Stacking 298 Section II Basic Operations...

Page 299: ...Configuration Disables enhanced stacking on the switch RCOMMAND on page 304 Global Configuration Redirects the management session to a different switch in the enhanced stack REBOOT ESTACK MEMBER on p...

Page 300: ...N on page 301 A switch that is a member of an active enhanced stack cannot be changed to the command mode You must first disable enhanced stacking on the current command switch in the stack You cannot...

Page 301: ...301 ESTACK RUN Syntax estack run Parameter None Mode Global Configuration mode Description Use this command to activate enhanced stacking on the switch Confirmation Command SHOW ESTACK on page 307 Exa...

Page 302: ...the mode to command mode and now want to return it to member mode Enhanced stacking must be activated on the switch for you to use the command To activate enhanced stacking refer to ESTACK RUN on pag...

Page 303: ...k When you disable enhanced stacking on the command switch its mode is reset to member mode Consequently you must set it back again to the command mode if you reactivate enhanced stacking Note You sho...

Page 304: ...tch to a member switch in the enhanced stack The member switch is identified by its ID number displayed with SHOW ESTACK REMOTELIST on page 310 You can manage only one member switch at a time Note You...

Page 305: ...y reboot individual member switches or all of the member switches of a stack You must perform SHOW ESTACK REMOTELIST on page 310 prior to this command to determine the ID numbers of the switches Cauti...

Page 306: ...his example reboots a member switch that has the ID number 3 awplus enable awplus show estack remotelist awplus reboot estack member 3 This example reboots all of the member switches of the enhanced s...

Page 307: ...is an example of the information the command displays Figure 64 SHOW ESTACK Command The fields are described in Table 26 on page 307 Enhanced Stacking mode Member 1 MAC address 00 15 77 CC E2 42 Mode...

Page 308: ...e number is the switch s stack ID number If the brackets are empty the switch did not detect a command switch on the common VLAN and so does not consider itself part of an enhanced stack Disabled Enha...

Page 309: ...hanced stacking information about the command switch This command is equivalent to issuing the SHOW ESTACK command on the command switch Figure 65 is an example of the information the command displays...

Page 310: ...The default is MAC address An example is shown in Figure 66 Figure 66 SHOW ESTACK REMOTELIST Command The list does not include the command switch on which you entered the command Note This command on...

Page 311: ...ns 311 This example sorts the switches by host name awplus enable awplus configure terminal awplus config show estack remotelist name This example sorts the switches by model series awplus enable awpl...

Page 312: ...Chapter 16 Enhanced Stacking Commands 312 Section II Basic Operations...

Page 313: ...his chapter discusses the following topics Overview on page 314 Creating the Port Mirror or Adding New Source Ports on page 315 Removing Source Ports or Deleting the Port Mirror on page 316 Displaying...

Page 314: ...ion port The source ports are the ports whose packets are to be mirrored and monitored The destination port is the port where the packets from the source ports are copied and where the network analyze...

Page 315: ...awplus configure terminal awplus config interface port1 0 5 awplus config if mirror interface port1 0 3 direction receive The switch immediately begins to copy the monitored traffic from the source po...

Page 316: ...mirror The destination port is port 11 awplus enable awplus configure terminal awplus config interface port1 0 11 awplus config if no mirror interface port1 0 2 To completely stop port mirroring and t...

Page 317: ...ror In this example of the information the port mirror is enabled and the ingress and egress packets on ports 1 and 3 as well as the egress traffic on ports 11 to 13 are being copied to destination po...

Page 318: ...Chapter 17 Port Mirror 318 Section II Basic Operations...

Page 319: ...Interface Creates the port mirror and adds ports to the port mirror NO MIRROR on page 321 Port Interface Stops port mirroring completely NO MIRROR INTERFACE on page 322 Port Interface Removes source p...

Page 320: ...ource port Mode Port Interface mode Description Use this command to create the port mirror or to add ports to the port mirror You must issue this command from the Port Interface mode of the destinatio...

Page 321: ...deletes all the source ports from the port mirror You should enter this command in the Port Interface mode of the destination port of the port mirror Confirmation Command SHOW MIRROR on page 323 Exam...

Page 322: ...n the Port Interface mode of the destination port of the port mirror To delete the port mirror and to return the destination port to normal operations use the NO MIRROR command Confirmation Command SH...

Page 323: ...e Enabled Mirror To Destination Port 22 Ingress Rx Mirror Source Ports 1 3 Egress Tx Mirror Source Ports 1 3 11 13 Table 28 SHOW MIRROR Command Parameter Description Mirror Test Port Name The destinat...

Page 324: ...Chapter 18 Port Mirror Commands 324 Section II Basic Operations Example awplus show mirror...

Page 325: ...ing This chapter discusses the following topics Overview on page 326 Host Node Topology on page 328 Configuring the IGMP Snooping Parameters on page 329 Enabling IGMP Snooping on page 330 Disabling IG...

Page 326: ...he router has no nodes that want to be members of multicast groups the router does not send multicast packets out the port This improves network performance by restricting the multicast packets only t...

Page 327: ...eives multicast packets it floods the packets out all its ports except the port on which it received the packets Such flooding of packets can negatively impact network performance The switch maintains...

Page 328: ...sent leave requests or have timed out The switch responds by immediately ceasing the transmission of additional multicast packets out the ports Multiple hosts Per Port The multiple hosts per port set...

Page 329: ...out 50 awplus config ip igmp snooping mrouter interface port1 0 4 This example reactivates the auto detection of multicast router ports by removing the static router port 4 awplus enable awplus config...

Page 330: ...ooping on the switch is the IP IGMP SNOOPING command in the Global Configuration mode After you enter the command the switch begins to build its multicast table as queries from the multicast router an...

Page 331: ...MP snooping on the switch is the NO IP IGMP SNOOPING command in the Global Configuration mode To disable IGMP snooping awplus enable awplus configure terminal awplus config no ip igmp snooping When IG...

Page 332: ...scribed in Table 31 on page 343 IGMP Snooping Configuration IGMP Snooping Status Enabled Querier Admin Disabled Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds Maximum IGM...

Page 333: ...dentify inactive host nodes and multicast routers IP IGMP SNOOPING on page 337 Global Configuration Enables IGMP snooping on the switch IP IGMP SNOOPING MROUTER on page 338 Global Configuration Manual...

Page 334: ...AR IP IGMP Syntax clear ip igmp Parameters None Mode Privileged Exec mode Description Use this command to clear all IGMP group membership records on all VLANs Example This example clears all IGMP grou...

Page 335: ...resses Mode Global Configuration mode Description Use this command to specify the maximum number of multicast addresses the switch can learn If your network has a large number of multicast groups you...

Page 336: ...MP reports from it for the duration of the timer The switch stops transmitting multicast packets from a port of an inactive host node if there are no additional host nodes A multicast router is deemed...

Page 337: ...NOOPING Syntax ip igmp snooping Parameters None Mode Global Configuration mode Description Use this command to activate IGMP snooping on the switch Confirmation Command SHOW IP IGMP SNOOPING on page 3...

Page 338: ...nually specify ports that are connected to multicast routers Manually specifying multicast router ports deactivates auto detect To reactivate auto detect remove all static multicast router ports For i...

Page 339: ...n one host node Mode Global Configuration mode Description Use this command to specify the IGMP host node topology For background information refer to Host Node Topology on page 328 Confirmation Comma...

Page 340: ...figuration mode Description Use this command to deactivate IGMP snooping on the switch When IGMP snooping is disabled the switch floods multicast packets on all ports except on ports that receive the...

Page 341: ...outer port Mode Global Configuration mode Description Use this command to remove static multicast router ports Removing all multicast router ports activates auto detect Confirmation Command SHOW IP IG...

Page 342: ...ping Status Enabled Querier Admin Disabled Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds Maximum IGMP Multicast Groups 64 Router Port s Auto Detect Router List VLAN Port...

Page 343: ...the default setting multihost This is the multiple host per port topology This topology is appropriate when there is more than one host node per port on the switch To set this parameter refer to IP I...

Page 344: ...it Host List Number of IGMP Multicast Groups The number of IGMP multicast groups that have active host nodes on the switch Multicast Group The multicast addresses of the groups ID The ID numbers of t...

Page 345: ...mes forwarding unknown egress multicast packets on ports NO SWITCHPORT BLOCK INGRESS MULTICAST on page 347 Port Interface Resumes forwarding unknown ingress multicast packets on ports SWITCHPORT BLOCK...

Page 346: ...terface mode Description Use this command to resume forwarding of unknown egress multicast packets on ports Confirmation Command SHOW INTERFACE on page 190 Example This example resumes forwarding of u...

Page 347: ...face mode Description Use this command to resume forwarding of unknown ingress multicast packets on ports Confirmation Command SHOW INTERFACE on page 190 Example This example resumes forwarding of unk...

Page 348: ...ticast packets on ports Note This feature does not block multicast packets that have reserved multicast addresses in the range of 01 80 C2 00 00 00 to 01 80 C2 00 00 0F Confirmation Command SHOW INTER...

Page 349: ...ess multicast packets on ports Note This feature does not block multicast packets that have reserved multicast addresses in the range of 01 80 C2 00 00 00 to 01 80 C2 00 00 0F Confirmation Command SHO...

Page 350: ...Chapter 21 Multicast Commands 350 Section II Basic Operations...

Page 351: ...rs Chapter 22 File System on page 353 Chapter 23 File System Commands on page 361 Chapter 24 Boot Configuration Files on page 369 Chapter 25 Boot Configuration File Commands on page 375 Chapter 26 Fil...

Page 352: ...352 Section III File System...

Page 353: ...s Overview on page 354 Copying Boot Configuration Files on page 355 Renaming Boot Configuration Files on page 356 Deleting Boot Configuration Files on page 357 Displaying the Specifications of the Fil...

Page 354: ...iles Encryption key pairs The file system has a flat directory structure All the files are stored in the root directory The file system does not support subdirectories Table 33 File Extensions and Fil...

Page 355: ...parameter specifies the name of the boot configuration file you want to copy The DESTINATIONFILE parameter specifies the name of the new copy The name can be up to 16 alphanumeric characters and must...

Page 356: ...aracters This example renames the Sales2sw cfg boot configuration file to unit12a cfg awplus enable awplus move Sales2sw cfg unit12a cfg Note If you rename the active boot configuration file you will...

Page 357: ...le deletes the configuration file unit2a cfg awplus delete unit2a cfg Note If you delete the active boot configuration file you will have to designate another active boot configuration file before the...

Page 358: ...free space and the amount of space used by the files currently stored in the file system It is the SHOW FILE SYSTEMS command Here is an example of the information Figure 71 SHOW FILE SYSTEMS Command...

Page 359: ...s Guide Section III File System 359 Listing the Files in the File System To view the names of the files in the file system of the switch use the DIR command in the Privileged Exec mode awplus dir The...

Page 360: ...Chapter 22 File System 360 Section III File System...

Page 361: ...DELETE on page 363 Privileged Exec Deletes boot configuration files from the file system DELETE FORCE on page 364 Privileged Exec Deletes boot configuration files from the file system DIR on page 365...

Page 362: ...iption Use this command to create copies of boot configuration files in the file system of the switch Creating copies of the active boot configuration file is an easy way to maintain a history of the...

Page 363: ...em in the switch This command is equivalent to DELETE FORCE on page 364 Note If you delete the active configuration file the switch recreates it the next time you issue the WRITE command or the COPY R...

Page 364: ...switch This command is equivalent to DELETE on page 363 Note If you delete the active configuration file the switch recreates it the next time you issue the WRITE command or the COPY RUNNING CONFIG S...

Page 365: ...Line User s Guide Section III File System 365 DIR Syntax dir Parameter None Mode Privileged Exec mode Description Use this command to list the names of the files stored in the file system on the swit...

Page 366: ...eged Exec mode Description Use this command to rename boot configuration files in the switch s file system Note If you rename the active boot configuration file the switch recreates it the next time y...

Page 367: ...Type Flags Prefixes S D V Lcl Ntwk 16 8 flash rw None Static local Y Table 35 SHOW FILE SYSTEMS Command Parameter Description Size B The total amount of flash memory in the switch The amount is given...

Page 368: ...s S D W The memory type static virtual or dynamic Lcl Ntwk Whether the memory is located locally or via a network connection For the AT 9000 Switches this is always Local Y N Whether the memory is acc...

Page 369: ...les This chapter discusses the following topics Overview on page 370 Specifying the Active Boot Configuration File on page 371 Creating a New Boot Configuration File on page 373 Displaying the Active...

Page 370: ...parameter settings every time you power off or reset the unit The switch as part of its initialization process whenever it is powered on or reset automatically refers to this file to set its paramete...

Page 371: ...having to enter the WRITE command or the COPY RUNNING CONFIG STARTUP CONFIG command In fact you probably will not want to enter either of those commands after you specify a new active boot configurati...

Page 372: ...nally marks it as the active boot configuration file The file is now ready to store any new parameter settings you might make to the switch In this example the settings of the switch are configured us...

Page 373: ...cters not including the extension cfg If you specify the name of an existing file the new file overwrites the existing file It is important to understand that this command does not change the switch s...

Page 374: ...is the command awplus show boot Here is an example of the information Figure 73 SHOW BOOT Command The Current boot config field displays the name of the active boot configuration file which for the sw...

Page 375: ...e switch s current configuration to the active boot configuration file ERASE STARTUP CONFIG on page 380 Privileged Exec Returns the switch to its default settings NO BOOT CONFIG FILE on page 381 Globa...

Page 376: ...tive boot configuration file enter a new filename in the command The command automatically creates the file updates it with the current settings of the switch and designates it as the active boot conf...

Page 377: ...e sw12a cfg as the switch s active configuration file The example assumes that the file already exists in the file system of the switch and that you want to reconfigure the switch according to the set...

Page 378: ...ion files Stored in the file system on the switch the files contain the current settings of the switch You might use this command to create a backup copy of the switch s current configuration This com...

Page 379: ...torage When you enter the command the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that have been changed from their default sett...

Page 380: ...boot configuration file To return the active configuration file to the default settings you must enter the WRITE or COPY RUNNING CONFIG STARTUP CONFIG command after the switch reboots and after you h...

Page 381: ...oftware it uses the BOOT CFG file to configure its parameter settings To overwrite the settings in the active boot configuration file with the switch s current settings enter the WRITE or COPY RUNNING...

Page 382: ...urrent boot image v2 1 1 Backup boot image Not set Default boot config cfg boot cfg Current boot config cfg switch2 cfg file exists Table 37 SHOW BOOT Command Field Description Current software The ve...

Page 383: ...AT 9000 Switch Command Line User s Guide Section III File System 383 Example awplus show boot...

Page 384: ...384 Section III File System SHOW STARTUP CONFIG Syntax show startup config Parameter None Mode Privileged Exec mode Description Use this command to display the contents of the active boot configurati...

Page 385: ...mand the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that have been changed from their default settings Note Parameter changes t...

Page 386: ...Chapter 25 Boot Configuration File Commands 386 Section III File System...

Page 387: ...s This chapter discusses the following topics Overview on page 388 Uploading or Downloading Files with TFTP on page 389 Uploading or Downloading Files with Zmodem on page 393 Downloading Files with En...

Page 388: ...o Chapter 79 Secure HTTPS Web Browser Server on page 1159 Here are the files you can upload from the switch Boot configuration files CA certificate requests Technical support text files Refer to SHOW...

Page 389: ...Downloading New Management Software with TFTP To use TFTP to download new management software to the switch Caution This procedure causes the switch to reset The switch does not forward network traffi...

Page 390: ...Wait for the switch to write the new management software to flash memory 6 To resume managing the switch start a new management session after the switch has reset 7 To confirm the new management softw...

Page 391: ...e terminal awplus config boot config file switch1a cfg 6 At this point do one of the following To configure the switch using the settings in the newly designated active boot configuration file reset t...

Page 392: ...the file to be uploaded from the switch to the TFTP server The filename can not contain spaces and must include the appropriate extension This example of the command uploads the boot configuration fil...

Page 393: ...For instructions refer to Starting a Local Management Session on page 60 3 Enter this command in the Privileged Exec mode awplus copy zmodem You will see this prompt Waiting to receive 4 Use your term...

Page 394: ...e HTTPS Web Browser Server on page 1159 Technical support text files Refer to SHOW TECH SUPPORT on page 1242 To upload a file from the switch using Zmodem 1 Start a local management session on the swi...

Page 395: ...enter the command the switch displays this message Waiting to send 4 Use your terminal or terminal emulator program to begin the upload The upload must be Zmodem The upload should take only a few mom...

Page 396: ...one of the previous procedures in this chapter 2 After you ve updated the management software on the command switch start a new local or remote session on it 3 Issue the SHOW ESTACK REMOTELIST comman...

Page 397: ...This prompt is displayed Do you want confirmation before downloading each switch Yes No 7 Type Y for yes if you want the command switch to prompt you before it downloads its management software to ea...

Page 398: ...Chapter 26 File Transfers 398 Section III File System...

Page 399: ...ged Exec Uses TFTP to upload files from the switch COPY TFTP FLASH on page 402 Privileged Exec Uses TFTP to download new versions of the management software boot configuration files or CA certificates...

Page 400: ...er with a Zmodem utility to upload boot configuration files from the file system in the switch to your terminal or computer This command must be performed from a local management session For instructi...

Page 401: ...fy just one filename Mode Privileged Exec mode Description Use this command to upload configuration files from the file system in the switch to a TFTP server on your network You can perform the comman...

Page 402: ...the management software boot configuration files or CA certificates to the switch from a TFTP server on your network You may perform the command from a local management session or a remote Telnet or...

Page 403: ...em 403 awplus enable awplus copy tftp flash 149 22 121 45 at9000_app img This example downloads the boot configuration file sw12a cfg to the switch from a TFTP server with the IP address 112 141 72 11...

Page 404: ...t session For instructions on how to use this command refer to Downloading Files to the Switch with Zmodem on page 393 Note You may not use Zmodem to download new versions of the management software t...

Page 405: ...on enhanced stacking refer to Chapter 15 Enhanced Stacking on page 285 For instructions on how to use this command refer to Downloading New Management Software with Enhanced Stacking on page 396 Caut...

Page 406: ...Chapter 27 File Transfer Commands 406 Section III File System...

Page 407: ...vent Messages This section contains the following chapters Chapter 28 Event Log on page 409 Chapter 29 Event Log Commands on page 413 Chapter 30 Syslog Client on page 423 Chapter 31 Syslog Client Comm...

Page 408: ...408 Section IV Event Messages...

Page 409: ...409 Chapter 28 Event Log This chapter covers the following topics Overview on page 410 Displaying the Event Log on page 411 Clearing the Event Log on page 412...

Page 410: ...ormally or what happened when a problem occurred The operation of the switch can be monitored by viewing the event messages generated by the device These events and the vital information about system...

Page 411: ...he messages are displayed one screen at a time To cancel the log type q for quit Here is an example of the log Figure 76 SHOW LOG Command The columns are described in Table 41 on page 417 If you happe...

Page 412: ...t Log 412 Section II Basic Operations Clearing the Event Log To clear all the messages from the event log use the CLEAR LOG BUFFERED command in the Privileged Exec mode Here is the command awplus clea...

Page 413: ...the event log LOG BUFFERED on page 415 Global Configuration Specifies the types of event messages to be stored in the event log SHOW LOG on page 417 Privileged Exec Displays the event messages from ol...

Page 414: ...ntax clear log buffered Parameters None Mode Privileged Exec mode Description Use this command to delete the event messages in the event log Confirmation Command SHOW LOG on page 417 Example The follo...

Page 415: ...fy more than one module separate the modules with commas Mode Global Configuration mode Description Use this command to specify the types of event messages to be stored in the event log You can specif...

Page 416: ...wplus configure terminal awplus config log buffered program igmpsnooping lacp pconfig This example configures the event log to save only those event messages that have a minimum severity level of 4 an...

Page 417: ...d here date time facility severity program pid message 2010 Jan 15 14 39 04 user information awplus stp Set Configuration succeeded 2010 Jan 15 14 39 04 user information awplus stp Set Configuration s...

Page 418: ...Management Software Modules Module Name Description ACL Port access control list CFG Switch configuration CLASSIFIER Classifiers used by ACL and QoS CLI Command line interface commands ENCO Encryption...

Page 419: ...authentication protocol RTC Real time clock SNMP SNMP SSH Secure Shell protocol SSL Secure Sockets Layer protocol STP Spanning Tree and Rapid Spanning protocols SYSTEM Hardware status manager and oper...

Page 420: ...d here OutputID Type Status Details 1 Temporary Enabled Wrap on Full Table 43 SHOW LOG CONFIG Command Parameter Description Output ID The ID number of the event log The event log has the ID 1 Type The...

Page 421: ...This command is also used to view the configuration of the syslog client For information refer to SHOW LOG CONFIG on page 435 in Chapter 31 Syslog Client Commands on page 431 Example The following co...

Page 422: ...and the SHOW LOG command display the same messages but in different order The SHOW LOG command displays the messages from oldest to newest To cancel the display type q for quit You cannot filter the l...

Page 423: ...423 Chapter 30 Syslog Client Overview on page 424 Creating Syslog Server Definitions on page 425 Deleting Syslog Server Definitions on page 428 Displaying the Syslog Server Definitions on page 429...

Page 424: ...ding a Management IP Address on page 66 or Chapter 9 IPv4 and IPv6 Management Addresses on page 207 The syslog servers must be members of the same subnet as the management IP address of the switch or...

Page 425: ...mitted to the server For example specifying level 4 for a syslog server definition causes the switch to transmit levels 0 and 4 messages If you omit this parameter messages of all severity levels are...

Page 426: ...ontrol PCFG Port configuration PKI Public Key Infrastructure PMIRR Port mirroring PSEC MAC address based port security PTRUNK Static port trunking QOS Quality of Service RADIUS RADIUS authentication p...

Page 427: ...definition that sends messages from the RADIUS spanning tree protocols and static port trunks to a syslog server that has the IP address 156 74 134 76 awplus enable awplus configure terminal awplus co...

Page 428: ...ost ipaddress To view the IP addresses of the syslog servers of the definitions use the SHOW LOG CONFIG command You can delete just one definition at a time with this command The switch stops sending...

Page 429: ...ion Figure 79 SHOW LOG CONFIG Command Definition 1 relates to the event log and can be ignored Syslog server definitions start at 2 The columns in the display are described is Table 47 on page 435 The...

