manualshive.com logo in svg

Cisco 300 Series, Cli Manual

The Bosch 300 Series is a high-performance appliance designed to simplify your household chores. Complete with a comprehensive Use And Care Manual, this manual can be easily downloaded for free from manualshive.com. Discover the full potential of your Bosch 300 Series and keep it operating at its best.

Share
Download
background image

Denial of Service (DoS) Commands

375

OL-32830-01 Command Line Interface Reference Guide

16

User Guidelines

On ports in which an ACL is defined (user-defined ACL etc.), this feature cannot block TCP SYN 
packets. In case the protection mode is block but SYN Traffic cannot be blocked, a relevant 
SYSLOG message will be created, e.g.: “port gi11 is under TCP SYN attack. TCP SYN traffic 
cannot be blocked on this port since the port is bound to an ACL.”

Examples

Example 1: 

The following example sets the TCP SYN protection feature to report 

TCP SYN attack on ports in case an attack is identified from these ports.

switchxxxxxx(config)# 

security-suite syn protection mode report

01-Jan-2012 05:29:46: 

A TCP SYN Attack was identified on port 

gi1

1

s

Example 2: 

The following example sets the TCP SYN protection feature to block 

TCP SYN attack on ports in case an attack is identified from these ports.

switchxxxxxx(config)# 

security-suite syn protection mode block

01-Jan-2012 05:29:46: 

A TCP SYN Attack was identified on port 

gi1

1. TCP SYN 

traffic destined to the local system is automatically blocked for 100 

seconds.

16.10 security-suite syn protection recovery

To set the time period for the SYN Protection feature to block an attacked 
interface, use the security-suite syn protection period Global Configuration mode 
command.

To set the time period to its default value, use the no form of this command.

Syntax

security-suite syn protection recovery timeout

no security-suite syn protection recovery

Summary of Contents for 300 Series

Page 1: ...Cisco 300 Series Stackable Managed Switches Command Line Interface Reference Guide Release 1 4 CLI GUIDE ...

Page 2: ......

Page 3: ... re authenticate 64 dot1x reauthentication 65 dot1x system auth control 65 dot1x timeout quiet period 66 dot1x timeout reauth period 67 dot1x timeout server timeout 68 dot1x timeout silence period 69 dot1x timeout supp timeout 70 dot1x timeout tx period 71 dot1x traps authentication failure 72 dot1x traps authentication quiet 73 dot1x traps authentication success 74 dot1x unlock client 75 dot1x vi...

Page 4: ...ess list 126 permit MAC 127 deny MAC 129 service acl input 130 time range 132 absolute 133 periodic 134 show time range 136 show access lists 136 show interfaces access lists 137 clear access lists counters 138 show interfaces access lists trapped packets 139 5 Address Table Commands 141 bridge multicast filtering 141 bridge multicast mode 142 bridge multicast address 144 bridge multicast forbidde...

Page 5: ...ss table 176 show bridge multicast address table static 179 show bridge multicast filtering 182 show bridge multicast unregistered 183 show ports security 184 show ports security addresses 185 bridge multicast reserved address 186 show bridge multicast reserved addresses 188 6 Auto Update and Auto Configuration 189 boot host auto config 189 boot host auto update 190 show boot 191 ip dhcp tftp serv...

Page 6: ...229 clock source 230 clock summer time 231 clock timezone 233 periodic 234 sntp anycast client enable 235 sntp authenticate 236 sntp authentication key 237 sntp broadcast client enable 238 sntp client enable 239 sntp client enable interface 240 sntp server 241 sntp source interface 242 sntp source interface ipv6 243 sntp trusted key 244 sntp unicast client enable 245 sntp unicast client poll 246 s...

Page 7: ...mmands 279 address DHCP Host 279 address DHCP Network 280 bootfile 281 clear ip dhcp binding 282 client name 283 default router 284 dns server 284 domain name 285 ip dhcp excluded address 286 ip dhcp pool host 287 ip dhcp pool network 288 ip dhcp server 289 lease 290 netbios name server 291 netbios node type 292 next server 293 next server name 294 option 295 show ip dhcp 297 show ip dhcp allocate...

Page 8: ...e guard inactive 325 show ip source guard statistics 326 ip arp inspection 327 ip arp inspection vlan 328 ip arp inspection trust 329 ip arp inspection validate 330 ip arp inspection list create 331 ip mac 331 ip arp inspection list assign 332 ip arp inspection logging interval 333 show ip arp inspection 334 show ip arp inspection list 335 show ip arp inspection statistics 335 clear ip arp inspect...

Page 9: ...tection mode 374 security suite syn protection recovery 375 security suite syn protection threshold 376 show security suite configuration 377 show security suite syn protection 378 17 EEE Commands 380 eee enable global 380 eee enable interface 381 eee lldp enable 381 show eee 382 18 Ethernet Configuration Commands 388 interface 388 interface range 389 shutdown 389 operation time 391 description 39...

Page 10: ...stics 425 gvrp enable Global 426 gvrp enable Interface 426 gvrp registration forbid 427 gvrp vlan creation forbid 428 show gvrp configuration 429 show gvrp error statistics 430 show gvrp statistics 431 21 IGMP Snooping Commands 433 ip igmp snooping Global 433 ip igmp snooping vlan 433 ip igmp snooping vlan mrouter 434 ip igmp snooping vlan mrouter interface 435 ip igmp snooping vlan forbidden mrou...

Page 11: ...467 ip redirects 467 ip route 468 show ip route 469 show ip route summary 472 24 IP System Management Commands 474 ping 474 telnet 477 traceroute 480 25 IPv6 First Hop Security 484 address config 485 address prefix validation 486 clear ipv6 first hop security counters 487 clear ipv6 first hop security error counters 488 clear ipv6 neighbor binding prefix table 488 clear ipv6 neighbor binding table...

Page 12: ...v6 nd raguard managed config flag 530 ipv6 nd raguard other config flag 531 ipv6 nd raguard policy 532 ipv6 nd raguard router preference 534 ipv6 neighbor binding 536 ipv6 neighbor binding address config 537 ipv6 neighbor binding address prefix 539 ipv6 neighbor binding address prefix validation 541 ipv6 neighbor binding attach policy port mode 542 ipv6 neighbor binding attach policy VLAN mode 544...

Page 13: ...89 show ipv6 neighbor binding table 590 show ipv6 source guard 592 show ipv6 source guard policy 592 trusted port IPv6 Source Guard 594 validate source mac 595 26 IPv6 Prefix List Commands 597 clear ipv6 prefix list 597 ipv6 prefix list 598 show ipv6 prefix list 602 27 IPv6 Commands 606 clear ipv6 neighbors 606 ipv6 address 606 ipv6 address autoconfig 608 ipv6 address eui 64 609 ipv6 address link ...

Page 14: ... 651 lldp med network policy global 652 lldp med network policy interface 654 lldp med network policy voice auto 655 lldp notifications 656 lldp notifications interval 657 lldp optional tlv 658 lldp optional tlv 802 1 659 lldp run 660 lldp receive 660 lldp reinit 661 lldp timer 662 lldp transmit 663 lldp tx delay 664 show lldp configuration 665 show lldp local 667 show lldp local tlvs overloading ...

Page 15: ...ipv6 mld snooping vlan mrouter 710 ipv6 mld snooping vlan mrouter interface 711 ipv6 mld snooping vlan forbidden mrouter 712 ipv6 mld snooping vlan static 713 ipv6 mld snooping vlan immediate leave 714 show ipv6 mld snooping groups 714 show ipv6 mld snooping interface 716 show ipv6 mld snooping mrouter 717 35 PHY Diagnostics Commands 719 test cable diagnostics tdr 719 show cable diagnostics tdr 72...

Page 16: ...8 class 749 show policy map 750 trust 751 set 753 police 754 service policy 755 qos aggregate policer 756 show qos aggregate policer 758 police aggregate 759 wrr queue cos map 760 wrr queue bandwidth 761 priority queue out num of queues 763 traffic shape 764 traffic shape queue 765 rate limit Ethernet 766 rate limit VLAN 767 qos wrr queue wrtd 768 show qos wrr queue wrtd 769 show qos interface 769...

Page 17: ...table 799 show rmon alarm 800 rmon event 801 show rmon events 803 show rmon log 804 rmon table size 805 show rmon statistics 806 rmon collection stats 808 show rmon collection stats 809 show rmon history 810 42 Router Resources Commands 813 system router resources 813 show system router resources 815 43 RSA and Certificate Commands 817 crypto key generate dsa 818 crypto key generate rsa 820 crypto...

Page 18: ...nt Protocol SNMP Commands 858 snmp server community 858 snmp server community group 860 snmp server server 861 snmp server source interface 862 snmp server source interface ipv6 863 snmp server view 864 snmp server group 866 show snmp views 867 show snmp groups 868 snmp server user 869 show snmp users 872 snmp server filter 874 show snmp filters 875 snmp server host 876 snmp server engineID local ...

Page 19: ...tree mst cost 905 spanning tree mst configuration 907 instance MST 907 name MST 908 revision MST 909 show MST 910 exit MST 911 abort MST 911 show spanning tree 912 show spanning tree bpdu 923 spanning tree loopback guard 924 47 SSD Commands 926 ssd config 926 passphrase 926 ssd rule 928 show SSD 930 ssd session read 932 show ssd session 933 ssd file passphrase control 934 ssd file integrity contro...

Page 20: ... 965 logging origin id 965 show logging 966 show logging file 968 show syslog servers 969 50 System Management Commands 971 disable ports leds 971 hostname 972 reload 972 resume 974 service cpu input rate 975 service cpu utilization 976 set system 976 show cpu input rate 979 show cpu utilization 979 show environment 980 show inventory 982 show reload 982 show sessions 983 show system 984 show syst...

Page 21: ...5 ip ssh server 1006 ip ssh port 1006 ip ssh password auth 1007 ip ssh pubkey auth 1008 crypto key pubkey chain ssh 1009 user key 1010 key string 1012 show ip ssh 1013 show crypto key pubkey chain ssh 1014 53 IPv6 Tunnel Commands 1016 interface tunnel 1016 tunnel isatap solicitation interval 1017 tunnel isatap robustness 1017 tunnel isatap router 1018 tunnel mode ipv6ip 1019 tunnel source 1021 sho...

Page 22: ...d port 1058 show interfaces protected ports 1059 switchport community 1060 switchport mode 1061 switchport access vlan 1062 switchport trunk allowed vlan 1063 switchport trunk native vlan 1064 switchport general allowed vlan 1065 switchport general pvid 1066 switchport general ingress filtering disable 1068 switchport general acceptable frame type 1068 switchport customer vlan 1069 map mac macs gr...

Page 23: ...how voice vlan 1091 show voice vlan local 1095 voice vlan state 1097 voice vlan refresh 1100 voice vlan id 1101 voice vlan vpt 1102 voice vlan dscp 1103 voice vlan oui table 1104 voice vlan cos mode 1106 voice vlan cos 1106 voice vlan aging timeout 1107 voice vlan enable 1108 58 Web Server Commands 1110 ip https certificate 1110 ip http port 1111 ip http server 1111 ip http secure server 1112 ip h...

Page 24: ... Interface Naming Conventions System Modes Loopback Interface Auto Negotiation Port Speed PHY Diagnostics Overview The CLI is divided into various command modes Each mode includes a group of commands These modes are described in CLI Command Modes Users are assigned privilege levels Each user privilege level can access specific CLI modes User levels are described in the section below User Privilege...

Page 25: ...asswords for each level are set by an administrator using the following command enable password level privilege level password encrypted encrypted password Using these passwords you can raise your user level by entering the command enable and the password for level 7 or 15 You can go from level 1 to level 7 or directly to level 15 The higher level holds only for the current session The disable com...

Page 26: ...EC mode Privileged EXEC mode Global Configuration mode Interface Configuration mode Each command mode has its own unique console prompt and set of CLI commands Entering a question mark at the console prompt displays a list of available commands for the current mode and for the level of the user Specific commands are used to switch from one mode to another Users are assigned privilege levels that d...

Page 27: ...and when prompted the password for level 15 To return from the Privileged EXEC mode to the User EXEC mode use the disable command Global Configuration Mode The Global Configuration mode is used to run commands that configure features at the system level as opposed to the interface level Only users with command level of 7 or 15 can access this mode To access Global Configuration mode from Privilege...

Page 28: ...Configuration mode for that interface The following example enters Interface Configuration mode for ports gi1 5 and then sets their speed The exit command returns to Global Configuration mode The following submodes are available Interface Contains commands that configure a specific interface port VLAN port channel or tunnel or range of interfaces The Global Configuration mode command interface is ...

Page 29: ...nds used to configure port channels for example assigning ports to a port channel Most of these commands are the same as the commands in the Ethernet interface mode and are used to manage the member ports as a single entity The interface port channel Global Configuration mode command is used to enter the Port Channel Interface Configuration mode QoS Contains commands related to service definitions...

Page 30: ...ect connection to a computer s serial port using a standard DB 9 null modem or crossover cable After the computer and switch are connected run a terminal application to access the CLI The terminal emulator must be configured to databits 8 and parity none Click Enter twice so that the device sets the serial port speed to match the PC s serial port speed When the CLI appears enter cisco at the User ...

Page 31: ...ayed CLI Command Conventions When entering commands there are certain command entry standards that apply to all commands The following table describes the command conventions Convention Description In a command line square brackets indicate an optional entry In a command line curly brackets indicate a selection of compulsory parameters separated the character One option must be selected For exampl...

Page 32: ... is entered in place of a command A list of all valid commands and corresponding help messages are is displayed press key Names of keys to be pressed are shown in bold Ctrl F4 Keys separated by the character are to be pressed simultaneously on the keyboard Screen Display Fixed width font indicates CLI prompts CLI commands entered by the user and system messages displayed on the console all When a ...

Page 33: ...cross device resets By default the history buffer system is enabled but it can be disabled at any time For more information on enabling or disabling the history buffer refer to the history command There is a standard default number of commands that are stored in the buffer The standard number of 10 commands can be increased to 216 By configuring 0 the effect is the same as disabling the history bu...

Page 34: ... for the system to identify a single matching command press to display the available commands matching the characters already entered Keyboard Shortcuts The CLI has a range of keyboard shortcuts to assist in editing the CLI commands The following table describes the CLI shortcuts Keyboard Key Description Up arrow Recalls commands from the history buffer beginning with the most recent command Repea...

Page 35: ...ed into the device except for encrypted passwords where the keyword encrypted is used before the encrypted data for instance in the enable password command Interface Naming Conventions Interface ID Within the CLI interfaces are denoted by concatenating the following elements Type of Interface The following types of interfaces are found on the various types of devices For supporting devices only Fa...

Page 36: ...nnel number last port channel number tunnel first tunnel number last tunnel number vlan first vlan id last vlan id A sample of this command is shown in the example below Interface List A combination of interface types can be specified in the interface range command in the following format range list interface range range list interface range Up to five ranges can be included switchxxxxxx config in...

Page 37: ...ess The format is ipv6 link local address egress interface where egress interface also known as zone vlan vlan id po number tunnel number port number 0 If the egress interface is not specified the default interface is selected Specifying egress interface 0 is equal to not defining an egress interface The following combinations are possible ipv6_address egress interface Refers to the IPv6 address o...

Page 38: ...te is configured In Router system mode the switch routes traffic between IP VLANs and bridges traffic within VLANs When the switch operates in Router system mode the following features are not supported Protocol based VLANs MAC based VLANs DVA Multicast TV VLAN Per flow policing Loopback Interface When an IP application on a router wants to communicate with a remote IP application it must select t...

Page 39: ...ove rules are replaced by the following ones This is the definition of the IP configuration when the device is in layer 2 mode Only one loopback interface is supported Two IPv4 interfaces can be configured one on a VLAN and one on the loopback interface If the IPv4 address was configured on the default VLAN and the default VLAN is changed the switch moves the IPv4 address to the new default VLAN T...

Page 40: ... 10 10 10 1 should be configured with the following static route ip route 172 25 13 2 32 10 10 10 2 Switch configure terminal Switch config interface vlan 1 Switch config if ip address 10 10 10 2 24 default gateway 10 10 10 1 Switch config if exit Switch config interface loopback 1 Switch config if ip address 172 25 13 2 32 Switch config if ipv6 address 2001 DB8 2222 7272 72 128 Switch config if e...

Page 41: ...ipv6 route 2001 DB8 2222 7272 72 128 2001 DB8 2222 7270 2312 Switch configure terminal Switch config interface vlan 1 Switch config if ip address 10 10 10 2 24 Switch config if ipv6 address 2001 DB8 2222 7270 2312 64 Switch config if exit Switch config interface vlan 2 Switch config if ip address 10 11 11 2 24 Switch config if ipv6 address 2001 DB8 3333 7271 2312 64 Switch config if exit Switch co...

Page 42: ...interface The other routers need static routes for 172 25 13 2 32 because the route is advertised by RIP Switch configure terminal Switch config interface vlan 1 Switch config if ip address 10 10 10 2 24 Switch config if exit Switch config interface vlan 2 Switch config if ip address 10 11 11 2 24 Switch config if exit Switch config interface loopback 1 Switch config if ip address 172 25 13 2 32 S...

Page 43: ...onfigured with auto negotiation Switch configure terminal Switch config interface vlan 1 Switch config if ip address 10 10 10 2 24 Switch config if exit Switch config interface vlan 2 Switch config if ip address 10 11 11 2 24 Switch config if exit Switch config interface loopback 1 Switch config if ip address 172 25 13 2 32 Switch config if exit Switch config router rip Switch config rip network 1...

Page 44: ... on SG300 52 cannot be configured with auto negotiation PHY Diagnostics The following exceptions exist Copper Ports PHY diagnostics are only supported on copper ports FE ports Only basic tests are supported no cable length 10G ports TDR test is supported when the operational port speed is 10G Cable length resolution is 20 meters ...

Page 45: ...n mode does not support Guest VLAN RADIUS VLAN attributes and WEB Based authentication in Sx300 in router mode List of Commands 2 1 aaa authentication dot1x Use the aaa authentication dot1x Global Configuration mode command to specify which servers are used for authentication when 802 1X authentication is enabled Use the no form of this command to restore the default configuration Syntax aaa authe...

Page 46: ...ample sets the 802 1X authentication mode to RADIUS server authentication Even if no response was received authentication succeeds switchxxxxxx config aaa authentication dot1x default radius none 2 2 authentication open To enable open access monitoring mode on this port use the authentication open command in interface configuration mode To disable open access on this port use the no form of this c...

Page 47: ...rface gi11 switchxxxxxx config interface gi11 switchxxxxxx config if authentication open 2 3 clear dot1x statistics Use the clear dot1x statistics Privileged EXEC mode command to clear 802 1X statistics Syntax clear dot1x statistics interface id Parameters interface id Specify an Ethernet port ID Default Configuration Statistics on all ports are cleared Command Mode Privileged EXEC mode User Guide...

Page 48: ... command should not be entered or edited manually unless using copy paste It is a part of the configuration file produced by the switch A user can only customize the web based authentication pages by using the WEB interface Examples Example 1 The following example shows a partial web based page customization configuration switchxxxxxx config dot1x page customization switchxxxxxx config web page da...

Page 49: ...ion VLAN mode command to enable unauthorized devices access to a VLAN Use the no form of this command to disable access to a VLAN Syntax dot1x auth not req no dot1x auth not req Parameters N A Default Configuration Access is enabled Command Mode Interface VLAN Configuration mode User Guidelines A VLAN cannot be defined as an unauthenticated VLAN if it is an access VLAN or it is the native VLAN for...

Page 50: ...ace vlan 5 switchxxxxxx config if dot1x auth not req 2 6 dot1x authentication Use the dot1x authentication Interface Configuration mode command to enable authentication methods on a port Use the no format of the command to return to the default Syntax dot1x authentication 802 1x mac web no dot1x authentication Parameters 802 1x Enables authentication based on 802 1X 802 1X based authentication mac...

Page 51: ...oving a dynamic MAC address authenticated by the MAC based authentication causes its re authentication Example The following example enables authentication based on 802 1x and the station s MAC address on port gi11 switchxxxxxx config interface gi11 switchxxxxxx config if dot1x authentication 802 1x mac 2 7 dot1x guest vlan Use the dot1x guest vlan Interface Configuration VLAN mode command to defi...

Page 52: ...est VLAN The guest VLAN cannot be configured on a monitoring port Example The following example defines VLAN 2 as a guest VLAN switchxxxxxx config interface vlan 2 switchxxxxxx config if dot1x guest vlan 2 8 dot1x guest vlan enable Use the dot1x guest vlan enable Interface Configuration mode command to enable unauthorized users on the access interface to the guest VLAN Use the no form of this comm...

Page 53: ...gged traffic and tagged traffic not belonging to the unauthenticated VLANs from unauthorized hosts are mapped to the guest VLAN If 802 1X is disabled the port static configuration is reset See the User Guidelines of the dot1x host mode command for more information Example The following example enables unauthorized users on gi11 to access the guest VLAN switchxxxxxx config interface gi11 switchxxxx...

Page 54: ... or port up to the time the device adds the port to the guest VLAN Example The following example sets the delay between enabling 802 1X and adding a port to a guest VLAN to 60 seconds switchxxxxxx config dot1x guest vlan timeout 60 2 10 dot1x host mode Use the dot1x host mode Interface Configuration mode command to allow a single host client or multiple hosts on an IEEE 802 1X authorized port Use ...

Page 55: ... during the authentication process In this case tagged traffic is dropped unless the VLAN tag is the RADIUS assigned VLAN or the unauthenticated VLANs See the dot1x radius attributes vlan command to enable RADIUS VLAN assignment at a port The switch removes from FDB all MAC addresses learned on a port when its authentication status is changed from authorized to unauthorized Multi Host Mode The mul...

Page 56: ...to unauthorized If the dot1x host mode command changes the port mode to multi session when authentication is enabled the state of all attached hosts is set to unauthorized To change the port mode to single host or multi host set the port dot1x port control to force unauthorized change the port mode to single host or multi host and set the port to authorization auto In Sx300 multi sessions mode can...

Page 57: ...ot1x max hosts Parameters count Specifies the maximum number of authorized hosts allowed on the interface May be any 32 bits positive number Default Configuration No limitation Command Mode Interface Ethernet Configuration mode User Guidelines By default the number of authorized hosts allowed on an interface is not limited To limit the number of authorized hosts allowed on an interface use the dot...

Page 58: ...ite numbers of attempts The valid range is 3 10 Default Configuration Unlimited Command Mode Interface Ethernet Configuration mode User Guidelines By default the switch does not limit the number of failed login attempts To specify the number of allowed fail login attempts use this command After this number of failed login attempts the switch does not allow the host to be authenticated for a period...

Page 59: ...arameters count Specifies the maximum number of times that the device sends an EAP request identity frame before restarting the authentication process Range 1 10 Default Configuration The default maximum number of attempts is 2 Command Mode Interface Ethernet Configuration mode User Guidelines The default value of this command should be changed only to adjust to unusual circumstances such as unrel...

Page 60: ...eb Based Page Customization Configuration mode User Guidelines The command should not be entered or edited manually unless when using copy paste It is a part of the configuration file produced by the switch A user must customize the web based authentication pages by using the browser Interface Example The following example shows part of a web based page customization configuration switchxxxxxx con...

Page 61: ...t any authentication exchange required The port sends and receives traffic without 802 1X based client authentication force unauthorized Denies all access through this port by forcing it to transition to the unauthorized state and ignoring all attempts by the client to authenticate The device cannot provide authentication services to the client through this port time range time range name Specifie...

Page 62: ...ased VLAN assignment Use the no form of this command to disable RADIUS based VLAN assignment Syntax dot1x radius attributes vlan reject static no dot1x radius attributes vlan Parameters reject If the RADIUS server authorized the supplicant but did not provide a supplicant VLAN the supplicant is rejected If the parameter is omitted this option is applied by default static If the RADIUS server autho...

Page 63: ...AN using TCAM If the last authorized host assigned to a VLAN received from RADIUS connected to a port in the multi sessions mode changes its status to unauthorized the port is removed from the VLAN if it is not in the static configuration See the User Guidelines of the dot1x host mode command for more information If 802 1X is disabled the port static configuration is reset If the reject keyword is...

Page 64: ...ver authorized the supplicant but did not provide a supplicant VLAN the supplicant is accepted and the static VLAN configurations is used switchxxxxxx config interface gi11 switchxxxxxx config if dot1x radius attributes static switchxxxxxx config if exit 2 17 dot1x re authenticate The dot1x re authenticate Privileged EXEC mode command manually initiates re authentication of all 802 1X enabled port...

Page 65: ...he client Use the no form of this command to return to the default setting Syntax dot1x reauthentication no dot1x reauthentication Parameters N A Default Configuration Periodic re authentication is disabled Command Mode Interface Ethernet Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if dot1x reauthentication 2 19 dot1x system auth control Use the dot1x system a...

Page 66: ...se the dot1x timeout quiet period Interface Configuration mode command to set the time interval that the device remains in a quiet state following a failed authentication exchange for example if the client provided an invalid password Use the no form of this command to restore the default configuration Syntax dot1x timeout quiet period seconds no dot1x timeout quiet period Parameters seconds Speci...

Page 67: ...tion the number of failed logins is 1 For WEB based authentication the quite period is applied after a number of failed attempts This number is configured by the dot1x max login attempts command For 802 1x based and MAC based authentication methods the quite period is applied after each failed attempt Example The following example sets the time interval that the device remains in the quiet state f...

Page 68: ... interface gi11 switchxxxxxx config if dot1x timeout reauth period 5000 2 22 dot1x timeout server timeout Use the dot1x timeout server timeout Interface Configuration mode command to set the time interval during which the device waits for a response from the authentication server Use the no form of this command to restore the default configuration Syntax dot1x timeout server timeout seconds no dot...

Page 69: ... example sets the time interval between retransmission of packets to the authentication server to 3600 seconds switchxxxxxx config interface gi11 switchxxxxxx config if dot1x timeout server timeout 3600 2 23 dot1x timeout silence period To set the authentication silence time use the dot1x timeout silence period command in Interface Configuration mode The silence time is the number of seconds that ...

Page 70: ...config if dot1x timeout silence period 100 2 24 dot1x timeout supp timeout Use the dot1x timeout supp timeout Interface Configuration mode command to set the time interval during which the device waits for a response to an Extensible Authentication Protocol EAP request frame from the client before resending the request Use the no form of this command to restore the default configuration Syntax dot...

Page 71: ...conds switchxxxxxx config interface gi11 switchxxxxxx config if dot1x timeout supp timeout 3600 2 25 dot1x timeout tx period Use the dot1x timeout tx period Interface Configuration mode command to set the time interval during which the device waits for a response to an Extensible Authentication Protocol EAP request identity frame from the client before resending the request Use the no form of this...

Page 72: ...or a response to an EAP request identity frame to 60 seconds switchxxxxxx config interface gi11 switchxxxxxx config if dot1x timeout tx period 60 2 26 dot1x traps authentication failure Use the dot1x traps authentication failure Global Configuration mode command to enable sending traps when an 802 1X authentication method failed Use the no form of this command to return to the default Syntax dot1x...

Page 73: ... be authorized by the 802 1X mac authentication access control switchxxxxxx config dot1x traps authentication failure 802 1x 2 27 dot1x traps authentication quiet Use the dot1x traps authentication quiet Global Configuration mode command to enable sending traps when a host state is set to the quiet state after failing the maximum sequential attempts of login Use the no form of this command to disa...

Page 74: ...xxxxx config dot1x traps authentication quiet 2 28 dot1x traps authentication success Use the dot1x traps authentication success Global Configuration mode command to enable sending traps when a host is successfully authorized by an 802 1X authentication method Use the no form of this command to disable the traps Syntax dot1x traps authentication success 802 1x mac web no dot1x traps authentication...

Page 75: ...traps authentication success mac 2 29 dot1x unlock client Use the dot1x unlock client Privileged EXEC mode command to unlock a locked in the quiet period client Syntax dot1x unlock client interface id mac address Parameters interface id Interface ID where the client is connected to mac address Client MAC address Default Configuration The client is locked until the silence interval is over Command ...

Page 76: ...ct Generates a trap when a station whose MAC address is not the supplicant MAC address attempts to access the interface The minimum time between the traps is 1 second Those frames are forwarded but their source addresses are not learned protect Discard frames with source addresses that are not the supplicant address shutdown Discard frames with source addresses that are not the supplicant address ...

Page 77: ...tion mode protect 2 31 show dot1x Use the show dot1x Privileged EXEC mode command to display the 802 1X interfaces or specified interface status Syntax show dot1x interface interface id detailed Parameters interface id Specifies an Ethernet port detailed Displays information for non present ports in addition to present ports Default Configuration Display for all ports If detailed is not used only ...

Page 78: ...t mode multi sessions Authentication methods 802 1x mac Port Adminstrated status auto Guest VLAN enabled VLAN Radius Attribute enabled static Open access disabled Time range name work_hours Active now Server timeout 30 sec Maximum Hosts unlimited Maximum Login Attempts 3 Reauthentication is enabled Reauthentication period 3600 sec Silence period 1800 sec Quiet Period 60 sec Interfaces 802 1X Based...

Page 79: ...ting Server Radius Applied Authentication method 802 1x Session Time HH MM SS 00 25 22 MAC Address 00 08 78 32 98 66 Username Bob Violation Mode restrict Trap enabled Trap Min Interval 20 sec Violations were detected 9 Reauthentication is enabled Reauthentication period 3600 sec Silence period 1800 sec Quiet Period 60 sec Interfaces 802 1X Based Parameters Tx period 30 sec Supplicant timeout 30 se...

Page 80: ...ication method 802 1x Session Time HH MM SS 00 25 22 MAC Address 00 08 78 32 98 66 Username Bob Violation Mode restrict Trap enabled Trap Min Interval 20 sec Violations were detected 0 Reauthentication is enabled Reauthentication period 3600 sec Silence period 1800 sec Quiet Period 60 sec Interfaces 802 1X Based Parameters Tx period 30 sec Supplicant timeout 30 sec max req 2 Authentication success...

Page 81: ...urrent user If the port is Unauthorized it displays the last user authorized successfully Quiet period Number of seconds that the device remains in the quiet state following a failed authentication exchange for example the client provided an invalid password Silence period Number of seconds that If an authorized client does not send traffic during the silence period specified by the command the st...

Page 82: ...m the Authentication Server Authentication fails Number of times the state machine received a Failure message from the Authentication Server 2 32 show dot1x locked clients Use the show dot1x locked clients Privileged EXEC mode command to display all clients who are locked and in the quiet period Syntax show dot1x locked clients Parameters N A Command Mode Privileged EXEC mode User Guidelines Use t...

Page 83: ...istics interface interface id Parameters interface id Specifies an Ethernet port Default Configuration N A Command Mode Privileged EXEC mode Example The following example displays 802 1X statistics for gi11 switchxxxxxx show dot1x statistics interface gi11 EapolFramesRx 11 EapolFramesTx 12 EapolStartFramesRx 1 EapolLogoffFramesRx 1 Port gi11 gi11 gi12 MAC Address 0008 3b79 8787 0008 3b89 3128 0008...

Page 84: ...apolStartFramesRx Number of EAPOL Start frames that have been received by this Authenticator EapolLogoffFramesRx Number of EAPOL Logoff frames that have been received by this Authenticator EapolRespIdFramesRx Number of EAP Resp Id frames that have been received by this Authenticator EapolRespFramesRx Number of valid EAP Response frames other than Resp Id frames that have been received by this Auth...

Page 85: ...60 characters Default Configuration Display all users Command Mode Privileged EXEC mode Examples The following commands displays all 802 1x users switchxxxxxx show dot1x users EapLengthErrorFramesR x Number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid LastEapolFrameVersion Protocol version number carried in the most recently receive...

Page 86: ...nterface Reference Guide 86 2 Port gi11 gi12 gi12 Username Bob Allan John MAC Address 0008 3b71 1 111 0008 3b79 8 787 0008 3baa 0 022 Auth Method 802 1x MAC WBA Auth Server Remote Remote Remote Session Time 09 01 00 00 11 12 00 27 16 VLAN 1020 ...

Page 87: ...hod list when a user logs in this list is unnamed list name Specifies a name of a list of authentication methods activated when a user logs in Length 1 12 characters method1 method2 Specifies a list of methods that the authentication algorithm tries in the given sequence Each additional authentication method is used only if the previous method returns an error not if it fails To ensure that the au...

Page 88: ...eated with this command are used with the login authentication command no aaa authentication login list name deletes a list name only if it has not been referenced by another command Example The following example sets the authentication login methods for the console switchxxxxxx config aaa authentication login authen list radius local none switchxxxxxx config line console switchxxxxxx config line ...

Page 89: ...turns an error not if it fails Specify none as the final method in the command line to ensure that the authentication succeeds even if all methods return an error Select one or more methods from the following list Default Configuration The enable password command defines the default authentication login method This is the same as entering the command aaa authentication enable default enable On a c...

Page 90: ...tered for login authentication The additional methods of authentication are used only if the previous method returns an error not if it fails Specify none as the final method in the command line to ensure that the authentication succeeds even if all methods return an error no aaa authentication enable list name deletes list name if it has not been referenced Example The following example sets the ...

Page 91: ... switchxxxxxx config line console switchxxxxxx config line login authentication default Example Example 2 The following example sets the authentication login methods for the console as a list of methods switchxxxxxx config aaa authentication login authen list radius local none switchxxxxxx config line console switchxxxxxx config line login authentication authen list 3 4 enable authentication The e...

Page 92: ...od as the default method when accessing a higher privilege level from a console switchxxxxxx config line console switchxxxxxx config line enable authentication default Example 2 The following example sets a list of authentication methods for accessing higher privilege levels switchxxxxxx config aaa authentication enable enable list radius none switchxxxxxx config line console switchxxxxxx config l...

Page 93: ...ds even if all methods return an error Select one or more methods from the following list Default Configuration The local user database is the default authentication login method This is the same as entering the ip http authentication local command Command Mode Global Configuration mode User Guidelines The command is relevant for HTTP and HTTPS server users Example The following example specifies ...

Page 94: ...ays information about the authentication methods Syntax show authentication methods Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example The following example displays the authentication configuration switchxxxxxx show authentication methods Login Authentication Method Lists Default Radius Local Line Console_Login Line None Enable Authentication Method Lists Default R...

Page 95: ...command to return to the default password Syntax password password encrypted no password Parameters password Specifies the password for this line Length 0 159 characters encrypted Specifies that the password is encrypted and copied from another device configuration Default Configuration No password is defined Command Mode Line Configuration Mode Example The following example specifies the password...

Page 96: ...rd Password for this level Range 0 159 chars password encrypted encrypted password Specifies that the password is encrypted Use this keyword to enter a password that is already encrypted for instance that you copied from another the configuration file of another device Range 1 40 Default Configuration Default for level is 15 Passwords are encrypted by default Command Mode Global Configuration mode...

Page 97: ... an unencrypted password for level 7 it will be encrypted in the configuration file switchxxxxxx config enable password level 7 let me in 3 9 service password recovery Use the service password recovery Global Configuration mode command to enable the password recovery mechanism This mechanism allows an end user with physical access to the console port of the device to enter the boot menu and trigge...

Page 98: ...n files and user files are removed If a device is configured to protect its sensitive data with a user defined passphrase for Secure Sensitive Data then the user cannot trigger the password recovery from the boot menu even if password recovery is enabled If a device is configured to protect its sensitive data with a user defined passphrase for Secure Sensitive Data then the user cannot trigger the...

Page 99: ...required for this user to log in password Specifies the password for this username Range 1 64 unencrypted password The authentication password for the user Range 1 159 encrypted encrypted password Specifies that the password is MD5 encrypted Use this keyword to enter a password that is already encrypted for instance that you copied from another the configuration file of another device Range 1 40 p...

Page 100: ... for user jerry level 15 that has already been encrypted It will be copied to the configuration file just as it is entered To use it the user must know its unencrypted form switchxxxxxx config username jerry privilege 15 encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4 3 11 show users accounts The show users accounts Privileged EXEC mode command displays information about the users local databa...

Page 101: ...vice management sessions Use the no form of this command to disable accounting Syntax aaa accounting login start stop group radius tacacs no aaa accounting login start stop group radius tacacs Parameters group radius Uses a RADIUS server for accounting group tacacs Uses a TACACS server for accounting Default Configuration Disabled switchxxxxxx show users accounts Username Bob Robert Smith Privileg...

Page 102: ...S TACACS server The following table describes the supported RADIUS accounting attributes values and in which messages they are sent by the switch Name Start Messag e Stop Message Description User Name 1 Yes Yes User s identity NAS IP Address 4 Yes Yes The switch IP address that is used for the session with the RADIUS server Class 25 Yes Yes Arbitrary value is included in all accounting packets for...

Page 103: ...g dot1x Global Configuration mode command Use the no form of this command to disable accounting Syntax aaa accounting dot1x start stop group radius no aaa accounting dot1x start stop group radius Parameters N A Default Configuration Disabled Command Mode Global Configuration mode Name Description Start Message Stop Message task_id A unique accounting session identifier Yes Yes user username that i...

Page 104: ...ple hosts mode dot1x multiple hosts the software sends start stop messages only for the supplicant that has been authenticated The software does not send start stop messages if the port is force authorized The software does not send start stop messages for hosts that are sending traffic on the guest VLAN or on the unauthenticated VLANs The following table describes the supported Radius accounting ...

Page 105: ...bled on the switch Syntax show accounting Parameters N A Default Configuration N A Command Mode User EXEC mode Example The following example displays information about the accounting status Acct Authentic 45 Yes Yes Indicates how the supplicant was authenticated Acct Session Time 46 No Yes Indicates how long the supplicant was logged in Acct Terminate Cause 49 No Yes Reports why the session was te...

Page 106: ...le no passwords complexity enable Parameters N A Default Configuration Enabled Command Mode Global Configuration mode User Guidelines If password complexity is enabled the user is forced to enter a password that Has a minimum length of 8 characters Contains characters from at least 3 character classes uppercase letters lowercase letters numbers and special characters available on a standard keyboa...

Page 107: ...ve switchxxxxxx config passwords complexity enable switchxxxxxx show passwords configuration Passwords aging is enabled with aging time 180 days Passwords complexity is enabled with the following attributes Minimal length 3 characters Minimal classes 3 New password must be different than the current Enabled Maximum consecutive same characters 3 New password must be different than the user name Ena...

Page 108: ... number of characters in the new password that can be repeated consecutively Zero specifies that there is no limit on repeated characters Range 0 16 not username Specifies that the password cannot repeat or reverse the user name or any variant reached by changing the case of the characters not manufacturer name Specifies that the password cannot repeat or reverse the manufacturer s name or any var...

Page 109: ... to disable aging Range 0 365 Default Configuration 180 Command Mode Global Configuration mode User Guidelines Aging is relevant only to users of the local database with privilege level 15 and to enable a password of privilege level 15 To disable password aging use passwords aging 0 Using no passwords aging sets the aging time to the default Example The following example configures the aging time ...

Page 110: ...s configuration Passwords aging is enabled with aging time 180 days Passwords complexity is enabled with the following attributes Minimal length 3 characters Minimal classes 3 New password must be different than the current Enabled Maximum consecutive same characters 3 New password must be different than the user name Enabled New password must be different than the manufacturer name Enabled Enable...

Page 111: ...commands The service acl input command is used to attach this ACL to an interface Use the no form of this command to remove the access list Syntax ip access list extended acl name no ip access list extended acl name Parameters acl name Name of the IPv4 access list Range 1 32 characters Default Configuration No IPv4 access list is defined Command Mode Global Configuration mode User Guidelines An IP...

Page 112: ...ldcard any destination destination wildcard igmp type ace priority priority dscp number precedence number time range time range name log input permit tcp any source source wildcard any source port port range any destination destination wildcard any destination port port range ace priority priority dscp number precedence number match all list of flags time range time range name log input permit udp...

Page 113: ...icmp eigrp ospf ipinip pim l2tp isis To match any protocol use the ip keyword Range 0 255 source Source IP address of the packet source wildcard Wildcard bits to be applied to the source IP address Use ones in the bit position that you want to be ignored destination Destination IP address of the packet destination wildcard Wildcard bits to be applied to the destination IP address Use ones in the b...

Page 114: ...37 uucp 117 whois 43 www 80 For UDP enter a number or one of the following values biff 512 bootpc 68 bootps 67 discard 9 dnsix 90 domain 53 echo 7 mobile ip 434 nameserver 42 netbios dgm 138 netbios ns 137 on500 isakmp 4500 ntp 123 rip 520 snmp 161 snmptrap 162 sunrpc 111 syslog 514 tacacs ds 49 talk 517 tftp 69 time 37 who 513 xdmcp 177 Range 0 65535 source port Specifies the UDP TCP source port ...

Page 115: ...ent ACL 20 The ACE priority must be unique per ACL If the user types already existed priority then the command is rejected Example switchxxxxxx config ip access list extended server switchxxxxxx config ip al permit ip 176 212 0 0 00 255 255 any 4 3 deny IP Use the deny IP Access list Configuration mode command to set deny conditions for IPv4 access list Deny conditions are also known as access con...

Page 116: ...pe any icmp code dscp number precedence number time range time range name disable port log input no deny igmp any source source wildcard any destination destination wildcard igmp type dscp number precedence number time range time range name disable port log input no deny tcp any source source wildcard any source port port range any destination destination wildcard any destination port port range d...

Page 117: ... for filtering ICMP packets Range 0 255 igmp type IGMP packets can be filtered by IGMP message type Enter a number or one of the following values host query host report dvmrp pim cisco trace host report v2 host leave v2 host report v3 Range 0 255 destination port Specifies the UDP TCP destination port You can enter range of ports by using hyphen E g 20 21 For TCP enter a number or one of the follo...

Page 118: ...e logged Default Configuration No IPv4 access list is defined Command Mode IP Access list Configuration mode User Guidelines The number of TCP UDP ranges that can be defined in ACLs is limited If a range of ports is used for a source port in ACE it is not counted again if it is also used for source port in another ACE If a range of ports is used for destination port in ACE it is not counted again ...

Page 119: ...access list is defined Command Mode Global Configuration mode User Guidelines IPv6 ACL is defined by a unique name IPv4 ACL IPv6 ACL MAC ACL or policy maps cannot have the same name Every IPv6 ACL has an implicit permit icmp any any nd ns any permit icmp any any nd na any and deny ipv6 any any statements as its last match conditions The former two match conditions allow for ICMPv6 neighbor discove...

Page 120: ...number precedence number time range time range name log input permit tcp any source prefix length any source port port range any destination prefix length any destination port port range ace priority priority dscp number precedence number match all list of flags time range time range name log input permit udp any source prefix length any source port port range any destination prefix length any des...

Page 121: ...gth The destination IPv6 network or class of networks about which to set permit conditions This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16 bit values between colons priority Specify the priority of the access control entry ACE in the access control list ACL 1 value represents the highest priority and 2147483647 number represents the l...

Page 122: ... Available options are urg ack psh rst syn fin urg ack psh rst syn and fin The flags are concatenated to a one string For example fin ack time range name Name of the time range that applies to this permit statement Range 1 32 log input Specifies sending an informational SYSLOG message about the packet that matches the entry Because forwarding dropping is done in hardware and logging is done in sof...

Page 123: ...tax deny protocol any source prefix length any destination prefix length ace priority priority dscp number precedence number time range time range name disable port log input deny icmp any source prefix length any destination prefix length any icmp type any icmp code ace priority priority dscp number precedence number time range time range name disable port log input deny tcp any source prefix len...

Page 124: ...itions This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16 bit values between colons destination prefix length The destination IPv6 network or class of networks about which to set permit conditions This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16 bit values between colons ...

Page 125: ... destination port parameter Range 0 65535 match all list of flags List of TCP flags that should occur If a flag should be set it is prefixed by If a flag should be unset it is prefixed by Available options are urg ack psh rst syn fin urg ack psh rst syn and fin The flags are concatenated to a one string For example fin ack time range name Name of the time range that applies to this permit statemen...

Page 126: ... ipv6 access list server switchxxxxxx config ipv6 al deny tcp 3001 2 64 any any 80 4 7 mac access list Use the mac access list Global Configuration mode command to define a Layer 2 access list ACL based on source MAC address filtering and to place the device in MAC Access list Configuration mode All commands after this command refer to this ACL The rules ACEs for this ACL are defined in the permit...

Page 127: ...e the no form of the command to remove the access control entry Syntax permit any source source wildcard any destination destination wildcard ace priority priority eth type 0 aarp amber dec spanning decnet iv diagnostic dsm etype 6000 vlan vlan id cos cos cos wildcard time range time range name log input no permit any source source wildcard any destination destination wildcard eth type 0 aarp ambe...

Page 128: ...ches the entry Because forwarding dropping is done in hardware and logging is done in software if a large number of packets match an ACE containing a log input keyword the software might not be able to match the hardware processing rate and not all packets will be logged User Guidelines A MAC ACL is defined by a unique name IPv4 ACL IPv6 ACL MAC ACL or policy maps cannot have the same name If ace ...

Page 129: ... bits to be applied to the source MAC address Use ones in the bit position that you want to be ignored destination Destination MAC address of the packet destination wildcard Wildcard bits to be applied to the destination MAC address Use 1s in the bit position that you want to be ignored priority Specify the priority of the access control entry ACE in the access control list ACL 1 value represents ...

Page 130: ...tem sets the rule s priority to the current highest priority ACE in the current ACL 20 The ACE priority must be unique per ACL If the user types already existed priority then the command is rejected Example switchxxxxxx config mac access list extended server1 switchxxxxxx config mac al deny 00 00 00 00 00 01 00 00 00 00 00 ff any 4 10 service acl input Use the service acl input command in Interfac...

Page 131: ...t Two ACLs of the same type cannot be bound to a port An ACL cannot be bound to a port that is already bound to an ACL without first removing the current ACL Both ACLs must be mentioned at the same time in this command MAC ACLs that include a VLAN as match criteria cannot be bound to a VLAN ACLs with time based configuration on one of its ACEs cannot be bound to a VLAN ACLs with the action Shutdow...

Page 132: ...mmand to remove the time range from the device Syntax time range time range name no time range time range name Parameters time range name Specifies the name for the time range Range 1 32 characters Default Configuration No time range is defined Command Mode Global Configuration mode User Guidelines After adding the name of a time range with this command use the absolute and periodic commands to ac...

Page 133: ...nge is defined it can be used in the following commands dot1x port control power inline operation time permit IP deny IP permit IPv6 deny IPv6 permit MAC deny MAC Example switchxxxxxx config time range http allowed console config time range periodic mon 12 00 to wed 12 00 4 12 absolute Use the absolute Time range Configuration mode command to specify an absolute time when a time range is in effect...

Page 134: ...Range 1 31 month Month first three letters by name Range Jan Dec year Year no abbreviation Range 2000 2097 Default Configuration There is no absolute time when the time range is in effect Command Mode Time range Configuration mode Example switchxxxxxx config time range http allowed switchxxxxxx config time range absolute start 12 00 1 jan 2005 switchxxxxxx config time range absolute end 12 00 31 d...

Page 135: ...g hours minutes military format that the associated time range is in effect The second occurrence is the ending hours minutes military format the associated statement is in effect The second occurrence can be at the following day see description in the User Guidelines Range 0 23 mm 0 59 list day of the week1 Specifies a list of days that the time range is in effect Default Configuration There is n...

Page 136: ...existing time range Command Mode User EXEC mode Example switchxxxxxx show time range http allowed absolute start 12 00 1 Jan 2005 end 12 00 31 Dec 2005 periodic Monday 12 00 to Wednesday 12 00 4 15 show access lists Use the show access lists Privileged EXEC mode command to display access control lists ACLs configured on the switch Syntax show access lists name show access liststime range active na...

Page 137: ... priority 40 time range weekdays switchxxxxxx show access lists time range active Extended IP access list ACL1 permit 234 172 30 40 1 0 0 0 0 any priority 20 permit 234 172 30 8 8 0 0 0 0 any priority 40 Extended IP access list ACL2 permit 234 172 30 19 1 0 0 0 255 any priority 20time range weekdays switchxxxxxx show access lists ACL1 Extended IP access list ACL1 permit 234 172 30 40 1 0 0 0 0 any...

Page 138: ...face ACLs gi11 blockcdp blockvtp gi12 Ingress server1 4 17 clear access lists counters Use the clear access lists counters Privileged EXEC mode command to clear access lists ACLs counters Syntax clear access lists counters interface id Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel Command Mode Privileged EXEC mode...

Page 139: ...channel number VLAN Parameters interface id Specifies an interface ID the interface ID is an Ethernet port port channel port channel Specifies a port channel VLAN Specifies a VLAN Command Mode Privileged EXEC mode User Guidelines This command shows whether packets were trapped from ACE hits with logging enable on an interface Examples Example 1 switchxxxxxx show interfaces access lists trapped pac...