Page 430: ...Chapter 30 Syslog Client 430 Section IV Event Messages...

Page 431: ...able 46 Syslog Client Commands Command Mode Description LOG HOST on page 432 Global Configuration Creates syslog server definitions NO LOG HOST on page 434 Global Configuration Deletes syslog server d...

Page 432: ...les are sent to the syslog server The modules are listed in Table 42 on page 418 You can specify more than one feature Separate multiple features with commas Omit this parameter to send messages from...

Page 433: ...yslog server that has the IP address 149 152 122 143 The definition sends only those messages that have a minimum severity level of 4 and that are generated by the RADIUS client RADIUS and static port...

Page 434: ...a syslog server Mode Global Configuration mode Description Use this command to delete syslog server definitions from the switch Confirmation Command SHOW LOG CONFIG on page 435 Example This example de...

Page 435: ...OutputID Type Status Details 1 Temporary Enabled Wrap on Full 2 Syslog Enabled 169 55 55 55 3 Syslog Enabled 149 88 88 88 Table 47 SHOW LOG CONFIG Command Parameter Description Output ID The ID numbe...

Page 436: ...displays the action of the log when it reaches maximum capacity Wrap on Full means that the log adds new entries by deleting old entries when it reaches maximum capacity This cannot be changed For sys...

Page 437: ...section contains the following chapters Chapter 32 Static Port Trunks on page 439 Chapter 33 Static Port Trunk Commands on page 449 Chapter 34 Link Aggregation Control Protocol LACP on page 455 Chapte...

Page 438: ...438 Section V Port Trunks...

Page 439: ...view on page 440 Creating New Static Port Trunks or Adding Ports To Existing Trunks on page 444 Specifying the Load Distribution Method on page 445 Removing Ports from Static Port Trunks or Deleting T...

Page 440: ...a link is lost on a port in a static port trunk the trunk s total bandwidth is reduced Although the traffic carried by a lost link is shifted to one of the remaining ports in the trunk the bandwidth r...

Page 441: ...ues of the last three bits of a MAC or IP address Assume you selected source MAC address as the load distribution method and that the switch needed to transmit over the trunk a packet with a source MA...

Page 442: ...unk s efficiency and performance Guidelines Here are the guidelines to using static port trunks A static trunk can have up to eight ports The switch supports up to a total of 32 static port trunks and...

Page 443: ...agged members of the same VLAN A trunk cannot consist of untagged ports from different VLANs The switch selects the lowest numbered port in the trunk to handle broadcast packets and packets of unknown...

Page 444: ...le that creates a new trunk of ports 22 to 23 and the ID number 1 awplus enable awplus configure terminal awplus config interface port1 0 22 port1 0 23 awplus config if static channel group 1 If a sta...

Page 445: ...stination MAC address src ip Specifies source IP address dst ip Specifies destination IP address src dst ip Specifies source address destination IP address To enter the Static Port Trunk Interface mod...

Page 446: ...interface port1 0 4 port1 0 5 awplus config if no static channel group To delete a static port trunk remove all its member ports This example deletes a trunk that consists of member ports 15 to 17 an...

Page 447: ...mode or Privileged Exec mode awplus show static channel group Here is an example of the information Figure 82 SHOW STATIC CHANNEL GROUP Command To view the load distribution methods of static port tru...

Page 448: ...Chapter 32 Static Port Trunks 448 Section V Port Trunks...

Page 449: ...om existing static port trunks and deletes trunks from the switch PORT CHANNEL LOAD BALANCE on page 451 Static Port Trunk Interface Sets the load distribution methods of static port trunks SHOW STATIC...

Page 450: ...do not remove ports from a static port trunk without first disconnecting their network cable Network loops can result in broadcast storms that can adversely affect network performance Note You cannot...

Page 451: ...ommand to specify the load distribution methods of static port trunks The load distribution methods determine the manner in which the switch distributes packets among the ports of a trunk This command...

Page 452: ...orts of static port trunks on the switch An example of the command is shown in Figure 83 Figure 83 SHOW STATIC CHANNEL GROUP Command To view the load distribution methods of static port trunks display...

Page 453: ...er in the range of 1 to 32 This number is used by the switch to identify trunks and to assign trunk names A name of a trunk consists of the prefix sa followed by an ID number For instance if you assig...

Page 454: ...ting ports in the trunk Consequently you check to see if its settings are appropriate prior to adding it to the trunk If the port will not be the lowest numbered port its settings are changed to match...

Page 455: ...erview on page 456 Creating New Aggregators on page 460 Setting the Load Distribution Method on page 461 Adding Ports to Aggregators on page 462 Removing Ports from Aggregators on page 463 Deleting Ag...

Page 456: ...tch with ports 11 to 18 as the active ports and ports 19 and 20 as the reserve ports If an active port loses its link the switch automatically activates one of the reserve ports to maintain maximum ba...

Page 457: ...switch would activate all six links because it can handle up to eight active links in a trunk at one time while the other device would activate only four ports But by giving the other 802 3ad device t...

Page 458: ...hat is part of an aggregator does not receive LACPDU packets it functions as a normal Ethernet port and forwards network packets along with LACPDU packets Load Distribution Methods The load distributi...

Page 459: ...oad Distribution Methods on page 440 To function as a member of an aggregator a port must receive LACPDU packets from a remote network device A port that does not receive LACPDU packets while it is a...

Page 460: ...number If the ports of a new aggregator are already members of other aggregators the switch automatically removes them from their current assignments before adding them to the new aggregator Caution...

Page 461: ...enter the mode use the INTERFACE PO command from the Global Configuration mode in this format interface poid_number You specify the intended aggregator by adding its ID number as a suffix to PO Here...

Page 462: ...and specify the ID number of the existing aggregator to which the new ports are to be assigned If you do not know the ID number use the SHOW ETHERCHANNEL DETAIL command If the new ports of an aggregat...

Page 463: ...first disconnecting the network cable Leaving the network cable connected may result in a network loop which can cause a broadcast storm Note You cannot remove the base port of an aggregator The base...

Page 464: ...de Caution Do not delete an aggregator without first disconnecting the network cables from its ports Leaving the network cables connected may result in a network loop which can cause a broadcast storm...

Page 465: ...ERCHANNEL DETAIL The only information the SHOW ETHERCHANNEL DETAIL command doesn t include is the LACP system priority value That value can been seen with the SHOW LACP SYS ID command also in the Priv...

Page 466: ...an example of the information Figure 85 SHOW LACP SYS ID Command it should be mentioned that while the system priority value is set as an integer with the LACP SYSTEM PRIORITY command this command dis...

Page 467: ...s and deletes aggregators PORT CHANNEL LOAD BALANCE on page 472 LACP Port Trunk Interface Sets the load distribution method SHOW ETHERCHANNEL on page 474 Privileged Exec Displays the ports of the aggr...

Page 468: ...isting aggregator that consists of ports 7 to 12 You have to delete and recreate an aggregator to change its base port To review the guidelines to creating or modifying aggregators refer to Guidelines...

Page 469: ...e User s Guide Section V Port Trunks 469 This example adds port 15 to an existing aggregator that has the ID number 4 awplus enable awplus configure terminal awplus config interface port1 0 15 awplus...

Page 470: ...o set the LACP priority of the switch The switch uses the LACP priority to resolve conflicts with other network devices when it creates aggregate trunks Confirmation Command SHOW LACP SYS ID on page 4...

Page 471: ...leting and recreating the aggregator Caution To prevent creating a loop in your network topology you should not remove ports from an aggregator without first disconnecting their network cables Network...

Page 472: ...ss Mode LACP Port Trunk Interface mode Description Use this command to set the load distribution methods of aggregators An aggregator can have only one load distribution method The load distribution m...

Page 473: ...t Trunks 473 Example This example sets the load distribution method to source MAC address for the LACP trunk that has the ID number 22 awplus enable awplus configure terminal awplus config interface p...

Page 474: ...se this command to display the ports of specific aggregators on the switch Figure 86 illustrates the information Figure 86 SHOW ETHERCHANNEL Command Example This example displays the ports of the aggr...

Page 475: ...gator 1 po1 Mac address 00 15 77 D8 43 60 0000 Admin Key 0xff01 Oper Key 0x0101 Receive link count 4 Transmit link count 4 Individual 0 Ready 0 Distribution Mode MACBoth Partner LAG 0080 00 A0 D2 00 9...

Page 476: ...re 88 illustrates the information Figure 88 SHOW ETHERCHANNEL SUMMARY Command Example awplus show etherchannel summary Aggregator 2 po2 Admin Key 0xff01 Oper Key 0x0101 Link Port1 0 2 sync Link Port1...

Page 477: ...command to display the LACP priority value and MAC address of the switch Figure 88 illustrates the information Figure 89 SHOW LACP SYS ID Command Note The LACP priority value is set as an integer with...

Page 478: ...e 90 SHOW PORT ETHERCHANNEL Command Example awplus show port etherchannel port1 0 5 Port 05 Aggregator LACP sw22 Receive machine state Default Periodic Transmission machine state Fast periodic Mux mac...

Page 479: ...llowing chapters Chapter 36 Spanning Tree and Rapid Spanning Tree Protocols on page 481 Chapter 37 Spanning Tree Protocol STP on page 501 Chapter 38 STP Commands on page 509 Chapter 39 Rapid Spanning...

Page 480: ...480 Section VI Spanning Tree Protocols...

Page 481: ...on page 483 Path Costs and Port Costs on page 484 Port Priority on page 485 Forwarding Delay and Topology Changes on page 486 Hello Time and Bridge Protocol Data Units BPDU on page 487 Point to Point...

Page 482: ...ty by activating backup redundant paths One of the primary differences between the two protocols is in the time each takes to complete the process referred to as convergence When a change is made to t...

Page 483: ...the root bridge If two or more bridges have the same bridge priority number of those bridges the one with the lowest MAC address is designated as the root bridge You can change the bridge priority num...

Page 484: ...aths must determine which path will be the primary active path and which path s will be placed in the standby blocking mode This is accomplished by an determination of path costs The path offering the...

Page 485: ...es must select a preferred path In some instances this can involve the use of the port priority parameter This parameter is used as a tie breaker when two paths have the same cost The port priority ha...

Page 486: ...ated to change from blocking to forwarding passes through two additional states listening and learning before beginning to forward frames The amount of time a port spends in these states is set by the...

Page 487: ...root bridge has already been selected in the network and if not whether it has the lowest bridge priority number of all the bridges and should therefore become the root bridge The root bridge periodi...

Page 488: ...e connected with one data link With the link operating in full duplex the ports are point to point ports Figure 91 Point to Point Ports If a port is operating in half duplex mode and is not connected...

Page 489: ...mining whether a bridge port is point to point edge or both can be a bit confusing For that reason do not change the default values for this RSTP feature unless you have a good grasp of the concept In...

Page 490: ...a network they operate together to create a single spanning tree domain Given this if you decide to activate spanning tree on the switch there is no reason not to use RSTP even if the other switches...

Page 491: ...Figure 94 Two VLANs Sales and Production span two switches Two links consisting of untagged ports connect the separate parts of each VLAN If STP or RSTP is activated on the switches one of the links...

Page 492: ...Section VI Spanning Tree Protocols You can avoid this problem by not activating spanning tree or by connecting VLANs using tagged instead of untagged ports For information about tagged and untagged po...

Page 493: ...ng state skipping the intermediate listening and learning states Edge ports however can leave a spanning tree domain vulnerable to unwanted topology changes This can happen if someone connects a RSTP...

Page 494: ...rts of the switch and any fiber optic transceivers installed in the unit Note A port disabled by the BPDU guard feature remains in that state until you enable it with the management software If a port...

Page 495: ...nitoring the ports on the switch for BPDUs from the other RSTP devices If a port stops receiving BPDUs without a change to its link state that is the link on a port stays up the switch assumes that th...

Page 496: ...tions in a network of three switches that have been connected to form a loop To block the loop switch 3 designates port 14 as an alternate port and places it in the blocking or discarding state Figure...

Page 497: ...rates how loop guard works to maintain a loop free topology by keeping alternate ports in the blocking state when they stop receiving BPDUs Loop guard can also work on root and designated ports that a...

Page 498: ...itch 3 transitions to the forwarding state from the blocking state to become the new root port for the switch The result is a network loop Figure 98 Loop Guard Example 4 But if loop guard is active on...

Page 499: ...3 Port 4 Loop guard changes the port to the blocking state from the forwarding state 50 49 50R 49R AT 8100S 48 CONSOLE S2 S1 LINK ACT 50 49 50R 49R AT 8100S 48 CONSOLE S2 S1 LINK ACT 50 49 50R 49R AT...

Page 500: ...Chapter 36 Spanning Tree and Rapid Spanning Tree Protocols 500 Section VI Spanning Tree Protocols...

Page 501: ...ion Designating STP as the Active Spanning Tree Protocol on page 502 Enabling the Spanning Tree Protocol on page 503 Setting the Switch Parameters on page 504 Setting the Port Parameters on page 506 D...

Page 502: ...pports other spanning tree protocols in addition to STP but only one of them can be active at a time on the device To designate STP as the active spanning tree protocol on the switch use the SPANNING...

Page 503: ...otocol To enable STP on the switch use the SPANNING TREE STP ENABLE command in the Global Configuration mode Here is the command awplus enable awplus configure terminal awplus config spanning tree stp...

Page 504: ...ime 5 awplus config spanning tree max age 20 If you want the switch to be the root bridge of the spanning tree domain assign it a low priority number with the SPANNING TREE PRIORITY command The bridge...

Page 505: ...ommand Line User s Guide Section VI Spanning Tree Protocols 505 This example of the command sets the switch s priority value to 8 192 awplus enable awplus configure terminal awplus config spanning tre...

Page 506: ...g interface port1 0 4 port1 0 18 awplus config if spanning tree path cost 40 This example of the SPANNING TREE PRIORITY command assigns a priority value of 32 awplus enable awplus configure terminal a...

Page 507: ...rminal awplus config no spanning tree stp enable Note Before disabling the spanning tree protocol on the switch display the STP states of the ports and disconnect the network cables from any ports tha...

Page 508: ...sing The words Spanning Tree in the first line signal whether spanning tree is enabled or disabled not which spanning tree protocol is activated on the switch For that you have to use the SHOW RUNNING...

Page 509: ...the switch sends spanning tree configuration information when it is the root bridge or is trying to become the root bridge SPANNING TREE MAX AGE on page 514 Global Configuration Sets the maximum age p...

Page 510: ...the switch display the STP states of the ports and disconnect the network cables from any ports that are in the discarding state Ports that are in the discarding state begin to forward traffic again...

Page 511: ...displays the STP settings for all the ports awplus show spanning tree This command displays the STP settings for ports 1 and 4 awplus show spanning tree interface port1 0 1 port1 0 4 Default Bridge up...

Page 512: ...e only if the switch is acting as the root bridge of the spanning tree domain Switches that are not acting as the root bridge use a dynamic value supplied by the root bridge The forward time max age a...

Page 513: ...bridge or is trying to become the root bridge The forward time max age and hello time parameters should be set according to the following formulas as specified in IEEE Standard 802 1d max age 2 x for...

Page 514: ...nits BPDUs are stored by the switch before they are deleted The forward time max age and hello time parameters should be set according to the following formulas as specified in IEEE Standard 802 1d ma...

Page 515: ...ve spanning tree protocol on the switch You must select STP as the active spanning tree protocol before you can enable it or configure its parameters Only one spanning tree protocol can be active on t...

Page 516: ...specify the cost of a port to the root bridge This cost is combined with the costs of the other ports in the path to the root bridge to determine the total path cost The lower the numeric value the hi...

Page 517: ...ecomes the root bridge If two or more devices have the same priority value the device with the numerically lowest MAC address becomes the root bridge The range is 0 to 61 440 in increments of 4 096 Th...

Page 518: ...s a tie breaker when two or more ports have equal costs to the root bridge The range is 0 to 240 in increments of 16 The priority values can be set only in increments of 16 The default is 128 Use the...

Page 519: ...e STP on the switch You must designate STP as the active spanning tree protocol on the switch before you can enable it or configure its parameters For instructions refer to SPANNING TREE MODE STP on p...

Page 520: ...Chapter 38 STP Commands 520 Section VI Spanning Tree Protocols...

Page 521: ...ating RSTP as the Active Spanning Tree Protocol on page 522 Enabling the Rapid Spanning Tree Protocol on page 523 Configuring the Switch Parameters on page 524 Configuring the Port Parameters on page...

Page 522: ...l This is accomplished with the SPANNING TREE MODE RSTP command in the Global Configuration mode Afterwards you can configure its settings and enable the protocol Here is the command awplus enable awp...

Page 523: ...nd in the Global Configuration mode Here is the command awplus enable awplus configure terminal awplus config spanning tree rstp enable After you enter the command the switch immediately begins to par...

Page 524: ...nning tree max age 10 Table 53 RSTP Switch Parameters To Use This Command Range Specify how long the ports remain in the listening and learning states before they transition to the forwarding state SP...

Page 525: ...The range of the parameter is 0 to 61 440 in increments of 4 096 The priority values can be set only in increments of 4 096 This example assigns the switch the low priority number 4 096 to increase t...

Page 526: ...Spanning Tree Protocols To disable the BPDU guard feature on the switch use the NO SPANNING TREE BPDU GUARD command in the Global Configuration mode Here is the command awplus enable awplus configure...

Page 527: ...Parameters To Use This Command Range Specify port costs SPANNING TREE PATH COST path cost 6 to 40 Assign a priority value to be used as a tie breaker when two or more paths have equal costs to the ro...

Page 528: ...orts This example designates ports 11 to 23 as point to point ports awplus enable awplus configure terminal awplus config interface port1 0 11 port1 0 23 awplus config if spanning tree link type point...

Page 529: ...nfig if spanning tree loop guard A port disabled by this feature remains disabled until it starts to receive BPDU packets again or the switch is reset To disable the loop guard feature use the NO SPAN...

Page 530: ...matically reactivates disabled ports after the specified period of time This example activates the timer and sets it to 1000 seconds awplus enable awplus configure terminal awplus config spanning tree...

Page 531: ...stp enable To view the current status of RSTP refer to Displaying RSTP Settings on page 532 Note Before disabling the spanning tree protocol on the switch display the RSTP states of the ports and disc...

Page 532: ...or RSTP Edge ports BPDU loop guard feature BPDU guard feature Force STP compatible version Port link type point to point or shared ports To view these parameters use the SHOW RUNNING CONFIG command in...

Page 533: ...h NO SPANNING TREE RSTP ENABLE on page 540 Global Configuration Disables RSTP on the switch SHOW SPANNING TREE on page 541 User Exec and Privileged Exec Displays the RSTP settings on the switch SPANNI...

Page 534: ...as the active spanning tree protocol on the switch SPANNING TREE PATH COST on page 551 Port Interface Specifies the costs of the ports to the root bridge SPANNING TREE PORTFAST on page 552 Port Interf...

Page 535: ...meters None Mode Port Interface mode Description Use this command to remove ports as edge ports on the switch Confirmation Command SHOW RUNNING CONFIG on page 132 Example This example removes port 21...

Page 536: ...Use this command to deactivate the timer for the RSTP BPDU guard feature When the timer is deactivated ports that the feature disables because they receive BPDU packets remain disabled until you manu...

Page 537: ...default setting is disabled Note Ports that are disabled by the loop guard feature do not forward traffic again when you disable the feature They only forward traffic if they start to receive BPDUs a...

Page 538: ...s None Mode Port Interface mode Description Use this command to remove ports as edge ports on the switch This command is equivalent to NO SPANNING TREE on page 535 Example This example removes port 21...

Page 539: ...mode Description Use this command to disable the BPDU guard feature on the switch Note Edge ports disabled by the BPDU guard feature remain disabled until you enable them with the management software...

Page 540: ...play the RSTP states of the ports and disconnect the network cables from any ports that are in the discarding state Ports that are in the discarding state begin to forward traffic again when RSTP is d...

Page 541: ...e STP compatible version Port link type point to point or shared ports To view these parameters refer to SHOW RUNNING CONFIG on page 132 Default Bridge up Spanning Tree Enabled Default Bridge Priority...

Page 542: ...Chapter 40 RSTP Commands 542 Section VI Spanning Tree Protocols Example awplus show spanning tree...

Page 543: ...U guard feature The BPDU guard feature prevents unnecessary RSTP domain convergences by disabling edge ports if they receive BPDUs When the timer is activated the switch will automatically reactivate...

Page 544: ...lt is 300 seconds Mode Global Configuration mode Description Use this command to specify the number of seconds that must elapse before the switch automatically enables ports that are disabled by the R...

Page 545: ...he learning state and from the learning state to the forwarding state This parameter is active only if the switch is acting as the root bridge Switches that are not acting as the root bridge use a dyn...

Page 546: ...ion information when it is the root bridge or is trying to become the root bridge The forward time max age and hello time parameters should be set according to the following formulas as specified in I...

Page 547: ...ub with multiple switches connected to it Mode Port Interface mode Description Use this command to designate point to point ports and shared ports Confirmation Command SHOW RUNNING CONFIG on page 132...

Page 548: ...packets the switch automatically disables it A port that has been disabled by the feature remains in that state until it begins to receive BPDU packets again or the switch is reset The default settin...

Page 549: ...switch retains bridge protocol data units BPDUs before it deletes them The forward time maximum age and hello time parameters should be set according to the following formulas as specified in IEEE St...

Page 550: ...rotocol you can enable or disable the spanning tree protocol and set the switch or port parameters RSTP is active on the switch only after you have designated it as the active spanning tree with this...

Page 551: ...ommand to specify the cost of a port to the root bridge This cost is combined with the costs of the other ports in the path to the root bridge to determine the total path cost The lower the numeric va...

Page 552: ...connected to spanning tree devices or to LANs that have spanning tree devices As a consequence edge ports do not receive BPDUs If an edge port starts to receive BPDUs it is no longer considered an edg...

Page 553: ...itch monitors edge ports and disables them if they receive BPDU packets Note To enable an edge port that was disabled by the BPDU guard feature use the NO SHUTDOWN command For instructions refer to NO...

Page 554: ...g tree domain becomes the root bridge If two or more devices have the same priority value the device with the numerically lowest MAC address becomes the root bridge The range is 0 to 61 440 in increme...