Page 140: ...ACL Commands OL 32830 01 Command Line Interface Reference Guide 140 4 Example 2 switchxxxxxx show interfaces access lists trapped packets gi11 Packets were trapped on interface gi11 ...

Page 141: ...ast filtering Parameters This command has no arguments or keywords Default Configuration Multicast address filtering is disabled All Multicast addresses are flooded to all ports Command Mode Global Configuration mode User Guidelines When this feature is enabled unregistered Multicast traffic as opposed to registered will still be flooded All registered Multicast addresses will be forwarded to the ...

Page 142: ...that Multicast bridging is based on the packet s VLAN and MAC address ipv4 group Specifies that Multicast bridging is based on the packet s VLAN and MAC address for non IPv4 packets and on the packet s VLAN and IPv4 destination address for IPv4 packets ipv4 src group Specifies that Multicast bridging is based on the packet s VLAN and MAC address for non IPv4 packets and on the packet s VLAN IPv4 d...

Page 143: ...y exist that belong to the requested group It is recommended to set the FDB mode to ipv4 group or mac group for IGMP version 2 If an application on the device requests G the operating FDB mode is changed to ipv4 group Example The following example configures the Multicast bridging mode as an mac group on VLAN 2 switchxxxxxx config interface vlan 2 switchxxxxxx config if bridge multicast mode mac g...

Page 144: ...he group remove Optional Removes ports from the group ethernet interface list Optional Specifies a list of Ethernet ports Separate nonconsecutive Ethernet ports with a comma and no spaces Use a hyphen to designate a range of ports port channel port channel list Optional Specifies a list of port channels Separate nonconsecutive port channels with a comma and no spaces use a hyphen to designate a ra...

Page 145: ...01 00 5e 02 02 03 add gi11 2 5 4 bridge multicast forbidden address To forbid adding or removing a specific Multicast address to or from specific ports use the bridge multicast forbidden address IInterface VLAN Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast forbidden address mac multicast address ipv4 multicast address add re...

Page 146: ...tion mode User Guidelines Before defining forbidden ports the Multicast group should be registered using bridge multicast address You can execute the command before the VLAN is created Example The following example forbids MAC address 0100 5e02 0203 on port gi14 within VLAN 8 switchxxxxxx config interface vlan 8 switchxxxxxx config if bridge multicast address 0100 5e02 0203 switchxxxxxx config if ...

Page 147: ... designate a range of ports port channel port channel list Optional Specifies a list of port channels Separate nonconsecutive port channels with a comma and no spaces Use a hyphen to designate a range of port channels Default Configuration No Multicast addresses are defined Default option is add Command Mode Interface VLAN Configuration mode User Guidelines To register the group in the bridge data...

Page 148: ... command Syntax bridge multicast forbidden ip address ip multicast address add remove ethernet interface list port channel port channel list no bridge multicast forbidden ip address ip multicast address Parameters ip multicast address Specifies the group IP Multicast address add Optional Forbids adding ports to the group remove Optional Forbids removing ports from the group ethernet interface list...

Page 149: ...ulticast source group To register a source IP address Multicast IP address pair to the bridge table and statically add or remove ports to or from the source group use the bridge multicast source group Interface VLAN Configuration mode command To unregister the source group pair use the no form of this command Syntax bridge multicast source ip address group ip multicast address add remove ethernet ...

Page 150: ...can execute the command before the VLAN is created Example The following example registers a source IP address Multicast IP address pair to the bridge table switchxxxxxx config interface vlan 8 switchxxxxxx config if bridge multicast source 13 16 1 1 group 239 2 2 2 5 8 bridge multicast forbidden source group To forbid adding or removing a specific IP source address Multicast address pair to or fr...

Page 151: ... list Optional Specifies a list of port channels Separate nonconsecutive port channels with a comma and no spaces use a hyphen to designate a range of port channels Default Configuration No forbidden addresses are defined Command Mode Interface VLAN Configuration mode User Guidelines Before defining forbidden ports the Multicast group should be registered You can execute the command before the VLA...

Page 152: ... ipv6 mode Parameters mac group Specifies that Multicast bridging is based on the packet s VLAN and MAC destination address ip group Specifies that Multicast bridging is based on the packet s VLAN and IPv6 destination address for IPv6 packets ip src group Specifies that Multicast bridging is based on the packet s VLAN IPv6 destination address and IPv6 source address for IPv6 packets Default Config...

Page 153: ...ted group If an application on the device requests G the operating FDB mode is changed to ip group You can execute the command before the VLAN is created Example The following example configures the Multicast bridging mode as an ip group on VLAN 2 switchxxxxxx config interface vlan 2 switchxxxxxx config if bridge multicast ipv6 mode ip group FDB Mode CLI Commands mac group bridge multicast address...

Page 154: ...6 multicast address add Optional Adds ports to the group remove Optional Removes ports from the group ethernet interface list Optional Specifies a list of Ethernet ports Separate nonconsecutive Ethernet ports with a comma and no spaces use a hyphen to designate a range of ports port channel port channel list Optional Specifies a list of port channels Separate nonconsecutive port channels with a co...

Page 155: ...FF00 0 0 0 4 4 4 1 add gi11 2 5 11 bridge multicast ipv6 forbidden ip address To forbid adding or removing a specific IPv6 Multicast address to or from specific ports use the bridge multicast ipv6 forbidden ip address Interface VLAN Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast ipv6 forbidden ip address ipv6 multicast addres...

Page 156: ... Before defining forbidden ports the Multicast group should be registered You can execute the command before the VLAN is created Example The following example registers an IPv6 Multicast address and forbids the IPv6 address on port gi14 within VLAN 8 switchxxxxxx config interface vlan 8 switchxxxxxx config if bridge multicast ipv6 ip address FF00 0 0 0 4 4 4 1 switchxxxxxx config if bridge multica...

Page 157: ...e specific source IPv6 address ethernet interface list Optional Specifies a list of Ethernet ports Separate nonconsecutive Ethernet ports with a comma and no spaces Use a hyphen to designate a range of ports port channel port channel list Optional Specifies a list of port channels Separate nonconsecutive port channels with a comma and no spaces Use a hyphen to designate a range of port channels De...

Page 158: ...bidden source ipv6 address group ipv6 multicast address Parameters ipv6 source address Specifies the source IPv6 address ipv6 multicast address Specifies the group IPv6 Multicast address add Forbids adding ports to the group for the specific source IPv6 address remove Forbids removing ports from the group for the specific source IPv6 address ethernet interface list Specifies a list of Ethernet por...

Page 159: ... 1 switchxxxxxx config if bridge multicast forbidden source 2001 0 0 0 4 4 4 1 group FF00 0 0 0 4 4 4 1 add gi14 5 14 bridge multicast unregistered To configure forwarding unregistered Multicast addresses use the bridge multicast unregistered Interface Ethernet Port Channel Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast unreg...

Page 160: ...orwarding all multicast packets for a range of ports or port channels use the bridge multicast forward all Interface VLAN Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast forward all add remove ethernet interface list port channel port channel list no bridge multicast forward all Parameters add Forces forwarding of all Multicas...

Page 161: ...Interface VLAN Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast forbidden forward all add remove ethernet interface list port channel port channel list no bridge multicast forbidden forward all Parameters add Forbids forwarding of all Multicast packets remove Does not forbid forwarding of all Multicast packets ethernet interfac...

Page 162: ...g of all Multicast packets to gi11 within VLAN 2 switchxxxxxx config interface vlan 2 switchxxxxxx config if bridge multicast forbidden forward all add ethernet gi11 5 17 bridge unicast unknown To enable egress filtering of Unicast packets where the destination MAC address is unknown to the device use the bridge unicast unknown Interface Ethernet Port Channel Configuration mode command To restore ...

Page 163: ...hxxxxxx config if bridge unicast unknown filtering 5 18 show bridge unicast unknown To display the unknown Unicast filtering configuration use the show bridge unicast unknown Privileged EXEC mode command Syntax show bridge unicast unknown interface id Parameters interface id Optional Specify an interface ID The interface ID can be one of the following types Ethernet port or port channel Command Mo...

Page 164: ...lan id Parameters mac address MAC address Range Valid MAC address vlan id Specify the VLAN interface id Specify an interface ID The interface ID can be one of the following types Ethernet port or port channel Range valid ethernet port valid port channel permanent Optional The permanent static MAC address The keyword is applied by the default delete on reset Optional The delete on reset static MAC ...

Page 165: ...ally added by the command with the following keywords specifying its time of live permanent delete on reset delete on timeout A static MAC address may be added in any port mode secure A MAC address added manually or learned in a secure mode Use the mac address table static command with the secure keyword to add a secure MAC address The MAC address cannot be relearned A secure MAC address may be ad...

Page 166: ...d 45 5a b2 vlan 1 interface gi11 secure 5 20 clear mac address table To remove learned or secure entries from the forwarding database FDB use the clear mac address table Privileged EXEC mode command Syntax clear mac address table dynamic interface interface id clear mac address table secure interface interface id Parameters dynamic interface interface id Delete all dynamic learned addresses on the...

Page 167: ...ample 2 Delete all secure entries from the FDB learned on secure port gi11 switchxxxxxx clear mac address table secure interface gi11 5 21 mac address table aging time To set the aging time of the address table use the mac address table aging time Global configuration command To restore the default use the no form of this command Syntax mac address table aging time seconds no mac address table agi...

Page 168: ...ned source addresses but does not learn the address discard Optional Discards packets with unlearned source addresses discard shutdown Optional Discards packets with unlearned source addresses and shuts down the port trap seconds Optional Sends SNMP traps and specifies the minimum time interval in seconds between consecutive traps Range 1 1000000 Default Configuration The feature is disabled by de...

Page 169: ... a mode use the port security command to set an action that the switch should perform on a frame which source MAC address cannot be learned Example The following example forwards all packets to port gi11 without learning addresses of packets from unknown sources and sends traps every 100 seconds if a packet with an unknown source address is received switchxxxxxx config interface gi14 switchxxxxxx ...

Page 170: ...secure delete on reset Secure mode with limited learning secure MAC addresses with the delete on reset time of live The static and secure MAC addresses may be added on the port manually by the mac address table static command Default Configuration The default port security mode is lock Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines The default port mode is called r...

Page 171: ... Interface Ethernet Port Channel Configuration mode command To restore the default configuration use the no form of this command Syntax port security max max addr no port security max Parameters max addr Specifies the maximum number of addresses that can be learned on the port Range 0 256 Default Configuration This default maximum number of addresses is 1 Command Mode Interface Ethernet Port Chann...

Page 172: ...ce Ethernet Port Channel Configuration mode command To delete a MAC address from a routed port use the no form of this command Syntax port security routed secure address mac address no port security routed secure address mac address Parameters mac address Specifies the MAC address Default Configuration No addresses are defined Command Mode Interface Ethernet Port Channel Configuration mode It cann...

Page 173: ...cure vlan vlan interface interface id address mac address Parameters dynamic Optional Displays only dynamic MAC address table entries static Optional Displays only static MAC address table entries secure Optional Displays only secure MAC address table entries vlan Optional Displays entries for a specific VLAN interface interface id Optional Displays entries for a specific interface ID The interfac...

Page 174: ...ing the specified MAC address switchxxxxxx show mac address table address 00 3f bd 45 5a b1 Aging time is 300 sec VLAN MAC Address Port Type 1 00 3f bd 45 5a b1 static gi14 5 27 show mac address table count To display the number of addresses present in the Forwarding Database use the show mac address table count Privileged EXEC mode command Syntax show mac address table count vlan vlan interface i...

Page 175: ...Privileged EXEC mode Example switchxxxxxx show mac address table count This may take some time Capacity 16384 Free 16379 Used 5 Secure 0 Dynamic 2 Static 2 Internal 1 console 5 28 show bridge multicast mode To display the Multicast bridging mode for all VLANs or for a specific VLAN use the show bridge multicast mode Privileged EXEC mode command Syntax show bridge multicast mode vlan vlan id Parame...

Page 176: ...ess mac multicast address format ip mac show bridge multicast address table vlan vlan id address ipv4 multicast address source ipv4 source address show bridge multicast address table vlan vlan id address ipv6 multicast address source ipv6 source address Parameters vlan id vlan id Optional Display entries for specified VLAN ID address Optional Display entries for specified Multicast address The pos...

Page 177: ...ess ipv6 address Optional Specifies the source IPv6 address Default Configuration If the format is not specified it defaults to mac only if mac multicast address was entered If VLAN ID is not entered entries for all VLANs are displayed If MAC or IP address is not supplied entries for all addresses are displayed Command Mode Privileged EXEC mode User Guidelines A MAC address can be displayed in IP ...

Page 178: ...r Multicast addresses Vlan MAC Address Ports 8 01 00 5e 02 02 03 gi14 Multicast address table for VLANs in IPv4 GROUP bridging mode Vlan MAC Address Type Ports 1 224 0 0 251 Dynamic gi12 Forbidden ports for Multicast addresses Vlan MAC Address Ports 1 232 5 6 5 1 233 22 2 6 Multicast address table for VLANs in IPv4 SRC GROUP bridging mode Vlan Group Address Source address Type Ports 1 224 2 2 251 ...

Page 179: ...ce address Type Ports 8 ff02 4 4 4 Static gi11 2 gi13 Po1 8 ff02 4 4 4 fe80 200 7ff Static fe00 200 Forbidden ports for Multicast addresses Vlan Group Address Source address Ports 8 ff02 4 4 4 gi14 8 ff02 4 4 4 fe80 200 7ff f gi14 e00 200 5 30 show bridge multicast address table static To display the statically configured Multicast addresses use the show bridge multicast address table static Privi...

Page 180: ... mac multicast address Optional Specifies the MAC Multicast address ipv4 multicast address Optional Specifies the IPv4 Multicast address ipv6 multicast address Optional Specifies the IPv6 Multicast address source Optional Specifies the source address The possible values are ipv4 address Optional Specifies the source IPv4 address ipv6 address Optional Specifies the source IPv6 address Default Confi...

Page 181: ...1 MAC Address 0100 9923 8787 Ports gi11 gi12 Forbidden ports for multicast addresses Vlan MAC Address Ports IPv4 GROUP Table Vlan 1 19 IP Address 231 2 2 3 231 2 2 8 Ports gi11 gi12 gi12 3 Forbidden ports for multicast addresses Vlan 1 19 IP Address 231 2 2 3 231 2 2 8 Ports gi14 gi13 IPv4 SRC GROUP Table Vlan Group Address Source address Ports Forbidden ports for multicast addresses Vlan Group Ad...

Page 182: ...ast filtering vlan id Parameters vlan id Specifies the VLAN ID Range Valid VLAN Default Configuration None Vlan 191 IP Address FF12 8 Ports gi11 4 Forbidden ports for multicast addresses Vlan 11 191 IP Address FF12 3 FF12 8 Ports gi14 gi14 IPv6 SRC GROUP Table Vlan 192 Group Address FF12 8 Source address FE80 201 C9A9 FE40 8988 Ports gi11 4 Forbidden ports for multicast addresses Vlan 192 Group Ad...

Page 183: ...show bridge multicast unregistered Privileged EXEC mode command Syntax show bridge multicast unregistered interface id Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration Display for all interfaces Command Mode Privileged EXEC mode switchxxxxxx show bridge multicast filtering 1 Filtering E...

Page 184: ...ional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Default Configuration Display for all interfaces If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Example The following example displays the port lock stat...

Page 185: ...show ports security addresses interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Field Description Port The port number Status The port security status The possible values are Enabled or Disabled Act...

Page 186: ...14 Disabled Lock 0 1 5 35 bridge multicast reserved address To define the action on Multicast reserved address packets use the bridge multicast reserved address Global Configuration mode command To revert to default use the no form of this command Syntax bridge multicast reserved address mac multicast address ethernet v2 ethtype llc sap llc snap pid discard bridge no bridge multicast reserved addr...

Page 187: ...fies a protocol supported on the device called Peer the default action discard or bridge is determined by the protocol If not the default action is as follows For MAC addresses in the range 01 80 C2 00 00 00 01 80 C2 00 00 02 01 80 C2 00 00 0F the default is discard For MAC addresses in the range 00 80 C2 00 00 10 01 80 C2 00 00 2F the default is bridge Command Mode Global Configuration mode User ...

Page 188: ...t reserved addresses To display the Multicast reserved address rules use the show bridge multicast reserved addresses Privileged EXEC mode command Syntax show bridge multicast reserved addresses Command Mode Privileged EXEC mode Example switchxxxxxx show bridge multicast reserved addresses MAC Address Frame Type Protocol Action 01 80 C2 00 00 00 LLC SNAP 00 00 0C 01 29 Bridge ...

Page 189: ...P protocol is used by auto configuration scp Only the SCP protocol is used by auto configuration auto Default Auto configuration uses the TFTP or SCP protocol depending on the configuration file s extension If this option is selected the extension parameter may be specified or if not the default extension is used extension The SCP file extension When no value is specified scp is used Range 1 16 ch...

Page 190: ...ocol will be used switchxxxxxx boot host auto config scp 6 2 boot host auto update Use the boot host auto update Global Configuration mode command to enable the support of auto update via DHCP Use the no form of this command to disable DHCP auto configuration Syntax boot host auto update tftp scp auto extension no boot host auto update Parameters tftp Only the TFTP protocol is used by auto update ...

Page 191: ...file Examples Example 1 The following example specifies the auto mode and specifies scon as the SCP extension switchxxxxxx boot host auto update auto scon Example 2 The following example specifies the auto mode and does not provide an SCP extension In this case scp is used switchxxxxxx boot host auto update auto Example 3 The following example specifies that only the SCP protocol will be used swit...

Page 192: ...ad Protocol auto SCP protocol will be used for files with extension scp Configuration file auto save enabled Auto Config State Finished successfully Server IP address 1 2 20 2 Configuration filename config configfile1 cfg Auto Update Image Download via DHCP enabled switchxxxxxx show boot Auto Config Config Download via DHCP enabled Download Protocol scp Configuration file auto save enabled Auto Co...

Page 193: ...onfig State Downloading configuration file Auto Update Image Download via DHCP enabled switchxxxxxx show boot Auto Config Config Download via DHCP enabled Download Protocol tftp Configuration file auto save enabled Auto Config State Searching device hostname in indirect file Auto Update Image Download via DHCP enabled switchxxxxxx show boot Auto Config Config Download via DHCP enabled Download Pro...

Page 194: ...ver as the default address used by a switch when it has not been received from the DHCP server Use the no form of the command to return to default Syntax ip dhcp tftp server ip address ip addr no ip dhcp tftp server ip address Parameters ip addr IPv4 Address or IPv6 Address or DNS name of TFTP or SCP server Default Configuration No IP address Command Mode Global Configuration mode User Guidelines ...

Page 195: ...er file Global Configuration mode command to set the full file name of the configuration file to be downloaded from the backup server when it has not been received from the DHCP server Use the no form of this command to remove the name Syntax ip dhcp tftp server file file path no ip dhcp tftp server file Parameters file path Full file path and name of the configuration file on the server Default C...

Page 196: ... to remove the file name Syntax ip dhcp tftp server image file file path no ip dhcp tftp server image file Parameters file path Full indirect file path and name of the configuration file on the server Default Configuration No file name Command Mode Global Configuration mode User Guidelines The backup server can be a TFTP server or a SCP server Examples switchxxxxxx ip dhcp tftp server image file i...

Page 197: ...ers N A Default Configuration N A Command Mode User EXEC mode User Guidelines The backup server can be a TFTP server or a SCP server Example show ip dhcp tftp server server address active 1 1 1 1 from sname manual 2 2 2 2 file path on server active conf conf file from option 67 manual conf conf file1 ...

Page 198: ...our globally Syntax bonjour enable no bonjour enable Default Configuration Enable Command Mode Global Configuration mode Examples switchxxxxxx config bonjour enable 7 2 bonjour interface range Use the bonjour interface range Global Configuration mode command to add L2 interfaces to the Bonjour L2 interface list Use the no format of the command to remove L2 interfaces from this list Syntax bonjour ...

Page 199: ...ion mode User Guidelines This command can only be used in router mode Examples switchxxxxxx config bonjour interface range VLAN 100 103 7 3 show bonjour Use the show bonjour Privileged EXEC mode command to display Bonjour information Syntax show bonjour interface id Parameters interface list Specifies a list of interfaces which can be of the following types Ethernet port Port channel and VLAN Comm...

Page 200: ...e Admin Status Oper Status csco sb enabled enabled http enabled enabled https enabled disabled ssh enabled disabled telnet enabled disabled In router mode switchxxxxxx show bonjour Bonjour global status enabled Bonjour L2 interfaces list vlans 1 Service Admin Status Oper Status csco sb enabled enabled http enabled enabled https enabled disabled ssh enabled disabled telnet enabled disabled ...

Page 201: ... devices are not directly connected and are separated with CDP LLDP incapable devices the CDP LLDP capable devices may be able to receive the advertisement from other device s only if the CDP LLDP incapable devices flood the CDP LLDP packets they receives If the CDP LLDP incapable devices perform VLAN aware flooding then CDP LLDP capable devices can hear each other only if they are in the same VLA...

Page 202: ...erface The no format of the CLI command disables CDP on an interface Syntax cdp enable Parameters N A Default Configuration Enabled Command Mode Interface Ethernet Configuration mode User Guidelines For CDP to be enabled on an interface it must first be enabled globally using cdp run Example switchxxxxxx config cdp run switchxxxxxx config if interface gi11 switchxxxxxx config if cdp enable ...

Page 203: ...P is globally disabled CDP packets are bridged as regular data packets forwarded based on VLAN flooding Specify that when CDP is globally disabled CDP packets are flooded to all the ports in the product that are in STP forwarding state ignoring the VLAN filtering rules Default Configuration bridging Command Mode Global Configuration mode User Guidelines When CDP is globally enabled CDP packets are...

Page 204: ...ise v2 no cdp advertise v2 Parameters N A Default Configuration Version 2 Command Mode Global Configuration mode Example switchxxxxxx config cdp run switchxxxxxx config cdp advertise v2 8 5 cdp appliance tlv enable The cdp appliance tlv enable Global Configuration mode command enables sending of the Appliance TLV The no format of this command disables the sending of the Appliance TLV Syntax cdp ap...

Page 205: ... packets transmitting through this port contain Appliance VLAN ID TLV with value of 4095 VoIP and related packets are expected to be sent and received untagged without an 802 1p priority 4096 The CDP packets transmitting through this port do not include Appliance VLAN ID TLV or if the VVID is not supported on the port this MIB object will not be configurable and will return 4096 Example switchxxxx...

Page 206: ...alidation 8 7 cdp source interface The cdp source interface Global Configuration mode command specifies the CDP source port used for source IP address selection The no format of this command deletes the source interface Syntax cdp source interface interface id no cdp source interface Parameters interface id Source port used for Source IP address selection Default Configuration No CDP source interf...

Page 207: ...ace Configuration mode command to enable validating that the duplex status of a port received in a CDP packet matches the ports actual configuration If not a SYSLOG duplex mismatch message is generated The no format of the CLI command disables the generation of the SYSLOG messages Syntax cdp log mismatch duplex no cdp log mismatch duplex Parameters N A Default Configuration The switch reports dupl...

Page 208: ... voip no cdp log mismatch voip Parameters N A Default Configuration The switch reports VoIP mismatches from all ports Command Mode Global Configuration mode Interface Ethernet Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if cdp log mismatch voip 8 10 cdp log mismatch native Use the cdp log mismatch native Global and Interface Configuration mode command to enabl...

Page 209: ...1 switchxxxxxx config if cdp log mismatch native 8 11 cdp device id format The cdp device id format Global Configuration mode command specifies the format of the Device ID TLV The no format of this command returns to default Syntax cdp device id format mac serial number hostname no cdp device id format Parameters mac Specifies that the Device ID TLV contains the device s MAC address serial number ...

Page 210: ...rmat serial number 8 12 cdp timer The cdp timer Global Configuration mode command specifies how often CDP packets are transmitted The no format of this command returns to default Syntax cdp timer seconds no cdp timer Parameters seconds Value of the Transmission Timer in seconds Range 5 254 seconds Default Configuration 60 seconds Command Mode Global Configuration mode Example switchxxxxxx config c...

Page 211: ...ldtime Parameters seconds Value of the Time to Live field in seconds The value should be greater than the value of the Transmission Timer The value range is 10 255 Default Configuration 180 seconds Command Mode Global Configuration mode Example switchxxxxxx config cdp holdtime 100 8 14 clear cdp counters The clear cdp counters Global Configuration mode command resets the CDP traffic counters to 0 ...

Page 212: ... the global counters Use the clear cdp counters interface id command to clear the counters of the given interface Examples Example 1 The example clears all the CDP counters switchxxxxxx clear cdp couters Example 2 The example clears the CDP global counters switchxxxxxx clear cdp couters global Example 3 The example clears the CDP counters of Ethernet port gi11 switchxxxxxx clear cdp couters interf...

Page 213: ...between advertisements the number of seconds the advertisements are valid and version of the advertisements Syntax show cdp Parameters N A Command Mode Privileged EXEC mode Example switchxxxxxx show cdp Global CDP information cdp is globally enabled cdp log duplex mismatch is globally enabled cdp log voice VLAN mismatch is globally enabled cdp log native VLAN mismatch is globally disabled Mandator...

Page 214: ... displays information about specific neighbor Display can be limited to protocol or version information Syntax show cdp entry device name protocol version Parameters Specifies all neighbors device name Specifies the name of the neighbor protocol Limits the display to information about the protocols enabled on neighbors version Limits the display to information about the version of software running...

Page 215: ...Mon 07 Apr 97 19 51 by dschwart switchxxxxxx show cdp entry device cisco com protocol Protocol information for device cisco com IP address 192 168 68 18 CLNS address 490001 1111 1111 1111 00 DECnet address 10 1 switchxxxxxx show cdp entry device cisco com version Version information for device cisco com Cisco Internetwork Operating System Software IOS tm 4500 Software C4500 J M Version 11 1 10 4 M...

Page 216: ...match Globally is disabled Per interface is enabled gi11 is Down CDP is enabled Sending CDP packets every 60 seconds Holdtime is 180 seconds 8 19 show cdp neighbors The show cdp neighbors Privileged EXEC mode command displays information about neighbors kept in the main or secondary cache Syntax show cdp neighbors interface id detail secondary Parameters interface id Displays the neighbors attache...

Page 217: ...to save received CDP messages main cache secondary cache The main cache contains the full received CDP messages about limited number of the neighbors The secondary cache contains partially information about all neighbors Use the show cdp neighbors interface id detail command to display the main cache Use the show cdp neighbors interface id secondary command to display the Secondary cache Example s...

Page 218: ... M ESW 540 8P g9 003106131611 gi48 2 143 S I Company fa2 1 XX 23R E 001828100211 gi48 2 173 S I Company fa2 2 XX 23R E c47d4fed9302 gi48 2 137 S I Company fa2 5 XX 23R E switchxxxxxx show cdp neighbors detail Device ID lab 7206 Advertisement version 2 Entry address es IP address 172 19 169 83 Platform company x5660 Capabilities Router Interface Ethernet0 Port ID outgoing port gi10 Time To Live 123...

Page 219: ... CDP being used for CDP advertisements Capabilities The device type of the neighbor This device can be a router a bridge a transparent bridge a source routing bridge a switch a host an IGMP device or a repeater COS for Untrusted Ports The COS value with which all packets received on an untrusted port should be marked by a simple switching device which cannot itself classify individual packets Devi...

Page 220: ...MTU of the interface via which the CDP packet is sent Native VLAN The ID number of the VLAN on the neighbor device Physical Location A character string indicating the physical location of a connector which is on or physically connected to the interface over which the CDP packet containing this TLV is sent Platform The product name and number of the neighbor device In the case of the Secondary Cach...

Page 221: ...hbor device Voice VLAN ID The Voice VLAN ID VTP Management Domain A string that is the name of the collective group of VLANs associated with the neighbor device 8 20 show cdp tlv The show cdp tlv Privileged EXEC mode command displays information about TLVs sent by CDP on all ports or on a specific port Syntax show cdp tlv interface id Parameters interface id Interface ID Default Configuration TLVs...

Page 222: ...ally is enabled Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater P VoIP Phone M Remotely Managed Device C CAST Phone Port W Two Port MAC Relay Interface TLV gi12 CDP is disabled on gi12 Example 3 In this example CDP is globally enabled and enabled on the port but the port is down and no information is displayed switchxxxxxx show cdp tlv interface gi1...

Page 223: ...DP is enabled Ethernet gi11 is up Device ID TLV type is MAC address Value is 00 11 22 22 33 33 44 44 Address TLV IPv4 1 2 2 2 IPv6 Port_ID TLV gi11 Capabilities S I Version TLV 1 and 2 Platform TLV VSD Ardd Native VLAN TLV 1 Full Half Duplex TLV full duplex Appliance VLAN_ID TLV Appliance ID is 1 VLAN ID is 100 COS for Untrusted Ports TLV 1 sysName a switch Power Available TLV Request ID is 1 Powe...

Page 224: ...type is MAC address Value is 00 11 22 22 33 33 44 44 Address TLV IPv4 1 2 2 2 IPv6 Port_ID TLV gi11 Capabilities S I Version TLV 1 and 2 Platform TLV VSD Ardd Native VLAN TLV 1 Full Half Duplex TLV full duplex Appliance VLAN_ID TLV Appliance ID is 1 VLAN ID is 100 COS for Untrusted Ports TLV 1 sysName a switch Power Available TLV Request ID is 1 Power management ID is 1 Available Power is 10 Manag...

Page 225: ...e User Guidelines Use the command show cdp traffic without parameters to display all the counters Use the show cdp traffic global to display only the global counters Use the show cdp traffic interface id command to display the counters of the given port Example switchxxxxxx show cdp traffic CDP Global counters Total packets output 81684 Input 81790 Hdr syntax 0 Chksum error 0 Encaps 0 No memory 0 ...

Page 226: ...dvertisements input fields Hdr syntax The number of CDP advertisements with bad headers received by the local device Chksum error The number of times the checksum verifying operation failed on incoming CDP advertisements No memory The number of times the local device did not have enough memory to store the CDP advertisements in the advertisement cache table when the device was attempting to assemb...

Page 227: ...ny statement of the associated function going into effect If no start time and date are specified the function is in effect immediately end Absolute time and date that the permit or deny statement of the associated function is no longer in effect If no end time and date are specified the function is in effect indefinitely hh mm Time in hours military format and minutes Range 0 23 mm 0 5 day Day by...

Page 228: ...ck dhcp timezone command in Global Configuration mode To restore the default configuration use the no form of this command Syntax clock dhcp timezone no clock dhcp timezone Parameters N A Default Configuration Disabled Command Mode Global Configuration mode User Guidelines The TimeZone taken from the DHCP server has precedence over the static TimeZone The Summer Time taken from the DHCP server has...

Page 229: ... where the DHCP TimeZone option was taken clears the dynamic Time Zone and Summer Time configuration Example switchxxxxxx config clock dhcp timezone 9 3 clock set To set the system clock manually use the clock set command in Privileged EXEC mode Syntax clock set hh mm ss day month month day year Parameters hh mm ss Specifies the current time in hours military format minutes and seconds Range hh 0 ...

Page 230: ...e no form of this command Syntax clock source sntp browser no clock source Parameters sntp Optional Specifies that an SNTP server is the external clock source browser Optional Specifies that if the system clock is not already set either manually or by SNTP and a user login to the device using a WEB browser either via HTTP or HTTPS the system clock will be set according to the browser s time inform...

Page 231: ...2013 Time source is sntp Time from Browser is enabled 9 5 clock summer time To configure the system to automatically switch to summer time Daylight Saving Time use the clock summer time command in Global Configuration mode To restore the default configuration use the no form of this command Syntax clock summer time zone recurring usa eu week day month hh mm week day month hh mm offset clock summer...

Page 232: ...ar no abbreviation Range 2000 2097 hh mm Time military format in hours and minutes Range hh mmhh 0 23 mm 0 59 offset Optional Number of minutes to add during summer time default is 60 Range 1440 Default Configuration Summer time is disabled Command Mode Global Configuration mode User Guidelines In both the date and recurring forms of the command the first part of the command specifies when summer ...

Page 233: ...tchxxxxxx config clock summer time abc date apr 1 2010 09 00 aug 2 2010 09 00 9 6 clock timezone To set the time zone for display purposes use the clock timezone command in Global Configuration mode To restore the default configuration use the no form of this command Syntax clock timezone zone hours offset minutes offset no clock timezone Parameters zone The acronym of the time zone Range Up to 4 ...

Page 234: ...ck timezone abc 2 minutes 32 9 7 periodic To specify a recurring weekly time range for functions that support the time range feature use the periodic command in Time range Configuration mode To restore the default configuration use the no form of this command Syntax periodic day of the week hh mm to day of the week hh mm no periodic day of the week hh mm to day of the week hh mm periodic list hh m...

Page 235: ...llowing day see description in the User Guidelines Range 0 23 mm 0 59 list day of the week1 Specifies a list of days that the time range is in effect Default Configuration There is no periodic time when the time range is in effect Command Mode Time range Configuration mode User Guidelines The second occurrence of the day can be at the following week e g Thursday Monday means that the time range is...

Page 236: ...NTP Anycast clients are enabled Default Configuration The SNTP anycast client is disabled Command Mode Global Configuration mode User Guidelines Use this command to enable the SNTP Anycast client Example The following example enables SNTP Anycast clients switchxxxxxx config sntp anycast client enable 9 9 sntp authenticate To enable authentication for received SNTP traffic from servers use the sntp...

Page 237: ...g sntp trusted key 8 9 10 sntp authentication key To define an authentication key for Simple Network Time Protocol SNTP use the sntp authentication key command in Global Configuration mode To restore the default configuration use the no form of this command Syntax sntp authentication key key number md5 key value encrypted sntp authentication key key number md5 encrypted key value no sntp authentic...

Page 238: ... 11 sntp broadcast client enable To enable SNTP Broadcast clients use the sntp broadcast client enable command in Global Configuration mode To restore the default configuration use the no form of this command Syntax sntp broadcast client enable both ipv4 ipv6 no sntp broadcast client enable Parameters both Optional Specifies the IPv4 and IPv6 SNTP Broadcast clients are enabled If the parameter is ...

Page 239: ...ot synchronize with Broadcast servers Example The following example enables SNTP Broadcast clients switchxxxxxx config sntp broadcast client enable 9 12 sntp client enable To enable the SNTP Broadcast and Anycast client use the sntp client enable command in Global Configuration mode To restore the default configuration use the no form of this command Syntax In switch mode sntp client enable no snt...

Page 240: ... SNTP Broadcast and Anycast clients on VLAN 100 switchxxxxxx config sntp client enable vlan 100 9 13 sntp client enable interface To enable the SNTP Broadcast and Anycast client on an interface use the sntp client enable command in Interface Configuration mode To restore the default configuration use the no form of this command Syntax sntp client enable no sntp client enable Parameters N A Default...

Page 241: ...ified server meaning to accept system time from an SNTP server use the sntp server command in Global Configuration mode To remove a server from the list of SNTP servers use the no form of this command Syntax sntp server ip address hostname poll key keyid no sntp server ip address hostname Parameters ip address Specifies the server IP address This can be an IPv4 IPv6 or IPv6z address hostname Speci...

Page 242: ...traffic from the server on 192 1 1 1 with polling switchxxxxxx config sntp server 192 1 1 1 poll 9 15 sntp source interface To specify the source interface whose IPv4 address will be used as the source IPv4 address for communication with IPv4 SNTP servers use the sntp source interface command in Global Configuration mode To restore the default configuration use the no form of this command Syntax s...

Page 243: ...e The following example configures the VLAN 10 as the source interface switchxxxxxx config sntp source interface vlan 10 9 16 sntp source interface ipv6 To specify the source interface whose IPv6 address will be used ad the Source IPv6 address for communication with IPv6 SNTP servers use the sntp source interface ipv6 command in Global Configuration mode To restore the default configuration use th...

Page 244: ... IPv6 address is applied If there is no available IPv6 source address a SYSLOG message is issued when attempting to communicate with an IPv6 SNTP server Example The following example configures the VLAN 10 as the source interface switchxxxxxx config sntp source interface ipv6 vlan 10 9 17 sntp trusted key To define the trusted key use the sntp trusted key command in Global Configuration mode To re...

Page 245: ... config sntp authentication key 8 md5 ClkKey switchxxxxxx config sntp trusted key 8 switchxxxxxx config sntp authenticate 9 18 sntp unicast client enable To enable the device to use Simple Network Time Protocol SNTP Unicast clients use the sntp unicast client enable command in Global Configuration mode To disable the SNTP Unicast clients use the no form of this command Syntax sntp unicast client e...

Page 246: ...client poll To enable polling for the SNTP Unicast clients use the sntp unicast client poll command in Global Configuration mode To disable the polling use the no form of this command Syntax sntp unicast client poll no sntp unicast client poll Parameters N A Default Configuration Polling is disabled Command Mode Global Configuration mode User Guidelines The polling interval is 1024 seconds Example...

Page 247: ...nes Before the time there is displayed either a star period or blank star The clock is invalid period The clock was set manually or by Browser blank The clock was set by SNTP Examples Example 1 The following example displays the system time and date switchxxxxxx show clock 15 29 03 PDT UTC 7 Jun 17 2002 Time source is SNTP Time from Browser is enabled Example 2 The following example displays the s...

Page 248: ...very year Begins at first Sunday of Apr at 02 00 Ends at first Tuesday of Sep at 02 00 Offset is 60 minutes Summertime Static Acronym is GMT Recurring every year Begins at first Sunday of Mar at 10 00 Ends at first Sunday of Sep at 10 00 Offset is 60 minutes DHCP timezone Enabled 9 21 show sntp configuration To display the SNTP configuration on the device use the show sntp configuration command in...

Page 249: ...iguration SNTP port 123 Polling interval 1024 seconds MD5 Authentication Keys 2 John123 3 Alice456 Authentication is not required for synchronization No trusted keys Unicast Clients enabled Unicast Clients Polling enabled Server 1 1 1 121 Polling disabled Encryption Key disabled Server 3001 1 1 1 Polling enabled Encryption Key disabled Server dns_server1 comapany com Polling enabled Encryption Key...

Page 250: ...NTP servers status use the show sntp status command in Privileged EXEC mode Syntax show sntp status Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example The following example displays the SNTP servers status switchxxxxxx show sntp status Clock is synchronized stratum 4 reference is 176 1 1 8 unicast Reference time is afe2525e 70597b34 00 10 22 438 PDT Jul 5 1993 Unica...

Page 251: ...9mSec Server 3001 1 1 1 Source DHCPv6 on VLAN 2 Status Unknown Last response Offset mSec Delay mSec Server dns1 company com Source DHCPv6 on VLAN 20 Status Unknown Last response Offset mSec Delay mSec Anycast servers Server 176 1 11 8 Interface VLAN 112 Status Up Last response 9 53 21 789 PDT Feb 19 2005 Stratum Level 10 Offset 9 98mSec Delay 289 19mSec Broadcast servers Server 3001 1 12 Interface...

Page 252: ...w time range http allowed absolute start 12 00 1 Jan 2005 end 12 00 31 Dec 2005 periodic Monday 12 00 to Wednesday 12 00 9 24 time range To define time ranges and to enter to Time range Configuration mode use the time range command to define time ranges and to enter to Time range Configuration mode in Global Configuration mode To restore the default configuration use the no form of this command Sy...

Page 253: ...d If a time range command has both absolute and periodic values specified then the periodic items are evaluated only after the absolute start time is reached and are not evaluated again after the absolute end time is reached All time specifications are interpreted as local time To ensure that the time range entries take effect at the desired times the software clock should be set by the user or by...

Page 254: ...0 characters exclude Do not include sensitive data in the file being copied Include encrypted Include sensitive data in its encrypted form include plaintext Include sensitive data in its plaintext form The following URL options are supported running config Currently running configuration file startup config flash startup config Startup configuration file image flash image Image file If specified a...

Page 255: ...filename The host can be either the IP address or hostname The default on the switch is SSH authentication by password with username and password anonymous The SSH authentication parameters can be reconfigured to match the SSH SCP server s parameters xmodem Source for the file from a serial connection that uses the Xmodem protocol Default Configuration Sensitive data is excluded if no method was s...

Page 256: ...e following table describes the characters displayed by the system when copy is being run Various Copy Options Guidelines Copying an Image File from a Server to Flash Memory Use the copy source url flash image command to copy an image file from a server to flash memory When the administrator copies an image file from the server to a device the image file is saved to the inactive image To use this ...

Page 257: ...n url command to copy the current configuration file to a network server using TFTP Use the copy startup config destination url command to copy the startup configuration file to a network server Saving the Running Configuration to the Startup Configuration Use the copy running config startup config command to copy the running configuration to the startup configuration file Restoring the Mirror Con...

Page 258: ...a Server to Flash Memory The following example copies a system image named file1 from the TFTP server with an IP address of 172 16 101 101 to a non active image file switchxxxxxx copy tftp 172 16 101 101 file1 flash image Accessing file file1 on 172 16 101 101 Loading file1 from 172 16 101 101 OK Copy took 0 01 11 hh mm ss Example 3 Copying the mirror config file to the startup configuration file ...

Page 259: ...ged EXEC mode command to save the running configuration to the startup configuration file Syntax write memory Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode Examples The following example shows how to overwrite the startup config file with the running config file with the write command switchxxxxxx write Overwrite file startup config Yes press any key for no...

Page 260: ...Mode Privileged EXEC mode User Guidelines The following keywords and URL prefixes are supported flash URL of the FLASH file startup config Startup configuration file WORD Name of file e g backup config mirror config sys prv image 1 and image 2 files cannot be deleted Example The following example deletes the file called backup config from the flash memory switchxxxxxx delete flash backup config De...

Page 261: ...ecifies the real size in the FLASH occupied by the file switchxxxxxx dir Directory of flash File Name Permission Flash Size Data Size Modified image 1 rw 10485760 10485760 01 Jan 2010 06 10 23 image 2 rw 10485760 10485760 01 Jan 2010 05 43 54 mirror config rw 524288 104 01 Jan 2010 05 35 04 dhcpsn prv 262144 01 Jan 2010 05 25 07 syslog1 sys r 524288 01 Jan 2010 05 57 00 syslog2 sys r 524288 01 Jan...

Page 262: ...XEC mode User Guidelines The following keywords and URL prefixes are supported flash URL of the FLASH file startup config Startup configuration file WORD Name of file e g backup config Files are displayed in ASCII format except for the images which are displayed in a hexadecimal format prv files cannot be displayed Example The following example displays the running configuration file contents swit...

Page 263: ...and has no arguments or keywords Command Mode Privileged EXEC mode User Guidelines The following keywords and URL prefixes are supported flash URL of the FLASH file startup config Startup configuration file WORD Name of file e g backup config mirror config sys and prv files cannot be renamed Example The following example renames the configuration backup file switchxxxxxx rename backup config m con...

Page 264: ...ommand to display the active image Example The following example specifies that image 1 is the active system image file loaded by the device at startup The results of this command is displayed in show bootvar switchxxxxxx boot system image 1 10 8 show running config Use the show running config privileged EXEC command to display the contents of the currently running configuration file show running ...

Page 265: ...e Privileged EXEC mode Examples The following example displays the running configuration file contents switchxxxxxx show running config config file header AA307 02 v1 2 5 76 R750_NIK_1_2_584_002 CLI v1 0 file SSD indicator encrypted ssd control start ssd config ssd file passphrase control unrestricted no ssd file integrity control ssd control end cb0a3fdb1f3a1af4e4430033719968c0 no spanning tree i...

Page 266: ...tax show startup config interface interface id list Parameters interface interface id list Specifies a list of interface IDs The interface IDs can be one of the following types Ethernet port port channel or VLAN Command Mode Privileged EXEC mode Examples The following example displays the startup configuration file contents switchxxxxxx show startup config config file header AA307 02 v1 2 5 76 R75...

Page 267: ...00 exit no lldp run interface vlan 1 ip address 1 1 1 1 255 0 0 0 exit line console exec timeout 0 exit switchxxxxxx 10 10 show bootvar Use the show bootvar EXEC mode command to display the active system image file that was loaded by the device at startup and to display the system image file that will be loaded after rebooting the switch Syntax show bootvar show bootvar unit unit id Parameters Thi...

Page 268: ... Not active 2 image 2 1 1 0 73 19 Jun 2011 18 10 49 Active designates that the image was selected for the next boot 10 11 service mirror configuration Use the service mirror configuration Global Configuration mode command to enable the mirror configuration service Use no service mirror configuration command to disable the service Syntax service mirror configuration no service mirror configuration ...

Page 269: ... The following example disables the mirror configuration service switchxxxxxx config no service mirror configuration This operation will delete the mirror config file if exists Do you want to continue Y N N Example 2 The following example enables the mirror configuration service switchxxxxxx config service mirror configuration Service is enabled Note that the running configuration must be first co...

Page 270: ...ands OL 32830 01 Command Line Interface Reference Guide 270 10 Example The following example displays the status of the mirror configuration service switchxxxxxx show mirror configuration service Mirror configuration service is enabled ...

Page 271: ...enable the DHCP relay feature on the device Use the no form of this command to disable the DHCP relay feature Syntax ip dhcp relay enable no ip dhcp relay enable Parameters N A Default Configuration DHCP relay feature is disabled Command Mode Global Configuration mode Example The following example enables the DHCP relay feature on the device switchxxxxxx config ip dhcp relay enable ...

Page 272: ...ble Parameters N A Default Configuration Disabled Command Mode Interface Configuration mode User Guidelines The operational status of DHCP Relay on an interface is active if one of the following conditions exist DHCP Relay is globally enabled and there is an IP address defined on the interface Or DHCP Relay is globally enabled there is no IP address defined on the interface the interface is a VLAN...

Page 273: ...ifies the DHCP server IP address Up to 8 servers can be defined Default Configuration No server is defined Command Mode Global Configuration mode User Guidelines Use the ip dhcp relay address command to define a global DHCP Server IP address To define a few DHCP Servers use the command a few times To remove a DHCP Server use the no form of the command with the ip address argument The no form of th...

Page 274: ... address Specifies the DHCP server IP address Up to 8 servers can be defined Default Configuration No server is defined Command Mode Interface Configuration mode User Guidelines Use the ip dhcp relay address command to define a DHCP Server IP address per the interface To define multiple DHCP Servers use the command multiple times To remove a DHCP server use the no form of the command with the ip a...

Page 275: ...n 82 is Disabled Maximum number of supported VLANs without IP Address is 256 Number of DHCP Relays enabled on VLANs without IP Address is 0 DHCP relay is not configured on any port DHCP relay is not configured on any vlan No servers configured Example 2 Option 82 is supported disabled switchxxxxxx show ip dhcp relay DHCP relay is globally disabled Option 82 is disabled Maximum number of supported ...

Page 276: ...HCP Relays enabled on VLANs without IP Address 2 DHCP relay is enabled on Ports gi11 po1 2 Active gi11 Inactive po1 2 DHCP relay is enabled on VLANs 1 2 4 5 Active 1 2 4 5 Inactive Global Servers 1 1 1 1 2 2 2 2 Example 3 Option 82 is supported enabled and there DHCP Servers defined per interface switchxxxxxx show ip dhcp relay DHCP relay is globally enabled Option 82 is enabled Maximum number of ...

Page 277: ... information option Global Configuration command to enable DHCP option 82 data insertion Use the no form of this command to disable DHCP option 82 data insertion Syntax ip dhcp information option no ip dhcp information option Parameters N A Default Configuration DHCP option 82 data insertion is disabled Command Mode Global Configuration mode User Guidelines DHCP option 82 would be enabled only if ...

Page 278: ...ation option EXEC mode command displays the DHCP Option 82 configuration Syntax show ip dhcp information option Parameters N A Default Configuration N A Command Mode User EXEC mode Example The following example displays the DHCP Option 82 configuration switchxxxxxx show ip dhcp information option Relay agent Information option is Enabled ...

Page 279: ...ecifies the client IP address mask Specifies the client network mask prefix length Specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the client network mask The prefix length must be preceded by a forward slash unique identifier Specifies the distinct client identification in dotted hexadecimal notation Each byte in a hexadecimal character...

Page 280: ... identifier 01b7 0813 8811 66 switchxxxxxx config dhcp exit switchxxxxxx config ip dhcp pool host bbbb switchxxxxxx config dhcp address 10 12 1 88 255 255 255 0 hardware address 00 01 b7 08 13 88 switchxxxxxx config dhcp exit switchxxxxxx config 12 2 address DHCP Network To configure the subnet number and mask for a DHCP address pool on a DHCP server use the address command in DHCP Pool Network Co...

Page 281: ...nfigured If the low address is not specified it defaults to the first IP address in the network If the high address is not specified it defaults to the last IP address in the network Command Mode DHCP Pool Network Configuration mode Example The following example configures the subnet number and mask for a DHCP address pool on a DHCP server switchxxxxxx config dhcp address 10 12 1 0 255 255 255 0 1...

Page 282: ... switchxxxxxx config dhcp bootfile boot_image_file 12 4 clear ip dhcp binding To delete the dynamic address binding from the DHCP server database use the clear ip dhcp binding command in Privileged EXEC mode Syntax clear ip dhcp binding address Parameters address Specifies the binding address to delete from the DHCP database Clears all dynamic bindings Command Mode Privileged EXEC mode User Guidel...

Page 283: ...ame command in DHCP Pool Host Configuration mode To remove the client name use the no form of this command Syntax client name name no client name Parameters name Specifies the client name using standard ASCII characters The client name should not include the domain name For example the name Mars should not be specified as mars yahoo com Length 1 32 characters Command Mode DHCP Pool Host Configurat...

Page 284: ...ip address8 Specifies the IP addresses of default routers Up to eight addresses can be specified in one command line Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No default router is defined User Guidelines The router IP address should be on the same subnet as the client subnet Example The following example specifies 10 12 1 99 as the de...

Page 285: ...P Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No DNS server is defined User Guidelines If DNS IP servers are not configured for a DHCP client the client cannot correlate host names to IP addresses Example The following example specifies 10 12 1 99 as the client domain name server IP address switchxxxxxx config dhcp dns server 10 12 1 99 12 8 domain name ...

Page 286: ...le specifies yahoo com as the DHCP client domain name string switchxxxxxx config dhcp domain name yahoo com 12 9 ip dhcp excluded address To specify IP addresses that a DHCP server must not assign to DHCP clients use the ip dhcp excluded address command in Global Configuration mode To remove the excluded IP addresses use the no form of this command Syntax ip dhcp excluded address low address high ...

Page 287: ...le The following example configures an excluded IP address range from 172 16 1 100 through 172 16 1 199 switchxxxxxx config ip dhcp excluded address 172 16 1 100 172 16 1 199 12 10 ip dhcp pool host To configure a DHCP static address on a DHCP server and enter the DHCP Pool Host Configuration mode use the ip dhcp pool host command in Global Configuration mode To remove the address pool use the no ...

Page 288: ...igures station as the DHCP address pool switchxxxxxx config ip dhcp pool host station switchxxxxxx config dhcp 12 11 ip dhcp pool network To configure a DHCP address pool on a DHCP Server and enter DHCP Pool Network Configuration mode use the ip dhcp pool network command in Global Configuration mode To remove the address pool use the no form of this command Syntax ip dhcp pool network name no ip d...

Page 289: ...le The following example configures Pool1 as the DHCP address pool switchxxxxxx config ip dhcp pool network Pool1 switchxxxxxx config dhcp 12 12 ip dhcp server To enable the DHCP server features on the device use the ip dhcp server command in Global Configuration mode To disable the DHCP server use the no form of this command Syntax ip dhcp server no ip dhcp server Default Configuration The DHCP s...

Page 290: ...days in the lease hours Optional Specifies the number of hours in the lease A days value must be supplied before configuring an hours value minutes Optional Specifies the number of minutes in the lease A days value and an hours value must be supplied before configuring a minutes value infinite Specifies that the duration of the lease is unlimited Default Configuration The default lease duration is...

Page 291: ... DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode To remove the NetBIOS name server list use the no form of this command Syntax netbios name server ip address ip address2 ip address8 no netbios name server Parameters ip address ip address2 ip address8 Specifies the IP addresses of NetBIOS WINS name servers Up to eight addresses can be specified in one command line Comma...

Page 292: ... no form of this command Syntax netbios node type b node p node m node h node no netbios node type Parameters b node Specifies the Broadcast NetBIOS node type p node Specifies the Peer to peer NetBIOS node type m node Specifies the Mixed NetBIOS node type h node Specifies the Hybrid NetBIOS node type Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Config...

Page 293: ...ers ip address Specifies the IP address of the next server in the boot process Default Configuration If the next server command is not used to configure a boot server list the DHCP server uses inbound interface helper addresses as boot servers Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode User Guidelines The client will connect using the SCP TFTP protocol to t...

Page 294: ... name name no next server name Parameters name Specifies the name of the next server in the boot process Length 1 64 characters Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No next server name is defined User Guidelines The client will connect using the SCP TFTP protocol to this server in order to download the configuration file Example ...

Page 295: ... false and 1 true integer value Specifies an integer value The option size depends on the option code ascii string Specifies a network virtual terminal NVT ASCII character string ASCII character strings that contain white spaces must be delimited by quotation marks The ASCII value is truncated to the first 160 characters entered ip address Specifies an IP address ip list ip address1 ip address2 Sp...

Page 296: ... the following options 5 7 11 33 41 42 45 48 49 65 68 76 and 150 The hex keyword may be configured for any option in the range 1 254 except for the following 1 3 4 6 12 15 44 46 50 51 53 54 56 66 67 82 and 255 The switch does not validate the syntax of an option defined by this format Examples Example 1 The following example configures DHCP option 19 which specifies whether the client should confi...

Page 297: ... displays the DHCP configuration switchxxxxxx show ip dhcp DHCP server is enabled 12 20 show ip dhcp allocated To display the allocated address or all the allocated addresses on the DHCP server use the show ip dhcp allocated command in User EXEC mode Syntax show ip dhcp allocated ip address Parameters ip address Optional Specifies the IP address Command Mode User EXEC mode Example The following ex...

Page 298: ...11 DHCP server enabled The number of allocated entries is 2 IP address Hardware address Lease expiration Type 172 16 1 11 00a0 9802 32de Feb 01 1998 12 00 AM Dynamic switchxxxxxx show ip dhcp allocated 172 16 3 254 DHCP server enabled The number of allocated entries is 2 IP address Hardware address Lease expiration Type 172 16 3 254 02c7 f800 0422 Infinite Static The following table describes the ...

Page 299: ...xamples display the DHCP server binding address parameters switchxxxxxx show ip dhcp binding DHCP server enabled The number of used all types entries is 6 The number of pre allocated entries is 1 The number of allocated entries is 1 The number of expired entries is 1 The number of declined entries is 2 The number of static entries is 1 The number of dynamic entries is 2 The number of automatic ent...

Page 300: ...Type State 1 16 1 11 00a0 9802 32de Feb 01 1998 dynamic allocated 12 00 AM switchxxxxxx show ip dhcp binding 1 16 3 24 IP address Hardware Address Lease Expiration Type State 1 16 3 24 02c7 f802 0422 dynamic declined The following table describes the significant fields shown in the display Field Description IP address The host IP address as recorded on the DHCP Server Hardware address The MAC addr...

Page 301: ...Parameters ip address Optional Specifies the IP address Command Mode User EXEC mode Example The following example displays the output of various forms of this command switchxxxxxx show ip dhcp declined DHCP server enabled The number of declined entries is 2 IP address Hardware address 172 16 1 11 00a0 9802 32de 172 16 3 254 02c7 f800 0422 switchxxxxxx show ip dhcp declined 172 16 1 11 DHCP server ...

Page 302: ...e following example displays excluded addresses switchxxxxxx show ip dhcp excluded addresses The number of excluded addresses ranges is 2 Excluded addresses 10 1 1 212 10 1 1 219 10 1 2 212 10 1 2 219 12 24 show ip dhcp expired To display the specific expired address or all of the expired addresses on the DHCP server use the show ip dhcp expired command in User EXEC mode Syntax show ip dhcp expire...

Page 303: ...f expired entries is 1 IP address Hardware address 172 16 1 13 00a0 9802 32de 12 25 show ip dhcp pool host To display the DHCP pool host configuration use the show ip dhcp pool host command in User EXEC mode Syntax show ip dhcp pool host address name Parameters address Optional Specifies the client IP address name Optional Specifies the DHCP pool name Length 1 32 characters Command Mode User EXEC ...

Page 304: ...how ip dhcp pool host station Name IP Address Hardware Address Client Identifier station 172 16 1 11 01b7 0813 8811 66 Mask 255 255 0 0 Default router 172 16 1 1 Client name client1 DNS server 10 12 1 99 Domain name yahoo com NetBIOS name server 10 12 1 90 NetBIOS node type h node Next server 10 12 1 99 Next server name 10 12 1 100 Bootfile Bootfile Time server 10 12 1 99 Options Code Type Len Val...

Page 305: ... Specifies the DHCP pool name Length 1 32 characters Command Mode User EXEC mode Examples Example 1 The following example displays configuration of all DHCP network pools switchxxxxxx show ip dhcp pool network The number of network pools is 2 Name Address range mask Lease marketing 10 1 1 17 10 1 1 178 255 255 255 0 0d 12h 0m finance 10 1 2 8 10 1 2 178 255 255 255 0 0d 12h 0m Example 2 The follow...

Page 306: ...1 90 NetBIOS node type h node Next server 10 12 1 99 Next server name 10 12 1 100 Bootfile Bootfile Time server 10 12 1 99 Options Code Type Len Value Description 2 integer 4 3600 14 ascii 16 qq aaaa bbb txt 19 boolean 1 false IP Forwarding Enable Disable Option 21 ip 4 134 14 14 1 31 ip list 8 1 1 1 1 12 23 45 2 47 hex 5 02af00aa00 12 27 show ip dhcp pre allocated To display the specific pre allo...

Page 307: ...of pre allocated entries is 1 IP address Hardware address 172 16 1 11 00a0 9802 32de 172 16 3 254 02c7 f800 0422 switchxxxxxx show ip dhcp pre allocated 172 16 1 11 DHCP server enabled The number of pre allocated entries is 1 IP address Hardware address 172 16 1 15 00a0 9802 32de 12 28 show ip dhcp server statistics To display DHCP server statistics use the show ip dhcp server statistics command i...

Page 308: ...ies is 2 The number of static entries is 1 The number of dynamic entries is 2 The number of automatic entries is 1 12 29 time server To specify the time servers list for a DHCP client use the time server command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode To remove the time servers list use the no form of this command Syntax time server ip address ip address2 ip...

Page 309: ...e 12 Default Configuration No time server is defined User Guidelines The time server s IP address should be on the same subnet as the client subnet Example The following example specifies 10 12 1 99 as the time server IP address switchxxxxxx config dhcp time server 10 12 1 99 ...

Page 310: ...n Syntax ip dhcp snooping no ip dhcp snooping Parameters N A Default Configuration DHCP snooping is disabled Command Mode Global Configuration mode User Guidelines For any DHCP Snooping configuration to take effect DHCP Snooping must be enabled globally DHCP Snooping on a VLAN is not active until DHCP Snooping on a VLAN is enabled by using the ip dhcp snooping vlan Global Configuration mode comman...

Page 311: ...pecifies the VLAN ID Default Configuration DHCP Snooping on a VLAN is disabled Command Mode Global Configuration mode User Guidelines DHCP Snooping must be enabled globally before enabling DHCP Snooping on a VLAN Example The following example enables DHCP Snooping on VLAN 21 switchxxxxxx config ip dhcp snooping vlan 21 13 3 ip dhcp snooping trust Use the ip dhcp snooping trust Interface Configurat...

Page 312: ... DHCP clients as untrusted Example The following example configures gi14 as trusted for DHCP Snooping switchxxxxxx config interface gi14 switchxxxxxx config if ip dhcp snooping trust 13 4 ip dhcp snooping information option allowed untrusted Use the ip dhcp snooping information option allowed untrusted Global Configuration mode command to allow a device to accept DHCP packets with option 82 inform...

Page 313: ...usted 13 5 ip dhcp snooping verify Use the ip dhcp snooping verify Global Configuration mode command to configure a device to verify that the source MAC address in a DHCP packet received on an untrusted port matches the client hardware address Use the no form of this command to disable MAC address verification in a DHCP packet received on an untrusted port Syntax ip dhcp snooping verify no ip dhcp...

Page 314: ...ing binding database file Use the no form of this command to delete the DHCP Snooping binding database file Syntax ip dhcp snooping database no ip dhcp snooping database Parameters N A Default Configuration The DHCP Snooping binding database file is not defined Command Mode Global Configuration mode User Guidelines The DHCP Snooping binding database file resides on Flash To ensure that the lease t...

Page 315: ...f the DHCP Snooping binding database file Use the no form of this command to restore the default configuration Syntax ip dhcp snooping database update freq seconds no ip dhcp snooping database update freq Parameters seconds Specifies the update frequency in seconds Range 600 86400 Default Configuration The default update frequency value is 1200 seconds Command Mode Global Configuration mode Exampl...

Page 316: ...Specifies a MAC address vlan id Specifies a VLAN number ip address Specifies an IP address interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel expiry seconds Specifies the time interval in seconds after which the binding entry is no longer valid Range 10 4294967294 infinite Specifies infinite lease time Default Configuration No st...

Page 317: ...y Use the no ip dhcp snooping binding command to delete manually a dynamic entry from the DHCP database A dynamic temporary entries for which the IP address is 0 0 0 0 cannot be deleted Example The following example adds a binding entry to the DHCP Snooping binding database switchxxxxxx ip dhcp snooping binding 0060 704C 73FF 23 176 10 1 1 gi14 expiry 900 13 9 clear ip dhcp snooping database Use t...

Page 318: ...s an interface ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode User EXEC mode Example The following example displays the DHCP snooping configuration switchxxxxxx show ip dhcp snooping DHCP snooping is Enabled DHCP snooping is configured on following VLANs 21 DHCP snooping database is Enabled Relay agent Information option 82 is Enabled Option 82 on ...

Page 319: ...mac address Specifies a MAC address ip address ip address Specifies an IP address vlan vlan id Specifies a VLAN ID interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode User EXEC mode Example The following examples displays the DHCP snooping binding database and configuration information for all interfaces on a device s...

Page 320: ... Guard on the device or on an interface Syntax ip source guard no ip source guard Parameters N A Default Configuration IP Source Guard is disabled Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines IP Source Guard must be enabled globally before enabling IP Source Guard on an interface IP Source Guard is active only on DHCP snooping untrusted interfaces and if at least...

Page 321: ...vlan id Specifies a VLAN number ip address Specifies an IP address interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration No static binding exists Command Mode Global Configuration mode User Guidelines Use the ip source guard binding command to add a static entry to the DHCP database An entry added by this comma...

Page 322: ...ies frequency is 60 seconds Command Mode Global Configuration mode User Guidelines Since the IP Source Guard uses the Ternary Content Addressable Memory TCAM resources there may be situations when IP Source Guard addresses are inactive because of a lack of TCAM resources By default once every minute the software conducts a search for available space in the TCAM for the inactive IP Source Guard add...

Page 323: ...sources there may be situations when IP Source Guard addresses are inactive because of a lack of TCAM resources By default once every 60 seconds the software conducts a search for available space in the TCAM for the inactive IP Source Guard addresses Execute the ip source guard tcam retries freq command with the never keyword to disable automatic retries for TCAM space and then execute this comman...

Page 324: ...rface ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode User EXEC mode Example The following example displays the IP Source Guard configuration 13 17 show ip source guard status Use the show ip source guard status EXEC mode command to display the IP Source Guard status Syntax show ip source guard status mac address mac address ip address ip address vl...

Page 325: ...le The following examples display the IP Source Guard status 13 18 show ip source guard inactive Use the show ip source guard inactive EXEC mode command to display the IP Source Guard inactive addresses Syntax show ip source guard inactive Parameters N A Command Mode User EXEC mode switchxxxxxx show ip source guard status IP source guard is globally enaabled Interface gi11 gi12 gi13 gi14 Filter IP...

Page 326: ... ip source guard tcam locate command to manually retry locating TCAM resources for the inactive IP Source Guard addresses This command displays the inactive IP source guard addresses Example The following example displays the IP source guard inactive addresses 13 19 show ip source guard statistics Use the show ip source guard statistics EXEC mode command to display the Source Guard dynamic informa...

Page 327: ...ress Resolution Protocol ARP inspection Use the no form of this command to disable ARP inspection Syntax ip arp inspection no ip arp inspection Parameters N A Default Configuration ARP inspection is disabled Command Mode Global Configuration mode User Guidelines Note that if a port is configured as an untrusted port then it should also be configured as an untrusted port for DHCP Snooping or the IP...

Page 328: ...mmand to disable ARP inspection on a VLAN Syntax ip arp inspection vlan vlan id no ip arp inspection vlan vlan id Parameters vlan id Specifies the VLAN ID Default Configuration DHCP Snooping based ARP inspection on a VLAN is disabled Command Mode Global Configuration mode User Guidelines This command enables ARP inspection on a VLAN based on the DHCP snooping database Use the ip arp inspection lis...

Page 329: ... Ethernet Port Channel Configuration mode User Guidelines The device does not check ARP packets that are received on the trusted interface it only forwards the packets For untrusted interfaces the device intercepts all ARP requests and responses It verifies that the intercepted packets have valid IP to MAC address bindings before updating the local cache and before forwarding the packet to the app...

Page 330: ...lobal Configuration mode User Guidelines The following checks are performed Source MAC address Compares the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses Destination MAC address Compares the destination MAC address in the Ethernet header against the target MAC address in the ARP body This check is...

Page 331: ...Parameters name Specifies the static ARP binding list name Length 1 32 characters Default Configuration No static ARP binding list exists Command Mode Global Configuration mode User Guidelines Use the ip arp inspection list assign command to assign the list to a VLAN Example The following example creates the static ARP binding list servers and enters the ARP list configuration mode switchxxxxxx co...

Page 332: ...ode Example The following example creates a static ARP binding switchxxxxxx config ip arp inspection list create servers switchxxxxxx config arp list ip 172 16 1 1 mac 0060 704C 7321 switchxxxxxx config arp list ip 172 16 1 2 mac 0060 704C 7322 13 26 ip arp inspection list assign Use the ip arp inspection list assign Global Configuration mode command to assign a static ARP binding list to a VLAN U...

Page 333: ...ogging interval Global Configuration mode command to set the minimum time interval between successive ARP SYSLOG messages Use the no form of this command to restore the default configuration Syntax ip arp inspection logging interval seconds infinite no ip arp inspection logging interval Parameters seconds Specifies the minimum time interval between successive ARP SYSLOG messages A 0 value means th...

Page 334: ...for all interfaces or for a specific interface Syntax show ip arp inspection interface id Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode User EXEC mode Example The following example displays the ARP inspection configuration switchxxxxxx show ip arp inspection IP ARP inspection is Enabled IP ARP inspect...

Page 335: ...ode Example The following example displays the static ARP binding list 13 30 show ip arp inspection statistics Use the show ip arp inspection statistics EXEC command to display statistics for the following types of packets that have been processed by this feature Forwarded Dropped IP MAC Validation Failure Syntax show ip arp inspection statistics vlan vlan id switchxxxxxx show ip arp inspection li...

Page 336: ...P Inspection feature Example switchxxxxxx show ip arp inspection statistics Vlan Forwarded Packets Dropped Packets IP MAC Failures 2 1500100 80 13 31 clear ip arp inspection statistics Use the clear ip arp inspection statistics Privileged EXEC mode command to clear statistics ARP Inspection statistics globally Syntax clear ip arp inspection statistics vlan vlan id Parameters vlan id Specifies VLAN...

Page 337: ...e id Parameters interface id Interface identifier Default Configuration N A Command Mode Privileged EXEC mode User Guidelines This command restarts DHCP for an IPv6 client on a specified interface after first releasing and unconfiguring previously acquired prefixes and other configuration options for example Domain Name System DNS servers Example The following example restarts the DHCP for IPv6 cl...

Page 338: ...fresh time in seconds The value cannot be less than the minimal acceptable refresh time configured by the ipv6 dhcp client information refresh command The maximum value that can be used is 4 294967 294 seconds 0xFFFFFFFE infinite Infinite refresh time Default Configuration The default is 86 400 seconds 24 hours Command Mode Interface Configuration mode User Guidelines The ipv6 dhcp client informat...

Page 339: ...ite no ipv6 dhcp client information refresh minimum Parameters seconds The refresh time in seconds The minimum value that can be used is 600 seconds The maximum value that can be used is 4 294 967 294 seconds 0xFFFFFFFE infinite Infinite refresh time Default Configuration The default is 86 400 seconds 24 hours Command Mode Interface Configuration mode User Guidelines The ipv6 dhcp client informati...

Page 340: ... days switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 dhcp client stateless switchxxxxxx config if ipv6 dhcp client information refresh 172800 switchxxxxxx config if exit 14 4 ipv6 dhcp client stateless Use the ipv6 dhcp client stateless command in Interface Configuration mode to enable DHCP for an IPv6 client process and to enable request for stateless configuration through the...

Page 341: ...ould send messages delivered using unicast Option 23 OPTION_DNS_SERVERS List of DNS Servers IPv6 Addresses Option 24 OPTION_DOMAIN_LIST Domain Search List Option 31 OPTION_SNTP_SERVERS List of SNTP Servers IPv6 Addresses Option 32 OPTION_INFORMATION_REFRESH_TIME Information Refresh Time Option Option 41 OPTION_NEW_POSIX_TIMEZONE New Timezone Posix String Option 59 OPT_BOOTFILE_URL Configuration Se...

Page 342: ... identifier The vendor defined non empty hex string up to 64 hex characters If the number of the character is not even 0 is added at the right Each 2 hex characters can be separated by a period or colon Default Configuration DUID Based on Link layer Address DUID LL is used The base MAC Address is used as a Link layer Address Command Mode Global Configuration mode User Guidelines By default the DHC...

Page 343: ...eters ipv6 address interface id Relay destination IPv6 address in the form documented in RFC 4291 where the address is specified in hexadecimal using 16 bit values between colons There are the following types of relay destination address Link local Unicast address A user must specify the interface id argument for this kind of address Global Unicast IPv6 address If the interface id argument is omit...

Page 344: ...y destination Use the no form of the command with the ipv6 address and interface id arguments to remove only the given globally defined address with the given output interface Use the no form of the command with the ipv6 address argument to remove only the given globally defined address for all output interfaces The no form of the command without the arguments removes all the globally defined addr...

Page 345: ...s specified in hexadecimal using 16 bit values between colons There are the following types of relay destination address Link local Unicast address A user must specify the interface id argument for this kind of address Global Unicast IPv6 address If the interface id argument is omitted then the Routing table is used interface id Interface identifier that specifies the output interface for a destin...

Page 346: ...rface for this kind of address If no output interface is configured for a destination the output interface is determined by routing tables In this case it is recommended that a Unicast or Multicast routing protocol be running on the router Multiple destinations can be configured on one interface and multiple output interfaces can be configured for one destination When the relay agent relays messag...

Page 347: ...lan 200 switchxxxxxx config if exit Example 3 The following example sets the Unicast global relay destination address and enables the DHCPv6 Relay on VLAN 100 if it was not enabled switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 dhcp relay destination 3002 1 2 switchxxxxxx config if exit Example 4 The following example enables DHCPv6 relay on VLAN 100 switchxxxxxx config interfa...

Page 348: ...n the link layer address for both client and server identifiers The device uses the MAC address from the lowest numbered interface to form the DUID The network interface is assumed to be permanently attached to the device Examples Example 1 The following is sample output from this command when the switch s UDID format is vendor based on enterprise number switchxxxxxx show ipv6 dhcp The switch s DH...

Page 349: ...itchxxxxxx show ipv6 dhcp The switch s DHCPv6 unique identifier DUID is 000300010024012607AA Format 3 Hardware type 1 MAC Address 0024 0126 07AA Relay Destinations 2001 001 250 A2FF FEBF A056 2001 1001 250 A2FF FEBF A056 2001 1011 250 A2FF FEBF A056 via VLAN 100 FE80 250 A2FF FEBF A056 via VLAN 100 FE80 250 A2FF FEBF A056 via VLAN 200 14 9 show ipv6 dhcp interface Use the show ipv6 dhcp interface ...

Page 350: ...how ipv6 dhcp interface VLAN 100 is in client mode DHCP Operational mode is enabled Stateless Service is enabled Reconfigure service is enabled Information Refresh Minimum Time 600 seconds Information Refresh Time 86400 seconds Received Information Refresh Time 3600 seconds Remain Information Refresh Time 411 seconds DHCP server Address FE80 202 FCFF FEA1 7439 DUID 000300010002FCA17400 Preference ...

Page 351: ...efresh Minimum Time 600 seconds Information Refresh Time 86400 seconds Remain Information Refresh Time 0 seconds VLAN 1010 is in relay mode DHCP Operational mode is enabled Relay source interface VLAN 101 Relay destinations 2001 001 250 A2FF FEBF A056 FE80 250 A2FF FEBF A056 via FastEthernet 1 0 10 VLAN 2000 is in client mode DHCP Operational mode is disabled Interface status is DOWN Stateless Ser...

Page 352: ...rs 1001 1 2001 10 DNS Domain Search List company com beta org SNTP Servers 2004 1 POSIX Timezone string EST5EDT4 M3 2 0 02 00 M11 1 0 02 00 Configuration Server config company com Configuration Path Name qqq config aaa_config dat Indirect Image Path Name qqq config aaa_image_name txt ...

Page 353: ...ll the dynamic hostname to address mappings are to be deleted from the DNS client name to address cache Default Configuration No hostname to address mapping entries are deleted from the DNS client name to address cache Command Mode Privileged EXEC mode User Guidelines To remove the dynamic entry that provides mapping information for a single hostname use the hostname argument To remove all the dyn...

Page 354: ... ip domain lookup command in Global Configuration mode to enable the IP Domain Naming System DNS based host name to address translation To disable the DNS use the no form of this command Syntax ip domain lookup no ip domain lookup Parameters N A Default Configuration Enabled Command Mode Global Configuration mode Example The following example enables DNS based host name to address translation swit...

Page 355: ... name from the domain name Length 1 158 characters Maximum label length of each domain level is 63 characters Default Configuration No default domain name is defined Command Mode Global Configuration mode User Guidelines Any IP hostname that does not contain a domain name that is any name without a dot will have the dot and the default domain name appended to it before being added to the host tabl...

Page 356: ...tion The default value is 2 R 1 T where R is a value configured by the ip domain retry command T is a value configured by the ip domain timeout command Command Mode Global Configuration mode User Guidelines Some applications communicate with the given IP address continuously DNS clients for such applications which have not received resolution of the IP address or have not detected a DNS server usi...

Page 357: ... retry sending a DNS query to the DNS server The range is from 0 to 16 Default Configuration The default value is 1 Command Mode Global Configuration mode User Guidelines The number argument specifies how many times the DNS query will be sent to a DNS server until the switch decides that the DNS server does not exist Example The following example shows how to configure the switch to send out 10 DN...

Page 358: ...ration mode User Guidelines Use the command to change the default time out value Use the no form of this command to return to the default time out value Example The following example shows how to configure the switch to wait 50 seconds for a response to a DNS query switchxxxxxx config ip domain timeout 50 15 7 ip host Use the ip host Global Configuration mode command to define the static host name...

Page 359: ...ode Global Configuration mode User Guidelines Host names are restricted to the ASCII letters A through Z case insensitive the digits 0 through 9 the underscore and the hyphen A period is used to separate labels An IP application will receive the IP addresses in the following order 1 IPv6 addresses in the order specified by the command 2 IPv4 addresses in the order specified by the command Use the ...

Page 360: ...rs server address1 IPv4 or IPv6 addresses of a single name server server address2 server address8 IPv4 or IPv6 addresses of additional name servers Default Configuration No name server IP addresses are defined Command Mode Global Configuration mode User Guidelines The preference of the servers is determined by the order in which they were entered Each ip name server command replaces the configurat...

Page 361: ...or all configured DNS views This is the default hostname The specified host name cache information displayed is to be limited to entries for a particular host name Command Mode Privileged EXEC mode Default Configuration Default is all User Guidelines This command displays the default domain name a list of name server hosts and the cached list of host names and addresses Example The following is sa...

Page 362: ...2 0 2 205 static 3 192 0 2 105 DHCPv6 vlan 100 1 2002 0 22AC 11 231A 0BB4 DHCPv4 vlan 1 1 192 1 122 20 DHCPv4 vlan 1 2 154 1 122 20 Casche Table Flags static dynamic OK Ne OK Okay Ne Negative Cache No Response Host Flag Address Age in preference order example1 company com dynamic OK 2002 0 130F 0A0 1504 0BB4 1 112 0 2 10 176 16 8 8 123 124 173 0 2 30 39 example2 company com dynamic example3 compan...

Page 363: ...prefix length remove ip address any mask prefix length no security suite deny fragmented Parameters add ip address any Specifies the destination IP address Use any to specify all IP addresses mask Specifies the network mask of the IP address prefix length Specifies the number of bits that comprise the IP address prefix The prefix length must be preceded by a forward slash Default Configuration Fra...

Page 364: ...ny icmp To discard ICMP echo requests from a specific interface to prevent attackers from knowing that the device is on the network use the security suite deny icmp Interface Ethernet Port Channel Configuration mode command To permit echo requests use the no form of this command Syntax security suite deny icmp add ip address any mask prefix length remove ip address any mask prefix length no securi...

Page 365: ...xx config interface gi11 switchxxxxxx config if security suite deny icmp add any 32 To perform this command DoS Prevention must be enabled in the per interface mode 16 3 security suite deny martian addresses To deny packets containing system reserved IP addresses or user defined IP addresses use the security suite deny martian addresses Global Configuration mode command To restore the default use ...

Page 366: ...rs reserved add remove Add or remove the table of reserved addresses below ip address Adds discards packets with the specified IP source or destination address mask Specifies the network mask of the IP address prefix length Specifies the number of bits that comprise the IP address prefix The prefix length must be preceded by a forward slash reserved Discards packets with the source or destination ...

Page 367: ... the security suite deny syn Interface Ethernet Port Channel Configuration mode command This a complete block of these connections To permit creation of TCP connections use the no form of this command Address Block Present Use 0 0 0 0 8 except when 0 0 0 0 32 is the source address Addresses in this block refer to source hosts on this network 127 0 0 0 8 This block is assigned for use as the Intern...

Page 368: ...p ftp control ftp data ssh telnet smtp or port number Use any to specify all ports Default Configuration Creation of TCP connections is allowed from all interfaces If the mask is not specified it defaults to 255 255 255 255 If the prefix length is not specified it defaults to 32 Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines For this command to work show security s...

Page 369: ...all ingressing TCP packets in which both SYN and FIN are set use the security suite deny syn fin Global Configuration mode command To permit TCP packets in which both SYN and FIN are set use the no form of this command Syntax security suite deny syn fin no security suite deny syn fin Parameters This command has no arguments or keywords Default Configuration The feature is disabled by default Comma...

Page 370: ...eters add remove attack Specifies the attack type to add remove To add an attack is to provide protection against it to remove the attack is to remove protection The possible attack types are stacheldraht Discards TCP packets with source TCP port 16660 invasor trojan Discards TCP packets with destination TCP port 2140 and source TCP port 1024 back orifice trojan Discards UDP packets with destinati...

Page 371: ... length no security suite dos syn attack any ip address mask prefix length Parameters syn rate Specifies the maximum number of connections per second Range 199 1000 any ip address Specifies the destination IP address Use any to specify all IP addresses mask Specifies the network mask of the destination IP address prefix length Specifies the number of bits that comprise the destination IP address p...

Page 372: ...ck 199 any 10 To perform this command DoS Prevention must be enabled in the per interface mode 16 8 security suite enable To enable the security suite feature use the security suite enable Global Configuration mode command This feature supports protection against various types of attacks When this command is used hardware resources are reserved These hardware resources are released when the no sec...

Page 373: ...his keyword is not used security suite commands can be used both globally on per interface Default Configuration The security suite feature is disabled If global rules only is not specified the default is to enable security suite globally and per interfaces Command Mode Global Configuration mode User Guidelines MAC ACLs must be removed before the security suite is enabled The rules can be re enter...

Page 374: ...uite dos syn attack 199 any 10 switchxxxxxx config if 16 9 security suite syn protection mode To set the TCP SYN protection mode use the security suite syn protection mode Global Configuration mode command To set the TCP SYN protection mode to default use the no form of this command Syntax For security suite syn protection mode disabled report block no security suite syn protection mode Parameters...

Page 375: ... protection mode report 01 Jan 2012 05 29 46 A TCP SYN Attack was identified on port gi11 s Example 2 The following example sets the TCP SYN protection feature to block TCP SYN attack on ports in case an attack is identified from these ports switchxxxxxx config security suite syn protection mode block 01 Jan 2012 05 29 46 A TCP SYN Attack was identified on port gi11 TCP SYN traffic destined to the...

Page 376: ... following example sets the TCP SYN period to 100 seconds switchxxxxxx config security suite syn protection recovery 100 16 11 security suite syn protection threshold To set the threshold for the SYN protection feature use the security suite syn protection threshold Global Configuration mode command To set the threshold to its default value use the no form of this command Syntax security suite syn...

Page 377: ...onfiguration Command Mode User EXEC mode Example The following example displays the security suite configuration switchxxxxxx show security suite configuration Security suite is enabled Per interface rules are enabled Denial Of Service Protect stacheldraht invasor trojan back office trojan Denial Of Service SYN FIN Attack is enabled Denial Of Service SYN Attack Interface gi11 IP Address 176 16 23 ...

Page 378: ...types Ethernet port of Port Channel Command Mode User EXEC mode User Guidelines Use the Interface ID to display information on a specific interface Example The following example displays the TCP SYN protection feature configuration and current status on all interfaces In this example port gi12 is attacked but since there is a user ACL on this port it cannot become blocked so its status is Reported...

Page 379: ...9 OL 32830 01 Command Line Interface Reference Guide 16 gi11 Attacked 19 58 22 289 PDT Feb 19 2012 Blocked and Reported gi12 Attacked 19 58 22 289 PDT Feb 19 2012 Reported gi13 Attacked 19 58 22 289 PDT Feb 19 2012 Blocked and Reported ...

Page 380: ... is enabled Command Mode Global Configuration mode User Guidelines In order for EEE to work the device at the other end of the link must also support EEE and have it enabled In addition for EEE to work properly auto negotaition must be enabled however if the port speed is negotiated as 1Giga EEE always works regardless of whether the auto negotiation status is enabled or disabled If auto negotiati...

Page 381: ...eywords Default Configuration EEE is enabled Command Mode Interface Ethernet Configuration mode User Guidelines If auto negotiation is not enabled on the port and its speed is 1 Giga the EEE operational status is disabled Example switchxxxxxx config interface gi11 switchxxxxxx config if eee enable 17 3 eee lldp enable To enable EEE support by LLDP on an Ethernet port use the eee lldp enable Interf...

Page 382: ...ing EEE LLDP advertisement enables devices to choose and change system wake up times in order to get the optimal energy saving mode Example switchxxxxxx config interface gi11 switchxxxxxx config if eee lldp enable 17 4 show eee Use the show eee EXEC command to display EEE information Syntax show eee interface id Parameters interface id Optional Specify an Ethernet port Defaults None Command Mode P...

Page 383: ...displayed when a port is in the Not Present state no information is displayed if the port supports EEE switchxxxxxx show eee gi11 Port Status notPresent EEE Administrate status enabled EEE LLDP Administrate status enabled Example 3 The following is the information displayed when the port is in status DOWN switchxxxxxx show eee gi11 Port Status DOWN EEE capabilities Speed 10M EEE not supported Spee...

Page 384: ...itchxxxxxx show eee gi14 Port Status UP EEE capabilities Speed 10M EEE not supported Speed 100M EEE supported Speed 1G EEE supported Current port speed 1000Mbps EEE Remote status disabled EEE Administrate status enabled EEE Operational status disabled neighbor does not support EEE LLDP Administrate status enabled EEE LLDP Operational status disabled Example 6 The following is the information displ...

Page 385: ...ort Status UP EEE capabilities Speed 10M EEE not supported Speed 100M EEE supported Speed 1G EEE supported Current port speed 1000Mbps EEE Remote status enabled EEE Administrate status enabled EEE Operational status enabled EEE LLDP Administrate status disabled EEE LLDP Operational status disabled Resolved Tx Timer 10usec Local Tx Timer 10 usec Resolved Timer 25 usec Local Rx Timer 20 usec Example...

Page 386: ... 25 usec Local Rx Timer 20 usec Remote Tx Timer 25 usec Example 9 The following is the information displayed when EEE is running on the port EEE LLDP is enabled but not synchronized with the remote link partner switchxxxxxx show eee gi14 Port Status up EEE capabilities Speed 10M EEE not supported Speed 100M EEE supported Speed 1G EEE supported Current port speed 1000Mbps EEE Remote status enabled ...

Page 387: ...E capabilities Speed 10M EEE not supported Speed 100M EEE supported Speed 1G EEE supported Current port speed 1000Mbps EEE Remote status enabled EEE Administrate status enabled EEE Operational status enabled EEE LLDP Administrate status enabled EEE LLDP Operational status enabled Resolved Tx Timer 10usec Local Tx Timer 10 usec Remote Rx Timer 5 usec Resolved Timer 25 usec Local Rx Timer 20 usec Re...

Page 388: ...x interface interface id Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port port channel VLAN range IP interface or tunnel Default Configuration None Command Mode Global Configuration mode Examples Example 1 For Ethernet ports switchxxxxxx config interface gi11 switchxxxxxx config if Example 2 For port channels LAGs switchxxxxxx confi...

Page 389: ...t Configuration None Command Mode Interface Ethernet Port Channel VLAN Configuration mode User Guidelines Commands under the interface range context are executed independently on each interface in the range If the command returns an error on one of the interfaces it does not stop the execution of the command on other interfaces Example switchxxxxxx config interface range gi11 4 switchxxxxxx config...

Page 390: ...from to higher levels For example if you shut down a VLAN on which an IP interface is configured bridging into the VLAN continues but the switch cannot transmit and receive IP traffic on the VLAN Notes If the switch shuts down an Ethernet port it additionally shuts down the port MAC sublayer too If the switch shuts down a port channel it additionally shuts down all ports of the port channel too Ex...

Page 391: ...hxxxxxx config interface tunnel 1 switchxxxxxx config if shutdown switchxxxxxx config if Example 5 The following example shuts down Port Channel 3 switchxxxxxx config interface po3 switchxxxxxx config if shutdown switchxxxxxx config if 18 4 operation time To control the time that the port is up use the operation time Interface Ethernet Port Channel Configuration mode command To cancel the time ran...

Page 392: ...d to end stations in order to proceed to the forwarding state immediately after successful authentication Example The operation time command influences the port if the port status is up This command defines the time frame during which the port stays up and at which time the port will be shutdown While the port is in shutdown because of other reasons this command has no effect The following example...

Page 393: ...nfiguration mode Example The following example adds the description SW 3 to gi14 switchxxxxxx config interface gi14 switchxxxxxx config if description SW 3 18 6 speed To configure the speed of a given Ethernet interface when not using auto negotiation use the speed Interface Ethernet Port Channel Configuration mode command To restore the default configuration use the no form of this command Syntax...

Page 394: ...ed of gi14 to 100 Mbps operation switchxxxxxx config interface gi14 switchxxxxxx config if speed 100 18 7 duplex To configure the full half duplex operation of a given Ethernet interface when not using auto negotiation use the duplex Interface Ethernet Port Channel Configuration mode command To restore the default configuration use the no form of this command Syntax duplex half full no duplex Para...

Page 395: ...e auto negotiation use the no form of this command Syntax negotiation capability capability2 capability5 preferred master slave no negotiation Parameters Capability Optional Specifies the capabilities to advertise Possible values 10h 10f 100h 100f 1000f 10h Advertise 10 half duplex 10f Advertise 10 full duplex 100h Advertise 100 half duplex 100f Advertise 100 full duplex 1000f Advertise 1000 full ...

Page 396: ...ure the Flow Control on a given interface use the flowcontrol Interface Ethernet Port Channel Configuration mode command To disable Flow Control use the no form of this command Syntax flowcontrol auto on off no flowcontrol Parameters auto Specifies auto negotiation of Flow Control on Enables Flow Control off Disables Flow Control Default Configuration Flow control is Disabled Command Mode Interfac...

Page 397: ...a given interface use the mdix Interface Ethernet Configuration mode command To disable cable crossover use the no form of this command Syntax mdix on auto no mdix Parameters on Enables manual MDIX auto Enables automatic MDI MDIX Default Configuration The default setting is Auto Command Mode Interface Ethernet Configuration mode Example The following example enables automatic crossover on port gi1...

Page 398: ...meters This command has no arguments or keywords Default Configuration Back pressure is disabled Command Mode Interface Ethernet Configuration mode User Guidelines Back pressure cannot be enabled when EEE is enabled Example The following example enables back pressure on port gi11 switchxxxxxx config interface gi11 switchxxxxxx config if back pressure 18 12 port jumbo frame To enable jumbo frames o...

Page 399: ...This command takes effect only after resetting the device Example The following example enables jumbo frames on the device switchxxxxxx config port jumbo frame 18 13 clear counters To clear counters on all or on a specific interface use the clear counters Privileged EXEC mode command Syntax clear counters interface id Parameters interface id Optional Specifies an interface ID The interface ID can ...

Page 400: ...ut down use the set interface active Privileged EXEC mode command Syntax set interface active interface id Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel Command Mode Privileged EXEC mode User Guidelines This command is used to activate interfaces that were configured to be active but were shut down by the...

Page 401: ...u guard loopback detection udld Parameters all Enables the error recovery mechanism for all reasons described below port security Enables the error recovery mechanism for the port security Err Disable state dot1x src address Enables the error recovery mechanism for the 802 1x Err Disable state acl deny Enables the error recovery mechanism for the ACL Deny Err Disable state stp bpdu guard Enables t...

Page 402: ... interval Global Configuration mode command To return to the default configuration use the no form of this command Syntax errdisable recovery interval seconds no errdisable recovery interval Parameters seconds Specifies the error recovery timeout interval in seconds Range 30 86400 Default Configuration The default error recovery timeout interval is 300 seconds Command Mode Global Configuration mod...

Page 403: ...s regardless of their state port security Reactivate all interfaces in the Port Security Err Disable state dot1x src address Reactivate all interfaces in the 802 1x Err Disable state acl deny Reactivate all interfaces in the ACL Deny Err Disable state stp bpdu guard Reactivate all interfaces in the STP BPDU Guard Err Disable state loopback detection Reactivate all interfaces in the Loopback Detect...

Page 404: ...y 18 18 show interfaces configuration To display the configuration for all configured interfaces or for a specific interface use the show interfaces configuration Privileged EXEC mode command Syntax show interfaces configuration interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed ...

Page 405: ...e Speed Neg Control State Po1 Disabled Off Up 18 19 show interfaces status To display the status of all interfaces or of a specific interface use the show interfaces status Privileged EXEC mode command Syntax show interfaces status interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detail...

Page 406: ...00 Disabled Off Up 18 20 show interfaces advertise To display auto negotiation advertisement information for all configured interfaces or for a specific interface use the show interfaces advertise Privileged EXEC mode command Syntax show interfaces advertise interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet ...

Page 407: ...aster Slave Operational Link Advertisement 1000f 100f 10f 10h 1000f switchxxxxxx show interfaces advertise gi11 Port gi11 Type 1G Copper Link state Up Auto Negotiation enabled Preference Master Admin Local link Advertisement Oper Local link Advertisement Remote Local link Advertisement Priority Resolution 10h yes yes no 10f yes yes no 100h yes yes yes 100f yes yes yes 1000f yes yes yes yes switchx...

Page 408: ...s an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Default Configuration Display description for all interfaces If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Example The following example displays the description of a...

Page 409: ...f the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Default Configuration Display counters for all interfaces If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Example The following example displays traffic seen by all the physical interfaces switchxxxxxx show interfac...

Page 410: ...ine Interface Reference Guide 410 18 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Excessive Collisions 0 Carrier Sense Errors 0 Oversize Packets 0 Internal MAC Rx Errors 0 Symbol Errors 0 Received Pause Frames 0 ...

Page 411: ...of frames that are involved in a single collision and are subsequently transmitted successfully Multiple Collision Frames Number of frames that are involved in more than one collision and are subsequently transmitted successfully SQE Test Errors Number of times that the SQE TEST ERROR is received The SQE TEST ERROR is set in accordance with the rules for verification of the SQE detection mechanism...

Page 412: ...leged EXEC mode Example The following example displays whether jumbo frames are enabled on the device switchxxxxxx show ports jumbo frame Jumbo frames are disabled Jumbo frames will be enabled after reset Internal MAC Rx Errors Number of frames for which reception fails due to an internal MAC sublayer receive error Received Pause Frames Number of MAC Control frames received with an opcode indicati...

Page 413: ...how errdisable recovery Parameters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Example The following example displays the Err Disable configuration switchxxxxxx show errdisable recovery Timer interval 300 Seconds Reason Automatic Recovery port security Disable dot1x src address Disable acl deny Enable stp bpdu guard Disable stp loopback gu...

Page 414: ...ional Port or port channel number Default Configuration Display for all interfaces Command Mode Privileged EXEC mode Example The following example displays the Err Disable state of gi1 switchxxxxxx show errdisable interfaces Interface Reason gi11 stp bpdu guard 18 26 storm control broadcast enable To enable storm control on a port use the storm control broadcast enable Interface Configuration mode...

Page 415: ...e switchxxxxxx config interface gi11 switchxxxxxx config if storm control broadcast enable 18 27 storm control broadcast level To configure the maximum rate of broadcast use the storm control broadcast level Interface Ethernet Configuration mode command To return to default use the no form of this command Syntax storm control broadcast level level kbps kbps no storm control broadcast level Paramet...

Page 416: ... 1 Set to specific level switchxxxxxx config interface gi11 switchxxxxxx config if storm control broadcast level 20 Example 2 Set to specific rate switchxxxxxx config interface gi11 switchxxxxxx config if storm control broadcast kbps 10000 18 28 storm control include multicast To count Multicast packets in a Broadcast storm control use the storm control include multicast Interface Configuration mo...

Page 417: ...et Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if storm control include multicast 18 29 show storm control To display the configuration of storm control for a port use the show storm control Privileged EXEC mode command Syntax show storm control interface id Parameters interface id Optional Specifies the Ethernet port Default Configuration Display for all inte...

Page 418: ...rface Reference Guide 418 18 Example switchxxxxxx show storm control Port State Admin Rate Oper Rate Included Kb Sec gi11 Enabled 12345 Kb Sec 12345 Broadcast Multicast Unknown Unicast gi12 Disabled 100000 Kb Sec 100000 Broadcast gi13 Enabled 10 000000 Broadcast ...

Page 419: ...is command Syntax green ethernet energy detect no green ethernet energy detect Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Global Configuration mode Example switchxxxxxx config green ethernet energy detect 19 2 green ethernet energy detect interface Use the green ethernet energy detect Interface configuration mode command to enable Green Etherne...

Page 420: ... a port is enabled for auto selection copper fiber Energy Detect cannot work It takes the PHY 5 seconds to fall into sleep mode when the link is lost after normal operation Example switchxxxxxx config interface gi11 switchxxxxxx config if green ethernet energy detect 19 3 green ethernet short reach global Use the green ethernet short reach Global Configuration mode command to enable Green Ethernet...

Page 421: ... Configuration mode command to enable green ethernet short reach mode on a port Use the no form of this command to disable it on a port Syntax green ethernet short reach no green ethernet short reach Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Interface Ethernet Configuration mode User Guidelines The VCT length check can be performed only on a c...

Page 422: ... enabled Example switchxxxxxx config interface gi11 switchxxxxxx config if green ethernet short reach 19 5 green ethernet power meter reset Use the green ethernet power meter reset Privileged EXEC mode command to reset the power save meter Syntax green ethernet power meter reset Parameters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Exampl...

Page 423: ...vileged EXEC mode User Guidelines The power savings displayed is relevant to the power saved by Port LEDs Energy detect Short reach The EEE power saving is dynamic by nature since it is based on port utilization and is therefore not taken into consideration The following describes the reasons for non operation displayed by this command If there are a several reasons then only the highest priority ...

Page 424: ...Watt Hour Short Reach cable length threshold 50m Port Energy Detect Short Reach VCT Cable Admin Oper Reason Admin Force Oper Reason Length gi11 on on off off off gi12 on off LU on off off 50 gi13 on off LU off off off Short Reach Non Operational Reasons Priority Reason Description 1 NP Port is not present 2 LT Link Type is not supported fiber 3 LS Link Speed Is not Supported 100M 10M 4 LL Link Len...

Page 425: ...r gvrp statistics Privileged EXEC mode command Syntax clear gvrp statistics interface id Parameters Interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration All GVRP statistics are cleared Command Mode Privileged EXEC mode Example The following example clears all GVRP statistical information on gi14 switc...

Page 426: ...orm of this command Syntax gvrp enable no gvrp enable Parameters This command has no arguments or keywords Default Configuration GVRP is globally disabled Command Mode Global Configuration mode Example The following example enables GVRP globally on the device switchxxxxxx config gvrp enable 20 3 gvrp enable Interface To enable GVRP on an interface use the gvrp enable Interface Ethernet Port Channe...

Page 427: ...is propagated in the same way as in a tagged VLAN That is the PVID must be manually defined as the untagged VLAN ID Example The following example enables GVRP on gi14 switchxxxxxx config interface gi14 switchxxxxxx config if gvrp enable 20 4 gvrp registration forbid To deregister all dynamic VLANs on a port and prevent VLAN creation or registration on the port use the gvrp registration forbid Inte...