Page 555: ...used as a tie breaker when two or more ports have equal costs to the root bridge The range is 0 to 240 in increments of 16 The priority values can be set only in increments of 16 The default is 128 U...

Page 556: ...ion mode Description Use this command to enable the Rapid Spanning Tree Protocol on the switch You cannot enable RSTP until you have activated it with SPANNING TREE MODE RSTP on page 550 Confirmation...

Page 557: ...ration Protocol on page 601 Chapter 44 GARP VLAN Registration Protocol Commands on page 617 Chapter 45 MAC Address based VLANs on page 635 Chapter 46 MAC Address based VLAN Commands on page 651 Chapte...

Page 558: ...558 Section VII Virtual LANs...

Page 559: ...N Overview on page 562 Tagged VLAN Overview on page 568 Creating VLANs on page 572 Adding Untagged Ports to VLANs on page 573 Adding Tagged Ports to VLANs on page 575 Removing Untagged Ports from VLAN...

Page 560: ...VLAN traffic stays within the VLANs The nodes of a VLAN receive traffic only from nodes of the same VLAN This reduces the need for nodes to handle traffic not destined for them and frees up bandwidth...

Page 561: ...ore than one switch This makes it possible to create VLANs of end nodes that are connected to switches located in different physical locations The switch supports the following types of VLANs you can...

Page 562: ...hernet switches Note The switch is preconfigured with one port based VLAN called the Default_VLAN All ports on the switch are members of this VLAN The parts that make up a port based VLAN are VLAN nam...

Page 563: ...e is another type of VLAN where VLAN membership is determined by information within the frames themselves rather than by a port s PVID This type of VLAN is explained in Tagged VLAN Overview on page 56...

Page 564: ...an change its untagged VLAN assignment After the VLAN assignment is made the port s role can be changed back again to authenticator or supplicant if desired You cannot delete the Default VLAN from the...

Page 565: ...have been assigned PVID values A port s PVID is assigned automatically by the switch when you create the VLANs The PVID of a port is the same as the VID in which the port is an untagged member In the...

Page 566: ...n two switches Figure 105 Port based VLAN Example 2 WAN 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26 27 28 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26...

Page 567: ...cted to ports 9 to 13 on the top switch and ports 16 18 to 20 and 22 on the bottom switch Because this VLAN spans multiple switches it needs a direct connection between its various parts to provide a...

Page 568: ...nes the requirements and standards for tagging The device must be able to process the tagged information on received frames and add tagged information to transmitted frames The benefit of a tagged VLA...

Page 569: ...ANs the PVID of a port determines the VLAN where the port is an untagged member Because a tagged port determines VLAN membership by examining the tagged header within the frames that it receives and n...

Page 570: ...mple of a Tagged VLAN WAN 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26 27 28 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26 27 28 Router Sales VLAN VID 2...

Page 571: ...the lower switch These ports have been made tagged members of the Sales and Engineering VLANs so that they can carry traffic from both VLANs simultaneously These ports provide a common connection tha...

Page 572: ...an one switch should be assigned the same VID number on each switch Here is the format of the command vlan vid name name This example creates the Engineering VLAN and assigns it the VID 5 awplus enabl...

Page 573: ...an untagged member of a VLAN Here is the format of the command switchport access vlan vid The VID parameter is the VLAN to which you want to add the untagged port If you don t know the number use the...

Page 574: ...Chapter 41 Port based and Tagged VLANs 574 Section VII Virtual LANs awplus config interface port1 0 11 port1 0 18 awplus config if switchport access vlan 4...

Page 575: ...nd has the format shown here switchport mode trunk ingress filter enable disable For an explanation of the optional INGRESS FILTER parameter refer to SWITCHPORT MODE TRUNK on page 591 Once a port is l...

Page 576: ...hat particular VLAN A port can have only one native VLAN The command for setting the native VLAN of tagged ports is the SWITCHPORT TRUNK NATIVE VLAN command in the Port interface mode Here is the comm...

Page 577: ...o the Default_VLAN You can remove more than one port at a time from a VLAN and the same command can be used to remove untagged ports from different VLANs This example removes untagged port 5 from its...

Page 578: ...LANs from which the port is to be removed This example removes tagged ports 18 and 19 from the VLAN with the VID 7 awplus enable awplus configure terminal awplus config interface port1 0 18 port1 0 19...

Page 579: ...on mode You can delete only one VLAN at a time and you cannot delete the Default_VLAN The untagged ports of deleted VLANs are automatically returned back to the Default_VLAN Here is the format of the...

Page 580: ...le of the information is shown in Figure 107 Figure 107 SHOW VLAN ALL Command The information is described in Table 58 on page 586 VLAN ID Name Type State Member ports u Untagged t Tagged 1 default ST...

Page 581: ...ed ports NO VLAN on page 585 VLAN Configuration Deletes VLANs from the switch SHOW VLAN on page 586 User Exec and Privileged Exec Displays all the VLANs on the switch SWITCHPORT ACCESS VLAN on page 58...

Page 582: ...the Default_VLAN if they are set to the authenticator role for 802 1x port based network access control You must first remove the authenticator role For instructions refer to NO DOT1X PORT CONTROL on...

Page 583: ...o VLANs once the trunk mode has been removed Note You must first remove a port from all tagged VLAN assignments before you can remove its tagged designation For instructions refer to SWITCHPORT TRUNK...

Page 584: ...N for ingress and egress untagged packets A tagged port can have only one native VLAN Note This command will not work if the tagged port is already a tagged member of the Default_VLAN because a port c...

Page 585: ...ed VLAN to the Default_VLAN as untagged ports Static addresses assigned to the ports of a deleted VLAN become obsolete and should be deleted from the MAC address table For instructions refer to NO MAC...

Page 586: ...e 108 Figure 108 SHOW VLAN Command The columns in the table are described here VLAN ID Name Type State Member ports u Untagged t Tagged 1 default STATIC ACTIVE 1 u 20 u 21 u 22 u 23 u 26 u 27 u 28 u 5...

Page 587: ...show vlan State The states of the VLANs A VLAN has an Active state if it has at least one tagged or untagged port and an Inactive state if it does not have any ports Member Ports The untagged u and ta...

Page 588: ...witch automatically removes it from its current untagged VLAN assignment before moving it to its new assignment For example if you add port 4 as an untagged port to a VLAN the switch automatically rem...

Page 589: ...wplus config interface port1 0 5 port1 0 7 awplus config if switchport access vlan 12 This example returns port 15 as an untagged port to the Default_VLAN which has the VID 1 awplus enable awplus conf...

Page 590: ...untagged ports to VLANs The second command is SWITCHPORT ACCESS VLAN on page 588 The access mode is the default setting for all ports on the switch Consequently you only need to perform this command f...

Page 591: ...PORT TRUNK ALLOWED VLAN on page 593 The INGRESS FILTER parameter controls whether the tagged port accepts or rejects tagged packets containing VIDs that do not match any of its tagged VIDs If ingress...

Page 592: ...rtual LANs This example designates port 18 as a tagged port and disables ingress filtering so that it accepts all tagged packets awplus enable awplus configure terminal awplus config interface port1 0...

Page 593: ...d Adds the port as a tagged port to all the VLANs on the switch except for the designated VLAN You can specify more than one VID remove vid Removes the port as a tagged port from the designated VLAN Y...

Page 594: ...nd SHOW VLAN on page 586 Examples of Adding Tagged Ports to VLANs This example designates port 5 as a tagged port and adds it to the VLAN with the VID 22 awplus enable awplus configure terminal awplus...

Page 595: ...Tagged Ports from VLANs This example removes tagged port 17 from the VLAN with the VID 8 awplus enable awplus configure terminal awplus config interface port1 0 17 awplus config if switchport trunk al...

Page 596: ...to designate native VLANs for tagged ports The native VLAN of a tagged port specifies the appropriate VLAN for ingress untagged packets A tagged port can have only one native VLAN and the VLAN must a...

Page 597: ...VII Virtual LANs 597 This example reestablishes the Default_VLAN as the native VLAN for tagged ports 18 and 20 awplus enable awplus configure terminal awplus config interface port1 0 18 port1 0 20 aw...

Page 598: ...uld assign the Sales VLAN on each switch the same VID value name Specifies a name for a new VLAN A name can be from 1 to 20 characters in length The first character must be a letter it cannot be a num...

Page 599: ...nal awplus config vlan database awplus config vlan vlan 5 name Engineering This example creates a new VLAN with the VID 17 and the name Manufacturing awplus enable awplus configure terminal awplus con...

Page 600: ...Chapter 42 Port based and Tagged VLAN Commands 600 Section VII Virtual LANs...

Page 601: ...Intermediate Switches on page 607 Enabling GVRP on the Switch on page 608 Enabling GIP on the Switch on page 609 Enabling GVRP on the Ports on page 610 Setting the GVRP Timers on page 611 Disabling GV...

Page 602: ...t it It then does the following If the PDU contains a VID of a VLAN that does not exist on the switch it creates the designated VLAN and adds the port that received the PDU as a tagged member of the V...

Page 603: ...from port 3 containing all the VIDs of the VLANs on the switch including the new GVRP_VLAN_11 with its VID of 11 Note that port 3 is not yet a member of the VLAN Ports are added to VLANs when they rec...

Page 604: ...he PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN There is now a communications path for the end nodes of the Sales VLAN on switches 1 and 3 GVRP c...

Page 605: ...all dynamic GVRP VLANs and dynamic GVRP port assignments The dynamic assignments are relearned by the switch as PDUs arrive on the ports from other switches GVRP has three timers join timer leave tim...

Page 606: ...ake the port a member of the VLANs giving the intruder access to restricted areas of your network Here are a couple suggestions to protect against this type of network intrusion Activating GVRP only o...

Page 607: ...that it receives from the GVRP active switches GVRP PDUs are management frames intended for the switch s CPU In all likelihood a GVRP inactive switch will discard the PDUs because it will not recogni...

Page 608: ...n the Global Configuration mode It is the GVRP ENABLE command After the command is entered the switch immediately begins to transmit PDUs from those ports where GVRP is enabled and to learn dynamic GV...

Page 609: ...rately from GVRP on the switch GIP must be enabled if the switch is using GVRP The command for activating GIP is the GVRP APPLICANT STATE ACTIVE command in the Global Configuration mode Here is the co...

Page 610: ...Because the default setting for GVRP on the ports is enabled you should only need to use this command if you want to enable GVRP after disabling it on a port This example of the command activates GVR...

Page 611: ...equation Join Timer 2 x Leave Timer The commands for setting the timers are in the Global Configuration mode They are gvrp timer join value gvrp timer leave value gvrp timer leaveall value The timers...

Page 612: ...on the ports use the GVRP REGISTRATION NONE command in the Port Interface mode This example of the command deactivates GVRP on ports 4 and 5 awplus enable awplus configure terminal awplus config inte...

Page 613: ...st be enabled if the switch is using GVRP There is never any reason to disable GIP Even if the switch is not performing GVRP you can still leave GIP enabled The command for disabling GIP is GVRP APPLI...

Page 614: ...o disable GVRP to stop the switch from learning any further dynamic VLANs or GVRP ports use the NO GVRP ENABLE command in the Global Configuration mode Here is the command awplus enable awplus configu...

Page 615: ...g the GVRP Default Settings To disable GVRP and to return the timers to their default settings use the PURGE GVRP command in the Global Configuration mode awplus enable awplus configure terminal awplu...

Page 616: ...the switch and the three timer settings Here is the command awplus show gvrp timer Here is an example of the information the command provides Figure 110 SHOW GVRP TIMER Command For reference informati...

Page 617: ...imer GVRP TIMER LEAVE on page 624 Global Configuration Sets the GARP Leave Timer GVRP TIMER LEAVEALL on page 625 Global Configuration Sets the GARP Leave All timer NO GVRP ENABLE on page 626 Global Co...

Page 618: ...s SHOW GVRP STATISTICS on page 631 User Exec and Privileged Exec Displays GARP packet and message counters SHOW GVRP TIMER on page 633 User Exec and Privileged Exec Displays the GARP time values Table...

Page 619: ...TE ACTIVE Syntax gvrp applicant state active Parameters None Mode Global Configuration mode Description Use this command to enable GIP on the switch GIP must be enabled for GVRP to operate properly Ex...

Page 620: ...yntax gvrp applicant state normal Parameters None Mode Global Configuration mode Description Use this command to disable GIP Note Do not disable GIP if the switch is running GVRP GIP is required for p...

Page 621: ...Section VII Virtual LANs 621 GVRP ENABLE Syntax gvrp enable Parameters None Mode Global Configuration mode Description Use this command to enable GVRP on the switch Example awplus enable awplus confi...

Page 622: ...command to enable or disable GVRP on a port A port where GVRP is enabled transmits GVRP PDUs A port where GVRP is disabled does not send GVRP PDUs Examples This example enables GVRP on ports 5 and 6...

Page 623: ...fault is 20 centiseconds Mode Global Configuration mode Description Use this command to set the GARP Join Timer This timer must be set in relation to the GVRP Leave Timer according to the following eq...

Page 624: ...one hundredths of a second The range is 30 to 180 centiseconds The default is 60 centiseconds Mode Global Configuration mode Description Use this command to set the GARP Leave Timer Note The setting f...

Page 625: ...The range is 500 to 3000 centiseconds The default is 1000 centiseconds Mode Global Configuration mode Description Use this command to set the GARP Leave All timer Note The settings for this timer must...

Page 626: ...s 626 Section VII Virtual LANs NO GVRP ENABLE Syntax no gvrp enable Parameters None Mode Global Configuration mode Description Use this command to disable GVRP on the switch Example awplus enable awpl...

Page 627: ...Ns 627 PURGE GVRP Syntax purge gvrp Parameters None Mode Global Configuration mode Description Use this command to disable GVRP on the switch and to return the timers to their default values Example a...

Page 628: ...s SHOW GVRP APPLICANT Syntax show gvrp applicant Parameter None Modes Privileged Exec mode Description Use this command to display the following parameters for the GIP connected ring for the GARP appl...

Page 629: ...ation Parameters None Modes Privileged Exec mode Description Use this command to display the following parameters for the internal database for the GARP application Each attribute is represented by a...

Page 630: ...rameter None Modes Privileged Exec mode Description Use this command to display the following parameters for the GID state machines for the GARP application The output is shown on a per GID index basi...

Page 631: ...P Packets Receive Discarded GARP Disabled Receive DIscarded Port Not Listening Transmit Discarded Port Not Sending Receive Discarded Invalid Port Receive Discarded Invalid Protocol Receive Discarded I...

Page 632: ...egistration Protocol Commands 632 Section VII Virtual LANs Receive GARP Messages Empty Transmit GARP Messages Empty Receive GARP Messages Bad Message Receive GARP Messages Bad Attribute Example awplus...

Page 633: ...er Parameter None Modes Privileged Exec mode Description Use this command to display the current values for the following GARP application parameters GARP application protocol GVRP status GVRP GIP sta...

Page 634: ...Chapter 44 GARP VLAN Registration Protocol Commands 634 Section VII Virtual LANs...

Page 635: ...lines on page 641 General Steps on page 642 Creating MAC Address based VLANs on page 643 Adding MAC Addresses to VLANs and Designating Egress Ports on page 644 Removing MAC Addresses on page 645 Delet...

Page 636: ...with the same resources regardless of the points at which they access the network If you employed port based or tagged VLANs for roaming users you might have to constantly reconfigure the VLANs moving...

Page 637: ...ress based VLANs relieves you from having to map each address to its corresponding egress port Instead you only need to be sure that all the egress ports in a MAC address based VLAN are assigned to at...

Page 638: ...he VLANs will be flooded out port 4 This means that whatever device is connected to the port receives the flooded traffic form all three VLANs If security is a major concern for your network you might...

Page 639: ...addresses Figure 111 illustrates an example of a MAC address based VLAN that spans two AT 9000 28SP Switches The VLAN consists of three nodes on each switch Table 62 on page 640 lists the details of...

Page 640: ...e device If there is a match the switch considers the packet as a member of the corresponding MAC address based VLAN and not the port based VLAN and forwards it out the egress ports defined for the co...

Page 641: ...ss based VLAN and an untagged member of a port based VLAN Given that there is no way for the switch to determine the VLAN to which the broadcast packet belongs it floods the packet on all ports of all...

Page 642: ...AN Configuration mode to assign a name and a VID to the new VLAN and to designate the VLAN as a MAC address based VLAN 2 Use the VLAN SET MACADDRESS command in the Global Configuration mode to assign...

Page 643: ...094 The VID of the VLAN must be unique from all other VLANs on the switch The name of a VLAN can be up to 20 characters It cannot contain any spaces and the first character must be a letter not a numb...

Page 644: ...ddress based VLAN to which the address is to be added and the MAC ADDRESS parameter is the address which has to be entered in this format xx xx xx xx xx xx The MACADDRESS and DESTADDRESS keywords are...

Page 645: ...awplus config interface port1 0 6 port1 0 8 awplus config if no vlan 23 macaddress 11 8a 92 ce 76 28 Before MAC addresses can be completely removed from this type of VLAN you must first remove them f...

Page 646: ...VLANs from the switch use the NO VLAN command in the VLAN Configuration mode You can delete only one VLAN at a time Here is the format of the command no vlan vid This example deletes the VLAN with th...

Page 647: ...re described in Table 64 on page 656 VLAN 5 MAC Associations Total number of associated MAC addresses 5 MAC Address Ports 5A 9E 84 31 23 85 port1 0 13 port1 0 18 1A 87 9B 52 36 D5 port1 0 18 26 72 9A...

Page 648: ...vlan vlan 21 name Sales type macaddress Use the VLAN MACADDRESS to assign the name Sales and the VID 21 to the new VLAN and to designate it as a MAC address based VLAN awplus config vlan exit Return t...

Page 649: ...84 22 67 17 awplus config if vlan set 21 macaddress 00 30 84 78 75 1c awplus config if vlan set 21 macaddress 00 30 79 7a 11 10 awplus config if vlan set 21 macaddress 00 30 42 53 10 3a awplus config...

Page 650: ...ACADDRESS command in the Port Interface mode to assign the ports one MAC address awplus config if end Return to the Privileged Exec mode awplus show vlan macaddress Confirm the configuration with the...

Page 651: ...tion Removes MAC addresses from VLANs NO VLAN MACADDRESS Port Interface Mode on page 654 Port Interface Removes MAC addresses from egress ports SHOW VLAN MACADDRESS on page 655 Privileged Exec Display...

Page 652: ...ID Mode VLAN Configuration mode Description Use this command to delete MAC address based VLANs from the switch You can delete only one VLAN at a time with this command Confirmation Command SHOW VLAN M...

Page 653: ...figuration mode Description Use this command to remove MAC addresses from MAC address based VLANs You can remove only one address at a time with this command The command does not accept ranges or wild...

Page 654: ...n Use this command to remove MAC addresses from egress ports in MAC address based VLANs Confirmation Command SHOW VLAN MACADDRESS on page 655 Examples This example removes the MAC address 00 30 84 32...

Page 655: ...Figure 113 SHOW VLAN MACADDRESS Command VLAN 11 MAC Associations Total number of associated MAC addresses 5 MAC Address Ports 5A 9E 84 31 23 85 port1 0 4 port1 0 8 1A 87 9B 52 36 D5 port1 0 4 26 72 9...

Page 656: ...vlan macaddress Table 64 SHOW VLAN MACADDRESS Command Parameter Description VLAN VID MAC Associations The VID of the MAC address based VLAN Total Number of Associate MAC Addresses Total number of MAC...

Page 657: ...first character of the name must be a letter it cannot be a number VLANs will be easier to identify if their names reflect the functions of their subnetworks or workgroups for example Sales or Accoun...

Page 658: ...658 Section VII Virtual LANs Example This example creates a MAC address based VLAN that has the name Sales and the VID 3 awplus enable awplus configure terminal awplus config vlan database awplus con...

Page 659: ...escription Use this command to add MAC addresses to MAC address based VLANs You can add only one address at a time with this command You cannot use ranges or wildcards The specified VLAN must already...

Page 660: ...AN Commands 660 Section VII Virtual LANs This example adds the MAC address 00 30 84 32 76 1A to a MAC address based VLAN with the VID 12 awplus enable awplus configure terminal awplus config vlan set...

Page 661: ...d to assign MAC addresses to egress ports for MAC address based VLANs The specified MAC address must already be assigned to the VLAN For instructions refer to VLAN SET MACADDRESS Global Configuration...

Page 662: ...Chapter 46 MAC Address based VLAN Commands 662 Section VII Virtual LANs awplus config interface port1 0 1 port1 0 4 awplus config if vlan set 24 macaddress 00 30 84 75 11 b2...

Page 663: ...ANs This chapter provides the following topics Overview on page 664 Guidelines on page 665 Creating Private VLANs on page 666 Adding Host and Uplink Ports on page 667 Deleting VLANs on page 668 Displa...

Page 664: ...of one or more host ports and an uplink port Host Ports The host ports of a private port VLAN can only forward traffic to and receive traffic from an uplink port and are prohibited from forwarding tr...

Page 665: ...The host and uplink ports of private port VLANs are untagged ports and as such transmit only untagged traffic The switch can support private port based tagged and MAC address based VLANs at the same...

Page 666: ...number has the range of 2 to 4094 The VID of a private port VLAN must be unique from all other VLANs on the switch You cannot assign names to private port VLANs This example assigns the VID 26 to a ne...

Page 667: ...the switch Private VLANs are created with the PRIVATE VLAN command explained in Creating Private VLANs on page 666 This example of the command adds ports 2 to 7 as host ports of a private port VLAN t...

Page 668: ...rt VLANs are automatically returned by the switch to the Default_VLAN Here is the format of the command no vlan vid The VID parameter is the VID of the private port VLAN you want to delete The command...

Page 669: ...TE VLAN command in the Privileged Exec mode displays the private port VLANs currently existing on the switch along with their host and uplink ports Here is the command awplus show vlan private vlan He...

Page 670: ...Chapter 47 Private Port VLANs 670 Section VII Virtual LANs...

Page 671: ...letes VLANs from the switch PRIVATE VLAN on page 673 VLAN Configuration Creates private port VLANs SHOW VLAN PRIVATE VLAN on page 674 Privileged Exec Displays the private port VLANs on the switch SWIT...

Page 672: ...st one VID Mode VLAN Configuration mode Description Use this command to delete private port VLANs from the switch You can delete one VLAN at a time with this command Confirmation Command SHOW VLAN PRI...

Page 673: ...ode VLAN Configuration mode Description Use this command to create new private port VLANs You can create just one VLAN at a time Refer to SWITCHPORT MODE PRIVATE VLAN HOST on page 675 to add host port...

Page 674: ...how vlan private vlan Parameters None Mode Privileged Exec mode Description Use this command to display the private port VLANs on the switch Here is an example of the information Figure 115 SHOW VLAN...

Page 675: ...Mode Port Interface mode Description Use this command to add host ports to private port VLANs Devices connected to host ports in a private port VLAN can only communicate with the uplink port Confirmat...

Page 676: ...uplink port Mode Port Interface mode Description Use this command to add an uplink port to a private port VLAN A private port VLAN can have only one uplink port Confirmation Command SHOW VLAN PRIVATE...

Page 677: ...8 Port Interface Removes ports from voice VLANs SWITCHPORT VOICE DSCP on page 679 Port Interface Assigns an DSCP value to a port in a VLAN that carries voice traffic SWITCHPORT VOICE VLAN on page 680...

Page 678: ...mmand to remove a port from a voice VLAN A port retains the CoS priority and DSCP values that were assigned to it as a voice VLAN member Confirmation Command SHOW VLAN on page 586 Example This example...

Page 679: ...rt can have only one DSCP value A port however can have both voice VLAN DSCP and CoS values Use the NO form of this command to remove a DSCP value from a port without replacing it with a new value Con...

Page 680: ...in turn sends its packets using this VLAN ID A port can be a member of just one voice VLAN at a time A port that is already a member of a voice VLAN is removed from its current assignment before it i...

Page 681: ...uide Section VII Virtual LANs 681 Example This example adds ports 5 to 16 to a voice VLAN that has the VID 12 awplus enable awplus configure terminal awplus config interface port1 0 5 port1 0 16 awplu...

Page 682: ...this CoS value A port can have only one CoS value A port however can have both voice VLAN CoS and DSCP values Use the NO form of this command to remove a CoS value from a port without replacing it wi...

Page 683: ...683 Chapter 50 VLAN Stacking This chapter provides the following topics Overview on page 684 Components on page 686 VLAN Stacking Process on page 687 Example of VLAN Stacking on page 688...

Page 684: ...ative headers is that different customers are likely to use the same VIDs in their networks And requiring that customers reconfigure their VLANs by assigning unique VIDs not used by other customers is...

Page 685: ...eted at the point the packets leave the metro network and reenter the customer networks Figure 117 Metro Provider 802 1Q Header in Untagged Packets Note To maintain the best performance of a network i...

Page 686: ...ot handle tagged packets But with VLAN stacking customer ports may handle tagged or untagged packets The extra 802 1Q headers are added to or deleted from the packets at the customer ports The action...

Page 687: ...etwork is received by the customer port on switch A 2 The customer port adds the new 802 1Q header giving it the same VID number as the VLAN in which the customer port is a member 3 The modified packe...

Page 688: ...er the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus config vlan database Enter the VLAN Configuration mode awplus config...

Page 689: ...t access vlan 79 Add the ports as untagged ports to the VLAN with the SWITCHPORT ACCESS VLAN command awplus config if switchport vlan stacking customer edge port Use the SWITCHPORT VLAN STACKING comma...

Page 690: ...awplus show vlan Use the SHOW VLAN command again to confirm the configuration of the ABC_Inc VLAN TPID INTERFACES c Customer Edge Port p Provider Port 0x8100 port1 0 5 c 0x8100 port1 0 6 c 0x8100 port...

Page 691: ...value to 0x8100 with the PLATFORM VLAN STACKING TPID command awplus exit Return to the Privileged Exec mode awplus show vlan vlan stacking Use the SHOW VLAN VLAN STACKING command to confirm the change...

Page 692: ...Chapter 50 VLAN Stacking 692 Section VII Virtual LANs...

Page 693: ...Interface Removes ports from VLAN stacking PLATFORMVLAN STACKING TPID on page 695 Global Configuration Specifies the Tag Protocol Identifier TPID value SHOW VLAN VLAN STACKING on page 696 Privileged E...

Page 694: ...rt Interface mode Description Use this command to remove ports from VLAN stacking Confirmation Command SHOW VLAN VLAN STACKING on page 696 Example This example removes ports 3 to 16 and 21 from VLAN s...

Page 695: ...t one TPID value The value must be entered in hexadecimal format Mode Global Configuration mode Description Use this command to specify the Tag Protocol Identifier TPID value that applies to all frame...

Page 696: ...to display the port assignments of VLAN stacking Here is an example of the information Figure 119 SHOW VLAN VLAN STACKING Command Example awplus enable awplus show vlan vlan stacking TPID INTERFACES c...

Page 697: ...r edge port or provider port This is sometimes referred to as VLAN double tagging nested VLANs or QinQ Confirmation Command SHOW VLAN VLAN STACKING on page 696 Examples awplus enable awplus configure...

Page 698: ...Chapter 51 VLAN Stacking Commands 698 Section VII Virtual LANs...

Page 699: ...chapters Chapter 52 MAC Address based Port Security on page 701 Chapter 53 MAC Address based Port Security Commands on page 709 Chapter 54 802 1x Port based Network Access Control on page 721 Chapter...

Page 700: ...700 Section VIII Port Security...

Page 701: ...This chapter contains the following topics Overview on page 702 Configuring Ports on page 704 Enabling MAC Address based Security on Ports on page 706 Disabling MAC Address based Security on Ports on...

Page 702: ...as dynamic addresses can learn new addresses when addresses are timed out from the table by the switch The addresses are aged out according to the aging time of the MAC address table Note For backgrou...

Page 703: ...security and 802 1x port based access control on the same port To configure a port as an Authenticator or Supplicant in 802 1x port based access control you must remove MAC address based port securit...

Page 704: ...the MAC address table The intrusion action is set to protect so that the ports discard packets with unknown MAC addresses after they ve learned the maximum number of addresses but the switch doesn t s...

Page 705: ...ecurity aging awplus config if switchport port security violation restrict This example configures ports 8 and 20 to learn up to five MAC addresses each The addresses are stored as static addresses in...

Page 706: ...u are ready to activate the feature on the ports This is accomplished with the SWITCHPORT PORT SECURITY command in the Port Interface mode This example of the command activates port security on ports...

Page 707: ...s use the NO SWITCHPORT PORT SECURITY command in the Port Interface mode This example of the command removes port security from port 23 awplus enable awplus configure terminal awplus config interface...

Page 708: ...E Command The fields are defined in Table 71 on page 712 If you are interested in viewing just the number of packets the ports have discarded because they had invalid source MAC addresses you can use...

Page 709: ...page 712 Privileged Exec Displays the security mode settings of the ports SHOW PORT SECURITY INTRUSION INTERFACE on page 715 Privileged Exec Displays the number of packets the ports have discarded SW...

Page 710: ...nd to remove MAC address based security from the ports Note To activate ports that were disabled by the shutdown intrusion action refer to NO SHUTDOWN on page 181 Confirmation Command SHOW PORT SECURI...

Page 711: ...atic addresses are never deleted from the table ports that learn their maximum numbers of source MAC addresses cannot learn new addresses even when the source nodes of the learned addresses are inacti...

Page 712: ...ORT SECURITY INTERFACE Command The fields are described in Table 71 Port Security Configuration Port1 0 15 Security Enabled YES Port Status ENABLED Violation Mode PROTECT Aging NO Maximum MAC Addresse...

Page 713: ...ns are Protect Protect intrusion action Restrict Restrict intrusion action Disable Shutdown intrusion action Aging The status of MAC address aging on the port If the aging status is No the MAC address...

Page 714: ...arned on the port Lock Status Whether or not the port has learned its maximum number of MAC addresses The port will have a Locked status if it has learned its maximum number of MAC addresses and an Un...

Page 715: ...discard because the packets had unknown source MAC addresses The ports begin to discard packets after learning their maximum number of source MAC addresses This information is also available with SHOW...

Page 716: ...ace mode Description Use this command to activate MAC address based security on ports Confirmation Command SHOW PORT SECURITY INTERFACE on page 712 Example This example activates MAC address based sec...

Page 717: ...as dynamic MAC address in the MAC address table Ports that learn their maximum numbers of addresses can learn new addresses as inactive addresses are deleted from the table Confirmation Command SHOW P...

Page 718: ...specify the maximum number of dynamic MAC addresses that ports can learn Ports that learn their maximum numbers of MAC addresses discard ingress packets with unknown MAC addresses Use the no form of t...

Page 719: ...ingress frames that have unknown source MAC addresses The no form of this command NO SWITCHPORT PORT SECURITY VIOLATION returns the value to protect which is the default setting Confirmation Command S...

Page 720: ...curity violation restrict This example sets the intrusion action on port 2 to shutdown The switch disables the port and sends an SNMP trap if the port learns its maximum number of MAC addresses and th...

Page 721: ...page 727 Supplicant and VLAN Associations on page 731 Guest VLAN on page 734 RADIUS Accounting on page 735 General Steps on page 736 Guidelines on page 737 Enabling 802 1x Port Based Network Access Co...

Page 722: ...87 then you know that you can also use the RADIUS client software on the switch along with a RADIUS server on your network to create new remote manager accounts Note RADIUS with Extensible Authenticat...

Page 723: ...ith an EAPOL Start packet to which the authenticator responds with a EAP Request Identity packet The supplicant responds with an EAP Response Identity packet to the authentication server via the authe...

Page 724: ...nnot authenticate itself and must communicate with the switch through a port that is set to the none role Authenticator Role The authenticator role activates port access control on a port Ports in thi...

Page 725: ...ts who have been assigned valid combinations Another advantage is that the authentication is not tied to any specific computer or node An end user can log on from any system and still be verified by t...

Page 726: ...places the port in the authorized state without any authentication exchange required The port transmits and receives normal traffic without authenticating the client Note A supplicant connected to an...

Page 727: ...his mode permits multiple clients on an authenticator port An authenticator mode forwards packets from all clients once one client has successfully logged on This mode is typically used in situations...

Page 728: ...method one client must have 802 1x client firmware and must provide a username and password during authentication The other clients do not need 802 1x client firmware to forward traffic through the p...

Page 729: ...provide each client with a separate username and password combination and the clients must provide their combinations to forward traffic through a switch port If the authentication method is MAC addr...

Page 730: ...tiple Supplicant Mode AT 9000 28 Gigabit Ethernet Switch with 4 Combo SFP Ports PWR SYS MODE SELECT COL SPD DUP ACT RS 232 CONSOLE 1451 RADIUS Authentication Server Port 6 Role Authenticator Operating...

Page 731: ...ce requirements and security levels The problem with a port based VLAN is that VLAN membership is determined by the port on the switch to which the device is connected If a different device that needs...

Page 732: ...DIUS server for example the VID of a nonexistent VLAN it leaves the port in the unauthorized state to deny access to the port Multiple Supplicant Mode The initial authentication on an authenticator po...

Page 733: ...Tunnel Medium Type The transport medium to be used for the tunnel specified by Tunnel Private Group Id The only supported value is 802 6 Tunnel Private Group ID The ID of the tunnel the authenticated...

Page 734: ...he port is not required to log on and has full access to the resources of the Guest VLAN If the switch receives 802 1x packets on the port signalling that a supplicant is logging on it moves the port...

Page 735: ...The event information the switch sends to the RADIUS server includes The port number where an event occurred The date and time when an event occurred The number of packets transmitted and received by...

Page 736: ...alphanumeric characters and spaces An account for a supplicant connected to an authenticator port set to the MAC address based authentication mode must use the MAC address of the node as both the use...

Page 737: ...set to the multiple supplicant mode is 320 An authenticator port stops accepting new clients after the maximum number is reached The maximum number of authenticated clients on the entire switch is 0 N...

Page 738: ...1 and 2 If only server 3 responds then all future requests go to all three servers You cannot change the untagged VLAN assignment of a port after it has been designated as an authenticator port To cha...

Page 739: ...r the AAA AUTHENTICATION DOT1X DEFAUT GROUP RADIUS command The command has no parameters Here is the command awplus enable awplus configure terminal awplus config aaa authentication dot1x default grou...

Page 740: ...ve network interrupts network operations because the designated ports stop forwarding traffic until the clients log on If your switch is part of an active network the DOT1X PORT CONTROL FORCE UNAUTHOR...

Page 741: ...connected to a single node Multiple host mode For authenticator ports that are connected to multiple nodes The ports forward all traffic after just one supplicant successfully logs on Multiple suppli...

Page 742: ...example configures ports 16 to 19 to use the MAC address authentication method and the multiple supplicant mode so that the nodes are authenticated individually awplus enable awplus configure termina...

Page 743: ...22 so that the clients must reauthenticate every 12 hours 43200 seconds awplus enable awplus configure terminal awplus config interface port1 0 21 port1 0 22 awplus config if dot1x port control auto...

Page 744: ...ator role so that they forward traffic without authenticating clients go to the Port Interface mode of the ports and enter the NO DOT1X PORT CONTROL command This example removes the authenticator role...

Page 745: ...orward packets without authentication go to the Global Configuration mode and enter the NO AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS command Here is the command awplus enable awplus configure term...

Page 746: ...thenticator settings for port 2 awplus show dot1x interface port1 0 2 Here is an example of what you will see Figure 127 SHOW DOT1X INTERFACE Command Authentication Info for interface port1 0 2 portEn...

Page 747: ...d display the same information Here is an example of the information Figure 128 SHOW DOT1X STATISTICS INTERFACE Command Authentication Statistics for interface port1 0 2 EAPOL Frames Rx 0 EAPOL Frames...

Page 748: ...Chapter 54 802 1x Port based Network Access Control 748 Section VIII Port Security...

Page 749: ...ace Sets the operating modes on authenticator ports AUTH REAUTHENTICATION on page 758 Port Interface Activates reauthentication on the authenticator ports AUTH TIMEOUT QUIET PERIOD on page 759 Port In...

Page 750: ...771 Port Interface Sets ports to the authenticator role DOT1X PORT CONTROL FORCE AUTHORIZED on page 772 Port Interface Configures ports to the 802 1X port based authenticator role in the forced autho...

Page 751: ...CANT INTERFACE on page 784 Privileged Exec Displays the number and types of supplicants on authenticator ports SHOW DOT1X on page 785 Privileged Exec Displays whether 802 1 port based network access c...

Page 752: ...etwork access control on the switch The default setting for this feature is disabled Note You should activate and configure the RADIUS client software on the switch before activating port based access...

Page 753: ...AN Associations on page 731 Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE on page 786 Examples This example activates dynamic VLAN assignment on authenticator port 1...

Page 754: ...t based Network Access Control Commands 754 Section VIII Port Security their VLAN assignments awplus enable awplus configure terminal awplus config interface port1 0 4 awplus config if auth dynamic vl...

Page 755: ...a guest VLAN until a supplicant successfully logs on at which point it is moved to the VLAN specified in a supplicant s account on the RADIUS server A port must already be designated as an authentica...

Page 756: ...nt logs on This is referred to as piggy backing multi supplicant Specifies the multiple supplicant operating mode An authenticator port set to this mode requires that all clients log on Mode Port Inte...

Page 757: ...ogs on awplus enable awplus configure terminal awplus config interface port1 0 8 awplus config if auth host mode multi host This example configures authenticator ports 12 and 13 to the multiple suppli...

Page 758: ...on on the authenticator ports The clients must periodically reauthenticate according to the time interval set with AUTH TIMEOUT REAUTH PERIOD on page 760 Confirmation Command SHOW AUTH MAC INTERFACE o...

Page 759: ...he default value is 60 seconds Mode Port Interface mode Description Use this command to set the number of seconds that an authenticator port waits after a failed authentication with a client before ac...

Page 760: ...ify the time interval for reauthentication of clients on an authenticator port Reauthentication must be enabled on a authenticator port for the timer to work Reauthentication on a port is activated wi...

Page 761: ...o 600 seconds The default value is 30 seconds Mode Port Interface mode Description Use this command to set the amount of time the switch waits for a response from a RADIUS authentication server Confir...

Page 762: ...value is 30 seconds Mode Port Interface mode Description Use this command to set the retransmission time for EAP request frames from authenticator ports Confirmation Command SHOW AUTH MAC INTERFACE on...

Page 763: ...itial frames from a supplicant and automatically sends it as the supplicant s username and password to the authentication server This authentication method does not require 802 1x client software on s...

Page 764: ...n Use this command to force ports that are using MAC address authentication into the unauthorized state You might use this command to reauthenticate the nodes on authenticator ports Example This examp...

Page 765: ...in the unauthorized state Generally authenticator ports that are in the unauthorized state discard all ingress and egress traffic until a client logs on There are however two exceptions one of which...

Page 766: ...broadcast or multicast packets until at least one client has logged on Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE on page 786 Examples This example configures au...

Page 767: ...tagged and untagged ports in the same VLAN as the ingress port Mode Global Configuration mode Description Use this command to control the action of the switch to EAP packets when 802 1x authentication...

Page 768: ...ntrol Commands 768 Section VIII Port Security This example configures the switch to forward EAP packets only to untagged ports in the VLANs of the ingress ports awplus enable awplus configure terminal...

Page 769: ...iption Use this command to force authenticator ports into the unauthorized state You might use this command to force supplicants on authenticator ports to reauthenticate themselves again by logging in...

Page 770: ...0 retransmissions The default value is 2 Mode Port Interface mode Description Use this command to specify the maximum number of times the switch transmits EAP Request packets to a client before it tim...

Page 771: ...the unauthorized state forwarding only EAPOL frames until a client has successfully logged on For background information refer to Operational Settings for Authenticator Ports on page 726 Confirmation...

Page 772: ...the authorized state without any authentication exchanges required The ports transmit and receive traffic normally without 802 1X based authentication of the clients For background information refer...

Page 773: ...role the switch blocks all authentication on the ports which means that no clients can log on and forward packets through them For background information refer to Operational Settings for Authenticato...

Page 774: ...1 to 65 535 seconds Mode Port Interface mode Description Use this command to set the amount of time that an authenticator port on the switch waits for a reply from a client to an EAP request identity...

Page 775: ...ers None Mode Global Configuration mode Description Use this command to disable 802 1x port based network access control on the switch All authenticator ports forward packets without any authenticatio...

Page 776: ...disable dynamic VLAN assignments of authentication ports For background information refer to Supplicant and VLAN Associations on page 731 Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SH...

Page 777: ...ption Use this command to remove the VID of a guest VLAN from an authenticator port Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE on page 786 Example This example re...

Page 778: ...t have to periodically reauthenticate after the initial authentication Reauthentication is still required if there is a change to the status of the link between a client and the switch or the switch i...

Page 779: ...authenticator ports but authentication is based on the usernames and passwords provided by the supplicants and not on the MAC addresses of the nodes To completely remove authentication from ports ref...

Page 780: ...ption Use this command to remove ports from the authenticator role so that they forward traffic without authentication Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE...

Page 781: ...T1X INTERFACE Command on page 786 An example is shown in Figure 129 Figure 129 SHOW AUTH MAC INTERFACE Command Example awplus show auth mac interface port1 0 1 port1 0 4 Authentication Info for interf...

Page 782: ...nd to display session status information of authenticator ports This command is equivalent to SHOW DOT1X SESSIONSTATISTICS INTERFACE Command on page 787 An example is shown in Figure 130 Figure 130 SH...

Page 783: ...t to SHOW DOT1X STATISTICS INTERFACE Command on page 788 An example is shown in Figure 131 Figure 131 SHOW AUTH MAC STATISTICS INTERFACE Command Example awplus show auth mac statistics interface port1...

Page 784: ...upplicants on authenticator ports This command is equivalent to SHOW DOT1X SUPPLICANT INTERFACE Command on page 789 An example is shown in Figure 132 Figure 132 SHOW AUTH MAC SUPPLICANT INTERFACE Comm...

Page 785: ...work access control is enabled or disabled on the switch and the IP address of the RADIUS server Only the first IP address in the server table on the switch is displayed To view all the server IP addr...

Page 786: ...nt to SHOW AUTH MAC INTERFACE on page 781 An example is shown in Figure 134 Figure 134 SHOW DOT1X INTERFACE Command Example awplus show dot1x interface port1 0 1 port1 0 4 Authentication Info for inte...

Page 787: ...isplay session status information of authenticator ports This command is equivalent to SHOW AUTH MAC SESSIONSTATISTICS INTERFACE on page 782 An example is shown in Figure 135 Figure 135 SHOW DOT1X SES...

Page 788: ...is equivalent to SHOW AUTH MAC STATISTICS INTERFACE on page 783 An example is shown in Figure 136 Figure 136 SHOW DOT1X STATISTICS INTERFACE Command Example awplus show dot1x statistics interface por...

Page 789: ...ommand is equivalent to SHOW AUTH MAC SUPPLICANT INTERFACE Command on page 784 An example is shown in Figure 137 Figure 137 SHOW DOT1X SUPPLICANT INTERFACE Command The BRIEF parameter displays an abbr...

Page 790: ...Chapter 55 802 1x Port based Network Access Control Commands 790 Section VIII Port Security...

Page 791: ...Simple Network Management Protocols This section contains the following chapters Chapter 56 SNMPv1 and SNMPv2c on page 793 Chapter 57 SNMPv1 and SNMPv2c Commands on page 805 Chapter 58 SNMPv3 Command...

Page 792: ...792 Section IX Simple Network Management Protocols...

Page 793: ...on page 794 Enabling SNMPv1 and SNMPv2c on page 796 Creating Community Strings on page 797 Adding or Removing IP Addresses of Trap or Inform Receivers on page 798 Deleting Community Strings on page 8...

Page 794: ...available from the Allied Telesis web site at www alliedtelesis com A community string must be assigned an access level The levels are Read and Read Write A community string that has an access level o...

Page 795: ...nd the messages The format can be either SNMPv1 or SNMPv2c For inform messages the format is always SNMPv2c For instructions refer to Adding or Removing IP Addresses of Trap or Inform Receivers on pag...

Page 796: ...mode The command has no parameters The switch begins to send trap and inform messages to the receivers and permits remote management from SNMP workstations as soon as you enter the command This assume...

Page 797: ...mmand The COMMUNITY parameter is the name of the new string It can be up to 15 alphanumeric characters and is case sensitive Spaces are not allowed The RW and RO options define the access levels of ne...

Page 798: ...he format of the trap messages The switch can send trap messages in either SNMPv1 or SNMPv2c format Inform messages can only be sent in SNMPv2c format Note SNMP must be activated on the switch for you...