Page 428: ... switchxxxxxx config if gvrp registration forbid 20 5 gvrp vlan creation forbid To disable dynamic VLAN creation or modification use the gvrp vlan creation forbid Interface Configuration mode command To enable dynamic VLAN creation or modification use the no form of this command Syntax gvrp vlan creation forbid no gvrp vlan creation forbid Parameters This command has no arguments or keywords Defau...

Page 429: ...eters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Default Configuration All GVRP statistics are displayed for all interfaces If detailed is not used only present ports are displayed Command Mode User EXEC mode Example The fol...

Page 430: ...interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration All GVRP error statistics are displayed Command Mode User EXEC mode Example The following example displays GVRP error statistics switchxxxxxx show gvrp error statistics GVRP Error Statistics Legend INVPROT Invalid Protocol Id INVATYP Invalid Attribu...

Page 431: ...ifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration All GVRP statistics are displayed Command Mode User EXEC mode Example The following example displays GVRP statistical information switchxxxxxx show gvrp statistics GVRP statistics Legend rJE rEmp rLE sJE sEmp sLE Join Empty Received Empty Received Leave Empty Received Join E...

Page 432: ...ommands OL 32830 01 Command Line Interface Reference Guide 432 20 Port gi11 gi12 gi13 gi14 rJE 0 0 0 0 rJIn 0 0 0 0 rEmp 0 0 0 0 rLIn 0 0 0 0 rLE 0 0 0 0 rLA 0 0 0 0 sJE 0 0 0 0 sJIn 0 0 0 0 sEmp 0 0 0 0 sLIn 0 0 0 0 sLE 0 0 0 0 sLA 0 0 0 0 ...

Page 433: ...se the no form of this command Syntax ip igmp snooping no ip igmp snooping Default Configuration Disabled Command Mode Global Configuration mode Example The following example enables IGMP snooping switchxxxxxx config ip igmp snooping 21 2 ip igmp snooping vlan To enable IGMP snooping on a specific VLAN use the ip igmp snooping vlan command in Global Configuration mode To return to the default use ...

Page 434: ...ommand The user guidelines of the bridge multicast mode command describes the configuration that is written into the FDB as a function of the FDB mode and the IGMP version that is used in the network Example switchxxxxxx config ip igmp snooping vlan 2 21 3 ip igmp snooping vlan mrouter To enable automatic learning of Multicast router ports on a VLAN use the ip igmp snooping vlan mrouter command in...

Page 435: ...reated Example switchxxxxxx config ip igmp snooping vlan 1 mrouter learn pim dvmrp 21 4 ip igmp snooping vlan mrouter interface To define a port that is connected to a Multicast router port use the ip igmp snooping mrouter interface command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id mrouter interface interface list no ...

Page 436: ...snooping vlan forbidden mrouter To forbid a port from being defined as a Multicast router port by static configuration or by automatic learning use the ip igmp snooping vlan forbidden mrouter command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id forbidden mrouter interface interface list no ip igmp snooping vlan vlan id f...

Page 437: ...ticast address to the bridge table and to add static ports to the group defined by this address use the ip igmp snooping vlan static command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id static ip address interface interface list no ip igmp snooping vlan vlan id static ip address interface interface list Parameter vlan id...

Page 438: ...nooping vlan multicast tv To define the Multicast IP addresses that are associated with a Multicast TV VLAN use the ip igmp snooping vlan multicast tv command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id multicast tv ip multicast address count number no ip igmp snooping vlan vlan id multicast tv ip multicast address coun...

Page 439: ...IP addresses that are associated with the Multicast TV VLAN Up to 256 VLANs can be configured Example switchxxxxxx config ip igmp snooping vlan 1 multicast tv 239 2 2 2 count 3 21 8 ip igmp snooping map cpe vlan To map CPE VLANs to Multicast TV VLANs use the ip igmp snooping map cpe vlan command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp sn...

Page 440: ...ple maps CPE VLAN 2 to Multicast TV VLAN 31 switchxxxxxx config ip igmp snooping map cpe vlan 2 multicast tv vlan 31 21 9 ip igmp snooping querier To enable globally the IGMP Snooping querier use the ip igmp snooping querier command in Global Configuration mode To disable the IGMP Snooping querier globally use the no form of this command Syntax ip igmp snooping querier no ip igmp snooping querier ...

Page 441: ...bal Configuration mode To disable the IGMP Snooping querier on the VLAN interface use the no form of this command Syntax ip igmp snooping vlan vlan id querier no ip igmp snooping vlan vlan id querier Parameters vlan id Specifies the VLAN Default Configuration Disabled Command Mode Global Configuration mode User Guidelines The IGMP Snooping querier can be enabled on a VLAN only if IGMP Snooping is ...

Page 442: ...n IP address is configured for the VLAN it is used as the source address of the IGMP snooping querier If there are multiple IP addresses the minimum IP address defined on the VLAN is used Command Mode Global Configuration mode User Guidelines If an IP address is not configured by this command and no IP address is configured for the querier s VLAN the querier is disabled Example switchxxxxxx config...

Page 443: ...l Query messages for 60 seconds from the time it was enabled During this time if the switch did not receive an IGMP query from another Querier it starts sending General Query messages Once the switch acts as a Querier it will stop sending General Query messages if it detects another Querier on the VLAN In this case the switch will resume sending General Query messages if it does hear another Queri...

Page 444: ...VLAN querier version 2 Specifies that the IGMP version would be IGMPv2 querier version 3 Specifies that the IGMP version would be IGMPv3 Default Configuration IGMPv2 Command Mode Global Configuration mode Example The following example sets the version of the IGMP Snooping Querier VLAN 1 to 3 switchxxxxxx config ip igmp snooping vlan 1 querier version 3 21 14 ip igmp snooping vlan immediate leave T...

Page 445: ...ecute the command before the VLAN is created Example The following example enables IGMP snooping immediate leave feature on VLAN 1 switchxxxxxx config ip igmp snooping vlan 1 immediate leave 21 15 show ip igmp snooping cpe vlans To display the CPE VLAN to Multicast TV VLAN mappings use the show ip igmp snooping cpe vlans command in User EXEC mode Syntax show ip igmp snooping cpe vlans vlan vlan id...

Page 446: ...an id address ip multicast address source ip address Parameters vlan vlan id Optional Specifies the VLAN ID address ip multicast address Optional Specifies the IP multicast address source ip address Optional Specifies the IP source address Command Mode User EXEC mode User Guidelines To see all Multicast groups learned by IGMP snooping use the show ip igmp snooping groups command without parameters...

Page 447: ...ing interface vlan id Parameters vlan id Specifies the VLAN ID Command Mode User EXEC mode Example The following example displays the IGMP snooping configuration for VLAN 1000 switchxxxxxx show ip igmp snooping interface 1000 IGMP Snooping is globally enabled IGMP Snooping Querier is globally enabled VLAN 1000 IGMP Snooping is enabled IGMP snooping last immediate leave enable Automatic learning of...

Page 448: ...in 2 oper 2 IGMP snooping last member query interval admin 1000 msec oper 500 msec Groups that are in IGMP version 1 compatibility mode 231 2 2 3 231 2 2 3 21 18 show ip igmp snooping mrouter To display information on dynamically learned Multicast router interfaces for all VLANs or for a specific VLAN use the show ip igmp snooping mrouter command in User EXEC mode Syntax show ip igmp snooping mrou...

Page 449: ...yntax show ip igmp snooping multicast tv vlan vlan id Parameters vlan vlan id Optional Specifies the VLAN ID Command Mode User EXEC mode Example The following example displays the IP addresses associated with all Multicast TV VLANs switchxxxxxx show ip igmp snooping multicast tv VLAN IP Address 1000 239 255 0 0 1000 239 255 0 1 1000 239 255 0 2 1000 239 255 0 3 1000 239 255 0 4 1000 239 255 0 5 10...

Page 450: ...f Commands 22 1 ip address Use the ip address Interface Configuration Ethernet VLAN Port channel mode command to define an IP address for an interface Use the no form of this command to remove an IP address definition Syntax In switch mode ip address ip address mask prefix length default gateway ip address no ip address In router mode ip address ip address mask prefix length no ip address ip addre...

Page 451: ...efined IP address is added on the interface Defining a static IP address on an interface stops a DHCP client running on the interface and removes the IP address assigned by the DHCP client If a configured IP address overlaps another configured one a warning message is displayed To change an existed IP address delete the existed one and add the new one In switch mode One IP address is supported A n...

Page 452: ...xxxxx config This IP address overlaps IP address 1 1 1 1 8 on vlan1 are you sure Y N Y switchxxxxxx config exit switchxxxxxx config interface vlan 3 switchxxxxxx config if ip address 1 3 1 1 255 255 0 0 switchxxxxxx config This IP address overlaps IP address 1 1 1 1 8 on vlan1 are you sure Y N Y switchxxxxxx config exit 22 2 ip address dhcp Use the ip address dhcp Interface Configuration Ethernet ...

Page 453: ... interface Example The following example acquires an IP address for VLAN 100 from DHCP switchxxxxxx config interface vlan100 switchxxxxxx config if ip address dhcp 22 3 renew dhcp Use the renew dhcp Privileged EXEC mode command to renew an IP address that was acquired from a DHCP server for a specific interface Syntax In switch mode renew dhcp force autoconfig In router mode renew dhcp interface i...

Page 454: ...CP client is not enabled on the interface the command returns an error message Example In switch mode The following example renews an IP address that was acquired from a DHCP server switchxxxxxx renew dhcp In router mode The following example renews an IP address on VLAN 19 that was acquired from a DHCP server switchxxxxxx renew dhcp vlan 19 22 4 ip default gateway The ip default gateway Global Co...

Page 455: ... gateway ip address command to delete one default gateway Use the no ip default gateway command to delete all default gateways Example The following example defines default gateway 192 168 1 1 switchxxxxxx config ip default gateway 192 168 1 1 22 5 show ip interface Use the show ip interface EXEC mode command to display the usability status of configured IP interfaces Syntax show ip interface inte...

Page 456: ...x show ip interface source_precedence_is_supported broadcast_address_configuration_is_supported ip_redirects_is_supported IP Address I F I F Status Type Directed Redirect Status admin oper Broadcast 10 5 230 232 24 vlan 1 UP UP Static disable Enabled Valid 10 5 234 202 24 vlan 4 UP DOWN Static disable Disabled Valid Example 2 The following example displays the IP addresses configured on the given ...

Page 457: ...C address to map to the specified IP address or IP alias interface id Address pair is added for specified interface Command Mode Global Configuration mode Default Configuration No permanent entry is defined If no interface ID is entered address pair is relevant to all interfaces User Guidelines The software uses ARP cache entries to translate 32 bit IP addresses into 48 bit hardware MAC addresses ...

Page 458: ...al in seconds during which an entry remains in the ARP cache Range 1 40000000 Default Configuration The default ARP timeout is 60000 seconds in router mode and 300 seconds in switch mode Command Mode Global Configuration mode Example The following example configures the ARP timeout to 12000 seconds switchxxxxxx config arp timeout 12000 22 8 ip arp proxy disable Use the ip arp proxy disable Global ...

Page 459: ...on The command is supported only in the router mode Example The following example globally disables ARP proxy switchxxxxxx config ip arp proxy disable 22 9 ip proxy arp Use the ip proxy arp Interface Configuration mode command to enable an ARP proxy on specific interfaces Use the no form of this command disable it Syntax ip proxy arp no ip proxy arp Default Configuration ARP Proxy is disabled Comm...

Page 460: ... in router mode switchxxxxxx config if ip proxy arp 22 10 clear arp cache Use the clear arp cache Privileged EXEC mode command to delete all dynamic entries from the ARP cache Syntax clear arp cache Command Mode Privileged EXEC mode Example The following example deletes all dynamic entries from the ARP cache switchxxxxxx clear arp cache 22 11 show arp Use the show arp Privileged EXEC mode command ...

Page 461: ...that is defined on a port or port channel the VLAN field is empty Example The following example displays entries in the ARP table 22 12 show arp configuration Use the show arp configuration privileged EXEC command to display the global and interface configuration of the ARP protocol Syntax show arp configuration Parameters This command has no arguments or key words switchxxxxxx show arp ARP timeou...

Page 462: ... configuration VLAN 1 ARP Proxy disabled ARP timeout 60000 Seconds VLAN 10 ARP Proxy enabled ARP timeout 70000 Seconds VLAN 20 ARP Proxy enabled ARP timeout 80000 Second Global 22 13 interface ip Use the interface ip Global Configuration mode command to enter the IP Interface Configuration mode Syntax interface ip ip address Parameters ip address Specifies one of the IP addresses of the device Com...

Page 463: ...ip interface all address udp port list no ip helper address ip interface all address Parameters ip interface Specifies the IP interface all Specifies all IP interfaces address Specifies the destination broadcast or host address to which to forward UDP broadcast packets A value of 0 0 0 0 specifies that UDP broadcast packets are not forwarded to any host udp port list Specifies the destination UDP ...

Page 464: ...CS Server port 49 Time Service port 37 Many helper addresses may be defined However the total number of address port pairs is limited to 128 for the device The setting of a helper address for a specific interface has precedence over the setting of a helper address for all the interfaces Forwarding of BOOTP DHCP ports 67 68 cannot be enabled with this command Use the DHCP relay commands to relay BO...

Page 465: ...The following example displays the IP helper addresses configuration on the system switchxxxxxx show ip 22 16 show ip dhcp client interface Use the show ip dhcp client interface command in User EXEC or Privileged EXEC mode to display DHCP client interface information Syntax show ip dhcp client interface interface id Parameters interface id Interface identifier Interface 192 168 1 1 192 168 2 1 Hel...

Page 466: ... Gateway 170 10 100 1 DNS Servers 115 1 1 1 87 12 34 20 DNS Domain Search List company com Host Name switch_floor7 Configuration Server Addresses 192 1 1 1 202 1 1 1 Configuration Path Name qqq config aaa_config dat Image Path Name qqq image aaa_image ros POSIX Timezone string EST5EDT4 M3 2 0 02 00 M11 1 0 02 00 VLAN 1200 is in client mode Address 180 10 100 100 Mask 255 255 255 0 T1 120 T2 192 De...

Page 467: ...edirect messages use the no form of this command Syntax ip redirects no ip redirects Parameters N A Default Configuration The sending of ICMP redirect messages is enabled Command Mode IP Configuration mode Example The following example disables the sending of ICMP redirect messages on IP interface 1 1 1 1 and re enables the messages on IP interface 2 2 2 2 switchxxxxxx config interface ip 1 1 1 1 ...

Page 468: ...nation prefix length Prefix mask for the destination Specifies the number of bits that comprise the IP address prefix The prefix length must be preceded by a forward slash Range 0 32 ip address IP address of the next hop that can be used to reach that network metric value Metric of the route The default metric is 1 Range 1 255 Default Configuration No static routes are established Command Mode Glo...

Page 469: ... metric 2 Example 3 The following example shows how to reject packets for network 194 1 1 0 switchxxxxxx config ip route 194 1 1 0 255 255 255 0 reject route Example 4 The following example shows how to remove all static routes to network 194 1 1 0 24 switchxxxxxx config no ip route 194 1 1 0 24 Example 5 The following example shows how to remove one static route to network 194 1 1 0 24 via 1 1 1 ...

Page 470: ...es static Displays static routes Command Mode User EXEC mode Privileged EXEC mode User Guidelines Use this command without parameters to display the whole IPv6 Routing table Use this command with parameters to specify required routes Examples Example 1 The following is sample output from the show ip route command when IP Routing is not enabled switchxxxxxx show ip route Maximum Parallel Paths 1 1 ...

Page 471: ...istance Next Hop Last Time Outgoing Metric IP Address Updated Interface C 10 159 0 0 16 0 1 0 0 0 0 vlan2 C 10 170 0 0 16 0 1 0 0 0 0 vlan2 S 10 175 0 0 16 1 1 10 119 254 240 vlan2 S 10 180 0 0 16 1 1 10 119 254 240 vlan2 Example 3 In the following example the logical AND operation is performed on the address 10 16 0 0 and the mask 255 255 0 0 resulting in 10 16 0 0 On each destination in the rout...

Page 472: ... 16 223 0 24 110 128 20 1 2 24 00 02 22 vlan5 S 10 16 236 0 24 110 129 30 19 54 240 00 02 23 vlan6 23 4 show ip route summary Use the show ip route summary command in User EXEC or Privileged EXEC mode to display the current contents of the IP routing table in summary format Syntax show ip route summary Parameters N A Command Mode User EXEC mode Privileged EXEC mode User Guidelines This command is ...

Page 473: ...IP Routing Protocol Independent Commands 473 OL 32830 01 Command Line Interface Reference Guide 23 Number of prefixes 16 16 18 10 22 15 24 19 ...

Page 474: ...ing ipv6 address Unicast or Multicast IPv6 address to ping When the IPv6 address is a Link Local address IPv6Z address the outgoing interface name must be specified hostname Hostname to ping Length 1 160 characters Maximum label size for each part of the host name 58 size packet_size Number of bytes in the packet not including the VLAN tag The default is 64 bytes IPv4 64 1518 IPv6 68 1518 count pa...

Page 475: ...ost using its link local address the egress interface may be specified in the IPv6Z format If the egress interface is not specified the default interface is selected When using the ping ipv6 command with a Multicast address the information displayed is taken from all received echo responses When the source keyword is configured and the source address is not an address of the switch the command is ...

Page 476: ...ss round trip ms min avg max 7 8 11 Example 3 Ping an IPv6 address switchxxxxxx ping ipv6 3003 11 Pinging 3003 11 with 64 bytes of data 64 bytes from 3003 11 icmp_seq 1 time 0 ms 64 bytes from 3003 11 icmp_seq 2 time 50 ms 64 bytes from 3003 11 icmp_seq 3 time 0 ms 64 bytes from 3003 11 icmp_seq 4 time 0 ms 3003 11 PING Statistics 4 packets transmitted 4 packets received 0 packet loss round trip m...

Page 477: ...rts Telnet Syntax telnet ip address hostname port keyword Parameters ip address Specifies the destination host IP address IPv4 or IPv6 hostname Specifies the destination host name Length 1 160 characters Maximum label size for each part of the host name 58 port Specifies the decimal TCP port number or one of the keywords listed in the Ports table in the User Guidelines keyword Specifies the one or...

Page 478: ...ssion return to system command prompt Several concurrent Telnet sessions can be opened enabling switching between the sessions To open a subsequent session the current connection has to be suspended by pressing the escape sequence keys Ctrl shift 6 and x to return to the system command prompt Then open a new connection with the telnet EXEC mode command This command lists concurrent Telnet connecti...

Page 479: ...opriate for connections to ports running UNIX to UNIX Copy Program UUCP and other non Telnet protocols Ctrl shift 6 x Returns to the System Command Prompt Keyword Description Port Number BGP Border Gateway Protocol 179 chargen Character generator 19 cmd Remote commands 514 daytime Daytime 13 discard Discard 9 domain Domain Name Service 53 echo Echo 7 exec Exec 512 finger Finger 79 ftp File Transfe...

Page 480: ...x ttl count packet_count timeout time_out source ip address tos tos traceroute ipv6 ipv6 address hostname size packet_size ttl max ttl count packet_count timeout time_out source ip address tos tos nntp Network News Transport Protocol 119 pim auto r p PIM Auto RP 496 pop2 Post Office Protocol v2 109 pop3 Post Office Protocol v3 110 smtp Simple Mail Transport Protocol 25 sunrpc Sun Remote Procedure ...

Page 481: ...es to be sent at each TTL level The default count is 3 Range 1 10 timeout time_out The number of seconds to wait for a response to a probe packet The default is 3 seconds Range 1 60 source ip address One of the interface addresses of the device to use as a source address for the probes The device selects the optimal source address by default Range Valid IP address tos tos The Type Of Service byte ...

Page 482: ...p1 physics lsa umich edu Type Esc to abort Tracing the route to umaxp1 physics lsa umich edu 141 211 101 64 1 i2 gateway stanford edu 192 68 191 83 0 msec 0 msec 0 msec 2 STAN POS calren2 NET 171 64 1 213 0 msec 0 msec 0 msec 3 SUNV STAN POS calren2 net 198 32 249 73 1 msec 1 msec 1 msec 4 Abilene QSV POS calren2 net 198 32 249 162 1 msec 1 msec 1 msec 5 kscyng snvang abilene ucaid edu 198 32 8 10...

Page 483: ...c Round trip time for each of the probes that are sent Field Description The probe timed out Unknown packet type A Administratively unreachable Usually this output indicates that an access list is blocking traffic F Fragmentation required and DF is set H Host unreachable N Network unreachable P Protocol unreachable Q Source quench R Fragment reassembly time exceeded S Source route failed U Port un...

Page 484: ...es defined at the VLAN level override the globally configured rules The globally configured rules override the system defaults You can only attach 1 policy for a specific sub feature to a VLAN You can attach multiple policies for a specific sub feature to a port if they specify different VLANs A sub feature policy does not take effect until IPv6 First Hop Security is enabled on the VLAN The sub fe...

Page 485: ...ss Only auto configuration for global IPv6 bound from NDP messages is allowed any All configuration methods for global IPv6 bound from NDP messages stateless and manual are allowed If no keyword is defined the any keyword is applied dhcp Bound from DHCPv6 is allowed Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached...

Page 486: ...ess prefix validation within an IPv6 Neighbor Binding policy use the address prefix validation command in Neighbor Binding Policy Configuration mode To return to the default use the no form of this command Syntax address prefix validation enable disable no address prefix validation Parameters enable Enables bound address prefix validation If no keyword is configured this keyword is applied by defa...

Page 487: ...olicy1 switchxxxxxx config nbr binding address prefix validation enable switchxxxxxx config nbr binding exit 25 3 clear ipv6 first hop security counters To clear IPv6 First Hop Security port counters use the clear ipv6 first hop security counters command in privileged EXEC mode Syntax clear ipv6 first hop security counters interface interface id Parameters interface interface id Clear IPv6 First H...

Page 488: ... first hop security error counters command in privileged EXEC mode Syntax clear ipv6 first hop security error counters Parameters N A Command Mode Privileged EXEC mode User Guidelines This command clears global error counters Example The following example clears IPv6 First Hop Security error counters switchxxxxxx clear ipv6 first hop security error counters 25 5 clear ipv6 neighbor binding prefix ...

Page 489: ... prefix address prefix length command to delete one specific entry Use the clear ipv6 neighbor binding prefix table vlan vlan id command to delete the dynamic entries that match the specified VLAN Use the clear ipv6 neighbor binding prefix table command to delete all dynamic entries Examples Example 1 The following example clears all dynamic entries switchxxxxxx clear ipv6 neighbor binding prefix ...

Page 490: ... Clear the dynamic entries that match the specified IPv6 address mac mac address Clear the dynamic entries that match the specified MAC address ndp Clear the dynamic entries that are bound from NDP messages dhcp Clear the dynamic entries that are bound from DHCPv6 messages Command Mode Privileged EXEC mode User Guidelines This command deletes the dynamic entries of the Neighbor Binding table The d...

Page 491: ...ient server no device role Parameters client Sets the role of the device to DHCPv6 client server Sets the role of the device to DHCPv6 server Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN client Command Mode DHCP Guard Policy Configuration mode User Guidelines If this command is part of a policy attache...

Page 492: ...ecify the role of the device attached to the port within an IPv6 Neighbor Binding policy use the device role command within IPv6 Neighbor Binding Policy Configuration mode To return to the default use the no form of this command Syntax device role perimeter internal no device role Parameters perimeter Specifies that the port is connected to devices not supporting IPv6 First Hop Security internal S...

Page 493: ...ifies ports connected to devices supporting IPv6 First Hop Security NB Integrity does not establish binding for neighbors connected to these ports but it does propagate the bindings established on perimeter ports A dynamic IPv6 address bound to a port is deleted when its role is changed from perimetrical to internal A static IPv6 address is kept Example The following example defines a Neighbor Bin...

Page 494: ...s applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN ND Inspection performs egress filtering of NDP messages depending on a port role The following table specifies the filtering rules Example The following example defines an ND Inspection policy named policy 1 and configures the port rol...

Page 495: ...ed to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN host Command Mode RA Guard Policy Configuration mode User Guidelines If this command is part of a policy attached to a VLAN it is applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN ...

Page 496: ...ng messages with no or invalid options or an invalid signature If no keyword is configured this keyword is applied by default disable Disables dropping messages with no or invalid options or an invalid signature Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN global configuration Command Mode ND inspectio...

Page 497: ...d Policy Configuration mode To return to the default use the no form of this command Syntax hop limit maximum value disable minimum value disable no hop limit maximum minimum Parameters maximum value Verifies that the hop count limit is less than or equal to the value argument Range 1 255 The value of the high boundary must be equal or greater than the value of the low boundary maximum disable Dis...

Page 498: ...switch in RA Guard Policy Configuration mode and defines a minimum Cur Hop Limit value of 5 switchxxxxxx config ipv6 nd raguard policy policy1 switchxxxxxx config ra guard hop limit minimum 5 switchxxxxxx config ra guard exit Example 2 The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and disables validation of the Cur Hop Limit ...

Page 499: ...nt by relay agents from clients to servers are not blocked See the device role IPv6 DHCP Guard command for details DHCPv6 Guard validates received DHCPv6 messages based on a DHCPv6 Guard policy attached to the source port Examples Example 1 The following example enables DHCPv6 Guard on VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 dhcp guard switchxxxxxx config if exi...

Page 500: ...he vlan keyword is not configured the policy is applied to all VLANs on the device on which DHCPv6 Guard is enabled Default Configuration The DHCPv6 Guard default policy is applied Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines Use this command to attach a DHCPv6 Guard policy to a port Each time the command is used it overrides the previous command within the same ...

Page 501: ...hxxxxxx config interface gi11 switchxxxxxx config if ipv6 dhcp guard attach policy policy1 switchxxxxxx config if exit Example 2 In the following example the DHCPv6 Guard policy policy1 is attached to the gi11 port and applied to VLANs 1 10 and 12 20 switchxxxxxx config interface gi11 switchxxxxxx config if ipv6 dhcp guard attach policy policy1 vlan 1 10 12 20 switchxxxxxx config if exit Example 3...

Page 502: ...e To return to the default use the no form of this command Syntax ipv6 dhcp guard attach policy policy name no ipv6 dhcp guard attach policy Parameters policy name The DHCPv6 Guard policy name up to 32 characters Default Configuration The DHCPv6 Guard default policy is applied Command Mode Interface VLAN Configuration mode User Guidelines Use this command to attach a DHCPv6 Guard policy to a VLAN ...

Page 503: ... the ipv6 dhcp guard policy command in Global Configuration mode To remove the DHCPv6 guard policy use the no form of this command Syntax ipv6 dhcp guard policy policy name no ipv6 dhcp guard policy policy name Parameters policy name The DHCPv6 Guard policy name up to 32 characters Default Configuration No DHCPv6 Guard policy are configured Command Mode Global Configuration mode User Guidelines Th...

Page 504: ...6 dhcp guard attach policy port mode or ipv6 dhcp guard attach policy VLAN mode command The vlan_default policy is attached by default to a VLAN if no other policy is attached to the VLAN The port_default policy is attached by default to a port if no other policy is attached to the port You can define a policy using the ipv6 dhcp guard policy command multiple times Before an attached policy is rem...

Page 505: ...Policy policy1 is applied on the following ports gi11 gi12 The policy1 will be detached and removed are you sure Y N Y 25 17 ipv6 dhcp guard preference To globally enable verification of the preference in messages sent by DHCPv6 servers use the ipv6 dhcp guard preference command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 dhcp guard preference ...

Page 506: ... and argument specifies the maximum allowed value The received DHCPv6 reply message with a preference value greater than the value specified by the value argument is dropped Use no ipv6 dhcp guard preference to disable verification of the advertised preference value in DHCPv6 reply messages Use no ipv6 dhcp guard preference maximum to disable verification of the maximum boundary of the value of th...

Page 507: ... use the ipv6 first hop security command in VLAN Configuration mode To return to the default use the no form of this command Syntax ipv6 first hop security no ipv6 first hop security Parameters N A Default Configuration IPv6 First Hop Security on a VLAN is disabled Command Mode Interface VLAN Configuration mode User Guidelines Use the ipv6 first hop security command to enable IPv6 First Hop Securi...

Page 508: ...cy command in Interface Configuration mode To return to the default use the no form of this command Syntax ipv6 first hop security attach policy policy name vlan vlan list no ipv6 first hop security attach policy policy name Parameters policy name The IPv6 First Hop Security policy name up to 32 characters vlan vlan list Specifies that the IPv6 First Hop Security policy is to be attached to the VL...

Page 509: ...on which the packet arrived are added to the set The rules configured in the policy attached to the VLAN are added to the set if they have not been added The global rules are added to the set if they have not been added Use the no ipv6 first hop security attach policy command to detach all user defined policies attached to the port The default policy is reattached Use the no ipv6 first hop securit...

Page 510: ...cy policy1 vlan 1 10 switchxxxxxx config if ipv6 first hop security attach policy policy2 vlan 12 20 switchxxxxxx config if exit Example 4 In the following example IPv6 First Hop Security detaches policy policy1 detached to the gi11 port switchxxxxxx config interface gi11 switchxxxxxx config if no ipv6 first hop security attach policy policy1 switchxxxxxx config if exit 25 20 ipv6 first hop securi...

Page 511: ...ch the current policy and to reattach the default policy The no form of the command does not have an effect if the default policy was attached Example In the following example the IPv6 First Hop Security policy policy1 is attached to VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 first hop security attach policy policy1 switchxxxxxx config if exit 25 21 ipv6 first hop ...

Page 512: ...w to enable logging of dropped packets by the IPv6 first hop security feature switchxxxxxx config ipv6 first hop security logging packet drop 25 22 ipv6 first hop security policy To define an IPv6 First Hop Security policy and place the switch in IPv6 First Hop Security Policy Configuration mode use the ipv6 first hop security policy command in Global Configuration mode To remove the IPv6 First Ho...

Page 513: ...p Security policies named vlan_default and port_default ipv6 first hop security policy vlan_default exit ipv6 first hop security policy port_default exit These policies cannot be removed but they can be changed The no ipv6 first hop security policy does not remove these policies it only removes the policy configurations defined by the user The default policies do not need to be attached by the ipv...

Page 514: ... config exit Example 2 The following example removes an attached IPv6 First Hop Security policy switchxxxxxx config no ipv6 first hop security policy policy1 Policy policy1 is applied on the following ports gi11 gi12 The policy1 will be detached and removed are you sure Y N Y 25 23 ipv6 nd inspection To enable the IPv6 Neighbor Discovery ND Inspection feature on a VLAN use the ipv6 nd inspection c...

Page 515: ...igured as host see the device role command ND inspection is performed after RA Guard Examples Example 1 The following example enables ND Inspection on VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 nd inspection switchxxxxxx config if exit Example 2 The following example enables ND Inspection on VLANs 100 107 switchxxxxxx config interface range vlan 100 107 switchxxxxx...

Page 516: ... ipv6 nd inspection attach policy command to attach an ND Inspection policy to a port Each time the command is used it overrides the previous command within the same policy If a policy specified by the policy name argument is not defined the command is rejected Multiple policies with the vlan keyword can be attached to the same port if they do not have common VLANs The set of rules that is applied...

Page 517: ...ig interface gi11 switchxxxxxx config if ipv6 nd inspection attach policy policy1 vlan 1 10 12 20 switchxxxxxx config if exit Example 3 In the following example the ND Inspection policy policy1 is attached to the gi11 port and applied to VLANs 1 10 and the ND Inspection policy policy2 is attached to the gi11 port and applied to VLANs 12 20 switchxxxxxx config interface gi11 switchxxxxxx config if ...

Page 518: ...Default Configuration The ND Inspection default policy is applied Command Mode Interface VLAN Configuration mode User Guidelines Use this command to attach a ND Inspection policy to a VLAN If the policy specified by the policy name argument is not defined the command is rejected Use the no form of the command to detach the current policy and to reattach the default policy The no form of the comman...

Page 519: ...ameters N A Default Configuration All messages are bridged Command Mode Global Configuration mode User Guidelines This command drops NDP messages if they do not contain CGA and RSA Signature options If this command is not configured then the sec level minimum command does not have an effect If this command is configured then only the sec level minimum command has an effect and all other configured...

Page 520: ...me up to 32 characters Default Configuration No ND Inspection policies are configured Command Mode Global Configuration mode User Guidelines This command defines the ND Inspection policy name and places the router in ND Inspection Policy Configuration mode The following commands can be configured into a ND Inspection policy device role ND Inspection Policy drop unsecure sec level minimum validate ...

Page 521: ...v6 nd inspection policy command multiple times If an attached policy is removed it is detached automatically before removing Examples Example 1 The following example defines a ND Inspection policy named policy1 places the switch in ND Inspection Policy Configuration mode and configures the port to drop unsecured messages and sets the device role as router switchxxxxxx config ipv6 nd inspection pol...

Page 522: ...ally specify the minimum security level value use the ipv6 nd inspection sec level minimum command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 nd inspection sec level minimum value no ipv6 nd inspection sec level minimum Parameters value Sets the minimum security level Range 0 7 Default Configuration All messages are bridged Command Mode Global...

Page 523: ...n validate source mac command in Global Configuration mode To disable this function use the no form of this command Syntax ipv6 nd inspection validate source mac no ipv6 nd inspection validate source mac Parameters N A Default Configuration This command is disabled by default Command Mode Global Configuration mode User Guidelines When the switch receives an NDP message which contains a link layer ...

Page 524: ...6 nd raguard command in VLAN Configuration mode To return to the default use the no form of this command Syntax ipv6 nd raguard no ipv6 nd raguard Parameters N A Default Configuration RA Guard on a VLAN is disabled Command Mode Interface VLAN Configuration mode User Guidelines Use the ipv6 nd raguard command to enable IPv6 RA Guard on a VLAN RA Guard discards RA CPA and ICMP Redirect messages rece...

Page 525: ...aguard attach policy port mode To attach an RA Guard policy to a specific port use the ipv6 nd raguard attach policy command in Interface Configuration mode To return to the default use the no form of this command Syntax ipv6 nd raguard attach policy policy name vlan vlan list no ipv6 nd raguard attach policy policy name Parameters policy name The RA Guard policy name up to 32 characters vlan vlan...

Page 526: ...port on the VLAN on which the packet arrived are added to the set The rules configured in the policy attached to the VLAN are added to the set if they have not been added The global rules are added to the set if they have not been added Use the no ipv6 nd raguard attach policy command to detach all user defined policies attached to the port Use the no ipv6 nd raguard attach policy policy name comm...

Page 527: ... 1 10 switchxxxxxx config if ipv6 nd raguard attach policy policy2 vlan 12 20 switchxxxxxx config if exit Example 4 In the following example RA Guard detaches policy policy1 from the gi11 port switchxxxxxx config interface gi11 switchxxxxxx config if no ipv6 nd raguard attach policy policy1 switchxxxxxx config if exit 25 32 ipv6 nd raguard attach policy VLAN mode To attach an RA Guard policy to a ...

Page 528: ...example the RA Guard policy policy1 is attached to VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 nd raguard attach policy policy1 switchxxxxxx config if exit 25 33 ipv6 nd raguard hop limit To globally enable verification of the advertised Cur Hop Limit value in RA messages use the ipv6 nd raguard hop limit command in Global Configuration mode To return to the default...

Page 529: ...pped Configuring the maximum value keyword and argument enables verification that the advertised Cur Hop Limit value is less than or equal to the value set by the value argument If the advertised Cur Hop Limit value is unspecified which is the same as setting a value of 0 the packet is dropped Use the no ipv6 nd raguard hop limit maximum command to disable verification of the maximum boundary of t...

Page 530: ...d config flag on off no ipv6 nd raguard managed config flag Parameters on The value of the flag must be 1 off The value of the flag must be 0 Default Configuration Verification is disabled Command Mode Global Configuration mode User Guidelines This command enables verification of the advertised the Managed Address Configuration flag or the M flag in an RA message see RFC4861 This flag could be set...

Page 531: ...g Parameters on The value of the flag must be 1 off The value of the flag must be 0 Default Configuration Verification is disabled Command Mode Global Configuration mode User Guidelines This command enables verification of the advertised Other Configuration flag or O flag in an RA message see RFC4861 This flag could be set by an attacker to force hosts to retrieve other configuration information t...

Page 532: ...onfiguration No RA Guard policy is configured Command Mode Global Configuration mode User Guidelines This command defines the RA Guard policy name and places the switch in IPv6 RA Guard Policy Configuration mode Each policy of the same type for example RA Guard policies must have a unique name Policies of different types can have a same policy name The switch supports two predefined RA Guard polic...

Page 533: ...e configured in RA Guard Policy Configuration mode device role RA Guard Policy hop limit managed config flag match ra addresshop limit match ra prefixes other config flag router preference Examples Example 1 The following example defines an RA Guard policy named policy1 places the router in RA Guard Policy Configuration mode and disenabled validation of the Other Configuration flag and sets the de...

Page 534: ...ertised Default Router Preference value in RA messages use the ipv6 nd raguard router preference command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 nd raguard router preference maximum value minimum value no ipv6 nd raguard router preference maximum minimum Parameters maximum value Specifies the maximum allowed Advertised Default Router Prefer...

Page 535: ...ference command to disable verification of the advertised Default Router Preference value in RA messages Use the no ipv6 nd raguard router preference maximum command to disable verification of the maximum boundary of the advertised Default Router Preference value in RA messages Use the no ipv6 nd raguard router preference minimum command to disable verification of the advertised Default Router Pre...

Page 536: ...AN is disabled Command Mode Interface VLAN Configuration mode User Guidelines NB integrity establishes binding for neighbors connected to the perimetrical ports see the device role Neighbor Binding command belonging to the VLANs on which the feature is enabled Examples Example 1 The following example enables NB integrity on VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv...

Page 537: ... IPv6 bound from NDP messages any All configuration methods for global IPv6 bound from NDP messages stateless and manual are allowed If no keyword is defined the any keyword is applied dhcp Binding from DHCPv6 is allowed Default Configuration Any is the default parameter Command Mode Global Configuration mode User Guidelines This command defines allowed IPv6 address configuration methods for globa...

Page 538: ...rom NDP messages because a host must execute the DAD process for these addresses If no keyword is defined the ipv6 neighbor binding address config any command is applied Examples Example 1 The following example specifies that any global IPv6 address configuration method can be applied and there will be no binding from DHCPv6 messages switchxxxxxx config ipv6 neighbor binding address prefix validat...

Page 539: ...lobal IPv6 addresses can be assigned only by DHCPv6 switchxxxxxx config ipv6 neighbor binding address config dhcp 25 40 ipv6 neighbor binding address prefix To define a static prefix for global IPv6 addresses bound from NDP messages use the ipv6 neighbor binding address prefix command in Global Configuration mode To delete the prefix use the no form of this command Syntax ipv6 neighbor binding add...

Page 540: ...n the given VLAN Use the no ipv6 neighbor binding address prefix command to remove all static entries from the Neighbor Prefix table Examples Example 1 The following example adds two static entries The second one can be used for stateless configuration switchxxxxxx config ipv6 neighbor binding address prefix vlan 100 2001 0DB8 101 64 switchxxxxxx config ipv6 neighbor binding address prefix vlan 10...

Page 541: ...efix validation no ipv6 neighbor binding address prefix validation Parameters N A Default Configuration The feature is disabled Command Mode Global Configuration mode User Guidelines This command enables bound address prefix validation If the Neighbor Binding feature is enabled the switch checks if a bound address belongs to one of the prefixes of the Neighbor Prefix table or to a manually configu...

Page 542: ...ist If the vlan keyword is not configured the policy is applied to all VLANs on the device on which Neighbor Binding policy is enabled Default Configuration The Neighbor Binding default policy is applied Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines Use this command to attach a Neighbor Binding policy to a port Each time the command is used it overrides the previo...

Page 543: ...11 switchxxxxxx config if ipv6 neighbor binding attach policy policy1 switchxxxxxx config if exit Example 2 In the following example the Neighbor Binding policy policy1 is attached to the gi11 port and applied to VLANs 1 10 and 12 20 switchxxxxxx config interface gi11 switchxxxxxx config if ipv6 neighbor binding attach policy policy1 vlan 1 10 12 20 switchxxxxxx config if exit Example 3 In the fol...

Page 544: ...uration mode To return to the default use the no form of this command Syntax ipv6 neighbor binding attach policy policy name no ipv6 neighbor binding attach policy Parameters policy name The Neighbor Binding policy name up to 32 characters Default Configuration The Neighbor Binding default policy is applied Command Mode Interface VLAN Configuration mode User Guidelines Use this command to attach a...

Page 545: ...y lifetime use the ipv6 neighbor binding lifetime command in Global Configuration mode To return to the default setting use the no form of this command Syntax ipv6 neighbor binding lifetime value no ipv6 neighbor binding lifetime Parameters value The lifetime in minutes The range is from 1 through 60 minutes Default Configuration 5 minutes Command Mode Global Configuration mode User Guidelines Use...

Page 546: ... Configuration Binding table events are not logged Command Mode Global Configuration mode User Guidelines This command enables the logging of the following Binding table events An entry is inserted into the Binding table A Binding table entry was updated A Binding table entry was deleted from the Binding table A Binding table entry was not inserted into the Binding table possibly because the maxim...

Page 547: ...number Specifies a neighbor binding limit per port mac limit number Specifies a neighbor binding limit per MAC address Default Configuration This command is disabled Command Mode Global Configuration mode User Guidelines This command is used to control the contents of the Binding table This command specifies the maximum number of dynamic entries that can be inserted in the Binding table cache Afte...

Page 548: ...ers policy name The Neighbor Binding policy name up to 32 characters Default Configuration No Neighbor Binding policy is configured Command Mode Global Configuration mode User Guidelines This command defines a Neighbor Binding policy name and places the router in Neighbor Binding Policy Configuration mode so that additional commands can be added to the policy The switch supports two predefined Nei...

Page 549: ...eighbor Binding Policy Configuration mode device role Neighbor Binding logging binding max entries address config address prefix validation Examples Example 1 The following example defines a Neighbor Binding policy named policy1 places the router in Neighbor Binding Policy Configuration mode enables logging and defines the port as internal switchxxxxxx config ipv6 neighbor binding policy policy1 s...

Page 550: ...static entry to the Neighbor Binding table use the ipv6 neighbor binding static command in Global Configuration mode To remove the static entry use the no form of this command Syntax ipv6 neighbor binding static ipv6 ipv6 address vlan vlan id interface interface id mac mac address no ipv6 neighbor binding static ipv6 ipv6 address vlan vlan id Parameters ipv6 ipv6 address IPv6 address of the static...

Page 551: ...a static entry switchxxxxxx config ipv6 neighbor binding static ipv6 2001 600 1 vlan 100 interface gi11 mac 00BB CC01 F500 25 49 ipv6 source guard To enable the IPv6 Source Guard feature on a VLAN use the ipv6 source guard command in VLAN Configuration mode To return to the default use the no form of this command Syntax ipv6 source guard no ipv6 source guard Parameters N A Default Configuration So...

Page 552: ... config if range ipv6 source guard switchxxxxxx config if range exit 25 50 ipv6 source guard attach policy port mode To attach an IPv6 Source Guard policy to a specific port use the ipv6 source guard attach policy command in Interface Configuration mode To return to the default use the no form of this command Syntax ipv6 source guard attach policy policy name no ipv6 source guard attach policy Par...

Page 553: ...ied to an input packet is built in the following way The rules configured in the policy attached to the port The global rules are added to the set if they have not been added Use the no ipv6 source guard attach policy command to detach the user defined policy attached to the port and to reattach the default policy with name port_default Examples Example 1 In the following example the IPv6 Source G...

Page 554: ...licies are configured Command Mode Global Configuration mode User Guidelines This command defines the IPv6 Source Guard policy name and places the router in IPv6 Source Guard Policy Configuration mode The following commands can be configured in IPv6 Source Guard Policy Configuration mode trusted port IPv6 Source Guard Each policy of the same type for example IPv6 Source Guard policies must have a ...

Page 555: ...onfigures the port as trusted switchxxxxxx config ipv6 source guard policy policy1 switchxxxxxx config ipv6 srcguard trusted port switchxxxxxx config exit Example 2 The following example removes the attached IPv6 Source Guard policy switchxxxxxx config no ipv6 source guard policy policy1 Policy policy1 is applied on the following ports gi11 gi12 The policy1 will be detached and removed are you sur...

Page 556: ...applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN Example The following example enables logging of Binding table main events within the IPv6 Neighbor Binding policy named policy1 switchxxxxxx config ipv6 neighbor binding policy policy1 switchxxxxxx config nbr binding logging binding ena...

Page 557: ...N it is applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN Example The following example enables logging of dropped messaged with the IPv6 First Hop Security Policy named policy1 switchxxxxxx config ipv6 first hop security policy policy1 switchxxxxxx config ipv6 fhs logging packet drop s...

Page 558: ... config flag command on the port on which this policy applies Use the disable keyword to disable the flag validation in both global or the VLAN configuration Example The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and enables M flag verification that checks if the value of the flag is 0 switchxxxxxx config ipv6 nd raguard polic...

Page 559: ...ved RA messages by a configured prefix list If the router s source IPv6 address does not match the prefix list or if the prefix list is not configured the RA message is dropped Use the disable keyword to disable verification of the router s IPv6 address regardless of the VLAN configuration Example The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy C...

Page 560: ...hannel the value configured in the policy attached to the VLAN Policy attached to VLAN advertised prefixes are not verified Command Mode RA Guard Policy Configuration mode User Guidelines This command enables verification of the advertised prefixes in received RA messages by a configured prefix list If an advertised prefix does not match the prefix list or if the prefix list is not configured the ...

Page 561: ...cy Configuration mode To return to the default use the no form of this command Syntax match reply prefix list ipv6 prefix list name disable no match reply Parameters ipv6 prefix list name The IPv6 prefix list to be matched disable Disables verification of the advertised prefixes in replies Default Configuration Policy attached to port or port channel the value configured in the policy attached to ...

Page 562: ...esses must belong to 2001 0DB8 100 200 64 or to 2001 0DB8 100 48 The ge 128 parameter must be configured for each prefix of the prefix list with prefix length less than 128 switchxxxxxx config ipv6 dhcp guard policy policy1 switchxxxxxx config dhcp guard match reply prefix list list1 switchxxxxxx config dhcp guard exit switchxxxxxx config ipv6 prefix list list1 deny 2001 0DB8 100 200 64 ge 128 swi...

Page 563: ...s This command enables verification of the source IPv6 address in messages sent by DHCPv6 servers and DHCPv6 Relays to a configured prefix list If the source IPv6 address does not match the configured prefix list or if the prefix list is not configured the DHCPv6 reply is dropped IPv6 DHCP Guard verifies the source IPv6 address in the following DHCPv6 messages sent by DHCPv6 servers relays ADVERTI...

Page 564: ...r Binding Policy Configuration mode To return to the default use the no form of this command Syntax max entries vlan limit number disable interface limit number disable mac limit number disable no max entries vlan limit interface limit mac limit Parameters vlan limit number Specifies a neighbor binding limit per VLANs The parameter is ignored in a policy attached to port vlan limit disable Disable...

Page 565: ...port to 25 switchxxxxxx config ipv6 neighbor binding policy policy1 switchxxxxxx config nbr binding max entries interface limit 25 switchxxxxxx config exit Example 2 The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and disables limit per MAC switchxxxxxx config ipv6 nd raguard policy policy1 switchxxxxxx config ra guard max entr...

Page 566: ...onfig flag command on the port on which this policy applies Use the disable keyword to disable flag validation in both global or VLAN configuration Example The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and enables O flag verification that checks if the value of the flag is 0 switchxxxxxx config ipv6 nd raguard policy policy1 ...

Page 567: ...nimum disable Disables verification of the lower boundary of the advertised preference value Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN global configuration Command Mode DHCP Guard Policy Configuration mode User Guidelines Use this command to change the global configuration specified by the ipv6 dhcp...

Page 568: ...he maximum allowed Advertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 A value of the high boundary must be equal to or greater than a value of the low boundary maximum disable Disables verification of the high boundary of Advertised Default Router Preference minimum value Specifies the minimum allowed Advertised Default Router Preference ...

Page 569: ...xxx config ipv6 nd raguard policy policy1 switchxxxxxx config ra guard router preference minimum medium switchxxxxxx config ra guard exit 25 63 sec level minimum To specify the minimum security level value within an Ipv6 ND Inspection policy use the sec level minimum command in ND Inspection policy Configuration mode To return to the default use the no form of this command Syntax sec level minimum...