Page 799: ...2c format awplus enable awplus configure terminal awplus config snmp server host 143 154 76 17 informs version 2c st_bldg2 To remove IP addresses of trap or inform receivers from community strings use...

Page 800: ...mand Here is the format no snmp server community community You can delete only one community string at a time with the command which is found in the Global Configuration mode The COMMUNITY parameter i...

Page 801: ...isable SNMP on the switch use the NO SNMP SERVER command You cannot remotely manage the switch with an SNMP application when SNMP is disabled Furthermore the switch stops transmitting trap and inform...

Page 802: ...VER COMMUNITY Command The information that the command provides for each community string includes the community name and the access level of read write or read only There is also a view field which f...

Page 803: ...on the command shows you Figure 140 SHOW RUNNING CONFIG SNMP Command snmp server no snmp server enable trap auth snmp server community sw12eng1 rw snmp server community sw12eng1limit rw snmp server co...

Page 804: ...Chapter 56 SNMPv1 and SNMPv2c 804 Section X Simple Network Management Protocols...

Page 805: ...uthentication traps NO SNMP SERVER HOST on page 811 Global Configuration Removes the IP addresses of trap and inform receivers from the community strings NO SNMP SERVER VIEW on page 813 Global Configu...

Page 806: ...hentication traps which are activated separately SNMP SERVER ENABLE TRAP AUTH on page 823 Global Configuration Activates the transmission of SNMP authentication traps SNMP SERVER HOST on page 824 Glob...

Page 807: ...figuration mode Description Use this command to disable SNMPv1 SNMPv2c and SNMPv3 on the switch The switch does not permit remote management from SNMP applications when SNMP is disabled It also does s...

Page 808: ...SNMPv2c community strings from the switch Deleting community strings with this command also deletes any IP addresses of SNMP trap or inform receivers assigned to the community strings You can delete o...

Page 809: ...ap Parameters None Mode Global Configuration mode Description Use this command to disable the transmission of all SNMP traps except for link status and authentication traps which are disabled separate...

Page 810: ...P AUTH Syntax no snmp server enable trap auth Parameters None Mode Global Configuration mode Description Use this command to disable the transmission of SNMP traps Confirmation Command SHOW RUNNING CO...

Page 811: ...he IP address of an inform message receiver community_string Specifies the SNMP community string to which the IP address of the trap or inform receiver is assigned This parameter is case sensitive Mod...

Page 812: ...102 of a trap receiver from the community string station12a awplus enable awplus configure terminal awplus config no snmp server host 115 124 187 4 traps version 2c station12a This example removes th...

Page 813: ...case sensitive oid Specifies the OID of the view Mode Global Configuration mode Description Use this command to delete SNMP views You can delete just one view at a time with this command Confirmation...

Page 814: ...to disable the transmission of SNMP link status notifications traps when ports establish links linkUp or lose links linkDown to network devices Confirmation Command SHOW INTERFACE on page 190 Example...

Page 815: ...hown in Figure 142 Figure 141 SHOW RUNNING CONFIG SNMP Command Example awplus show running config snmp snmp server no snmp server enable trap auth snmp server community sw12eng1 rw snmp server communi...

Page 816: ...displays whether SNMP is enabled or disabled on the switch You can remotely manage the switch with SNMPv1 or v2c when the server is enabled Remote management is not possible when the server is disable...

Page 817: ...e described in Table 75 SNMP community information Community Name private Access Read Write View None Community Name public Access Read only View None Table 75 SHOW SNMP SERVER COMMUNITY Command Param...

Page 818: ...Chapter 57 SNMPv1 and SNMPv2c Commands 818 Section IX Simple Network Management Protocols Example awplus show snmp server community...

Page 819: ...ch Here is an example of the display Figure 144 SHOW SNMP SERVER VIEW Command The fields in the entries are described in Table 76 Example awplus show snmp server view SNMP View information View Name s...

Page 820: ...ion mode Description Use this command to activate SNMPv1 SNMPv2c and SNMPv3 on the switch The switch permits remote management from SNMP applications when SNMP is enabled The switch also sends SNMP me...

Page 821: ...rw ro Specifies the access level of a new community string of read write RW or read only RO Mode Global Configuration mode Description Use this command to create new SNMPv1 and SNMPv2c community stri...

Page 822: ...Parameters None Mode Global Configuration mode Description Use this command to activate the transmission of all SNMP traps except for link status and authentication traps which are activated separatel...

Page 823: ...Syntax snmp server enable trap auth Parameters None Mode Global Configuration mode Description Use this command to activate the transmission of SNMP authentication failure traps Confirmation Command S...

Page 824: ...ommunity Specifies an SNMP community string This parameter is case sensitive Mode Global Configuration mode Description Use this command to specify IP addresses of network devices to receive trap and...

Page 825: ...ing tlpaac78 The traps are sent in the SNMPv1 format awplus enable awplus configure terminal awplus config snmp server host 152 34 32 18 traps version 1 tlpaac78 This example assigns the IPv6 address...

Page 826: ...rmits access to the part of the MIB tree specified by the OID Mode Global Configuration mode Description Use this command to create SNMPv1 and SNMPv2c views on the switch Views are used to restrict th...

Page 827: ...his example creates the new view AlliedTelesis that limits the available MIB objects to those in the OID 1 3 6 1 4 1 207 awplus enable awplus configure terminal awplus config snmp server view AlliedTe...

Page 828: ...to transmit link status notifications traps when ports establish links linkUp or lose links linkDown to network devices Confirmation Command SHOW INTERFACE on page 190 Example This example configures...

Page 829: ...age 835 Global Configuration Deletes SNMPv3 users from the switch NO SNMP SERVER VIEW on page 836 Global Configuration Deletes SNMPv3 views from the switch SHOW SNMP SERVER on page 837 Privileged Exec...

Page 830: ...Configuration Creates SNMPv3 groups SNMP SERVER HOST on page 846 Global Configuration Creates SNMPv3 host entries SNMP SERVER USER on page 847 Global Configuration Creates SNMPv3 users SNMP SERVER VIE...

Page 831: ...onfiguration mode Description Use this command to disable SNMPv1 v2c and v3 on the switch The switch does not permit remote management from SNMP applications when SNMP is disabled It also does not sen...

Page 832: ...l Parameters None Mode Global Configuration mode Description Use this command to return the SNMP engine ID value to the default value Confirmation Command SHOW SNMP SERVER on page 837 Example This exa...

Page 833: ...minimum security level of the group to be deleted The options are auth Authentication but no privacy noauth No authentication or privacy priv Authentication and privacy Mode Global Configuration mode...

Page 834: ...th priv Specifies the minimum security level of the user associated with this entry The options are noauth No authentication nor privacy auth Authentication but no privacy priv Authentication and priv...

Page 835: ...u want to delete from the switch The name is case sensitive Mode Global Configuration mode Description Use this command to delete SNMPv3 users You can delete just one user at a time with this command...

Page 836: ...ch The name is case sensitive OID Specifies the OID of the subtree of the view to be deleted Mode Global Configuration mode Description Use this command to delete SNMPv3 views from the switch Confirma...

Page 837: ...displays whether SNMP is enabled or disabled on the switch You can remotely manage the switch with SNMPv1 or v2c when the server is enabled Remote management is not possible when the server is disabl...

Page 838: ...tion IX Simple Network Management Protocols SHOW SNMP SERVER GROUP Syntax show snmp server group Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 groups Exa...

Page 839: ...ction IX Simple Network Management Protocols 839 SHOW SNMP SERVER HOST Syntax show snmp server host Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 host en...

Page 840: ...ection IX Simple Network Management Protocols SHOW SNMP SERVER USER Syntax show snmp server user Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 users Exam...

Page 841: ...on IX Simple Network Management Protocols 841 SHOW SNMP SERVER VIEW Syntax show snmp server view Parameter None Mode Privileged Exec mode Description Use this command to display the SNMPv3 views on th...

Page 842: ...n mode Description Use this command to activate SNMPv1 v2c and v3 on the switch The switch permits remote management from SNMP applications when SNMP is enabled The switch also sends SNMP messages to...

Page 843: ...ription Use this command to configure the SNMPv3 engine ID Note Changing the SNMPv3 engine ID from its default value is not recommended because the SNMP server on the switch may fail to operate proper...

Page 844: ...n but no privacy noauth No authentication or privacy priv Authentication and privacy readview Specifies the name of an existing SNMPv3 view that specifies the MIB objects the members of the group can...

Page 845: ...te private This example creates a group called swengineering with a minimum security level of authentication and privacy The group has the read view internet and the write view ATI awplus enable awplu...

Page 846: ...iv Specifies the minimum security level of the user associated with this entry The options are noauth No authentication nor privacy auth Authentication but no privacy priv Authentication and privacy u...

Page 847: ...md5 The MD5 Message Digest Algorithms authentication protocol sha The SHA Secure Hash Algorithms authentication protocol auth_password Specifies a password for authentication A password can have up t...

Page 848: ...ntication or privacy awplus enable awplus configure terminal awplus config snmp server user dcraig This example creates the user bjones The user is assigned authentication using SHA and the authentica...

Page 849: ...by the OID Mode Global Configuration mode Description Use this command to create SNMPv3 views on the switch Views are used to restrict the MIB objects that network managers can access through SNMPv3 g...

Page 850: ...s 850 Section IX Simple Network Management Protocols awplus enable awplus configure terminal awplus config snmp server view AlliedTelesis 1 3 6 1 excluded awplus config snmp server view AlliedTelesis...

Page 851: ...61 LLDP and LLDP MED on page 877 Chapter 62 LLDP and LLDP MED Commands on page 911 Chapter 63 Address Resolution Protocol ARP on page 969 Chapter 64 Address Resolution Protocol ARP Commands on page 9...

Page 852: ...852 Section X Network Management...

Page 853: ...lowing topics Overview on page 854 Configuring the sFlow Agent on page 856 Configuring the Ports on page 857 Enabling the sFlow Agent on page 859 Disabling the sFlow Agent on page 860 Displaying the s...

Page 854: ...rts This value defines the average number of ingress packets from which the agent samples one packet For example a sampling rate of 1000 on a port prompts the agent to send one packet from an average...

Page 855: ...port the agent depending on its internal dynamics may send the information to the collector before five minutes have actually elapsed Guidelines Here are the guidelines to the sFlow agent You can spe...

Page 856: ...lector ip ipaddress port udp_port The IPADDRESS parameter specifies the IP address of the collector and the UDP_PORT parameter its UDP port This example specifies the IP address of the sFlow collector...

Page 857: ...ferent ports can have different rates The packet sampling rate is controlled with the SFLOW SAMPLING RATE command in the Port Interface mode Here is the format of the command sflow sampling rate value...

Page 858: ...rt can have just one polling rate but different ports can have different settings The command to set this value is the SFLOW POLLING INTERVAL command in the Port Interface mode Here is the format of t...

Page 859: ...awplus config sflow enable This command assumes that you have already performed these steps Added the IP address of the collector to the sFlow agent with the SFLOW COLLECTOR IP command Used the SFLOW...

Page 860: ...the sFlow agent from collecting performance data on the ports on the switch and from sending the data to the collector on your network use the NO SFLOW ENABLE command in the Global Configuration mode...

Page 861: ...LOW command in the Global Configuration mode Here is the command awplus config show sflow Here is an example of what you ll see Figure 146 SHOW SFLOW Command The fields are described in Table 79 on pa...

Page 862: ...ss of the collector before configuring the polling and sampling rates of the ports The next series of commands configures the sFlow settings of the ports awplus enable Enter the Privileged Executive m...

Page 863: ...g if sflow sampling rate 50000 Use the SFLOW SAMPLING RATE command to set the sampling rate of the ports to 1 packet for every 50000 packets awplus config if sflow polling interval 1800 Use the SFLOW...

Page 864: ...tes and polling intervals there may be long periods of time in which the agent on the switch does not send any information to the collectors For instance if there is little or no traffic on port 23 in...

Page 865: ...to the sFlow agent on the switch SFLOW ENABLE on page 869 Global Configuration Activates the sFlow agent on the switch SFLOW POLLING INTERVAL on page 870 Port Interface Sets the polling intervals tha...

Page 866: ...sFlow collector Mode Global Configuration mode Description Use this command to delete the IP address of an sFlow collector from the switch Confirmation Command SHOW SFLOW DATABASE on page 874 Example...

Page 867: ...None Mode Global Configuration mode Description Use this command to disable the sFlow agent to stop the switch from transmitting sample and counter data to the sFlow collector on your network Confirm...

Page 868: ...ort of an sFlow collector on your network The packet sampling data and the packet counters from the ports are sent by the switch to the specified collector You can specify just one collector If the IP...

Page 869: ...ption Use this command to activate the sFlow agent on the switch The switch uses the agent to gather packet sampling data and packet counters from the designated ports and to transmit the data to the...

Page 870: ...the ports by the sFlow agent The ports can have different polling intervals To remove sFlow monitoring from a port enter the NO form of this command NO SFLOW POLLING INTERVAL You must disable the sFl...

Page 871: ...AT 9000 Switch Command Line User s Guide Section X Network Management 871 awplus config interface port1 0 21 awplus config if no sflow polling interval...

Page 872: ...o the sFlow collector For example a sample rate of 700 on a port means that one sample packet is taken for every 700 ingress packets The ports can have different sampling rates To disable packet sampl...

Page 873: ...mand Line User s Guide Section X Network Management 873 This example disables packet sampling on port 7 awplus enable awplus configure terminal awplus config interface port1 0 7 awplus config if no sf...

Page 874: ...the Global Configuration mode You can enter either SHOW SFLOW or SHOW SFLOW DATABASE to display the same information Description Use this command to display the settings of the sFlow agent on the swi...

Page 875: ...r of ports configured to be sampled or polled Port The port number Sample rate The rate of ingress packet sampling on the port For example a rate of 500 means that one in every 500 packets is sent to...

Page 876: ...Chapter 60 sFlow Agent Commands 876 Section X Network Management Example awplus enable awplus configure terminal awplus config show sflow database...

Page 877: ...uring Ports to Send LLDP MED Civic Location TLVs on page 891 Configuring Ports to Send LLDP MED Coordinate Location TLVs on page 895 Configuring Ports to Send LLDP MED ELIN Location TLVs on page 899 R...

Page 878: ...rotocol That is the information transmitted in LLDP advertisements flows in one direction only from one device to its neighbors and the communication ends there Transmitted advertisements do not solic...

Page 879: ...that transmitted the advertisements Time to Live TTL The length of time in seconds for which the information received in the advertisements remains valid If the value is greater than zero the informa...

Page 880: ...N identifiers This is not supported on the AT 9000 Switch VLAN names The names of the VLANs in which the transmitting port is either an untagged or tagged member Protocol IDs List of protocols that ar...

Page 881: ...cy location hardware configuration and for Power over Ethernet capable devices power management LLDP MED TLVs unlike the other TLVs are only sent if the switch detects that an LLDP MED activated devic...

Page 882: ...n Identification Number ELIN Extended power management The following PoE information Power Type field Power Sourcing Entity PSE Power Source field current power source either Primary Power Source or B...

Page 883: ...ventory management The current hardware platform and the software version identical on every port on the switch Hardware Revision Firmware Revision Software Revision Serial Number Manufacturer Name Mo...

Page 884: ...egins to transmit advertisements from those ports that are configured to send TLVs and begins to populate its neighbor information table as advertisements from the neighbors arrive on the ports The co...

Page 885: ...lus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus config interface port1 0 4 port1 0 18 Enter the Port In...

Page 886: ...ace port1 0 16 port1 0 20 Enter the Port Interface mode for ports 16 to 20 awplus config if lldp transmit receive Configure the ports to accept and send TLVs to their neighbors awplus config if no lld...

Page 887: ...figure the ports to send the TLVs Table 83 Optional LLDP TLVs TLV Designator Description port description Port description system name System name system description System description system capabili...

Page 888: ...TLVs from the ports with the NO LLDP MED TLV SELECT command awplus config if lldp tlv select port description awplus config if lldp tlv select link aggregation awplus config if lldp tlv select mac phy...

Page 889: ...enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus config interface port1 0 3 port1 0 4 Enter the Port Interf...

Page 890: ...se the SHOW LLDP INTERFACE command to confirm the configuration Optional TLVs Enabled for Tx Port Rx Tx Notif Management Addr Base 802 1 802 3 MED 3 Rx Tx 0 0 0 0 McNp 4 Rx Tx 0 0 0 0 McNp Transmit op...

Page 891: ...orts on the switch and then configure the ports to send it as their civic location TLV Here are the main steps to creating civic location TLVs 1 Starting in the Global Configuration mode use the LOCAT...

Page 892: ...state CA street suffix Blvd unit A11 Table 84 Abbreviated List of LLDP MED Civic Location Entry Parameters Parameter Example awplus enable Enter the Privileged Executive mode from the User Executive...

Page 893: ...et Suffix Avenue Postal Code 95132 Building 1020 Primary Road Name North Hacienda awplus configure terminal Enter the Global Configuration mode awplus config interface port1 0 14 Enter the Port Interf...

Page 894: ...e the SHOW LLDP INTERFACE command to confirm the port is configured to send the location entry ID Element Type Element 8 Country US State CA City San Jose Street Suffix Avenue Postal Code 95132 Buildi...

Page 895: ...The parameters are listed in Table 85 Table 85 LLDP MED Coordinate Location Entry Parameters Parameter Value latitude Latitude value in decimal degrees The range is 90 0 to 90 0 The parameter accepts...

Page 896: ...e ID number 16 Latitude 37 29153547 Longitude 121 91528320 Datum nad83 navd Altitude 10 25 meters The example is assigned to port 15 altitude meters Altitude in meters The range is 2097151 0 to 209715...

Page 897: ...number 16 awplus config_coord latitude 37 29153547 awplus config_coord longitude 121 91528320 awplus config_coord datum nad83 navd awplus config_coord altitude 10 25 meters Use the parameter commands...

Page 898: ...eged Exec mode awplus show location coord location interface port1 0 15 Use the SHOW LOCATION command to confirm the configuration awplus show lldp interface port1 0 15 Use the SHOW LLDP INTERFACE com...

Page 899: ...ED TLV SELECT command to configure the ports to send the TLV in their advertisements Here is an example of how to create an ELIN location entry and apply it to a port The specifications of the entry a...

Page 900: ...ID number 3 to the port awplus config_if lldp med tlv select location Use the LLDP MED TLV SELECT command to configure the port to send the location entry in its advertisements awplus config_if end R...

Page 901: ...s example stops ports 4 and 5 from including the system capabilities and the management address TLVs in their advertisements awplus enable awplus configure terminal awplus config interface port1 0 4 p...

Page 902: ...ich is located in the Port Interface mode This example stops ports 6 and 11 from sending the location and inventory management TLVs in their advertisements awplus enable awplus configure terminal awpl...

Page 903: ...can delete just one entry at a time and must include both the type and the ID number of the location entry to be deleted This example deletes the civic location ID 22 awplus enable awplus configure te...

Page 904: ...switch use the NO LLDP RUN command in the Global Configuration mode The command has no parameters After the protocols are disabled the switch neither sends advertisements to nor collects information f...

Page 905: ...nd awplus show lldp Here is an example of the information Figure 148 SHOW LLDP Command The fields are defined in Table 90 on page 951 LLDP Global Configuration Default Values LLDP Status Enabled Disab...

Page 906: ...on Abbreviations RC LLDP Remote Tables Change TC LLDP MED Topology Change TLV Abbreviations Base Pd Port Description Sn System Name Sd System Description Sc System Capabilities Ma Management Address 8...

Page 907: ...mple of the summary information The fields are defined in Table 92 on page 961 To view all the neighbor information use the SHOW LLDP NEIGHBORS DETAIL command The command has this format show lldp nei...

Page 908: ...mple clears the information the switch has received from all the neighbors awplus enable awplus clear lldp table This example clears the information the switch has received from the neighbor connected...

Page 909: ...e ports such as after you ve configured the ports or if you believe that ports are not sending the correct information The command has this format show lldp local info interface port To view the TLVs...

Page 910: ...same statistics for individual ports use this command show lldp statistics interface port You can view the statistics of more than one port at a time as demonstrated in this example which displays th...

Page 911: ...s on the switch LLDP MANAGEMENT ADDRESS on page 919 Port Interface Replaces the default management IP address TLV on the ports LLDP MED NOTIFICATIONS on page 921 Port Interface Configures the switch t...

Page 912: ...the value of the transmission delay timer which is the minimum time interval between transmissions of LLDP advertisements due to a change in LLDP local information LOCATION CIVIC LOCATION on page 935...

Page 913: ...the LLDP port settings SHOW LLDP LOCAL INFO INTERFACE on page 955 Privileged Exec Displays the current configurations of the LLDP advertisements that the ports on the switch can transmit to LLDP comp...

Page 914: ...is parameter specifies all the ports Mode Privileged Exec mode Description Use this command to clear the LLDP statistics packet and event counters on the ports You can delete the statistics from all p...

Page 915: ...this command to clear the LLDP and LLDP MED information the switch has received from its neighbors You can delete all the information the switch has amassed or just the information from neighbors on s...

Page 916: ...mode Description Use this command to set the holdtime multiplier value The transmit interval is multiplied by the holdtime multiplier to give the Time To Live TTL the switch advertises to the neighbor...

Page 917: ...se this command to add LLDP MED location information to the ports on the switch The same command is used to add civic coordinate and ELIN locations The specified location entry must already exist To r...

Page 918: ...his example adds the ELIN location ID 27 to port 21 awplus enable awplus configure terminal awplus config interface port1 0 21 awplus config_if lldp location elin location id 27 This example removes t...

Page 919: ...P address if present Here are the possible default values for a port A port that belongs to the same VLAN as the management IP address uses the address as its TLV default value A port that belongs to...

Page 920: ...its management IP address TLV awplus enable awplus configure terminal awplus config interface port1 0 2 awplus config if lldp management address 149 122 54 2 This example returns the management IP ad...

Page 921: ...d to or disconnected from the specified ports To prevent the switch from transmitting topology change notifications refer to NO LLDP NOTIFICATIONS on page 945 Confirmation Command SHOW LLDP INTERFACE...

Page 922: ...ch inventory management Specifies the inventory management TLV Mode Port Interface mode Description Use this command to specify the LLDP MED TLVs the ports are to transmit to their neighbors The defau...