Page 570: ...Example The following example defines an NDP Inspection policy named policy1 places the switch in ND Inspection Policy Configuration mode and specifies 2 as the minimum CGA security level switchxxxxxx config ipv6 nd inspection policy policy1 switchxxxxxx config nd inspection sec level minimum 2 switchxxxxxx config nd inspection exit 25 64 show ipv6 dhcp guard To display DHCPv6 Guard global configu...

Page 571: ...ed with the DHCPv6 guard feature use the show ipv6 dhcp guard policy command in privileged EXEC mode Syntax show ipv6 dhcp guard policy policy name active Parameters policy name Displays the DHCPv6 guard policy with the given name active Displays the attached DHCPv6 guard policies Command Mode Privileged EXEC mode User Guidelines This command displays the options configured for the policy on all p...

Page 572: ... 111 4094 Attached to ports Example 2 The following example displays the attached policies switchxxxxxx show ipv6 dhcp guard policy active Attached to VLAN Policy Name VLANs policy2 200 300 vlan default 1 199 301 4094 Attached to ports Example 3 The following example displays the user defined policies Ports gi11 2 gi13 4 Po1 4 VLANs 1 58 68 4094 1 4094 1 4094 Policy Name policy1 port default Ports...

Page 573: ...irst hop security command in Privilege EXEC configuration mode Syntax show ipv6 first hop security Parameters N A Command Mode Privileged EXEC mode User Guidelines This command displays all IPv6 First Hop Security global configuration Example The following example gives an example of the show ipv6 first hop security command switchxxxxxx show ipv6 first hop security IPv6 First Hop Security is enabl...

Page 574: ...lines This command displays policies applied to frames arriving on given port and belonging to the given VLAN The policies are calculated automatically by using the policies attached to the port VLAN and the global configuration Example The following example displays the active attached policies on gi11 and VLAN 100 switchxxxxxx show ipv6 first hop security active policies interface gi11 vlan 100 ...

Page 575: ... level minimum 3 from policy1 attached to the port validate source mac enabled from global configuration Neighbor Binding Policy policy1 device role perimiter default logging binding enabled from policy1 attached to the port address prefix validation enabled from policy2 attached to the VLAN address config any default maximum entries VLAN unlimited from global configuration Port 1 from policy1 att...

Page 576: ...hed policies command in privileged EXEC mode Syntax show ipv6 first hop security attached policies interface interface id vlan vlan id Parameters interface interface id Port Identifier Ethernet port or port channel vlan vlan id VLAN Identifier Command Mode Privileged EXEC mode User Guidelines This command displays policies of all IPv6 First Hop Security attached to a VLAN specified by the vlan id ...

Page 577: ... command in privileged EXEC mode Syntax show ipv6 first hop security counters interface interface id Parameters interface interface id Displays counters for specified Ethernet port or port channel Command Mode Privileged EXEC mode User Guidelines This command displays packets handled by the switch that are being counted in port counters The switch counts packets captured per port and records wheth...

Page 578: ... on client port DHCP Guard 1 Unauthorized assigned address DHCP Guard 1 Unauthorized server source address DHCP Guard 0 Unauthorized server preference RA guard 1 Router message on host port RA guard 1 Unauthorized source address RA guard 0 Unauthorized advertise prefix RA guard 0 Unauthorized router preference RA guard 0 Unauthorized other config flag RA guard 0 Unauthorized managed config flag RA...

Page 579: ...his command displays global error counters Examples Example 1 The following examples displays global error counters switchxxxxxx show ipv6 first hop security error counters Neighbor Binding Table Overflow counter 0 Neighbor Prefix Table Overflow counter 0 TCAM Overflow counter 0 25 71 show ipv6 first hop security policy To display IPv6 First Hop Security policies on all ports configured with the I...

Page 580: ... the IPv6 First Hop feature Examples Example 1 The following example displays the Policy Configuration for a policy named policy1 switchxxxxxx show ipv6 first hop security policy policy1 IPv6D First Hop Security Policy policy1 logging packet drop enabled Attached to VLANs 1 100 111 4094 Attached to ports Example 2 The following example displays the attached policies switchxxxxxx show ipv6 first ho...

Page 581: ...icy policy1 policy2 25 72 show ipv6 nd inspection To display ND Inspection global configuration use the show ipv6 nd inspection command in Privilege EXEC configuration mode Syntax show ipv6 nd inspection Parameters N A Command Mode Privileged EXEC mode User Guidelines This command displays ND Inspection global configuration Policy Name policy1 port default Ports gi11 2 gi11 2 gi13 4 VLANs 1 100 10...

Page 582: ...IPv6 ND Inspection policy on all ports configured with the ND Inspection feature use the show ipv6 nd inspection policy command in privileged EXEC mode Syntax show ipv6 nd inspection policy policy name active Parameters policy name Displays the ND Inspection policy with the given name active Displays the attached ND Inspection policies Command Mode Privileged EXEC mode Examples Example 1 The follo...

Page 583: ...olicy Name VLANs vlan default 1 4094 Attached to ports Example 3 The following example displays the user defined policies switchxxxxxx show ipv6 nd inspection policy policy1 policy2 25 74 show ipv6 nd raguard To display RA Guard global configuration use the show ipv6 nd raguard command in Privilege EXEC configuration mode Ports gi11 2 gi13 4 Po1 VLANs 1 58 68 4094 1 4094 1 4094 Policy Name policy1...

Page 584: ...guard IPv6 RA Guard is enabled on VLANs 1 4 6 7 100 120 Managed address configuration flag M flag off Other configuration flag O flag disabled Hop Limit minimum 10 maximum 100 Default Router Preference minimum 1 maximum 1 25 75 show ipv6 nd raguard policy To display a router advertisements RAs guard policy on all ports configured with the RA guard feature use the show ipv6 nd raguard policy comman...

Page 585: ... with the RA guard feature Examples Example 1 The following example displays the policy configuration for a policy named policy1 switchxxxxxx show ipv6 nd raguard policy raguard1 RA Guard Policy policy1 device role router router address prefix list name list1 prefixes prefix list name list2 Attached to VLANs 1 100 111 4094 Attached to ports Example 2 The following example displays the attached pol...

Page 586: ...nding To display Neighbor Binding global configuration use the show ipv6 neighbor binding command in Privilege EXEC configuration mode Syntax show ipv6 neighbor binding Parameters N A Command Mode Privileged EXEC mode User Guidelines This displays Neighbor Binding global configuration Example The following example gives an example of the show ipv6 neighbor binding command output switchxxxxxx show ...

Page 587: ...y To display Neighbor Binding policies use the show ipv6 neighbor binding policy command in Privilege EXEC configuration mode Syntax show ipv6 neighbor binding policy policy name active Parameters policy name Neighbor Binding policy name active Displays the attached Neighbor Binding policies Command Mode Privileged EXEC mode User Guidelines This command either displays all policies or a specific o...

Page 588: ... max entries VLAN unlimited Port 10 MAC 2 Attached to VLANs 1 100 111 4094 Attached to ports Example 2 The following example displays the attached policies switchxxxxxx show ipv6 neighbor binding policy active Attached to VLAN Policy Name VLANs policy2 200 300 vlan default 1 199 301 4094 Attached to ports Ports gi11 2 gi13 4 Po1 4 VLANs 1 58 68 4094 1 4094 1 4094 Policy Name policy1 port default P...

Page 589: ... prefix table vlan vlan id Parameters vlan vlan id Displays the prefixes that match the specified VLAN Command Mode Privileged EXEC mode User Guidelines This command displays the Neighbor Prefix table The display output can be limited to the specified VLAN If no VLAN is configured all prefixes are displayed Example The following example displays the learned prefixes switchxxxxxx show ipv6 neighbor...

Page 590: ... table entries that match the specified port Ethernet port or port channel ipv6 ipv6 address Displays the Binding table entries that match the specified IPv6 address mac mac address Displays the Binding table entries that match the specified MAC address Command Mode Privileged EXEC mode User Guidelines This displays the contents of the Binding table The display output can be specified by the speci...

Page 591: ...ddress learnt from the DHCPv6 protocol messages State Entry s state TENT The new host IPv6 address is under validation Since its lifetime is less than 1sec its expiration time is not displayed VALID The host IPv6 address was bound Expir Time Left time in seconds until the entry will be removed if it is not confirmed TCAM Ovrflw Entries marked by have not been added to TCAM because TCAM overflow VL...

Page 592: ...ys IPv6 Source Guard global configuration Example The following example gives an example of the show ipv6 source guard command output switchxxxxxx show ipv6 source guard IPv6 Source Guard is enabled on VLANs 1 4 6 7 100 120 25 81 show ipv6 source guard policy To display IPv6 Source Guard policies use the show ipv6 source guard policy command in Privilege EXEC configuration mode Syntax show ipv6 so...

Page 593: ...Examples Example 1 The following example displays the policy configuration for a policy named policy1 switchxxxxxx show ipv6 source guard policy policy1 Neighbor Binding Policy policy1 trusted port disabled Attached to ports Ports gi11 2 gi14 Po1 4 Example 2 The following example displays the attached policies switchxxxxxx show ipv6 source guard policy active Attached to VLAN Attached to ports Pol...

Page 594: ... command in IPv6 Source Guard Policy Configuration mode To return to the default use the no form of this command Syntax trusted port no trusted port Parameters N A Default Configuration not trusted Command Mode IPv6 Source Guard Policy Configuration mode User Guidelines IPv6 data messages bridged from trusted ports are not validated by IPv6 Source Guard Example The following example defines a poli...

Page 595: ...configured this keyword is applied by default disable Disables validation of MAC address against the link layer address Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN global configuration Command Mode ND inspection Policy Configuration mode User Guidelines If this command is part of a policy attached to ...

Page 596: ...IPv6 First Hop Security OL 32830 01 Command Line Interface Reference Guide 596 25 switchxxxxxx config nd inspection validate source mac switchxxxxxx config nd inspection exit ...

Page 597: ...rom which the hit count is to be cleared This argument must be in the form documented in RFC 4293 where the address is specified in hexadecimal using 16 bit values between colons prefix length The length of the IPv6 prefix A decimal value that indicates how many of the high order contiguous bits of the address comprise the prefix the network portion of the address A slash mark must precede the dec...

Page 598: ...t name Name of the prefix list The name may contain up to 32 characters seq seq number Sequence number of the prefix list entry being configured This is an integer value from 1 to 4294967294 deny Denies networks that matches the condition permit Permits networks that matches the condition ipv6 prefix IPv6 network assigned to the specified prefix list This argument must be in the form documented in...

Page 599: ...ameter if an entry with the number exists it is replaced by the new one This command without the seq keyword removes the prefix list The no version of this command with the seq keyword removes the specified entry The sequence number of a prefix list entry determines the order of the entries in the list The router compares network addresses to the prefix list entries The router begins the compariso...

Page 600: ...at the first condition must match before the other conditions take effect An exact match is assumed when the ge or le keywords are not specified If only one keyword operand is specified then the condition for that keyword is applied and the other condition is not applied The prefix length value must be less than the ge value The ge value must be less than or equal to the le value The le value must...

Page 601: ...P P L cL le Case 4 An prefix list entry is P prefix address L prefix length ge is defined le is defined The prefix cP cL matches the prefix list entry if PrefixIsEqual cP P L ge cL le Examples Example 1 The following example denies all routes with a prefix of 0 switchxxxxxx config ipv6 prefix list abc deny 0 Example 2 The following example permits the prefix 2002 16 switchxxxxxx config ipv6 prefix...

Page 602: ...following example denies mask lengths greater than 32 bits in all address space switchxxxxxx config ipv6 prefix list abc deny 0 ge 32 Example 7 The following example denies all routes with a prefix of 2002 128 switchxxxxxx config ipv6 prefix list abc deny 2002 128 Example 8 The following example permits all routes with a prefix of 0 switchxxxxxx config ipv6 prefix list abc permit 0 26 3 show ipv6 ...

Page 603: ...e prefix the network portion of the address A slash mark must precede the decimal value longer Displays all entries of an IPv6 prefix list that are more specific than the given ipv6 prefix prefix length values first match Displays the entry of an IPv6 prefix list that matches the given ipv6 prefix prefix length values seq seq num Sequence number of the IPv6 prefix list entry Command Mode User EXEC...

Page 604: ...10 deny 0 hit count 0 seq 15 deny 1 hit count 0 seq 20 deny 2 hit count 0 seq 25 deny 3 ge 4 hit count 0 seq 30 permit 0 le 128 hit count 240664 Field Descriptions count Number of entries in the list range entries Number of entries with matching range seq Entry number in the list permit deny Granting status description Comment hit count Number of matches for the prefix entry Example 2 The followin...

Page 605: ...erence Guide 26 count 2 range entries 2 ipv6 prefix list bgp in count 6 range entries 3 Example 3 The following example shows the output of the show ipv6 prefix list command with the seq keyword switchxxxxxx show ipv6 prefix list bgp in seq 15 seq 15 deny 1 hit count 0 ...

Page 606: ... Parameters N A Command Mode Privileged EXEC mode User Guidelines Example The following example deletes all entries except static entries in the neighbor discovery cache switchxxxxxx clear ipv6 neighbors 27 2 ipv6 address Use the ipv6 address command in Interface Configuration mode to configure a global unicast IPv6 address based on an IPv6 general prefix and enable IPv6 processing on an interface...

Page 607: ...e address comprise the prefix the network portion of the address A slash mark must precede the decimal value Default Configuration No IP address is defined for the interface Command Mode Interface Configuration mode User Guidelines The ipv6 address command cannot be applied to define an IPv6 address on an ISATAP interface Using the no IPv6 address command without arguments removes all manually con...

Page 608: ...d Mode Interface Configuration mode User Guidelines This command enables IPv6 on an interface if it was disabled and causes the switch to perform IPv6 stateless address auto configuration to discover prefixes on the link and then to add the eui 64 based addresses to the interface Stateless auto configuration is applied only when IPv6 Forwarding is disabled When IPv6 forwarding is changed from disa...

Page 609: ... the address from the interface use the no form of this command Syntax ipv6 address ipv6 prefix prefix length eui 64 no ipv6 address ipv6 prefix prefix length eui 64 Parameters ipv6 address Specifies the global unicast IPv6 address assigned to the interface This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16 bit values between colons prefi...

Page 610: ...d specifies an EUI 64 interface ID in the low order 64 bits of the address switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 address 2001 0DB8 0 1 64 eui 64 switchxxxxxx config if exit 27 5 ipv6 address link local Use the ipv6 address link local command in Interface Configuration mode to configure an IPv6 link local address for an interface and enable IPv6 processing on the interfac...

Page 611: ...ut arguments removes all manually configured IPv6 addresses from an interface including link local manually configured addresses Example The following example enables IPv6 processing on VLAN 1 and configures FE80 260 3EFF FE11 6770 as the link local address for VLAN 1 switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 address FE80 260 3EFF FE11 6770 link local switchxxxxxx config if ...

Page 612: ...mple 1 The following example defines a default gateway with a global IPv6 address switchxxxxxx config ipv6 default gateway 5 5 Example 2 The following example defines a default gateway with a link local IPv6 address switchxxxxxx config ipv6 default gateway FE80 260 3EFF FE11 6770 vlan1 27 7 ipv6 enable Use the ipv6 enable command in Interface Configuration mode to enable IPv6 processing on an inte...

Page 613: ...v6 processing on an interface that is configured with an explicit IPv6 address Example The following example enables VLAN 1 for the IPv6 addressing mode switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 enable switchxxxxxx config if exit 27 8 ipv6 icmp error interval Use the ipv6 icmp error interval command in Global Configuration mode to configure the interval and bucket size for I...

Page 614: ... are placed in the virtual bucket at a specified interval until the maximum number of tokens allowed in the bucket is reached The milliseconds argument specifies the time interval between tokens arriving in the bucket The optional bucketsize argument is used to define the maximum number of tokens allowed in the bucket Tokens are removed from the bucket when IPv6 ICMP error messages are sent which ...

Page 615: ... the egress interface for packets sent without a specified IPv6Z interface identifier or with the default 0 identifier Default By default link local default zone is disabled Command Mode Global Configuration mode Example The following example defines VLAN 1 as a default zone switchxxxxxx config ipv6 link local default zone vlan1 27 10 ipv6 nd dad attempts Use the ipv6 nd dad attempts command in In...

Page 616: ...ss Autoconfiguration is used to automatically determine the number of consecutive neighbor solicitation messages that are sent on an interface while duplicate address detection is performed on a tentative Unicast IPv6 address The interval between duplicate address detection neighbor solicitation messages the duplicate address detection timeout interval is specified by the neighbor discovery relate...

Page 617: ... not used and an error SYSLOG message is issued All configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE If the link local address for an interface changes duplicate address detection is performed on the new link local address and all of the other IPv6 address associated with the interface are regenerated duplicate add...

Page 618: ...rm documented in RFC4293 where the address is specified in hexadecimal using 16 bit values between colons interface id Specified interface identifier mac address Interface MAC address Default Configuration Static entries are not configured in the IPv6 neighbor discovery cache Command Mode Global Configuration mode User Guidelines This command is similar to the arp command Use the ipv6 neighbor com...

Page 619: ...e show ipv6 neighbors command to view static entries in the IPv6 neighbor discovery cache A static entry in the IPv6 neighbor discovery cache can have one of the following states NCMP Incomplete The interface for this entry is down REACH Reachable The interface for this entry is up Note Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache therefore the descr...

Page 620: ...command in Interface Configuration mode to enable the generation of Internet Control Message Protocol for IPv6 ICMPv6 unreachable messages for any packets arriving on a specified interface To prevent the generation of unreachable messages use the no form of this command Syntax ipv6 unreachables no ipv6 unreachables Parameters N A Default Configuration The sending of ICMP IPv6 unreachable messages ...

Page 621: ...hxxxxxx config interface vlan 100 switchxxxxxx config if no ipv6 unreachables switchxxxxxx config if exit 27 13 show ipv6 interface Use the show ipv6 interface command in user EXEC or privileged EXEC mode to display the usability status of interfaces configured for IPv6 Syntax show ipv6 interface brief interface id Parameters brief Displays a brief summary of IPv6 status and configuration for each...

Page 622: ...word to see the IPv6 neighbor discovery ND prefixes that are configured on the interface Examples Example 1 The show ipv6 interface command displays information about the specified interface switchxxxxxx show ipv6 interface vlan 1 VLAN 1 is up up IPv6 is enabled link local address is FE80 0DB8 12AB FA01 Global unicast address es Ipv6 Global Address Type 2000 0DB8 2 64 ANY Manual 2000 0DB8 2 64 Man...

Page 623: ...the interface The type is manual or autoconfig Joined group address es Indicates the Multicast groups to which this interface belongs MTU is 1500 bytes Maximum transmission unit of the interface ICMP error messages Specifies the minimum interval in milliseconds between error messages sent on this interface ND DAD The state of duplicate address detection on the interface enabled or disabled number ...

Page 624: ...put Indicates that IPv6 is enabled stalled or disabled on the interface If IPv6 is enabled the interface is marked enabled If duplicate address detection processing identified the link local address of the interface as being a duplicate address the processing of IPv6 packets is disabled on the interface and the interface is marked stalled If IPv6 is not enabled the interface is marked disabled lin...

Page 625: ...pecifies the tunnel mode manual 6to4 auto tunnel or isatap Tunnel Local IPv4 address Specifies the tunnel local IPv4 address and have one of the following formats ipv4 address ipv4 address auto ipv4 address interface id Tunnel Remote Ipv4 address Specifies the tunnel remote IPv4 address Example 3 The show ipv6 interface command displays information about the specified ISATAP tunnel switchxxxxxx sh...

Page 626: ...meter value bigger than 0 number of DAD attempts Number of consecutive neighbor solicitation messages that are sent on the interface while duplicate address detection is performed vlan 1 is up up Indicates the interface status administrative operational IPv6 is enabled stalled disabled stalled and disabled are not shown in sample output Indicates that IPv6 is enabled stalled or disabled on the int...

Page 627: ... isatap Tunnel Local IPv4 address Specifies the tunnel local IPv4 address and have one of the following formats ipv4 address ipv4 address auto ipv4 address interface id Tunnel Remote Ipv4 address Specifies the tunnel remote IPv4 address ISATAP Router DNS name is The DNS name of the ISATAP Router Example 4 The following command with the brief keyword displays information about all interfaces that I...

Page 628: ... User EXEC mode Privileged EXEC mode Examples Example 1 The following example displays the default zone when it is defined switchxxxxxx show ipv6 link local default zone Link Local Default Zone is VLAN 1 Example 2 The following example displays the default zone when it is not defined switchxxxxxx show ipv6 link local default zone Link Local Default Zone is not defined 27 15 show ipv6 neighbors Use...

Page 629: ...rivileged EXEC mode User Guidelines When the interface id argument is not specified cache information for all IPv6 neighbors is displayed Specifying the interface id argument displays only cache information about the specified interface Examples Example 1 The following is sample output from the show ipv6 neighbors command when entered with an interface id switchxxxxxx show ipv6 neighbors vlan 1 IP...

Page 630: ...pv6 route command in user EXEC or privileged EXEC mode to display the current contents of the IPv6 routing table Syntax show ipv6 route ipv6 address ipv6 prefix prefix length protocol interface interface id Parameters ipv6 address Displays routing information for a specific IPv6 address This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16 b...

Page 631: ... When the ipv6 address or ipv6 prefix prefix length argument is specified a longest match lookup is performed from the routing table and only route information for that address or network is displayed When the icmp nd connected local or static keywords are specified only that type of route is displayed When the interface id argument are specified only the specified interface specific routes are di...

Page 632: ...ser EXEC or Privileged EXEC mode to display the current contents of the IPv6 routing table in summary format Syntax show ipv6 route summary Parameters N A Command Mode User EXEC mode Privileged EXEC mode Example The following is sample output from the show ipv6 route summary command switchxxxxxx show ipv6 route summary IPv6 Routing Table Summary 97 entries 37 local 35 connected 25 static Number of...

Page 633: ...tore the default configuration use the no form of this command Syntax lacp port priority value no lacp port priority Parameters value Specifies the port priority Range 1use the no form of this command65535 Default Configuration The default port priority is 1 Command Mode Interface Ethernet Configuration mode Example The following example sets the priority of gi16 switchxxxxxx config interface gi16...

Page 634: ...alue Specifies the system priority value Range 1 65535 Default Configuration The default system priority is 1 Command Mode Global Configuration mode Example The following example sets the system priority to 120 switchxxxxxx config lacp system priority 120 28 3 lacp timeout To assign an administrative LACP timeout to an interface use the lacp timeout Interface Ethernet Configuration mode command To...

Page 635: ...xxxxx config interface gi16 switchxxxxxx config if lacp timeout long 28 4 show lacp To display LACP information for all Ethernet ports or for a specific Ethernet port use the show lacp Privileged EXEC mode command Syntax show lacp interface id parameters statistics protocol state Parameters interface id Specify an interface ID The interface ID must be an Ethernet port parameters Optional Displays ...

Page 636: ... port Oper priority port Admin timeout port Oper timeout LACP Activity Aggregation synchronization collecting distributing expired 1 00 00 12 34 56 78 30 30 21 1 1 LONG LONG ACTIVE AGGREGATABLE FALSE FALSE FALSE FALSE Partner system priority system mac addr port Admin key port Oper key port Oper number port Admin priority port Oper priority port Admin timeout port Oper timeout LACP Activity Aggreg...

Page 637: ...umber Parameters port_channel_number Optional Specifies the port channel number Command Mode Privileged EXEC mode Port gi11 LACP Statistics LACP PDUs sent LACP PDUs received 2 2 Port gi11 LACP Protocol State LACP State Machines Receive FSM Mux FSM Port Disabled State Detached State Control Variables BEGIN LACP_Enabled Ready_N Selected Port_moved NNT Port_enabled FALSE TRUE FALSE UNSELECTED FALSE F...

Page 638: ...38 28 Example The following example displays LACP information about port channel 1 switchxxxxxx show lacp port channel 1 Port Channel 1 Port Type 1000 Ethernet Actor System Priority MAC Address Admin Key Oper Key 1 000285 0E1C00 29 29 Partner System Priority MAC Address Oper Key 0 00 00 00 00 00 00 14 ...

Page 639: ... Syntax autobaud no autobaud Parameters This command has no arguments or keywords Default Configuration Automatic baud rate detection is enabled Command Mode Line Configuration Mode User Guidelines When this command is enabled it is activated as follows connect the console to the device and press the Enter key twice The device detects the baud rate automatically Example The following example enabl...

Page 640: ...Specifies the number of minutes Range 0 65535 seconds Optional Specifies the number of seconds Range 0 59 Default Configuration The default idle time interval is 10 minutes Command Mode Line Configuration Mode Example The following example sets the telnet session idle time interval before automatic logoff to 20 minutes and 10 seconds switchxxxxxx config line telnet switchxxxxxx config line exec ti...

Page 641: ...e Example The following example configures the device as a virtual terminal for remote Telnet access switchxxxxxx config line telnet switchxxxxxx config line 29 4 speed To set the line baud rate use the speed command in Line Configuration mode To restore the default configuration use the no form of this command Syntax speed bps no speed Parameters bps Specifies the baud rate in bits per second bps...

Page 642: ...tchxxxxxx config line speed 9600 29 5 show line To display line parameters use the show line Privileged EXEC mode command Syntax show line console telnet ssh Parameters console Optional Displays the console configuration telnet Optional Displays the Telnet configuration ssh Optional Displays the SSH configuration Default Configuration If the line is not specified all line configuration parameters ...

Page 643: ... configuration Interactive timeout Disabled History 10 Baudrate 9600 Databits 8 Parity none Stopbits 1 Telnet configuration Telnet is enabled Interactive timeout 10 minutes 10 seconds History 10 SSH configuration SSH is enabled Interactive timeout 10 minutes 10 seconds History 10 ...

Page 644: ...lldp table interface id Parameters interface id Optional Specifies a port ID Default Configuration If no interface is specified the default is to clear the LLDP table for all ports Command Mode Privileged EXEC mode Example switchxxxxxx clear lldp table gi11 30 2 lldp chassis id To configure the source of the chassis ID of the port use the lldp chassis id Global Configuration mode command To restor...

Page 645: ...elines The host name should be configured to be a unique value If the chassis ID configured to be used in LLDP packets is empty LLDP uses the default chassis ID specified above Example The following example configures the chassis ID to be the MAC address switchxxxxxx config lldp chassis id mac address 30 3 lldp hold multiplier To specify how long the receiving device holds a LLDP packet before dis...

Page 646: ...a TTL min 65535 LLDP Timer LLDP hold multiplier For example if the value of the LLDP timer is 30 seconds and the value of the LLDP hold multiplier is 4 then the value 120 is encoded in the TTL field of the LLDP header Example The following example sets the LLDP packet hold time interval to 90 seconds switchxxxxxx config lldp timer 30 switchxxxxxx config lldp hold multiplier 3 30 4 lldp lldpdu To d...

Page 647: ...ng mode cannot be set to flooding and vice versa If LLDP is globally disabled and the LLDP packet handling mode is flooding LLDP packets are treated as data packets with the following exceptions VLAN ingress rules are not applied to LLDP packets The LLDP packets are trapped on all ports for which the STP state is Forwarding Default deny all rules are not applied to LLDP packets VLAN egress rules a...

Page 648: ...he dynamic IP addresses If there are no dynamic addresses the software selects the lowest IP address among the static IP addresses automatic interface id Available only when the device is in Layer 3 router mode Specifies that the software automatically selects a management address to advertise from the IP addresses that are configured on the interface ID In case of multiple IP addresses the softwa...

Page 649: ...o enable or disable LLDP Media Endpoint Discovery MED on a port use the lldp med Interface Ethernet Configuration mode command To return to the default state use the no form of this command Syntax lldp med enable tlv tlv4 disable no lldp med Parameters enable Enable LLDP MED tlv Specifies the TLV that should be included Available TLVs are Network Policy Location and POE PSE Inventory The Capabilit...

Page 650: ...ernet Configuration mode command To restore the default configuration use the no form of this command Syntax lldp med notifications topology change enable disable no lldp med notifications topology change Parameters enable Enables sending LLDP MED topology change notifications disable Disables sending LLDP MED topology change notifications Default Configuration Disable is the default Command Mode ...

Page 651: ...o lldp med fast start repeat count Parameters repeat count number Specifies the number of times the fast start LLDPDU is being sent during the activation of the fast start mechanism The range is 1 10 Default Configuration 3 Command Mode Global Configuration mode Example switchxxxxxx config lldp med fast start repeat count 4 30 9 lldp med location To configure the location information for the LLDP ...

Page 652: ...d by a period or colon Length coordinate 16 bytes Civic address 6 160 bytes Ecs elin 10 25 bytes Default Configuration The location is not configured Command Mode Interface Ethernet Configuration mode Example The following example configures the LLDP MED location information on gi12 as a civic address switchxxxxxx config interface gi12 switchxxxxxx config if lldp med location civic address 6162636...

Page 653: ...he primary function of the application defined for this network policy Available application names are voice voice signaling guest voice guest voice signaling softphone voice video conferencing streaming video video signaling vlan vlan id Optional VLAN identifier for the application vlan type Optional Specifies if the application is using a tagged or an untagged VLAN up priority Optional User Prio...

Page 654: ...p 1 dscp 2 switchxxxxxx config interface gi11 switchxxxxxx config if lldp med network policy add 1 30 11 lldp med network policy interface To attach or remove an LLDP MED network policy on a port use the lldp med network policy Interface Ethernet Configuration mode command Network policies are created in lldp med network policy global To remove all the LLDP MED network policies from the port use t...

Page 655: ...tchxxxxxx config if lldp med network policy add 1 30 12 lldp med network policy voice auto A network policy for voice LLDP packets can be created by using the lldp med network policy global The lldp med network policy voice auto Global Configuration mode is simpler in that it uses the configuration of the Voice application to create the network policy instead of the user having to manually configu...

Page 656: ...voice VLAN there must be no manually pre configured network policies for the voice application In Auto mode you cannot manually define a network policy for the voice application using the lldp med network policy global command Example switchxxxxxx config lldp med network policy voice auto 30 13 lldp notifications To enable disable sending LLDP notifications on an interface use the lldp notificatio...

Page 657: ...4 lldp notifications interval To configure the maximum transmission rate of LLDP notifications use the lldp notifications interval Global Configuration mode command To return to the default use the no form of this command Syntax lldp notifications interval seconds no lldp notifications interval Parameters interval seconds The device does not send more than a single notification in the indicated pe...

Page 658: ...ers tlv Specifies the TLVs to be included Available optional TLVs are port desc sys name sys desc sys cap 802 3 mac phy 802 3 lag 802 3 max frame size none Optional Clear all optional TLVs from the interface If the 802 1 protocol is selected see the command below Default Configuration The following TLV are transmitted sys name sys cap Command Mode Interface Ethernet Configuration mode Example The ...

Page 659: ...id This vlan id is advertised lldp optional tlv 802 1 vlan remove vlan id This vlan id is not advertised lldp optional tlv 802 1 protocol add stp rstp mstp pause 802 1x lacp gvrp The protocols selected are advertised lldp optional tlv 802 1 protocol remove stp rstp mstp pause 802 1x lacp gvrp The protocols selected are not advertised Parameters lldp optional tlv 802 1 pvid enable disable Advertise...

Page 660: ...ion mode command To disable LLDP use the no form of this command Syntax lldp run no lldp run Parameters This command has no arguments or keywords Default Configuration Enabled Command Mode Global Configuration mode Example switchxxxxxx config lldp run 30 18 lldp receive To enable receiving LLDP on an interface use the lldp receive Interface Ethernet Configuration mode command To stop receiving LLD...

Page 661: ...tored individually per port LLDP operation on a port is not dependent on the STP state of a port I e LLDP frames are received on blocked ports If a port is controlled by 802 1x LLDP operates only if the port is authorized Example switchxxxxxx config interface gi11 switchxxxxxx config if lldp receive 30 19 lldp reinit To specify the minimum time an LLDP port waits before reinitializing LLDP transmi...

Page 662: ... Global Configuration mode Example switchxxxxxx config lldp reinit 4 30 20 lldp timer To specify how often the software sends LLDP updates use the lldp timer Global Configuration mode command To restore the default configuration use the no form of this command Syntax lldp timer seconds no lldp timer Parameters timer seconds Specifies in seconds how often the software sends LLDP updates range 5 327...

Page 663: ... Interface Ethernet Configuration mode command Syntax lldp transmit no lldp transmit Parameters This command has no arguments or keywords Default Configuration Enabled Command Mode Interface Ethernet Configuration mode switchxxxxxx config if User Guidelines LLDP manages LAG ports individually LLDP sends separate advertisements on each port in a LAG LLDP operation on a port is not dependent on the ...

Page 664: ...e no form of this command Syntax lldp tx delay seconds no lldp tx delay Parameters tx delay seconds Specifies the delay in seconds between successive LLDP frame transmissions initiated by value status changes in the LLDP local systems MIB range 1 8192 seconds Default Configuration The default LLDP frame transmission delay is 2 seconds Command Mode Global Configuration mode User Guidelines It is re...

Page 665: ...ID detailed Optional Displays information for non present ports in addition to present ports Default Configuration Display for all ports If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Examples Example 1 Display LLDP configuration for all ports switchxxxxxx show lldp configuration State Enabled Timer 30 Seconds Hold multiplier 4 Reinit delay 2 Seconds Tx ...

Page 666: ...ndling Filtering Chassis ID mac address Port State Optional TLVs Address Notifications gi11 RX TX PD SN SD SC 72 16 1 1 Disabled 802 3 optional TLVs 802 3 mac phy 802 3 lag 802 3 max frame size 802 1 optional TLVs PVID Enabled PPVIDs 0 1 92 VLANs 1 92 Protocols 802 1x The following table describes the significant fields shown in the display Field Description Timer The time interval between LLDP up...

Page 667: ...on for all ports Command Mode Privileged EXEC mode Tx delay The delay between successive LLDP frame transmissions initiated by value status changes in the LLDP local systems MIB Port The port number State The port s LLDP state Optional TLVs Optional TLVs that are advertised Possible values are PD Port description SN System name SD System description SC System capabilities Address The management ad...

Page 668: ...s 172 16 1 8 802 3 MAC PHY Configuration Status Auto negotiation support Supported Auto negotiation status Enabled Auto negotiation Advertised Capabilities 100BASE TX full duplex 1000BASE T full duplex Operational MAU type 1000BaseTFD 802 3 Link Aggregation Aggregation capability Capable of being aggregated Aggregation status Not currently in aggregation Aggregation port ID 1 802 3 Maximum Frame S...

Page 669: ...ower Source Power priority High Power value 9 6 Watts LLDP MED Location Coordinates 54 53 c1 f7 51 57 50 ba 5b 97 27 80 00 00 67 01 Hardware Revision B1 Firmware Revision A1 Software Revision 3 8 Serial number 7978399 Manufacturer name Manufacturer Model name Model 1 Asset ID Asset 123 switchxxxxxx show lldp local gi12 LLDP is disabled 30 25 show lldp local tlvs overloading When an LLDP packet con...

Page 670: ...ommand calculates the overloading status of the current LLDP configuration and not for the last LLDP packet that was sent Example switchxxxxxx show lldp local tlvs overloading gi11 TLVs Group Bytes Status Mandatory 31 Transmitted LLDP MED Capabilities 9 Transmitted LLDP MED Location 200 Transmitted 802 1 1360 Overloading Total 1600 bytes Left 100 bytes 30 26 show lldp med configuration To display ...

Page 671: ...the command displays information for all ports If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Examples Example 1 The following example displays the LLDP MED configuration for all interfaces switchxxxxxx show lldp med configuration Fast Start Repeat Count 4 lldp med network policy voice manual Network policy 1 Application type voiceSignaling VLAN ID 1 unt...

Page 672: ...ddress 61 62 63 64 65 66 30 27 show lldp neighbors To display information about neighboring devices discovered using LLDP use the show lldp neighbors Privileged EXEC mode command The information can be displayed for all ports or for a specific port Syntax show lldp neighbors interface id Parameters interface id Optional Specifies a port ID Default Configuration If no port ID is entered the command...

Page 673: ...er TP Two Ports MAC Relay S S VLAN C C VLAN O Other Port Device ID Port ID System Name Capabilities TTL gi11 00 00 00 11 11 11 gi11 ts 7800 2 B 90 gi11 00 00 00 11 11 11 gi11 ts 7800 2 B 90 gi12 00 00 26 08 13 24 gi13 ts 7900 1 B R 90 gi13 00 00 26 08 13 24 gi12 ts 7900 2 W 90 Example 2 The following example displays information about neighboring devices discovered using LLDP on port 1 switchxxxxx...

Page 674: ...er pair control ability Not supported PSE Power Pair Signal PSE Power class 1 802 3 Link Aggregation Aggregation capability Capable of being aggregated Aggregation status Not currently in aggregation Aggregation port ID 1 802 3 Maximum Frame Size 1522 802 3 EEE Remote Tx 25 usec Remote Rx 30 usec Local Tx Echo 30 usec Local Rx Echo 25 usec 802 1 PVID 1 802 1 PPVID 2 supported enabled 802 1 VLAN 2 ...

Page 675: ...mware revision 2 3 Software revision 2 7 1 Serial number LM759846587 Manufacturer name VP Model name TR12 Asset ID 9 LLDP MED Location Coordinates 54 53 c1 f7 51 57 50 ba 5b 97 27 80 00 00 67 01 The following table describes significant LLDP fields shown in the display Field Description Port The port number Device ID The neighbor device s configured ID name or MAC address Port ID The neighbor devi...

Page 676: ...rt The auto negotiation support status on the port supported or not supported Auto negotiation status The active status of auto negotiation on the port enabled or disabled Auto negotiation Advertised Capabilities The port speed duplex flow control capabilities advertised by the auto negotiation Operational MAU type The port MAU type LLDP MED Capabilities The sender s LLDP MED capabilities Device t...

Page 677: ... PSE or Power Device PD Power Source The power source utilized by a PSE or PD device A PSE device advertises its power capability The possible values are Primary power source and Backup power source A PD device advertises its power source The possible values are Primary power Local power Primary and Local power Power priority The PD device priority A PSE device advertises the power priority config...

Page 678: ...ays information for non present ports in addition to present ports Default Configuration If no port ID is entered the command displays information for all ports If detailed is not used only present ports are displayed Command Mode User EXEC mode Example switchxxxxxx show lldp statistics Tables Last Change Time 14 Oct 2010 32 08 18 Tables Inserts 26 Tables Deletes 2 Tables Dropped 0 Tables Ageouts ...

Page 679: ... B Bridge R Router W WLAN Access Point T Telephone D DOCSIS cable device H Host r Repeater O Other System description The neighbor device s system description Port description The neighbor device s port description Management address The neighbor device s management address Auto negotiation support The auto negotiation support status on the port Supported or Not Supported Auto negotiation status T...

Page 680: ... for the specified application LLDP MED Power Over Ethernet Power type The device power type The possible values are Power Sourcing Entity PSE or Power Device PD Power Source The power source utilized by a PSE or PD device A PSE device advertises its power capability The possible values are Primary power source and Backup power source A PD device advertises its power source The possible values are...

Page 681: ...yntax loopback detection enable no loopback detection enable Parameters This command has no arguments or keywords Default Configuration Loopback Detection is disabled Command Mode Global Configuration mode User Guidelines This command enables the Loopback Detection feature globally Use the loopback detection enable Interface Configuration mode command to enable Loopback Detection on an interface E...

Page 682: ... Default Configuration Loopback Detection is enabled on an interface Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines This command enables Loopback Detection on an interface Use the loopback detection enable Global Configuration command to enable Loopback Detection globally Example The following example enables the Loopback Detection feature on port gi14 switchxxxxxx...

Page 683: ... to 45 seconds switchxxxxxx config loopback detection interval 45 31 4 show loopback detection To display information about Loopback Detection use the show loopback detection Privileged EXEC mode command Syntax show loopback detection interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel det...

Page 684: ...s that the interface entered errDisabled state see set interface active set interface activeor errdisable recovery cause for more information Operational status of Inactive indicates that loopback detection is not actively attempting to detect loops i e the Active status conditions are not meet Example The following example displays information about the status of Loopback Detection Console show l...

Page 685: ...macro a macro whose name is concatenated with no_ The anti macro reverses the action of the macro If a macro with this name already exists it overrides the previously defined one Use the no form of this command to delete the macro definition Syntax macro name macro name no macro name macro name Parameters macro name Name of the macro Macro names are case sensitive Default Configuration N A Command...

Page 686: ...name to create the macro with the specified name Enter one macro command per line Use the character to end the macro Use the character at the beginning of a line to enter a comment in the macro In addition is used to identify certain preprocessor commands that can only be used within a macro There are two possible preprocessor commands macro key description Each macro can be configured with up to ...

Page 687: ... You cannot override a Smartport macro To change a Smartport macro create a new macro my_macro and an anti macro no_my_macro and associate it with the Smartport type using the macro auto user smartport macro command Scope of Macro It is important to consider the scope of any user defined macro Because of the potential hazards of applying unintended configurations do not change configuration modes ...

Page 688: ...sing the help character as defined by the macro keywords command above and then run the macro on the port The macro keywords command entered in the macro definition enables the user to receive help for the macro as shown after the words e g below switchxxxxxx config interface gi11 switchxxxxxx config if macro apply duplex WORD 1 32 Keyword to replace with value e g DUPLEX SPEED cr switchxxxxxx con...

Page 689: ...face Ethernet Port Channel Configuration mode User Guidelines The macro apply command hides the commands of the macro from the user while it is being run The macro trace command displays the commands along with any errors which are generated by them as they are executed This is used to debug the macro and find syntax or configuration errors When you run a macro if a line in it fails because of a s...

Page 690: ...mmand fails on one interface it is nonetheless attempted to be applied and may fail or succeed on the remaining interfaces Examples Example 1 The following is an example of a macro being applied to an interface with the trace option switchxxxxxx config interface gi12 switchxxxxxx config if macro trace dup DUPLEX full SPEED 100 Applying command duplex full Applying command speed 100 switchxxxxxx co...

Page 691: ...scription text no macro description Parameters text Description text The text can contain up to 160 characters The text must be double quoted if it contains multiple words Default Configuration The command has no default setting Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines When multiple macros are applied on a single interface the description text is a concatenat...

Page 692: ...duplex dup duplex switchxxxxxx configure switchxxxxxx config interface gi12 switchxxxxxx config if no macro description switchxxxxxx config if end switchxxxxxx config exit switchxxxxxx show parser macro description Global Macro s Interface Macro Description s gi13 duplex dup duplex 32 4 macro global Use the macro global Global Configuration command to apply a macro to a switch with or without the ...

Page 693: ...ensitive All matching occurrences of the keyword are replaced with the corresponding value Any full match of a keyword even if it is part of a large string is considered a match and replaced by the corresponding value If you apply a macro that contains keywords in its commands the command fails if you do not specify the proper values for the keywords when you apply the macro You can use this comma...

Page 694: ...to enter a description which is used to indicate which macros have been applied to the switch Use the no form of this command to remove the description Syntax macro global description text no macro global description Parameters text Description text The text can contain up to 160 characters Default Configuration The command has no default setting Command Mode Global Configuration mode User Guideli...

Page 695: ... of all macros description interface interface id Display the macro descriptions for all interfaces or if an interface is specified display the macro descriptions for that interface name macro name Display information about a single macro identified by the macro name detailed Displays information for non present ports in addition to present ports Default Configuration Display description of all ma...

Page 696: ...AVID should not be 1 switchport access vlan AVID switchport mode access Example 2 This is an example of output from the show parser macro name command switchxxxxxx show parser macro standard switch10 Macro name standard switch10 Macro type customizable macro description standard switch10 Trust QoS settings on VOIP packets auto qos voip trust Allow port channels to be automatically formed channel p...

Page 697: ...pany router customizable snmp Example 4 This is an example of output from the show parser macro description command switchxxxxxx show parser macro description Global Macro s company global Example 5 This is an example of output from the show parser macro description interface command switchxxxxxx show parser macro description interface gi12 Interface Macro Description gi12 this is test macro ...

Page 698: ...t channel or VLAN service service Optional Specifies the service type Possible values are Telnet SSH HTTP HTTPS and SNMP ipv4 address Specifies the source IPv4 address ipv6 address ipv6 prefix length Specifies the source IPv6 address and source IPv6 address prefix length The prefix length must be preceded by a forward slash The parameter is optional mask mask Specifies the source IPv4 address netw...

Page 699: ...guration mode command Syntax permit interface id service service permit ip source ipv4 address ipv6 address ipv6 prefix length mask mask prefix length interface id service service Parameters interface id Optional Specify an interface ID The interface ID can be one of the following types Ethernet port Port channel or VLAN service service Optional Specifies the service type Possible values are Telne...

Page 700: ...channel parameters are valid only if an IP address is defined on the appropriate interface Example The following example permits all ports in the ACL called mlist switchxxxxxx config management access list mlist switchxxxxxx config macl switchpermit 33 3 management access list To configure a management access list ACL and enter the Management Access list Configuration mode use the management acces...

Page 701: ...d in IPv4 packets the management ACL is applied first on the external IPv4 header rules with the service field are ignored and then again on the inner IPv6 header Examples Example 1 The following example creates a management access list called mlist configures management gi11 and gi19 and makes the new access list the active list switchxxxxxx config management access list mlist switchxxxxxx config...

Page 702: ...d To disable management connection restrictions use the no form of this command Syntax management access class console only name no management access class Parameters console only Specifies that the device can be managed only from the console name Specifies the ACL name to be used Length 1 32 characters Default Configuration The default configuration is no management connection restrictions Comman...

Page 703: ...ss list to be displayed Length 1 32 characters Default Configuration All management ACLs are displayed Command Mode Privileged EXEC mode Example The following example displays the mlist management ACL switchxxxxxx show management access list mlist m1 deny service telnet permit gi11 service telnet Note all other access implicitly denied console config macl 33 6 show management access class To displ...

Page 704: ...how management access class Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode Example The following example displays the active management ACL information switchxxxxxx show management access class Management access class is enabled using access list mlist ...

Page 705: ...he no form of this command Syntax ipv6 mld snooping no ipv6 mld snooping Parameters N A Default Configuration IPv6 MLD snooping is disabled Command Mode Global Configuration mode Example The following example enables IPv6 MLD snooping switchxxxxxx config ipv6 mld snooping 34 2 ipv6 mld snooping vlan To enable MLD snooping on a specific VLAN use the ipv6 mld snooping vlan command in Global Configur...

Page 706: ...iltering must be enabled by the bridge multicast filtering command The user guidelines of the bridge multicast mode command describe the configuration that can be written into the FDB as a function of the FDB mode and the MLD version that is used in the network Example switchxxxxxx config ipv6 mld snooping vlan 2 34 3 ipv6 mld snooping querier To enable globally the MLD Snooping querier use the ip...

Page 707: ... example disables the MLD Snooping querier globally switchxxxxxx config no ipv6 mld snooping querier 34 4 ipv6 mld snooping vlan querier To enable the Internet MLD Snooping querier on a specific VLAN use the ipv6 mld snooping vlan querier command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 mld snooping vlan vlan id querier no ipv6 mld snooping ...

Page 708: ...tion To enable MLD Querier election mechanism of an MLD Snooping querier on a specific VLAN use the ipv6 mld snooping vlan querier election command in Global Configuration mode To disable Querier election mechanism use the no form of this command Syntax ipv6 mld snooping vlan vlan id querier election no ipv6 mld snooping vlan vlan id querier election Parameters vlan id Specifies the VLAN Default C...

Page 709: ... for Query Passive interval that equals to Robustness Query Interval 0 5 Query Response Interval See the ipv6 mld robustness ipv6 mld query interval and ipv6 mld query max response time commands for configurations of these parameters It is recommended to disable MLD Querier election mechanism if there is an IPMv6 Multicast router on the VLAN Example The following example disables MLD Snooping Quer...

Page 710: ... snooping vlan mrouter command in Global Configuration mode To remove the configuration use the no form of this command Syntax ipv6 mld snooping vlan vlan id mrouter learn pim dvmrp no ipv6 mld snooping vlan vlan id mrouter learn pim dvmrp Parameters vlan id Specifies the VLAN pim dvmrp Learn Multicast router port by PIM DVMRP and MLD messages Default Configuration Learning pim dvmrp is enabled Co...

Page 711: ...an id Specifies the VLAN interface list Specifies a list of interfaces The interfaces can be from one of the following types port or port channel Default Configuration No ports defined Command Mode Global Configuration mode User Guidelines This command may be used in conjunction with the bridge multicast forward all command which is used in older versions to statically configure a port as a Multic...

Page 712: ...dden mrouter interface interface list Parameters vlan id Specifies the VLAN interface list Specifies list of interfaces The interfaces can be of one of the following types Ethernet port or Port channel Default Configuration No forbidden ports by default Command Mode Global Configuration mode User Guidelines A port that is forbidden to be defined as a Multicast router port mrouter port cannot be le...