Page 923: ...923 This example configures port 2 to send the capabilities and the location TLVs to its neighbor awplus enable awplus configure terminal awplus config interface port1 0 2 awplus config if lldp med t...

Page 924: ...rd order Use the NO form of this command to configure the switch to accept only advertisements with TLVs that adhere to the correct order Advertisements in which the TLVs are not in the standard order...

Page 925: ...re ports to send LLDP SNMP notifications traps To prevent ports from transmitting LLDP SNMP notifications refer to NO LLDP NOTIFICATIONS on page 945 Confirmation Command SHOW LLDP INTERFACE on page 95...

Page 926: ...val The range is 5 to 3600 seconds Mode Global Configuration mode Description Use this command to set the notification interval This is the minimum interval between LLDP SNMP notifications traps Confi...

Page 927: ...0 seconds Mode Global Configuration mode Description Use this command to set the reinitialization delay This is the number of seconds that must elapse after LLDP is disabled on a port before it can be...

Page 928: ...tion mode Description Use this command to activate LLDP on the switch Once you have activated LLDP the switch begins to transmit and accept advertisements on its ports To deactivate LLDP refer to NO L...

Page 929: ...Description Use this command to set the transmit interval This is the interval between regular transmissions of LLDP advertisements The transmit interval must be at least four times the transmission...

Page 930: ...y one TLV in a command To select all the TLVs use the ALL option The optional TLVs are listed in Table 87 Table 87 Optional TLVs TLV Description all Sends all optional TLVs link aggregation mac phy co...

Page 931: ...Descriptions on page 144 or DESCRIPTION on page 167 port vlan Sends the ID number VID of the port based or tagged VLAN where the port is an untagged member power management Transmits Power over Ethern...

Page 932: ...transmit the optional LLDP port description port vlan and system description TLVs awplus enable awplus configure terminal awplus config interface port1 0 14 port1 0 22 awplus config if lldp tlv selec...

Page 933: ...y TLVs and any optional LLDP TLVs they have been configured to send Ports configured to receive LLDP advertisements accept all advertisements from their neighbors Confirmation Command SHOW LLDP INTERF...

Page 934: ...ssion delay timer This is the minimum time interval between transmissions of LLDP advertisements due to a change in LLDP local information The transmission delay timer cannot be greater than a quarter...

Page 935: ...r Mode Global Configuration mode Description Use this command to create or modify LLDP MED civic location entries on the switch This command moves you to the Civic Location mode which contains the par...

Page 936: ...bine any of the parameters in a single location entry To remove parameters from a location entry use the NO forms of the parameter commands for example NO UNIT leading street direction West name J Smi...

Page 937: ...entifier 5 awplus config_civic country US awplus config_civic city San Jose awplus config_civic state CA awplus config_civic building 100 awplus config_civic primary road name New Adams awplus config_...

Page 938: ...switch This command moves you to the Coordinate Location mode which contains the parameters you use to define the entries The parameters are listed in Table 89 Table 89 LLDP MED Coordinate Location E...

Page 939: ...d between the two keywords as shown here altitude n floors altitude meters Altitude in meters The range is 2097151 0 to 2097151 0 meters The parameter accepts up to eight digits to the right of the de...

Page 940: ...tion coord location identifier 16 awplus config_coord latitude 37 29153547 awplus config_coord longitude 121 91528320 awplus config_coord datum nad83 navd awplus config_coord altitude 10 25 meters awp...

Page 941: ...and coordinate entries You can specify just one ID number Mode Global Configuration mode Description Use this command to create or modify LLDP MED ELIN location entries on the switch To create a new E...

Page 942: ...end LLDP MED topology change notifications when devices are connected to or disconnected from the specified ports Confirmation Command SHOW LLDP INTERFACE on page 953 Example This example configures t...

Page 943: ...t ext Specifies the extended power via MDI TLV This TLV does not apply to the AT 9000 Switches inventory management Specifies the inventory management TLV Mode Port Interface mode Description Use this...

Page 944: ...stops ports 2 and 16 from transmitting the LLDP MED capabilities and network policy TLVs awplus enable awplus configure terminal awplus config interface port1 0 2 port1 0 16 awplus config if no lldp...

Page 945: ...rt Interface mode Description Use this command to prevent ports from sending LLDP SNMP notifications traps Confirmation Command SHOW LLDP INTERFACE on page 953 Example This example prevents port 14 fr...

Page 946: ...ription Use this command to disable LLDP and LLDP MED on the switch The switch when LLDP and LLDP MED are disabled neither sends advertisements to nor collects information from its neighbors The LLDP...

Page 947: ...isted in Table 87 on page 930 To stop ports from transmitting LLDP MED TLVs refer to NO LLDP MED TLV SELECT on page 943 Confirmation Command SHOW LLDP INTERFACE on page 953 Examples This example confi...

Page 948: ...om transmitting and or accepting LLDP and LLDP MED advertisements to or from their neighbors Confirmation Command SHOW LLDP INTERFACE on page 953 Examples This example stops ports 12 from transmitting...

Page 949: ...tion entry at a time Mode Global Configuration mode Description Use this command to delete LLDP MED location entries from the switch The same command is used to remove civic locations coordinate locat...

Page 950: ...ED Commands 950 Section X Network Management This example removes the ELIN location IDs 3 and 4 awplus enable awplus configure terminal awplus config no location elin location id 3 awplus config no lo...

Page 951: ...Enabled Disabled Notification Interval 5 secs 5 Tx Timer Interval 30 secs 30 Hold time Multiplier 4 4 Computed TTL value 120 secs Reinitialization Delay 2 secs 2 Tx Delay 2 secs 2 Fast Start Count 3...

Page 952: ...nitialization delay This is the minimum time that must elapse after LLDP has been disabled before it can be initialized again Tx Delay The transmission delay This is the minimum time interval between...

Page 953: ...P MED Topology Change TLV Abbreviations Base Pd Port Description Sn System Name Sd System Description Sc System Capabilities Ma Management Address 802 1 Pv Port VLAN ID Pp Port And Protocol VLAN ID Vn...

Page 954: ...X Network Management Examples This example displays the LLDP settings for all the ports on the switch awplus show lldp interface This example displays the LLDP settings for ports 5 6 and 11 awplus sh...

Page 955: ...933 or that have not established links with their LLDP counterparts cannot be displayed with this command Here is an example of the information Figure 153 SHOW LLDP LOCAL INFO INTERFACE Command LLDP...

Page 956: ...port1 0 23 Power Via MDI PoE Not Supported Link Aggregation Supported Disabled Maximum Frame Size 1522 Octets LLDP MED Device Type Network Connectivity LLDP MED Capabilities LLDP MED Capabilities Net...

Page 957: ...d LLDP Detailed Neighbor Information Neighbors table last updated 0 hrs 0 mins 20 secs ago Chassis ID Type MAC address Chassis ID 0015 77d8 4360 Port ID Type Port component Port ID 25 TTL 120 secs Por...

Page 958: ...rted Inventory Information Hardware Revision A Firmware Revision v1 0 0 Software Revision v1 0 0 Serial Number A04161H09020007 Manufacturer Name ATI Model Name AT 9000 52 Asset ID not advertised Table...

Page 959: ...List of protocols that are accessible through the neighbor s port Extended Power Via MDI PoE Not supported on the AT 9000 Switch Inventory Information Hardware Revision The hardware revision number o...

Page 960: ...P and LLDP MED Commands 960 Section X Network Management This example displays the information from all of the neighbors that are connected to ports 1 and 4 awplus show lldp neighbors interface port1...

Page 961: ...92 Total number of neighbors on these ports 1 System Capability Codes O Other P Repeater B Bridge W WLAN Access Point R Router T Telephone C DOCSIS Cable Device S Station Only LLDP MED Device Class an...

Page 962: ...w lldp neighbors interface This example displays a summary of the information from the neighbors connected to ports 1 and 4 awplus show lldp neighbors interface port1 0 1 port1 0 4 Neighbor System Nam...

Page 963: ...ommand The information the command displays is explained in Table 93 Global LLDP Packet and Event counters Frames Out 345 In 423 In Errored 0 In Dropped 0 TLVs Unrecognized 0 Discarded 0 Neighbors New...

Page 964: ...nserted into the neighbor table Neighbors Deleted Entries Number of times the information advertised by neighbors has been removed from the neighbor table Neighbors Dropped Entries Number of times the...

Page 965: ...e information Figure 159 SHOW LLDP STATISTICS INTERFACE Command The information the command displays is explained in Table 94 LLDP Packet and Event counters Port 2 Frames Out 15 In 12 In Errored 0 In...

Page 966: ...ort Neighbors New Entries Number of times the information advertised by the neighbor on the port has been inserted into the neighbor table Neighbors Deleted Entries Number of times the information adv...

Page 967: ...his command to display the civic coordinate and ELIN location entries on the switch Here is an example of a civic location entry Figure 160 SHOW LOCATION Command for a Civic Location The information t...

Page 968: ...plays all the coordinate location entries awplus show location coord location The following example displays just coordinate location entry 16 awplus show location coord location identifier 16 The fol...

Page 969: ...l ARP This chapter contains the following topics Overview on page 970 Adding Static ARP Entries on page 972 Deleting Static and Dynamic ARP Entries on page 973 Enabling and Disabling Proxy ARP on page...

Page 970: ...t gateway as the destination MAC address Proxy ARP allows the hosts that do not support routing or do not have knowledge of the network structure to determine the physical addresses of hosts on other...

Page 971: ...nto the ARP table in the ARP cache On the AT 9000 switches the dynamic ARP entries are time stamped and set to time out in 300 seconds Static ARP Entries A manually entered ARP entry is called a stati...

Page 972: ...pology By creating fixed routes statically you can reduce ARP broadcasting requests To add a static ARP entry use the ARP command in the Global Configuration mode Here is the format of the command arp...

Page 973: ...ce The following example deletes all of the dynamic ARP entries in the ARP cache awplus enable awplus configure terminal awplus config clear arp cache You can delete one static ARP entry with the NO A...

Page 974: ...XY ARP command in the VLAN Interface mode Proxy ARP is disabled by default The following example enables Proxy ARP on VLAN 4 awplus enable awplus configure terminal awplus config interface vlan4 awplu...

Page 975: ...awplus show arp An example is shown in Figure 161 Figure 161 SHOW ARP Command The fields are described in Table 98 on page 983 IP ARP ARP Cache Timeout 300 seconds Total ARP Entries 215 IP Address MAC...

Page 976: ...Chapter 63 Address Resolution Protocol ARP 976 Section X Network Management...

Page 977: ...CACHE on page 979 Global Configuration Deletes all dynamic ARP entries from the ARP cache IP PROXY ARP on page 980 VLAN Interface Enables Proxy ARP on a VLAN interface NO ARP IP ADDRESS on page 981 Gl...

Page 978: ...t to the ARP cache The ARP entry must not already exist in the ARP cache The switch can support up to 512 static ARP entries Note The switch must have an management IP address to support static ARP en...

Page 979: ...e Global Configuration mode Description Use this command to delete all dynamic ARP entries from the ARP cache on the switch Confirmation Command SHOW ARP on page 983 Example The following example dele...

Page 980: ...nfiguration mode Description Use this command to enable Proxy ARP on a VLAN interface Proxy ARP is disabled by default Confirmation Command SHOW RUNNING CONFIG on page 132 Example The following exampl...

Page 981: ...n mode Description Use this command to delete a static ARP entry from the ARP cache Static ARP entries do not expire and you must remove them manually This command can delete only one ARP entry at a t...

Page 982: ...ne Mode VLAN Interface mode Description Use this command to disable Proxy ARP on a VLAN interface Proxy ARP is disabled by default Confirmation Command SHOW ARP on page 983 Example The following examp...

Page 983: ...ARP Cache Timeout 300 seconds Total ARP Entries 215 IP Address MAC Address Interface Port Type 149 122 34 4 00 06 5B B2 44 21 vlan2 2 Dynamic 149 122 34 12 00 A0 D2 18 EE A1 vlan2 3 Dynamic 149 122 3...

Page 984: ...switch awplus show arp Type Indicates the type of entry The type is one of the following Static Static entry added with the ARP IP ADDRESS MAC ADDRESS command Dynamic Dynamic entry learned from ARP re...

Page 985: ...985 Chapter 65 RMON This chapter contains the following topics Overview on page 986 RMON Port Statistics on page 987 RMON Histories on page 989 RMON Alarms on page 992...

Page 986: ...ort statistics to identify traffic trends or patterns For instructions refer to RMON Histories on page 989 Alarm group This group is used to create alarms that trigger event log messages or SNMP traps...

Page 987: ...s the format of the command rmon collection stats stats_id owner owner The STATS_ID parameter is the ID number of the new group The range is 1 to 65535 The groups will be easier to identify if their I...

Page 988: ...lus show rmon statistics Here is an example of the information Figure 163 SHOW RMON STATISTICS Command The fields are described in Table 105 on page 1022 Deleting Statistics Groups To delete RMON stat...

Page 989: ...ing History Groups on page 990 Deleting History Groups on page 991 Adding History Groups The command for creating history groups is the RMON COLLECTION HISTORY command This command is in the Port Inte...

Page 990: ...story group of three buckets the switch deletes the first bucket when it adds the fourth bucket To stop a history from gathering any more statistics you must delete it This example configures the swit...

Page 991: ...oups from the switch The switch stops collecting port statistic histories as soon as you enter the command This example of the command deletes the history group with the ID 2 on port 2 awplus enable a...

Page 992: ...port must have an RMON statistics group if it is to have an alarm When you create an alarm you specify the port to which it is to be assigned not by the port number but rather by the ID number of the...

Page 993: ...d SNMP traps and enter messages in the event log rmon event event_id log trap community_string description description owner owner The EVENT_ID parameter is a value from 1 to 65535 that uniquely ident...

Page 994: ...variable is the ID number of the statistics group on the port the alarm is to monitor The port is specified indirectly in the command by the ID number of the statistics group For example if the alarm...

Page 995: ...essage in the event log if the ingress traffic on the port exceeds 20000 packets per minute or falls below 1000 packets The first sequence of steps adds an RMON statistics group to port 22 The alarm w...

Page 996: ...onfigure terminal Enter the Global Configuration mode awplus config rmon event 3 log description Enter_log_message Create the event with the RMON EVENT LOG command awplus config exit Return to the Pri...

Page 997: ...sses of the host nodes and activate SNMP on the switch awplus show rmon alarm Use the SHOW RMON ALARM command to verify the configuration of the new alarm Alarm Index 1 Variable etherStatsPkts 22 Inte...

Page 998: ...unity string with the SHOW RUNNING CONFIG command SNMP Server Enabled IP Protocol IPv4 SNMPv3 Engine ID Configured Not set SNMPv3 Engine ID actual 0x80001f8880241d7f08386d438e SNMP Host information Co...

Page 999: ...g if end Return to the Privileged Exec mode awplus show rmon statistics Use the SHOW RMON STATISTICS command to verify the configuration of the new group Stats Index 20 Data source ifindex 20 Owner Ag...

Page 1000: ...interval 60 delta rising threshold 10000 event 2 falling threshold 1000 event 2 Create the alarm with the RMON ALARM command awplus config exit Return to the Privileged Exec mode awplus show rmon alar...

Page 1001: ...RMON COLLECTION HISTORY on page 1010 Port Interface Creates history groups on the ports RMON COLLECTION STATS on page 1012 Port Interface Creates statistics groups on the ports RMON EVENT LOG on page...

Page 1002: ...Commands 1002 Section X Network Management SHOW RMON STATISTICS on page 1022 Privileged Exec Displays the statistics groups that are assigned to the ports Table 100 RMON Commands Continued Command Mo...

Page 1003: ...er of the alarm you want to delete You can delete only one alarm at a time The range is 1 to 65535 Mode Global Configuration mode Description Use this command to delete alarms from the switch Confirma...

Page 1004: ...u can delete only one group at a time The range is 1 to 65535 Mode Port Interface mode Description Use this command to delete history groups from ports on the switch Confirmation Command SHOW RMON HIS...

Page 1005: ...roup you want to delete The range is 1 to 65535 Mode Port Interface mode Description Use this command to delete statistics groups from ports on the switch Confirmation Command SHOW RMON STATISTICS on...

Page 1006: ...you want to delete from the switch You can delete only one event at a time The range is 1 to 65535 Mode Global Configuration mode Description Use this command to delete events from the switch Confirma...

Page 1007: ...ready exist For more information on the OID and STATS_ID variables refer to Creating RMON Alarms on page 994 interval Specifies the polling interval in seconds The range is 1 to 65535 seconds delta Sp...

Page 1008: ...987 or RMON COLLECTION STATS on page 1012 The port of an alarm is specified indirectly in the command You use the STATS_ID parameter to specify the ID number of the RMON statistics group you added to...

Page 1009: ...of RMON alarms refer to RMON Alarms on page 992 etherStatsMulticastPkts 1 3 6 1 2 1 16 1 1 1 7 stats_id etherStatsCRCAlignErrors 1 3 6 1 2 1 16 1 1 1 8 stats_id etherStatsUndersizePkts 1 3 6 1 2 1 16...

Page 1010: ...orts over time You can view the snapshots with an SNMP program to look for trends or patterns in the numbers or types of ingress packets on the ports A history group can be applied to just one port an...

Page 1011: ...vals in two hours The group is assigned the ID number 1 awplus enable awplus configure terminal awplus config interface port1 0 14 awplus config if rmon collection history 1 buckets 8 interval 900 Thi...

Page 1012: ...statistics groups on the ports of the switch The groups are used to view RMON port statistics from SNMP workstations on your network and to create RMON alarms A port can have only one RMON statistics...

Page 1013: ...are not allowed owner Specifies an owner of up to 20 alphanumeric characters for the event Spaces and special characters are not allowed Mode Global Configuration mode Description Use this command to...

Page 1014: ...of up to 20 alphanumeric characters for the event Spaces and special characters are not allowed owner Specifies an owner of up to 20 alphanumeric characters for the event Spaces and special character...

Page 1015: ...escription Specifies a description of up to 20 alphanumeric characters for the event Spaces and special characters are not allowed owner Specifies an owner of up to 20 alphanumeric characters for the...

Page 1016: ...The fields are described in Table 102 Alarm Index 2 Variable etherStatsBroadcastPkts 2 Interval 80 Alarm Type rising and falling Rising Threshold 1000 Event Index 5 Falling Threshold 100 Event Index...

Page 1017: ...and falling meaning the alarm has both a rising threshold and a falling threshold Rising Threshold The rising threshold Event Index The ID number of the event the alarm performs if the rising threshol...

Page 1018: ...bed in Table 103 Event index 2 Description broadcast_packets Event type log trap Event community name wkst12a Last Time Sent 0 Owner Agent Event index 3 Description port24_traffic Event type log Event...

Page 1019: ...event log and sends an SNMP trap Event community name The SNMP community string used to send SNMP traps Last Time Sent The number of seconds the switch had been operating when it last sent the event t...

Page 1020: ...re 167 SHOW RMON HISTORY Command The fields are described in Table 104 History Index 1 Data source ifindex 2 Buckets requested 50 Buckets granted 50 Interval 800 Owner William History Index 4 Data sou...

Page 1021: ...ts granted The number of buckets allocated by the switch for the history group The value in this field will be less than the value in the buckets requested field if the switch did not have sufficient...

Page 1022: ...8 SHOW RMON STATISTICS Command The fields are described in Table 105 Example awplus show rmon statistics Stats Index 5 Data source ifindex 5 Owner Agent Stats Index 16 Data source ifindex 16 Owner Age...

Page 1023: ...llowing sections Overview on page 1024 Creating ACLs on page 1027 Assigning ACLs to Ports on page 1042 Removing ACLs from Ports on page 1044 Restricting Remote Access on page 1046 Unrestricting Remote...

Page 1024: ...date or time to begin filtering Numbered IPv4 ACLs are only compatible with IPv4 addresses They are not compatible with IPv6 addresses Filtering Criteria All types of ACLs identify packets using filte...

Page 1025: ...match Since ports forward all ingress packets unless they have deny ACLs permit ACLs are only necessary in situations where you want a port to forward packets that are a subset of a larger traffic flo...

Page 1026: ...ts As a result you must apply ACLs to the ingress ports of the designated traffic flows ACLs for static port trunks or LACP trunks must be assigned to the individual ports of the trunks A port that ha...

Page 1027: ...Numbered IPv4 ACL with TCP Port Packets Example on page 1035 Numbered IPv4 ACL with UDP Port Packets Example on page 1037 Table 107 ACCESS LIST Commands for Creating ACLs To Do This Task Use This Com...

Page 1028: ...pter 17 Port Mirror on page 313 The SRC_IPADDRESS and DST_IPADDRESS parameters specify the source and destination IP addresses Choose from the following options any Matches any IP address ipaddress ma...

Page 1029: ...ID number 3015 specifies the packets from the permitted subnet while the deny ACL with the ID number 3011 specifies all traffic Table 108 Blocking Ingress Packets Example Command Description awplus e...

Page 1030: ...rst Table 110 Creating a Permit ACL Followed by a Deny ACL Example Command Description awplus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter th...

Page 1031: ...e ACCESS LIST command awplus config access list 3018 deny ip any any Create the deny ACL awplus config interface port1 0 21 port1 0 22 Move to the Port Interface mode for ports 21 and 22 awplus config...

Page 1032: ...ng the filtering criteria of the ACL Here are the possible actions permit Forwards all ingress packets that match the ACL Ports by default accept all ingress packets Consequently a permit ACL is only...

Page 1033: ...The IP address and the mask are separated by a slash for example 149 11 11 0 24 host ipaddress Matches packets with a specified IP address and is an alternative to the IPADRESS MASK variable for addr...

Page 1034: ...be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 The protocol_number parameter specifies a protocol number You can specify one protocol number per command...

Page 1035: ...ny order The ACTION parameter specifies the action that the port performs on packets matching the filtering criteria of the ACL Here are the possible actions permit Forwards all ingress packets that m...

Page 1036: ...rameter matches packets that are less than the TCP port number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter The gt parameter matches packets that are greater than the TCP port number specif...

Page 1037: ...ward a subset of packets that are otherwise discarded deny Discards all ingress packets that match the ACL copy to mirror Copies all ingress packets that match the ACL to the destination port of the m...

Page 1038: ...ter matches packets that are less than the TCP port number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter The gt parameter matches packets that are greater than the TCP port number specified...