Page 713: ...ddress interface interface list Parameters vlan id Specifies the VLAN ipv6 address Specifies the IP multicast address interface interface list Optional Specifies list of interfaces The interfaces can be from one of the following types Ethernet port or Port channel Default Configuration No Multicast addresses are defined Command Mode Global Configuration mode User Guidelines Static multicast addres...

Page 714: ...s When an MLD Leave Group message is received from a host the system removes the host port from the table entry After it relays the MLD queries from the Multicast router it deletes entries periodically if it does not receive any MLD membership reports from the Multicast clients MLD snooping Immediate Leave processing allows the switch to remove an interface that sends a leave message from the forw...

Page 715: ...the show bridge multicast address table command The Include list contains the ports which are in a forwarding state for this group according to the snooping database In general the Exclude list contains the ports which have issued an explicit Exclude for that specific source in a multicast group The Reporters That Are Forbidden Statically list contains the list of ports which have asked to receive...

Page 716: ...id Specifies the VLAN ID Default Configuration Display information for all VLANs Command Mode User EXEC mode switchxxxxxx show ipv6 mld snooping groups VLAN 1 1 19 19 19 Group Address FF12 3 FF12 3 FF12 8 FF12 8 FF12 8 Source Address FE80 201 C9FF FE40 8001 FE80 201 C9FF FE40 8002 FE80 201 C9FF FE40 8003 FE80 201 C9FF FE40 8004 FE80 201 C9FF FE40 8005 Include Ports gi11 gi12 gi14 gi11 gi110 11 Exc...

Page 717: ...n 2 MLD Snooping Querier election is enabled MLD snooping robustness admin 2 oper 2 MLD snooping query interval admin 125 sec oper 125 sec MLD snooping query maximum response admin 10 sec oper 10 sec MLD snooping last member query counter admin 2 oper 2 MLD snooping last member query interval admin 1000 msec oper 500 msec Groups that are in MLD version 1 compatibility mode FF12 3 FF12 8 34 14 show...

Page 718: ...uration Display information for all VLANs Command Mode User EXEC mode Example The following example displays information on dynamically learned Multicast router interfaces for VLAN 1000 switchxxxxxx show ipv6 mld snooping mrouter interface 1000 VLAN 1000 Dynamic gi11 Static gi12 Forbidden gi13 4 ...

Page 719: ...e id Optional Specifies an Ethernet port ID Command Mode Privileged EXEC mode User Guidelines This command does not work on fiber ports if they exist on the device The port to be tested should be shut down during the test unless it is a combination port with fiber port active In this case it does not need to be shut down because the test does not work on fiber ports The maximum length of cable for...

Page 720: ...med on all copper ports or on a specific copper port use the show cable diagnostics tdr Privileged EXEC mode command Syntax show cable diagnostics tdr interface interface id Parameters interface id Optional Specify an Ethernet port ID Command Mode Privileged EXEC mode User Guidelines The maximum length of cable for the TDR test is 120 meters Example The following example displays information on th...

Page 721: ...ow cable diagnostics cable length interface interface id Parameters interface id Optional Specify an Ethernet port ID Command Mode Privileged EXEC mode User Guidelines The port must be active and working at 100 M or 1000 M Example The following example displays the estimated copper cable length attached to all ports gi13 Test has not been performed gi14 Open 64 13 32 00 23 July 2010 switchxxxxxx s...

Page 722: ...ation All ports are displayed If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Examples switchxxxxxx show fiber ports optical transceiver Port Temp Voltage Current Output Input LOS C Volt mA Power Power mWatt mWatt gi11 Copper gi12 Copper gi13 28 3 32 7 26 3 53 3 68 No gi14 29 3 33 6 50 3 53 3 71 No Temp Internally measured transceiver temperature Voltage ...

Page 723: ...PHY Diagnostics Commands 723 OL 32830 01 Command Line Interface Reference Guide 35 N A Not Available N S Not Supported W Warning E Error ...

Page 724: ...ice discovery protocol and applies power to the device never Turns off the device discovery protocol and stops supplying power to the device time range name Specifies a time range When the time range is not in effect the power is not supplied the attached device If a time range is not specified there is no time range bounded to the port Range 1 32 characters Default Configuration The default confi...

Page 725: ...le the inrush test a hardware test that checks input surge current for PoE devices use the power inline inrush test disable Global Configuration mode command To enable the inrush test use the no form of this command Syntax power inline inrush test disable no power inline inrush test disable Parameters N A Default Configuration Inrush test is enabled Command Mode Global Configuration mode Example T...

Page 726: ...disable no power inline legacy support disable Parameters N A Default Configuration Legacy support is enabled Command Mode Global Configuration mode Example The following example disables legacy PDs support switchxxxxxx config power legacy support disable 36 4 power inline powered device To add a description of the powered device type use the power inline powered device Interface Configuration mod...

Page 727: ...fig interface gi14 switchxxxxxx config if power inline powered device ip_phone 36 5 power inline priority To configure the interface inline power management priority use the power inline priority Interface Configuration Ethernet mode command To restore the default configuration use the no form of this command Syntax power inline priority critical high low no power inline priority Parameters critic...

Page 728: ...inline power usage alarms use the power inline usage threshold Global Configuration mode command To restore the default configuration use the no form of this command Syntax power inline usage threshold percent no power inline usage threshold Parameters percent Specifies the threshold in percent to compare to the measured power Range 1 99 Default Configuration The default threshold is 95 percent Co...

Page 729: ...nline power traps are disabled Command Mode Global Configuration mode Example The following example enables inline power traps switchxxxxxx config power inline traps enable 36 8 power inline limit To configure the power limit per port on an interface use the power inline limit Interface Configuration mode command To return to default use the no form of the command Syntax power inline limit power n...

Page 730: ...an 15 4W on a PoE port the operational power limit is 15 4W Example The following example sets inline power on a port switchxxxxxx config interface gi11 switchxxxxxx config if power inline limit 2222 36 9 power inline limit mode To set the power limit mode of the system use the power inline limit mode Global Configuration mode command To return to default use the no form of this command Syntax pow...

Page 731: ...r inline limit mode class Changing the PoE limit mode of the system will turn the power OFF and ON for all PoE ports Are you sure y n 36 10 show power inline To display information about the inline power for all interfaces or for a specific interface use the show power inline privileged EXEC mode command Syntax show power inline interface id Parameters interface id Specifies an interface ID The in...

Page 732: ...med PoE Legacy Power Power Mode Mode 1 Off 1 Watts 0 Watts 0 AT Disable Port Powered Device State Status Priority Class gi11 IP Phone Model A Auto On High Class0 gi12 Wireless AP Model A Auto On Low Class1 gi13 Auto Off Low N A Example 2 The following example displays information about the inline power for a specific port switchxxxxxx config show power inline gi11 Power Limit Mode Port Powered Dev...

Page 733: ...on of the powered device type State Indicates if the port is enabled to provide power The possible values are Auto or Never Priority Port inline power management priority The possible values are Critical High or Low Status Power operational state The possible values are On Off Test Fail Testing Searching or Fault Class Power consumption classification of the powered device Overload Counter Counts ...

Page 734: ...ort is on Valid capacitor signature detected Port is off Backoff state has occurred Port is off Class error has occurred 36 11 show power inline consumption To display information about the inline power consumption for all interfaces or for a specific interface use the show power inline consumption privileged EXEC mode command Syntax show power inline consumption interface id Parameters Interface ...

Page 735: ...face Reference Guide 36 Example The following example displays information about the inline power consumption switchxxxxxx show power inline consumption Port gi11 gi12 gi13 Power Limit W 15 4 15 4 30 Power W 4 115 4 157 15 4 Voltage V 50 8 50 7 50 9 Current mA 81 82 79 ...

Page 736: ...hannel group port channel mode on auto no channel group Parameters port channel Specifies the port channel number for the current port to join mode Specifies the mode of joining the port channel The possible values are on Forces the port to join a channel without an LACP operation auto Forces the port to join a channel as a result of an LACP operation Default Configuration The port is not assigned...

Page 737: ...channel load balance Global Configuration mode command To reset to default use the no form of this command Syntax port channel load balance src dst mac src dst mac ip no port channel load balance Parameters src dst mac Port channel load balancing is based on the source and destination MAC addresses src dst mac ip Port channel load balancing is based on the source and destination of MAC and IP addr...

Page 738: ...Privileged EXEC mode command Syntax show interfaces port channel interface id Parameters interface id Optional Specify an interface ID The interface ID must be a port channel Command Mode Privileged EXEC mode Examples The following example displays information on all port channels switchxxxxxx show interfaces port channel Load balancing src dst mac Gathering information Channel Ports Po1 Active 1 ...

Page 739: ... tx no port monitor src interface id port monitor vlan vlan id no port monitor vlan vlan id Parameters rx Monitors received packets only If no option is specified it monitors both rx and tx tx Monitors transmitted packets only If no option is specified it monitors both rx and tx src interface id Specifies an interface ID The interface ID must be Ethernet port or port channel vlan vlan id VLAN numb...

Page 740: ...t is not a member in a port channel An IP interface is not configured on the port GVRP is not enabled on the port The port is not a member in any VLAN except for the default VLAN will be automatically removed from the default VLAN L2 protocols such as LLDP CDP LBD STP LACP are not active on the destination port Notes 1 In this mode some traffic duplication on the analyzer port may be observed For ...

Page 741: ...tination port gi11 switchxxxxxx config interface gi11 switchxxxxxx config if port monitor gi12 switchxxxxxx config if exit 38 2 show ports monitor Use the show ports monitor EXEC mode command to display the port monitoring status Syntax show ports monitor Command Mode User EXEC mode Example The following example displays the port monitoring status switchxxxxxx show ports monitor Source Port gi11 g...

Page 742: ...nced Specifies the QoS advanced mode which enables the full range of QoS configuration ports not trusted Relevant for advanced mode only Indicates that packets which are not classified by policy map rules to a QoS action are mapped to egress queue 0 This is the default setting in advanced mode ports trusted Relevant for advanced mode only Indicates that packets which are not classified by policy m...

Page 743: ... Global Configuration mode command to configure the trust mode in advanced mode Use the no form of this command to return to default Syntax qos advanced mode trust cos dscp cos dscp no qos advanced mode trust Parameters cos Classifies ingress packets with the packet CoS values For untagged packets the port default CoS is used dscp Classifies ingress packets with the packet DSCP values cos dscp Cla...

Page 744: ...classified to the QoS action trust Example The following example sets cos as the trust mode for QoS on the device switchxxxxxx config qos advanced mode trust cos 39 3 show qos Use the show qos Privileged EXEC mode command to display the QoS information for the device The trust mode is displayed for the QoS basic mode Syntax show qos Parameters N A Default Configuration Disabled Command Mode Comman...

Page 745: ...mode Use the no form of this command to delete a class map Syntax class map class map name match all match any no class map class map name Parameters class map name Specifies the class map name match all Performs a logical AND of all the criteria of the ACLs belonging to this class map All match criteria in this class map must be matched If neither match all nor match any is specified the match al...

Page 746: ...fferent type of ACL such as one IP ACL one IPv6 ACL and one MAC ACL The classification is by first match therefore the order of the ACLs is important Error messages are generated in the following cases There is more than one match command in a match all class map There is a repetitive classification field in the participating ACLs After entering the Class map Configuration mode the following confi...

Page 747: ...onfig show class map Class Map matchAny class1 Match access group mac 39 6 match Use the match Class map Configuration mode command to bind the ACLs that belong to the class map being configured Use the no form of this command to delete the ACLs Syntax match access group acl name no match access group acl name Parameters acl name Specifies the MAC IP ACL name or IPv6 ACL name Default Configuration...

Page 748: ...ap Global Configuration mode command to creates a policy map and enter the Policy map Configuration mode Use the no form of this command to delete a policy map Syntax policy map policy map name no policy map policy map name Parameters policy map name Specifies the policy map name Default Configuration N A Command Mode Global Configuration mode User Guidelines This command is only available when Qo...

Page 749: ...same policy map can be applied to multiple interfaces and directions The service policy command binds a policy map to a port port channel Example The following example creates a policy map called Policy1 and enters the Policy map Configuration mode switchxxxxxx config policy map policy1 switchxxxxxx config pmap 39 8 class Use the class Policy map Configuration mode command after the policy map com...

Page 750: ...icy map is defined use the service policy command to attach it to a port port channel Example The following example defines a traffic classification class map called class1 containing an ACL called enterprise The class is in a policy map called policy1 The policy map policy1 now contains the ACL enterprise switchxxxxxx config policy map policy1 switchxxxxxx config pmap class class1 access group en...

Page 751: ...p policy1 class class1 set IP dscp 7 Policy Map policy2 class class 2 police 96000 4800 exceed action drop 39 10 trust Use the trust Policy map Class Configuration mode command to configure the trust state Use the no form of this command to return to the default trust state Syntax trust no trust Parameters N A Default Configuration The default state is according to the mode selected in the qos com...

Page 752: ...ace Interface Configuration mode command The trust and set commands are mutually exclusive within the same policy map Policy maps which contain set or trust commands or that have ACL classification to an egress interface cannot be attached by using the service policy Interface Configuration mode command If specifying trust cos QoS maps a packet to a queue the received or default port CoS value and...

Page 753: ...to be marked in the packet Range 0 7 Command Mode Policy map Class Configuration mode User Guidelines This command is only available when QoS is in advanced mode The set and trust commands are mutually exclusive within the same policy map To return to the Configuration mode use the exit command To return to the Privileged EXEC mode use the end command Example The following example creates an ACL p...

Page 754: ...x police committed rate kbps committed burst byte exceed action action no police Parameters committed rate kbps Specifies the average traffic rate CIR in kbits per second bps Range 100 10000000 committed burst byte Specifies the normal burst size CBS in bytes Range 3000 19173960 exceed action Specifies the action taken when the committed rate is exceeded If the keyword is not configured then the d...

Page 755: ...cy map policy1 switchxxxxxx config pmap switchxxxxxx config pmap c police 124000 9600 exceed action drop 39 13 service policy Use the service policy Interface Ethernet Port Channel Configuration mode mode command to bind a policy map to an interface Use the no form of this command to detach a policy map from an interface Syntax service policy input policy map name default action permit any deny an...

Page 756: ...o the input interface switchxxxxxx config if service policy input policy1 The following example attaches a policy map called Policy1 to the input interface and forwards all packets that do not meet the rules of the policy switchxxxxxx config if service policy input policy1 permit any 39 14 qos aggregate policer Use the qos aggregate policer Global Configuration mode command to define the policer p...

Page 757: ...nd Default Configuration No aggregate policer is defined Command Mode Global Configuration mode User Guidelines This command is only available when QoS is in advanced mode Use the qos aggregate policer command to define a policer that aggregates traffic from multiple class maps Aggregate policers cannot aggregate traffic from multiple devices If the aggregate policer is applied to more than one de...

Page 758: ... or the normal burst size exceeds 9600 bytes the packet is dropped switchxxxxxx config qos aggregate policer policer1 124000 9600 exceed action drop 39 15 show qos aggregate policer Use the show qos aggregate policer Privileged EXEC mode mode command to display aggregate policers This command is only available in QoS advanced mode Syntax show qos aggregate policer aggregate policer name Parameters...

Page 759: ...regate policer name Parameters aggregate policer name Specifies the aggregate policer name Command Mode Policy map Class Configuration mode User Guidelines An aggregate policer can be applied to multiple classes in the same policy map An aggregate policer cannot be applied across multiple policy maps or interfaces Use the exit command to return to the Configuration mode Use the end command to retu...

Page 760: ...mand to map Class of Service CoS values to a specific egress queue Use the no form of this command to restore the default configuration Syntax wrr queue cos map queue id cos0 cos7 no wrr queue cos map queue id Parameters queue id Specifies the queue number to which the CoS values are mapped cos0 cos7 Specifies up to 8 CoS values to map to the specified queue number Range 0 7 Default Configuration ...

Page 761: ...queue 4 CoS value 7 is mapped to queue 4 Command Mode Global Configuration mode User Guidelines Use this command to distribute traffic to different queues Example The following example maps CoS value 4 and 6 to queue 2 switchxxxxxx config wrr queue cos map 2 4 6 39 18 wrr queue bandwidth Use the wrr queue bandwidth Global Configuration mode command to assign Weighted Round Robin WRR weights to egr...

Page 762: ...ets the bandwidth allocation of each queue A weight of 0 indicates that no bandwidth is allocated for the same queue and the shared bandwidth is divided among the remaining queues It is not recommended to set the weight of a queue to a 0 as it might stop transmission of control protocols packets generated by the device All queues participate in the WRR excluding the expedite queues whose correspon...

Page 763: ...eues or more than one If number of queues 0 all queues are assured forwarding according to wrr weights If the number of queues 8 all the queues are expedited strict priority queues Note the maximum number of queues depends on the value set in the set system mode command Default Configuration All queues are expedite queues Command Mode Global Configuration mode User Guidelines An expedite queue is ...

Page 764: ...mitted burst no traffic shape Parameters committed rate Specifies the maximum average traffic rate CIR in kbits per second kbps Range GE 64kbps maximum port speed committed burst Specifies the maximum permitted excess burst size CBS in bytes Range 4096 16762902 bytes Default Configuration The shaper is disabled Command Mode Interface Ethernet Configuration mode User Guidelines The egress port shap...

Page 765: ...fic shape queue queue id Parameters queue id Specifies the queue number to which the shaper is assigned Range 1 8 Note the maximum number of queues depends on the value set in the set system mode command committed rate Specifies the average traffic rate CIR in kbits per second kbps Range 64 kbps maximum port speed committed burst Specifies the excess burst size CBS in bytes Range 4096 16762902 byt...

Page 766: ...ffic rate on a port Use the no form of this command to disable the rate limit Syntax rate limit committed rate kbps burst committed burst bytes no rate limit Parameters committed rate kbps Specifies the maximum number of kilobits per second of ingress traffic on a port The range is 100 maximal port speed burst committed burst bytes The burst size in bytes Range 3000 19173960 If unspecified default...

Page 767: ...d to disable the rate limit Syntax rate limit vlan id committed rate committed burst no rate limit vlan Parameters vlan id Specifies the VLAN ID committed rate Specifies the average traffic rate CIR in kbits per second kbps Range 3 57982058 committed burst Specifies the maximum burst size CBS in bytes Range 3000 19173960 Default Configuration Rate limiting is disabled Committed burst bytes is 128K...

Page 768: ...ts the rate on VLAN 11 to 150000 kbps or the normal burst size to 9600 bytes switchxxxxxx config rate limit 11 150000 9600 39 24 qos wrr queue wrtd Use the qos wrr queue wrtd Global Configuration mode command to enable Weighted Random Tail Drop WRTD Use the no form of this command to disable WRTD Syntax qos wrr queue wrtd no qos wrr queue wrtd Parameters N A Default Disabled Command Mode Global Co...

Page 769: ...play the Weighted Random Tail Drop WRTD configuration Syntax show qos wrr queue wrtd Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example switchxxxxxx config show qos wrr queue wrtd Weighted Random Tail Drop is disabled Weighted Random Tail Drop will be enabled after reset 39 26 show qos interface Use the show qos interface Privileged EXEC mode command to display Qual...

Page 770: ...configuration interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration N A Command Mode Privileged EXEC mode User Guidelines If no parameter is specified with the show qos interface command the port QoS mode DSCP trusted CoS trusted untrusted and so on default CoS value DSCP to DSCP map if any attached to the port...

Page 771: ...ction deny all Example 2 The following is an example of the output from the show qos interface queueing command for 4 queues switchxxxxxx config show qos interface queueing gi11 Ethernet gi10 1 wrr bandwidth weights and EF priority qid weights Ef Priority 1 N A ena 1 2 N A ena 2 3 N A ena 3 4 N A ena 4 Cos queue map cos qid 0 1 1 1 2 2 3 3 4 3 5 4 6 4 7 4 ...

Page 772: ...g an example of the output from the show qos interface buffers command for 8 queues switchxxxxxx config show qos interface buffers gi11 gi11 Notify Q depth buffers gi11 Ethernet gi11 qid thresh0 thresh1 thresh2 1 100 100 80 2 100 100 80 3 100 100 80 4 100 100 80 5 100 100 80 6 100 100 80 7 100 100 80 8 100 100 80 ...

Page 773: ...pers command f switchxxxxxx config show qos interface shapers gi11 gi11 Port shaper enable Committed rate 192000 bps Committed burst 9600 bytes QID 1 2 3 4 5 6 7 8 Status Enable Disable Enable Disable Disable Disable Enable Enable Target Committed Rate bps 100000 N A 200000 N A N A N A 178000 23000 Target Committed Burst bytes 17000 N A 19000 N A N A N A 8000 1000 ...

Page 774: ...liced dscp Global Configuration mode command to configure the policed DSCP map for remarking purposes Use the no form of this command to restore the default configuration switchxxxxxx config show qos interface policer gi11 Ethernet gi11 Class map A Policer type aggregate Commited rate 192000 bps Commited burst 9600 bytes Exceed action policed dscp transmit Class map B Policer type single Commited ...

Page 775: ...alue is mapped to the same DSCP value Command Mode Global Configuration mode User Guidelines The original DSCP value and policed DSCP value must be mapped to the same queue in order to prevent reordering Example The following example marks incoming DSCP value 3 as DSCP value 5 on the policed DSCP map switchxxxxxx config qos map policed dscp 3 to 5 39 28 qos map dscp queue Use the qos map dscp queu...

Page 776: ...ollows Command Mode Global Configuration mode Example The following example maps DSCP values 33 40 and 41 to queue 1 switchxxxxxx config qos map dscp queue 33 40 41 to 1 39 29 qos trust Global Use the qos trust Global Configuration mode command to configure the system to the basic mode and trust state Use the no form of this command to return to the default configuration Syntax qos trust cos dscp ...

Page 777: ...the edge the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the domain Use this command to specify whether the port is trusted and which fields of the packet to use to classify traffic When the system is configured with trust DSCP the traffic is mapped to the queue by the DSCP queue map When t...

Page 778: ...st no qos trust Parameters N A Default Configuration Each port is enabled while the system is in basic mode Command Mode Interface Ethernet Port Channel Configuration mode Example The following example configures gi11 to the default trust state switchxxxxxx config interface gi11 switchxxxxxx config if qos trust 39 31 qos cos Use the qos cos Interface Ethernet Port Channel Configuration mode comman...

Page 779: ...rt Channel Configuration mode User Guidelines Use the default CoS value to assign a CoS value to all untagged packets entering the interface Example The following example defines the port gi11 default CoS value as 3 switchxxxxxx config interface gi11 switchxxxxxx config if qos cos 3 39 32 qos dscp mutation Use the qos dscp mutation Global Configuration mode command to apply the DSCP Mutation map t...

Page 780: ...written with newly mapped DSCP values at the ingress ports If applying the DSCP mutation map to an untrusted port to class of service CoS or to an IP precedence trusted port Global trust mode must be DSCP or CoS DSCP In advanced CoS mode ports must be trusted Example The following example applies the DSCP Mutation map to system DSCP trusted ports switchxxxxxx config qos dscp mutation 39 33 qos map...

Page 781: ...is possible to have several maps and assign each one to a different port Example The following example changes DSCP values 1 2 4 5 and 6 to DSCP Mutation Map value 63 switchxxxxxx config qos map dscp mutation 1 2 4 5 6 to 63 39 34 show qos map Use the show qos map Privileged EXEC mode command to display the various types of QoS mapping Syntax show qos map dscp queue dscp dp policed dscp dscp mutat...

Page 782: ... 0 01 01 01 01 01 01 01 01 01 01 1 01 01 01 01 01 01 02 02 02 02 2 02 02 02 02 02 02 02 02 02 02 3 02 02 03 03 03 03 03 03 03 03 4 03 03 03 03 03 03 03 03 04 04 5 04 04 04 04 04 04 04 04 04 04 6 04 04 04 04 Example 2 The following example displays the dscp remapping information switchxxxxxx config show qos map policed dscp Policed dscp map d1 d2 0 1 2 3 4 5 6 7 8 9 0 00 01 02 03 04 05 06 07 08 09 ...

Page 783: ...ult Configuration N A Command Mode Privileged EXEC mode Example The following example clears the QoS statistics counters switchxxxxxx config clear qos statistics 39 36 qos statistics policer Use the qos statistics policer Interface Ethernet Port Channel Configuration mode mode command to enable counting in profile and out of profile Use the no form of this command to disable counting This command ...

Page 784: ...ting in profile and out of profile on the interface switchxxxxxx config interface gi11 switchxxxxxx config if qos statistics policer policy1 class1 39 37 qos statistics aggregate policer Use the qos statistics aggregate policer Global Configuration mode command to enable counting in profile and out of profile Use the no form of this command to disable counting Syntax qos statistics aggregate polic...

Page 785: ...ion mode command to enable QoS statistics for output queues Use the no form of this command to disable QoS statistics for output queues Syntax qos statistics queues set queue all dp all interface all no qos statistics queues set Parameters set Specifies the counter set number interface Specifies the Ethernet port queue Specifies the output queue number dp Specifies the drop precedence The availabl...

Page 786: ...xxxx config qos statistics queues 1 all all all 39 39 show qos statistics Use the show qos statistics Privileged EXEC mode command to display Quality of Service statistical information Syntax show qos statistics Parameters N A Default Configuration N A Command Mode Privileged EXEC mode User Guidelines Up to 16 sets of counters can be enabled for policers The counters can be enabled in the creation...

Page 787: ...tatistics Policers Interface gi11 gi11 gi12 gi12 Policy map Policy1 Policy1 Policy1 Policy1 Class Map Class1 Class2 Class1 Class2 In profile bytes 7564575 8759 746587458 5326 Out of profile bytes 5433 52 3214 23 Aggregate Policers Name Policer1 In profile bytes 7985687 Out of profile bytes 121322 Output Queues Interface gi11 gi12 Queue 2 All DP High High Total packets 799921 5387326 TD packets 1 2...

Page 788: ...ing priority priority usage login dot1 x all no radius server host ip address hostname Parameters ip address Specifies the RADIUS server host IP address The IP address can be an IPv4 IPv6 or IPv6z address hostname Specifies the RADIUS server host name Translation to IPv4 addresses only is supported Length 1 158 characters Maximum label length of each part of the hostname 63 characters auth port au...

Page 789: ...rity Range 0 65535 usage login dot1 x all Specifies the RADIUS server usage type The possible values are login Specifies that the RADIUS server is used for user login parameters authentication dot1 x Specifies that the RADIUS server is used for 802 1x port authentication all Specifies that the RADIUS server is used for user login authentication and 802 1x port authentication Default Configuration ...

Page 790: ...ommunications between the device and the RADIUS daemon Use the no form of this command to restore the default configuration Syntax radius server key key string encrypted radius server key encrypted key string no radius server key Parameters key string Specifies the authentication and encryption key for all RADIUS communications between the device and the RADIUS server This key must match the encry...

Page 791: ...number of times the software searches the list of RADIUS server hosts Use the no form of this command to restore the default configuration Syntax radius server retransmit retries no radius server retransmit Parameters retransmit retries Specifies the number of retry retransmissions Range 1 15 Default Configuration The software searches the list of RADIUS server hosts 3 times Command Mode Global Co...

Page 792: ...the source interface Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the interface IP address belonging to next hop IPv4 subnet is applied If the source interface is not the outgoing interface the minimal ...

Page 793: ...ce address is the IPv6 address defined on the outgoing interface and selected in accordance with RFC6724 Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the source IPv6 address is an IPv6 address defined on the interfaces and selected in accordance with RFC 6724 If the source interface is not the outgoing interface the source IPv6 address is...

Page 794: ...ut value in seconds Range 1 30 Default Configuration The default timeout value is 3 seconds Command Mode Global Configuration mode Example The following example sets the timeout interval on all RADIUS servers to 5 seconds switchxxxxxx config radius server timeout 5 40 7 radius server deadtime Use the radius server deadtime Global Configuration mode command to configure how long unavailable RADIUS ...

Page 795: ...Mode Global Configuration mode Example The following example sets all RADIUS server deadtimes to 10 minutes switchxxxxxx config radius server deadtime 10 40 8 show radius servers Use the show radius servers Privileged EXEC mode command to display the RADIUS server settings Syntax show radius servers Command Mode Privileged EXEC mode Example The following example displays RADIUS server settings swi...

Page 796: ...an 120 Source IPv6 interface vlan 10 40 9 show radius servers key Use the show radius servers key Privileged EXEC mode command to display the RADIUS server key settings Syntax show radius servers key Command Mode Privileged EXEC mode Example The following example displays RADIUS server key settings switchxxxxxx show radius servers key IP address 172 16 1 1 172 16 1 2 Key Encrypted Sharon123 Bruce1...

Page 797: ...x Parameters index Specifies the alarm index Range 1 65535 mib object id Specifies the object identifier of the variable to be sampled Valid OID interval Specifies the interval in seconds during which the data is sampled and compared with rising and falling thresholds Range 1 2147483647 rising threshold Specifies the rising threshold value Range 0 2147483647 falling threshold Specifies the falling...

Page 798: ...ter than or equal to rising threshold a single rising alarm is generated rising falling Specifies that if the first sample after this entry becomes valid is greater than or equal to rising threshold a single rising alarm is generated If the first sample after this entry becomes valid is less than or equal to falling threshold a single falling alarm is generated falling Specifies that if the first ...

Page 799: ... table use the show rmon alarm table Privileged EXEC mode command Syntax show rmon alarm table Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode Example The following example displays the alarms table The following table describes the significant fields shown in the display switchxxxxxx show rmon alarm table Index 1 2 3 OID 1 3 6 1 2 1 2 2 1 10 1 1 3 6 1 2 1 2 ...

Page 800: ...ntax show rmon alarm number Parameters alarm number Specifies the alarm index Range 1 65535 Command Mode Privileged EXEC mode Example The following example displays RMON 1 alarms switchxxxxxx show rmon alarm 1 Alarm 1 OID 1 3 6 1 2 1 2 2 1 10 1 Last sample Value 878128 Interval 30 Sample Type delta Startup Alarm rising Rising Threshold 8700000 Falling Threshold 78 Rising Event 1 Falling Event 1 Ow...

Page 801: ...he sampling interval If the value is delta the variable value at the last sample is subtracted from the current value and the difference is compared with the thresholds Startup Alarm Alarm that is sent when this entry is first set If the first sample is greater than or equal to the rising threshold and startup alarm is equal to rising or rising falling then a single rising alarm is generated If th...

Page 802: ...ted in the log table and an SNMP trap is sent to one or more management stations by the device for this event community text Optional Specifies the SNMP community password used when an SNMP trap is sent Octet string length 0 127 characters Note this must be a community used in the definition of an SNMP host using the snmp server host command description text Optional Specifies a comment describing...

Page 803: ... display switchxxxxxx show rmon events Index 1 2 Description Errors High Broadcast Type Log Log Trap Community router Owner CLI Manager Last time sent Jan 18 2006 23 58 17 Jan 18 2006 23 59 48 Field Description Index Unique index that identifies this event Description Comment describing this event Type Type of notification that the device generates about this event Can have the following values no...

Page 804: ...5 Command Mode Privileged EXEC mode Example The following example displays event 1 in the RMON log table Owner The entity that configured this event Last time sent The time this entry last generated an event If this entry has not generated any events this value is zero switchxxxxxx show rmon log 1 Maximum table size 500 800 after reset Event 1 Description MIB Var 1 3 6 1 2 1 2 2 1 10 53 Delta Risi...

Page 805: ...tory log Parameters history entries Specifies the maximum number of history table entries Range 20 32767 log entries Specifies the maximum number of log table entries Range 20 32767 Default Configuration The default history table size is 270 entries The default log table size is 200 entries Command Mode Global Configuration mode User Guidelines The configured table size takes effect after the devi...

Page 806: ...face ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode Privileged EXEC mode Example The following example displays RMON Ethernet statistics for port gi11 switchxxxxxx show rmon statistics gi11 Port gi11 Dropped 0 Octets 0 Packets 0 Broadcast 0 Multicast 0 CRC Align Errors 0 Collisions 0 Undersize Pkts 0 Oversize Pkts 0 Fragments 0 Jabbers 0 64 Octets ...

Page 807: ...tween 64 and 1518 octets inclusive but with either a bad Frame Check Sequence FCS with an integral number of octets FCS Error or a bad FCS with a non integral number of octets Alignment Error Collisions Best estimate of the total number of collisions on this Ethernet segment Undersize Pkts Total number of packets received less than 64 octets long excluding framing bits but including FCS octets and...

Page 808: ...ults to 50 Range 1 50 interval seconds Optional The number of seconds in each polling cycle If unspecified defaults to 1800 Range 1 3600 65 to 127 Octets Total number of packets including bad packets received that are between 65 and 127 octets in length inclusive excluding framing bits but including FCS octets 128 to 255 Octets Total number of packets including bad packets received that are betwee...

Page 809: ... can be one of the following types Ethernet port or Port channel Command Mode Privileged EXEC mode Example The following example displays all RMON history group statistics The following table describes the significant fields shown in the display switchxxxxxx show rmon collection stats Index 1 2 Interface gi11 gi11 Interval 30 1800 Requested Samples 50 50 Granted Samples 50 50 Owner CLI Manager Fie...

Page 810: ... collision counters period seconds Optional Specifies the period of time in seconds to display Range 1 2147483647 Command Mode Privileged EXEC mode Example The following examples display RMON Ethernet history statistics for index 1 Granted Samples The granted number of samples to be saved Owner The entity that configured this entry switchxxxxxx show rmon history 1 throughput Sample Set 1 Interface...

Page 811: ...Jabbers 0 0 switchxxxxxx show rmon history 1 other Sample Set 1 Interface gi11 Requested samples 50 Owner Me Interval 1800 Granted samples 50 Maximum table size 500 Time Jan 18 2005 21 57 00 Jan 18 2005 21 57 30 Dropped 3 3 Collisions 0 0 Field Description Time Date and Time the entry is recorded Octets Total number of octets of data including those in bad packets and excluding framing bits but in...

Page 812: ...8 octets excluding framing bits but including FCS octets but were otherwise well formed Fragments Total number of packets received during this sampling interval that were less than 64 octets in length excluding framing bits but including FCS octets and had either a bad Frame Check Sequence FCS with an integral number of octets FCS Error or a bad FCS with a non integral number of octets Alignment E...

Page 813: ...8 Command Mode Global Configuration mode User Guidelines Use the system router resources command to enter new settings for routing entries After entering the command the current routing entries configuration will be displayed and the user will be required to confirm saving the new setting to the startup configuration and to reboot the system When this command is included in a configuration file th...

Page 814: ...s command to restore the default settings The following table displays the conversion between logical entities to HW entries Examples Example 1 The following example defines the supported number of IPv4 routing entries switchxxxxxx config system router resources ip routes 256 The maximal number of IPv4 Routing Entries plus Non IP Entries is 2048 In Use Reserved Current Reserved New IPv4 Entries 23...

Page 815: ...xxxxxx config system router resources ip routes 128 ipv6 routes 32 The maximal number of IPv4 and IPv6 Routing Entries plus non IP Entries is 2048 In Use Reserved Current Reserved New IPv4 Entries 232 1024 128 Number of Routes 20 Number of Neighbors 12 Number of Interfaces 100 Non IP Entries Unit 1 93 400 Unit 2 94 400 Unit 5 90 400 The new configuration of route entries is less than the route ent...

Page 816: ...the following example the configured router entries are displayed switchxxxxxx show system router resources Each IPv4 Route consumes 1 entry Each IPv4 Neighbor consumes 1 entry Each IPv4 Interface consumes 2 entries In Use Reserved IPv4 Entries 232 1024 Number of Routes 20 Number of Neighbors 12 Number of Interfaces 100 Non IP Entries Unit 1 93 400 Unit 2 94 400 Unit 5 90 400 ...

Page 817: ...rver commands Other commands can be used to import these keys from an external source These keys and certificates are stored in the configuration files The following table describes when these keys certificates are displayed File Type Being Displayed What is Displayed in a Show Command Without Detailed What is Displayed in a Show Command With Detailed Startup Config Only user defined keys certific...

Page 818: ...key generate dsa The crypto key generate dsa Global Configuration mode command generates a public and private DSA key DSA key pair Destination File Type Copy from Running Config Copy from Startup Config Copy from Remote Local Backup Config File or Mirror Config File Startup Config All keys certificate s are copied but only user defined ones can be displayed Option is not supporte d Allkeys certifi...

Page 819: ...with new keys Erasing the startup configuration or returning to factory defaults automatically deletes the default keys and they are recreated during device initialization This command is not saved in the Running configuration file However the keys generated by this command are saved in a private configuration which is never displayed to the user or backed up to another device See Keys and Certifi...

Page 820: ...idelines RSA keys are generated in pairs one public RSA key and one private RSA key If the device already has RSA keys a warning is displayed with a prompt to replace the existing keys with new keys See Keys and Certificates for information on how to display and copy this key pair Example The following example generates RSA key pairs where a RSA key already exists switchxxxxxx config crypto key ge...

Page 821: ...c DSA RSA key and one private DSA RSA key If the device already has DSA RSA keys a warning is displayed with a prompt to replace the existing keys with new keys This command is saved in the Running Configuration file When using the encrypted key word the private key is imported in its encrypted form Example switchxxxxxx config encrypted crypto key import rsa BEGIN SSH2 ENCRYPTED PRIVATE KEY switch...

Page 822: ...iFUPPRxkoyhGOGnJuvxC9T9 K6BF1wBTdDQS Gu47 0 gRoD 50q4sGkzqHsRJJ53WOT0Q1bHMTMLPpwn2nXzvfGxWL bu QhZZSqRonG6MX1cP7KT7i4TPq2w2k3TGtNBnVYHx6OoNcaTHmg1N2s5OgRsyXD9tF 6nY RfMN8CsV 9jQKQP7ZaGc8Ju d72jvSwppSr032HY IpzZ4ujkK X5oawZL5NnkaEQTQKX RSL55S4O5NPOjS pC9hg7GaVjoY2mQ7HDpSUBeTIDTlvOwC2kskA9C6aF Axj2dXLweQd5 lxk7m0 mMNaiJsNk6y33LcuKjIxpNNjK9n9KzRPkGNMFObprfenWKteDftjQ END SSH2 PRIVATE KEY BEGIN SSH2 P...

Page 823: ...LIC KEY Comment RSA Public Key AAAAB3NzaC1yc2EAAAABIwAAAIEAzN31fu56KSEOZdrGVPIJHpAs8G8NDIkB dqZ2q0QPiKCnLPw0Xsk9tTVKaHZQ5jJbXn81QZpolaPLJIIH3B1cc96D7IFf VkbPbMRbz24dpuWmPVVLUlQy5nCKdDCui5KKVD6zj3gpuhLhMJor7AjAAu5e BrIi2IuwMVJuak5M098 END SSH2 PUBLIC KEY Public Key Fingerprint 6f 93 ca 01 89 6a de 6e ee c5 18 82 b2 10 bc 1e 43 5 crypto certificate generate The crypto certificate generate Global Con...

Page 824: ...anization Specifies the organization name Length 1 64 characters loc location Specifies the location or city name Length 1 64 characters st state Specifies the state or province name Length 1 64 characters cu country Specifies the country name Length 2 characters duration days Specifies the number of days a certification is valid Range 30 3650 Default Configuration The default SSL s RSA key length...

Page 825: ...uest The crypto certificate request Privileged EXEC mode command generates and displays a certificate request for HTTPS Syntax crypto certificate number request cn common name ou organization unit or organization loc location st state cu country Parameters number Specifies the certificate number Range 1 2 The following elements can be associated with the key When the key is displayed they are also...

Page 826: ...rst generate a self signed certificate using the crypto cerificate generate command to generate the keys The certificate fields must be re entered After receiving the certificate from the Certification Authority use the crypto cerificate import command to import the certificate into the device This certificate replaces the self signed certificate Example The following example displays the certific...

Page 827: ...to certificate number import no crypto certificate number Parameters number Specifies the certificate number Range 1 2 Default Configuration N A Command Mode Global Configuration mode User Guidelines To end the session return to the command line to enter the next command enter a blank line The imported certificate must be based on a certificate request created by the crypto cerificate request comm...

Page 828: ...CAYDVQQKEwEgMQowCAYDVQQLEwEg MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK beogIcke73sBSL7tC2DMZrY OOg9XM1AxfOiqLlQJHd4xP BHGZWwfkjKjUDBpZn52LxdDu1KrpB h0 TZP0Fv38 7mIDqtnoF1NLsWxkVKRM5LPka0L ha1pYxp7EWAt5iDBzSw5sO4lv0bSN7oaGjFA 6t4SW2rrnDy8JbwjWQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAuqYQiNJst6hI XFDxe7I8Od3Uyt3Dmf7KE AmUV0Pif2yUluy RuxRwKhDp lGrK12tzLQz s5Ox7 Klft IcjzbBYXLvih45ASWG3TRv2WVKyWs89rPPXu5hKxg...

Page 829: ...rSpcbHu5V4 ZX4jmd9tTJ2mhekoQf1dwUZbfYkRYsK70ps8u7BtgpRfSRUr7g0LfzhzMuswoDSnB65pkC ql7yZnBeRS0zrUDgHLLRfzwjwmxjmwObxYfRGMLp4 END RSA PRIVATE KEY BEGIN RSA PUBLIC KEY MIGHAoGBAMVuFgfJYLbUzmbm6UoLD3ewHYd1ZMXY4A3KLF2SXUd1TIXq84aME8DIitSfB2 Cqy4QB5InhgAobBKC96VRsUe2rzoNG4QDkj2L9ukQOvoFBYNmbzHc7a 7043wfVmH QOXf TbnRDhIMVrZJGbzl1c9IzGky1l21Xmicy0 nwsXDAgEj END RSA PUBLIC KEY BEGIN CERTIFICATE MIIBkzCB QI...

Page 830: ...hDEFtHH7NdDLjQ FkPFNAKvFMcYimidapG Rwc0m3lKBLcEpNXpFEE3v1mCeyN1pPe6eSqMcBXa2VmbInutuP CZM927oxkb41g U5oYQxGhMK7OEzTmfS1FdLOmfqv0DHZNR4lt4KgqcSjSWPQeYSzB 4PW Qmy4fTF4wQdvCLy WlvEP1jWPbrdCNxIS13RWucNekrm9uf5Zuhd1FA9wf8XwSRJWuAq8q zZFRmDMHPtey9ALO2alpwjpHOPbJKiCMdjHT94ugkF30eyeni9sGN6Y063IvuKBy0nbWsA J0sxrvt3q6cbKJYozMQE5LsgxLNvQIH4BhPtUz LNgYWb3V5SI8D8kRejqBM9eaCyJsvLF yAI5xABZdTPqz0l7FNMzhIrXvCqcCC...

Page 831: ...S ST L CN router gm com O General Motors OU SHA1 Finger print DC789788 DC88A988 127897BC BB789788 Example 3 Import certificate with encrypted key encrypted crypto certificate 1 import BEGIN RSA ENCRYPTED PRIVATE KEY wJIjj tFEI Z3GFkTl5C SFOeSyTxnSsfssNo9CoHJ6X9Jg1SukjtXU49kaUbTjoQVQatZ AdQwgWM5mnjUhUaJ1MM3WfrApY7HaBL3iSXS9jDVrf Q KKhVH6Pxlv6cKvYYzHg43Unm CNI2n5zf9oisMH0U6gsIDs4ysWVD1zNgoVQwD7RqKpL...

Page 832: ...UhTWxOwbzngMwDQYJKoZIhvcNAQEEBQAwTzELMAkG A1UEBhMCICAxCjAIBgNVBAgTASAxCjAIBgNVBAcTASAxEDAOBgNVBAMTBzAuMC4w LjAxCjAIBgNVBAoTASAxCjAIBgNVBAsTASAwHhcNMTIwNTIxMTI1NzE2WhcNMTMw NTIxMTI1NzE2WjBPMQswCQYDVQQGEwIgIDEKMAgGA1UECBMBIDEKMAgGA1UEBxMB IDEQMA4GA1UEAxMHMC4wLjAuMDEKMAgGA1UEChMBIDEKMAgGA1UECxMBIDCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAygJor5v2FOCvMR5aN3PnkWhbBXyzniTl Wm5G2 V7mvXOnuTMgvqa8IJeTon1ySSv5...

Page 833: ...cate Specifies that only the certificate will be displayed Default Configuration Certificate number 1 Command Mode Privileged EXEC mode Examples The following example displays SSL certificate 1 present on the device and the key pair switchxxxxxx show crypto certificate 1 Certificate 1 Certificate Source Default BEGIN CERTIFICATE dHmUgUm9vdCBDZXJ0aWZpZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp4HS nnH xQS...

Page 834: ...3AYCRBx WuGoazpxHZ0s4 7swmNZtS0xI4ek43d7RaoedGKljhPqLHuzXHUon7Zx15CUtP3sbHl XI B3u4EEcEngYMewy5obn1vnFSot d5JHuRwzEaRAIKfbHa34alVJaN 2AMCb0hpI3IkreYo A8Lk6UMOuIQaMnhYf RyPXhPOQs01PpIPHKBGTi6pj39XMviyRXvSpn5 eIYPhve5jYaEn UeOnVZRhNCVnruJAYXSLhjApf5iIQr1JiJb mVt8 zpqcCU9HCWQqsMrNFOFrSpcbHu5V4 ZX4jmd9tTJ2mhekoQf1dwUZbfYkRYsK70ps8u7BtgpRfSRUr7g0LfzhzMuswoDSnB65pkC ql7yZnBeRS0zrUDgHLLRfzwjwmxjmwObxYfRG...

Page 835: ...bled disabled Auto Smartport administrative global and operational states are disabled controlled Auto Smartport administrative global and operational states are enabled when Auto Voice VLAN is in operation Default Configuration Administrative state is controlled Command Mode Global Configuration mode User Guidelines Regardless of the status of Auto Smartport you can always manually apply a Smartp...

Page 836: ...h Auto Smartports can be enabled The appropriate VLANs are automatically enabled because the ports are configured for Auto Smartports on these VLANs switchxxxxxx config macro auto controlled switchxxxxxx config macro auto enabled Auto smartports cannot be enabled because OUI voice is enabled switchxxxxxx config voice vlan state disabled switchxxxxxx config macro auto enabled switchxxxxxx config 10...

Page 837: ...s globally enabled Example Enables the Auto Smartport feature on port 1 switchxxxxxx config interface gi11 switchxxxxxx config if macro auto smartport 44 3 macro auto trunk refresh The macro auto trunk refresh Global Configuration command reapplies the Smartport macro on a specific interface or to all the interfaces with the specified Smartport type Syntax macro auto trunk refresh smartport type i...

Page 838: ...attached Smartport macro is executed if the interface has one of the following Smartport types switch router or wireless access point ap If a Smartport macro contains configuration commands that are no longer current on one or more interfaces you can update their configuration by reapplying the Smartport macro on the interfaces Example Adds the ports of Smartport type switch to all existing VLANs ...

Page 839: ...ly the desired Smartport macro you must reset the interface using the macro auto resume command which changes the Smartport type of the interface to default Then you can run the macro auto trunk refresh command Example Changes the Smartport type from unknown to default and resumes the Smartport feature on port 1 switchxxxxxx config interface gi11 switchxxxxxx config if macro auto resume 44 5 macro...

Page 840: ... establishes two port ranges and makes one persistent and the other not switchxxxxxx config interface range gi11 2 switchxxxxxx config if range macro auto persistent switchxxxxxx config if range exit switchxxxxxx config interface range gi13 4 switchxxxxxx config if range no macro auto persistent 44 6 macro auto smartport type The macro auto smartport type Interface Configuration mode command manua...

Page 841: ...xample shows an attempt to set the Smartport type of port 1 to printer statically The macro fails at line 10 The show parser macro command is run to display the contents of the macro printer in order to see which line failed switchxxxxxx config interface gi11 switchxxxxxx config if macro auto smartport type printer 30 May 2011 15 02 45 AUTOSMARTPORT E FAILEDMACRO Macro printer for auto smar port t...

Page 842: ...torm control broadcast enable switchxxxxxx config 44 7 macro auto processing cdp The macro auto processing cdp Global Configuration mode command enables using CDP capability information to identify the type of an attached device When Auto Smartport is enabled on an interface and this command is run the switch automatically applies the corresponding Smartport type to the interface based on the CDP ...

Page 843: ...g the LLDP capability information to identify the type of an attached device When Auto Smartport is enabled on an interface and this command is run the switch automatically applies the corresponding Smartport type to the interface based on the LLDP capabilities advertised by the attaching device s The no format of the command disables the feature Syntax macro auto processing lldp no macro auto pro...

Page 844: ...ing type smartport type enabled disabled no macro auto processing type smartport type Parameters smartport type Smartport type range host ip_phone ip_phone_desktop switch router or wireless access point ap Default Configuration By default auto detection of ip_phone ip_phone_desktop switch and wireless access point ap is enabled Command Mode Global Configuration mode Example In this example automat...

Page 845: ...rt macro Syntax macro auto user smartport macro smartport type user defined macro name parameter name value parameter name value parameter name value no macro auto user smartport macro smartport type Parameters smartport type Smartport type range printer desktop guest server host ip_camera ip_phone ip_phone_desktop switch router or wireless access point ap user defined macro name Specifies the use...

Page 846: ...e concatenation of no_ with the name of the corresponding macro Please refer to the Macro Command section for details about defining macro Example To link the user defined macro my_ip_phone_desktop to the Smartport type ip_phone_desktop and provide values for its two parameters switchxxxxxx config macro auto user smartport macro ip_phone_desktop my_ip_phone_desktop p1 1 p2 2 44 11 macro auto built...

Page 847: ... By default each Smartport type is associated with a pair of built in macros a macro that applies the configuration and the anti macro no macro to remove the configuration The Smartport types are the same as the name of the corresponding built in Smartport macros with the anti macro prefixed with no_ The value of the parameter voice_vlan cannot be changed by this command Example To change the para...

Page 848: ...led 44 13 show macro auto smart macros The show macro auto smart macros EXEC mode command displays the name of Smartport macros their type built in or user defined and their parameters This information is displayed for all Smartport types or for the specified one Syntax show macro auto smart macros smartport type Parameters smartport type Smartport type range printer desktop guest server host ip_c...

Page 849: ...e guest Parameters native_vlan 1 SmartPort Macro guest Built In SmartPort type server Parameters max_hosts 10 native_vlan 1 SmartPort Macro server Built In SmartPort type host Parameters max_hosts 10 native_vlan 1 SmartPort Macro host Built In SmartPort type ip camera Parameters native_vlan 1 SmartPort Macro ip_camera Built In SmartPort type ip phone Parameters max_hosts 10 native_vlan 1 voice_vla...

Page 850: ...ormation about all Smartport ports or a specific one If a macro was run on the port and it failed the type of the port is displayed as Unknown Syntax show macro auto ports interface id detailed Parameters interface id Interface Identifier Ethernet interface port channel detailed Displays information for non present ports in addition to present ports Default Configuration Information about all port...

Page 851: ...smartports are enabled globally switchxxxxxx show macro auto ports Smartport is enabled Administrative Globally Auto Smartport is disabled Operational Globally Auto Smartport is disabled Interface gi11 gi12 gi13 gi14 Auto Smartport Admin State disabled disabled enabled enabled Persistent State enabled enabled disabled enabled Smartport Type router static switch default phone Interface gi11 gi12 gi...

Page 852: ...rface type is default No macro has been activated Example 4 Enabling auto Smartport on gi11 switchxxxxxx config interface gi11 switchxxxxxx config if macro auto smartport switchxxxxxx config if end switchxxxxxx show macro auto ports gi11 SmartPort is Enabled Administrative Globally Auto SmartPort is enabled Operational Globally Auto SmartPort is enabled Auto SmartPort is enabled on gi11 Persistent...

Page 853: ... a range of IDs remove all Remove all VLANs from interface Default Configuration None Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines This command is an extension of the switchport access vlan Non ISCLI command Unlike the switchport access vlan Non ISCLI command the vlan list parameter of this command may include the voice VLAN when it is the default VLAN If the def...

Page 854: ...eters native vlan id Specifies the native VLAN ID Default Configuration VLAN 1 Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines This command is an extension of the switchport trunk native vlan Non ISCLI switchport trunk native vlan Non ISCLI CLI command Unlike the switchport trunk native vlan Non ISCLI CLI command this command may also be applied to the default VLAN ...

Page 855: ...le Parameters This command has no arguments or keywords Default Configuration None Command Mode Interface Ethernet Port Channel Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if smartport storm control broadcast enable 44 18 smartport storm control broadcast level Use the smartport storm control broadcast level Interface Configuration Ethernet port channel mode c...

Page 856: ...mber of kilobits per second of Broadcast traffic on port 1 to 10000 switchxxxxxx config interface gi11 switchxxxxxx config if smartport storm control broadcast level kpbs 10000 Example 2 Set the maximum percentage of kilobits per second of Broadcast traffic on port 1 to 30 switchxxxxxx config interface gi11 switchxxxxxx config if smartport storm control broadcast level 30 44 19 smartport storm con...

Page 857: ... unicast no smartport storm control include multicast Parameters unknown unicast Specifies also the count of unknown Unicast packets Default Configuration Disabled Command Mode Interface Ethernet Port Channel Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if smartport storm control include multicast ...

Page 858: ...e no snmp server community community string ip address Parameters community string Define the password that permits access to the SNMP protocol Range 1 20 characters ro Optional Specifies read only access default rw Optional Specifies read write access su Optional Specifies SNMP administrator access ip address Optional Management station IP address The default is all IP addresses This can be an IP...

Page 859: ... 1 30 characters Default Configuration No community is defined Command Mode Global Configuration mode User Guidelines The logical key of the command is the pair community ip address If ip address is omitted the key is community All IPs This means that there cannot be two commands with the same community ip address pair The view name is used to restrict the access rights of a community string When ...

Page 860: ...rations is imposed on the user The group defines the objects available to the community Range 1 30 characters ip address Optional Management station IP address The default is all IP addresses This can be an IPv4 address IPv6 or IPv6z address See IPv6z Address Conventions mask Optional Specifies the mask of the IPv4 address This is not a network mask but rather a mask that defines which bits of the...

Page 861: ...or the group abcd that enables this group to access the management station 1 1 1 121 with prefix 8 switchxxxxxx config snmp server community group tom abcd 1 1 1 122 prefix 8 45 3 snmp server server To enable the device to be configured by the SNMP protocol use the snmp server server Global Configuration mode command To disable this function use the no form of this command Syntax snmp server serve...

Page 862: ...d Specifies the source interface Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet If no parameters are specified in no snmp server source interface the default is both traps and informs Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the interface IP add...

Page 863: ...Simple Network Management Protocol SNMP trap originates the informs or traps use the snmp server source interface command in Global Configuration mode To returned to the default use the no form of this command Syntax snmp server source interface ipv6 traps informs interface id no snmp server source interface ipv6 traps informs Parameters traps Specifies the SNMP traps interface informs Specifies t...

Page 864: ...terface for SNMP traps Use the no snmp server source interface ipv6 informs command to remove the source IPv6 interface for SNMP informs Use the no snmp server source interface ipv6 command to remove the source IPv6 interface for SNMP traps and informs Example The following example configures the VLAN 10 as the source interface switchxxxxxx config snmp server source interface ipv6 traps vlan 100 4...

Page 865: ...parameters themselves DefaultSuper Contains all MIBs Command Mode Global Configuration mode User Guidelines This command can be entered multiple times for the same view The command s logical key is the pair view name oid tree Therefore there cannot be two commands with the same view name and oid tree The number of views is limited to 64 Default and DefaultSuper views are reserved for internal soft...

Page 866: ...ion will be performed Applicable only to the SNMP version 3 security model auth Specifies that packet authentication without encryption will be performed Applicable only to the SNMP version 3 security model priv Specifies that packet authentication with encryption will be performed Applicable only to the SNMP version 3 security model Note that creation of SNMPv3 users with both authentication and ...

Page 867: ... defined in this command The command logical key is groupname snmp version security level For snmp version v1 v2 the security level is always noauth Example The following example attaches a group called user group to SNMPv3 assigns the encrypted security level to the group and limits the access rights of a view called user view to read only User tom is then assigned to user group So that user tom ...

Page 868: ...configured SNMP views 45 9 show snmp groups To display the configured SNMP groups use the show snmp groups Privileged EXEC mode command Syntax show snmp groups groupname Parameters groupname Optional Specifies the group name Length 1 30 characters Default Configuration Display all groups Command Mode Privileged EXEC mode switchxxxxxx show snmp views Name OID Tree Type Default Default DefaultSuper ...

Page 869: ... command Syntax snmp server user username groupname v1 v2c remote host v3 auth md5 sha auth password priv priv password switchxxxxxx show snmp groups Name Security Views user group managers group Model V2 V2 Level no_auth no_auth Read Default Default Write Default Notify Field Description Name Group name Security Model SNMP model in use v1 v2 or v3 Security Level Packet security Applicable to SNMP...

Page 870: ...ecifies that the user is a v1 user v2c Specifies that the user is a v2c user v3 Specifies that the user is a v3 user remote host Optional IP address IPv4 IPv6 or IPv6z or host name of the remote SNMP host See IPv6z Address Conventions auth Optional Specifies which authentication level is to be used md5 Optional Specifies the HMAC MD5 96 authentication level Sha Optional Specifies the HMAC SHA 96 a...

Page 871: ...ired in order to send informs to that host because an inform is a trap that requires acknowledgement A configured remote host is also able to manage the device besides getting the informs To configure a remote user specify the IP address for the remote SNMP agent of the device where the user resides Also before you configure remote users for a particular agent configure the SNMP engine ID using th...

Page 872: ...users Privileged EXEC mode command Syntax show snmp users username Parameters username Optional Specifies the user name Length 1 30 characters Default Configuration Display all users Command Mode Privileged EXEC mode Example The following examples displays the configured SNMP users switchxxxxxx show snmp users User name u1rem Group name group1 Authentication Algorithm None Privacy Algorithm None R...

Page 873: ... Password encrypted Z tC3UF5j0pYfmXm8xeMvcIOQ6LQ4GOACCGYLRdAgOE6XQKTC qMlrnpWuHraRlZj Priv Password encrypted kN1ZHzSLo6WWxlkuZVzhLOo1gI5waaNf7Vq6yLBpJdS4N68tL 1tbTRSz2H4c4Q4o User name u1noAuth Group name group1 Authentication Algorithm None Privacy Algorithm None Remote Auth Password encrypted Priv Password encrypted User name u1OnlyAuth Group name group1 Authentication Algorithm SHA Privacy Alg...

Page 874: ...ther commands Length 1 30 characters oid tree Specifies the ASN 1 subtree object identifier to be included or excluded from the view To identify the subtree specify a text string consisting of numbers such as 1 3 6 2 4 or a word such as System Replace a single sub identifier with the asterisk wildcard to specify a subtree family for example 1 3 4 included Specifies that the filter type is included...

Page 875: ...system 7 excluded switchxxxxxx config snmp server filter f3 ifEntry 1 included 45 13 show snmp filters To display the defined SNMP filters use the show snmp filters Privileged EXEC mode command Syntax show snmp filters filtername Parameters filtername Specifies the filter name Length 1 30 characters Default Configuration If filtername is not defined all filters are displayed Command Mode Privilege...

Page 876: ...ted recipient Range 1 158 characters Maximum label size of each part of the host name 63 trap Optional Sends SNMP traps to this host default informs Optional Sends SNMP informs to this host An inform is a trap that requires acknowledgement Not applicable to SNMPv1 version 1 Optional SNMPv1 traps are used version 2c Optional SNMPv2 traps or informs are used version 3 Optional SNMPv2 traps or inform...

Page 877: ...ximum number of times to resend an inform request when a response is not received for a generated message The default is 3 Range 0 255 Default Configuration Version SNMP V1 Type of notification Traps udp port 162 If informs are specified the default for retries 3 Timeout 15 Command Mode Global Configuration mode User Guidelines The logical key of the command is the list ip address hostname traps i...

Page 878: ... character string is two hexadecimal digits Bytes are separated by a period or colon If an odd number of hexadecimal digits are entered the system automatically prefixes the digit 0 to the string Length 5 32 characters 9 64 hexadecimal digits default Specifies that the engine ID is created automatically based on the device MAC address Default Configuration The default engine ID is defined per stan...

Page 879: ...nmp server engineid local default The engine id must be unique within your administrative domain Do you wish to continue Y N Y The SNMPv3 database will be erased Do you wish to continue Y N Y 45 16 snmp server engineID remote To specify the SNMP engine ID of a remote SNMP device use the snmp server engineID remote Global Configuration mode command To remove the configured engine ID use the no form...

Page 880: ...nes A remote engine ID is required when an SNMP version 3 inform is configured The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host Example switchxxxxxx config snmp server engineID remote 1 1 1 1 11 AB 01 CD 23 44 45 17 show snmp engineID To display the local SNMP engine ID use the show snmp engineID Privileged EXEC...

Page 881: ...erver enable traps Global Configuration mode command To disable all SNMP traps use the no form of the command Syntax snmp server enable traps no snmp server enable traps Default Configuration SNMP traps are enabled Command Mode Global Configuration mode User Guidelines If no snmp server enable traps has been entered you can enable failure traps by using snmp server trap authentication as shown in ...

Page 882: ...guration SNMP failed authentication traps are enabled Command Mode Global Configuration mode User Guidelines The command snmp server enable traps enables all traps including failure traps Therefore if that command is enabled it is enabled by default this command is not necessary Example The following example disables all SNMP traps and enables only failed authentication traps switchxxxxxx config n...

Page 883: ...le The following example sets the system contact information to Technical_Support switchxxxxxx config snmp server contact Technical_Support 45 21 snmp server location To set the value of the system location string use the snmp server location Global Configuration mode command To remove the location string use the no form of this command Syntax snmp server location text no snmp server location Para...

Page 884: ...ters variable name Specifies an SNMP MIB variable name which must be a valid string name value Specifies a list of names and value pairs Each name and value must be a valid string In the case of scalar MIBs there is only a single name value pair In the case of an entry in a table there is at least one name value pair followed by one or more fields Default Configuration None Command Mode Global Con...

Page 885: ...iguration mode command To disable generation of link status SNMP traps use the no form of this command Syntax snmp trap link status no snmp trap link status Parameters This command has no arguments or keywords Default Configuration Generation of SNMP link status traps is enabled Command Mode Interface Configuration mode Example The following example disables generation of SNMP link status traps sw...

Page 886: ...xxxxx show snmp SNMP is enabled SNMP traps Source IPv4 interface vlan 1 SNMP informs Source IPv4 interface vlan 11 SNMP traps Source IPv6 interface vlan 10 SNMP informs Source IPv6 interface Community String public private private Community Access read only read write su View name user view Default DefaultSuper IP Address All 172 16 1 1 10 172 16 1 1 Mask Community string public Group name user gr...

Page 887: ... Retries 3 3 Version 3 notifications Target Address 192 122 173 42 Type Inform Username Bob Security Level Priv UDP Port 162 Filter name TO Sec 15 Retries 3 System Contact Robert System Location Marketing Field Description Community string The community access string permitting access to SNMP Community access The permitted access type read only read write super access IP Address The management sta...

Page 888: ...mmand to enable spanning tree functionality Use the no form of this command to disable the spanning tree functionality Syntax spanning tree no spanning tree Parameters N A Default Configuration Spanning tree is enabled Command Mode Global Configuration mode Example The following example enables spanning tree functionality switchxxxxxx config spanning tree ...

Page 889: ... mst no spanning tree mode Parameters stp Specifies that STP is enabled rstp Specifies that the Rapid STP is enabled mst Specifies that the Multiple STP is enabled Default Configuration The default is RSTP Command Mode Global Configuration mode User Guidelines In RSTP mode the device uses STP when the neighbor device uses STP In MSTP mode the device uses RSTP when the neighbor device uses RSTP and...

Page 890: ... no form of this command to restore the default configuration Syntax spanning tree forward time seconds no spanning tree forward time Parameters seconds Specifies the spanning tree forward time in seconds Range 4 30 Default Configuration 15 seconds Command Mode Global Configuration mode User Guidelines When configuring the forwarding time the following relationship should be maintained 2 Forward T...

Page 891: ...ameters seconds Specifies the spanning tree Hello time in seconds Range 1 10 Default Configuration 2 seconds Command Mode Global Configuration mode User Guidelines When configuring the Hello time the following relationship should be maintained Max Age 2 Hello Time 1 Example The following example configures the spanning tree bridge hello time to 5 seconds switchxxxxxx config spanning tree hello tim...

Page 892: ...aximum age the following relationships should be maintained 2 Forward Time 1 Max Age Max Age 2 Hello Time 1 Example The following example configures the spanning tree bridge maximum age to 10 seconds switchxxxxxx config spanning tree max age 10 46 6 spanning tree priority Use the spanning tree priority Global Configuration mode command to configure the device STP priority which is used to determin...

Page 893: ...t of the spanning tree When more than one switch has the lowest priority the switch with the lowest MAC address is selected as the root Example The following example configures the spanning tree priority to 12288 switchxxxxxx config spanning tree priority 12288 46 7 spanning tree disable Use the spanning tree disable Interface Ethernet Port Channel Configuration mode command to disable the spannin...

Page 894: ...ng tree cost Use the spanning tree cost Interface Ethernet Port Channel Configuration mode command to configure the spanning tree path cost for a port Use the no form of this command to restore the default configuration Syntax spanning tree cost cost no spanning tree cost Parameters cost Specifies the port path cost Range 1 200000000 Default Configuration Default path cost is determined by port sp...

Page 895: ...e port priority Interface Ethernet Port Channel Configuration mode command to configure the port priority Use the no form of this command to restore the default configuration Syntax spanning tree port priority priority no spanning tree port priority Parameters priority Specifies the port priority Range 0 240 Default Configuration The default port priority is 128 Command Mode Interface Ethernet Por...

Page 896: ...hout waiting for the standard forward time delay Use the no form of this command to disable the PortFast mode Syntax spanning tree portfast auto no spanning tree portfast Parameters auto Specifies that the software waits for 3 seconds with no Bridge Protocol Data Units BPDUs received on the interface before putting the interface into the PortFast mode Default Configuration PortFast mode is disable...

Page 897: ...ecifies that the port link type is point to point shared Specifies that the port link type is shared Default Configuration The device derives the port link type from the duplex mode A full duplex port is considered a point to point link and a half duplex port is considered a shared link Command Mode Interface Ethernet Port Channel Configuration mode Example The following example enables shared spa...

Page 898: ...es This command applies to all the spanning tree instances on the switch If the short method is selected the switch calculates the default cost as 100 If the long method is selected the switch calculates the default cost as 20000 Example The following example sets the default path cost method to Long switchxxxxxx config spanning tree pathcost method long 46 13 spanning tree bpdu Global Use the spa...

Page 899: ...d Default Configuration The default setting is flooding Command Mode Global Configuration mode User Guidelines The filtering and flooding modes are relevant when the spanning tree is disabled globally or on a single interface Example The following example defines the BPDU packet handling mode as flooding when the spanning tree is disabled on an interface switchxxxxxx config spanning tree bpdu floo...

Page 900: ...du Global command determines the default configuration Command Mode Interface Ethernet Port Channel Configuration mode Example The following example defines the BPDU packet as flooding when the spanning tree is disabled on gi13 switchxxxxxx config interface gi13 switchxxxxxx config if spanning tree bpdu flooding 46 15 spanning tree guard root use the spanning tree guard root Interface Ethernet Por...

Page 901: ...e The following example prevents gi11 from being the root port of the device switchxxxxxx config interface gi11 switchxxxxxx config if spanning tree guard root 46 16 spanning tree bpduguard Use the spanning tree bpduguard Interface Ethernet Port Channel Configuration mode command to shut down an interface when it receives a Bridge Protocol Data Unit BPDU Use the no form of this command to restore ...

Page 902: ...e bpduguard enable 46 17 clear spanning tree detected protocols Use the clear spanning tree detected protocols Privileged EXEC mode command to restart the STP migration process force renegotiation with neighboring switches on all interfaces or on the specified interface Syntax clear spanning tree detected protocols interface interface id Parameters interface id Specifies an interface ID The interf...

Page 903: ... spanning tree mst instance id priority priority no spanning tree mst instance id priority Parameters instance id Specifies the spanning tree instance ID Range 1 7 priority Specifies the device priority for the specified spanning tree instance This setting determines the likelihood that the switch is selected as the root switch A lower value increases the probability that the switch is selected as...

Page 904: ...PU is discarded and the port information is aged out Use the no form of this command to restore the default configuration Syntax spanning tree mst max hops hop count no spanning tree mst max hops Parameters max hops hop count Specifies the number of hops in an MST region before the BDPU is discarded Range 1 40 Default Configuration The default number of hops is 20 Command Mode Global Configuration...

Page 905: ...D Range 1 15 priority Specifies the port priority Range 0 240 in multiples of 16 Default Configuration The default port priority is 128 Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines The priority value must be a multiple of 16 Example The following example configures the port priority of gi11 to 144 switchxxxxxx config interface gi11 switchxxxxxx config if spanning...

Page 906: ...e ID Range 1 15 cost Specifies the port path cost Range 1 200000000 Default Configuration Default path cost is determined by the port speed and path cost method long or short as shown below Command Mode Interface Ethernet Port Channel Configuration mode Example The following example configures the MSTP instance 1 path cost for port gi19 to 4 switchxxxxxx config interface gi19 switchxxxxxx config i...

Page 907: ...y must contain the same VLAN mapping the same configuration revision number and the same name Example The following example configures an MST region switchxxxxxx config spanning tree mst configuration switchxxxxxx config mst instance 1 vlan 10 20 switchxxxxxx config mst name region1 switchxxxxxx config mst revision 1 46 23 instance MST Use instance MST Configuration mode command to map VLANs to an...

Page 908: ... the common and internal spanning tree CIST instance instance 0 and cannot be unmapped from the CIST For two or more devices to be in the same MST region they must have the same VLAN mapping the same configuration revision number and the same name Example The following example maps VLANs 10 20 to MST instance 1 switchxxxxxx config spanning tree mst configuration switchxxxxxx config mst instance 1 ...

Page 909: ...witchxxxxxx config mst name region1 46 25 revision MST Use the revision MST Configuration mode command to define the MST configuration revision number Use the no form of this command to restore the default configuration Syntax revision value no revision Parameters value Specifies the MST configuration revision number Range 0 65535 Default Configuration The default configuration revision number is ...

Page 910: ...onfiguration Syntax show current pending Parameters current Displays the current MST region configuration pending Displays the pending MST region configuration Default Configuration N A Command Mode MST Configuration mode Example The following example displays a pending MST region configuration switchxxxxxx config mst show pending Gathering information Current MST configuration Name Region1 Revisi...

Page 911: ...it Parameters N A Default Configuration N A Command Mode MST Configuration mode Example The following example exits the MST Configuration mode and saves changes switchxxxxxx config spanning tree mst configuration switchxxxxxx config mst exit switchxxxxxx config 46 28 abort MST Use the abort MST Configuration mode command to exit the MST Configuration mode without applying the configuration changes...

Page 912: ...ommand to display the spanning tree configuration Syntax show spanning tree interface id instance instance id show spanning tree detail active blockedports instance instance id show spanning tree mst configuration Parameters instance instance id Specifies the spanning tree instance ID Range 1 7 detail Displays detailed information active Displays active ports only blockedports Displays blocked por...

Page 913: ...is enabled Example The following examples display spanning tree information in various configurations switchxxxxxx show spanning tree Spanning tree enabled mode RSTP Default port cost method long Loopback guard Disabled Root ID Priority Address Cost Port 32768 00 01 42 97 e0 00 20000 gi11 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority Address 36864 00 02 4b 29 7a 00 Hello ...

Page 914: ...2 4b 29 7a 00 This switch is the Root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interfaces Name gi11 gi12 gi13 gi14 gi15 State Enabled Enabled Disabled Enabled Enabled Prio Nbr 128 1 128 2 128 3 128 4 128 5 Cost 20000 20000 20000 20000 20000 Sts FRW FRW FRW DIS Role Desg Desg Desg PortFast No No No Type P2p RSTP Shared STP Shared STP switchxxxxxx show spanning tree Spanning tree disable...

Page 915: ...1 42 97 e0 00 20000 gi11 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority Address 36864 00 02 4b 29 7a 00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interfaces Name gi11 gi12 gi14 State Enabled Enabled Enabled Prio Nbr 128 1 128 2 128 4 Cost 20000 20000 20000 Sts FRW FRW BLK Role Root Desg Altn PortFast No No No Type P2p RSTP Shared STP Shared STP switchxxxxxx show...

Page 916: ...000 gi11 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority Address 36864 00 02 4b 29 7a 00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Number of topology changes 2 last change occurred 2d18h ago Times hold 1 topology change 35 notification 2 hello 2 max age 20 forward delay 15 Port 1 gi11 enabled State Forwarding Port id 128 1 Type P2p configured auto RSTP Designated...

Page 917: ...figured no Address N A Designated path cost N A BPDU guard Disabled Number of transitions to forwarding state N A BPDU sent N A received N A Port 4 gi14 enabled State Blocking Port id 128 4 Type Shared configured auto STP Designated bridge Priority 28672 Designated port id 128 25 Guard root Disabled Role Alternate Port cost 20000 Port Fast No configured no Address 00 30 94 41 62 c8 Designated path...

Page 918: ...f transitions to forwarding state 1 BPDU sent 2 received 120638 switchxxxxxx show spanning tree mst configuration Name Region1 Revision 1 Instance 1 2 Vlans mapped 1 9 21 4094 10 20 State Enabled Enabled switchxxxxxx show spanning tree Spanning tree enabled mode MSTP Default port cost method long MST 0 Vlans Mapped 1 9 CST Root ID Priority Address Path Cost Root Port 32768 00 01 42 97 e0 00 20000 ...

Page 919: ...00 gi14 19 Bridge ID Priority Address 32768 00 02 4b 29 7a 00 Interfaces Name gi11 gi12 gi13 gi14 State Enabled Enabled Enabled Enabled Prio Nbr 128 1 128 2 128 3 128 4 Cost 20000 20000 20000 20000 Sts FRW FRW BLK FRW Role Boun Boun Altn Root PortFast No No No No Type P2p Bound RSTP Shared Bound STP P2p P2p switchxxxxxx show spanning tree detail Spanning tree enabled mode MSTP Default port cost me...

Page 920: ...rt cost 20000 Port Fast No configured no Address 00 01 42 97 e0 00 Designated path cost 0 Port 2 gi12 enabled State Forwarding Port id 128 2 Type Shared configured auto Boundary STP Designated bridge Priority 32768 Designated port id 128 2 Number of transitions to forwarding state 1 BPDU sent 2 received 170638 Role Designated Port cost 20000 Port Fast No configured no Address 00 02 4b 29 7a 00 Des...

Page 921: ...apped 10 20 Root ID Priority Address Path Cost Root Port 24576 00 02 4b 29 89 76 20000 gi14 Rem hops 19 Bridge ID Priority Address 32768 00 02 4b 29 7a 00 Number of topology changes 2 last change occurred 1d9h ago Times hold 1 topology change 2 notification 2 hello 2 max age 20 forward delay 15 Port 1 gi11 enabled State Forwarding Port id 128 1 Type P2p configured auto Boundary RSTP Designated bri...

Page 922: ...mber of transitions to forwarding state 1 BPDU sent 2 received 170638 Role Alternate Port cost 20000 Port Fast No configured no Address 00 02 4b 29 1a 19 Designated path cost 20000 Port 4 gi14 enabled State Forwarding Port id 128 4 Type Shared configured auto Internal Designated bridge Priority 32768 Designated port id 128 2 Number of transitions to forwarding state 1 BPDU sent 2 received 170638 R...

Page 923: ...ort or Port channel detailed Displays information for non present ports in addition to present ports IST Master ID Priority Address Path Cost Rem hops 32768 00 02 4b 19 7a 00 10000 19 Bridge ID Priority Address 32768 00 02 4b 29 7a 00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops 20 switchxxxxxx show spanning tree Spanning tree enabled mode MSTP Default port cost method long MST 0 ...

Page 924: ...ration command to shut down an interface if it receives a loopback BPDU Use the no form of this command to return the default setting switchxxxxxx show spanning tree bpdu The following is the output if the global BPDU handling command is not supported Interface gi11 gi12 gi13 Admin Mode Filtering Filtering Filtering Oper Mode Filtering Filtering Guard The following is the output if both the global...

Page 925: ... Syntax spanning tree loopback guard no spanning tree loopback guard Parameters N A Default Configuration N A Command Mode Global User Guidelines This enables shutting down all interfaces if a loopback BPDU is received on it Example switchxxxxxx config spanning tree loopback guard ...

Page 926: ...d config Parameters This command has no arguments or keywords Command Mode Global Configuration mode User Guidelines Only users with sufficient permission can use this command which edits and displays the SSD configuration See ssd rule for a description of these permissions Example switchxxxxxx config ssd config switchxxxxxx config ssd 47 2 passphrase To change the passphrase in the system use pas...

Page 927: ... displayed and the user must confirm the intention to change the passphrase Then the passphrase can be entered see example Encrypted passphrase is allowed only in the SSD Control Block of a source file that is being copied to the startup configuration file user cannot manually enter this command When generating a passphrase the user must use 4 different character classes similar to strong password...

Page 928: ...ult user user user name secure insecure secure xml snmp insecure xml snmp permission encrypted only plaintext only both exclude default read encrypted plaintext exclude no ssd rule all level 15 default user user user name secure insecure secure xml snmp insecure xml snmp Command Mode SSD Configuration mode Default Rules The device has the following factory default rules Table 1 Default SSD Rules R...

Page 929: ...evice to another in a secure manner You can modify but cannot delete the default SSD rules The following is the order in which SSD rules are applied The SSD rules for specified users The SSD rule for the default user cisco The SSD rules for level 15 users The remaining SSD rules for all The user can enter the commands in any order The ordering is done implicitly by the device Examples Example 1 Th...

Page 930: ...ule user james secure Example 6 The following example deletes all rules switchxxxxxx config ssd no ssd rule This operation will delete all user defined rules and retrieve the default rules instead Are you sure Y N N 47 4 show SSD To present the current SSD rules the rules will be displayed as plaintext use show ssd rules in SSD Configuration mode Syntax show SSD rules brief Parameters rules Option...

Page 931: ...ype Specific admin11 secure Both Encrypted User Define Specific admin2 secure Encrypted Only Encrypted User Define Level 15 secure xml snmp Plaintext Only Plaintext Default Level 15 secure Both Encrypted Default Level 15 insecure Both Encrypted Default All secure Encrypted Only Encrypted Default All insecure Encrypted Only Encrypted Default All insecure xml snmp Plaintext Only Plaintext Default Mo...

Page 932: ... SSD current parameters Local Passphrase Default File Passphrase Control Unrestricted File Integrity Control Disabled SSD parameters after reset Local Passphrase Default File Passphrase Control Unrestricted File Integrity Control Disabled 47 5 ssd session read To override the current SSD default read of the current session use ssd session read in Global Configuration mode Syntax ssd session read e...

Page 933: ... configuration will be allowed only if the user of the current session has sufficient read permissions otherwise the command will fail and an error will be displayed The setting will take effect immediately and will terminate when the user restores the settings or exits the session Example switchxxxxxx config ssd session read plaintext 47 6 show ssd session To view the SSD read permission and defa...

Page 934: ...configuration file from devices that do not have the passphrase The mode should be used when a user does not want to expose the passphrase in a configuration file Unrestricted In this mode a device will include its passphrase when creating a configuration file This allows any devices accepting the configuration file to learn the passphrase from the file Default The default is unrestricted Command ...

Page 935: ... sensitive data from tampering use ssd file integrity control command in SSD Configuration mode To disable Integrity Control use no ssd file integrity control Syntax ssd file integrity control enabled no ssd file integrity control Parameters enabled Enable file integrity control to protect newly generated configuration files from tampering Default The default file input control is disable Command ...

Page 936: ... a device finds the integrity of the file is not intact the device rejects the file Otherwise the file is accepted for further processing Examples switchxxxxxx config ssd ssd file integrity control enabled When File Integrity is enabled an internal digest command is added to the end of the entire configuration file This is used in downloading the configuration file to the startup configuration con...

Page 937: ...password public key rsa dsa no ip ssh client authentication Parameters password Username and password are used for authentication public key rsa Username and RSA public key are used for authentication public key dsa Username and DSA public key are used for authentication Default Configuration Username and password are used for authentication by the local SSH clients Command Mode Global Configurati...

Page 938: ...assword new password Parameters host DNS name of a remote SSH server ip address Specifies the IP address of a remote SSH server The IP address can be an IPv4 IPv6 or IPv6z address See IPv6z Address Conventions username Username of the local SSH clients 1 70 characters old password Old password of the local SSH client 1 70 characters new password New password for the local SSH client 1 70 character...

Page 939: ... key use the ip ssh client key command in Global Configuration mode To remove a key use the no form of the command Syntax ip ssh client key dsa rsa generate key pair privkey pubkey encrypted ip ssh client key dsa rsa key pair encrypted privkey pubkey no ip ssh client key dsa rsa Parameters dsa DSA key type rsa RSA key type key pair Key that is imported to the device privkey Plaintext private key e...

Page 940: ...the expected behavior of keys default and users within the various operations If no keys are included in text based configuration file the device generates it s own keys during initialization If the Running Configuration contains default keys not user defined the same default keys remain Examples Example 1 In the following example a key pair of the RSA type is created switchxxxxxx config ip ssh cl...

Page 941: ...BlHPz2Xczs2clOOwrnToy YTzjLUxy WS7V IxbBllipLAkEA QluVSCfFmdMlZxaEfJVzqPO1cF8guovsWLteBf gqHuvbHuNy0t OWEpObKZs1m mtCWppkgcqgrB0oJaYbUFQJBAMo cCrkyhsiV ZsryeD26NbPEKiak16V Tz2ayDstidGuuvcvm2YF7DjM6n6NYz3 ZLyc5n82okbld1NhDONsCQQCmSAas C4HaHQn zSU lWlDI88As4qJN2DMmGJbtsbVHhQxWIHAG4tBVWa8bV12 RPyuan jnk8irniGyVza FPAkEAiq8oV 1XYxA8V39V a42d7FvRjMckUmKDl4Rmt32 u9i6sFzaWcdgs87 2vS3AZQ afQDE5U6YSMiGLVew...

Page 942: ...AoGBALLOeh3css8tBL8ujFt3trcX0XJyJLlxxt4sGp8Q3ExlSRN25 Mcac6togpIEg tIzk6t1IEJscuAih9Brwh1ovgMLRaMe25j5YjO4xG6Fp42nhHiRcie YTS1o309EdZkiXa QeJtLdnYL r3uTIRVGbXI5nxwtfWpwEgxxDwfqzHAgEj END RSA PUBLIC KEY Example 4 In the following example a DSA key pair is removed switchxxxxxx config no ip ssh client key dsa Example 5 In the following example all key pairs RSA and DSA types are removed switchxxxxxx ...

Page 943: ...sword If the encrypted keyword is used the password must be in the encrypted form Use the command ip ssh client change server password to change the password on the remote SSH server so that it will match the new password of the SSH client Example The following example specifies a plaintext password for the local SSH clients switchxxxxxx config ip ssh client password 111aaff 48 5 ip ssh client ser...

Page 944: ...usted SSH servers are accepted Use the ip ssh client server fingerprint command to configure trusted SSH servers Example The following example enables SSH server authentication switchxxxxxx config ip ssh client server authentication 48 6 ip ssh client server fingerprint To add a trusted server to the Trusted Remote SSH Server Table use the ip ssh client server fingerprint command in Global configu...

Page 945: ...nt and compares it to the previously configured fingerprint The fingerprint can be obtained from the SSH server the fingerprint is calculated when the public key is generated on the SSH server The no ip ssh client server fingerprint command removes all entries from the Trusted Remote SSH Server table Example In the following example a trusted server is added to the Trusted Servers table with and w...

Page 946: ...ubnet is applied If the source interface is not the outgoing interface then the minimal IPv4 address defined on the source interface is applied If there is no available IPv4 source address a SYSLOG message is issued when attempting to communicate with an IPv4 SSH servers Example The following example configures the VLAN 10 as the source interface switchxxxxxx config ip ssh client source interface ...

Page 947: ...ed on the interfaces and selected in accordance with RFC 6724 If the source interface is not the outgoing interface then the minimal IPv4 address defined on the source interface and with the scope of the destination IPv6 address is applied If there is no available IPv6 source address a SYSLOG message is issued when attempting to communicate with an IPv6 SSH servers Example The following example co...

Page 948: ... Global Configuration mode User Guidelines The configured username is used when SSH client authentication is done both by password or by key Example The following example specifies a username of the SSH client switchxxxxxx config ip ssh client username jeff 48 10 show ip ssh client To display the SSH client credentials both default and user defined keys use the show ip ssh client command in Privil...

Page 949: ...played in the format specified by RFC 4716 Examples Example 1 The following example displays the authentication method and the RSA public key switchxxxxxx show ip ssh client mypubkey rsa Source IPv4 interface vlan 1 Source IPv6 interface vlan 10 Authentication method DSA key Username john Key Source User Defined BEGIN SSH2 PUBLIC KEY Comment RSA Public Key AAAAB3NzaC1yc2EAAAABIwAAAIEAudGEIaPARsKoV...

Page 950: ...AlN92 Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9vGf J0 RHd NjB4eo1D 0dix6tXwYGN7PKS5R FXPNwxHPapcj9uL1Jn2AWQ2dsknf i FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP CDqzCM4loWgV END SSH2 PUBLIC KEY BEGIN SSH2 PRIVATE KEY Co...

Page 951: ...od DSA key Username anonymous default Password anonymous default password Encrypted KzGgzpYa7GzCHhaveSJDehGJ6L3Yf9ZBAU5nsxSxwic 48 11 show ip ssh client server To display the SSH remote server authentication method and the Trusted Remote SSH Server table use the show ip ssh client server command in Privilege EXEC Configuration mode Syntax show ip ssh client server host ip address Parameters host O...

Page 952: ...a 8d 1d b5 37 59 eb 44 13 b9 33 e9 server address 4002 0011 12 Server Key Fingerprint a5 34 44 44 27 8d 1d b5 37 59 eb 44 13 b9 33 e9 Example 2 The following example displays the authentication method and DSA private key in encrypted format switchxxxxxx show ip ssh client key DSA Authentication method DSA key Username john Key Source Default Public Key Fingerprint 77 C7 19 85 98 19 27 96 C9 CC 83 ...

Page 953: ...14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk gF 1VAAAAFQDb8D5c vwHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92 Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9vGf J0 RHd NjB4eo1D 0dix6tXwYGN7PKS5R FXPNwxHPapcj9uL1Jn2AWQ2dsknf i FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz64...

Page 954: ...n Enables logging messages related to successful AAA login events unsuccessful AAA login events and other AAA login related events Default Configuration Enabled Command Mode Global Configuration mode User Guidelines This command enables logging messages related to successful login events unsuccessful login events and other login related events Other types of AAA events are not subject to this comm...

Page 955: ...s command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Example The following example clears messages from the internal logging buffer switchxxxxxx clear logging Clear Logging Buffer Y N N 49 3 clear logging file To clear messages from the logging file use the clear logging file Privileged EXEC mode command Syntax clear logging file Parameters This comma...

Page 956: ...enable logging file system events use the file system logging Global Configuration mode command To disable logging file system events use the no form of this command Syntax file system logging copy delete rename no file system logging copy delete rename Parameters copy Specifies logging messages related to file copy operations delete rename Specifies logging messages related to file deletion and r...

Page 957: ...fer size to default use the no form of this command Syntax logging buffered buffer size severity level severity level name no logging buffered Parameters buffer size Optional Specifies the maximum number of messages stored in buffer Range 20 1000 severity level Optional Specifies the severity level of messages logged in the buffer The possible values are 1 7 severity level name Optional Specifies ...

Page 958: ...switchxxxxxx config logging buffered debugging switchxxxxxx config logging buffered 100 informational 49 6 logging console To limit messages logged to the console to messages to a specific severity level use the logging console Global Configuration mode command To restore the default use the no form of this command Syntax logging console level no logging console Parameters level Specifies the seve...

Page 959: ...tion mode command To cancel sending messages to the file use the no form of this command Syntax logging file level no logging file Parameters level Specifies the severity level of SYSLOG messages sent to the logging file The possible values are emergencies alerts critical errors warnings notifications informational and debugging Default Configuration The default severity level is errors Command Mo...

Page 960: ...rver Only translation to IPv4 addresses is supported Range 1 158 characters Maximum label size for each part of the host name 63 port port Optional Port number for SYSLOG messages If unspecified the port number defaults to 514 Range 1 65535 severity level Optional Limits the logging of messages to the SYSLOG servers to a specified level Emergencies Alerts Critical Errors Warnings Notifications Inf...

Page 961: ...m of this command Syntax logging on no logging on Parameters This command has no arguments or keywords Default Configuration Message logging is enabled Command Mode Global Configuration mode User Guidelines The logging process controls the logging messages distribution at various destinations such as the logging buffer logging file or SYSLOG server Logging on and off at these destinations can be i...

Page 962: ...g source interface interface id no logging source interface Parameters interface id Specifies the source interface Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the interface IP address belonging to the ...

Page 963: ...terface ipv6 interface id no logging source interface ipv6 Parameters interface id Specifies the source interface Default Configuration The IPv6 source address is the defined IPv6 address of the outgoing interface and selected in accordance with RFC6724 Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the IPv6 address defined on the interface...

Page 964: ...nfiguration mode command If aggregation is enabled logging messages are displayed every time interval according to the aging time specified by logging aggregation aging time To disable aggregation of SYSLOG messages use the no form of this command Syntax logging aggregation on no logging aggregation on Parameters This command has no arguments or keywords Default Configuration Enabled Command Mode ...

Page 965: ...d Syntax logging aggregation aging time sec no logging aggregation aging time Parameters aging time sec Aging time in seconds Range 15 3600 Default Configuration 300 seconds Command Mode Global Configuration mode Example switchxxxxxx config logging aggregation aging time 300 49 14 logging origin id To configure the origin field of the SYSLOG message packet headers sent to the SYSLOG server use the...

Page 966: ...ll be used instead string user defined id Specifies an identifying description chosen by the user The user defined id argument is the identifying description string Default Configuration No header is sent apart from the PRI field Command Mode Global Configuration mode Example switchxxxxxx config logging origin id string Domain 1 router B 49 15 show logging To display the logging status and SYSLOG ...

Page 967: ...l info Buffer Messages 61 Logged 61 Displayed 200 Max File Logging Level error File Messages 898 Logged 64 Dropped 4 messages were not logged Application filtering control Application Event Status AAA Login Enabled File system Copy Enabled File system Delete Rename Enabled Management ACL Deny Enabled Aggregation Disabled Aggregation aging time 300 Sec 01 Jan 2010 05 29 46 INIT I Startup Warm Start...

Page 968: ...on None Command Mode Privileged EXEC mode Example The following example displays the logging status and the SYSLOG messages stored in the logging file switchxxxxxx show logging file Logging is enabled Origin id hostname Console Logging Level info Console Messages 0 Dropped Buffer Logging Level info Buffer Messages 61 Logged 61 Displayed 200 Max File Logging Level error File Messages 898 Logged 64 ...

Page 969: ...ror key_read type mismatch encoding error 01 Jan 2010 05 55 03 SSHD E ERROR SSH error key_read key_from_blob bgEgGnt9 z6NHgZwKI5xKqF7cBtdl1xmFgSEWuDhho5UedydAjVkKS5XR2 failed 01 Jan 2010 05 55 03 SSHD E ERROR SSH error key_from_blob invalid key type 01 Jan 2010 05 56 34 SSHD E ERROR SSH error bad sigbloblen 58 SIGBLOB_LEN console 49 17 show syslog servers To display the SYSLOG server settings use ...

Page 970: ...le The following example provides information about the SYSLOG servers switchxxxxxx show syslog servers Source IPv4 interface vlan 1 Source IPv6 interface vlan 10 Device Configuration IP address Port Facility Severity Description 1 1 1 121 514 local7 info 3000 100 514 local7 info ...

Page 971: ... on the device to their current operational status of the port use the no disable ports leds command Syntax disable ports leds no disable ports leds Parameters This command has no arguments or keywords Default Configuration The default is no disable port leds that is the LEDs of all the ports reflect their current status Command Mode Global Configuration mode Examples The following example turns o...

Page 972: ...ximum label size for each part of the host name 58 The hostname must start with a letter end with a letter or digit and have as interior characters only letters digits and hyphens Default Configuration No host name is defined Command Mode Global Configuration mode Example The following example specifies the device host name as enterprise switchxxxxxx config hostname enterprise enterprise config 50...

Page 973: ...reload must take place within 24 days day Optional Number of the day in the range from 1 to 31 month Optional Month of the year cancel Optional Cancels a scheduled reload Default Usage None Command Mode Privileged EXEC mode User Guidelines The at keyword can be used only if the system clock has been set on the device To schedule reloads across several devices to occur simultaneously synchronize th...

Page 974: ...d disconnect your current session Reload is scheduled for 11 57 08 UTC Fri Apr 21 2012 in 10 minutes Do you want to continue y n Y Example 3 The following example reloads the operating system at 13 00 switchxxxxxx reload at 13 00 This command will reset the whole system and disconnect your current session Reload is scheduled for 13 00 00 UTC Fri Apr 21 2012 in 1 hour and 3 minutes Do you want to c...

Page 975: ...de Example The following command switches to open Telnet session number 1 switchxxxxxx resume 1 50 5 service cpu input rate The show cpu input rate Global Configuration mode command enables counting the rate of input frames to the CPU in packets per seconds pps Syntax service cpu input rate Parameters This command has no arguments or keywords Command Mode Global Configuration mode Example The foll...

Page 976: ...cpu utilization Parameters This command has no arguments or keywords Default Configuration Measuring CPU utilization is enabled Command Mode Global Configuration mode User Guidelines Use the service cpu utilization command to measure information on CPU utilization Example The following example enables measuring CPU utilization switchxxxxxx config service cpu utilization 50 7 set system To place th...

Page 977: ...he new system mode with an empty configuration Configuration download If the system mode is contained in a configuration file that is downloaded to the device but the system mode in the downloaded file matches the current system mode this information is ignored Otherwise the following cases might occur If this file is copied manually onto the device using copy tftp for example the operation is abo...

Page 978: ... queues switchxxxxxx set system mode router queues mode 8 Example The following example tries to configure the device to function as a switch router Layer 3 using tftp download while the device is currently configured to function as a switch layer 2 therefore the configuration file download will fail switchxxxxxx copy tftp 102 1 2 2 file1 startup config Copy operation aborted the downloaded config...

Page 979: ...d Syntax show cpu input rate Parameters This command has no arguments or keywords Command Mode User EXEC mode Example The following example displays CPU input rate information switchxxxxxx show cpu input rate Input Rate to CPU is 1030 pps 50 9 show cpu utilization To display information about CPU utilization use the show cpu utilization Privileged EXEC mode command Syntax show cpu utilization Para...

Page 980: ...U utilization information switchxxxxxx show cpu utilization CPU utilization service is on CPU utilization five seconds 5 one minute 3 five minutes 3 50 10 show environment To display environment information use the show environment EXEC mode command Syntax show environment all fan temperature status Parameters all Displays the fan and temperature general status fan Displays the fan status temperat...

Page 981: ...is installed Temperature can be one of OK The temperature is below the warning threshold Warning The temperature is between the warning threshold to the critical threshold Critical the temperature is above the critical threshold Examples Example 1 The following example displays the general environment status of a device switchxxxxxx show environment all FAN is OK TEMPERATURE is OK Example 2 The fo...

Page 982: ...e Examples Example 1 The following example displays all the entities in a standalone system switchxxxxxx show inventory NAME 1 DESCR 52 Port Gigabit PoE Stackable Managed Switch PID SRW224G4P K9 VID V01 SN 123456789 Example 2 The following example displays a specific entity in a standalone system switchxxxxxx show inventory gigabitethernet2 1 49 NAME GigabitEthernet2 1 49 DESCR 1000M base LX Mini ...

Page 983: ...ding software reload To cancel a pending reload use this command with the cancel parameter Example The following example displays that reboot is scheduled for 00 00 on Saturday April 20 switchxxxxxx show reload Reload scheduled for 00 00 00 UTC Sat April 20 in 3 hours and 12 minutes 50 13 show sessions To display open Telnet sessions use the show sessions EXEC mode command Syntax show sessions Par...

Page 984: ...mple displays open Telnet sessions The following table describes significant fields shown above 50 14 show system The show system EXEC mode command displays system information Syntax show system switchxxxxxx show sessions Connection 1 2 Host Remote router 172 16 1 2 Address 172 16 1 1 172 16 1 2 Port 23 23 Byte 89 8 Field Description Connection The connection number Host The remote host to which t...

Page 985: ... min sec 03 02 27 46 System Contact System Name switch151400 System Location System MAC Address 00 24 ab 15 14 00 System Object ID 1 3 6 1 4 1 9 6 1 85 24 2 Unit Temperature Celsius Status 1 42 OK 50 15 show system mode To display information on features control use the show system mode EXEC mode command Syntax show system mode Parameters This command has no arguments or keywords Default Usage Non...

Page 986: ...ion 8 Queues 50 16 show system languages To display the list of supported languages use the show system languages EXEC mode command Syntax show system languages Parameters This command has no arguments or keywords Default Usage None Command Mode User EXEC mode Example The following example displays the languages configured on the device Number of Sections indicates the number of languages permitte...