Page 1039: ...that match the ACL Ports by default accept all ingress packets Consequently a permit ACL is only necessary when you want a port to forward a subset of packets that are otherwise discarded deny Discar...

Page 1040: ...ecifies the destination MAC address of the ingress packets Here are the possible options dst_mac_address Specifies the destination MAC address of the packets The address must be entered in hexadecimal...

Page 1041: ...00 00 00 00 ff ff Defines ACL 4012 to deny any MAC addresses with the source MAC address of a4 54 86 12 00 00 00 00 00 ff ff awplus config interface port1 0 19 Access the Port Interface mode for port...

Page 1042: ...UP command in the Port Interface mode Using this command you can add one Numbered IP ACL to a port or several ports The ACL must exist on the switch Here is the format of the command access group id_n...

Page 1043: ...C addresses starting with 45 2A B5 and assigns it to port 7 awplus config_if access group 3075 Apply the ACL to the ports with the ACCESS GROUP command Table 118 Assigning Numbered IP ACLs Continued C...

Page 1044: ...see ACCESS GROUP on page 1057 You can remove one ACL at a time See Table 120 The following example removes an ACL with an ID number of 3082 from port 15 Removing MAC Address ACLs To remove a MAC ACL...

Page 1045: ...le 121 Removing MAC Address ACLs Example Command Description awplus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mod...

Page 1046: ...ge 1046 Assigning MAC ACLs to VTY Lines on page 1047 Assigning Numbered IP ACLs to VTY Lines The following example creates two Numbered IP ACLs The first ACL created with an ID of 3000 permits IP addr...

Page 1047: ...sses access to the switch awplus config line vty 0 9 Access the LINE VTY mode for lines 0 through 9 awplus config line access class 3000 Assigns ACL 3000 to VTY lines 0 through 9 awplus config line ac...

Page 1048: ...er of 4001 that denies all IP addresses access to the switch awplus config line vty 0 9 Access the LINE VTY mode for lines 0 through 9 awplus config line access class 4000 Assigns ACL 4000 to VTY line...

Page 1049: ...3001 are removed from VTY Lines 0 through 9 See Table 124 Table 124 Removing Numbered IP ACLs from VTY Lines Example Command Description awplus enable Enter the Privileged Executive mode from the User...

Page 1050: ...with ID numbers 3018 and 3019 from the switch The following example deletes a MAC ACL with ID number 4415 from the switch Table 125 Deleting Numbered IP ACLs Example 1 Command Description awplus enab...

Page 1051: ...ax followed by an example display awplus show access list Figure 169 SHOW ACCESS LIST Command As you can see from the example the SHOW ACCESS LIST command doesn t display which if any ports the ACLs a...

Page 1052: ...Use the SHOW RUNNING CONFIG command to display the ACLs assigned to VTY lines Here is the format of the command awplus show running config See Figure 171 for an example of the display that pertains to...

Page 1053: ...ACLs that filter packets based on source and destination IP addresses ACCESS LIST PROTO on page 1070 Global Configuration Creates ACLs that identify packets based on protocol numbers and source and de...

Page 1054: ...ent SHOW ACCESS LIST on page 1087 Privileged Exec Displays the ACLs on the switch SHOW INTERFACE ACCESS GROUP on page 1088 Privileged Exec Displays the port assignments of the ACLs Table 127 Access Co...

Page 1055: ...e switch via Telnet Web SNMP or SSH access You can add one ACL to multiple VTY lines with this command Note Allied Telesis recommends specifying all ten of the VTY lines with the ACCESS LIST command b...

Page 1056: ...tch All other IP addresses are denied remote access to the switch awplus enable awplus configure terminal awplus config interface vlan10 awplus config if ip address 10 0 0 20 24 awplus config if quit...

Page 1057: ...as they are assigned ACLs This command works for all ACLs except for MAC address ACLs which are added to ports with the MAC ACCESS GROUP command See MAC ACCESS GROUP on page 1083 Note If a port is to...

Page 1058: ...D of 3022 to port 15 awplus enable awplus configure terminal awplus config interface port1 0 15 awplus config if access group 3022 This example removes an IP ACL with an ID of 3001 from port 7 awplus...

Page 1059: ...ress packets that match the ACL copy to mirror Copies all ingress packets that match the ACL to the destination port of the mirror port This action must be used together with the port mirror feature e...

Page 1060: ...address of the packets The address must be entered in hexadecimal in this format xx xx xx xx xx xx any Matches any destination MAC address dst_mac_mask Specifies the destination MAC address mask The...

Page 1061: ...awplus show interface port1 0 3 access group This example configures port 7 to accept only those packets that have source MAC addresses starting with 45 2A B5 awplus enable awplus configure terminal a...

Page 1062: ...ination port of the port mirror This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 scr_ipaddress Specifies the source IP address of the ingr...

Page 1063: ...ts that have a destination IP address of a specific subnet or end node host ipaddress Matches packets with a destination IP address of a specific end node The HOST keyword indicates that the address i...

Page 1064: ...st is assigned the ID number 3094 awplus enable awplus configure terminal awplus config access list 3094 deny icmp 152 12 45 0 24 any awplus config interface port1 0 4 port1 0 5 awplus config_if acces...

Page 1065: ...ingress IGMP packets with a VID of 12 from ports 12 to 20 awplus enable awplus configure terminal awplus config access list 3156 deny icmp any any vlan 12 awplus config interface port1 0 12 port1 0 2...

Page 1066: ...port This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 scr_ipaddress Specifies the source IP address of the ingress packets the access list...

Page 1067: ...kets that have a destination IP address of a specific subnet or end node host ipaddress Matches packets with a destination IP address of a specific end node The HOST keyword indicates that the address...

Page 1068: ...list 3095 deny ip any 149 112 2 0 24 awplus config interface port1 0 11 port1 0 13 awplus config_if access group 3095 awplus config_if end awplus show access list awplus show interface port1 0 11 port...

Page 1069: ...inal awplus config access list 3011 permit ip any 149 124 47 0 24 awplus config access list 3012 deny ip any any awplus config interface port1 0 22 port1 0 23 awplus config_if access group 3011 awplus...

Page 1070: ...st be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 protocol_number Specifies a protocol number You can specify one protocol number Refer to Table 128 Prot...

Page 1071: ...hat have a destination IP address of a specific subnet or end node host ipaddress Matches packets with a destination IP address of a specific end node The HOST keyword indicates that the address is of...

Page 1072: ...IANA 11 Network Voice Protocol RFC741 17 UDP User Datagram Protocol RFC768 20 Host monitoring RFC869 27 RDP Reliable Data Protocol RFC908 28 IRTP Internet Reliable Transaction Protocol RFC938 29 ISO...

Page 1073: ...list 3016 deny proto 28 any any awplus config interface port1 0 2 60 Destination Options for IPv6 RFC1883 88 EIGRP Enhanced Interior Gateway Routing Protocol 89 OSPFIGP RFC1583 97 Ethernet within IP E...

Page 1074: ...t1 0 5 port1 0 6 awplus config_if access group 3011 awplus config_if end awplus show access list awplus show interface port1 0 5 port1 0 6 access group This example configures port 18 to accept untagg...

Page 1075: ...he destination port of the mirror port This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 src_ipaddress Specifies the source IP address of t...

Page 1076: ...ameter ne Matches packets that are not equal to the TCP port number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter range Matches packets with TCP port numbers within the range Separate the nu...

Page 1077: ...CP port numbers Confirmation Commands SHOW ACCESS LIST on page 1087 and SHOW INTERFACE ACCESS GROUP on page 1088 Examples This example creates an ACL ID number 3045 that discards all untagged ingress...

Page 1078: ...TCP port numbers The list is assigned the ID number 3255 awplus enable awplus configure terminal awplus config access list 3255 deny tcp any any vlan 27 awplus config interface port1 0 14 awplus conf...

Page 1079: ...the destination port of the mirror port This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 src_ipaddress Specifies the source IP address of...

Page 1080: ...ameter ne Matches packets that are not equal to the UDP port number specified by the SRC_UDP_PORT or DST_UDP_PORT parameter range Matches packets with UDP port numbers within the range Separate the nu...

Page 1081: ...8 Examples This example creates a Numbered IPv4 ACL with an ID number of 3118 that discards all untagged ingress UDP packets on ports 18 and 19 awplus enable awplus configure terminal awplus config ac...

Page 1082: ...access group 3078 awplus config_if end awplus show access list awplus show interface port1 0 18 access group This example configures port 21 to forward tagged UDP port 67 to 87 packets only if they ar...

Page 1083: ...Use the no version of this command NO MAC ACCESS LIST to remove a MAC address ACL from a switch Note If a port is to have both permit and deny ACLs you must add the permit ACLs first because ingress...

Page 1084: ...e Description Use this command to delete ACLs from the switch ACLS must first be removed from their port assignments before they can be deleted For instructions refer to NO ACCESS GROUP on page 1085 a...

Page 1085: ...Description Use this command to remove ACLs from ports on the switch This command works for all ACLs except for MAC address ACLs which are removed with NO MAC ACCESS GROUP on page 1086 Confirmation Co...

Page 1086: ...port at a time with this command Mode Port Interface mode Description Use this command to remove MAC address ACLs from ports on the switch Confirmation Commands SHOW INTERFACE ACCESS GROUP on page 10...

Page 1087: ...IP ACLs on the switch If you do not specify an option all three ACL types are displayed To display the port assignments of the ACLs refer to SHOW INTERFACE ACCESS GROUP on page 1088 Example This examp...

Page 1088: ...e Privileged Exec mode Description Use this command to display the port assignments of the ACLs Here is an example of the information Figure 173 SHOW INTERFACE ACCESS GROUP Command Example This exampl...

Page 1089: ...1119 Chapter 74 Telnet Client Commands on page 1123 Chapter 75 Secure Shell SSH Server on page 1127 Chapter 76 SSH Server Commands on page 1139 Chapter 77 Non secure HTTP Web Browser Server on page 1...

Page 1090: ...1090 Section XI Management Security...

Page 1091: ...on page 1095 Deleting Local Manager Accounts on page 1096 Activating Command Mode Restriction and Creating the Special Password on page 1097 Deactivating Command Mode Restriction and Deleting the Spec...

Page 1092: ...ation refer to Chapter 81 RADIUS and TACACS Clients on page 1187 Privilege Levels Manager accounts have privilege levels that determine where in the command mode structure managers can go and conseque...

Page 1093: ...ining the special password is the ENABLE PASSWORD command in the Global Configuration mode For instructions on how to use the command refer to Activating Command Mode Restriction and Creating the Spec...

Page 1094: ...the switch searches the running configuration for plaintext passwords and encrypts them It also automatically encrypts the plaintext passwords of new manager accounts When you deactivate password enc...

Page 1095: ...ic characters including special characters Spaces are not allowed To enter an encrypted password precede it with the number 8 This example of the command creates an account for the user john The privi...

Page 1096: ...it to manage the switch If you delete the account with which you logged on to the switch your current management session is not interrupted But you will not be able to use that account again to log i...

Page 1097: ...l Configuration mode The switch can have only one special password Here is the format of the command enable password 8 password The PASSWORD parameter specifies the special password You can enter the...

Page 1098: ...the special password is the NO ENABLE PASSWORD command in the Global Configuration mode When command mode restriction is deactivated manager accounts with a privilege level of 15 do not have to enter...

Page 1099: ...awplus configure terminal awplus config service password encryption When password encryption is activated the switch searches the running configuration for plaintext passwords and encrypts them It al...

Page 1100: ...132 to display the running configuration Here is an example of several accounts Figure 176 Displaying the Local Manager Accounts in the Running Configuration username manager privilege 15 password We...

Page 1101: ...assword NO ENABLE PASSWORD on page 1103 Global Configuration Deactivates command mode restriction on the switch NO SERVICE PASSWORD ENCRYPTION on page 1104 Global Configuration Disables password encry...

Page 1102: ...ssword When command mode restriction is active managers with a privilege level of 15 must enter the password to move to the Privileged Exec mode from the User Exec mode Managers who do not know the pa...

Page 1103: ...s command to deactivate command mode restriction on the switch to allow managers who have the privilege level 15 to access all of the command modes without having to enter the special password Confirm...

Page 1104: ...in the running configuration file unless they are entered in their encrypted forms in the USERNAME command Also the switch decrypts all of the passwords of the current manager accounts in the running...

Page 1105: ...rom the switch Note You can delete the default manager account from the switch Caution Do not delete all of the local manager accounts that have the privilege level 15 if the switch does not have any...

Page 1106: ...nd to activate password encryption This feature encrypts all of the manager account passwords in the running configuration of the switch and the passwords of new manager accounts This is the default s...

Page 1107: ...ccess to all of the command modes unless command mode restriction is activated Manager accounts with the privilege level 1 are restricted to the User Exec mode 8 Specifies that the password is encrypt...

Page 1108: ...is activated The password is laf238pl awplus enable awplus configure terminal awplus config username allen privilege 15 password laf238pl This example creates a manager account for the user sjones Th...

Page 1109: ...ter 71 Telnet Server This chapter provides the following topics Overview on page 1110 Enabling the Telnet Server on page 1111 Disabling the Telnet Server on page 1112 Displaying the Telnet Server on p...

Page 1110: ...e access to it through routers or other Layer 3 devices If the Telnet clients are not members of the same subnet as the switch s management IP address the switch must have a default gateway This is th...

Page 1111: ...mand Here is the command awplus enable awplus configure terminal awplus config service telnet Once the server is started you can conduct remote management sessions over your network from Telnet client...

Page 1112: ...al awplus config no service telnet Note If you disable the server from a remote Telnet management session your session ends To resume managing the unit establish a local management session or remote w...

Page 1113: ...lnet Server To display the status of the Telnet server use the SHOW TELNET command in the User Exec mode or Privileged Exec mode Here is the command awplus show telnet Here is the information the comm...

Page 1114: ...Chapter 71 Telnet Server 1114 Section XI Management Security...

Page 1115: ...et Server Commands Command Mode Description NO SERVICE TELNET on page 1116 Global Configuration Disables the Telnet server SERVICE TELNET on page 1117 Global Configuration Enables the Telnet server SH...

Page 1116: ...et server is enabled Note Your management session ends if you disable the server from a remote Telnet session To resume managing the unit establish a local management session or remote web browser ses...

Page 1117: ...hat you can remotely manage the switch with a Telnet application protocol The default setting for the Telnet server is enabled Note The switch must have a management IP address for remote Telnet manag...

Page 1118: ...de User Exec mode and Privileged Exec mode Description Use this command to display the status of the Telnet server on the switch The status of the server can be either enabled or disabled Here is the...

Page 1119: ...1119 Chapter 73 Telnet Client This chapter provides the following topics Overview on page 1120 Starting a Remote Management Session with the Telnet Client on page 1121...

Page 1120: ...switch must have a management IP address that is of the same type IPv4 or IPv6 as the addresses on the remote devices For example the switch must have an IPv6 address for you to remotely manage devic...

Page 1121: ...l port number of the Telnet client The default is 23 For example if the IPv4 address of the remote device is 149 174 154 12 you enter awplus enable awplus telnet 149 174 154 12 You should now see the...

Page 1122: ...Chapter 73 Telnet Client 1122 Section XI Management Security...

Page 1123: ...131 Table 131 Telnet Client Commands Command Mode Description TELNET on page 1124 Privileged Exec Starts Telnet management sessions on remote devices that have IPv4 addresses TELNET6 on page 1125 Pri...

Page 1124: ...the protocol port number of the Telnet client The default value is 23 Mode Privileged Exec mode Description Use this command to start Telnet management sessions on network devices that have IPv4 addre...

Page 1125: ...protocol port number of the Telnet client The default value is 23 Mode Privileged Exec mode Description Use this command to start Telnet management sessions on network devices that have IPv6 addresse...

Page 1126: ...Chapter 74 Telnet Client Commands 1126 Section XI Management Security...

Page 1127: ...erview on page 1128 Support for SSH on page 1129 SSH and Enhanced Stacking on page 1131 Creating the Encryption Key Pair on page 1133 Enabling the SSH Server on page 1134 Disabling the SSH Server on p...

Page 1128: ...hm You can choose from three available algorithms to create the key for SSH RSA RSA1 DSA The algorithms are for different versions of SSH The RSA algorithm is used with SSH2 RSA1 with SSH1 and DSA wit...

Page 1129: ...SSH options and features are not supported IDEA or Blowfish encryption Nonencrypted Secure Shell sessions Tunnelling of TCP IP traffic Guidelines Here are the guidelines to using SSH to manage the sw...

Page 1130: ...configure SSH server on the command switch not on the member switches Note If your switch is in a network that is protected by a firewall you may need to configure the firewall to permit SSH connectio...

Page 1131: ...s Consequently there is no encryption between a command switch and a member switch The result is that SSH encryption only occurs between your workstation and the command switch not between your workst...

Page 1132: ...Management Security Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a member switch you configure SSH only on the command switch of a st...

Page 1133: ...he other keys because you can specify a length in bits by using the VALUE parameter in the command The other keys have a fixed key length of 1024 bits The range is 768 to 20 bits Entering the length i...

Page 1134: ...s the SERVICE SSH command in the Global Configuration mode Here is the command awplus enable awplus configure terminal awplus config service ssh After you enter the command the switch searches its dat...

Page 1135: ...h with SSH enter the following commands awplus enable awplus configure terminal awplus config no ssh service Note If you disable the server during a remote SSH management session your session ends To...

Page 1136: ...ring a remote SSH management session your session ends To resume managing the unit with the manager account you must wait for the console timer on the switch to expire and then establish a local manag...

Page 1137: ...d Line User s Guide Section XI Management Security 1137 Displaying the SSH Server To display the current settings of the server enter this command in the Privileged Exec or Global Configuration mode a...

Page 1138: ...Chapter 75 Secure Shell SSH Server 1138 Section XI Management Security...

Page 1139: ...STKEY on page 1141 Global Configuration Creates encryption keys NO SERVICE SSH on page 1143 Global Configuration Disables the SSH server SERVICE SSH on page 1144 Global Configuration Activates the SSH...

Page 1140: ...removed by the switch when you enter this command You do not have to enter the WRITE command or the COPY RUNNING CONFIG STARTUP CONFIG command Confirmation Command SHOW CRYPTO KEY HOSTKEY on page 114...

Page 1141: ...and SHOW CRYPTO KEY HOSTKEY on page 1145 Description Use this command to create the encryption key for the Secure Shell server You must create the key before activating the server The switch can have...

Page 1142: ...ected or unwanted switch behavior create a key during periods of low network activity Examples This example creates a DSA key awplus enable awplus configure terminal awplus config crypto key generate...

Page 1143: ...server is disabled Note Your management session of the switch ends if you disable the server from a remote SSH management session To resume managing the switch from a local management session or a rem...

Page 1144: ...abling the server For instructions refer to CRYPTO KEY GENERATE HOSTKEY on page 1141 If the switch has more than one key it chooses the active pair based on this order RSA RSA1 DSA For example if the...

Page 1145: ...SA1 key Mode Global Configuration mode Description Use this command to display the encryption keys Here is an example of the information for an RSA key Figure 180 SHOW CRYPTO KEY HOSTKEY Command Examp...

Page 1146: ...cription Use this command to display the current status of the SSH server Versions supported Server Status Server Port Host Key ID Host Key Bits size of host key in bits Server Key ID Server Key Bits...

Page 1147: ...This chapter provides the following topics Overview on page 1148 Enabling the Web Browser Server on page 1149 Setting the Protocol Port Number on page 1150 Disabling the Web Browser Server on page 11...

Page 1148: ...individual captures the management packet that contains your user name and password he or she could use that information to access the switch and make unauthorized changes to its configuration settin...

Page 1149: ...a management IP address For instructions refer to Chapter 9 IPv4 and IPv6 Management Addresses on page 207 If the web browser server is already configured for secure HTTPS and you are changing it back...

Page 1150: ...ault setting of port 80 for the protocol port of the HTTP web server can be adjusted with the IP HTTP PORT command in the Global Configuration mode This example of the command changes the protocol por...

Page 1151: ...the NO SERVICE HTTP command in the Global Configuration mode awplus enable awplus configure terminal awplus config no service http No further web browser management session are permitted by the switch...

Page 1152: ...e HTTP web server is enabled or disabled on the switch issue the SHOW IP HTTP command in the Privileged Exec mode The command also displays the protocol port number if the server is enabled Here is th...

Page 1153: ...Server Commands Command Mode Description SERVICE HTTP on page 1154 Global Configuration Enables the HTTP web browser server IP HTTP PORT on page 1155 Global Configuration Sets the protocol port number...

Page 1154: ...one Mode Global Configuration mode Description Use this command to activate the HTTP web browser server on the switch The switch supports non secure HTTP web browser management sessions when the serve...

Page 1155: ...umber for the HTTP web server listens on The range is 0 to 65535 Mode Global Configuration mode Description Use this command to set the TCP port for the web browser server Confirmation Command SHOW IP...

Page 1156: ...n the switch to prevent any further remote management with a web browser Any active web browser management session are interrupted and are not allowed to continue You might disable the server to preve...

Page 1157: ...IP HTTP Syntax show ip http Parameters None Mode Privileged Exec mode Description Use this command to display the status of the HTTP server on the switch Here is an example of the information Figure...

Page 1158: ...Chapter 78 Non secure HTTP Web Browser Server Commands 1158 Section XI Management Security...

Page 1159: ...s Overview on page 1160 Creating a Self signed Certificate on page 1163 Configuring the HTTPS Web Server for a Certificate Issued by a CA on page 1166 Enabling the Web Browser Server on page 1170 Disa...

Page 1160: ...ertificate is a distinguished name that identifies the owner of the certificate which in the case of a certificate for your switch is the switch itself and your company The switch does not come with a...

Page 1161: ...tself and your company The name of the owner is entered in the form of a distinguished name which has six parts Common name cn This is the IP address or name of the switch Organizational unit ou This...

Page 1162: ...wser applications must be members of the same network as the management IP address of the switch or they must have access to it through routers or other Layer 3 devices The web browser server cannot o...

Page 1163: ...onsists of 4 to 20 alphanumeric characters that are used to used to export the certificate in PKCS12 file format Although the switch doesn t allow you to export certificates you re still required to i...

Page 1164: ...les Organization Jones_Industries Location San_Jose State California Country US Duration 365 days awplus enable Enter the Privileged Exec mode from the User Exec mode awplus configure terminal Enter t...