Page 987: ...ion use the show system tcam utilization EXEC mode command Syntax show system tcam utilization Parameters unit id Optional Specifies the unit number Range 1 8 Default Usage None Command Mode User EXEC mode Example The following example displays TCAM utilization information 50 18 show services tcp udp To display information about the active TCP and UDP services use the show services tcp udp Privile...

Page 988: ...e Local IP Address Remote IP address Service Name State TCP All 22 SSH LISTEN TCP All 23 Telnet LISTEN TCP All 80 HTTP LISTEN TCP All 443 HTTPS LISTEN TCP 172 16 1 1 23 172 16 1 18 8789 Telnet ESTABLISHED TCP6 All 23 Telnet LISTEN TCP6 fe80 200 b0ff fe00 0 23 Telnet fe80 200 b0ff fe00 0 8999 ESTABLISHED UDP All 161 SNMP UDP6A ll 161 SNMP 50 19 show tech support To display system and configuration ...

Page 989: ...Avoid running multiple show tech support commands on a switch or multiple switches on the network segment Doing so may cause starvation of some time sensitive protocols like STP The show tech support command may time out if the configuration file output takes longer to display than the configured session time out time If this happens enter a set logout timeout value of 0 to disable automatic disco...

Page 990: ...use the show system fans EXEC mode command Syntax show system fans Command Mode User EXEC mode Examples Example 1 If the device does not support controlled fan direction the column Fan Direction is not displayed switchxxxxxx show system fans Unit Admin state Oper state FAN Direction 1 auto on back to front Example 2 For devices whose hardware supports variable fan speed switchxxxxxx show system fa...

Page 991: ...Parameters This command has no arguments or keywords Default Usage None Command Mode User EXEC mode Examples Example 1 For Standalone systems with a single sensor status switchxxxxxx show system sensors Sensor Status OK Temperature C 37 Example 2 For systems with multiple sensor statuses Sensor Sensor Temperature c Status 1 OK 37 2 Failure Example 3 For systems with a single sensor status switchxx...

Page 992: ...sensor statuses Unit Sensor Temperature c Alarm Sensor Status Temp C 1 1 OK 37 60 1 2 Failure 60 2 1 OK 68 65 50 22 show system id To display the system identity information use the show system id EXEC mode command Syntax show system id Command Mode User EXEC mode Example The following example displays the system identity information switchxxxxxx show system id serial number 114 ...

Page 993: ... no arguments or keywords Command Mode User EXEC mode Examples Example 1 The following example displays the status of the port s LEDs when they are turned on switchxxxxxx show ports leds configuration Port leds are not disabled x Example 2 The following example displays the status of the port LEDs when they are turned off switchxxxxxx show port leds configuration Port leds are disabled 50 24 show ...

Page 994: ...er EXEC mode Example The following example displays information about the active users 50 25 show version To display system version information use the show version EXEC mode command Syntax show version Command Mode User EXEC mode switchxxxxxx show users Username Bob John Robert Betty Sam Protocol Serial SSH HTTP Telnet Location 172 16 0 1 172 16 0 8 172 16 1 7 172 16 1 6 ...

Page 995: ... firmware use the show version md5 EXEC mode command Syntax show version md5 Command Mode User EXEC mode Example switchxxxxxx show version md5 Filename Status MD5 Digest image1 Active 23FA000012857D8855AABC7577AB5562 image2 Not Active 23FA000012857D8855AABEA7451265456 boot 23FA000012857D8855AABC7577AB8999 50 27 system recovery To set the system to automatically recover from temperature that reache...

Page 996: ...eference Guide 996 50 Syntax system recovery no system recovery Parameters This command has no arguments or keywords Default Configuration System recovery is enabled by default Command Mode Global Configuration mode Example c switchxxxxxx config no system recovery ...

Page 997: ...acs server host ip address hostname Parameters host ip address Specifies the TACACS server host IP address The IP address can be an IPv4 IPv6 or IPv6z address host hostname Specifies the TACACS server host name Length 1 158 characters Maximum label length of each part of the host name 63 characters single connection Optional Specifies that a single open connection is maintained between the device ...

Page 998: ... is the highest priority Range 0 65535 Default Configuration No TACACS host is specified The default port number is 1812 If timeout is not specified the global value set in the tacacs server timeout command is used If key string is not specified the global value set in the tacacs server key command is used Command Mode Global Configuration mode User Guidelines Multiple tacacs server host commands ...

Page 999: ...pplied If the source interface is not the outgoing interface the minimal IPv4 address defined on the source interface is applied If there is no available IPv4 source address a SYSLOG message is issued when attempting to communicate with an IPv4 TACACS server Example The following example configures the VLAN 10 as the source interface switchxxxxxx config tacacs server host source interface vlan 100...

Page 1000: ... in accordance with RFC 6724 If the source interface is not the outgoing interface the source IPv6 address is the minimal IPv6 address defined on the source interface and matched to the scope of the destination IPv6 address is applied If there is no available source IPv6 address a SYSLOG message is issued when attempting to communicate with an IPv6 TACACS server Example The following example confi...

Page 1001: ...rypted key string Same as key string but the key is in encrypted format Default Configuration The default key is an empty string Command Mode Global Configuration mode Example The following example sets Enterprise as the authentication key for all TACACS servers switchxxxxxx config tacacs server key enterprise 51 5 tacacs server timeout To set the interval during which the device waits for a TACAC...

Page 1002: ...sets the timeout value to 30 for all TACACS servers switchxxxxxx config tacacs server timeout 30 51 6 show tacacs To display configuration and statistical information for a TACACS server use the show tacacs Privileged EXEC mode command Syntax show tacacs ip address Parameters ip address Specifies the TACACS server name IPv4 or IPv6 address Default Configuration If ip address is not specified infor...

Page 1003: ... Connected 49 No Global 1 Global values Time Out 3 Source IPv4 interface vlan 120 Source IPv6 interface vlan 10 51 7 show tacacs key To display the configured key of the TACACS server use the show tacacs key Privileged EXEC mode command Syntax show tacacs key ip address Parameters ip address Specifies the TACACS server name or IP address Default Configuration If ip address is not specified informa...

Page 1004: ...Reference Guide 1004 51 Example The following example displays configuration and statistical information for all TACACS servers switchxxxxxx show tacacs key IP address 172 16 1 1 172 16 1 2 Key Encrypted Sharon123 Bruce123 Global key Encrypted Alice456 ...

Page 1005: ...isable the Telnet server functionality on the device Syntax ip telnet server no ip telnet server Default Configuration Disabled Command Mode Global Configuration mode User Guidelines The device can be enabled to accept connection requests from both remote SSH and Telnet clients It is recommended that the remote client connects to the device using SSH as opposed to Telnet since SSH is a secure prot...

Page 1006: ...sh server no ip ssh server Default Configuration The SSH server functionality is disabled by default Command Mode Global Configuration mode User Guidelines The device as an SSH server generates the encryption keys automatically To generate new SSH server keys use the crypto key generate dsa and crypto key generate rsa commands Example The following example enables configuring the device to be an S...

Page 1007: ...on mode Example The following example specifies that TCP port number 8080 is used by the SSH server switchxxxxxx config ip ssh port 8080 52 4 ip ssh password auth Use the ip ssh password auth Global Configuration mode command to enable password authentication of incoming SSH sessions Use the no form of this command to disable this function Syntax ip ssh password auth no ip ssh password auth Defaul...

Page 1008: ...SH clients must still be AAA authenticated before being granted management access to the device Example The following example enables password authentication of the SSH client switchxxxxxx config ip ssh password auth 52 5 ip ssh pubkey auth Use the ip ssh pubkey auth Global Configuration mode command to enable public key authentication of incoming SSH sessions Use the no form of this command to di...

Page 1009: ...base The device management AAA authentication is transparent to the user If the user name is not in the local user database then the user receives a warning message and the user will need to pass the device management AAA authentication independently of the SSH authentication if the auto login keyword is not specified management access is granted only if the user engages and passes both SSH authen...

Page 1010: ...ubkey chain ssh switchxxxxxx config keychain user key bob rsa switchxxxxxx config keychain key key string AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ ZNXfZSkvHG QusIZ 76ILmFT34v7u7ChFAE Vu4GRfpSwoQUvV35LqJJk67IOU zfwOl1g kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq muSn Wd05iDX2IExQWu08licglk02LYciz Z4TrEU 9FJxwPiVQOjc KBXuR0juNg5nFYsY 0ZCk0N W9a tnkm1shRE7Di71 w3fNiOA 6w9o44t6 ...

Page 1011: ... key pair is manually configured Default Configuration No SSH public keys exist Command Mode SSH Public Key string Configuration mode User Guidelines After entering this command the existing key if any associated with the user will be deleted You must follow this command with the key string command to configure the key to the user Example The following example enables manually configuring an SSH p...

Page 1012: ...ode SSH Public Key string Configuration mode User Guidelines Use the key string SSH Public Key string Configuration mode command without the row parameter to specify which SSH public key is to be interactively configured next Enter a row with no characters to complete the command Use the key string row SSH Public Key string Configuration mode command to specify the SSH public key row by row Each r...

Page 1013: ...juNg5nFYsY 0ZCk0N W9a tnkm1shRE7Di71 w3fNiOA 6w9o44t6 AINEICBCCA4YcF6zMzaT1wefWwX6f Rmt5nhhqdAtN 4oJfce166DqVX1gWmN zNR4DYDvSzg0lDnwCAC8Qh Fingerprint a4 16 46 23 5a 8d 1d b5 37 59 eb 44 13 b9 33 e9 switchxxxxxx config crypto key pubkey chain ssh switchxxxxxx config keychain user key bob rsa switchxxxxxx config keychain key key string row AAAAB3Nza switchxxxxxx config keychain key key string row C...

Page 1014: ...y pubkey chain ssh username username fingerprint bubble babble hex switchxxxxxx show ip ssh SSH server enabled Port 22 RSA key was generated DSA DSS key was generated SSH Public Key Authentication is enabled with auto login SSH Password Authentication is enabled Active incoming sessions IP Address 172 16 0 1 SSH Username John Brown Version 1 5 Cipher 3DES Auth Code HMAC SHA1 182 20 2 1 Bob Smith 1...

Page 1015: ...ble Babble format hex Specifies that the fingerprint is displayed in hexadecimal format Default Configuration The default fingerprint format is hexadecimal Command Mode Privileged EXEC mode Example The following examples display SSH public keys stored on the device switchxxxxxx show crypto key pubkey chain ssh Username Fingerprint bob 9A CC 01 C5 78 39 27 86 79 CC 23 C5 98 59 F1 86 john 98 F7 6E 2...

Page 1016: ...face tunnel command in Global Configuration mode Syntax interface tunnel number Parameters number Specifies the tunnel number Default Configuration N A Command Mode Global Configuration mode Example The following example enters the Interface Configuration Tunnel mode switchxxxxxx config interface tunnel 1 switchxxxxxx config if tunnel source auto switchxxxxxx config if exit ...

Page 1017: ...messages Range 10 3600 Default Configuration The default time interval between ISATAP router solicitation messages is 10 seconds Command Mode Global Configuration mode User Guidelines This command determines the interval between unsolicited router solicitation messages sent to discovery an ISATAP router Example The following example sets the time interval between ISATAP router solicitation message...

Page 1018: ...al when there is an active ISATAP router is the minimum router lifetime that is received from the ISATAP router divided by Robustness 1 Example The following example sets the number of router solicitation refresh messages that the device sends to 5 switchxxxxxx config tunnel isatap robustness 5 53 4 tunnel isatap router To configure a global string that represents a specific automatic tunnel route...

Page 1019: ...nly one string can represent the automatic tunnel router name per tunnel Using this command therefore overwrites the existing entry The empty string means that automatic lookup is not applied Example The following example configures the global string ISATAP2 as the automatic tunnel router domain name switchxxxxxx config interface tunnel 1 switchxxxxxx config if tunnel isatap router ISATAP2 switchx...

Page 1020: ...el stops to be an IPv6 tunnel or the tunnel local IPv4 address is removed and the new IPv4 cannot be chosen ISATAP Tunnels Using this command with the isatap keyword specifies an automatic ISATAP tunnel ISATAP tunnels enable transport of IPv6 packets within network boundaries ISATAP tunnels allow individual IPv4 IPv6 dual stack hosts within a site to connect to an IPv6 network using the IPv4 infra...

Page 1021: ...source auto ipv4 address interface id no tunnel source Parameters auto The system minimum IPv4 address is used as the local IPv4 address IPv4 address of the local tunnel endpoint ip4 address Specifies the IPv4 address to use as the local IPv4 address IPv4 address of the local tunnel endpoint interface id Interface which the minimum IPv4 address is used as the local IPv4 address IPv4 address of the...

Page 1022: ... interface tunnel 1 switchxxxxxx config if tunnel source 120 12 3 4 switchxxxxxx config if exit 53 7 show ipv6 tunnel To display information on IPv6 tunnels use the show ipv6 tunnel command in User EXEC mode Syntax show ipv6 tunnel all Parameters all Optional The switch displays all parameters of the tunnel If the keyword is not configured only the tunnel parameters corresponding to its type are d...

Page 1023: ... Reference Guide 53 Tunnel status UP Tunnel Local address type auto Tunnel Local Ipv4 address 192 1 3 4 Router DNS name ISATAP Router IPv4 addresses 1 1 1 1 Detected 100 1 1 1 Detected 14 1 100 1 Not Detected Router Solicitation interval 10 seconds Robustness 2 ...

Page 1024: ...hbor information only Command Mode Privileged EXEC mode User Guidelines If you do not enter an interface ID value the administrative and operational UDLD status for all interfaces on which UDLD is enabled are displayed Examples Example 1 This example shows how to display the UDLD state for all interfaces Most of the fields shown in the display are self explanatory Those that are not self explanato...

Page 1025: ...Neighbor Current State Undetermined Neighbor Expiration Time 17 sec Interface gi12 Port UDLD mode normal default Port Current state Undetermined Number of detected neighbors 1 Neighbor Device ID 1234567753 Neighbor MAC 00 00 01 22 33 fe Neighbor Device name switch A Neighbor Port ID gi1 2 1 Neighbor Message Time 15 sec Neighbor Current State Undetermined Neighbor Expiration Time 11 sec Interface g...

Page 1026: ...e MAC address of the neighbor Neighbor Device name The Device name of the neighbor Neighbor Port ID The device port ID of the neighbor on which the recent UDLD message was sent Neighbor Message Time The message time of the neighbor Neighbor Current State The current state of the neighbor Bidirectional The UDLD messages received from the neighbor contain the Device ID and Port ID of the switch in t...

Page 1027: ...A Neighbor Port ID gi1 2 1 Neighbor Message Time 15 sec Neighbor Current State Undetermined Neighbor Expiration Time 17 sec Example 3 This example shows how to display neighbor information only switchxxxxxx show udld neighbors Port Device ID Port ID Device Name Message Neighbor Expiration Time sec State Time sec gi11 1234567893 gi1 0 1 SAL0734K5R2 15 Bidirect 11 gi12 3456750193 gi1 0 2 SAL0734K5R3...

Page 1028: ...and in Interface Configuration mode to enable UDLD on other interface types Use the no form of this command to disable UDLD on all fiber ports The device supports the UDLD protocol specified by RFC 5171 UDLD supports two modes of operation normal and aggressive In the aggressive mode the device shuts down a port if it cannot explicitly detect that the link is bidirectional In the normal mode the d...

Page 1029: ...54 3 udld message time Use the udld message time command in Global Configuration mode to configure a global value of the interval between two sent probe messages To return to the default value use the no form of this command Syntax udld message time seconds no udld message time Parameters seconds Interval between two sent probe messages The valid values are from 1 to 90 seconds Default Configurati...

Page 1030: ...ort aggressive normal disable no udld port Parameters aggressive Enables UDLD in aggressive mode on this interface normal Enables UDLD in normal mode on this interface The normal keyword is applied if no keyword is specified disable Disables UDLD on this interface Default Configuration The defaults are as follows Fiber interfaces are in the state configured by the udld command Non fiber interfaces...

Page 1031: ...ernet port regardless of the current global udld setting switchxxxxxx config interface gi11 switchxxxxxx config if udld port normal switchxxxxxx config if exit Example 2 This example shows how to return to the default configuration switchxxxxxx config interface gi11 switchxxxxxx config if no udld port switchxxxxxx config if exit Example 3 This example shows how to disable UDLD on an Ethernet port ...

Page 1032: ...for example You cannot use the delimiting character in the banner message message text The message must start in a new line You can enter multi line messages You can include tokens in the form of token in the message text Tokens are replaced with the corresponding configuration variable see User Guidelines The message can contain up to 1000 characters after every 510 characters press Enter to cont...

Page 1033: ... displayed Session activated Enter commands at the prompt 55 2 banner login To specify a message to be displayed before the username and password login prompts use the banner login command in Global Configuration mode This banner is applied automatically on all the user interfaces Console Telnet and SSH and also on the WEB GUI To delete the existing login banner use the no form of this command Tok...

Page 1034: ...Configuration Disabled no Login banner is displayed Command Mode Global Configuration mode User Guidelines Follow this command with one or more blank spaces and a delimiting character of your choice Then enter one or more lines of text terminating the message with the second occurrence of the delimiting character Use tokens in the form of token in the message text to customize the banner The token...

Page 1035: ...fig banner login Enter TEXT message End with the character You have entered hostname domain When the login banner is executed the user will see the following banner You have entered host123 ourdomain com 55 3 configure To enter the Global Configuration mode use the configure Privileged EXEC mode command Syntax configure terminal Parameters terminal Optional Enter the Global Configuration mode with...

Page 1036: ...tax disable privilege level Parameters privilege level Optional Reduces the privilege level to the specified privileged level If privilege level is left blank the level is reduce to the minimal privilege level Default Configuration The default privilege level is 15 Command Mode Privileged EXEC mode Example The following example returns the user to user level 1 switchxxxxxx disable 1 switchxxxxxx 5...

Page 1037: ...uration mode Example switchxxxxxx config do show vlan switchxxxxxx config 55 6 enable To enter the Privileged EXEC mode use the enable User EXEC mode command Vlan Name Ports Type Authorization 1 1 gi11 4 Po1 Po2 other Required 2 2 gi11 dynamicGvrp Required 10 v0010 gi11 permanent Not Required 11 V0011 gi11 gi13 permanent Required 20 20 gi11 permanent Required 30 30 gi11 gi13 permanent Required 31 ...

Page 1038: ...Default Configuration The default privilege level is 15 Command Mode User EXEC mode Example The following example enters privilege level 7 switchxxxxxx enable 7 enter password switchxxxxxx Accepted The following example enters privilege level 15 switchxxxxxx enable enter password switchxxxxxx Accepted 55 7 end To end the current configuration session and return to the Privileged EXEC mode use the ...

Page 1039: ...ple The following example ends the Global Configuration mode session and returns to the Privileged EXEC mode switchxxxxxx config end switchxxxxxx 55 8 exit Configuration To exit any mode and bring the user to the next higher mode in the CLI mode hierarchy use the exit command Syntax exit Parameters This command has no arguments or keywords Default Configuration None Command Mode All configuration ...

Page 1040: ... exit switchxxxxxx config exit 55 9 exit EXEC To close an active terminal session by logging off the device use the exit User EXEC mode command Syntax exit Parameters This command has no arguments or keywords Default Configuration None Command Mode User EXEC mode Example The following example closes an active terminal session switchxxxxxx exit 55 10 help To display a brief description of the Help ...

Page 1041: ...is no command matching the input as it currently appears If the request is within a command press the Backspace key and erase the entered characters to a point where the request results in a match Help is provided when 1 There is a valid command and a help request is made for entering a parameter or argument e g show All possible parameters or arguments for the entered command are then displayed 2...

Page 1042: ...xt time that the user logs in via console telnet ssh The following are related commands Use the terminal history size User EXEC mode command to enable or disable this command for the current terminal session Use the history size Line Configuration Mode command to set the size of the command history buffer Example The following example enables the command for Telnet switchxxxxxx config line telnet ...

Page 1043: ...and configures the command history buffer size for a particular line It is effective from the next time that the user logs in via console telnet ssh Use the terminal history size User EXEC mode command to configure the command history buffer size for the current terminal session The allocated command history buffer is per terminal user and is taken from a shared buffer If there is not enough space...

Page 1044: ...ters This command has no arguments or keywords Default Configuration None Command Mode User EXEC mode Example The following example enters Privileged EXEC mode and logs in with the required username bob switchxxxxxx login User Name bob Password switchxxxxxx 55 14 terminal datadump To enable dumping all the output of a show command without prompting use the terminal datadump User EXEC mode command ...

Page 1045: ...nal datadump command enables dumping all output immediately after entering the show command by removing the pause The width is not limited and the width of the line being printed on the terminal is based on the terminal itself This command is relevant only for the current session Example The following example dumps all output immediately after entering a show command switchxxxxxx terminal datadump...

Page 1046: ...termined by the history Line Configuration Mode command This command is effective immediately Example The following example disables the command history function for the current terminal session switchxxxxxx terminal no history 55 16 terminal history size To change the command history buffer size for the current terminal session meaning it will not be stored in the Running Configuration file use t...

Page 1047: ...or the current terminal session Use the history Line Configuration Mode command to change the default history buffer size The maximum number of commands in all buffers is 207 Example The following example sets the command history buffer size to 20 commands for the current terminal session switchxxxxxx terminal history size 20 55 17 terminal prompt To enable the terminal prompts use the terminal pr...

Page 1048: ...ommand To return to the default use terminal no width The command is per session and will not be saved in the configuration database Syntax terminal width number of characters terminal no width Parameters number of characters Specifies the number of characters to be displayed for the echo output of the CLI commands and the configuration file 0 means endless number of characters on a screen line Ra...

Page 1049: ...nds in User EXEC mode Syntax show banner login show banner exec Parameters This command has no arguments or keywords Command Mode User EXEC mode Examples switchxxxxxx show banner login Banner Login Line SSH Enabled Line Telnet Enabled Line Console Enabled switchxxxxxx show banner exec Banner EXEC Line SSH Enabled Line Telnet Enabled Line Console Enabled You have logged on ...

Page 1050: ...User EXEC mode User Guidelines The buffer includes executed and unexecuted commands Commands are listed from the first to the most recent command The buffer remains unchanged when entering into and returning from configuration modes Example The following example displays all the commands entered while in the current Privileged EXEC mode switchxxxxxx show version SW version 3 131 date 23 Jul 2005 t...

Page 1051: ...ivilege To display the current privilege level use the show privilege User EXEC mode command Syntax show privilege Parameters This command has no arguments or keywords Default Configuration None Command Mode User EXEC mode Example The following example displays the privilege level for the user logged on switchxxxxxx show privilege Current privilege level is 15 ...

Page 1052: ...create VLAN s and define the default VLAN Use the exit command to return to Global Configuration mode Syntax vlan database Parameters N A Default Configuration VLAN 1 exists by default Command Mode Global Configuration mode Example The following example enters the VLAN Configuration mode creates VLAN 1972 and exits VLAN Configuration mode switchxxxxxx config vlan database switchxxxxxx config vlan ...

Page 1053: ...nconsecutive VLAN IDs with a comma and no spaces Use a hyphen to designate a range of IDs range 2 4094 Default Configuration VLAN 1 exists by default Command Mode VLAN Database Configuration mode User Guidelines To assign the VLAN a name use the name command in Interface Configuration VLAN mode Example The following example creates VLANs 100 and 1972 switchxxxxxx config vlan database switchxxxxxx ...

Page 1054: ...rivileged EXEC mode Examples Example 1 The following example displays information for all VLANs switchxxxxxx show vlan Created by D Default S Static G GVRP R Radius Assigned VLAN 56 4 default vlan vlan Use the default vlan vlan VLAN Configuration mode command to define the default VLAN Use the no form of this command to set VLAN 1 as the default VLAN Syntax default vlan vlan vlan id no default vla...

Page 1055: ...n default vlan vlan 2 New Default VLAN ID will be active after save configuration and reboot device 56 5 show default vlan membership Use the show default vlan membership privileged EXEC command to view the default VLAN membership Syntax show default vlan membership interface id detailed Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet p...

Page 1056: ...ation VLAN mode for a specific VLAN After this command is entered all commands configure this VLAN Syntax interface vlan vlan id Parameters vlan id Specifies the VLAN to be configured Default Configuration N A Command Mode Global Configuration mode User Guidelines If the VLAN does not exist the VLAN is created If the VLAN cannot be created this command is finished with an error and the current con...

Page 1057: ...face range vlan vlan range Parameters vlan range Specifies a list of VLANs Separate nonconsecutive VLANs with a comma and no spaces Use a hyphen to designate a range of VLANs Default Configuration N A Command Mode Global Configuration mode User Guidelines Commands under the interface VLAN range context are executed independently on each VLAN in the range If the command returns an error on one of t...

Page 1058: ...guration No name is defined Command Mode Interface VLAN Configuration mode User Guidelines The VLAN name must be unique Example The following example assigns VLAN 19 the name Marketing switchxxxxxx config interface vlan 19 switchxxxxxx config if name Marketing 56 9 switchport protected port Use the switchport protected port Interface Configuration mode command to isolate Unicast Multicast and Broa...

Page 1059: ...ith the same community as the ingress interface on the same switch Please note that the packet is still subject to FDB decision and to all filtering rules Use the switchport community Interface Configuration command to associate the interface with a community Example switchxxxxxx config interface gi11 switchxxxxxx config if switchport protected port 56 10 show interfaces protected ports Use the sh...

Page 1060: ...xxx show interfaces protected ports 56 11 switchport community Use the switchport community Interface Configuration mode command to associate a protected port with a community Use the no form of this command to return to the default Syntax switchport community community no switchport community Parameters community Specifies the community number range 1 31 Default Configuration The port is not asso...

Page 1061: ... Use the switchport mode Interface Configuration mode command to configure the VLAN membership mode Use the no form of this command to restore the default configuration Syntax switchport mode access trunk general private vlan promiscuous host customer no switchport mode Parameters access Specifies an untagged layer 2 VLAN port trunk Specifies a trunking layer 2 VLAN port general Specifies a full 8...

Page 1062: ...switchxxxxxx config interface gi11 switchxxxxxx config if switchport mode access switchxxxxxx config if switchport access vlan 2 Example 2 The following example puts the port gi12 into private vlan host mode switchxxxxxx config interface gi12 switchxxxxxx config if switchport mode private vlan host 56 13 switchport access vlan An interface in access mode can belong to only one VLAN The switchport ...

Page 1063: ... be displayed once Example The following example sets gi11 as an access port and assigns it to VLAN 2 and removes it from its previous VLAN switchxxxxxx config interface gi12 switchxxxxxx config if switchport mode access switchxxxxxx config if switchport access vlan 2 56 14 switchport trunk allowed vlan A trunk interface is an untagged member of a single VLAN and in addition it may be an tagged me...

Page 1064: ...ut this issue An interface cannot become a a member of a forbidden VLAN This message will only be displayed once and the command continues to execute in case there are more VLANs in the vlan list Example To add VLANs 2 3 and 100 to trunk ports 1 to 13 switchxxxxxx config interface range gi11 3 switchxxxxxx config if switchport mode trunk switchxxxxxx config if switchport trunk allowed vlan add 2 3...

Page 1065: ...LAN untagged egress interface A value of the interface PVID is set to this VLAN ID Examples Example 1 The following example defines VLAN 2 as native VLAN for port gi11 switchxxxxxx config interface gi11 switchxxxxxx config if switchport trunk native vlan 2 switchxxxxxx config if exit 56 16 switchport general allowed vlan General ports can receive tagged or untagged packets Use the switchport gener...

Page 1066: ...le from tagged to untagged without first removing the VLAN from the list If the interface is a forbidden member of an added VLAN the interface does not become a member of this specific VLAN There will be an error message in this case An interface cannot become a a member of a forbidden VLAN This message will only be displayed once and the command continues to execute if there are more VLANs in the...

Page 1067: ...ing example sets the gi12 PVID to 234 switchxxxxxx config interface gi12 switchxxxxxx config if switchport general pvid 234 Example 2 The following example performs the following Adds VLANs 2 3 as tagged and VLAN 100 as untagged to gi14 Defines VID 100 as the PVID switchxxxxxx config interface gi14 switchxxxxxx config if switchport mode general switchxxxxxx config if switchport general allowed vla...

Page 1068: ...al ingress filtering disable Parameters N A Default Configuration Ingress filtering is enabled Command Mode Interface Ethernet Port Channel Configuration mode Example The following example disables port ingress filtering on gi11 switchxxxxxx config interface gi11 switchxxxxxx config if switchport mode general switchxxxxxx config if switchport general ingress filtering disable 56 19 switchport gene...

Page 1069: ...e accepted at ingress all Command Mode Interface Ethernet Port Channel Configuration mode Example The following example configures port gi13 to be in general mode and to discard untagged frames at ingress switchxxxxxx config interface gi13 switchxxxxxx config if switchport mode general switchxxxxxx config if switchport general acceptable frame type tagged only 56 20 switchport customer vlan Use th...

Page 1070: ...llowing example defines gi14 as a member of customer VLAN 5 switchxxxxxx config interface gi14 switchxxxxxx config if switchport mode customer switchxxxxxx config if switchport customer vlan 5 56 21 map mac macs group Use the map mac macs group VLAN Configuration mode command to map a MAC address or range of MAC addresses to a group of MAC addresses Use the no form of this command to delete the ma...

Page 1071: ... and maps the groups of MAC addresses to specific VLANs switchxxxxxx config vlan database switchxxxxxx config vlan map mac 0000 1111 0000 32 macs group 1 switchxxxxxx config vlan map mac 0000 0000 2222 host macs group 2 switchxxxxxx config vlan exit switchxxxxxx config interface gi14 switchxxxxxx config if switchport mode general switchxxxxxx config if switchport general map macs group 1 vlan 2 sw...

Page 1072: ...ch among the rules Subnet based VLAN best match among the rules Protocol based VLAN PVID User Guidelines After groups of MAC addresses have been created see the map mac macs group command they can be mapped to specific VLANs Each MAC address host or range in the MAC based group assigned to an interface consumes a single TCAM entry Example The following example creates two groups of MAC addresses s...

Page 1073: ...s group 2 vlan 3 56 23 show vlan macs groups Use the show vlan macs groups EXEC mode command to display the MAC addresses that belong to the defined MAC based classification rules Syntax show vlan macs groups Parameters N A Default Configuration N A Command Mode User EXEC mode Example The following example displays defined MAC based classification rules switchxxxxxx show vlan macs groups MAC Addre...

Page 1074: ...l Configuration mode User Guidelines The command may used only when the default VLAN is supported The command may be used at any time regardless of whether the port belongs to the default VLAN The no command does not add the port to the default VLAN it only defines an interface as permitted to be a member of the default VLAN and the port will be added only when conditions are met Example The follo...

Page 1075: ...e a range of IDs Default Configuration All VLANs are allowed Command Mode Interface Ethernet Port Channel Configuration mode Example The following example forbids adding VLAN IDs 234 to 256 to gi14 switchxxxxxx config interface gi14 switchxxxxxx config if switchport mode trunk switchxxxxxx config if switchport forbidden vlan add 234 256 56 26 switchport default vlan tagged Use the switchport defau...

Page 1076: ... added to the default VLAN as tagged the native VLAN is set by the system to 4095 When a general port is a member in the default VLAN as a tagged port then The PVID can be the default VLAN The default PVID is the default VLAN Note The PVID is not changed when the port is added to the default VLAN as a tagged When executing the switchport default vlan tagged command the port is added automatically ...

Page 1077: ...default VLAN switchxxxxxx config interface gi11 switchxxxxxx config if switchport mode trunk switchxxxxxx config if switchport default vlan tagged 56 27 show interfaces switchport Use the show interfaces switchport Privileged EXEC command to display the administrative and operational status of all interfaces or a specific interface Syntax show interfaces switchport interface id Parameters interfac...

Page 1078: ...is member in VLAN Name Egress Rule Type 1 default untagged Default 8 8 tagged Dynamic 11 11 tagged Static 19 IPv6VLAN untagged Static 72 72 untagged Static 120 untagged RADIUS Assigned VLAN Forbidden VLANS VLAN Name 73 Out Classification rules Mac based VLANs Group ID Vlan ID Example 2 The following example displays the command output for an access port switchxxxxxx show interfaces switchport gi12...

Page 1079: ...cation rules Mac based VLANs Example 3 The following example displays the output for a general port switchxxxxxx show interfaces switchport gi12 Port gi12 Port mode General Ingress Filtering Enabled Acceptable Frame Type admitAll PVID 4095 discard vlan GVRP status Enabled Protected Disabled 802 1x state multi sessions mode Port gi12 is member in VLAN Name Egress Rule Type 8 72 untagged 91 IP Telep...

Page 1080: ...ty isolated no private vlan Parameters primary Designate the VLAN as a primary VLAN community Designate the VLAN as a community VLAN isolated Designate the VLAN as an isolated VLAN Default Configuration No private VLANs are configured Command Mode Interface VLAN Configuration mode User Guidelines The VLAN type cannot be changed if there is a private VLAN port that is a member in the VLAN The VLAN ...

Page 1081: ...ist of VLAN IDs of type secondary to add to a primary VLAN Separate nonconsecutive VLAN IDs with a comma and no spaces Use a hyphen to designate a range of IDs This is the default action remove secondary vlan list List of VLAN IDs of type secondary to remove association from a primary VLAN Separate nonconsecutive VLAN IDs with a comma and no spaces Use a hyphen to designate a range of IDs Default ...

Page 1082: ...ciation add 20 22 24 56 30 switchport private vlan mapping Use the switchport private vlan mapping Interface Configuration mode command to configure the VLANs of the private VLAN promiscuous port Use the no form of this command to reset to default Syntax switchport private vlan mapping primary vlan id add remove secondary vlan list no switchport private vlan mapping Parameters primary vlan id The ...

Page 1083: ...ssociation of a host port with primary and secondary VLANs of the private VLAN Use the no form of this command to reset to default Syntax switchport private vlan host association primary vlan id secondary vlan id no switchport private vlan host association Parameters primary vlan id The VLAN ID of the primary VLAN secondary vlan id Specifies the secondary VLAN Default Configuration No association ...

Page 1084: ...he secondary VLAN The PVID is set to the VLAN ID of the secondary VLAN The port ingress filtering is disabled Example The following example set port gi14 to secondary VLAN 20 in primary VLAN 10 switchxxxxxx config interface gi14 switchxxxxxx config if switchport private vlan host association 10 20 56 32 show vlan private vlan Use the show vlan private vlan EXEC mode command to display private VLAN...

Page 1085: ...mary gi11 150 151 isolated gi12 160 primary gi13 160 161 community gi14 switchxxxxxx show vlan private vlan 150 Primary Secondary Type Ports 150 primary gi11 150 151 isolated gi14 56 33 switchport access multicast tv vlan To assign a Multicast TV VLAN to an access port use the switchport access multicast tv vlan command in Interface Ethernet Port Channel Configuration mode To return to the default...

Page 1086: ...ss VLAN To register IGMP reports arriving on the access port by IGMP Snooping running on the Multicast TV VLAN use the ip igmp snooping map cpe vlan command Example The following example enables gi14 to receive Multicast transmissions from VLAN 11 switchxxxxxx config interface gi14 switchxxxxxx config if switchport access multicast tv vlan 11 56 34 switchport customer multicast tv vlan To assign M...

Page 1087: ...reports arriving on the customer port by IGMP Snooping running on the Multicast TV VLAN use the ip igmp snooping map cpe vlan command Example The following example enables gi14 to receive Multicast transmissions from VLANs 5 6 7 switchxxxxxx config interface gi14 switchxxxxxx config if switchport customer multicast tv vlan add 5 7 56 35 show vlan multicast tv Use the show vlan Multicast tv EXEC mo...

Page 1088: ...y the switch as internal except The Prohibit Internal Usage VLAN list includes all VLANs except the VLANs specified by the vlan list argument only the VLANs specified by the vlan list argument can be used by the switch as internal add Add the given VLANs to the Prohibit Internal Usage VLAN list remove Remove the given VLANs from the Prohibit Internal Usage VLAN list vlan list List of VLAN Separate...

Page 1089: ...as chosen by the software for internal usage but you want to use that VLAN for a static or dynamic VLAN do one of the following Add the VLAN to the Prohibited User Reserved VLAN list Copy the Running Configuration file to the Startup Configuration file Reload the switch Create the VLAN Examples Example 1 The following example specifies that VLANs 4010 4012 and 4090 4094 cannot be used as internal ...

Page 1090: ...lay a list of VLANs used internally by the device defined by the user Syntax show vlan internal usage Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example The following example displays VLANs used internally by the switch show vlan internal usage User Reserved VLAN list after reset 4010 4012 4080 4094 Current User Reserved VLAN list 4010 4012 4090 4094 VLAN Usage 4089...

Page 1091: ...al Common and Auto Voice VLAN specific parameters are displayed interface id Optional Specifies an Ethernet port ID detailed Optional Displays information for non present ports in addition to present ports Default Configuration If the type parameter is omitted the current Voice VLAN type is used If the interface id parameter is omitted then information about all present interfaces is displayed If ...

Page 1092: ...switch show voice vlan type auto switchxxxxxx show voice vlan type auto Best Local Voice VLAN ID is 5 Best Local VPT is 5 default Best Local DSCP is 46 default Agreed Voice VLAN is received from switch 00 24 01 30 10 00 Agreed Voice VLAN priority is 0 active static source Agreed Voice VLAN ID is 5 Agreed VPT is 5 Agreed DSCP is 46 Agreed Voice VLAN Last Change is 11 Jul 11 15 52 51 switchxxxxxx Ex...

Page 1093: ...SDP Authentication is disabled Example 4 Displays the current voice VLAN parameters when the administrative voice VLAN state is auto triggered and it has been triggered switchxxxxxx config voice vlan state auto triggered switchxxxxxx config voice vlan state auto triggered operational voice vlan state is auto admin state is auto triggered switchxxxxxx show voice vlan Administrate Voice VLAN state i...

Page 1094: ...is disabled Best Local Voice VLAN ID is 5 Best Local VPT is 5 default Best Local DSCP is 46 default Aging timeout 1440 minutes Example 6 Displays the voice VLAN parameters when the voice VLAN operational state is OUI switch show voice vlan Administrate Voice VLAN state is oui enabled Operational Voice VLAN state is oui enabled Best Local Voice VLAN ID is 1 default Best Local VPT is 4 Best Local DS...

Page 1095: ...ation about the auto voice VLAN local configuration including the best local voice VLAN Syntax show voice vlan local Parameters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Examples Example 1 A CDP device is connected to an interface and a conflict is detected 30 Apr 2011 00 39 24 VLAN W ConflictingCDPDetected conflict detected between oper...

Page 1096: ...ce VLAN state is auto triggered switchxxxxxx show voice vlan local Administrate Voice VLAN state is auto triggered on IPv4 Operational Voice VLAN state is auto enabled VLAN ID VPT DSCP Source MAC Address Interface 1 5 46 default 100 CDP 00 23 56 1a dc 68 gi14 100 CDP 00 44 55 44 55 4d gi14 The character marks the best local voice VLAN Example 3 Displays the local voice VLAN configuration when the ...

Page 1097: ...auto enabled Auto Voice VLAN is enabled auto triggered Auto Voice VLAN on the switch is in standby and is put into operation when the switch detects a CDP device advertising a voice VLAN or if a voice VLAN ID is configured manually on the switch ipv6 Auto VLAN is enabled on IPv6 mDNS oui enabled Voice VLAN is of type OUI disabled Voice VLAN is disabled Default Configuration auto triggered on ipv4 ...

Page 1098: ... the same family as the current device A Voice Service Discovery Protocol VSDP message was received from a neighbor switch VSDP is a Cisco Small Business proprietary protocol for SF and SG series managed switches In all other cases the operational state is disabled Notes To change the administrative state from oui enabled to auto enabled or auto triggered or vice versa you must first set the admin...

Page 1099: ...ce VLAN state All auto Smartport configuration on ports are removed switchxxxxxx config voice vlan state disabled All interfaces with Auto Smartport dynamic type will be set to default Are you sure you want to continue Y N Y Y switchxxxxxx config 30 Apr 2011 00 04 41 LINK W Down Vlan 5 30 Apr 2011 00 04 41 LINK W Down Vlan 8 30 Apr 2011 00 04 41 LINK W Down Vlan 9 30 Apr 2011 00 04 41 LINK W Down ...

Page 1100: ...resh To restart the Voice VLAN discovery process on all the Auto Voice VLAN enabled switches in the VLAN by removing all externally learned voice VLAN attributes and resetting the voice VLAN to the default voice VLAN use the voice vlan refresh Global Configuration mode command Syntax voice vlan refresh Parameters This command has no arguments or keywords Default Configuration None Command Mode Glo...

Page 1101: ...ult Best Local DSCP is 46 default Following is the new active source Agreed Voice VLAN is received from switch b0 c6 9a c1 da 00 Agreed Voice VLAN priority is 2 active CDP device Agreed Voice VLAN ID is 100 Agreed VPT is 5 Agreed DSCP is 46 Agreed Voice VLAN Last Change is 11 Apr 30 02 01 02 57 5 voice vlan id To statically configure the VLAN identifier of the voice VLAN use the voice vlan id Glob...

Page 1102: ...administrative voice VLAN as static voice VLAN which has higher priority than voice VLAN learnt from external sources Are you sure you want to continue Y N Y Y 30 Apr 2011 00 19 36 VLAN I VoiceVlanCreated Voice Vlan ID 35 was created switchxxxxxx config 30 Apr 2011 00 19 51 VLAN I ReceivedFromVSDP Voice VLAN updated by VSDP Voice VLAN ID 35 VPT 5 DSCP 46 57 6 voice vlan vpt To specify a value of V...

Page 1103: ...voice VLAN learnt from external sources Are you sure you want to continue Y N Y Y 30 Apr 2011 00 24 52 VLAN W BestLocal Oper inconsistency detected VSDP voice VLAN configuration differs from best local Best local is Voice VLAN ID 104 VPT 5 DSCP 46 switchxxxxxx config 30 Apr 2011 00 25 07 VLAN I ReceivedFromVSDP Voice VLAN updated by VSDP Voice VLAN ID 104 VPT 7 DSCP 46 57 7 voice vlan dscp To spec...

Page 1104: ...stency detected VSDP voice VLAN configuration differs from best local Best local is Voice VLAN ID 104 VPT 7 DSCP 46 switchxxxxxx config 30 Apr 2011 00 31 22 VLAN I ReceivedFromVSDP Voice VLAN updated by VSDP Voice VLAN ID 104 VPT 7 DSCP 63 57 8 voice vlan oui table To configure the voice OUI table use the voice vlan oui table Global Configuration mode command To restore the default configuration u...

Page 1105: ... addresses the first three bytes contain a manufacturer ID Organizationally Unique Identifiers OUI and the last three bytes contain a unique station ID Since the number of IP phone manufacturers that dominates the market is limited and well known the known OUI values are configured by default and OUIs can be added removed by the user when required Example The following example adds an entry to the...

Page 1106: ...ith OUIs in the source MAC address See the User Guidelines of voice vlan oui table all QoS attributes are applied to packets that are classified to the Voice VLAN Default Configuration The default mode is src Command Mode Interface Configuration mode Example The following example applies QoS attributes to voice packets switchxxxxxx config if voice vlan cos mode all 57 10 voice vlan cos To set the ...

Page 1107: ... Command Mode Global Configuration mode Example The following example sets the OUI voice VLAN CoS to 7 and does not do remarking switchxxxxxx config voice vlan cos 7 57 11 voice vlan aging timeout To set the OUI Voice VLAN aging timeout interval use the voice vlan aging timeout Global Configuration mode command To restore the default configuration use the no form of this command Syntax voice vlan ...

Page 1108: ...To enable OUI voice VLAN configuration on an interface use the voice vlan enable Interface Configuration mode mode command To disable OUI voice VLAN configuration on an interface use the no form of this command Syntax voice vlan enable no voice vlan enable Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Interface Configuration mode User Guidelines T...

Page 1109: ...ve to be the voice VLAN it can be any VLAN The port joins the voice VLAN as a tagged port If the time since the last MAC address with a source MAC address OUI address was received on the interface exceeds the timeout limit configured by voice vlan aging timeout the interface is removed from the voice VLAN Example The following example enables OUI voice VLAN configuration on gi12 switchxxxxxx confi...

Page 1110: ...ax ip https certificate number no ip https certificate Parameters number Specifies the certificate number Range 1 2 Default Configuration The default certificate number is 1 Command Mode Global Configuration mode User Guidelines First use crypto certificate generate to generate one or two HTTPS certificates Then use this command to specify which is the active certificate Example The following exam...

Page 1111: ... http port Parameters port port number For use by the HTTP server Range 1 65534 Default Configuration The default port number is 80 Command Mode Global Configuration mode Example The following example configures the http port number as 100 switchxxxxxx config ip http port 100 58 3 ip http server To enable configuring and monitoring the device from a web browser use the ip http server Global Config...

Page 1112: ...g the device from a web browser switchxxxxxx config ip http server 58 4 ip http secure server To enable the device to be configured or monitored securely from a browser use the ip http secure server Global Configuration mode command To disable this function use the no form of this command Syntax ip http secure server no ip http secure server Parameters This command has no arguments or keywords Def...

Page 1113: ...tp timeout policy Global Configuration mode command To return to the default value use the no form of this command Syntax ip http timeout policy idle seconds http only https only no ip http timeout policy Parameters idle seconds Specifies the maximum number of seconds that a connection is kept open if no data is received or response data cannot be sent out Range 0 86400 http only Optional The time...

Page 1114: ...r configuration use the show ip http Privileged EXEC mode command Syntax show ip http Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode Example The following example displays the HTTP server configuration switchxxxxxx show ip http HTTP server enabled Port 80 Interactive timeout 10 minutes 58 7 show ip https To display the HTTPS server configuration use the show...

Page 1115: ...xx show ip https HTTPS server enabled Port 443 Interactive timeout Follows the HTTP interactive timeout 10 minutes Certificate 1 is active Issued by www verisign com Valid from 8 9 2003 to 8 9 2004 Subject CN router gm com 0 General Motors C US Finger print DC789788 DC88A988 127897BC BB789788 Certificate 2 is inactive Issued by self signed Valid from 8 9 2003 to 8 9 2004 Subject CN router gm com 0...

Page 1116: ...pport_center_contacts html Cisco Firmware Downloads www cisco com go smallbizfirmware Select a link to download firmware for Cisco products No login is required Cisco Open Source Requests www cisco com go smallbiz_opensource_request Product Documentation Cisco 220 Series www cisco com go 220switches Warranty Information www cisco com go warranty Regulatory Compliance and Safety Information www cis...

Page 1117: ...Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Reviews:

No comments

Related manuals for 300 Series

Harman Kardon ABH 4000 Owner'S Manual preview
ABH 4000
Brand: Harman Kardon Pages: 2
IBM 8271 Nways Ethernet LAN Switch User Manual preview
8271 Nways Ethernet LAN Switch
Brand: IBM Pages: 210
Watt Stopper PW-203 Installation Instructions Manual preview
PW-203
Brand: Watt Stopper Pages: 10
Comtrend Corporation ES-7211PoE User Manual preview
ES-7211PoE
Brand: Comtrend Corporation Pages: 2
4O3A Signature ANTENNA GENIUS 8x2 v2 PLUS User Manual preview
Signature ANTENNA GENIUS 8x2 v2 PLUS
Brand: 4O3A Pages: 57
Velux INTEGRA KLI 310 Quick Start Manual preview
INTEGRA KLI 310
Brand: Velux Pages: 9
Bluestream Custom Pro Matrix User Manual preview
Custom Pro Matrix
Brand: Bluestream Pages: 27
Omron B3SL Quick Start Manual preview
B3SL
Brand: Omron Pages: 4
Accton Technology EH3008D Quick Installation Manual preview
EH3008D
Brand: Accton Technology Pages: 7
Shinybow USA SB-8804LCM Instruction Manual preview
SB-8804LCM
Brand: Shinybow USA Pages: 16
Optex OAM-DUAL T Operation Manual preview
OAM-DUAL T
Brand: Optex Pages: 2
Hall Research Technologies KVMC-UH-8 User Manual preview
KVMC-UH-8
Brand: Hall Research Technologies Pages: 9
Jerguson SAS-16 Installation, Operation & Maintenance Instructions preview
SAS-16
Brand: Jerguson Pages: 4
Leonton EG2-1600 Series User Manual preview
EG2-1600 Series
Brand: Leonton Pages: 19
AV-Box WUH5-H2 User Manual preview
WUH5-H2
Brand: AV-Box Pages: 11
J-Tech Digital JTD-3003 User Manual preview
JTD-3003
Brand: J-Tech Digital Pages: 13
A-Neuvideo ANI-44VGA Instruction Manual preview
ANI-44VGA
Brand: A-Neuvideo Pages: 9
Orbis DICROMAT+ User Instructions preview
DICROMAT+
Brand: Orbis Pages: 2

Brands by name

Popular brands

Load more brands