Page 1165: ...the HTTPS server with SERVICE HTTPS on page 1180 awplus config exit Return to the Privileged Exec mode awplus show ip https Confirm the confirmation with SHOW IP HTTPS on page 1184 HTTPS server enabl...

Page 1166: ...s command must be exactly the same as the corresponding values from the CRYPTO CERTIFICATE GENERATE command used to create the self signed certificate This includes the ID_NUMBER parameter Any differe...

Page 1167: ...these specifications ID number 1 Key length 512 Passphrase hazeltime Common name 124 201 76 54 This is the IP address of the switch Organizational unit Production Organization ABC_Industries Location...

Page 1168: ...age 387 awplus config crypto certificate 1 import Import the new certificate into the certificate database with CRYPTO CERTIFICATE IMPORT on page 1177 awplus config ip https certificate 1 Designate th...

Page 1169: ...re HTTP web browser server is enabled on the unit disabled it with NO SERVICE HTTP on page 1156 awplus config service https Enable the HTTPS server with SERVICE HTTPS on page 1180 awplus config exit R...

Page 1170: ...P address For instructions refer to Chapter 9 IPv4 and IPv6 Management Addresses on page 207 The switch should have a HTTPS certificate If the HTTP mode is enabled you must disable it with the NO HTTP...

Page 1171: ...he NO SERVICE HTTPS command in the Global Configuration mode awplus enable awplus configure terminal awplus config no service https No further web browser management session are permitted by the switc...

Page 1172: ...splays the protocol port number if the server is enabled Here is the command awplus enable awplus show ip https Here is an example of the display Figure 183 SHOW IP HTTPS Command The fields are descri...

Page 1173: ...rts certificates from public or private CAs into the certificate database on the switch CRYPTO CERTIFICATE REQUEST on page 1178 Global Configuration Creates certificate enrollment requests for submitt...

Page 1174: ...ion mode Description Use this command to delete unused certificates from the switch You can delete just one certificate at a time with this command Entering the WRITE or COPY RUNNING CONFIG STARTUP CO...

Page 1175: ...export of certificates a passphrase is still required in the command common_name Specifies a common name for the certificate This should be the IP address or fully qualified URL designation of the swi...

Page 1176: ...ificates are not stored in the active boot configuration file Note Generating a certificate is CPU intensive It should be performed before the switch is connected to your network or during periods of...

Page 1177: ...ate CAs into the certificate database of the switch A certificate has to be residing in the file system on the switch before you can import it into the certificate database Entering the WRITE or COPY...

Page 1178: ...epartment such as Network Support or IT This parameter can have up to 64 characters Spaces and special characters are not allowed organization Specifies the name of a company This parameter can have u...

Page 1179: ...ation Command DIR on page 365 Example This example creates a certificate enrollment request that has these specifications ID number 2 Common name 167 214 121 45 Organizational unit Sales Organization...

Page 1180: ...S web browser management sessions when the server is activated Here are the preconditions to activating the server The non secure HTTP server on the switch must be disabled For instructions refer to N...

Page 1181: ...S web server The switch can have only one active certificate The certificate which must already exist on the switch can be a self signed certificate that the switch created itself or a certificate tha...

Page 1182: ...he secure HTTPS web server on the switch The switch rejects secure HTTPS web browser management sessions when the server is deactivated You might disable the server to prevent remote web browser manag...

Page 1183: ...tax show crypto certificate id_number Parameters id_number Specifies a certificate ID number Mode Privileged Exec mode Description Use this command to display detailed information about the certificat...

Page 1184: ...ds are defined in Table 135 HTTPS server enabled Port 443 Certificate 1 is active Issued by self signed Valid from 5 17 2010 to 5 16 2011 Subject C US ST California L San_Jose O Jones_Industries OU Sa...

Page 1185: ...active status indicates that the certificate was designated with IP HTTPS CERTIFICATE on page 1181 as the active certificate for the HTTPS server The switch can have just one active certificate Valid...

Page 1186: ...Chapter 80 Secure HTTPS Web Browser Server Commands 1186 Section XI Management Security...

Page 1187: ...nd TACACS Clients Overview on page 1188 Remote Manager Accounts on page 1189 Managing the RADIUS Client on page 1192 Managing the TACACS Client on page 1196 Configuring Remote Authentication of Manage...

Page 1188: ...s This feature lets you add more manager accounts to the switch by transferring the task of authenticating the accounts from the switch to an authentication server on your network This feature is desc...

Page 1189: ...tch and an authentication server when a manager logs on 1 The switch uses its RADIUS or TACACS client to transmit the user name and password to an authentication server on the network 2 The server che...

Page 1190: ...ctive on the switch a manager account with a privilege level of 0 is restricted to the User Exec mode while an account with a privilege level of 15 has access to all the command modes For RADIUS the m...

Page 1191: ...e not members of the same subnet as the management IP address the switch must have a default gateway The default gateway defines the IP address of the first hop to reaching the remote subnet of the se...

Page 1192: ...three Also when you remove an IP address from the switch the place holder is retained For example if you make the following assignments server one is 186 178 11 154 server two is 186 178 11 156 serve...

Page 1193: ...Configuration mode to enter a global encryption key in the client The format of the command is radius server key secret This example specifies 4tea23 as the global encryption key of the RADIUS servers...

Page 1194: ...sables accounting messages The GROUP parameter indicates the user server group Specify the RADIUS server The LOCAL parameter indicates that authentication using the password provided in the ENABLE PAS...

Page 1195: ...list of RADIUS servers awplus enable awplus configure terminal awplus config no radius server host 211 132 123 12 Displaying the RADIUS Client To display the settings of the RADIUS client use the SHOW...

Page 1196: ...m the switch the place holder is retained For example if you make the following assignments server one is 186 178 11 154 server two is 186 178 11 156 server three is 186 178 11 158 Then you delete ser...

Page 1197: ...indicates a start accounting message is sent at the beginning of a session and a stop accounting message is sent at the end of the session The STOP ONLY parameter indicates a stop accounting message...

Page 1198: ...ress 122 124 15 7 from the TACACS client awplus enable awplus configure terminal awplus config no tacacs server host 122 114 15 7 Displaying the TACACS Client To display the settings of the TACACS cli...

Page 1199: ...onfig aaa authentication login tacacs After you activate the feature all future log on attempts by managers are forwarded by the switch to the designated authentication servers for authentication To d...

Page 1200: ...sole 0 awplus config line no login authentication Now even though remote authentication is activated the switch uses its local manager accounts to authenticate the user name and password whenever some...

Page 1201: ...awplus config line vty 0 awplus config line no login authentication Now the switch uses the local manager accounts instead of the remote accounts to authenticate the user name and password when an adm...

Page 1202: ...Chapter 81 RADIUS and TACACS Clients 1202 Section XI Management Security...

Page 1203: ...le Line and Virtual Terminal Line Activates remote authentication for local management sessions and remote Telnet and SSH sessions NO LOGIN AUTHENTICATION on page 1215 Console Line and Virtual Termina...

Page 1204: ...on page 1224 Privileged Exec Displays the configuration settings of the TACACS client TACACS SERVER HOST on page 1226 Global Configuration Adds IP addresses of TACACS servers to the TACACS client in...

Page 1205: ...owing radius Uses all RADIUS servers tacacs Uses all TACACS servers Mode Global Configuration mode Description This command configures RADIUS or TACACS accounting for all login shell sessions This com...

Page 1206: ...config aaa accounting login default start stop group radius To reset the configuration of the default accounting list use the following commands awplus enable awplus configure terminal awplus config n...

Page 1207: ...mmand is attempted if a TACACS server is not available For information about this command see ENABLE PASSWORD on page 1102 This is an optional parameter Mode Global Configuration mode Description Use...

Page 1208: ...d in the ENABLE PASSWORD command is attempted if a TACACS server is not available use the following commands awplus enable awplus configure terminal awplus config aaa authentication enable default gro...

Page 1209: ...For information about this command see ENABLE PASSWORD on page 1102 This is an optional parameter Mode Global Configuration mode Description Use this command to enable RADIUS or TACACS on the switch...

Page 1210: ...Examples To enable RADIUS servers on the switch use the following commands awplus enable awplus configure terminal awplus config aaa authentication login default group radius local To enable TACACS se...

Page 1211: ...AN ID The RADIUS client uses the specified IP address on every outgoing RADIUS packet Use the no version of this command NO IP RADIUS SOURCE INTERFACE to remove the RADIUS source lP address from the c...

Page 1212: ...nd TACACS Client Commands 1212 Section XI Management Security This example removes the RADIUS source IP address from the RADIUS client awplus enable awplus configure terminal awplus config no ip radiu...

Page 1213: ...sole Line mode while remote authentication for remote Telnet and SSH management sessions is activated in the Virtual Terminal Line mode Note If the switch is unable to communicate with the authenticat...

Page 1214: ...4 Section XI Management Security This example activates remote authentication for remote Telnet and SSH management sessions that use VTY line 0 awplus enable awplus configure terminal awplus config li...

Page 1215: ...emote Telnet and SSH sessions Confirmation Command SHOW RUNNING CONFIG on page 132 Examples This example deactivates remote authentication for local management sessions awplus enable awplus configure...

Page 1216: ...list Mode Global Configuration mode Description Use this command to delete IP addresses of RADIUS servers from the list of authentication servers on the switch You can delete only one IP address at a...

Page 1217: ...delete just one address at a time with this command Mode Global Configuration mode Description Use this command to delete IP addresses of TACACS servers from the client You can delete only one IP addr...

Page 1218: ...g The default UDP port for accounting is 1813 auth port Specifies the UDP destination port for RADIUS authentication requests If 0 is specified the server is not used for authentication The default UD...

Page 1219: ...ch The accounting port is 1811 and the UDP port is 1815 The encryption key is kieran7 awplus enable awplus configure terminal awplus config radius server host 176 225 15 23 acct port 1811 auth port 18...

Page 1220: ...n key To define two or three servers that use different encryption keys do not enter a global encryption key with this command Instead define the individual keys when you add the IP addresses of the s...

Page 1221: ...rom a RADIUS server for an authentication request If the timeout expires without a response the client queries the next server in the list If there are no further servers in the list to query the swit...

Page 1222: ...Interface 192 168 3 97 Timeout 5 sec Server Host 192 168 1 75 Authentication Port 1812 Accounting Port 1813 Table 137 SHOW RADIUS Command Parameter Description Source Interface An IP address assigned...

Page 1223: ...ent Security 1223 Example awplus show radius Authentication Port The authentication protocol port Accounting Port The accounting protocol port Encryption Keys The server encryption keys if defined Tab...

Page 1224: ...ibed in Table 138 TACACS Global Configuration Timeout 5 sec Server Host 149 123 154 12 Server Status Alive Server Host 149 123 154 26 Server Status Dead Table 138 SHOW TACACS Command Parameter Descrip...

Page 1225: ...Server Status Indicates the status of the server host One of the following options is displayed Alive Indicates the server is working correctly The sockets are successful Dead Indicates the server has...

Page 1226: ...ode Global Configuration mode Description Use this command to add IP addresses of TACACS servers to the TACACS client in the switch The list can have up to three TACACS authentication servers but you...

Page 1227: ...agement Security 1227 This example adds the IP address 149 11 24 5 as the second TACACS authentication server in the list The server has the key mit762 awplus enable awplus configure terminal awplus c...

Page 1228: ...n key To define two or three servers that use different encryption keys do not enter a global encryption key with this command Instead define the individual keys when you add the IP addresses of the s...

Page 1229: ...rom a TACACS server for an authentication request If the timeout expires without a response the client queries the next server in the list If there are no further servers in the list to query the swit...

Page 1230: ...Chapter 82 RADIUS and TACACS Client Commands 1230 Section XI Management Security...

Page 1231: ...ION on page 1236 Privileged Exec Displays the memory allocations used by the processes SHOW MEMORY HISTORY on page 1237 Privileged Exec Displays a graph showing historical memory usage SHOW MEMORY POO...

Page 1232: ...processes sleep Sorts the list by the average sleeping times thrds Sorts the list by the number of threads Mode Privileged Exec mode Description Use this command to display a list of running processe...

Page 1233: ...e User s Guide 1233 SHOW CPU HISTORY Syntax show cpu history Parameters None Mode Privileged Exec mode Description Use this command to display graphs of historical CPU utilization of the switch Exampl...

Page 1234: ...s 1234 SHOW CPU USER THREADS Syntax show cpu user threads Parameters None Mode Privileged Exec mode Description Use this command to display a list of CPU utilization and status of the user threads Exa...

Page 1235: ...the peak amounts of memory the processes are currently using stk Sorts the list by the stack sizes of the processes Mode Privileged Exec mode Description Use this command to display the memory consum...

Page 1236: ...stem process Mode Privileged Exec mode Description Use this command to display the memory allocations used by the processes Examples This example displays the memory allocations used by all the proces...

Page 1237: ...ne User s Guide 1237 SHOW MEMORY HISTORY Syntax show memory history Parameters None Mode Privileged Exec mode Description Use this command to display a graph showing historical memory usage Example aw...

Page 1238: ...ring Commands 1238 SHOW MEMORY POOLS Syntax show memory pools Parameters None Mode Privileged Exec mode Description Use this command to display a list of memory pools used by the processes Example awp...

Page 1239: ...ry utilization Mode Privileged Exec mode Description Use this command to display a summary of the current running processes Examples This example lists the running processes by ID number awplus show p...

Page 1240: ...tax show system serialnumber Parameters None Modes User Exec mode and Privileged Exec mode Description Use this command to display the serial number of the switch The serial number is also displayed w...

Page 1241: ...system interrupts Parameters None Mode Privileged Exec mode Description Use this command to display the number of interrupts for each IRQ Interrupt Request used to interrupt input lines on a PIC Progr...

Page 1242: ...name tech support followed by a string of numbers and the extension txt After performing the command upload the file from the switch using TFTP or Zmodem and email it to Allied Telesis technical suppo...

Page 1243: ...43 With the ALL option the command performs the previous commands and these additional commands SHOW ARP SHOW INTERFACE SHOW IP INTERFACE SHOW IPV6 INTERFACE SHOW MAC ADDRESS TABLE Examples awplus sho...

Page 1244: ...Chapter System Monitoring Commands 1244...

Page 1245: ...P MED on page 1253 MAC Address based Port Security on page 1254 MAC Address Table on page 1255 Management IP Address on page 1256 Manager Account on page 1257 Port Settings on page 1258 RADIUS Client...

Page 1246: ...Appendix B Management Software Default Settings 1246 Boot Configuration File The following table lists the names of the default configuration files Boot Configuration File Default Switch boot cfg...

Page 1247: ...1247 Class of Service The following table lists the default mappings of the IEEE 802 1p priority levels to the egress port priority queues IEEE 802 1p Priority Level Port Priority Queue 0 Q2 1 Q0 lowe...

Page 1248: ...1248 Console Port The following table lists the default settings for the Console port The baud rate is the only adjustable parameter on the port Console Port Setting Default Data Bits 8 Stop Bits 1 P...

Page 1249: ...etwork Access Control Settings Default Port Access Control Disabled Authentication Method RADIUS EAP Port Roles None Authentication Port 1812 Authenticator Port Setting Default Authentication Mode 802...

Page 1250: ...Appendix B Management Software Default Settings 1250 Enhanced Stacking The following table lists the enhanced stacking default setting Enhanced Stacking Setting Default Switch State Member...

Page 1251: ...ine User s Guide 1251 GVRP This section provides the default settings for GVRP GVRP Setting Default Status Disabled GIP Status Enabled Join Timer 20 centiseconds Leave Timer 60 centiseconds Leave All...

Page 1252: ...lowing table lists the IGMP Snooping default settings IGMP Snooping Setting Default IGMP Snooping Status Disabled Multicast Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds...

Page 1253: ...following table lists the default settings for LLDP and LLDP MED LLDP an LLDP MED Default Status Disabled Notification Interval 5 seconds Transmit Interval 30 seconds Holdtime Multiplier 4 Reinitiali...

Page 1254: ...tings 1254 MAC Address based Port Security The following table lists the MAC address based port security default settings MAC Address based Port Security Setting Default Status Disabled Intrusion Acti...

Page 1255: ...9000 Switch Command Line User s Guide 1255 MAC Address Table The following table lists the default setting for the MAC address table MAC Address Table Setting Default MAC Address Aging Time 300 secon...

Page 1256: ...Default Settings 1256 Management IP Address The following table lists the default settings for the management IP address Management IP Address Setting Default Management IP Address 0 0 0 0 Subnet Mas...

Page 1257: ...owing table lists the manager account default settings Note Login names and passwords are case sensitive Manager Account Setting Default Manager Login Name manager Manager Password friend Console Disc...

Page 1258: ...iation MDI MDI X Auto MDI MDIX Threshold Limits for Ingress Packets Disabled Broadcast Multicast or Unknown Unicast Packet Filtering Storm control 33 554 431 packets per second Override Priority No ov...

Page 1259: ...IUS configuration default settings RADIUS Configuration Setting Default Global Encryption Key ATI Global Server Timeout Period 30 seconds RADIUS Server 1 Configuration 0 0 0 0 RADIUS Server 2 Configur...

Page 1260: ...tings 1260 Remote Manager Account Authentication The following table describes the remote manager account authentication default settings Authentication Setting Default Server based Authentication Dis...

Page 1261: ...lowing table lists the default settings for RMON collection histories There are no default settings for alarms or events RMON Setting Default History Buckets 50 History Polling Interval 1800 seconds O...

Page 1262: ...ell Server The following table lists the SSH default settings The SSH port number is not adjustable SSH Setting Default Status Disabled Host Key ID Not Defined Server Key ID Not Defined Server Key Exp...

Page 1263: ...ide 1263 sFlow Agent The default settings for the sFlow agent are listed in this table sFlow Agent Setting Default sFlow Agent Status Disabled sFlow Collector IP Address 0 0 0 0 UDP Port 6343 Port Sam...

Page 1264: ...s 1264 Simple Network Management Protocol SNMPv1 SNMPv2c and SNMPv3 The following table describes the default settings for SNMPv1 SNMPv2c and SNMPv3 SNMP Communities Setting Default SNMP Status Disabl...

Page 1265: ...uide 1265 Simple Network Time Protocol The following table lists the SNTP default settings SNTP Setting Default System Time Sat 01 Jan 2000 00 00 00 SNTP Status Disabled SNTP Server 0 0 0 0 UTC Offset...

Page 1266: ...d Spanning Tree Protocol The following table describes the RSTP default settings Spanning Tree Setting Default Spanning Tree Status Enabled Active Protocol Version RSTP STP Setting Default Bridge Prio...

Page 1267: ...AT 9000 Switch Command Line User s Guide 1267 BPDU Guard Disabled BPDU Guard Timeout Status Disabled BPDU Guard Timeout Interval 300 seconds RSTP Setting Default...

Page 1268: ...Appendix B Management Software Default Settings 1268 System Name The default setting for the system name is listed in this table System Name Setting Default System Name awplus...

Page 1269: ...9 TACACS Client The following table lists the TACACS client configuration default settings TACACS Client Configuration Setting Default TAC Server 1 0 0 0 0 TAC Server 2 0 0 0 0 TAC Server 3 0 0 0 0 TA...

Page 1270: ...tware Default Settings 1270 Telnet Server The default settings for the Telnet server are listed in this table The Telnet port number is not adjustable Telnet Server Setting Default Telnet Server Enabl...

Page 1271: ...s Guide 1271 VLANs This section provides the VLAN default settings VLAN Setting Default Default VLAN Name Default_VLAN all ports Management VLAN ID 1 Default_VLAN VLAN Type Port based Member Ports All...

Page 1272: ...t Software Default Settings 1272 Web Server The following table lists the web server default settings Web Server Configuration Setting Default Status Disabled Operating Mode HTTP HTTP Port Number 80 H...

Page 1273: ...CLASS MAP command 46 CLEAR ARP CACHE command 979 CLEAR IP IGMP command 334 CLEAR IPV6 NEIGHBORS command 223 CLEAR LLDP STATISTICS command 914 CLEAR LLDP TABLE command 907 915 CLEAR LOG BUFFERED comma...

Page 1274: ...mmand 921 LLDP MED TLV SELECT command 889 892 896 899 922 LLDPNON STRICT MED TLV ORDER CHECKcommand 924 LLDP NOTIFICATION INTERVAL command 926 LLDP NOTIFICATIONS command 925 LLDP REINIT command 927 LL...

Page 1275: ...OCAL command 832 NO SNMP SERVER GROUP command 833 NO SNMP SERVER HOST command 798 811 834 NO SNMP SERVER USER command 835 NO SNMP SERVER VIEW command 813 836 NO SPANNING TREE command 527 535 NO SPANNI...

Page 1276: ...d 307 SHOW ESTACK COMMAND SWITCH command 309 SHOW ESTACK REMOTELIST command 293 310 396 SHOW ETHERCHANNEL command 474 SHOW ETHERCHANNEL DETAIL command 475 SHOW ETHERCHANNEL SUMMARY command 476 SHOW FI...

Page 1277: ...UARD ROOT command 524 SPANNING TREE HELLO TIME command 504 513 524 546 SPANNING TREE LINK TYPE command 527 547 SPANNING TREE LOOP GUARD command 527 548 SPANNING TREE MAX AGE command 504 514 524 549 SP...

Page 1278: ...Index 1278 Configuration mode 644 659 VLAN SET MACADDRESS command Port Interface mode 644 661 W WRITE command 75 94 385...

Reviews:

No comments

Related manuals for AT-9000/28

AllShare Cast Dongle

Brand: Samsung Pages: 2

Brand: D-Link Pages: 14

Brand: D-Link Pages: 7

Brand: D-Link Pages: 41

Brand: Parker Pages: 344

3CR860-95 - OfficeConnect Secure Router

Brand: 3Com Pages: 2

Brand: 3Com Pages: 26

Brand: 3xLogic Pages: 2

Brand: Rain Bird Pages: 17

Brand: H3C Pages: 16

Brand: H3C Pages: 24

Brand: Alcad Pages: 6

Brand: Supero Pages: 68

DHI-NVR2104-P-4KS2

Brand: Dahua Pages: 23

Brand: Fracarro Pages: 12

MultiConnect SE MTS2EA

Brand: Multitech Pages: 2

AXP-100H MUSCLE

Brand: Thermalright Pages: 36

Brand: Moxa Technologies Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands