manualshive.com logo in svg

Cisco Sx350, Cli Manual

Share
Download
Cisco Sx350 Cli Manual Download Page 277

Denial of Service (DoS) Commands

Cisco Sx350 Ph. 2.2.5 Devices - Command Line Interface Reference Guide

276

10

 

User Guidelines

On ports in which an ACL is defined (user-defined ACL etc.), this feature cannot block TCP SYN 
packets. In case the protection mode is block but SYN Traffic cannot be blocked, a relevant 
SYSLOG message will be created, e.g.: “port gi11 is under TCP SYN attack. TCP SYN traffic 
cannot be blocked on this port since the port is bound to an ACL.”

Examples

Example 1: 

The following example sets the TCP SYN protection feature to report 

TCP SYN attack on ports in case an attack is identified from these ports.

switchxxxxxx(config)# 

security-suite syn protection mode report

01-Jan-2012 05:29:46: 

A TCP SYN Attack was identified on port 

gi1

1

Example 2: 

The following example sets the TCP SYN protection feature to block 

TCP SYN attack on ports in case an attack is identified from these ports.

switchxxxxxx(config)# 

security-suite syn protection mode block

01-Jan-2012 05:29:46: 

A TCP SYN Attack was identified on port 

gi1

1. TCP SYN 

traffic destined to the local system is automatically blocked for 100 

seconds.

10.10 security-suite syn protection recovery

To set the time period for the SYN Protection feature to block an attacked 
interface, use the security-suite syn protection period Global Configuration mode 
command.

To set the time period to its default value, use the no form of this command.

Syntax

security-suite syn protection recovery timeout

no security-suite syn protection recovery

Summary of Contents for Sx350

Page 1: ...Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide CLI GUIDE ...

Page 2: ... interfaces access lists 75 clear access lists counters 75 show interfaces access lists trapped packets 76 ip access list IP standard 77 ipv6 access list IP standard 79 3 802 1X Commands 81 aaa authentication dot1x 81 authentication open 82 clear dot1x statistics 83 data 83 dot1x auth not req 85 dot1x authentication 86 dot1x guest vlan 87 dot1x guest vlan enable 88 dot1x guest vlan timeout 89 dot1...

Page 3: ...t forbidden address 128 bridge multicast ip address 129 bridge multicast forbidden ip address 131 bridge multicast source group 132 bridge multicast forbidden source group 133 bridge multicast ipv6 mode 135 bridge multicast ipv6 ip address 137 bridge multicast ipv6 forbidden ip address 138 bridge multicast ipv6 source group 139 bridge multicast ipv6 forbidden source group 141 bridge multicast unre...

Page 4: ...le password 180 service password recovery 181 username 183 show users accounts 184 aaa accounting login 185 aaa accounting dot1x 187 show accounting 189 passwords complexity enable 190 passwords complexity 191 passwords aging 193 show passwords configuration 193 6 Auto Update and Auto Configuration 196 boot host auto config 196 boot host auto update 197 show boot 198 ip dhcp tftp server ip address...

Page 5: ... source 240 clock summer time 241 clock timezone 243 periodic 244 sntp anycast client enable 245 sntp authenticate 246 sntp authentication key 247 sntp broadcast client enable 248 sntp client enable 249 sntp client enable interface 250 sntp server 251 sntp source interface 252 sntp source interface ipv6 253 sntp trusted key 254 sntp unicast client enable 255 sntp unicast client poll 256 show clock...

Page 6: ... relay address Interface 284 show ip dhcp relay 285 ip dhcp information option 287 show ip dhcp information option 288 12 DHCP Server Commands 289 address DHCP Host 289 address DHCP Network 290 auto default router 291 bootfile 292 clear ip dhcp binding 293 client name 294 default router 295 dns server 296 domain name 297 ip dhcp excluded address 297 ip dhcp pool host 298 ip dhcp pool network 299 i...

Page 7: ...uard configuration 334 show ip source guard status 335 show ip source guard inactive 336 show ip source guard statistics 337 ip arp inspection 338 ip arp inspection vlan 338 ip arp inspection trust 339 ip arp inspection validate 340 ip arp inspection list create 341 ip mac 342 ip arp inspection list assign 343 ip arp inspection logging interval 344 show ip arp inspection 344 show ip arp inspection...

Page 8: ... time 385 description 386 speed 387 duplex 388 negotiation 389 flowcontrol 390 mdix 391 back pressure 392 port jumbo frame 392 link flap prevention 393 clear counters 394 set interface active 395 errdisable recovery cause 396 errdisable recovery interval 397 errdisable recovery reset 398 show interfaces configuration 399 show interfaces status 401 show interfaces advertise 402 show interfaces desc...

Page 9: ...ommands 452 clear gvrp statistics 452 gvrp enable Global 453 gvrp enable Interface 453 gvrp registration forbid 454 gvrp vlan creation forbid 455 show gvrp configuration 456 show gvrp error statistics 457 show gvrp statistics 458 20 Green Ethernet 460 green ethernet energy detect global 460 green ethernet energy detect interface 460 green ethernet short reach global 461 green ethernet short reach ...

Page 10: ...88 ip igmp snooping vlan static 489 ip igmp snooping vlan multicast tv 490 ip igmp snooping map cpe vlan 491 ip igmp snooping querier 492 ip igmp snooping vlan querier 493 ip igmp snooping vlan querier address 494 ip igmp snooping vlan querier election 494 ip igmp snooping vlan querier version 496 ip igmp snooping vlan immediate leave 496 show ip igmp snooping cpe vlans 497 show ip igmp snooping g...

Page 11: ...t ttl threshold 545 show ip mroute 546 show ip multicast 548 28 IPv6 Commands 551 clear ipv6 neighbors 551 ipv6 address 551 ipv6 address anycast 553 ipv6 address autoconfig 554 ipv6 address eui 64 555 ipv6 address link local 557 ipv6 default gateway 558 ipv6 enable 559 ipv6 hop limit 560 ipv6 icmp error interval 561 ipv6 link local default zone 562 ipv6 nd advertisement interval 563 ipv6 nd dad at...

Page 12: ...Neighbor Binding 615 device role ND Inspection Policy 616 device role RA Guard Policy 618 drop unsecure 619 hop limit 620 ipv6 dhcp guard 621 ipv6 dhcp guard attach policy port mode 623 ipv6 dhcp guard attach policy VLAN mode 625 ipv6 dhcp guard policy 626 ipv6 dhcp guard preference 628 ipv6 first hop security 630 ipv6 first hop security attach policy port mode 631 ipv6 first hop security attach p...

Page 13: ...source guard attach policy port mode 675 ipv6 source guard policy 677 logging binding 678 logging packet drop 679 managed config flag 680 match ra address 681 match ra prefixes 683 match reply 684 match server address 685 max entries 687 other config flag 688 preference 689 router preference 691 sec level minimum 692 show ipv6 dhcp guard 693 show ipv6 dhcp guard policy 694 show ipv6 first hop secu...

Page 14: ... 732 32 iSCSI QoS Commands 736 iscsi enable 736 iscsi flow 737 iscsi qos 738 show iscsi 740 33 IPv6 Tunnel Commands 742 interface tunnel 742 tunnel isatap solicitation interval 743 tunnel isatap robustness 743 tunnel isatap router 744 tunnel mode ipv6ip 745 tunnel source 747 show ipv6 tunnel 748 34 Line Commands 750 autobaud 750 exec timeout 751 line 751 speed 752 show line 753 35 Link Aggregation...

Page 15: ...8 lldp timer 779 lldp transmit 780 lldp tx delay 781 show lldp configuration 782 show lldp local 784 show lldp local tlvs overloading 787 show lldp med configuration 788 show lldp neighbors 789 show lldp statistics 795 37 Loopback Detection Commands 799 loopback detection enable Global 799 loopback detection enable Interface 800 loopback detection interval 800 show loopback detection 801 38 Macro ...

Page 16: ...mmands 842 ipv6 mld snooping Global 842 ipv6 mld snooping vlan 842 ipv6 mld snooping querier 843 ipv6 mld snooping vlan querier 844 ipv6 mld snooping vlan querier election 845 ipv6 mld snooping vlan querier version 846 ipv6 mld snooping vlan mrouter 847 ipv6 mld snooping vlan mrouter interface 848 ipv6 mld snooping vlan forbidden mrouter 849 ipv6 mld snooping vlan static 850 ipv6 mld snooping vlan...

Page 17: ...s optical transceiver 889 45 Power over Ethernet PoE Commands 891 power inline 891 power inline inrush test disable 892 power inline legacy support disable 893 power inline powered device 893 power inline priority 894 power inline usage threshold 895 power inline traps enable 896 power inline limit 896 power inline limit mode 897 power inline four pair forced 898 powered device forced 899 show pow...

Page 18: ... 943 qos wrr queue wrtd 944 show qos wrr queue wrtd 945 show qos interface 946 qos map policed dscp 950 qos map dscp queue 951 qos trust Global 952 qos trust Interface 953 qos cos 954 qos dscp mutation 955 qos map dscp mutation 956 show qos map 957 clear qos statistics 959 qos statistics policer 960 qos statistics aggregate policer 960 qos statistics queues 961 show qos statistics 962 48 RADIUS Co...

Page 19: ... 987 show radius server accounting 988 show radius server configuration 990 show radius server group 991 show radius server rejected users 992 show radius server nas secret 994 show radius server statistics 996 show radius server user 998 vlan 999 50 Rate Limit and Storm Control Commands 1001 clear storm control counters 1001 rate limit Ethernet 1002 rate limit vlan 1003 storm control 1005 show ra...

Page 20: ...050 crypto certificate import 1052 show crypto certificate 1058 55 Smartport Commands 1060 macro auto Global 1060 macro auto built in parameters 1061 macro auto persistent 1063 macro auto processing cdp 1064 macro auto processing lldp 1064 macro auto processing type 1065 macro auto resume 1066 macro auto smartport Interface 1067 macro auto smartport type 1068 macro auto trunk refresh 1070 macro au...

Page 21: ...1109 spanning tree link type 1110 spanning tree pathcost method 1111 spanning tree bpdu Global 1112 spanning tree bpdu Interface 1113 spanning tree guard root 1113 spanning tree bpduguard 1114 clear spanning tree detected protocols 1115 spanning tree mst priority 1116 spanning tree mst max hops 1117 spanning tree mst port priority 1118 spanning tree mst cost 1118 spanning tree mst configuration 11...

Page 22: ...G Commands 1167 aaa logging 1167 clear logging 1168 clear logging file 1168 file system logging 1169 logging buffered 1170 logging console 1171 logging file 1172 logging host 1173 logging on 1174 logging source interface 1175 logging source interface ipv6 1176 logging aggregation on 1177 logging aggregation aging time 1178 logging origin id 1178 show logging 1179 show logging file 1181 show syslog...

Page 23: ... 1208 tacacs server host source interface 1209 tacacs server host source interface ipv6 1210 tacacs server key 1211 tacacs server timeout 1212 show tacacs 1213 show tacacs key 1214 64 Telnet Secure Shell SSH and Secure Login Slogin Commands 1216 ip telnet server 1216 ip ssh server 1217 ip ssh port 1217 ip ssh password auth 1218 ip ssh pubkey auth 1219 crypto key pubkey chain ssh 1220 user key 1221...

Page 24: ...erfaces protected ports 1261 switchport 1262 switchport mode 1263 switchport access vlan 1265 switchport trunk allowed vlan 1266 switchport trunk native vlan 1267 switchport general allowed vlan 1268 switchport general pvid 1269 switchport general ingress filtering disable 1270 switchport general acceptable frame type 1271 switchport general forbidden vlan 1272 switchport customer vlan 1273 map pr...

Page 25: ... prohibit internal usage 1293 show vlan internal usage 1295 68 Voice VLAN Commands 1297 show voice vlan 1297 show voice vlan local 1301 voice vlan state 1303 voice vlan refresh 1306 voice vlan id 1307 voice vlan vpt 1308 voice vlan dscp 1309 voice vlan oui table 1310 voice vlan cos mode 1312 voice vlan cos 1312 voice vlan aging timeout 1313 voice vlan enable 1314 69 Web Server Commands 1316 ip htt...

Page 26: ...25 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 1 ...

Page 27: ...ng the CLI CLI Command Conventions Editing Features Interface Naming Conventions IPv6z Address Conventions Loopback Interface PHY Diagnostics CLI Output Modifiers Overview The CLI is divided into various command modes Each mode includes a group of commands These modes are described in CLI Command Modes Users are assigned privilege levels Each user privilege level can access specific CLI modes User...

Page 28: ...me a higher level user For example the user may go from level 1 to level 7 level 1 to 15 or level 7 to level 15 The passwords for each level are set by an administrator using the following command enable password level privilege level password encrypted encrypted password Using these passwords you can raise your user level by entering the command enable and the password for level 7 or 15 You can g...

Page 29: ...er for details CLI Command Modes The CLI is divided into four command modes The command modes are in the order in which they are accessed User EXEC mode Privileged EXEC mode Global Configuration mode Interface Configuration mode Each command mode has its own unique console prompt and set of CLI commands Entering a question mark at the console prompt displays a list of available commands for the cu...

Page 30: ...iguration mode Privileged EXEC Mode A user with level 7 or 15 automatically logs into Privileged EXEC mode Users with level 1 can enter Privileged Exec mode by entering the enable command and when prompted the password for level 15 To return from the Privileged EXEC mode to the User EXEC mode use the disable command Global Configuration Mode The Global Configuration mode is used to run commands th...

Page 31: ...terface Configuration mode for that interface The following example enters Interface Configuration mode for vlan1 and then sets their speed The exit command returns to Global Configuration mode The following is a sample of some of the available submodes Interface Contains commands that configure a specific interface port VLAN port channel or tunnel or range of interfaces The Global Configuration m...

Page 32: ...r the Management Access List Configuration mode MAC Access List IPv6 Access List IP Access List Configures conditions required to allow traffic based on MAC addresses IPv6 address and IPv4 address respectively The mac access list ipv6 access list and ip access list Global Configuration mode commands are used to enter the these configuration mode To return from any Interface Configuration mode to t...

Page 33: ...fter the computer and switch are connected run a terminal application to access the CLI The terminal emulator must be configured to databits 8 and parity none Click Enter twice so that the device sets the serial port speed to match the PC s serial port speed When the CLI appears enter cisco at the User Name prompt and then enter cisco for the Password prompt The switchxxxxxx prompt is displayed Yo...

Page 34: ...ompt STEP 3 CLI will be displayed CLI Command Conventions When entering commands there are certain command entry standards that apply to all commands The following table describes the command conventions Convention Description In a command line square brackets indicate an optional entry In a command line curly brackets indicate a selection of compulsory parameters separated the character One optio...

Page 35: ...erved words i e VLAN put the string in inverted commas parameter Italic text indicates a parameter press key Names of keys to be pressed are shown in bold Ctrl F4 Keys separated by the character are to be pressed simultaneously on the keyboard Screen Display Fixed width font indicates CLI prompts CLI commands entered by the user and system messages displayed on the console all When a parameter is ...

Page 36: ...minal Command Buffer Every time a command is entered in the CLI it is recorded on an internally managed Command History buffer Commands stored in the buffer are maintained on a First In First Out FIFO basis These commands can be recalled reviewed modified and reissued This buffer is not preserved across device resets By default the history buffer system is enabled but it can be disabled at any tim...

Page 37: ...or has missing or invalid parameters then the appropriate error message is displayed This assists in entering the correct command By pressing Tab after an incomplete command is entered the system will attempt to identify and complete the command If the characters already entered are not enough for the system to identify a single matching command press to display the available commands matching the...

Page 38: ...ied and pasted into the device except for encrypted passwords where the keyword encrypted is used before the encrypted data for instance in the enable password command Interface Naming Conventions Interfaces on the device can be one of the following types Fast Ethernet 10 100 kbits ports This can be written as FastEthernet fa or fe Gigabit Ethernet 10 100 1000 kbits ports These can be written as e...

Page 39: ...ividual basis or within a range The interface range command has the following syntax interface range port type first port number last port number port channel first port channel number last port channel number tunnel first tunnel number last tunnel number vlan first vlan id last vlan id A sample of this command is shown in the example below switchxxxxxx config interface GigabitEthernet 1 switchxxx...

Page 40: ...er the first entry and before the comma must be entered A sample of this command is shown in the example below IPv6z Address Conventions The following describes how to write an IPv6z address which is a link local IPv6 address The format is ipv6 link local address egress interface where egress interface also known as zone vlan vlan id po number tunnel number port number 0 If the egress interface is...

Page 41: ...ed on this virtual interface is used as the local address when communicating with remote IP applications the communication will not be aborted even if the actual route to the remote application was changed The name of the loopback interface is loopback1 A loopback interface does not support bridging it cannot be a member of any VLAN and no layer 2 protocol can be enabled on it Layer 3 Specificatio...

Page 42: ...nterface with the new one In the Loopback Interface context it does not support the keyword default gateway PHY Diagnostics The following exceptions exist Copper Ports PHY diagnostics are only supported on copper ports 10G ports TDR test is supported when the operational port speed is 10G Cable length resolution is 20 meters CLI Output Modifiers To all show and more commands except show technical ...

Page 43: ...gle character in the command output or multiple characters that match the same multiple characters in the command output The pattern in the command output is referred to as a string This section describes creating both single character patterns and multiple character patterns It also discusses creating more complex regular expressions using multipliers alternation anchoring and parentheses Single ...

Page 44: ...square brackets For example aeiou matches any one of the five vowels of the lowercase alphabet while abcdABCD matches any one of the first four letters of the lower or uppercase alphabet You can simplify ranges by entering only the endpoints of the range separated by a dash Simplify the previous range as follows a dA D To add a dash as a single character pattern in your range include another dash ...

Page 45: ...period character by inserting a backslash before it For example when the expression a is used in the command syntax only the string a will be matched You can create a multiple character regular expression containing all letters all digits all keyboard characters or a combination of letters digits and other keyboard characters For example telebit 3107 v32bis is a valid regular expression Multiplier...

Page 46: ...ric pairs but not none that is an empty string is not a match A Za z 0 9 The order for matches using multipliers or is to put the longest construct first Nested constructs are matched from outside to inside Concatenated constructs are matched beginning at the left side of the construct Thus the regular expression above matches A9b3 but not 9Ab3 because the letters are specified before the numbers ...

Page 47: ...example the regular expression con matches any string that starts with con and sole matches any string that ends with sole In addition to indicating the beginning of a string the symbol can be used to indicate the logical function not when used in a bracketed range For example the expression abcd indicates a range that matches any single letter as long as it is not the letters a b c or d Table 2 S...

Page 48: ...deny IP commands The service acl input command is used to attach this ACL to an interface Use the no form of this command to remove the access list Syntax ip access list extended acl name no ip access list extended acl name Parameters acl name Name of the IPv4 access list Range 1 32 characters Default Configuration No IPv4 access list is defined Command Mode Global Configuration mode User Guidelin...

Page 49: ...ource wildcard any destination destination wildcard igmp type ace priority priority dscp number precedence number time range time range name log input permit tcp any source source wildcard any source port port range any destination destination wildcard any destination port port range ace priority priority dscp number precedence number match all list of flags time range time range name log input pe...

Page 50: ...pv6 icmp eigrp ospf ipinip pim l2tp isis To match any protocol use the ip keyword Range 0 255 source Source IP address of the packet source wildcard Wildcard bits to be applied to the source IP address Use ones in the bit position that you want to be ignored destination Destination IP address of the packet destination wildcard Wildcard bits to be applied to the destination IP address Use ones in t...

Page 51: ...23 time 37 uucp 117 whois 43 www 80 For UDP enter a number or one of the following values biff 512 bootpc 68 bootps 67 discard 9 dnsix 90 domain 53 echo 7 mobile ip 434 nameserver 42 netbios dgm 138 netbios ns 137 on500 isakmp 4500 ntp 123 rip 520 snmp 161 snmptrap 162 sunrpc 111 syslog 514 tacacs ds 49 talk 517 tftp 69 time 37 who 513 xdmcp 177 Range 0 65535 source port Specifies the UDP TCP sour...

Page 52: ...the current ACL 20 The ACE priority must be unique per ACL If the user types already existed priority then the command is rejected Example switchxxxxxx config ip access list extended server switchxxxxxx config ip al permit ip 176 212 0 0 00 255 255 any 2 3 deny IP Use the deny IP Access list Configuration mode command to set deny conditions for IPv4 access list Deny conditions are also known as ac...

Page 53: ... icmp type any icmp code dscp number precedence number time range time range name disable port log input no deny igmp any source source wildcard any destination destination wildcard igmp type dscp number precedence number time range time range name disable port log input no deny tcp any source source wildcard any source port port range any destination destination wildcard any destination port port...

Page 54: ...age code for filtering ICMP packets Range 0 255 igmp type IGMP packets can be filtered by IGMP message type Enter a number or one of the following values host query host report dvmrp pim cisco trace host report v2 host leave v2 host report v3 Range 0 255 destination port Specifies the UDP TCP destination port You can enter range of ports by using hyphen E g 20 21 For TCP enter a number or one of t...

Page 55: ...s will be logged Default Configuration No IPv4 access list is defined Command Mode IP Access list Configuration mode User Guidelines The number of TCP UDP ranges that can be defined in ACLs is limited If a range of ports is used for a source port in ACE it is not counted again if it is also used for source port in another ACE If a range of ports is used for destination port in ACE it is not counte...

Page 56: ...No IPv6 access list is defined Command Mode Global Configuration mode User Guidelines IPv6 ACL is defined by a unique name IPv4 ACL IPv6 ACL MAC ACL or policy maps cannot have the same name Every IPv6 ACL has an implicit permit icmp any any nd ns any permit icmp any any nd na any and deny ipv6 any any statements as its last match conditions The former two match conditions allow for ICMPv6 neighbor...

Page 57: ... priority dscp number precedence number match all list of flags time range time range name log input permit udp any source prefix length any source port port range any destination prefix length any destination port port range ace priority priority dscp number precedence number time range time range name log input no permit protocol any source prefix length any destination prefix length dscp number...

Page 58: ...P precedence value icmp type Specifies an ICMP message type for filtering ICMP packets Enter a number or one of the following values destination unreachable 1 packet too big 2 time exceeded 3 parameter problem 4 echo request 128 echo reply 129 mld query 130 mld report 131 mldv2 report 143 mld done 132 router solicitation 133 router advertisement 134 nd ns 135 nd na 136 Range 0 255 icmp code Specif...

Page 59: ...rd the software might not be able to match the hardware processing rate and not all packets will be logged Default Configuration No IPv6 access list is defined Command Mode Ipv6 Access list Configuration mode User Guidelines If a range of ports is used for the destination port in an ACE it is not counted again if it is also used for destination port in another ACE The number of TCP UDP ranges that...

Page 60: ...er time range time range name disable port log input deny tcp any source prefix length any source port port range any destination prefix length any destination port port range ace priority priority dscp number precedence number match all list of flags time range time range name disable port log input deny udp any source prefix length any source port port range any destination prefix length any des...

Page 61: ...fied in hexadecimal using 16 bit values between colons priority Specify the priority of the access control entry ACE in the access control list ACL 1 value represents the highest priority and 2147483647 number represents the lowest priority Range 1 2147483647 dscp number Specifies the DSCP value Range 0 63 precedence number Specifies the IP precedence value icmp type Specifies an ICMP message type...

Page 62: ...k time range name Name of the time range that applies to this permit statement Range 1 32 disable port The Ethernet interface is disabled if the condition is matched log input Specifies sending an informational syslog message about the packet that matches the entry Because forwarding dropping is done in hardware and logging is done in software if a large number of packets match an ACE containing a...

Page 63: ...list ACL based on source MAC address filtering and to place the device in MAC Access list Configuration mode All commands after this command refer to this ACL The rules ACEs for this ACL are defined in the permit MAC and deny MAC commands The service acl input command is used to attach this ACL to an interface Use the no form of this command to remove the access list Syntax mac access list extende...

Page 64: ...priority eth type 0 aarp amber dec spanning decnet iv diagnostic dsm etype 6000 vlan vlan id cos cos cos wildcard time range time range name log input no permit any source source wildcard any destination destination wildcard eth type 0 aarp amber dec spanning decnet iv diagnostic dsm etype 6000 vlan vlan id cos cos cos wildcard time range time range name log input Parameters source Source MAC addr...

Page 65: ... if a large number of packets match an ACE containing a log input keyword the software might not be able to match the hardware processing rate and not all packets will be logged User Guidelines A MAC ACL is defined by a unique name IPv4 ACL IPv6 ACL MAC ACL or policy maps cannot have the same name If ace priority is omitted the system sets the rule s priority to the current highest priority ACE in...

Page 66: ...Wildcard bits to be applied to the source MAC address Use ones in the bit position that you want to be ignored destination Destination MAC address of the packet destination wildcard Wildcard bits to be applied to the destination MAC address Use 1s in the bit position that you want to be ignored priority Specify the priority of the access control entry ACE in the access control list ACL 1 value rep...

Page 67: ... the system sets the rule s priority to the current highest priority ACE in the current ACL 20 The ACE priority must be unique per ACL If the user types already existed priority then the command is rejected Example switchxxxxxx config mac access list extended server1 switchxxxxxx config mac al deny 00 00 00 00 00 01 00 00 00 00 00 ff any 2 10 service acl input Use the service acl input command in ...

Page 68: ...ACL bound to it Two ACLs of the same type cannot be bound to a port An ACL cannot be bound to a port that is already bound to an ACL without first removing the current ACL Both ACLs must be mentioned at the same time in this command MAC ACLs that include a VLAN as match criteria cannot be bound to a VLAN ACLs with time based configuration on one of its ACEs cannot be bound to a VLAN ACLs with the ...

Page 69: ...access control Syntax service acl output acl name1 acl name2 no service acl output Parameters acl name Specifies an ACL to apply to the interface See the usage guidelines Range acl name is from 0 32 characters Use for empty string Default No ACL is assigned Command Mode Interface Configuration mode Ethernet Port Channel User Guidelines The rule actions log input is not supported Trying to use it w...

Page 70: ...xxxxx config interface gi11 switchxxxxxx config if service acl output server 2 12 time range Use the time range Global Configuration mode command to define time ranges for different functions In addition this command enters the Time range Configuration mode All commands after this one refer to the time range being defined This command sets a time range name Use the absolute and periodic commands t...

Page 71: ...me is reached and are not evaluated again after the absolute end time is reached All time specifications are interpreted as local time To ensure that the time range entries take effect at the desired times the software clock should be set by the user or by SNTP If the software clock is not set by the user or by SNTP the time range ACEs are not activated The user cannot delete a time range that is ...

Page 72: ... If no start time and date are specified the function is in effect immediately end Absolute time and date that the permit or deny statement of the associated function is no longer in effect If no end time and date are specified the function is in effect indefinitely hh mm Time in hours military format and minutes Range 0 23 mm 0 5 day Day by date in the month Range 1 31 month Month first three let...

Page 73: ...t hh mm to hh mm all no periodic list hh mm to hh mm all Parameters day of the week The starting day that the associated time range is in effect The second occurrence is the ending day the associated statement is in effect The second occurrence can be the following week see description in the User Guidelines Possible values are mon tue wed thu fri sat and sun hh mm The first occurrence of this arg...

Page 74: ...an be on the following day e g 22 00 2 00 Example switchxxxxxx config time range http allowed switchxxxxxx config time range periodic mon 12 00 to wed 12 00 2 15 show time range Use the show time range User EXEC mode command to display the time range configuration Syntax show time range time range name Parameters time range name Specifies the name of an existing time range Command Mode User EXEC m...

Page 75: ...is currently active including those that are not associated with time range Command Mode Privileged EXEC mode Example switchxxxxxx show access lists Standard IP access list 1 Extended IP access list ACL2 permit 234 172 30 19 1 0 0 0 255 any priority 20 time range weekdays permit 234 172 30 23 8 0 0 0 255 any priority 40 time range weekdays switchxxxxxx show access lists time range active Extended ...

Page 76: ...d to display access lists ACLs applied on interfaces Syntax show interfaces access lists interface id Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port port channel or VLAN Command Mode Privileged EXEC mode Example Interface ACLs gi12 Ingress server1 Egress ip 2 18 clear access lists counters Use the clear access lists counters Privi...

Page 77: ... trapped packets Use the show interfaces access lists trapped packets Privileged EXEC mode command to display Access List ACLs trapped packets Syntax show interfaces access lists trapped packets interface id port channel number VLAN Parameters interface id Specifies an interface ID the interface ID is an Ethernet port port channel port channel Specifies a port channel VLAN Specifies a VLAN Command...

Page 78: ...bal Configuration mode command to define an IP standard list The no format of the command removes the list Syntax ip access list access list name deny permit src addr src len any no ip access list access list name Parameters access list name The name of the Standard IP access list The name may contain maximum 32 characters deny permit Denies permits access if the conditions are matched src addr sr...

Page 79: ...e remainder of the list is not evaluated Use the no ip access list command to delete the access list In addition to filtering IP traffic on a per port base a basic IP access control list can be used by RIP Routing Information Protocol to filter route updates Examples Example 1 The following example of a standard access list allows only the three specified networks Any IP address that does not matc...

Page 80: ...ccess list access list name Parameters access list name The name of the Standard IPv6 access list The name may contain maximum 32 characters deny Denies access if the conditions are matched permit Permits access if the conditions are matched src addr src len any IPv6 prefix defined as an IPv6 address and length or any The any value matches to all IPv6 addresses If the src len is not defined a valu...

Page 81: ... address match is found the permit or deny statement is applied to that address and the remainder of the list is not evaluated Use the no ipv6 access list command to delete the access list The IPv6 standard access list is used to filter received and sent IPv6 routing information Example The following example of an access list allows only the one specified prefix Any IPv6 address that does not matc...

Page 82: ...his command Syntax aaa authentication dot1x default radius none radius none no aaa authentication dot1x default Parameters radius Uses the list of all RADIUS servers for authentication none Uses no authentication Default Configuration RADIUS server Command Mode Global Configuration mode User Guidelines You can select either authentication by a RADIUS server no authentication none or both methods I...

Page 83: ...Configuration mode To disable open access on this port use the no form of this command Syntax authentication open no authentication open Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Interface Ethernet Configuration mode User Guidelines Open Access or Monitoring mode allows clients or devices to gain network access before authentication is perform...

Page 84: ...Ethernet port ID Default Configuration Statistics on all ports are cleared Command Mode Privileged EXEC mode User Guidelines This command clears all the counters displayed in the show dot1x and show dot1x statistics command Example switchxxxxxx clear dot1x statistics 3 4 data To specify web based page customizing the data command is used in Web Based Page Customization Configuration mode Syntax da...

Page 85: ... A user can only customize the web based authentication pages by using the WEB interface Examples Example 1 The following example shows a partial web based page customization configuration switchxxxxxx config dot1x page customization switchxxxxxx config web page data 1feabcde switchxxxxxx config web page data 17645874 switchxxxxxx config web page exit Example 2 The following example shows how Web ...

Page 86: ... disable access to a VLAN use the no form of this command Syntax dot1x auth not req no dot1x auth not req Parameters N A Default Configuration Access is enabled Command Mode Interface VLAN Configuration mode User Guidelines The guest VLAN cannot be configured as unauthorized VLAN Example The following example enables unauthorized devices access to VLAN 5 switchxxxxxx config interface vlan 5 switch...

Page 87: ...d on the station s MAC address MAC Based authentication web Enables WEB Based authentication Default Configuration 802 1X Based authentication is enabled Command Mode Interface Ethernet Configuration mode User Guidelines Static MAC addresses cannot be authorized by the MAC based method It is not recommended to change a dynamic MAC address to a static one or delete it if the MAC address was authori...

Page 88: ... command in Interface VLAN Configuration mode To restore the default configuration use the no form of this command Syntax dot1x guest vlan no dot1x guest vlan Parameters N A Default Configuration No VLAN is defined as a guest VLAN Command Mode Interface VLAN Configuration mode User Guidelines Use the dot1x guest vlan enable command to enable unauthorized users on an interface to access the guest V...

Page 89: ...ion mode To disable access use the no form of this command Syntax dot1x guest vlan enable no dot1x guest vlan enable Parameters N A Default Configuration The default configuration is disabled Command Mode Interface Ethernet Configuration mode User Guidelines The port cannot belong to the guest VLAN The guest VLAN and the WEB Based authentication cannot be configured on a port at the same time This...

Page 90: ...n Example The following example enables unauthorized users on gi11 to access the guest VLAN switchxxxxxx config interface gi11 switchxxxxxx config if dot1x guest vlan enable 3 9 dot1x guest vlan timeout To set the time delay between enabling 802 1X or port up and adding a port to the guest VLAN use the dot1x guest vlan timeout command in Global Configuration mode To restore the default configurati...

Page 91: ...ds switchxxxxxx config dot1x guest vlan timeout 60 3 10 dot1x host mode To allow a single host client or multiple hosts on an IEEE 802 1X authorized port use the dot1x host mode command in Interface Configuration mode To restore the default configuration use the no form of this command Syntax dot1x host mode multi host single host multi sessions Parameters multi host Enable multiple hosts mode sin...

Page 92: ...ed to unauthorized Multi Host Mode The multi host mode manages the authentication status of the port the port is authorized after at least one host is authorized When a port is unauthorized and the guest VLAN is enabled untagged traffic is remapped to the guest VLAN Tagged traffic is dropped unless the VLAN tag is the guest VLAN or the unauthenticated VLANs If guest VLAN is not enabled on the port...

Page 93: ...h Policy Based VLANs configured by the following commands switchport general map protocol group vlans switchport general map macs group vlans Tagged traffic belonging to the unauthenticated VLANs is always bridged regardless if a host is authorized or not When the guest VLAN is enabled untagged and tagged traffic from unauthorized hosts not belonging to the unauthenticated VLANs is bridged via the...

Page 94: ...imum number of authorized hosts allowed on the interface May be any 32 bits positive number Default Configuration No limitation Command Mode Interface Ethernet Configuration mode User Guidelines By default the number of authorized hosts allowed on an interface is not limited To limit the number of authorized hosts allowed on an interface use the dot1x max hosts command This command is relevant onl...

Page 95: ...inite numbers of attempts The valid range is 3 10 Default Configuration Unlimited Command Mode Interface Ethernet Configuration mode User Guidelines By default the switch does not limit the number of failed login attempts To specify the number of allowed fail login attempts use this command After this number of failed login attempts the switch does not allow the host to be authenticated for a peri...

Page 96: ... max req Parameters count Specifies the maximum number of times that the device sends an EAP request identity frame before restarting the authentication process Range 1 10 Default Configuration The default maximum number of attempts is 2 Command Mode Interface Ethernet Configuration mode User Guidelines The default value of this command should be changed only to adjust to unusual circumstances suc...

Page 97: ...ommand Mode Global Configuration mode User Guidelines The command should not be entered or edited manually unless when using copy paste It is a part of the configuration file produced by the switch A user must customize the web based authentication pages by using the browser Interface Example The following example shows part of a web based page customization configuration switchxxxxxx config dot1x...

Page 98: ...ate without any authentication exchange required The port sends and receives traffic without 802 1X based client authentication force unauthorized Denies all access through this port by forcing it to transition to the unauthorized state and ignoring all attempts by the client to authenticate The device cannot provide authentication services to the client through this port time range time range nam...

Page 99: ...d in Interface Configuration mode To disable RADIUS based VLAN assignment use the no form of this command Syntax dot1x radius attributes vlan reject static no dot1x radius attributes vlan Parameters reject If the RADIUS server authorized the supplicant but did not provide a supplicant VLAN the supplicant is rejected If the parameter is omitted this option is applied by default static If the RADIUS...

Page 100: ...o the VLAN using TCAM If the last authorized host assigned to a VLAN received from RADIUS connected to a port in the multi sessions mode changes its status to unauthorized the port is removed from the VLAN if it is not in the static configuration See the User Guidelines of the dot1x host mode command for more information If 802 1X is disabled the port static configuration is reset If the reject ke...

Page 101: ... server authorized the supplicant but did not provide a supplicant VLAN the supplicant is accepted and the static VLAN configurations is used switchxxxxxx config interface gi11 switchxxxxxx config if dot1x radius attributes static switchxxxxxx config if exit 3 17 dot1x re authenticate To initiate manually re authentication of all 802 1X enabled ports or the specified 802 1X enabled port use the do...

Page 102: ...nfiguration mode To restore the default configuration use the no form of this command Syntax dot1x reauthentication no dot1x reauthentication Parameters N A Default Configuration Periodic re authentication is disabled Command Mode Interface Ethernet Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if dot1x reauthentication 3 19 dot1x system auth control To enable 8...

Page 103: ...l 3 20 dot1x timeout quiet period To set the time interval that the device remains in a quiet state following a failed authentication exchange use the dot1x timeout quiet period command in Interface Configuration mode To restore the default configuration use the no form of this command Syntax dot1x timeout quiet period seconds no dot1x timeout quiet period Parameters seconds Specifies the time int...

Page 104: ...ntication the number of failed logins is 1 For WEB based authentication the quite period is applied after a number of failed attempts This number is configured by the dot1x max login attempts command For 802 1x based and MAC based authentication methods the quite period is applied after each failed attempt Example The following example sets the time interval that the device remains in the quiet st...

Page 105: ...x config interface gi11 switchxxxxxx config if dot1x timeout reauth period 5000 3 22 dot1x timeout server timeout To set the time interval during which the device waits for a response from the authentication server use the dot1x timeout server timeout command in Interface Configuration mode To restore the default configuration use the no form of this command Syntax dot1x timeout server timeout sec...

Page 106: ...ting the lower of the two values Example The following example sets the time interval between retransmission of packets to the authentication server to 3600 seconds switchxxxxxx config interface gi11 switchxxxxxx config if dot1x timeout server timeout 3600 3 23 dot1x timeout silence period To set the authentication silence time use the dot1x timeout silence period command in Interface Configuratio...

Page 107: ...conds switchxxxxxx config interface gi11 switchxxxxxx config if dot1x timeout silence period 100 3 24 dot1x timeout supp timeout To set the time interval during which the device waits for a response to an Extensible Authentication Protocol EAP request frame from the client before resending the request use the dot1x timeout supp timeout command in Interface Configuration mode To restore the default...

Page 108: ... 3600 seconds switchxxxxxx config interface gi11 switchxxxxxx config if dot1x timeout supp timeout 3600 3 25 dot1x timeout tx period To set the time interval during which the device waits for a response to an Extensible Authentication Protocol EAP request identity frame from the client before resending the request use the dot1x timeout tx period command in Interface Configuration mode To restore t...

Page 109: ... for a response to an EAP request identity frame to 60 seconds switchxxxxxx config interface gi11 switchxxxxxx config if dot1x timeout tx period 60 3 26 dot1x traps authentication failure To enable sending traps when an 802 1X authentication method failed use the dot1x traps authentication failure command in Global Configuration mode To restore the default configuration use the no form of this com...

Page 110: ...fails to be authorized by the 802 1X mac authentication access control switchxxxxxx config dot1x traps authentication failure 802 1x 3 27 dot1x traps authentication quiet To enable sending traps when a host state is set to the quiet state after failing the maximum sequential attempts of login use the dot1x traps authentication quiet command in Global Configuration mode To disable the traps use the...

Page 111: ... switchxxxxxx config dot1x traps authentication quiet 3 28 dot1x traps authentication success To enable sending traps when a host is successfully authorized by an 802 1X authentication method use the dot1x traps authentication success command in Global Configuration mode To disable the traps use the no form of this command Syntax dot1x traps authentication success 802 1x mac web no dot1x traps aut...

Page 112: ... dot1x traps authentication success mac 3 29 dot1x unlock client To unlock a locked in the quiet period client use the dot1x unlock client command in Privileged EXEC mode Syntax dot1x unlock client interface id mac address Parameters interface id Interface ID where the client is connected to mac address Client MAC address Default Configuration The client is locked until the silence interval is ove...

Page 113: ... Parameters restrict Generates a trap when a station whose MAC address is not the supplicant MAC address attempts to access the interface The minimum time between the traps is 1 second Those frames are forwarded but their source addresses are not learned protect Discard frames with source addresses that are not the supplicant address shutdown Discard frames with source addresses that are not the s...

Page 114: ...switchxxxxxx config if dot1x violation mode protect 3 31 show dot1x To display the 802 1X interfaces or specified interface status use the show dot1x command in Privileged EXEC mode Syntax show dot1x interface interface id detailed Parameters interface id Specifies an Ethernet port detailed Displays information for non present ports in addition to present ports Default Configuration Display for al...

Page 115: ... are enabled for 802 1x gi11 Host mode multi sessions Authentication methods 802 1x mac Port Adminstrated status auto Guest VLAN enabled VLAN Radius Attribute enabled static Open access disabled Time range name work_hours Active now Server timeout 30 sec Maximum Hosts unlimited Maximum Login Attempts 3 Reauthentication is enabled Reauthentication period 3600 sec Silence period 1800 sec Quiet Perio...

Page 116: ...rver timeout 30 sec Aplied Authenticating Server Radius Applied Authentication method 802 1x Session Time HH MM SS 00 25 22 MAC Address 00 08 78 32 98 66 Username Bob Violation Mode restrict Trap enabled Trap Min Interval 20 sec Violations were detected 9 Reauthentication is enabled Reauthentication period 3600 sec Silence period 1800 sec Quiet Period 60 sec Interfaces 802 1X Based Parameters Tx p...

Page 117: ...erver Radius Applied Authentication method 802 1x Session Time HH MM SS 00 25 22 MAC Address 00 08 78 32 98 66 Username Bob Violation Mode restrict Trap enabled Trap Min Interval 20 sec Violations were detected 0 Reauthentication is enabled Reauthentication period 3600 sec Silence period 1800 sec Quiet Period 60 sec Interfaces 802 1X Based Parameters Tx period 30 sec Supplicant timeout 30 sec max ...

Page 118: ...C Address 00 08 78 32 98 66 Username Bob Violation Mode restrict Trap enabled Trap Min Interval 20 sec Violations were detected 0 Reauthentication is enabled Reauthentication period 3600 sec Silence period 1800 sec Quiet Period 60 sec Interfaces 802 1X Based Parameters Tx period 30 sec Supplicant timeout 30 sec max req 2 Authentication success 0 Authentication fails 0 Supplicant Configuration retr...

Page 119: ...name of the current user If the port is Unauthorized it displays the last user authorized successfully Quiet period Number of seconds that the device remains in the quiet state following a failed authentication exchange for example the client provided an invalid password Silence period Number of seconds that If an authorized client does not send traffic during the silence period specified by the c...

Page 120: ...ocked clients To display all clients who are locked and in the quiet period use the show dot1x locked clients command in Privileged EXEC mode Syntax show dot1x locked clients Parameters N A Command Mode Privileged EXEC mode User Guidelines Use the show dot1x locked clients command to display all locked in the quiet period clients Examples The following example displays locked clients Example 1 swi...

Page 121: ...ters interface id Specifies an Ethernet port Default Configuration N A Command Mode Privileged EXEC mode Example The following example displays 802 1X statistics for gi11 switchxxxxxx show dot1x statistics interface gi11 EapolFramesRx 11 EapolFramesTx 12 EapolStartFramesRx 1 EapolLogoffFramesRx 1 EapolRespIdFramesRx 3 EapolRespFramesRx 6 EapolReqIdFramesTx 3 EapolReqFramesTx 6 InvalidEapolFramesRx...

Page 122: ...n received by this Authenticator EapolRespFramesRx Number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator EapolReqIdFramesTx Number of EAP Req Id frames that have been transmitted by this Authenticator EapolReqFramesTx Number of EAP Request frames other than Req Id frames that have been transmitted by this Authenticator InvalidEapolFramesRx Numb...

Page 123: ...ername Length 1 160 characters Default Configuration Display all users Command Mode Privileged EXEC mode Examples Example 1 The following commands displays all 802 1x users show dot1x users Example 2 The following example displays 802 1X user with supplicant username Bob switchxxxxxx show dot1x users username Bob Port gi11 gi12 gi12 Udsername Bob Allan John MAC Address 0008 3b71 1111 0008 3b79 878...

Page 124: ...1X Commands 123 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 3 Port gi11 Udsername Bob MAC Address 0008 3b71 1111 Auth Method 802 1x Auth Server Remote Session Time 09 01 00 VLAN 1020 ...

Page 125: ...ge multicast filtering Parameters This command has no arguments or keywords Default Configuration Multicast address filtering is disabled All Multicast addresses are flooded to all ports Command Mode Global Configuration mode User Guidelines When this feature is enabled unregistered Multicast traffic as opposed to registered will still be flooded All registered Multicast addresses will be forwarde...

Page 126: ...pecifies that Multicast bridging is based on the packet s VLAN and MAC address ipv4 group Specifies that Multicast bridging is based on the packet s VLAN and MAC address for non IPv4 packets and on the packet s VLAN and IPv4 destination address for IPv4 packets ipv4 src group Specifies that Multicast bridging is based on the packet s VLAN and MAC address for non IPv4 packets and on the packet s VL...

Page 127: ...s if they exist that belong to the requested group It is recommended to set the FDB mode to ipv4 group or mac group for IGMP version 2 If an application on the device requests G the operating FDB mode is changed to ipv4 group Example The following example configures the Multicast bridging mode as an mac group on VLAN 2 switchxxxxxx config interface vlan 2 switchxxxxxx config if bridge multicast mo...

Page 128: ...orts to the group remove Optional Removes ports from the group ethernet interface list Optional Specifies a list of Ethernet ports Separate nonconsecutive Ethernet ports with a comma and no spaces Use a hyphen to designate a range of ports port channel port channel list Optional Specifies a list of port channels Separate nonconsecutive port channels with a comma and no spaces use a hyphen to desig...

Page 129: ...address 01 00 5e 02 02 03 add gi11 2 4 4 bridge multicast forbidden address To forbid adding or removing a specific Multicast address to or from specific ports use the bridge multicast forbidden address IInterface VLAN Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast forbidden address mac multicast address ipv4 multicast addres...

Page 130: ...onfiguration mode User Guidelines Before defining forbidden ports the Multicast group should be registered using bridge multicast address You can execute the command before the VLAN is created Example The following example forbids MAC address 0100 5e02 0203 on port gi14 within VLAN 8 switchxxxxxx config interface vlan 8 switchxxxxxx config if bridge multicast address 0100 5e02 0203 switchxxxxxx co...

Page 131: ...yphen to designate a range of ports port channel port channel list Optional Specifies a list of port channels Separate nonconsecutive port channels with a comma and no spaces Use a hyphen to designate a range of port channels Default Configuration No Multicast addresses are defined Default option is add Command Mode Interface VLAN Configuration mode User Guidelines To register the group in the bri...

Page 132: ... of this command Syntax bridge multicast forbidden ip address ip multicast address add remove ethernet interface list port channel port channel list no bridge multicast forbidden ip address ip multicast address Parameters ip multicast address Specifies the group IP Multicast address add Optional Forbids adding ports to the group remove Optional Forbids removing ports from the group ethernet interf...

Page 133: ...bridge multicast source group To register a source IP address Multicast IP address pair to the bridge table and statically add or remove ports to or from the source group use the bridge multicast source group Interface VLAN Configuration mode command To unregister the source group pair use the no form of this command Syntax bridge multicast source ip address group ip multicast address add remove e...

Page 134: ...nes You can execute the command before the VLAN is created Example The following example registers a source IP address Multicast IP address pair to the bridge table switchxxxxxx config interface vlan 8 switchxxxxxx config if bridge multicast source 13 16 1 1 group 239 2 2 2 4 8 bridge multicast forbidden source group To forbid adding or removing a specific IP source address Multicast address pair ...

Page 135: ... channel list Optional Specifies a list of port channels Separate nonconsecutive port channels with a comma and no spaces use a hyphen to designate a range of port channels Default Configuration No forbidden addresses are defined Command Mode Interface VLAN Configuration mode User Guidelines Before defining forbidden ports the Multicast group should be registered You can execute the command before...

Page 136: ...multicast ipv6 mode Parameters mac group Specifies that Multicast bridging is based on the packet s VLAN and MAC destination address ip group Specifies that Multicast bridging is based on the packet s VLAN and IPv6 destination address for IPv6 packets ip src group Specifies that Multicast bridging is based on the packet s VLAN IPv6 destination address and IPv6 source address for IPv6 packets Defau...

Page 137: ... cannot be written to the FDB if the mode is ip src group In that case no new FDB entry is created but the port is added to the S G entries if they exist that belong to the requested group If an application on the device requests G the operating FDB mode is changed to ip group You can execute the command before the VLAN is created Example The following example configures the Multicast bridging mod...

Page 138: ...list port channel port channel list no bridge multicast ipv6 ip address ip multicast address Parameters ipv6 multicast address Specifies the group IPv6 multicast address add Optional Adds ports to the group remove Optional Removes ports from the group ethernet interface list Optional Specifies a list of Ethernet ports Separate nonconsecutive Ethernet ports with a comma and no spaces use a hyphen t...

Page 139: ... 2 The following example registers the IPv6 address and adds ports statically switchxxxxxx config interface vlan 8 switchxxxxxx config if bridge multicast ipv6 ip address FF00 0 0 0 4 4 4 1 add gi11 2 4 11 bridge multicast ipv6 forbidden ip address To forbid adding or removing a specific IPv6 Multicast address to or from specific ports use the bridge multicast ipv6 forbidden ip address Interface V...

Page 140: ...tion No forbidden addresses are defined The default option is add Command Mode Interface VLAN Configuration mode User Guidelines Before defining forbidden ports the Multicast group should be registered You can execute the command before the VLAN is created Example The following example registers an IPv6 Multicast address and forbids the IPv6 address on port gi14 within VLAN 8 switchxxxxxx config i...

Page 141: ... Optional Adds ports to the group for the specific source IPv6 address remove Optional Removes ports from the group for the specific source IPv6 address ethernet interface list Optional Specifies a list of Ethernet ports Separate nonconsecutive Ethernet ports with a comma and no spaces Use a hyphen to designate a range of ports port channel port channel list Optional Specifies a list of port chann...

Page 142: ...t interface list port channel port channel list no bridge multicast ipv6 forbidden source ipv6 address group ipv6 multicast address Parameters ipv6 source address Specifies the source IPv6 address ipv6 multicast address Specifies the group IPv6 Multicast address add Forbids adding ports to the group for the specific source IPv6 address remove Forbids removing ports from the group for the specific ...

Page 143: ... bridge multicast source 2001 0 0 0 4 4 4 group FF00 0 0 0 4 4 4 1 switchxxxxxx config if bridge multicast forbidden source 2001 0 0 0 4 4 4 1 group FF00 0 0 0 4 4 4 1 add gi14 4 14 bridge multicast unregistered To configure forwarding unregistered Multicast addresses use the bridge multicast unregistered Interface Ethernet Port Channel Configuration mode command To restore the default configurati...

Page 144: ... config interface gi11 switchxxxxxx config if bridge multicast unregistered filtering 4 15 bridge multicast forward all To enable forwarding all multicast packets for a range of ports or port channels use the bridge multicast forward all Interface VLAN Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast forward all add remove ethe...

Page 145: ...ig if bridge multicast forward all add gi14 4 16 bridge multicast forbidden forward all To forbid a port to dynamically join Multicast groups use the bridge multicast forbidden forward all Interface VLAN Configuration mode command To restore the default configuration use the no form of this command Syntax bridge multicast forbidden forward all add remove ethernet interface list port channel port c...

Page 146: ...to dynamically join by IGMP for example a Multicast group The port can still be a Multicast router port Example The following example forbids forwarding of all Multicast packets to gi11 within VLAN 2 switchxxxxxx config interface vlan 2 switchxxxxxx config if bridge multicast forbidden forward all add ethernet gi11 4 17 bridge unicast unknown To enable egress filtering of Unicast packets where the...

Page 147: ...rops Unicast packets on gi11 when the destination is unknown switchxxxxxx config interface gi11 switchxxxxxx config if bridge unicast unknown filtering 4 18 show bridge unicast unknown To display the unknown Unicast filtering configuration use the show bridge unicast unknown Privileged EXEC mode command Syntax show bridge unicast unknown interface id Parameters interface id Optional Specify an int...

Page 148: ...ble static mac address vlan vlan id Parameters mac address MAC address Range Valid MAC address vlan id Specify the VLAN interface id Specify an interface ID The interface ID can be one of the following types Ethernet port or port channel Range valid ethernet port valid port channel permanent Optional The permanent static MAC address The keyword is applied by the default delete on reset Optional Th...

Page 149: ...l it is removed manually delete on reset MAC address is saved until the next reboot delete on timeout MAC address that may be removed by the aging timer The following types are supported static MAC address manually added by the command with the following keywords specifying its time of live permanent delete on reset delete on timeout A static MAC address may be added in any port mode secure A MAC ...

Page 150: ...e static 00 3f bd 45 5a b2 vlan 1 interface gi11 delete on reset Example 3 The following example adds a deleted on timeout static MAC address switchxxxxxx config mac address table static 00 3f bd 45 5a b2 vlan 1 interface gi11 delete on timeout Example 4 The following example adds a secure MAC address switchxxxxxx config mac address table static 00 3f bd 45 5a b2 vlan 1 interface gi11 secure 4 20 ...

Page 151: ...orts on which port security is defined Default Configuration For dynamic addresses if interface id is not supplied all dynamic entries are deleted Command Mode Privileged EXEC mode Examples Example 1 Delete all dynamic entries from the FDB switchxxxxxx clear mac address table dynamic Example 2 Delete all secure entries from the FDB learned on secure port gi11 switchxxxxxx clear mac address table s...

Page 152: ...ort security learning mode on an interface use the no form of this command Syntax port security forward discard discard shutdown trap seconds no port security Parameters forward Optional Forwards packets with unlearned source addresses but does not learn the address discard Optional Discards packets with unlearned source addresses discard shutdown Optional Discards packets with unlearned source ad...

Page 153: ...namic addresses learned on the port are deleted When the no port security command cancels a secure mode on a port all secure addresses defined on the port are changed to dynamic addresses Additionally to set a mode use the port security command to set an action that the switch should perform on a frame which source MAC address cannot be learned Example The following example forwards all packets to...

Page 154: ...th the permanent time of live The static and secure MAC addresses may be added on the port manually by the mac address table static command secure delete on reset Secure mode with limited learning secure MAC addresses with the delete on reset time of live The static and secure MAC addresses may be added on the port manually by the mac address table static command Default Configuration The default ...

Page 155: ...f exit 4 24 port security max To configure the maximum number of addresses that can be learned on the port while the port is in port max addresses or secure mode use the port security max Interface Ethernet Port Channel Configuration mode command To restore the default configuration use the no form of this command Syntax port security max max addr no port security max Parameters max addr Specifies...

Page 156: ...xxx config if exit 4 25 show mac address table To display entries in the MAC address table use the show mac address table Privileged EXEC mode command Syntax show mac address table dynamic static secure vlan vlan interface interface id address mac address Parameters dynamic Optional Displays only dynamic MAC address table entries static Optional Displays only static MAC address table entries secur...

Page 157: ...rt number and not by a VLAN ID Examples Example 1 Displays entire address table switchxxxxxx show mac address table Aging time is 300 sec Example 2 Displays address table entries containing the specified MAC address switchxxxxxx show mac address table address 00 3f bd 45 5a b1 Aging time is 300 sec VLAN MAC Address Port Type 1 00 3f bd 45 5a b1 static gi14 VLAN MAC Address Port Type 1 00 00 26 08 ...

Page 158: ...meters vlan vlan Optional Specifies VLAN interface id interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel Command Mode Privileged EXEC mode Example switchxxxxxx show mac address table count This may take some time Capacity 16384 Free 16379 Used 5 Secure 0 Dynamic 2 Static 2 Internal 1 console 4 27 show bridge multicast mo...

Page 159: ...ticast MAC addresses or IP Multicast address table information use the show bridge multicast address table Privileged EXEC mode command Syntax show bridge multicast address table vlan vlan id show bridge multicast address table vlan vlan id address mac multicast address format ip mac show bridge multicast address table vlan vlan id address ipv4 multicast address source ipv4 source address VLAN IPv...

Page 160: ...rmat Optional Applies if mac multicast address was selected In this case either MAC or IP format can be displayed Display entries for specified Multicast address format The possible values are ip Specifies that the Multicast address is an IP address mac Specifies that the Multicast address is a MAC address source Optional Specifies the source address The possible values are ipv4 address Optional S...

Page 161: ...mode can move static Multicast addresses that are written in the device FDB to a shadow configuration because of FDB hash collisions Example The following example displays bridge Multicast address information switchxxxxxx show bridge multicast address table Multicast address table for VLANs in MAC GROUP bridging mode Vlan MAC Address Type Ports 8 01 00 5e 02 02 03 Static 1 2 Forbidden ports for Mu...

Page 162: ...1 1 1 11 gi14 Multicast address table for VLANs in IPv6 GROUP bridging mode VLAN IP MAC Address Type Ports 8 ff02 4 4 4 Static gi11 2 gi13 Po1 Forbidden ports for Multicast addresses VLAN IP MAC Address Ports 8 ff02 4 4 4 gi14 Multicast address table for VLANs in IPv6 SRC GROUP bridging mode Vlan Group Address Source address Type Ports 8 ff02 4 4 4 Static gi11 2 gi13 Po1 8 ff02 4 4 4 fe80 200 7ff ...

Page 163: ...show bridge multicast address table static vlan vlan id address ipv6 multicast address source ipv6 source address Parameters vlan vlan id Optional Specifies the VLAN ID address Optional Specifies the Multicast address The possible values are mac multicast address Optional Specifies the MAC Multicast address ipv4 multicast address Optional Specifies the IPv4 Multicast address ipv6 multicast address...

Page 164: ...xxxx show bridge multicast address table static MAC GROUP table Vlan 1 MAC Address 0100 9923 8787 Ports gi11 gi12 Forbidden ports for multicast addresses Vlan MAC Address Ports IPv4 GROUP Table Vlan 1 19 IP Address 231 2 2 3 231 2 2 8 Ports gi11 gi12 gi12 3 Forbidden ports for multicast addresses Vlan 1 19 IP Address 231 2 2 3 231 2 2 8 Ports gi14 gi13 IPv4 SRC GROUP Table Vlan Group Address Sourc...

Page 165: ...e multicast filtering vlan id Parameters vlan id Specifies the VLAN ID Range Valid VLAN Default Configuration None Vlan 191 IP Address FF12 8 Ports gi11 4 Forbidden ports for multicast addresses Vlan 11 191 IP Address FF12 3 FF12 8 Ports gi14 gi14 IPv6 SRC GROUP Table Vlan 192 Group Address FF12 8 Source address FE80 201 C9A9 FE40 8988 Ports gi11 4 Forbidden ports for multicast addresses Vlan 192 ...

Page 166: ...use the show bridge multicast unregistered Privileged EXEC mode command Syntax show bridge multicast unregistered interface id Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration Display for all interfaces Command Mode Privileged EXEC mode switchxxxxxx show bridge multicast filtering 1 Fil...

Page 167: ...ce id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Default Configuration Display for all interfaces If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Example The following example displays the port ...

Page 168: ... Syntax show ports security addresses interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Field Description Port The port number Status The port security status The possible values are Enabled or Disa...

Page 169: ...erved address To define the action on Multicast reserved address packets use the bridge multicast reserved address Global Configuration mode command To revert to default use the no form of this command Syntax bridge multicast reserved address mac multicast address ethernet v2 ethtype llc sap llc snap pid discard bridge no bridge multicast reserved address mac multicast address ethernet v2 ethtype ...

Page 170: ... packets bridge Specifies bridging forwarding the packets Default Configuration If the user supplied MAC Multicast address ethertype and encapsulation LLC specifies a protocol supported on the device called Peer the default action discard or bridge is determined by the protocol If not the default action is as follows For MAC addresses in the range 01 80 C2 00 00 00 01 80 C2 00 00 02 01 80 C2 00 00...

Page 171: ...config bridge multicast reserved address 00 3f bd 45 5a b1 4 35 show bridge multicast reserved addresses To display the Multicast reserved address rules use the show bridge multicast reserved addresses Privileged EXEC mode command Syntax show bridge multicast reserved addresses Command Mode Privileged EXEC mode Example switchxxxxxx show bridge multicast reserved addresses MAC Address Frame Type Pr...

Page 172: ...fault method list when a user logs in this list is unnamed list name Specifies a name of a list of authentication methods activated when a user logs in Length 1 12 characters method1 method2 Specifies a list of methods that the authentication algorithm tries in the given sequence Each additional authentication method is used only if the previous method returns an error not if it fails To ensure th...

Page 173: ... created with this command are used with the login authentication command The no aaa authentication login list name command deletes a list name only if it has not been referenced by another command Example The following example sets the authentication login methods for the console switchxxxxxx config aaa authentication login authen list radius local none switchxxxxxx config line console switchxxxx...

Page 174: ...method returns an error not if it fails Specify none as the final method in the command line to ensure that the authentication succeeds even if all methods return an error Select one or more methods from the following list Default Configuration The enable password command defines the default authentication login method This is the same as entering the command aaa authentication enable default enab...

Page 175: ...hat is entered for login authentication The additional methods of authentication are used only if the previous method returns an error not if it fails Specify none as the final method in the command line to ensure that the authentication succeeds even if all methods return an error no aaa authentication enable list name deletes list name if it has not been referenced Example The following example ...

Page 176: ...e session switchxxxxxx config line console switchxxxxxx config line login authentication default Example Example 2 The following example sets the authentication login methods for the console as a list of methods switchxxxxxx config aaa authentication login authen list radius local none switchxxxxxx config line console switchxxxxxx config line login authentication authen list 5 4 enable authenticat...

Page 177: ...tion method as the default method when accessing a higher privilege level from a console switchxxxxxx config line console switchxxxxxx config line enable authentication default Example 2 The following example sets a list of authentication methods for accessing higher privilege levels switchxxxxxx config aaa authentication enable enable list radius none switchxxxxxx config line console switchxxxxxx...

Page 178: ...on succeeds even if all methods return an error Select one or more methods from the following list Default Configuration The local user database is the default authentication login method This is the same as entering the ip http authentication local command Command Mode Global Configuration mode User Guidelines The command is relevant for HTTP and HTTPS server users Example The following example s...

Page 179: ...n about the authentication methods Syntax show authentication methods Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example The following example displays the authentication configuration switchxxxxxx show authentication methods Login Authentication Method Lists Default Radius Local Line Console_Login Line None Enable Authentication Method Lists Default Radius Enable C...

Page 180: ...urn to the default password Syntax password password encrypted no password Parameters password Specifies the password for this line Length 0 159 characters encrypted Specifies that the password is encrypted and copied from another device configuration Default Configuration No password is defined Command Mode Line Configuration Mode Example The following example specifies the password secret on a c...

Page 181: ...ed password Password for this level Range 0 159 chars password encrypted encrypted password Specifies that the password is encrypted Use this keyword to enter a password that is already encrypted for instance that you copied from another the configuration file of another device Range 1 40 Default Configuration Default for level is 15 Passwords are encrypted by default Command Mode Global Configura...

Page 182: ...mand sets an unencrypted password for level 7 it will be encrypted in the configuration file switchxxxxxx config enable password level 7 let me in 5 9 service password recovery Use the service password recovery Global Configuration mode command to enable the password recovery mechanism This mechanism allows an end user with physical access to the console port of the device to enter the boot menu a...

Page 183: ...figuration files and user files are removed If a device is configured to protect its sensitive data with a user defined passphrase for Secure Sensitive Data then the user cannot trigger the password recovery from the boot menu even if password recovery is enabled If a device is configured to protect its sensitive data with a user defined passphrase for Secure Sensitive Data then the user cannot tr...

Page 184: ...ssword is required for this user to log in password Specifies the password for this username Range 1 64 unencrypted password The authentication password for the user Range 1 159 encrypted encrypted password Specifies that the password is MD5 encrypted Use this keyword to enter a password that is already encrypted for instance that you copied from another the configuration file of another device Ra...

Page 185: ...s already been encrypted It will be copied to the configuration file just as it is entered To use it the user must know its unencrypted form switchxxxxxx config username jerry privilege 15 encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4 5 11 show users accounts The show users accounts Privileged EXEC mode command displays information about the users local database Syntax show users accounts Pa...

Page 186: ...f this command to disable accounting Syntax aaa accounting login start stop group radius tacacs no aaa accounting login start stop Parameters group radius Uses a RADIUS server for accounting group tacacs Uses a TACACS server for accounting Default Configuration Disabled Command Mode Global Configuration mode switchxxxxxx show users accounts Username Bob Robert Smith Privilege 15 15 15 Password Exp...

Page 187: ...rver The following table describes the supported RADIUS accounting attributes values and in which messages they are sent by the switch Name Start Messag e Stop Message Description User Name 1 Yes Yes User s identity NAS IP Address 4 Yes Yes The switch IP address that is used for the session with the RADIUS server Class 25 Yes Yes Arbitrary value is included in all accounting packets for a specific...

Page 188: ...accounting dot1x Global Configuration mode command Use the no form of this command to disable accounting Syntax aaa accounting dot1x start stop group radius no aaa accounting dot1x start stop group radius Parameters N A Default Configuration Disabled Command Mode Global Configuration mode Name Description Start Message Stop Message task_id A unique accounting session identifier Yes Yes user userna...

Page 189: ... In multiple hosts mode dot1x multiple hosts the software sends start stop messages only for the supplicant that has been authenticated The software does not send start stop messages if the port is force authorized The software does not send start stop messages for hosts that are sending traffic on the guest VLAN or on the unauthenticated VLANs The following table describes the supported Radius ac...

Page 190: ...ng is enabled on the switch Syntax show accounting Parameters N A Default Configuration N A Command Mode User EXEC mode Example The following example displays information about the accounting status Acct Authentic 45 Yes Yes Indicates how the supplicant was authenticated Acct Session Time 46 No Yes Indicates how long the supplicant was logged in Acct Terminate Cause 49 No Yes Reports why the sessi...

Page 191: ...ity enable no passwords complexity enable Parameters N A Default Configuration Enabled Command Mode Global Configuration mode User Guidelines If password complexity is enabled the user is forced to enter a password that Has a minimum length of 8 characters Contains characters from at least 3 character classes uppercase letters lowercase letters numbers and special characters available on a standar...

Page 192: ...lines above switchxxxxxx config passwords complexity enable switchxxxxxx show passwords configuration Passwords aging is enabled with aging time 180 days Passwords complexity is enabled with the following attributes Minimal length 3 characters Minimal classes 3 New password must be different than the current Enabled Maximum consecutive same characters 3 New password must be different than the user...

Page 193: ...e maximum number of characters in the new password that can be repeated consecutively Zero specifies that there is no limit on repeated characters Range 0 16 not username Specifies that the password cannot repeat or reverse the user name or any variant reached by changing the case of the characters not manufacturer name Specifies that the password cannot repeat or reverse the manufacturer s name o...

Page 194: ...can use 0 to disable aging Range 0 365 Default Configuration 180 Command Mode Global Configuration mode User Guidelines Aging is relevant only to users of the local database with privilege level 15 and to enable a password of privilege level 15 To disable password aging use passwords aging 0 Using no passwords aging sets the aging time to the default Example The following example configures the ag...

Page 195: ... passwords configuration Passwords aging is enabled with aging time 180 days Passwords complexity is enabled with the following attributes Minimal length 3 characters Minimal classes 3 New password must be different than the current Enabled Maximum consecutive same characters 3 New password must be different than the user name Enabled New password must be different than the manufacturer name Enabl...

Page 196: ...Authentication Authorization and Accounting AAA Commands 195 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 5 ...

Page 197: ...y the TFTP protocol is used by auto configuration scp Only the SCP protocol is used by auto configuration auto Default Auto configuration uses the TFTP or SCP protocol depending on the configuration file s extension If this option is selected the extension parameter may be specified or if not the default extension is used extension The SCP file extension When no value is specified scp is used Rang...

Page 198: ...the SCP protocol will be used switchxxxxxx config boot host auto config scp 6 2 boot host auto update Use the boot host auto update Global Configuration mode command to enable the support of auto update via DHCP Use the no form of this command to disable DHCP auto configuration Syntax boot host auto update tftp scp auto extension no boot host auto update Parameters tftp Only the TFTP protocol is u...

Page 199: ...le Examples Example 1 The following example specifies the auto mode and specifies scon as the SCP extension switchxxxxxx config boot host auto update auto scon Example 2 The following example specifies the auto mode and does not provide an SCP extension In this case scp is used switchxxxxxx config boot host auto update auto Example 3 The following example specifies that only the SCP protocol will ...

Page 200: ...ed Download Protocol auto SCP protocol will be used for files with extension scp Configuration file auto save enabled Auto Config State Finished successfully Server IP address 1 2 20 2 Configuration filename config configfile1 cfg Auto Update Image Download via DHCP enabled switchxxxxxx show boot Auto Config Config Download via DHCP enabled Download Protocol scp Configuration file auto save enable...

Page 201: ...d Auto Config State Downloading configuration file Auto Update Image Download via DHCP enabled switchxxxxxx show boot Auto Config Config Download via DHCP enabled Download Protocol tftp Configuration file auto save enabled Auto Config State Searching device hostname in indirect file Auto Update Image Download via DHCP enabled switchxxxxxx show boot Auto Config Config Download via DHCP enabled Down...

Page 202: ...s server as the default address used by a switch when it has not been received from the DHCP server Use the no form of the command to return to default Syntax ip dhcp tftp server ip address ip addr no ip dhcp tftp server ip address Parameters ip addr IPv4 Address or IPv6 Address or DNS name of TFTP or SCP server Default Configuration No IP address Command Mode Global Configuration mode User Guidel...

Page 203: ...cp tftp server file Global Configuration mode command to set the full file name of the configuration file to be downloaded from the backup server when it has not been received from the DHCP server Use the no form of this command to remove the name Syntax ip dhcp tftp server file file path no ip dhcp tftp server file Parameters file path Full file path and name of the configuration file on the serv...

Page 204: ...mmand to remove the file name Syntax ip dhcp tftp server image file file path no ip dhcp tftp server image file Parameters file path Full indirect file path and name of the configuration file on the server Default Configuration No file name Command Mode Global Configuration mode User Guidelines The backup server can be a TFTP server or a SCP server Examples switchxxxxxx config ip dhcp tftp server ...

Page 205: ... Parameters N A Default Configuration N A Command Mode User EXEC mode User Guidelines The backup server can be a TFTP server or a SCP server Example show ip dhcp tftp server server address active 1 1 1 1 from sname manual 2 2 2 2 file path on server active conf conf file from option 67 manual conf conf file1 ...

Page 206: ... Syntax bonjour enable no bonjour enable Default Configuration Enable Command Mode Global Configuration mode Examples switchxxxxxx config bonjour enable 7 2 bonjour interface range To add L2 interfaces to the Bonjour L2 interface list use the bonjour interface range command in Global Configuration mode To remove L2 interfaces from this list use the no format of the command Syntax bonjour interface...

Page 207: ...terface list specifies a set of interfaces on which Bonjour is enabled Use the bonjour interface range interface list command to add the specified interfaces to the Bonjour L2 interface list Use the no bonjour interface range interface list command to remove the specified interfaces from the Bonjour L2 interface list Use the no bonjour interface range command to clear the Bonjour L2 interface list...

Page 208: ...e Privileged EXEC mode Examples The example displays Bonjour status switchxxxxxx show bonjour Bonjour global status enabled Bonjour L2 interfaces list vlans 1 Service Admin Status Oper Status csco sb enabled enabled http enabled enabled https enabled disabled ssh enabled disabled telnet enabled disabled ...

Page 209: ...e the no form of this command Syntax cdp advertise v2 no cdp advertise v2 Parameters N A Default Configuration Version 2 Command Mode Global Configuration mode Example switchxxxxxx config cdp run switchxxxxxx config cdp advertise v2 8 2 cdp appliance tlv enable To enable sending of the Appliance TLV use the cdp appliance tlv enable command in Global Configuration mode To disable the sending of the...

Page 210: ...with VLAN ID 0 and an 802 1p priority 1 4094 The CDP packets transmitting through this port contain Appliance VLAN ID TLV with N VoIP and related packets are expected to be sent and received with VLAN ID N and an 802 1p priority 4095 The CDP packets transmitting through this port contain Appliance VLAN ID TLV with value of 4095 VoIP and related packets are expected to be sent and received untagged...

Page 211: ...cifies that the Device ID TLV contains the device s MAC address serial number Specifies that Device ID TLV contains the device s hardware serial number hostname Specifies that Device ID TLV contains the device s hostname Default Configuration MAC address is selected by default Command Mode Global Configuration mode Example switchxxxxxx config cdp device id format serial number 8 4 cdp enable Tp en...

Page 212: ... switchxxxxxx config cdp run switchxxxxxx config if interface gi11 switchxxxxxx config if cdp enable 8 5 cdp holdtime To specify a value of the Time to Live field into sent CDP messages use the cdp holdtime command in Global Configuration mode To return to default use the no form of this command Syntax cdp holdtime seconds no cdp holdtime Parameters seconds Value of the Time to Live field in secon...

Page 213: ...iguration and generation the SYSLOG duplex mismatch messages if they do not match use the cdp log mismatch duplex command in Global Configuration mode and Interface Ethernet Configuration mode To disable the generation of the SYSLOG messages use the no form of the CLI command Syntax cdp log mismatch duplex no cdp log mismatch duplex Parameters N A Default Configuration The switch reports duplex mi...

Page 214: ...the generation of the SYSLOG messages use the no format of the CLI command Syntax cdp log mismatch native no cdp log mismatch native Parameters N A Default Configuration The switch reports native VLAN mismatches from all ports Command Mode Global Configuration mode Interface Ethernet Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if cdp log mismatch native 8 8 cd...

Page 215: ...es from all ports Command Mode Global Configuration mode Interface Ethernet Configuration mode Example switchxxxxxx config interface gi11 switchxxxxxx config if cdp log mismatch voip 8 9 cdp mandatory tlvs validation To validate that all mandatory according to the CDP protocol TLVs are present in received CDP frames use the cdp mandatory tlvs validation command in Global Configuration mode To disa...

Page 216: ...P is globally disabled use the cdp pdu command in Global Configuration mode To return to default use the no form of this command Syntax cdp pdu filtering bridging flooding no cdp pdu Parameters filtering Specify that when CDP is globally disabled CDP packets are filtered deleted bridging Specify that when CDP is globally disabled CDP packets are bridged as regular data packets forwarded based on V...

Page 217: ...xample switchxxxxxx config cdp run switchxxxxxx config cdp pdu flooding 8 11 cdp run To enable CDP globally use the cdp run command in Global Configuration mode To disable CDP globally use the no form of this command Syntax cdp run no cdp run Parameters N A Default Configuration Enabled Command Mode Global Configuration mode User Guidelines CDP is a link layer protocols for directly connected CDP ...

Page 218: ...rtise CDP information it must be globally enabled it is so by default and also enabled on interfaces also by default Example switchxxxxxx config cdp run 8 12 cdp source interface To specify the CDP source port used for source IP address selection use the cdp source interface command in Global Configuration mode To delete the source interface use the no form of this command Syntax cdp source interf...

Page 219: ...ode To return to default use the no form of this command Syntax cdp timer seconds no cdp timer Parameters seconds Value of the Transmission Timer in seconds Range 5 254 seconds Default Configuration 60 seconds Command Mode Global Configuration mode Example switchxxxxxx config cdp timer 100 8 14 clear cdp counters To reset the CDP traffic counters to 0 use the clear cdp counters command in Privileg...

Page 220: ...the clear cdp counters global to clear only the global counters Use the clear cdp counters interface id command to clear the counters of the given interface Example Example 1 The example clears all the CDP counters switchxxxxxx clear cdp couters Example 2 The example clears the CDP global counters switchxxxxxx clear cdp couters global Example 3 The example clears the CDP counters of Ethernet port ...

Page 221: ...terval between advertisements the number of seconds the advertisements are valid and version of the advertisements use the show cdp Privileged EXEC mode command in Privileged EXEC mode Syntax show cdp Parameters N A Command Mode Privileged EXEC mode Example switchxxxxxx show cdp Global CDP information cdp is globally enabled cdp log duplex mismatch is globally enabled cdp log voice VLAN mismatch i...

Page 222: ...ds Sending a holdtime value of 180 seconds 8 17 show cdp entry To display information about specific neighbors use the show cdp entry command in Privileged EXEC mode Syntax show cdp entry device name protocol version Parameters Specifies all neighbors device name Specifies the name of the neighbor protocol Limits the display to information about the protocols enabled on neighbors version Limits th...

Page 223: ...FTWARE Copyright c 1986 1997 by cisco Systems Inc Compiled Mon 07 Apr 97 19 51 by dschwart switchxxxxxx show cdp entry device cisco com protocol Protocol information for device cisco com IP address 192 168 68 18 CLNS address 490001 1111 1111 1111 00 DECnet address 10 1 switchxxxxxx show cdp entry device cisco com version Version information for device cisco com Cisco Internetwork Operating System ...

Page 224: ...abled CDP log voice VLAN mismatch Globally is enabled Per interface is enabled CDP log native VLAN mismatch Globally is disabled Per interface is enabled gi11 is Down CDP is enabled Sending CDP packets every 60 seconds Holdtime is 180 seconds 8 19 show cdp neighbors To display information about neighbors kept in the main or secondary cache use the show cdp neighbors command in Privileged EXEC mode...

Page 225: ...neighbors Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater P VoIP Phone M Remotely Managed Device C CAST Phone Port W Two Port MAC Relay Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater P VoIP Phone M Remotely Managed Device C CAST Phone Port W Two Port MAC Relay Device ID Local Adv Time To Capability P...

Page 226: ...OS tm x5660 Software D5660 I N Version 18 1 10 4 MAINTENANCE INTERIM SOFTWARE Copyright c 1986 1997 by company Systems Inc Compiled Mon 07 Apr 97 19 51 by xxdeeert Duplex half Device ID lab as5300 1 Entry address es IP address 172 19 169 87 Platform company TD6780 Capabilities Router Device ID SEP000427D400ED Advertisement version 2 Entry address es IP address 1 6 1 81 Platform Company IP Phone x8...

Page 227: ...ToLive 157 Capabilities R S VLAN ID 10 Platform 206VXRYC Local Interface gi11 MAC Address 00 00 01 53 86 9c TimeToLive 163 Capabilities R S VLAN ID 10 Platform ABCD VSD Power Available TLV Request ID is 1 Power management ID is 1 Available Power is 15 4 Management Power Level is 0xFFFFFFFF Local Interface gi12 MAC Address 00 00 01 2b 86 9c TimeToLive 140 Capabilities R S VLAN ID 1210 Platform QACS...

Page 228: ...evice which cannot itself classify individual packets Device ID The name of the neighbor device and either the MAC address or the serial number of this device Duplex The duplex state of connection between the current device and the neighbor device Entry address es A list of network addresses of neighbor devices Extended Trust The Extended Trust External Port ID Identifies the physical connector po...

Page 229: ...condary Cache only the 8 last characters of the value are printed Power Available Every switch interface transmits information in the Power Available TLV which permits a device which needs power to negotiate and select an appropriate power setting The Power Available TLV includes four fields Power Consumption The maximum amount of power in milliwatts expected to be obtained and consumed from the i...

Page 230: ...sent by CDP on all ports or on a specific port use the show cdp tlv command in Privileged EXEC mode Syntax show cdp tlv interface id Parameters interface id Port ID Default Configuration TLVs for all ports Command Mode Privileged EXEC mode User Guidelines You can use the show cdp tlv command to verify the TLVs configured to be sent in CDP packets The show cdp tlv command displays information for a...

Page 231: ... 3 In this example CDP is globally enabled and enabled on the port but the port is down and no information is displayed switchxxxxxx show cdp tlv interface gi12 cdp globally is enabled Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater P VoIP Phone M Remotely Managed Device C CAST Phone Port W Two Port MAC Relay Interface TLV gi13 CDP is enabled on gi1...

Page 232: ... TLV 1 and 2 Platform TLV VSD Ardd Native VLAN TLV 1 Full Half Duplex TLV full duplex Appliance VLAN_ID TLV Appliance ID is 1 VLAN ID is 100 COS for Untrusted Ports TLV 1 sysName a switch 4 wire Power via MDI UPOE TLV 4 pair PoE Supported No Power Available TLV Request ID is 1 Power management ID is 1 Available Power is 15 4 Management Power Level is 0xFFFFFFFF Interface TLV gi12 CDP is disabled o...

Page 233: ...3 33 44 44 Address TLV IPv4 1 2 2 2 IPv6 Port_ID TLV gi11 Capabilities S I Version TLV 1 and 2 Platform TLV VSD Ardd Native VLAN TLV 1 Full Half Duplex TLV full duplex Appliance VLAN_ID TLV Appliance ID is 1 VLAN ID is 100 COS for Untrusted Ports TLV 1 sysName a switch Power Available TLV Request ID is 1 Power management ID is 1 Available Power is 15 4 Management Power Level is 0xFFFFFFFF 4 wire P...

Page 234: ...ly Managed Device C CAST Phone Port W Two Port MAC Relay Interface TLV gi11 CDP is enabled Ethernet gi11 is up Device ID TLV type is MAC address Value is 00 11 22 22 33 33 44 44 Address TLV IPv4 1 2 2 2 IPv6 Port_ID TLV gi11 Capabilities S I Version TLV 1 and 2 Platform TLV VSD Ardd Native VLAN TLV 1 Full Half Duplex TLV full duplex Appliance VLAN_ID TLV Appliance ID is 1 VLAN ID is 100 COS for Un...

Page 235: ...ed EXEC mode User Guidelines Use the command show cdp traffic without parameters to display all the counters Use the show cdp traffic global to display only the global counters Use the show cdp traffic interface id command to display the counters of the given port Example switchxxxxxx show cdp traffic CDP Global counters Total packets output 81684 Input 81790 Hdr syntax 0 Chksum error 0 Invalid pa...

Page 236: ...on 1 advertisements input and CDP Version 2 advertisements input fields Hdr syntax The number of CDP advertisements with bad headers received by the local device Chksum error The number of times the checksum verifying operation failed on incoming CDP advertisements No memory The number of times the local device did not have enough memory to store the CDP advertisements in the advertisement cache t...

Page 237: ...CDP Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 236 8 ...

Page 238: ...it or deny statement of the associated function going into effect If no start time and date are specified the function is in effect immediately end Absolute time and date that the permit or deny statement of the associated function is no longer in effect If no end time and date are specified the function is in effect indefinitely hh mm Time in hours military format and minutes Range 0 23 mm 0 5 da...

Page 239: ...e the clock dhcp timezone command in Global Configuration mode To restore the default configuration use the no form of this command Syntax clock dhcp timezone no clock dhcp timezone Parameters N A Default Configuration Disabled Command Mode Global Configuration mode User Guidelines The TimeZone taken from the DHCP server has precedence over the static TimeZone The Summer Time taken from the DHCP s...

Page 240: ...ent from where the DHCP TimeZone option was taken clears the dynamic Time Zone and Summer Time configuration Example switchxxxxxx config clock dhcp timezone 9 3 clock set To set the system clock manually use the clock set command in Privileged EXEC mode Syntax clock set hh mm ss day month month day year Parameters hh mm ss Specifies the current time in hours military format minutes and seconds Ran...

Page 241: ...ime source use the no form of this command Syntax clock source sntp browser no clock source sntp browser Parameters sntp Optional Specifies that an SNTP server is the external clock source browser Optional Specifies that if the system clock is not already set either manually or by SNTP and a user login to the device using a WEB browser either via HTTP or HTTPS the system clock will be set accordin...

Page 242: ...C May 28 2013 Time source is sntp Time from Browser is enabled 9 5 clock summer time To configure the system to automatically switch to summer time Daylight Saving Time use the clock summer time command in Global Configuration mode To restore the default configuration use the no form of this command Syntax clock summer time zone recurring usa eu week day month hh mm week day month hh mm offset clo...

Page 243: ...b year year no abbreviation Range 2000 2097 hh mm Time military format in hours and minutes Range hh mmhh 0 23 mm 0 59 offset Optional Number of minutes to add during summer time default is 60 Range 1440 Default Configuration Summer time is disabled Command Mode Global Configuration mode User Guidelines In both the date and recurring forms of the command the first part of the command specifies whe...

Page 244: ...ample switchxxxxxx config clock summer time abc date apr 1 2010 09 00 aug 2 2010 09 00 9 6 clock timezone To set the time zone for display purposes use the clock timezone command in Global Configuration mode To restore the default configuration use the no form of this command Syntax clock timezone zone hours offset minutes offset no clock timezone Parameters zone The acronym of the time zone Range...

Page 245: ...nfig clock timezone abc 2 minutes 32 9 7 periodic To specify a recurring weekly time range for functions that support the time range feature use the periodic command in Time range Configuration mode To restore the default configuration use the no form of this command Syntax periodic day of the week hh mm to day of the week hh mm no periodic day of the week hh mm to day of the week hh mm periodic l...

Page 246: ...at the following day see description in the User Guidelines Range 0 23 mm 0 59 list day of the week1 Specifies a list of days that the time range is in effect Default Configuration There is no periodic time when the time range is in effect Command Mode Time range Configuration mode User Guidelines The second occurrence of the day can be at the following week e g Thursday Monday means that the time...

Page 247: ...e IPv6 SNTP Anycast clients are enabled Default Configuration The SNTP anycast client is disabled Command Mode Global Configuration mode User Guidelines Use this command to enable the SNTP Anycast client Example The following example enables SNTP Anycast clients switchxxxxxx config sntp anycast client enable 9 9 sntp authenticate To enable authentication for received SNTP traffic from servers use ...

Page 248: ...xx config sntp trusted key 8 9 10 sntp authentication key To define an authentication key for Simple Network Time Protocol SNTP use the sntp authentication key command in Global Configuration mode To restore the default configuration use the no form of this command Syntax sntp authentication key key number md5 key value encrypted sntp authentication key key number md5 encrypted key value no sntp a...

Page 249: ...ticate 9 11 sntp broadcast client enable To enable SNTP Broadcast clients use the sntp broadcast client enable command in Global Configuration mode To restore the default configuration use the no form of this command Syntax sntp broadcast client enable both ipv4 ipv6 no sntp broadcast client enable Parameters both Optional Specifies the IPv4 and IPv6 SNTP Broadcast clients are enabled If the param...

Page 250: ...t synchronize with Broadcast servers Example The following example enables SNTP Broadcast clients s switchxxxxxx config sntp broadcast client enable 9 12 sntp client enable To enable the SNTP Broadcast and Anycast client use the sntp client enable command in Global Configuration mode To restore the default configuration use the no form of this command Syntax sntp client enable interface id no sntp...

Page 251: ...t enable interface To enable the SNTP Broadcast and Anycast client on an interface use the sntp client enable command in Interface Configuration mode To restore the default configuration use the no form of this command Syntax sntp client enable no sntp client enable Parameters N A Default Configuration The SNTP client is disabled on an interface Command Mode Interface Configuration mode User Guide...

Page 252: ...e a server from the list of SNTP servers use the no form of this command Syntax sntp server default ip address hostname poll key keyid no sntp server ip address hostname Parameters default Default defined SNTP servers ip address Specifies the server IP address This can be an IPv4 IPv6 or IPv6z address hostname Specifies the server hostname Only translation to IPv4 addresses is supported Length 1 1...

Page 253: ...to remove one SNTP server Use the no sntp server to remove all SNTP servers Example The following example configures the device to accept SNTP traffic from the server on 192 1 1 1 with polling switchxxxxxx config sntp server 192 1 1 1 poll 9 15 sntp source interface To specify the source interface whose IPv4 address will be used as the source IPv4 address for communication with IPv4 SNTP servers u...

Page 254: ...ce is applied If there is no available IPv4 source address a SYSLOG message is issued when attempting to communicate with an IPv4 SNTP server Example The following example configures the VLAN 10 as the source interface switchxxxxxx config sntp source interface vlan 10 9 16 sntp source interface ipv6 To specify the source interface whose IPv6 address will be used ad the Source IPv6 address for comm...

Page 255: ...g interface the minimal IPv4 address defined on the interface and with the scope of the destination IPv6 address is applied If there is no available IPv6 source address a SYSLOG message is issued when attempting to communicate with an IPv6 SNTP server Example The following example configures the VLAN 10 as the source interface switchxxxxxx config sntp source interface ipv6 vlan 10 9 17 sntp truste...

Page 256: ...itchxxxxxx config sntp trusted key 8 switchxxxxxx config sntp authentication key 8 md5 ClkKey switchxxxxxx config sntp trusted key 8 switchxxxxxx config sntp authenticate 9 18 sntp unicast client enable To enable the device to use Simple Network Time Protocol SNTP Unicast clients use the sntp unicast client enable command in Global Configuration mode To disable the SNTP Unicast clients use the no ...

Page 257: ... SNTP Unicast clients switchxxxxxx config sntp unicast client enable 9 19 sntp unicast client poll To enable polling for the SNTP Unicast clients use the sntp unicast client poll command in Global Configuration mode To disable the polling use the no form of this command Syntax sntp unicast client poll no sntp unicast client poll Parameters N A Default Configuration Polling is enabled Command Mode ...

Page 258: ...EXEC mode Syntax show clock detail Parameters detail Optional Displays the time zone and summer time configuration Command Mode User EXEC mode User Guidelines Before the time there is displayed either a star period or blank star The clock is invalid period The clock was set manually or by Browser blank The clock was set by SNTP Examples Example 1 The following example displays the system time and ...

Page 259: ...1 Acronym is RAIN Offset is UTC 2 Time zone Static Offset is UTC 0 Summertime DHCPv4 on VLAN1 Acronym is SUN Recurring every year Begins at first Sunday of Apr at 02 00 Ends at first Tuesday of Sep at 02 00 Offset is 60 minutes Summertime Static Acronym is GMT Recurring every year Begins at first Sunday of Mar at 10 00 Ends at first Sunday of Sep at 10 00 Offset is 60 minutes DHCP timezone Enabled...

Page 260: ... following example displays the device s current SNTP configuration switchxxxxxx show sntp configuration SNTP port 123 Polling interval 1024 seconds MD5 Authentication Keys 2 John123 3 Alice456 Authentication is not required for synchronization No trusted keys Unicast Clients enabled Unicast Clients Polling enabled Server 1 1 1 121 Polling disabled Encryption Key disabled Server 3001 1 1 1 Polling...

Page 261: ... Broadcast Clients enabled for IPv4 and IPv6 Anycast Clients disabled No Broadcast Interfaces Source IPv4 interface vlan 1 Source IPv6 interface vlan 10 9 22 show sntp status To display the SNTP servers status use the show sntp status command in Privileged EXEC mode Syntax show sntp status Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example The following example disp...

Page 262: ...ec Delay 117 79mSec Server dns_server comapany com Source static Status Unknown Last response 12 17 17 987 PDT Feb 19 2005 Stratum Level 1 Offset 8 98mSec Delay 189 19mSec Server 3001 1 1 1 Source DHCPv6 on VLAN 2 Status Unknown Last response Offset mSec Delay mSec Server dns1 company com Source DHCPv6 on VLAN 20 Status Unknown Last response Offset mSec Delay mSec Anycast servers Server 176 1 11 8...

Page 263: ...ies the name of an existing time range Command Mode User EXEC mode Example switchxxxxxx show time range http allowed absolute start 12 00 1 Jan 2005 end 12 00 31 Dec 2005 periodic Monday 12 00 to Wednesday 12 00 9 24 time range To define time ranges and to enter to Time range Configuration mode use the time range command to define time ranges and to enter to Time range Configuration mode in Global...

Page 264: ... in a time range Only one absolute command is allowed If a time range command has both absolute and periodic values specified then the periodic items are evaluated only after the absolute start time is reached and are not evaluated again after the absolute end time is reached All time specifications are interpreted as local time To ensure that the time range entries take effect at the desired time...

Page 265: ...ny mask prefix length remove ip address any mask prefix length no security suite deny fragmented Parameters add ip address any Specifies the destination IP address Use any to specify all IP addresses mask Specifies the network mask of the IP address prefix length Specifies the number of bits that comprise the IP address prefix The prefix length must be preceded by a forward slash Default Configura...

Page 266: ...suite deny icmp To discard ICMP echo requests from a specific interface to prevent attackers from knowing that the device is on the network use the security suite deny icmp Interface Ethernet Port Channel Configuration mode command To permit echo requests use the no form of this command Syntax security suite deny icmp add ip address any mask prefix length remove ip address any mask prefix length n...

Page 267: ...itchxxxxxx config interface gi11 switchxxxxxx config if security suite deny icmp add any 32 To perform this command DoS Prevention must be enabled in the per interface mode 10 3 security suite deny martian addresses To deny packets containing system reserved IP addresses or user defined IP addresses use the security suite deny martian addresses Global Configuration mode command To restore the defa...

Page 268: ...Parameters reserved add remove Add or remove the table of reserved addresses below ip address Adds discards packets with the specified IP source or destination address mask Specifies the network mask of the IP address prefix length Specifies the number of bits that comprise the IP address prefix The prefix length must be preceded by a forward slash reserved Discards packets with the source or dest...

Page 269: ...face use the security suite deny syn Interface Ethernet Port Channel Configuration mode command This a complete block of these connections To permit creation of TCP connections use the no form of this command Address Block Present Use 0 0 0 0 8 except when 0 0 0 0 32 is the source address Addresses in this block refer to source hosts on this network 127 0 0 0 8 This block is assigned for use as th...

Page 270: ... are http ftp control ftp data ssh telnet smtp or port number Use any to specify all ports Default Configuration Creation of TCP connections is allowed from all interfaces If the mask is not specified it defaults to 255 255 255 255 If the prefix length is not specified it defaults to 32 Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines For this command to work show se...

Page 271: ...To drop all ingressing TCP packets in which both SYN and FIN are set use the security suite deny syn fin Global Configuration mode command To permit TCP packets in which both SYN and FIN are set use the no form of this command Syntax security suite deny syn fin no security suite deny syn fin Parameters This command has no arguments or keywords Default Configuration The feature is disabled by defau...

Page 272: ...ct Parameters add remove attack Specifies the attack type to add remove To add an attack is to provide protection against it to remove the attack is to remove protection The possible attack types are stacheldraht Discards TCP packets with source TCP port 16660 invasor trojan Discards TCP packets with destination TCP port 2140 and source TCP port 1024 back orifice trojan Discards UDP packets with d...

Page 273: ...yn attack any ip address mask prefix length Parameters syn rate Specifies the maximum number of connections per second Range 199 1000 any ip address Specifies the destination IP address Use any to specify all IP addresses mask Specifies the network mask of the destination IP address prefix length Specifies the number of bits that comprise the destination IP address prefix The prefix length must be...

Page 274: ...syn attack 199 any 10 To perform this command DoS Prevention must be enabled in the per interface mode 10 8 security suite enable To enable the security suite feature use the security suite enable Global Configuration mode command This feature supports protection against various types of attacks When this command is used hardware resources are reserved These hardware resources are released when th...

Page 275: ...CAM If this keyword is not used security suite commands can be used both globally on per interface Default Configuration The security suite feature is disabled If global rules only is not specified the default is to enable security suite globally and per interfaces Command Mode Global Configuration mode User Guidelines MAC ACLs must be removed before the security suite is enabled The rules can be ...

Page 276: ... security suite dos syn attack 199 any 10 switchxxxxxx config if 10 9 security suite syn protection mode To set the TCP SYN protection mode use the security suite syn protection mode Global Configuration mode command To set the TCP SYN protection mode to default use the no form of this command Syntax security suite syn protection mode disabled report block no security suite syn protection mode Par...

Page 277: ... suite syn protection mode report 01 Jan 2012 05 29 46 A TCP SYN Attack was identified on port gi11 Example 2 The following example sets the TCP SYN protection feature to block TCP SYN attack on ports in case an attack is identified from these ports switchxxxxxx config security suite syn protection mode block 01 Jan 2012 05 29 46 A TCP SYN Attack was identified on port gi11 TCP SYN traffic destine...

Page 278: ...mple The following example sets the TCP SYN period to 100 seconds switchxxxxxx config security suite syn protection recovery 100 10 11 security suite syn protection threshold To set the threshold for the SYN protection feature use the security suite syn protection threshold Global Configuration mode command To set the threshold to its default value use the no form of this command Syntax security s...

Page 279: ...y suite configuration Command Mode User EXEC mode Example The following example displays the security suite configuration switchxxxxxx show security suite configuration Security suite is enabled Per interface rules are enabled Denial Of Service Protect stacheldraht invasor trojan back office trojan Denial Of Service SYN FIN Attack is enabled Denial Of Service SYN Attack Interface gi11 IP Address 1...

Page 280: ...ort Channel Command Mode User EXEC mode User Guidelines Use the Interface ID to display information on a specific interface Example The following example displays the TCP SYN protection feature configuration and current status on all interfaces In this example port gi12 is attacked but since there is a user ACL on this port it cannot become blocked so its status is Reported and not Blocked and Rep...

Page 281: ...Service DoS Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 280 10 gi12 Attacked 19 58 22 289 PDT Feb 19 2012 Reported gi13 Attacked 19 58 22 289 PDT Feb 19 2012 Blocked and Reported ...

Page 282: ...mand to enable the DHCP relay feature on the device Use the no form of this command to disable the DHCP relay feature Syntax ip dhcp relay enable no ip dhcp relay enable Parameters N A Default Configuration DHCP relay feature is disabled Command Mode Global Configuration mode Example The following example enables the DHCP relay feature on the device switchxxxxxx config ip dhcp relay enable ...

Page 283: ...elay enable Parameters N A Default Configuration Disabled Command Mode Interface Configuration mode User Guidelines The operational status of DHCP Relay on an interface is active if one of the following conditions exist DHCP Relay is globally enabled and there is an IP address defined on the interface Or DHCP Relay is globally enabled there is no IP address defined on the interface the interface i...

Page 284: ...ress Specifies the DHCP server IP address Up to 8 servers can be defined Default Configuration No server is defined Command Mode Global Configuration mode User Guidelines Use the ip dhcp relay address command to define a global DHCP Server IP address To define a few DHCP Servers use the command a few times To remove a DHCP Server use the no form of the command with the ip address argument The no f...

Page 285: ...eters ip address Specifies the DHCP server IP address Up to 8 servers can be defined Default Configuration No server is defined Command Mode Interface Configuration mode User Guidelines Use the ip dhcp relay address command to define a DHCP Server IP address per the interface To define multiple DHCP Servers use the command multiple times To remove a DHCP server use the no form of the command with ...

Page 286: ...ed Option 82 is Disabled Maximum number of supported VLANs without IP Address is 256 Number of DHCP Relays enabled on VLANs without IP Address is 0 DHCP relay is not configured on any port DHCP relay is not configured on any vlan No servers configured Example 2 Option 82 is supported disabled switchxxxxxx show ip dhcp relay DHCP relay is globally disabled Option 82 is disabled Maximum number of su...

Page 287: ...ber of DHCP Relays enabled on VLANs without IP Address 2 DHCP relay is enabled on Ports gi11 po1 2 Active gi11 Inactive po1 2 DHCP relay is enabled on VLANs 1 2 4 5 Active 1 2 4 5 Inactive Global Servers 1 1 1 1 2 2 2 2 Example 3 Option 82 is supported enabled and there DHCP Servers defined per interface switchxxxxxx show ip dhcp relay DHCP relay is globally enabled Option 82 is enabled Maximum nu...

Page 288: ... ip dhcp information option Global Configuration command to enable DHCP option 82 data insertion Use the no form of this command to disable DHCP option 82 data insertion Syntax ip dhcp information option no ip dhcp information option Parameters N A Default Configuration DHCP option 82 data insertion is disabled Command Mode Global Configuration mode User Guidelines DHCP option 82 would be enabled ...

Page 289: ...cp information option EXEC mode command displays the DHCP Option 82 configuration Syntax show ip dhcp information option Parameters N A Default Configuration N A Command Mode User EXEC mode Example The following example displays the DHCP Option 82 configuration switchxxxxxx show ip dhcp information option Relay agent Information option is Enabled ...

Page 290: ...dress Specifies the client IP address mask Specifies the client network mask prefix length Specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the client network mask The prefix length must be preceded by a forward slash unique identifier Specifies the distinct client identification in dotted hexadecimal notation Each byte in a hexadecimal c...

Page 291: ... 0 client identifier 01b7 0813 8811 66 switchxxxxxx config dhcp exit switchxxxxxx config ip dhcp pool host bbbb switchxxxxxx config dhcp address 10 12 1 88 255 255 255 0 hardware address 00 01 b7 08 13 88 switchxxxxxx config dhcp exit switchxxxxxx config 12 2 address DHCP Network To configure the subnet number and mask for a DHCP address pool on a DHCP server use the address command in DHCP Pool N...

Page 292: ...configured If the low address is not specified it defaults to the first IP address in the network If the high address is not specified it defaults to the last IP address in the network Command Mode DHCP Pool Network Configuration mode Example The following example configures the subnet number and mask for a DHCP address pool on a DHCP server switchxxxxxx config dhcp address 10 12 1 0 255 255 255 0...

Page 293: ...lt router is not configurable DHCP client is directly connected IP Routing is enabled Default router was required by the client Example The following example disable auto default router sending switchxxxxxx config dhcp no auto default router 12 4 bootfile To specify the default boot image file name for a DHCP client use the bootfile command in DHCP Pool Network Configuration mode or in DHCP Pool H...

Page 294: ...To delete the dynamic address binding from the DHCP server database use the clear ip dhcp binding command in Privileged EXEC mode Syntax clear ip dhcp binding address Parameters address Specifies the binding address to delete from the DHCP database Clears all dynamic bindings Command Mode Privileged EXEC mode User Guidelines Typically the address supplied denotes the client IP address If the aster...

Page 295: ...iguration mode To remove the client name use the no form of this command Syntax client name name no client name Parameters name Specifies the client name using standard ASCII characters The client name should not include the domain name For example the name Mars should not be specified as mars yahoo com Length 1 32 characters Command Mode DHCP Pool Host Configuration mode Default Configuration No ...

Page 296: ...es can be specified in one command line Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No default router is defined User Guidelines The router IP address should be on the same subnet as the client subnet If the auto default router command is configured then the DHCP server returns an IP address defined on the input interface as a default r...

Page 297: ...ress ip address2 ip address8 no dns server Parameters ip address ip address2 ip address8 Specifies the IP addresses of DNS servers Up to eight addresses can be specified in one command line Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No DNS server is defined User Guidelines If DNS IP servers are not configured for a DHCP client the clie...

Page 298: ... domain name string Length 1 32 characters Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No domain name is defined Example The following example specifies yahoo com as the DHCP client domain name string switchxxxxxx config dhcp domain name yahoo com 12 10 ip dhcp excluded address To specify IP addresses that a DHCP server must not assign ...

Page 299: ...Guidelines The DHCP server assumes that all pool addresses can be assigned to clients Use this command to exclude a single IP address or a range of IP addresses Example The following example configures an excluded IP address range from 172 16 1 100 through 172 16 1 199 switchxxxxxx config ip dhcp excluded address 172 16 1 100 172 16 1 199 12 11 ip dhcp pool host To configure a DHCP static address ...

Page 300: ... changes to the DHCP Pool Configuration mode In this mode the administrator can configure host parameters such as the IP subnet number and default router list Example The following example configures station as the DHCP address pool switchxxxxxx config ip dhcp pool host station switchxxxxxx config dhcp 12 12 ip dhcp pool network To configure a DHCP address pool on a DHCP Server and enter DHCP Pool...

Page 301: ... configuration mode changes to DHCP Pool Network Configuration mode In this mode the administrator can configure pool parameters such as the IP subnet number and default router list Example The following example configures Pool1 as the DHCP address pool switchxxxxxx config ip dhcp pool network Pool1 switchxxxxxx config dhcp 12 13 ip dhcp server To enable the DHCP server features on the device use ...

Page 302: ...ation mode To restore the default value use the no form of this command Syntax lease days hours minutes infinite no lease Parameters days Specifies the number of days in the lease hours Optional Specifies the number of hours in the lease A days value must be supplied before configuring an hours value minutes Optional Specifies the number of minutes in the lease A days value and an hours value must...

Page 303: ...tchxxxxxx config dhcp lease infinite 12 15 netbios name server To configure the NetBIOS Windows Internet Naming Service WINS server list that is available to Microsoft DHCP clients use the netbios name server in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode To remove the NetBIOS name server list use the no form of this command Syntax netbios name server ip address ip...

Page 304: ...bios node type To configure the NetBIOS node type for Microsoft DHCP clients use the netbios node type command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode To return to default use the no form of this command Syntax netbios node type b node p node m node h node no netbios node type Parameters b node Specifies the Broadcast NetBIOS node type p node Specifies the P...

Page 305: ...figuration mode or in DHCP Pool Host Configuration mode To remove the next server use the no form of this command Syntax next server ip address no next server Parameters ip address Specifies the IP address of the next server in the boot process Default Configuration If the next server command is not used to configure a boot server list the DHCP server uses inbound interface helper addresses as boo...

Page 306: ...Host Configuration mode To remove the boot server name use the no form of this command Syntax next server name name no next server name Parameters name Specifies the name of the next server in the boot process Length 1 64 characters Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No next server name is defined User Guidelines The client wil...

Page 307: ...pecifies a boolean value The values are coded by integer values of one octet 0 false and 1 true integer value Specifies an integer value The option size depends on the option code ascii string Specifies a network virtual terminal NVT ASCII character string ASCII character strings that contain white spaces must be delimited by quotation marks The ASCII value is truncated to the first 160 characters...

Page 308: ... for the following options 14 17 18 40 64 130 209 and 210 The ip keyword may be configured for the following options 16 28 32 128 129 131 135 and 136 The ip list keyword may be configured for the following options 5 7 11 33 41 42 45 48 49 65 68 76 and 150 The hex keyword may be configured for any option in the range 1 254 except for the following 1 3 4 6 12 15 44 46 50 51 53 54 56 66 67 82 and 255...

Page 309: ... 172 16 3 252 172 16 3 253 12 20 show ip dhcp To display the DHCP configuration use the show ip dhcp command in User EXEC mode Syntax show ip dhcp Command Mode User EXEC mode Example The following example displays the DHCP configuration switchxxxxxx show ip dhcp DHCP server is enabled 12 21 show ip dhcp allocated To display the allocated address or all the allocated addresses on the DHCP server us...

Page 310: ... 16 1 11 00a0 9802 32de Feb 01 1998 12 00 AM Dynamic 172 16 3 253 02c7 f800 0422 Infinite Automatic 172 16 3 254 02c7 f800 0422 Infinite Static switchxxxxxx show ip dhcp allocated 172 16 1 11 DHCP server enabled The number of allocated entries is 2 IP address Hardware address Lease expiration Type 172 16 1 11 00a0 9802 32de Feb 01 1998 12 00 AM Dynamic switchxxxxxx show ip dhcp allocated 172 16 3 ...

Page 311: ...ess Command Mode User EXEC mode Examples The following examples display the DHCP server binding address parameters switchxxxxxx show ip dhcp binding DHCP server enabled The number of used all types entries is 6 The number of pre allocated entries is 1 The number of allocated entries is 1 The number of expired entries is 1 Field Description IP address The host IP address as recorded on the DHCP Ser...

Page 312: ... 1 16 3 26 02c7 f804 0422 dynamic declined switchxxxxxx show ip dhcp binding 1 16 1 11 DHCP server enabled IP address Client Identifier Lease Expiration Type State 1 16 1 11 00a0 9802 32de Feb 01 1998 dynamic allocated 12 00 AM switchxxxxxx show ip dhcp binding 1 16 3 24 IP address Client Identifier Lease Expiration Type State 1 16 3 24 02c7 f802 0422 dynamic declined The following table describes...

Page 313: ...ecifies the IP address Command Mode User EXEC mode Example The following example displays the output of various forms of this command switchxxxxxx show ip dhcp declined DHCP server enabled The number of declined entries is 2 IP address Hardware address 172 16 1 11 00a0 9802 32de 172 16 3 254 02c7 f800 0422 switchxxxxxx show ip dhcp declined 172 16 1 11 DHCP server enabled The number of declined en...

Page 314: ... User EXEC mode Example The following example displays excluded addresses switchxxxxxx show ip dhcp excluded addresses The number of excluded addresses ranges is 2 Excluded addresses 10 1 1 212 10 1 1 219 10 1 2 212 10 1 2 219 12 25 show ip dhcp expired To display the specific expired address or all of the expired addresses on the DHCP server use the show ip dhcp expired command in User EXEC mode ...

Page 315: ...itchxxxxxx show ip dhcp expired 172 16 1 11 DHCP server enabled The number of expired entries is 1 IP address Hardware address 172 16 1 13 00a0 9802 32de 12 26 show ip dhcp pool host To display the DHCP pool host configuration use the show ip dhcp pool host command in User EXEC mode Syntax show ip dhcp pool host address name Parameters address Optional Specifies the client IP address name Optional...

Page 316: ...3 8811 66 Example 2 The following example displays the DHCP pool host configuration of the pool named station switchxxxxxx show ip dhcp pool host station Name IP Address Hardware Address Client Identifier station 172 16 1 11 01b7 0813 8811 66 Mask 255 255 0 0 Auto Default router enabled Default router 172 16 1 1 Client name client1 DNS server 10 12 1 99 Domain name yahoo com NetBIOS name server 10...

Page 317: ...ip dhcp pool network To display the DHCP network configuration use the show ip dhcp pool network command in User EXEC mode Syntax show ip dhcp pool network name Parameters name Optional Specifies the DHCP pool name Length 1 32 characters Command Mode User EXEC mode Examples Example 1 The following example displays configuration of all DHCP network pools switchxxxxxx show ip dhcp pool network The n...

Page 318: ...255 255 0 0d 12h 0m Statistics All range Available Free Pre allocated Allocated Expired Declined 162 150 68 50 20 3 9 Auto Default router enabled Default router 10 1 1 1 DNS server 10 12 1 99 Domain name yahoo com NetBIOS name server 10 12 1 90 NetBIOS node type h node Next server 10 12 1 99 Next server name 10 12 1 100 Bootfile Bootfile Time server 10 12 1 99 Options Code Type Len Value Descripti...

Page 319: ...User EXEC mode Syntax show ip dhcp pre allocated ip address Parameters ip address Optional Specifies the IP Command Mode User EXEC mode Examples switchxxxxxx show ip dhcp pre allocated DHCP server enabled The number of pre allocated entries is 1 IP address Hardware address 172 16 1 11 00a0 9802 32de 172 16 3 254 02c7 f800 0422 switchxxxxxx show ip dhcp pre allocated 172 16 1 11 DHCP server enabled...

Page 320: ...er enabled The number of network pools is 7 The number of excluded pools is 2 The number of used all types entries is 7 The number of pre allocated entries is 1 The number of allocated entries is 3 The number of expired entries is 1 The number of declined entries is 2 The number of static entries is 1 The number of dynamic entries is 2 The number of automatic entries is 1 12 30 time server To spec...

Page 321: ...sses of Time servers Up to eight addresses can be specified in one command line Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No time server is defined User Guidelines The time server s IP address should be on the same subnet as the client subnet Example The following example specifies 10 12 1 99 as the time server IP address switchxxxxxx...

Page 322: ...figuration Syntax ip dhcp snooping no ip dhcp snooping Parameters N A Default Configuration DHCP snooping is disabled Command Mode Global Configuration mode User Guidelines For any DHCP Snooping configuration to take effect DHCP Snooping must be enabled globally DHCP Snooping on a VLAN is not active until DHCP Snooping on a VLAN is enabled by using the ip dhcp snooping vlan Global Configuration mo...

Page 323: ...lan id Specifies the VLAN ID Default Configuration DHCP Snooping on a VLAN is disabled Command Mode Global Configuration mode User Guidelines DHCP Snooping must be enabled globally before enabling DHCP Snooping on a VLAN Example The following example enables DHCP Snooping on VLAN 21 switchxxxxxx config ip dhcp snooping vlan 21 13 3 ip dhcp snooping trust Use the ip dhcp snooping trust Interface Co...

Page 324: ...ected to DHCP clients as untrusted Example The following example configures gi14 as trusted for DHCP Snooping switchxxxxxx config interface gi14 switchxxxxxx config if ip dhcp snooping trust 13 4 ip dhcp snooping information option allowed untrusted Use the ip dhcp snooping information option allowed untrusted Global Configuration mode command to allow a device to accept DHCP packets with option 8...

Page 325: ...owed untrusted 13 5 ip dhcp snooping verify Use the ip dhcp snooping verify Global Configuration mode command to configure a device to verify that the source MAC address in a DHCP packet received on an untrusted port matches the client hardware address Use the no form of this command to disable MAC address verification in a DHCP packet received on an untrusted port Syntax ip dhcp snooping verify n...

Page 326: ...CP Snooping binding database file Use the no form of this command to delete the DHCP Snooping binding database file Syntax ip dhcp snooping database no ip dhcp snooping database Parameters N A Default Configuration The DHCP Snooping binding database file is not defined Command Mode Global Configuration mode User Guidelines The DHCP Snooping binding database file resides on Flash To ensure that the...

Page 327: ...tries from the binding database Syntax ip dhcp snooping binding mac address vlan id ip address interface id expiry seconds infinite no ip dhcp snooping binding mac address vlan id Parameters mac address Specifies a MAC address vlan id Specifies a VLAN number ip address Specifies an IP address interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or...

Page 328: ...mic entry An entry added by this command cannot override the existed static entry added by the ip source guard binding command The entry is displayed in the show commands as a DHCP Snooping entry Use the no ip dhcp snooping binding command to delete manually a dynamic entry from the DHCP database A dynamic temporary entries for which the IP address is 0 0 0 0 cannot be deleted Example The followin...

Page 329: ...nterfaces or for a specific interface Syntax show ip dhcp snooping interface id Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode User EXEC mode Example The following example displays the DHCP snooping configuration switchxxxxxx show ip dhcp snooping DHCP snooping is Enabled DHCP snooping is configured on...

Page 330: ... and configuration information for all interfaces or for a specific interface Syntax show ip dhcp snooping binding mac address mac address ip address ip address vlan vlan id interface id Parameters mac address mac address Specifies a MAC address ip address ip address Specifies an IP address vlan vlan id Specifies a VLAN ID interface id Specifies an interface ID The interface ID can be one of the f...

Page 331: ...n Interface Configuration Ethernet Port channel mode to enable IP Source Guard on an interface Use the no form of this command to disable IP Source Guard on the device or on an interface Syntax ip source guard no ip source guard Parameters N A Default Configuration IP Source Guard is disabled Command Mode Interface Ethernet Port Channel Configuration mode switchxxxxxx show ip dhcp snooping binding...

Page 332: ...urce guard 13 12 ip source guard binding Use the ip source guard binding Global Configuration mode command to configure the static IP source bindings on the device Use the no form of this command to delete the static bindings Syntax ip source guard binding mac address vlan id ip address interface id no ip source guard binding mac address vlan id Parameters mac address Specifies a MAC address vlan ...

Page 333: ...uard binding 0060 704C 73FF 23 176 10 1 1 gi14 13 13 ip source guard tcam retries freq Use the ip source guard tcam retries freq Global Configuration mode command to set the frequency of retries for TCAM resources for inactive IP Source Guard addresses Use the no form of this command to restore the default configuration Syntax ip source guard tcam retries freq seconds never no ip source guard tcam...

Page 334: ...es locating TCAM resources for the inactive IP Source Guard addresses The show ip source guard inactive EXEC mode command displays the inactive IP Source Guard addresses Example The following example sets the frequency of retries for TCAM resources to 2 minutes switchxxxxxx config ip source guard tcam retries freq 120 13 14 ip source guard tcam locate Use the ip source guard tcam locate Privileged...

Page 335: ... IP Source Guard addresses The show ip source guard inactive EXEC mode command displays the inactive IP source guard addresses Example The following example manually retries to locate TCAM resources switchxxxxxx ip source guard tcam locate 13 15 show ip source guard configuration Use the show ip source guard configuration EXEC mode command to display the IP source guard configuration for all inter...

Page 336: ... guard status mac address mac address ip address ip address vlan vlan interface id Parameters mac address mac address Specifies a MAC address ip address ip address Specifies an IP address vlan vlan id Specifies a VLAN ID interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode User EXEC mode switchxxxxxx show ip source gua...

Page 337: ...esses are inactive because of a lack of TCAM resources By default once every minute the software conducts a search for available space in the TCAM for the inactive IP Source Guard addresses Use the ip source guard tcam retries freq command to change the retry frequency or to disable automatic retries for TCAM space Use the ip source guard tcam locate command to manually retry locating TCAM resourc...

Page 338: ... the Source Guard dynamic information permitted stations Syntax show ip source guard statistics vlan vlan id Parameters vlan id Display the statistics on this VLAN Command Mode User EXEC mode Example switchxxxxxx show ip source guard statistics VLAN Statically Permitted Stations DHCP Snooping Permitted Stations 2 2 3 switchxxxxxx show ip source guard inactive TCAM resources search frequency 60 sec...

Page 339: ...ion mode User Guidelines Note that if a port is configured as an untrusted port then it should also be configured as an untrusted port for DHCP Snooping or the IP address MAC address binding for this port should be configured statically Otherwise hosts that are attached to this port cannot respond to ARPs Example The following example enables ARP inspection on the device switchxxxxxx config ip arp...

Page 340: ...the DHCP snooping database Use the ip arp inspection list assign command to enable static ARP inspection Example The following example enables DHCP Snooping based ARP inspection on VLAN 23 switchxxxxxx config ip arp inspection vlan 23 13 21 ip arp inspection trust Use the ip arp inspection trust Interface Configuration Ethernet Port channel mode command to configure an interface trust state that d...

Page 341: ...dating the local cache and before forwarding the packet to the appropriate destination The device drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection logging interval command Example The following example configures gi13 as a trusted interface switchxxxxxx config interface gi13 switchxxxxxx config if ip arp inspection tr...

Page 342: ...address in the Ethernet header against the target MAC address in the ARP body This check is performed for ARP responses IP addresses Compares the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP multicast addresses Example The following example executes ARP inspection validation switchxxxxxx config ip arp inspection validate 13 23 ip arp inspect...

Page 343: ...owing example creates the static ARP binding list servers and enters the ARP list configuration mode switchxxxxxx config ip arp inspection list create servers 13 24 ip mac Use the ip mac ARP list Configuration mode command to create a static ARP binding Use the no form of this command to delete a static ARP binding Syntax ip ip address mac mac address no ip ip address mac mac address Parameters ip...

Page 344: ...ssign Use the ip arp inspection list assign Global Configuration mode command to assign a static ARP binding list to a VLAN Use the no form of this command to delete the assignment Syntax ip arp inspection list assign vlan id name no ip arp inspection list assign vlan id Parameters vlan id Specifies the VLAN ID name Specifies the static ARP binding list name Default Configuration No static ARP bin...

Page 345: ... time interval between successive ARP SYSLOG messages A 0 value means that a system message is immediately generated Range 0 86400 infinite Specifies that SYSLOG messages are not generated Default Configuration The default minimum ARP SYSLOG message logging time interval is 5 seconds Command Mode Global Configuration mode Example The following example sets the minimum ARP SYSLOG message logging ti...

Page 346: ...he ARP inspection configuration switchxxxxxx show ip arp inspection IP ARP inspection is Enabled IP ARP inspection is configured on following VLANs 1 Verification of packet header is Enabled IP ARP inspection logging interval is 222 seconds Interface Trusted gi11 Yes gi12 Yes 13 28 show ip arp inspection list Use the show ip arp inspection list Privileged EXEC mode command to display the static AR...

Page 347: ...Dropped IP MAC Validation Failure Syntax show ip arp inspection statistics vlan vlan id Parameters vlan id Specifies VLAN ID Command Mode User EXEC mode User Guidelines To clear ARP Inspection counters use the clear ip arp inspection statistics command Counters values are kept when disabling the ARP Inspection feature Example switchxxxxxx show ip arp inspection statistics Vlan Forwarded Packets Dr...

Page 348: ... inspection statistics Use the clear ip arp inspection statistics Privileged EXEC mode command to clear statistics ARP Inspection statistics globally Syntax clear ip arp inspection statistics vlan vlan id Parameters vlan id Specifies VLAN ID Command Mode Privileged EXEC mode Example switchxxxxxx clear ip arp inspection statistics ...

Page 349: ...interface id Parameters interface id Interface identifier Default Configuration N A Command Mode Privileged EXEC mode User Guidelines This command restarts DHCP for an IPv6 client on a specified interface after first releasing and unconfiguring previously acquired prefixes and other configuration options for example Domain Name System DNS servers Example The following example restarts the DHCP for...

Page 350: ...s The refresh time in seconds The value cannot be less than the minimal acceptable refresh time configured by the ipv6 dhcp client information refresh command The maximum value that can be used is 4 294967 294 seconds 0xFFFFFFFE infinite Infinite refresh time Default Configuration The default is 86 400 seconds 24 hours Command Mode Interface Configuration mode User Guidelines The ipv6 dhcp client ...

Page 351: ... client information refresh minimum Parameters seconds The refresh time in seconds The minimum value that can be used is 600 seconds The maximum value that can be used is 4 294 967 294 seconds 0xFFFFFFFE infinite Infinite refresh time Default Configuration The default is 86 400 seconds 24 hours Command Mode Interface Configuration mode User Guidelines The ipv6 dhcp client information refresh minim...

Page 352: ...e configures an upper limit of 2 days switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 dhcp client information refresh 172800 switchxxxxxx config if exit 14 4 ipv6 dhcp client stateless To enable DHCP for an IPv6 client process and to enable request for stateless configuration through the interface on which the command is run use the ipv6 dhcp client stateless command in Interfac...

Page 353: ...lient should send messages delivered using unicast Option 23 OPTION_DNS_SERVERS List of DNS Servers IPv6 Addresses Option 24 OPTION_DOMAIN_LIST Domain Search List Option 31 OPTION_SNTP_SERVERS List of SNTP Servers IPv6 Addresses Option 32 OPTION_INFORMATION_REFRESH_TIME Information Refresh Time Option Option 41 OPTION_NEW_POSIX_TIMEZONE New Timezone Posix String Option 59 OPT_BOOTFILE_URL Configur...

Page 354: ...umber as maintained by IANA identifier The vendor defined non empty hex string up to 64 hex characters If the number of the character is not even 0 is added at the right Each 2 hex characters can be separated by a period or colon Default Configuration DUID Based on Link layer Address DUID LL is used The base MAC Address is used as a Link layer Address Command Mode Global Configuration mode User Gu...

Page 355: ...n ipv6 address interface id interface id Parameters ipv6 address interface id Relay destination IPv6 address in the form documented in RFC 4291 where the address is specified in hexadecimal using 16 bit values between colons There are the following types of relay destination address Link local Unicast address A user must specify the interface id argument for this kind of address Global Unicast IPv...

Page 356: ...s can be configured for one destination Unspecified loopback and Multicast addresses are not acceptable as the relay destination Use the no form of the command with the ipv6 address and interface id arguments to remove only the given globally defined address with the given output interface Use the no form of the command with the ipv6 address argument to remove only the given globally defined addre...

Page 357: ...relay destination ipv6 address interface id interface id Parameters ipv6 address interface id Relay destination IPv6 address in the form documented in RFC 4291 where the address is specified in hexadecimal using 16 bit values between colons There are the following types of relay destination address Link local Unicast address A user must specify the interface id argument for this kind of address Gl...

Page 358: ...e a Unicast address of a server or another relay agent or it may be a Multicast address There are two types of relay destination addresses A link local Unicast or Multicast IPv6 address for which a user must specify an output interface A global Unicast IPv6 address A user can optionally specify an output interface for this kind of address If no output interface is configured for a destination the ...

Page 359: ...xample 2 The following example sets the relay well known Multicast link local destination address per VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if it was not enabled switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 dhcp relay destination vlan 200 switchxxxxxx config if exit Example 3 The following example sets the Unicast global relay destination address and enables the D...

Page 360: ...w ipv6 dhcp command in User EXEC mode This information is relevant for DHCPv6 clients and DHCPv6 relays Syntax show ipv6 dhcp Parameters NA Command Mode User EXEC mode User Guidelines This command uses the DUID which is based on the link layer address for both client and server identifiers The device uses the MAC address from the lowest numbered interface to form the DUID Examples Example 1 The fo...

Page 361: ...010024012607AA Format 3 Hardware type 1 MAC Address 0024 0126 07AA Example 3 The following is sample output from this command when the switch s DUID format is vendorbased on link layer address and DHCPv6 Relay is supported switchxxxxxx show ipv6 dhcp The switch s DHCPv6 unique identifier DUID is 000300010024012607AA Format 3 Hardware type 1 MAC Address 0024 0126 07AA Relay Destinations 2001 001 25...

Page 362: ...nabled are displayed If an interface is specified in the command only information about the specified interface is displayed Note It is a legacy output format supported by SW versions not supporting statefull configuration Example The following is sample output from this command when only the Stateless service is enabled switchxxxxxx show ipv6 dhcp interface VLAN 100 is in client mode DHCP Operati...

Page 363: ...erational mode is disabled IPv6 is not enabled Stateless Service is enabled Reconfigure service is enabled Information Refresh Minimum Time 600 seconds Information Refresh Time 86400 seconds Remain Information Refresh Time 0 seconds VLAN 1000 is in client mode DHCP Operational mode is disabled Interface status is DOWN Stateless Service is enabled Reconfigure service is enabled Information Refresh ...

Page 364: ...s that all the dynamic hostname to address mappings are to be deleted from the DNS client name to address cache Default Configuration No hostname to address mapping entries are deleted from the DNS client name to address cache Command Mode Privileged EXEC mode User Guidelines To remove the dynamic entry that provides mapping information for a single hostname use the hostname argument To remove all...

Page 365: ...p Use the ip domain lookup command in Global Configuration mode to enable the IP Domain Naming System DNS based host name to address translation To disable the DNS use the no form of this command Syntax ip domain lookup no ip domain lookup Parameters N A Default Configuration Enabled Command Mode Global Configuration mode Example The following example enables DNS based host name to address transla...

Page 366: ...qualified name from the domain name Length 1 158 characters Maximum label length of each domain level is 63 characters Default Configuration No default domain name is defined Command Mode Global Configuration mode User Guidelines Any IP hostname that does not contain a domain name that is any name without a dot will have the dot and the default domain name appended to it before being added to the ...

Page 367: ...onfiguration The default value is 2 R 1 T where R is a value configured by the ip domain retry command T is a value configured by the ip domain timeout command Command Mode Global Configuration mode User Guidelines Some applications communicate with the given IP address continuously DNS clients for such applications which have not received resolution of the IP address or have not detected a DNS se...

Page 368: ... times to retry sending a DNS query to the DNS server The range is from 0 to 16 Default Configuration The default value is 1 Command Mode Global Configuration mode User Guidelines The number argument specifies how many times the DNS query will be sent to a DNS server until the switch decides that the DNS server does not exist Example The following example shows how to configure the switch to send ...

Page 369: ... Configuration mode User Guidelines Use the command to change the default time out value Use the no form of this command to return to the default time out value Example The following example shows how to configure the switch to wait 50 seconds for a response to a DNS query switchxxxxxx config ip domain timeout 50 15 7 ip host Use the ip host Global Configuration mode command to define the static h...

Page 370: ...Command Mode Global Configuration mode User Guidelines Host names are restricted to the ASCII letters A through Z case insensitive the digits 0 through 9 the underscore and the hyphen A period is used to separate labels An IP application will receive the IP addresses in the following order 1 IPv6 addresses in the order specified by the command 2 IPv4 addresses in the order specified by the command...

Page 371: ... Parameters server address1 IPv4 or IPv6 addresses of a single name server server address2 server address8 IPv4 or IPv6 addresses of additional name servers Default Configuration No name server IP addresses are defined Command Mode Global Configuration mode User Guidelines The preference of the servers is determined by the order in which they were entered Each ip name server command replaces the c...

Page 372: ...splayed for all configured DNS views This is the default hostname The specified host name cache information displayed is to be limited to entries for a particular host name Command Mode Privileged EXEC mode Default Configuration Default is all User Guidelines This command displays the default domain name a list of name server hosts and the cached list of host names and addresses Example The follow...

Page 373: ...tic 2 192 0 2 205 static 3 192 0 2 105 DHCPv6 vlan 100 1 2002 0 22AC 11 231A 0BB4 DHCPv4 vlan 1 1 192 1 122 20 DHCPv4 vlan 1 2 154 1 122 20 Casche Table Flags static dynamic OK Ne OK Okay Ne Negative Cache No Response Host Flag Address Age in preference order example1 company com dynamic OK 2002 0 130F 0A0 1504 0BB4 1 112 0 2 10 176 16 8 8 123 124 173 0 2 30 39 example2 company com dynamic example...

Page 374: ...tion EEE is enabled Command Mode Global Configuration mode User Guidelines In order for EEE to work the device at the other end of the link must also support EEE and have it enabled In addition for EEE to work properly auto negotaition must be enabled however if the port speed is negotiated as 1Giga EEE always works regardless of whether the auto negotiation status is enabled or disabled If auto n...

Page 375: ...nts or keywords Default Configuration EEE is enabled Command Mode Interface Ethernet Configuration mode User Guidelines If auto negotiation is not enabled on the port and its speed is 1 Giga the EEE operational status is disabled Example switchxxxxxx config interface gi11 switchxxxxxx config if eee enable 16 3 eee lldp enable To enable EEE support by LLDP on an Ethernet port use the eee lldp enabl...

Page 376: ...delines Enabling EEE LLDP advertisement enables devices to choose and change system wake up times in order to get the optimal energy saving mode Example switchxxxxxx config interface gi11 switchxxxxxx config if eee lldp enable 16 4 show eee Use the show eee EXEC command to display EEE information Syntax show eee interface id Parameters interface id Optional Specify an Ethernet port Defaults None C...

Page 377: ... on ports gi11 2 gi14 EEE LLDP Administrate status is enabled on ports gi11 3 EEE LLDP Operational status is enabled on ports gi11 2 Example 2 The following is the information displayed when a port is in the Not Present state no information is displayed if the port supports EEE switchxxxxxx show eee gi11 Port Status notPresent EEE Administrate status enabled EEE LLDP Administrate status enabled Ex...

Page 378: ...G EEE supported Speed 10G EEE not supported Current port speed 1000Mbps EEE Administrate status enabled EEE LLDP Administrate status enabled Example 5 The following is the information displayed when the neighbor does not support EEE switchxxxxxx show eee gi14 Port Status UP EEE capabilities Speed 10M EEE not supported Speed 100M EEE supported Speed 1G EEE supported Speed 10G EEE not supported Curr...

Page 379: ...tional status disabled EEE LLDP Administrate status enabled EEE LLDP Operational status disabled Example 7 The following is the information displayed when EEE is running on the port and EEE LLDP is disabled switchxxxxxx show eee gi12 Port Status UP EEE capabilities Speed 10M EEE not supported Speed 100M EEE supported Speed 1G EEE supported Speed 10G EEE not supported Current port speed 1000Mbps EE...

Page 380: ...ot supported Current port speed 1000Mbps EEE Remote status enabled EEE Administrate status enabled EEE Operational status enabled EEE LLDP Administrate status enabled EEE LLDP Operational status enabled Resolved Tx Timer 10usec Local Tx Timer 10 usec Remote Rx Timer 5 usec Resolved Timer 25 usec Local Rx Timer 20 usec Remote Tx Timer 25 usec Example 9 The following is the information displayed whe...

Page 381: ...Tx Timer 64 Resolved Rx Timer 16 Local Rx Timer 16 Example 10 The following is the information displayed when EEE and EEE LLDP are running on the port show eee gi13 Port Status UP EEE capabilities Speed 10M EEE not supported Speed 100M EEE supported Speed 1G EEE supported Speed 10G EEE not supported Current port speed 1000Mbps EEE Remote status enabled EEE Administrate status enabled EEE Operation...

Page 382: ...EEE Commands 381 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 16 Local Rx Timer 20 usec Remote Tx Timer 25 usec ...

Page 383: ...tion mode command Syntax interface interface id Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port port channel VLAN range IP interface or tunnel Default Configuration None Command Mode Global Configuration mode Examples Example 1 For Ethernet ports switchxxxxxx config interface gi11 switchxxxxxx config if Example 2 For port channels ...

Page 384: ...t port VLAN or port channel Default Configuration None Command Mode Interface Ethernet Port Channel VLAN Configuration mode User Guidelines Commands under the interface range context are executed independently on each interface in the range If the command returns an error on one of the interfaces it does not stop the execution of the command on other interfaces Example switchxxxxxx config interfac...

Page 385: ... The DOWN state of ifOperStatus means that the interface does not transmit receive messages from to higher levels For example if you shut down a VLAN on which an IP interface is configured bridging into the VLAN continues but the switch cannot transmit and receive IP traffic on the VLAN Notes If the switch shuts down an Ethernet port it additionally shuts down the port MAC sublayer too If the swit...

Page 386: ...tdown switchxxxxxx config if Example 4 The following example shuts down tunnel 1 switchxxxxxx config interface tunnel 1 switchxxxxxx config if shutdown switchxxxxxx config if Example 5 The following example shuts down Port Channel 3 switchxxxxxx config interface po3 switchxxxxxx config if shutdown switchxxxxxx config if 17 4 operation time To control the time that the port is up use the operation ...

Page 387: ...n auto state that are connected to end stations in order to proceed to the forwarding state immediately after successful authentication Example The operation time command influences the port if the port status is up This command defines the time frame during which the port stays up and at which time the port will be shutdown While the port is in shutdown because of other reasons this command has n...

Page 388: ...de Interface Ethernet Port Channel Configuration mode Example The following example adds the description SW 3 to gi14 switchxxxxxx config interface gi14 switchxxxxxx config if description SW 3 17 6 speed To configure the speed of a given Ethernet interface when not using auto negotiation use the speed Interface Ethernet Port Channel Configuration mode command To restore the default configuration u...

Page 389: ...ability Example The following example configures the speed of gi14 to 100 Mbps operation switchxxxxxx config interface gi14 switchxxxxxx config if speed 100 17 7 duplex To configure the full half duplex operation of a given Ethernet interface when not using auto negotiation use the duplex Interface Ethernet Port Channel Configuration mode command To restore the default configuration use the no for...

Page 390: ...interface use the negotiation Interface Ethernet Port Channel Configuration mode command To disable auto negotiation use the no form of this command Syntax negotiation capability capability2 capability5 preferred master slave no negotiation Parameters Capability Optional Specifies the capabilities to advertise Possible values 10h 10f 100h 100f 1000f 10h Advertise 10 half duplex 10f Advertise 10 fu...

Page 391: ...tion on gi11 switchxxxxxx config interface gi11 switchxxxxxx config if negotiation 17 9 flowcontrol To configure the Flow Control on a given interface use the flowcontrol Interface Ethernet Port Channel Configuration mode command To disable Flow Control use the no form of this command Syntax flowcontrol auto on off no flowcontrol Parameters auto Specifies auto negotiation of Flow Control on Enable...

Page 392: ... on 17 10 mdix To enable cable crossover on a given interface use the mdix Interface Ethernet Configuration mode command To disable cable crossover use the no form of this command Syntax mdix on auto no mdix Parameters on Enables manual MDIX auto Enables automatic MDI MDIX Default Configuration The default setting is Auto Command Mode Interface Ethernet Configuration mode Example The following exa...

Page 393: ...ure Parameters This command has no arguments or keywords Default Configuration Back pressure is disabled Command Mode Interface Ethernet Configuration mode User Guidelines Back pressure cannot be enabled when EEE is enabled Example The following example enables back pressure on port gi11 switchxxxxxx config interface gi11 switchxxxxxx config if back pressure 17 12 port jumbo frame To enable jumbo ...

Page 394: ...This command takes effect only after resetting the device Example The following example enables jumbo frames on the device switchxxxxxx config port jumbo frame 17 13 link flap prevention To enable setting a physical interface to err disable state due to excessive link flapping use the link flap prevention Global Configuration mode command Use the no form of this command to restore the default conf...

Page 395: ...flap prevention The errdisable recovery reset command with the link flapping parameter to recover all interfaces in this state due to link flap prevention or the interface interface id parameter to reset a given interface The errdisable recovery cause with the link flapping parameter to automatically recover from the link flap prevention error disabled state The command sequence of shutdown and th...

Page 396: ...xample clears the statistics counters for gi11 switchxxxxxx clear counters gi11 17 15 set interface active To reactivate an interface that was shut down use the set interface active Privileged EXEC mode command Syntax set interface active interface id Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel Command ...

Page 397: ...y stp bpdu guard loopback detection udld storm control link flap Parameters all Enables the error recovery mechanism for all reasons described below port security Enables the error recovery mechanism for the port security Err Disable state dot1x src address Enables the error recovery mechanism for the 802 1x Err Disable state acl deny Enables the error recovery mechanism for the ACL Deny Err Disab...

Page 398: ... all states switchxxxxxx config errdisable recovery cause all 17 17 errdisable recovery interval To set the error recovery timeout intervalse the errdisable recovery interval Global Configuration mode command To return to the default configuration use the no form of this command Syntax errdisable recovery interval seconds no errdisable recovery interval Parameters seconds Specifies the error recov...

Page 399: ...ol link flap interface interface id Parameters all Reactivate all interfaces regardless of their state port security Reactivate all interfaces in the Port Security Err Disable state dot1x src address Reactivate all interfaces in the 802 1x Err Disable state acl deny Reactivate all interfaces in the ACL Deny Err Disable state stp bpdu guard Reactivate all interfaces in the STP BPDU Guard Err Disabl...

Page 400: ...itchxxxxxx errdisable recovery reset all Example 3 The following example enables all interfaces in the port security Err Disable state switchxxxxxx errdisable recovery reset port security 17 19 show interfaces configuration To display the configuration for all configured interfaces or for a specific interface use the show interfaces configuration Privileged EXEC mode command Syntax show interfaces...

Page 401: ...nd Mode Privileged EXEC mode Example The following example displays the configuration of all configured interfaces switchxxxxxx show interfaces configuration Flow Admin Back Mdix Port Type Duplex Speed Neg control State Pressure Mode gi11 1G Copper Full 1000 Disabled Off Up Disabled Off Flow Admin PO Type Speed Neg Control State Po1 Disabled Off Up switchxxxxxx show interfaces configuration Port t...

Page 402: ...ce ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Command Mode Privileged EXEC mode Default Configuration Display for all interfaces If detailed is not used only present ports are displayed Example The following example displays the status of all configured interfaces switchxxxxxx show int...

Page 403: ... all configured interfaces or for a specific interface use the show interfaces advertise Privileged EXEC mode command Syntax show interfaces advertise interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present por...

Page 404: ...faces advertise Port gi11 gi12 Type 1G Copper 1G Copper Neg Enable Enable Prefered Master Slave Operational Link Advertisement 1000f 100f 10f 10h 1000f switchxxxxxx show interfaces advertise gi11 Port gi11 Type 1G Copper Link state Up Auto Negotiation enabled Preference Master Admin Local link Advertisement Oper Local link Advertisement Remote Local link Advertisement Priority Resolution 10h yes y...

Page 405: ... to present ports Default Configuration Display description for all interfaces If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Example The following example displays the description of all configured interfaces 17 23 show interfaces counters To display traffic seen by all the physical interfaces or by a specific interface use the show interfaces counters ...

Page 406: ...to present ports Default Configuration Display counters for all interfaces If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Example The following example displays traffic seen by all the physical interfaces switchxxxxxx show interfaces counters gi11 Port InUcastPkts InMcastPkts InBcastPkts InOctets gi11 0 0 0 0 Port OutUcastPkts OutMcastPkts OutBcastPkts O...

Page 407: ...ion Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 406 17 Carrier Sense Errors 0 Oversize Packets 0 Internal MAC Rx Errors 0 Symbol Errors 0 Received Pause Frames 0 Transmitted Pause Frames 0 ...

Page 408: ...sequently transmitted successfully Multiple Collision Frames Number of frames that are involved in more than one collision and are subsequently transmitted successfully SQE Test Errors Number of times that the SQE TEST ERROR is received The SQE TEST ERROR is set in accordance with the rules for verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std 8...

Page 409: ...guments or keywords Default Configuration None Command Mode Privileged EXEC mode Example The following example displays whether jumbo frames are enabled on the device switchxxxxxx show ports jumbo frame Jumbo frames are disabled Jumbo frames will be enabled after reset Received Pause Frames Number of MAC Control frames received with an opcode indicating the PAUSE operation Transmitted Pause Frames...

Page 410: ...s command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Example The following example displays whether link flap prevention is enabled on the device switchxxxxxx show link flap prevention link flap prevention is currently enabled on device 17 26 show errdisable recovery To display the Err Disable configuration of the device use the show errdisable recove...

Page 411: ...overy Timer interval 300 Seconds Reason Automatic Recovery port security Disable dot1x src address Disable acl deny Enable stp bpdu guard Disable stp loopback guard Disable loop detection Disable udld Disable storm control Disable link flap Disable 17 27 show errdisable interfaces To display the Err Disable state of all interfaces or of a specific interface use the show errdisable interfaces Privi...

Page 412: ...11 switchxxxxxx show errdisable interfaces Interface Reason gi11 stp bpdu guard 17 28 clear switchport monitor To clear monitored statistics on all or on a specific interface or interface list use the clear switchport monitor Privileged EXEC mode command Syntax clear switchport monitor interface id list Parameters interface id list Optional Specifies a list of interface ID The interface ID can be ...

Page 413: ...erface id days weeks show switchport monitor utilization interface id Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel seconds last 20 samples sampled every 15 seconds minutes last 60 samples sampled every 60 seconds every round minute according to system time hours last 24 samples sampled every 60 minutes e...

Page 414: ...tilization summary per interface of the last time frame in each time frame i e last minute last hour last day and last week The show switchport monitor interface id is used to show monitored statistics samples collected per time frame and per counter types Examples Example 1 The following example displays monitored statistics utilization seen by interface gi11 switchxxxxxx show switchport monitor ...

Page 415: ...ces Command Line Interface Reference Guide 414 17 switchxxxxxx show switchport monitor gi11 minutes tx Not all samples are available Time 04 22 00 04 23 00 Unicast frames Sent 95 80 Broadcast frames Sent 80 70 Multicast frames Sent 60 60 Good Octet Sent 20 50 ...

Page 416: ...tets Good Unicast frames Sent Number of transmitted Unicast packets Good Multicast frames Sent Nmber of transmitted Unicast packets Good Broadcast frames Sent Number of transmitted Broadcast packets Frames of 64 bytes Number of received packets size of 64 bytes Frames of 65 127 bytes Number of received packets size of 65 127 bytes Frames of 128 255 bytes Number of received packets size of 128 255 ...

Page 417: ...5 Devices Command Line Interface Reference Guide 416 17 Tx Utilization Utilization in percentage for Sent frames on the interface Rx Tx Utilization An average of the Rx Utilization and the Tx Utilization in percentage on the interface Field Description ...

Page 418: ...password location file path usb file path flash file path current directory file path higher directory file path file path username string up to 70 characters password string up to 70 characters location ipv4 address ipv6 address dns name current directory usb flash higher directory usb flash file path directories path filename directories path directory name directories path directory name The ma...

Page 419: ...32 Full support NTFS Partially support read only The switch supports the following predefined URL aliases active image The predefined URL alias specifies the Active Image file This file has the following permissions readable executable inactive image The predefined URL alias specifies the Inactive Image file This file has the following permissions readable executable running config The predefined ...

Page 420: ...Example Example 1 The following example specifies a file on TFTP server using an IPv4 address tftp 1 1 1 1 aaa dat file txt Example 2 The following example specifies a file on TFTP server using an IPv6 address tftp 3000 1 2 11 aaa dat file txt Example 3 The following example specifies a file on TFTP server using a DNS name tftp files export com aaa dat file txt Example 4 The following example spec...

Page 421: ...tory usb aaa dat file txt usb aaa dat file txt Example 9 The following example specifies a file on mass storage device connected to the USB port using the higher directory usb aaa dat file txt 18 2 System Flash Files The system files used by the switch are in the flash system directory A user cannot add delete and rename the system files and directories a user cannot create new directories under t...

Page 422: ...actory Default removes all files from the FLASH except the following files active image inactive image mirror config localization The flash system directory contains the following directories flash system images The directory contains the Active and Inactive Image files flash system configuration The directory contains the Startup and Mirror Configuration files flash system localization The direct...

Page 423: ... Command Mode Privileged EXEC mode User Guidelines Use the boot config startup config url command to install Startup Configuration from the startup config url file The file must be a text file containing CLI commands The command performs the following actions Copies the file into the system directory flash system configuration Converts the file format from the text format in the inner binary forma...

Page 424: ...onfig boot config flash confiration files config v1 9 dat Example 3 The following example unsets the current Startup Configuration switchxxxxxx config no boot config Example 4 The following example installs Startup Configuration from the Running Configuration file switchxxxxxx config boot config running confg Example 5 The following example installs Startup Configuration from the Mirror Configurat...

Page 425: ... file into the system directory flash system localization Validates its format If the file does not have the correct format the file is deleted and the command is finished with an error Installs the copied file as Secondary Language Dictionary The previous Secondary Language Dictionary file is deleted Use the no boot dictionary command to uninstall Secondary Language Dictionary The uninstalled fil...

Page 426: ...es Use the boot system image url command to install a new active image from the image url file The command performs the following actions Copies the file into the system directory flash system image Validates its format If the file does not have the correct image format the file is deleted and the command is finished with an error Installs the copied file as the active image that will be used be l...

Page 427: ...ot system flash images image v1 1 ros Example 3 The following example sets the inactive image switchxxxxxx config boot system inactive image 18 6 cd To change the current directory or file system use the cd command in User EXEC mode Syntax cd url Parameters url Specifies a directory on FLASH or on USB Default Configuration The flash root directory flash Command Mode User EXEC mode User Guidelines ...

Page 428: ...s a new current directory on USB switchxxxxxx pwd flash switchxxxxxx cd usb switchxxxxxx pwd usb 18 7 copy To copy any file from a source to a destination use the copy command in Privileged EXEC mode Syntax copy src url dst url copy running config startup config dst url exclude include encrypted include plaintext copy src url running config copy running config startup config Parameters src url The...

Page 429: ...lash file the command fails if this file does not have the writable permission If the dst url argument defines a directory file then the file is copied into the directory with the same name No file format validation or conversion is performed If the src url argument and dst url arguments define flash files the dst url file will have the permissions of the src url file If the src url argument defin...

Page 430: ...chxxxxxx copy running config startup config Example 4 The following example copies the Syslog file to a TFTP server switchxxxxxx copy logging tftp 1 1 1 1 syslog txt Example 5 The following example copies a file from the mass storage device connected to the USB port to Flash switchxxxxxx copy usb aaa file1 txt flash dir1 file2 18 8 delete To delete a local file use the delete command in Privileged...

Page 431: ...tes the file called backup config from FLASH switchxxxxxx cd flash backup switchxxxxxx delete aaa ttt Delete flash backup aaa ttt Y N Y Example 2 The following example deletes the file called aaa config from the mass storage device connected to the USB port switchxxxxxx delete usb aaa config Delete usb aaa config Y N Y 18 9 dir To display a list of files on a file system use the dir command in Use...

Page 432: ...displays the flash mng directory switchxxxxxx dir flash mng Permissions d directory r readable w writable x executable 134560K of 520000K are free Directory of flash mng Permission File Size Last Modified File Name drw 4720148 Dec 12 2010 17 49 36 bin r 60 Dec 12 2011 17 49 36 config list r 160 Feb 12 2011 17 49 36 image list r x 6520148 Nov 29 2010 7 12 30 image1 rw 2014 Nov 20 2010 9 12 30 data ...

Page 433: ...into the flash system directory All directories defined in the url argument except the created one must exist Example Example 1 The following example creates a directory on FLASH switchxxxxxx mkdir flash date aaa Example 2 The following example creates a directory on the mass storage device connected to the USB port switchxxxxxx mkdir usb newdir 18 11 more To display the contents of a file use the...

Page 434: ...s the specified format The more active image and more inactive image commands display only the version number of the image regardless the specified format Example The following example displays the running configuration file contents switchxxxxxx more running config no spanning tree interface range gi1 1 11 48 speed 1000 exit no lldp run line console exec timeout 0 18 12 pwd To show the current di...

Page 435: ...ple uses the cd command to change the current directory and then uses the pwd command to display that current directory switchxxxxxx pwd flash switchxxxxxx cd date aaa switchxxxxxx pwd flash date aaa 18 13 reload To reload the operating system use the reload command in Privileged EXEC mode Syntax reload reload in hhh mm mmm at hh mm day month reload cancel Parameters in hhh mm mmm Schedules a relo...

Page 436: ...ode Privileged EXEC mode User Guidelines Use the reload command to reload the switch Use the reload in hhh mm mmm at hh mm day month command the command to specify scheduled switch reload The at keyword can be configured only if the system clock has been set on the switch When you specify the reload time using the at keyword if you specify the month and day the reload takes place at the specified ...

Page 437: ...e image at 12 10 24 Aug switchxxxxxx reload at 12 10 24 Aug This command will reset the whole system and disconnect your current session Reload is scheduled for 12 10 00 UTC Sun Aug 24 2014 in 1 hours and 12 minutes Do you want to continue Y N N Example 4 The following example reloads the image at 13 00 switchxxxxxx reload at 13 00 soft This command will reset the whole system and disconnect your ...

Page 438: ...er Guidelines The url and new url arguments must specifies the same driver The command cannot rename a network file or network directory The command cannot rename a file or directory into the flash system directory Examples Example 1 The following example renames the flash bin text1 txt file to flash archive text1sav txt switchxxxxxx cd flash archive switchxxxxxx rename flash bin text1 txt text1sa...

Page 439: ...rectory r readable w writable x executable 134560K of 520000K are free Directory of flash e g h File Name Permission File Size Last Modified switchxxxxxx rename flash a b flash e g h switchxxxxxx pwd flash e g h c d switchxxxxxx dir flash a Permissions d directory r readable w writable x executable 134560K of 520000K are free Directory of flash mng File Name Permission File Size Last Modified swit...

Page 440: ...e or directory to be deleted The predefined and network URLs cannot be configured Command Mode Privileged EXEC mode User Guidelines Only empty directory can be deleted The command cannot remove a network directory The command cannot remove a directory into the flash system directory Example Example 1 The following example removes the directory called backup config from FLASH switchxxxxxx rmdir fla...

Page 441: ...on Parameters This command has no arguments or keywords Default Configuration The default configuration is mirror configuration service enabled Command Mode Global Configuration mode User Guidelines The mirror configuration service automatically keeps a copy of the last known stable configuration startup configuration that has not been modified for 24H When this service is disabled the mirror conf...

Page 442: ...image file that will be loaded after rebooting the switch use the show bootvar or show version command in User EXEC mode Syntax show bootvar show version Parameters This command has no arguments or keywords Command Mode User EXEC mode User Guidelines The show bootvar and show version commands have the same functionality Example Example 1 The following example gives an example of the command output...

Page 443: ...3 ros Version 12 03 MD5 Digest 63FA000012857D8855AABEA7451265456 Date 04 Jul 2014 Time 15 03 07 Inactive after reboot Inactive image flash system images image_v14 01 ros Version 14 01 MD5 Digest 23FA000012857D8855AABC7577AB5562 Date 24 Jul 2014 Time 23 11 17 Active after reboot Example 3 This example continues the inactive one after a system reload switchxxxxxx show bootvar Active image flash syst...

Page 444: ...14 Time 23 11 17 Inactive after reboot Inactive image flash system images image_v12 03 ros Version 12 03 MD5 Digest 63FA000012857D8855AABEA7451265456 Date 04 Jul 2014 Time 15 03 07 Active after reboot Example 5 This example continues the inactive one after a system reload switchxxxxxx show bootvar Active image flash system images image_v12 03 ros Version 12 03 MD5 Digest 63FA000012857D8855AABEA745...

Page 445: ...8855AABC7577AB8999 Date 04 Feb 2001 Time 11 13 17 switchxxxxxx boot system tftp 1 1 1 1 image_v14 01 ros switchxxxxxx show bootvar Active image flash system images image_v12 03 ros Version 12 03 MD5 Digest 63FA000012857D8855AABEA7451265456 Date 04 Jul 2014 Time 15 03 07 Inactive after reboot Inactive image flash system images image_v14 01 ros Version 14 01 MD5 Digest 23FA000012857D8855AABC7577AB55...

Page 446: ...xxxxxx show bootvar Active image flash system images image_v12 03 ros Version 12 03 MD5 Digest 63FA000012857D8855AABEA7451265456 Date 04 Jul 2014 Time 15 03 07 Inactive image flash system images image_v12 01 ros Version 12 01 MD5 Digest 3FA000012857D8855AABC7577AB8999 Date 04 Feb 2001 Time 11 13 17 switchxxxxxx boot system tftp 1 1 1 1 image_v14 01 ros switchxxxxxx show bootvar Active image flash ...

Page 447: ...active image flash system images image_v14 01 ros Version 14 01 MD5 Digest 23FA000012857D8855AABC7577AB5562 Date 24 Jul 2014 Time 23 11 17 18 18 show mirror configuration service To display the mirror configuration service status use the show mirror configuration service command in User EXEC mode Syntax show mirror configuration service Command Mode User EXEC mode Example The following example dis...

Page 448: ...e reload To cancel the reload use the reload command with the cancel keyword Example Example 1 The following example displays information when scheduled reload has been configured switchxxxxxx show reload Image reload scheduled for 00 00 00 UTC Sat April 20 in 3 hours and 12 minutes Example 2 The following example displays information when scheduled reload has not been configured switchxxxxxx show...

Page 449: ...guration without SSL and SSH keys Default Configuration All interfaces are displayed If the detailed or brief keyword is not specified the brief keyword is applied Command Mode Privileged EXEC mode Example The following example displays the running configuration file contents switchxxxxxx show running config config file header AA307 02 v1 2 5 76 R750_NIK_1_2_584_002 CLI v1 0 file SSD indicator enc...

Page 450: ...how startup config command in Privileged EXEC mode Syntax show startup config interface interface id list Parameters interface interface id list Specifies a list of interface IDs The interface IDs can be one of the following types Ethernet port port channel or VLAN Command Mode Privileged EXEC mode Example The following example displays the startup configuration file contents switchxxxxxx show sta...

Page 451: ...rol start ssd config ssd file passphrase control unrestricted no ssd file integrity control ssd control end cb0a3fdb1f3a1af4e4430033719968c0 no spanning tree interface range gi11 4 speed 1000 exit no lldp run interface vlan 1 ip address 1 1 1 1 255 0 0 0 exit line console exec timeout 0 exit switchxxxxxx ...

Page 452: ...uidelines Use the write command or the write memory command to save the Running Configuration file into the Startup Configuration file Examples The following example shows how to overwrite the startup config file with the running config file with the write command switchxxxxxx write Overwrite file startup config Yes press any key for no 15 Sep 2010 11 27 48 COPY I FILECPY Files Copy source URL run...

Page 453: ... the clear gvrp statistics Privileged EXEC mode command Syntax clear gvrp statistics interface id Parameters Interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration All GVRP statistics are cleared Command Mode Privileged EXEC mode Example The following example clears all GVRP statistical information on g...

Page 454: ...the no form of this command Syntax gvrp enable no gvrp enable Parameters This command has no arguments or keywords Default Configuration GVRP is globally disabled Command Mode Global Configuration mode Example The following example enables GVRP globally on the device switchxxxxxx config gvrp enable 19 3 gvrp enable Interface To enable GVRP on an interface use the gvrp enable Interface Ethernet Por...

Page 455: ...ged VLAN is propagated in the same way as in a tagged VLAN That is the PVID must be manually defined as the untagged VLAN ID Example The following example enables GVRP on gi14 switchxxxxxx config interface gi14 switchxxxxxx config if gvrp enable 19 4 gvrp registration forbid To deregister all dynamic VLANs on a port and prevent VLAN creation or registration on the port use the gvrp registration fo...

Page 456: ...face gi12 switchxxxxxx config if gvrp registration forbid 19 5 gvrp vlan creation forbid To disable dynamic VLAN creation or modification use the gvrp vlan creation forbid Interface Configuration mode command To enable dynamic VLAN creation or modification use the no form of this command Syntax gvrp vlan creation forbid no gvrp vlan creation forbid Parameters This command has no arguments or keywo...

Page 457: ...led Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Optional Displays information for non present ports in addition to present ports Default Configuration All GVRP statistics are displayed for all interfaces If detailed is not used only present ports are displayed Command Mode User EXEC mode Exampl...

Page 458: ...rameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration All GVRP error statistics are displayed Command Mode User EXEC mode Example The following example displays GVRP error statistics switchxxxxxx show gvrp error statistics GVRP Error Statistics Legend INVPROT Invalid Protocol Id INVATYP Invali...

Page 459: ...nal Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port channel Default Configuration All GVRP statistics are displayed Command Mode User EXEC mode Example The following example displays GVRP statistical information switchxxxxxx show gvrp statistics GVRP statistics Legend rJE rEmp rLE sJE sEmp sLE Join Empty Received Empty Received Leave Empty Receive...

Page 460: ...59 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 19 Port gi11 gi12 gi13 gi14 rJE 0 0 0 0 rJIn 0 0 0 0 rEmp 0 0 0 0 rLIn 0 0 0 0 rLE 0 0 0 0 rLA 0 0 0 0 sJE 0 0 0 0 sJIn 0 0 0 0 sEmp 0 0 0 0 sLIn 0 0 0 0 sLE 0 0 0 0 sLA 0 0 0 0 ...

Page 461: ...orm of this command Syntax green ethernet energy detect no green ethernet energy detect Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Global Configuration mode Example switchxxxxxx config green ethernet energy detect 20 2 green ethernet energy detect interface Use the green ethernet energy detect Interface configuration mode command to enable Gree...

Page 462: ...orts When a port is enabled for auto selection copper fiber Energy Detect cannot work It takes the PHY 5 seconds to fall into sleep mode when the link is lost after normal operation Example switchxxxxxx config interface gi11 switchxxxxxx config if green ethernet energy detect 20 3 green ethernet short reach global Use the green ethernet short reach Global Configuration mode command to enable Green...

Page 463: ...Interface Configuration mode command to enable green ethernet short reach mode on a port Use the no form of this command to disable it on a port Syntax green ethernet short reach no green ethernet short reach Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Interface Ethernet Configuration mode User Guidelines The VCT length check can be performed on...

Page 464: ... mode is enabled Example switchxxxxxx config interface gi11 switchxxxxxx config if green ethernet short reach 20 5 green ethernet power meter reset Use the green ethernet power meter reset Privileged EXEC mode command to reset the power save meter Syntax green ethernet power meter reset Parameters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mod...

Page 465: ... Mode Privileged EXEC mode User Guidelines The power savings displayed is relevant to the power saved by Port LEDs Energy detect Short reach The EEE power saving is dynamic by nature since it is based on port utilization and is therefore not taken into consideration The following describes the reasons for non operation displayed by this command If there are a several reasons then only the highest ...

Page 466: ...is based on the saving during the previous week NA information for previous week is not available Short Reach cable length threshold 50m Port Energy Detect Short Reach VCT Cable Admin Oper Reason Admin Force Oper Reason Length gi11 on on off off off gi12 on off LU on off off 50 gi13 on off LU off off off Short Reach Non Operational Reasons Priority Reason Description 1 NP Port is not present 2 LT ...

Page 467: ...counters interface id Parameters interface id Optional Interface Identifier Command Mode Privileged EXEC mode User Guidelines Use the clear ip igmp counters command to clear the IGMP counters which keep track of the number of joins and leaves received If you omit the optional interface id argument the clear ip igmp counters command clears the counters on all interfaces Example The following exampl...

Page 468: ...up source specific queries are sent upon receipt of a message indicating a leave Range 1 7 Default Configuration A value of IGMP Robustness variable Command Mode Interface Configuration mode User Guidelines Use the ip igmp robustness command to change the IGMP last member query counter Example The following example changes a value of the IGMP last member query counter to 3 switchxxxxxx config inte...

Page 469: ...e Interface Configuration mode User Guidelines Use the ip igmp last member query interval command to configure the IGMP last member query interval on an interface Example The following example shows how to increase the the IGMP last member query interval to 1500 milliseconds switchxxxxxx config interface vlan 100 switchxxxxxx config if ip igmp last member query interval 1500 switchxxxxxx config if...

Page 470: ...n interface The IGMP querier sends query host messages to discover which multicast groups have members on the attached networks of the router The query interval must be bigger than the maximum query response time Example The following example shows how to increase the frequency at which the IGMP querier sends IGMP host query messages to 180 seconds switchxxxxxx config interface vlan 100 switchxxxx...

Page 471: ... deletes the group This command controls how much time the hosts have to answer an IGMP query message before the router deletes their group Configuring a value of fewer than 10 seconds enables the router to prune groups faster The maximum query response time must be less than the query interval Note If the hosts do not respond fast enough they might be pruned inadvertently Therefore the hosts must...

Page 472: ...link Parameter range Range 1 7 Default Configuration The default value is 2 Command Mode Interface Configuration mode User Guidelines Use the ip igmp robustness command to change the IGMP robustness variable Example The following example changes a value of the IGMP robustness variable to 3 switchxxxxxx config interface vlan 1 switchxxxxxx config if ip igmp robustness 3 switchxxxxxx config if exit ...

Page 473: ...ion mode User Guidelines Use the commnad to change the default version of IGMP Example The following example configures the router to use IGMP Version 2 switchxxxxxx config interface vlan 100 switchxxxxxx config if ip igmp version 2 switchxxxxxx config if exit 21 8 show ip igmp counters To display the Internet Group Management Protocol IGMP traffic counters use the show ip igmp counters command in...

Page 474: ...nterfaces Example The following example displays the IGMP protocol messages received and sent switchxxxxxx show ip igmp counters vlan 100 VLAN 100 Elapsed time since counters cleared 00 00 21 Failed received Joins 0 Total IGMPv1 received messages 0 Total IGMPv2 received messages 10 Total IGMPv3 received messages 0 Total invalid received messages 0 General Sent Queries 0 Specific Sent Queries 0 21 ...

Page 475: ...d to display all directly connected groups Use the show ip igmp groups group name group address detail command to display one given directly connected group Use the show ip igmp groups interface id detail command to display all groups directly connected to the given interface Examples Example 1 The following is sample output from the show ip igmp groups command It shows all of the groups joined by...

Page 476: ...9 133 Group Timer Expires 00 20 11 Group source list Source Address Expires 20 1 1 1 00 04 08 120 1 1 1 00 02 01 Group 226 1 1 2 Router mode EXCLUDE Last reporter 100 1 12 130 Group Timer Expiry 00 22 12 Exclude Mode Expiry Filter Timer 00 10 11 Group source list Source Address Expires 2 2 2 1 00 04 08 192 168 1 1 00 04 08 12 1 1 10 00 00 00 40 3 4 2 00 00 00 21 10 show ip igmp groups summary To d...

Page 477: ...s Example The following is sample output from the show ip igmp groups summary command switchxxxxxx show ip igmp groups summary IGMP Route Summary No of G routes 5 No of S G routes 0 Field Descriptions No of G routes 5 Displays the number of groups present in the IGMP cache No of S G routes 0 Displays the number of include and exclude mode sources present in the IGMP cache 21 11 show ip igmp interf...

Page 478: ...terface 2 1 1 switchxxxxxx show ip igmp interface vlan 100 VLAN 100 is up Administrative IGMP Querier IP address is 1 1 1 1 Operational IGMP Querier IP address is 1 1 1 1 Current IGMP version is 3 Administrative IGMP robustness variable is 2 seconds Operational IGMP robustness variable is 2 seconds Administrative IGMP query interval is 125 seconds Operational IGMP query interval is 125 seconds Adm...

Page 479: ...ace id Upstream Interface identifier Default Configuration The protocol is disabled on the interface Command Mode Interface Configuration mode User Guidelines Use the ip igmp proxy command to add downstream interfaces to an IGMP proxy tree If the proxy tree does not exist it is created Use the no format of the command to remove the downstream interface When the last downstream interface is removed...

Page 480: ...22 2 ip igmp proxy downstream protected To disable forwarding of IP Multicast traffic from downstream interfaces use the ip igmp proxy downstream protected command in Global Configuration mode To allow forwarding from downstream interfaces use the no form of this command Syntax ip igmp proxy downstream protected no ip igmp proxy downstream protected Parameters This command has no arguments or keyw...

Page 481: ...led disabled no ip igmp proxy downstream protected interface Parameters enabled Downstream interface protection on the interface is enabled IPv4 Multicast traffic arriving on the interface will not be forwarded disabled Downstream interface protection on the interface is disabled IPv4 Multicast traffic arriving on the interface will be forwarded Default Configuration Global downstream protection c...

Page 482: ...chxxxxxx config if exit 22 4 ip igmp proxy ssm To define the Source Specific Multicast SSM range of IP Multicast addresses use the ip igmp proxy ssm command in Global Configuration mode To disable the SSM range use the no form of this command Syntax ip igmp proxy ssm default range access list no ip igmp proxy ssm Parameters default Defines the SSM range access list to 232 0 0 0 8 see rfc4607 range...

Page 483: ...x config ip igmp proxy ssm range list1 22 5 show ip igmp proxy interface To display information about interfaces configured for IGMP Proxy use the show ip igmp proxy interface command in User EXEC mode or Privileged EXEC mode Syntax show ip igmp proxy interface interface id Parameters interface id Optional Display IGMP Proxy information about the interface Command Mode User EXEC mode Privileged EX...

Page 484: ...0 upstream vlan 102 downstream enabled vlan 110 downstream default vlan 113 downstream disabled Example 2 The following is sample output from the show ip igmp proxy interface command for given upstream interface switchxxxxxx show ip igmp proxy interface vlan 100 the switch is the Querier on the interface IP Forwarding is enabled IP Multicast Routing is enabled IGMP Proxy is enabled Global Downdtre...

Page 485: ... Routing is enabled IGMP Proxy is enabled Global Downdtream interfaces protection is disabled vlan 102 is a Downstream interface The switch is the Querier on vlan 102 Downsteam Interface protection is enabled SSM Access List Name default Upstream interface vlan 100 Example 4 The following is sample output from the show ip igmp proxy interface command for an interface on which IGMP Proxy is disable...

Page 486: ...efault use the no form of this command Syntax ip igmp snooping no ip igmp snooping Default Configuration Disabled Command Mode Global Configuration mode Example The following example enables IGMP snooping switchxxxxxx config ip igmp snooping 23 2 ip igmp snooping vlan To enable IGMP snooping on a specific VLAN use the ip igmp snooping vlan command in Global Configuration mode To return to the defa...

Page 487: ...tering command The user guidelines of the bridge multicast mode command describes the configuration that is written into the FDB as a function of the FDB mode and the IGMP version that is used in the network Example switchxxxxxx config ip igmp snooping vlan 2 23 3 ip igmp snooping vlan mrouter To enable automatic learning of Multicast router ports on a VLAN use the ip igmp snooping vlan mrouter co...

Page 488: ...VLAN is created Example switchxxxxxx config ip igmp snooping vlan 1 mrouter learn pim dvmrp 23 4 ip igmp snooping vlan mrouter interface To define a port that is connected to a Multicast router port use the ip igmp snooping mrouter interface command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id mrouter interface interface...

Page 489: ...ip igmp snooping vlan forbidden mrouter To forbid a port from being defined as a Multicast router port by static configuration or by automatic learning use the ip igmp snooping vlan forbidden mrouter command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id forbidden mrouter interface interface list no ip igmp snooping vlan v...

Page 490: ...layer Multicast address to the bridge table and to add static ports to the group defined by this address use the ip igmp snooping vlan static command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id static ip address interface interface list no ip igmp snooping vlan vlan id static ip address interface interface list Paramete...

Page 491: ...ip igmp snooping vlan multicast tv To define the Multicast IP addresses that are associated with a Multicast TV VLAN use the ip igmp snooping vlan multicast tv command in Global Configuration mode To return to the default use the no form of this command Syntax ip igmp snooping vlan vlan id multicast tv ip multicast address count number no ip igmp snooping vlan vlan id multicast tv ip multicast add...

Page 492: ...ulticast IP addresses that are associated with the Multicast TV VLAN Up to 256 VLANs can be configured Example switchxxxxxx config ip igmp snooping vlan 1 multicast tv 239 2 2 2 count 3 23 8 ip igmp snooping map cpe vlan To map CPE VLANs to Multicast TV VLANs use the ip igmp snooping map cpe vlan command in Global Configuration mode To return to the default use the no form of this command Syntax i...

Page 493: ...wing example maps CPE VLAN 2 to Multicast TV VLAN 31 switchxxxxxx config ip igmp snooping map cpe vlan 2 multicast tv vlan 31 23 9 ip igmp snooping querier To enable globally the IGMP Snooping querier use the ip igmp snooping querier command in Global Configuration mode To disable the IGMP Snooping querier globally use the no form of this command Syntax ip igmp snooping querier no ip igmp snooping...

Page 494: ...nd in Global Configuration mode To disable the IGMP Snooping querier on the VLAN interface use the no form of this command Syntax ip igmp snooping vlan vlan id querier no ip igmp snooping vlan vlan id querier Parameters vlan id Specifies the VLAN Default Configuration Disabled Command Mode Global Configuration mode User Guidelines The IGMP Snooping querier can be enabled on a VLAN only if IGMP Sno...

Page 495: ...ion If an IP address is configured for the VLAN it is used as the source address of the IGMP snooping querier If there are multiple IP addresses the minimum IP address defined on the VLAN is used Command Mode Global Configuration mode User Guidelines If an IP address is not configured by this command and no IP address is configured for the querier s VLAN the querier is disabled Example switchxxxxx...

Page 496: ...ng General Query messages for 60 seconds from the time it was enabled During this time if the switch did not receive an IGMP query from another Querier it starts sending General Query messages Once the switch acts as a Querier it will stop sending General Query messages if it detects another Querier on the VLAN In this case the switch will resume sending General Query messages if it does hear anot...

Page 497: ...fies the VLAN querier version 2 Specifies that the IGMP version would be IGMPv2 querier version 3 Specifies that the IGMP version would be IGMPv3 Default Configuration IGMPv2 Command Mode Global Configuration mode Example The following example sets the version of the IGMP Snooping Querier VLAN 1 to 3 switchxxxxxx config ip igmp snooping vlan 1 querier version 3 23 14 ip igmp snooping vlan immediat...

Page 498: ...ou can execute the command before the VLAN is created Example The following example enables IGMP snooping immediate leave feature on VLAN 1 switchxxxxxx config ip igmp snooping vlan 1 immediate leave 23 15 show ip igmp snooping cpe vlans To display the CPE VLAN to Multicast TV VLAN mappings use the show ip igmp snooping cpe vlans command in User EXEC mode Syntax show ip igmp snooping cpe vlans vla...

Page 499: ...s vlan vlan id address ip multicast address source ip address Parameters vlan vlan id Optional Specifies the VLAN ID address ip multicast address Optional Specifies the IP multicast address source ip address Optional Specifies the IP source address Command Mode User EXEC mode User Guidelines To see all Multicast groups learned by IGMP snooping use the show ip igmp snooping groups command without p...

Page 500: ... EXEC mode Syntax show ip igmp snooping interface vlan id Parameters vlan id Specifies the VLAN ID Command Mode User EXEC mode Example The following example displays the IGMP snooping configuration for VLAN 1000 switchxxxxxx show ip igmp snooping interface 1000 IGMP Snooping is globally enabled IGMP Snooping Querier is globally enabled VLAN 1000 IGMP Snooping is enabled IGMP snooping last immediat...

Page 501: ...nooping last member query counter admin 2 oper 2 IGMP snooping last member query interval admin 1000 msec oper 500 msec Groups that are in IGMP version 1 compatibility mode 231 2 2 3 231 2 2 3 23 18 show ip igmp snooping mrouter To display information on dynamically learned Multicast router interfaces for all VLANs or for a specific VLAN use the show ip igmp snooping mrouter command in User EXEC m...

Page 502: ...EC mode Syntax show ip igmp snooping multicast tv vlan vlan id Parameters vlan vlan id Optional Specifies the VLAN ID Command Mode User EXEC mode Example The following example displays the IP addresses associated with all Multicast TV VLANs switchxxxxxx show ip igmp snooping multicast tv VLAN IP Address 1000 239 255 0 0 1000 239 255 0 1 1000 239 255 0 2 1000 239 255 0 3 1000 239 255 0 4 1000 239 2...

Page 503: ...IGMP Snooping Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 502 23 1000 239 255 0 7 ...

Page 504: ...ip address Interface Configuration Ethernet VLAN Port channel mode command to define an IP address for an interface Use the no form of this command to remove an IP address definition Syntax ip address ip address mask prefix length no ip address ip address Parameters ip address Specifies the IP address mask Specifies the network mask of the IP address prefix length Specifies the number of bits that...

Page 505: ... displayed To change an existed IP address delete the existed one and add the new one While no IP address is assigned either by DHCP client or manually the default IP address 192 168 1 254 is assigned on the Default VLAN Examples Example 1 The following example configures VLAN 1 with IP address 131 108 1 27 and subnet mask 255 255 255 0 switchxxxxxx config interface vlan 1 switchxxxxxx config if i...

Page 506: ...mode command to acquire an IP address for an Ethernet interface from the Dynamic Host Configuration Protocol DHCP server Use the no form of this command to release an acquired IP address Syntax ip address dhcp no ip address dhcp Parameters N A Command Mode Interface Configuration mode User Guidelines Use the ip address dhcp command to enable DHCP client on the interface The ip address dhcp command...

Page 507: ...interface id force autoconfig Parameters interface id Specifies an interface force autoconfig If the DHCP server holds a DHCP option 67 record for the assigned IP address the record overwrites the existing device configuration Command Mode Privileged EXEC mode User Guidelines Use the renew dhcp command to renew a DHCP address on an interface This command does not enable DHCP client on an interface...

Page 508: ...ddress Specifies the default gateway IP address Command Mode Global Configuration mode Default Configuration No default gateway is defined User Guidelines Use the ip default gateway command to defines a default gateway default route The ip default gateway command adds the default route with metric of 6 Use the no ip default gateway ip address command to delete one default gateway Use the no ip def...

Page 509: ...IP addresses Command Mode User EXEC mode Examples Example 1 The following example displays all configured IP addresses and their types switchxxxxxx show ip interface source_precedence_is_supported broadcast_address_configuration_is_supported ip_redirects_is_supported IP Address I F I F Status Type Directed Redirect Status admin oper Broadcast 10 5 230 232 24 vlan 1 UP UP Static disable Enabled Val...

Page 510: ... command to remove an entry from the ARP cache Syntax arp ip address mac address interface id no arp ip address Parameters ip address IP address or IP alias to map to the specified MAC address mac address MAC address to map to the specified IP address or IP alias interface id Address pair is added for specified interface Command Mode Global Configuration mode Default Configuration No permanent ent...

Page 511: ...e interval during which an entry remains in the ARP cache Use the no form of this command to restore the default configuration Syntax arp timeout seconds no arp timeout Parameters seconds Specifies the time interval in seconds during which an entry remains in the ARP cache Range 1 40000000 Default Configuration The default ARP timeout is 60000 seconds if IP Routing is enabled and 300 seconds if IP...

Page 512: ...e no ip arp proxy disable Parameters N A Default Enabled by default Command Mode Global Configuration mode User Guidelines This command overrides any proxy ARP interface configuration The command is supported only when IP Routing is enabled Example The following example globally disables ARP proxy switchxxxxxx config ip arp proxy disable 24 9 ip proxy arp Use the ip proxy arp Interface Configurati...

Page 513: ...ined on a specific interface The command is supported only when IP Routing is enabled Example The following example enables ARP proxy when the switch is in router mode switchxxxxxx config if ip proxy arp 24 10 clear arp cache Use the clear arp cache Privileged EXEC mode command to delete all dynamic entries from the ARP cache Syntax clear arp cache Command Mode Privileged EXEC mode Example The fol...

Page 514: ...and Mode Privileged EXEC mode User Guidelines Since the associated interface of a MAC address can be aged out from the FDB table the Interface field can be empty If an ARP entry is associated with an IP interface that is defined on a port or port channel the VLAN field is empty Example The following example displays entries in the ARP table switchxxxxxx show arp ARP timeout 80000 Seconds VLAN VLAN...

Page 515: ... of the ARP protocol Syntax show arp configuration Parameters This command has no arguments or key words Command Mode Privileged EXEC mode Example switchxxxxxx show arp configuration Global configuration ARP Proxy enabled ARP timeout 80000 Seconds Interface configuration VLAN 1 ARP Proxy disabled ARP timeout 60000 Seconds VLAN 10 ARP Proxy enabled ARP timeout 70000 Seconds VLAN 20 ARP Proxy enable...

Page 516: ...s the IP interface configuration mode switchxxxxxx config interface ip 192 168 1 1 switchxxxxxx config ip 24 14 ip helper address Use the ip helper address Global Configuration mode command to enable the forwarding of UDP Broadcast packets received on an interface to a specific helper address Use the no form of this command to disable the forwarding of broadcast packets to a specific helper addres...

Page 517: ... Mode Global Configuration mode User Guidelines This command forwards specific UDP Broadcast packets from one interface to another by specifying a UDP port number to which UDP broadcast packets with that destination port number are forwarded By default if no UDP port number is specified the device forwards UDP broadcast packets for the following six services IEN 116 Name Service port 42 DNS port 5...

Page 518: ... 9 9 49 53 1 2 24 15 show ip helper address Use the show ip helper address Privileged EXEC mode command to display the IP helper addresses configuration on the system Syntax show ip helper address Parameters This command has no arguments or key words Command Mode Privileged EXEC mode User Guidelines Example The following example displays the IP helper addresses configuration on the system switchxx...

Page 519: ...s enabled are displayed If an interface is specified only information about the specified interface is displayed Example The following is sample output of the show ip dhcp client interface command switchxxxxxx show ip dhcp client interface VLAN 100 is in client mode Address 170 10 100 100 Mask 255 255 255 0 T1 120 T2 192 Default Gateway 170 10 100 1 DNS Servers 115 1 1 1 87 12 34 20 DNS Domain Sea...

Page 520: ... T1 120 T2 192 Default Gateway 180 10 100 1 DNS Servers 115 1 1 1 87 12 34 20 DNS Domain Search List company com Host Name switch_floor7 Configuration Server Addresses configuration company com Configuration Path Name qqq config aaa_config dat Image Path Name qqq image aaa_image ros POSIX Timezone string EST5EDT4 M3 2 0 02 00 M11 1 0 02 00 ...

Page 521: ...g The name must match a map tag value specified by a route map Policy Routing command Default Configuration No policy routing occurs on the interface Command Mode Interface Configuration mode User Guidelines Use the ip policy route map command to enable policy routing on an interface The actual policy routing will take a place if an IP address is defined on the interface The IP packets matched to ...

Page 522: ... interface together with the following features VLAN ACL Example The following example shows how to configure policy routing switchxxxxxx config ip access list extended pr acl1 switchxxxxxx config ip al permit tcp any any 156 12 5 0 0 0 0 255 any switchxxxxxx config ip al exit switchxxxxxx config ip access list extended pr acl2 switchxxxxxx config ip al permit tcp any any 156 122 5 0 0 0 0 255 any...

Page 523: ...messages use the no form of this command Syntax ip redirects no ip redirects Parameters N A Default Configuration The sending of ICMP redirect messages is enabled Command Mode IP Configuration mode Example The following example disables the sending of ICMP redirect messages on IP interface 1 1 1 1 and re enables the messages on IP interface 2 2 2 2 switchxxxxxx config interface ip 1 1 1 1 switchxx...

Page 524: ...mask for the destination Specifies the number of bits that comprise the IP address prefix The prefix length must be preceded by a forward slash Range 0 32 ip address IP address of the next hop that can be used to reach that network metric value Metric of the route The default metric is 6 Range 1 255 reject route Stopping routing to the destination network Default Configuration No static routes are...

Page 525: ...config ip route 172 31 0 0 16 172 31 6 6 metric 2 Example 3 The following example shows how to reject packets for network 194 1 1 0 switchxxxxxx config ip route 194 1 1 0 255 255 255 0 reject route Example 4 The following example shows how to remove all static routes to network 194 1 1 0 24 switchxxxxxx config no ip route 194 1 1 0 24 Example 5 The following example shows how to remove one static ...

Page 526: ...ng switchxxxxxx config ip routing 25 5 show ip route To display the current state of the routing table use the show ip route command in user EXEC or privileged EXEC mode Syntax show ip route address ip address mask longer prefixes static rejected icmp connected Parameters address ip address IP address about which routing information should be displayed mask The value of the subnet mask longer pref...

Page 527: ...he show ip route command when IP Routing is not enabled switchxxxxxx show ip route Maximum Parallel Paths 1 1 after reset IP Forwarding disabled Codes best C connected S static I ICMP IP Routing Table 5 entries Code IP Route Distance Next Hop Last Time Outgoing Metric IP Address Updated Interface S 10 10 0 0 16 1 2 10 119 254 244 00 02 22 vlan2 S 10 10 0 0 16 1 1 10 120 254 244 00 02 22 vlan3 S 10...

Page 528: ...PR1 Status Active ACL Name ACLTCPHTTP Next Hop 1 1 1 1 Next Hop Status Active ACL Name ACLTCPTELNET Next Hop 2 2 2 2 Next Hop Status Not Active Unreachable ACL Name ACL_AA Next Hop 3 3 3 3 Next Hop Status Not Active Not direct VLAN 100 Route Map BPR_10 Status Not Active No IP interface on VLAN 100 ACL Name ACLTCPHTTP Next Hop 1 1 1 20 Next Hop Status Active VLAN 110 Route Map BPR_20 Status Not Act...

Page 529: ...he following example the logical AND operation is performed on the address 10 16 0 0 and the mask 255 255 0 0 resulting in 10 16 0 0 On each destination in the routing table the logical AND operation is also performed with the mask and the result is compared with 10 16 0 0 Any destinations that fall into that range are displayed in the output switchxxxxxx show ip route 10 16 0 0 255 255 0 0 longer...

Page 530: ...t Active VLAN 110 status is DOWN ACL Name ACLTCPHTTP Next Hop 1 1 1 20 Next Hop Status Active VLAN 200 Route Map BPR_A0 Status Active ACL Name ACLTCPHTTP Next Hop 1 1 1 20 Next Hop Status Active IP Routing Table 6 entries Code IP Route Distance Next Hop Last Time Outgoing Metric IP Address Updated Interface S 10 16 2 0 24 1 1 10 119 254 244 00 02 22 vlan2 S 10 16 2 64 26 1 1 100 1 14 244 00 02 22 ...

Page 531: ... 0 0 16 0 1 0 0 0 0 vlan2 25 6 show ip route summary Use the show ip route summary command in User EXEC or Privileged EXEC mode to display the current contents of the IP routing table in summary format Syntax show ip route summary Parameters N A Command Mode User EXEC mode Privileged EXEC mode User Guidelines Example The following is sample output from the show ip route summary command switchxxxxx...

Page 532: ...IP Routing Protocol Independent Commands 531 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 25 ...

Page 533: ...ress to ping ipv6 address Unicast or Multicast IPv6 address to ping When the IPv6 address is a Link Local address IPv6Z address the outgoing interface name must be specified hostname Hostname to ping Length 1 158 characters Maximum label size for each part of the host name 58 size packet_size Number of bytes in the packet not including the VLAN tag The default is 64 bytes IPv4 64 1518 IPv6 68 1518...

Page 534: ...ttached host using its link local address the egress interface may be specified in the IPv6Z format If the egress interface is not specified the default interface is selected When using the ping ipv6 command with a Multicast address the information displayed is taken from all received echo responses When the source keyword is configured and the source address is not an address of the switch the co...

Page 535: ...packet loss round trip ms min avg max 7 8 11 Example 3 Ping an IPv6 address switchxxxxxx ping ipv6 3003 11 Pinging 3003 11 with 64 bytes of data 64 bytes from 3003 11 icmp_seq 1 time 0 ms 64 bytes from 3003 11 icmp_seq 2 time 50 ms 64 bytes from 3003 11 icmp_seq 3 time 0 ms 64 bytes from 3003 11 icmp_seq 4 time 0 ms 3003 11 PING Statistics 4 packets transmitted 4 packets received 0 packet loss rou...

Page 536: ...e 1050 ms FF02 1 PING Statistics 4 packets transmitted 12 packets received 26 2 ssh To start an encrypted session with a remote networking device use the ssh command in user EXEC or privileged EXEC mode Syntax ssh ip address hostname port keyword Parameters ip address Specifies the destination host IP address IPv4 or IPv6 hostname Hostname to ping Length 1 158 characters Maximum label size for eac...

Page 537: ...ns Description password password Specifies the password to use when logging in on the remote networking device running the SSH server If the keyword is not specified the password configured by the ip ssh client password command is used If this keyword is specified the the user keyword must be specified too source interface interface id Specifies the source interface which minimal IPv4 v6 address w...

Page 538: ...e is HQhost and the password is a password configured by the ip ssh client password command switchxxxxxx ssh 1 1 1 1 user HQhost Example 3 The following example sets a secure session between the local device and the edge device HQedge The user name is HQhost and the password is ar3245ddd switchxxxxxx ssh HQedge user HQhost password ar3245ddd Example 4 The following example sets a lookback interfac...

Page 539: ...et software supports special Telnet commands in the form of Telnet sequences that map generic terminal control functions to operating system specific functions To enter a Telnet sequence press the escape sequence keys Ctrl shift 6 followed by a Telnet command character Special Telnet Sequences At any time during an active Telnet session available Telnet commands can be listed by pressing the help ...

Page 540: ...hat were opened by the current Telnet session to the local device It does not list Telnet connections to remote hosts that were opened by other Telnet sessions Keywords Table Ports Table Options Description echo Enables local echo quiet Prevents onscreen display of all messages from the software source interfac e Specifies the source interface stream Turns on stream processing which enables a raw ...

Page 541: ...net Relay Chat 194 klogin Kerberos login 543 kshell Kerberos shell 544 login Login 513 lpd Printer service 515 nntp Network News Transport Protocol 119 pim auto r p PIM Auto RP 496 pop2 Post Office Protocol v2 109 pop3 Post Office Protocol v3 110 smtp Simple Mail Transport Protocol 25 sunrpc Sun Remote Procedure Call 111 syslog Syslog 514 tacacs TAC Access Control System 49 talk Talk 517 telnet Te...

Page 542: ...ess Parameters ip Use IPv4 to discover the route ipv6 Use IPv6 to discover the route ipv4 address IPv4 address of the destination host ipv6 address IPv6 address of the destination host hostname Hostname to ping Length 1 158 characters Maximum label size for each part of the host name 58 size packet_size Number of bytes in the packet not including the VLAN tag The default is 64 bytes IPv4 64 1518 I...

Page 543: ...me exceeded error message indicates that an intermediate router has seen and discarded the probe A destination unreachable error message indicates that the destination node has received the probe and discarded it because it could not deliver the packet If the timer goes off before a response comes in the traceroute command prints an asterisk The traceroute command terminates when the destination r...

Page 544: ... following are characters that can appear in the traceroute command output Field Description 1 Indicates the sequence number of the router in the path to the host i2 gateway stanford edu Host name of this router 192 68 191 83 IP address of this router 1 msec 1 msec 1 msec Round trip time for each of the probes that are sent Field Description The probe timed out Unknown packet type A Administrative...

Page 545: ... Syntax ip multicast routing igmp proxy no ip multicast routing Parameters igmp proxy Enable Multicast routing using IGMP Proxy Default Configuration Multicast routing is not enabled Command Mode Global Configuration mode User Guidelines Use the ip multicast routing command with parameter to specify the needed IP Multicast Routing Protocol To forward IPv4 Multicast packets on an interface IPv4 Mul...

Page 546: ... hops It can be a value from 0 to 256 Default Configuration The default TTL value is 0 Command Mode Interface Configuration mode User Guidelines Multicast packets with a TTL value less than the threshold will not be forwarded on the interface The default value of 0 means all Multicast packets are forwarded on the interface A value of 256 means that no Multicast packets are forwarded on the interfa...

Page 547: ...p mroute command to display information about Mroute entries in the mroute table The switch populates the Multicast routing table by creating S G entries from G entries The asterisk refers to all source addresses the S refers to a single source address and the G is the destination Multicast group address In creating S G entries the switch uses the best path to that destination group found in the U...

Page 548: ...ace it is discarded Outgoing Interface List OIF Interfaces through which packets will be forwarded Example 1 The following is sample output from the show ip mroute command with the summary keyword switchxxxxxx show ip mroute summary Timers Uptime Expires IP Multicast Routing Table 172 16 160 67 32 224 2 127 254 00 02 46 00 00 12 OIF count 2 172 16 244 217 32 224 2 127 254 00 02 15 00 00 40 OIF cou...

Page 549: ...lticast related information about an interface configured for IP Multicast interface id Interface identifier for which to display IP Multicast information Command Mode User EXEC mode Privileged EXEC mode User Guidelines Use the show ip multicast command without the interface keyword to display general information about the state of IP Multicast on the router Use the show ip multicast command with ...

Page 550: ...ticast command about the given interface IGMP Proxy is enabled on the interface and the interface is an IGMP Proxy Upstream interface switchxxxxxx show ip multicast interface vlan 200 IP Unicast Forwarding enabled IP Multicast Protocol IGMP Proxy vlan 200 TTL threshold 0 IGMP Protocol IGMPv3 IGMP Proxy Upstream Example 4 The following is sample output from the show ip multicast command about the g...

Page 551: ...m vlan 200 Example 5 The following is sample output from the show ip multicast command about the given interface IGMP Proxy is disabled on the interface switchxxxxxx show ip multicast interface vlan 100 IP Unicast Forwarding enabled IP Multicast Protocol IGMP Proxy vlan 200 IP Status enabled hop threshold 100 IGMP Protocol IGMPv3 IGMP Proxy disabled ...

Page 552: ...neighbors Parameters N A Command Mode Privileged EXEC mode User Guidelines Example The following example deletes all entries except static entries in the neighbor discovery cache switchxxxxxx clear ipv6 neighbors 28 2 ipv6 address Use the ipv6 address command in Interface Configuration mode to configure a global unicast IPv6 address based on an IPv6 general prefix and enable IPv6 processing on an ...

Page 553: ...its of the address comprise the prefix the network portion of the address A slash mark must precede the decimal value Default Configuration No IP address is defined for the interface Command Mode Interface Configuration mode User Guidelines The ipv6 address command cannot be applied to define an IPv6 address on an ISATAP interface Using the no IPv6 address command without arguments removes all man...

Page 554: ... many of the high order contiguous bits of the address comprise the prefix the network portion of the address A slash mark must precede the decimal value Default Configuration No IP address is defined for the interface Command Mode Interface Configuration mode User Guidelines An Anycast address is an address that is assigned to a set of interfaces that typically belong to different nodes A packet ...

Page 555: ...sing on the interface assigns the prefix 2001 0DB8 1 1 64 to the interface and configures the IPv6 Anycast address 2001 0DB8 1 1 FFFF FFFF FFFF FFFE switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 address 2001 0DB8 1 1 FFFF FFFF FFFF FFFE 64 anycast switchxxxxxx config if exit 28 4 ipv6 address autoconfig Use the ipv6 address autoconfig command in Interface Configuration mode to e...

Page 556: ...onfigured ipv6 addresses from all interfaces When IPv6 forwarding is changed from enabled to disabled and stateless auto configuration is enabled the switch resumes stateless auto configuration Using the no form of the ipv6 address command without arguments removes all manually configured IPv6 addresses from an interface including link local manually configured addresses Example The following exam...

Page 557: ...lash mark must precede the decimal value Default Configuration No IP address is defined for the interface Command Mode Interface Configuration mode User Guidelines If the value specified for the prefix length argument is greater than 64 bits the prefix bits have precedence over the interface ID The IPv6 address is built from ipv6 prefix and the EUI 64 Interface ID by the following way The first pr...

Page 558: ... config interface vlan 1 switchxxxxxx config if ipv6 address 2001 0DB8 0 1 64 eui 64 switchxxxxxx config if exit 28 6 ipv6 address link local Use the ipv6 address link local command in Interface Configuration mode to configure an IPv6 link local address for an interface and enable IPv6 processing on the interface To remove the manually configured link local address from the interface use the no fo...

Page 559: ...igured IPv6 addresses from an interface including link local manually configured addresses Example The following example enables IPv6 processing on VLAN 1 and configures FE80 260 3EFF FE11 6770 as the link local address for VLAN 1 switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 address FE80 260 3EFF FE11 6770 link local switchxxxxxx config if exit 28 7 ipv6 default gateway Use the...

Page 560: ...ple defines a default gateway with a global IPv6 address switchxxxxxx config ipv6 default gateway 5 5 Example 2 The following example defines a default gateway with a link local IPv6 address switchxxxxxx config ipv6 default gateway FE80 260 3EFF FE11 6770 vlan1 28 8 ipv6 enable Use the ipv6 enable command in Interface Configuration mode to enable IPv6 processing on an interface To disable IPv6 pro...

Page 561: ...red with an explicit IPv6 address Example The following example enables VLAN 1 for the IPv6 addressing mode switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 enable switchxxxxxx config if exit 28 9 ipv6 hop limit Use the ipv6 hop limit command in Global Configuration mode to configure the maximum number of hops used in all IPv6 packets that are originated by the router To return the...

Page 562: ...error messages To return the interval to its default setting use the no form of this command Syntax ipv6 icmp error interval milliseconds bucketsize no ipv6 icmp error interval Parameters milliseconds Time interval between tokens being placed in the bucket Each token represents a single ICMP error message The acceptable range is from 0 to 2147483647 A value of 0 disables ICMP rate limiting buckets...

Page 563: ...hen the bucket is empty of tokens IPv6 ICMP error messages are not sent until a new token is placed in the bucket Average Packets Per Second 1000 milliseconds bucketsize To disable ICMP rate limiting set the milliseconds argument to zero Example The following example shows an interval of 50 milliseconds and a bucket size of 20 tokens being configured for IPv6 ICMP error messages switchxxxxxx confi...

Page 564: ...Configuration mode to configure the advertisement interval option in router advertisements RAs To reset the interval to the default value use the no form of this command Syntax ipv6 nd advertisement interval no ipv6 nd advertisement interval Parameters N A Default Configuration Advertisement interval option is not sent Command Mode Interface Configuration mode User Guidelines Use the ipv6 nd adver...

Page 565: ...hbor solicitation messages that are sent on an interface while duplicate address detection is performed on the Unicast IPv6 addresses of the interface To return the number of messages to the default value use the no form of this command Syntax ipv6 nd dad attempts value no ipv6 nd dad attempts Parameters value The number of neighbor solicitation messages The acceptable range is from 0 to 600 Confi...

Page 566: ...on and neighbor unreachability detection Use the ipv6 nd ns interval command to configure the interval between neighbor solicitation messages that are sent during duplicate address detection Duplicate address detection is suspended on interfaces that are administratively down While an interface is administratively down the Unicast IPv6 addresses assigned to the interface are set to a pending state...

Page 567: ...nnel Example The following example configures five consecutive neighbor solicitation messages to be sent on VLAN 1 while duplicate address detection is being performed on the tentative Unicast IPv6 address of the interface The example also disables duplicate address detection processing on VLAN 2 switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 nd dad attempts 5 switchxxxxxx config...

Page 568: ... hop limit command Example The following example configures a maximum number of 15 hops for router advertisements on VLAN 2 switchxxxxxx config interface vlan 2 switchxxxxxx config if ipv6 nd hop limit 15 switchxxxxxx config if exit 28 15 ipv6 nd managed config flag Use the ipv6 nd managed config flag command in Interface Configuration mode to set the managed address configuration flag in IPv6 rou...

Page 569: ...and if it is not set the attached hosts should not use stateful autoconfiguration to obtain addresses Hosts may use stateful and stateless address autoconfiguration simultaneously Example The following example configures the Managed Address Configuration flag in IPv6 router advertisements on VLAN 1 switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 nd managed config flag switchxxxxxx...

Page 570: ...nterface Very short intervals are not recommended in normal IPv6 operation When a non default value is configured the configured time is both advertised and used by the router itself Example The following example configures an IPv6 neighbor solicit transmission interval of 9000 milliseconds for VLAN 1 switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 nd ns interval 9000 switchxxxxxx...

Page 571: ...ss information Note If the Managed Address Configuration flag is set using the ipv6 nd managed config flag command then an attached host can use stateful autoconfiguration to obtain the other nonaddress information regardless of the setting of the Other Stateful configuration flag Example The following example configures the Other Stateful configuration flag in IPv6 router advertisements on VLAN 1...

Page 572: ...alue of 4 294 967 295 represents infinity The address generated from an invalidated prefix should not appear as the destination or source address of a packet preferred lifetime Remaining length of time in seconds that this prefix will continue to be preferred i e time until deprecation A value of 4 294 967 295 represents infinity The address generated from a deprecated prefix should no longer be u...

Page 573: ...g whether the prefix should be advertised Use the ipv6 nd prefix ipv6 prefix prefix length command to add the prefix to the Prefix table Use the no ipv6 nd prefix ipv6 prefix prefix length command to remove the prefix from the Prefix table Use the no ipv6 nd prefix command without the ipv6 prefix prefix length argument o remove all prefixes from the Prefix Table Note The no ipv6 nd prefix command ...

Page 574: ...uto configuration is on by default it indicates to hosts on the local link that the specified prefix can be used for IPv6 auto configuration The configuration options affect the L bit and A bit settings associated with the prefix in the IPv6 ND Router Advertisement and presence of the prefix in the routing table as follows Default L 1 A 1 In the Routing Table no onlink L 0 A 1 In the Routing Table...

Page 575: ...face To restore the default interval use the no form of this command Syntax ipv6 nd ra interval maximum secs minimum secs no ipv6 nd ra interval Parameters maximum secs Maximum interval between IPv6 RA transmissions in seconds The range is from 4 to 1800 minimum secs Minimum interval between IPv6 RA transmissions in seconds The range is from 3 to 1350 Default Configuration maximum secs is 600 seco...

Page 576: ...6 nd ra interval 201 switchxxxxxx config if exit Example 2 The following examples shows a maximum RA interval of 200 seconds and a minimum RA interval of 50 seconds switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 nd ra interval 200 50 switchxxxxxx config if exit 28 20 ipv6 nd ra lifetime Use the ipv6 nd ra lifetime command in Interface Configuration mode to configure the Router Li...

Page 577: ... default router on this interface The Router Lifetime value can be set to a non zero value to indicate that it should be considered a default router on this interface The non zero value for the Router Lifetime value should not be less than the router advertisement interval Example The following example configures an IPv6 router advertisement lifetime of 1801 seconds for VLAN 1 switchxxxxxx config ...

Page 578: ...ssed Use the no ipv6 nd ra suppress command to enable the sending of IPv6 router advertisement transmissions on a NBMA interface for example ISATAP tunnel Examples Example 1 The following example suppresses IPv6 router advertisements on vlan 1 switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 nd ra suppress switchxxxxxx config if exit Example 2 The following example enables the send...

Page 579: ... is advertised in router advertisements and the value 30000 30 seconds is used for the neighbor discovery activity of the router itself Command Mode Interface Configuration mode User Guidelines The configured time enables the router to detect unavailable neighbors Shorter configured times enable the router to detect unavailable neighbors more quickly however shorter times consume more IPv6 network...

Page 580: ...high medium low no ipv6 nd router preference Parameters high Preference for the router specified on an interface is high medium Preference for the router specified on an interface is medium low Preference for the router specified on an interface is low Default Configuration Router advertisements RAs are sent with the medium preference Command Mode Interface Configuration mode User Guidelines RA me...

Page 581: ...scovery cache use the no form of this command Syntax ipv6 neighbor ipv6 address interface id mac address no ipv6 neighbor ipv6 address interface id Parameters ipv6 address Specified IPv6 address This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16 bit values between colons interface id Specified interface identifier mac address Interface MA...

Page 582: ...r interface id command to delete the all static entries on the given interface Use the no ipv6 neighbor command to remove the all static entries on all interfaces Use the show ipv6 neighbors command to view static entries in the IPv6 neighbor discovery cache A static entry in the IPv6 neighbor discovery cache can have one of the following states NCMP Incomplete The interface for this entry is down...

Page 583: ...v6 neighbor 28 25 ipv6 policy route map To enable policy routing on an interface and identify a route map use the ipv6 policy route map command in Interface Configuration mode To disable policy routing use the no form of this command Syntax ipv6 policy route map map tag no ipv6 policy route map Parameters map tag Name of the route map to use for policy routing The name must match a map tag value s...

Page 584: ...UP and the next hop is reachable If the IPv6 policy routing is not applied then the matched IPv6 packets will be forwarded using the obvious shortest path Note Of course like in the case of regular IPv6 Routing Policy Based IPv6 Router routes only MAC tome IPv6 frames IPv6 policy routing cannot be configured on an interface together with the following features IPv6 First Hop Security VLAN ACL VLAN...

Page 585: ...direct messages to re send a packet through the same interface on which the packet was received To disable the sending of redirect messages use the no form of this command Syntax ipv6 redirects no ipv6 redirects Parameters N A Default Configuration The sending of ICMP IPv6 redirect messages is enabled Command Mode Interface Configuration mode Example The following example disables the sending of I...

Page 586: ...atic host routes are configured prefix length Length of the IPv6 prefix A decimal value that indicates how many of the high order contiguous bits of the address comprise the prefix the network portion of the address A slash mark must precede the decimal value next ipv6 address IPv6 address of the next hop that can be used to reach the specified network If the next ipv6 address argument is a link l...

Page 587: ...te with a global next hop switchxxxxxx config ipv6 route 2001 64 5 5 10 Example 2 The following example defines a static route with a link local next hop switchxxxxxx config ipv6 route 2001 DB8 2222 48 FE80 260 3EFF FE11 6770 vlan1 12 28 28 ipv6 unicast routing Use the ipv6 unicast routing command in Global Configuration mode to enable the forwarding of IPv6 Unicast datagrams To disable the forwar...

Page 588: ...event the generation of unreachable messages use the no form of this command Syntax ipv6 unreachables no ipv6 unreachables Parameters N A Default Configuration The sending of ICMP IPv6 unreachable messages is enabled Command Mode Interface Configuration mode User Guidelines If the switch receives a Unicast packet destined for itself that uses a protocol it does not recognize it sends an ICMPv6 unr...

Page 589: ...show ipv6 interface brief interface id prefix Parameters brief Displays a brief summary of IPv6 status and configuration for each interface where IPv6 is defined interface id Interface identifier about which to display information prefix Prefix generated from a local IPv6 prefix pool Default Configuration Option brief all IPv6 interfaces are displayed Command Mode User EXEC mode Privileged EXEC mo...

Page 590: ...x show ipv6 interface vlan 1 VLAN 1 is up up IPv6 is enabled link local address is FE80 0DB8 12AB FA01 IPv6 Forwarding is enabled Global unicast address es Ipv6 Global Address Type 2000 0DB8 2 64 ANY Manual 2000 0DB8 2 64 Manual 2000 1DB8 2011 64 Manual Joined group address es FF02 1 FF02 2 FF02 1 FF11 6770 MTU is 1500 bytes ICMP error messages limited interval is 100ms Bucket size is 10 tokens IC...

Page 591: ...s Displays the link local address assigned to the interface Global unicast address es Displays the global Unicast addresses assigned to the interface The type is manual or autoconfig Joined group address es Indicates the Multicast groups to which this interface belongs MTU is 1500 bytes Maximum transmission unit of the interface ICMP error messages Specifies the minimum interval in milliseconds be...

Page 592: ...MLD Example 2 The show ipv6 interface command displays information about the specified ISATAP tunnel switchxxxxxx show ipv6 interface tunnel 1 Tunnel 1 is up up IPv6 is enabled link local address is FE80 0DB8 12AB FA01 ICMP redirects are disabled Global unicast address es Ipv6 Global Address Type 2000 0DB8 2 64 ANY Manual 2000 0DB8 2 64 Manual 2000 1DB8 2011 64 Manual Joined group address es FF02 ...

Page 593: ...ue bigger than 0 number of DAD attempts Number of consecutive neighbor solicitation messages that are sent on the interface while duplicate address detection is performed vlan 1 is up up Indicates the interface status administrative operational IPv6 is enabled stalled disabled stalled and disabled are not shown in sample output Indicates that IPv6 is enabled stalled or disabled on the interface If...

Page 594: ...tised on this interface ND advertised retransmit interval Displays the neighbor discovery retransmit interval in milliseconds advertised on this interface ND router advertisements Specifies the interval in seconds for neighbor discovery router advertisements sent on this interface and the amount of time before the advertisements expire ND advertised default router preference is Medium The DRP for ...

Page 595: ... VLAN 1 that has generated a prefix from a local IPv6 prefix pool switchxxxxxx configure terminal switchxxxxxx config interface vlan1 switchxxxxxx config if ipv6 address 2001 0DB8 1 1 64 switchxxxxxx config if ipv6 address 2001 0DB8 2 1 64 switchxxxxxx config if ipv6 address 2001 0DB8 3 1 64 switchxxxxxx config if ipv6 nd prefix 2001 0DB8 1 64 no advertise switchxxxxxx config if ipv6 nd prefix 200...

Page 596: ...he show ipv6 link local default zone command in user EXEC or privileged EXEC mode to display the IPv6 link local default zone Syntax show ipv6 link local default zone Command Mode User EXEC mode Privileged EXEC mode Examples Example 1 The following example displays the default zone when it is defined switchxxxxxx show ipv6 link local default zone Link Local Default Zone is VLAN 1 Example 2 The fol...

Page 597: ...ers interface id Specified interface identifier on which prefixes are advertised Default Configuration No prefixes are displayed Command Mode User EXEC mode Privileged EXEC mode User Guidelines Use the how ipv6 nd prefix command with the interface id argument to display prefixes advertised on a single interface Example The following example displays IPv6 prefixes switchxxxxxx show ipv6 nd prefix v...

Page 598: ...and in User EXEC or Privileged EXEC mode to display IPv6 neighbor discovery ND cache information Syntax show ipv6 neighbors interface id ipv6 address ipv6 hostname Parameters interface id Specifies the identifier of the interface from which IPv6 neighbor information is to be displayed ipv6 address Specifies the IPv6 address of the neighbor This argument must be in the form documented in RFC4293 wh...

Page 599: ...uter 2000 0 0 4 2 0 0003 a0d6 141e REACH VLAN1 Yes 3001 1 45a 0002 7d1a 9472 REACH VLAN1 FE80 203 A0FF FED6 141E 0 0003 a0d6 141e REACH VLAN1 No Example 2 The following is sample output from the show ipv6 neighbors command when entered with an IPv6 address switchxxxxxx show ipv6 neighbors 2000 0 0 4 2 IPv6 Address Age Link layer Addr State Interface Router 2000 0 0 4 2 0 0003 a0d6 141e REACH VLAN1...

Page 600: ... prefix Displays routing information for a specific IPv6 network This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16 bit values between colons prefix length The length of the IPv6 prefix A decimal value that indicates how many of the high order contiguous bits of the address comprise the prefix the network portion of the address A slash ma...

Page 601: ... are specified only the specified interface specific routes are displayed Examples Example 1 The following is sample output from the show ipv6 route command when IPv6 Routing is not enabled and the command is entered without an IPv6 address or prefix specified switchxxxxxx show ipv6 route Codes Best S Static C Connected I ICMP Redirect ND Router Advertisment d m d route s distance m route s metric...

Page 602: ...fixes defined by the ipv6 nd prefix command with on link keyword d m d route s distance m route s metric IPv6 Policy Routing VLAN 1 Route Map BPR1 Status Active ACL Name ACLTCPHTTP Next Hop fe80 77 Next Hop Status Active ACL Name ACLTCPTELNET Next Hop 4001 27 Next Hop Status Not Active Unreachable ACL Name ACL_AA Next Hop 301a 23 24 Next Hop Status Not Active Not direct VLAN 100 Route Map BPR_10 S...

Page 603: ... Status Active IPv6 Routing Table 3 entries S 3000 64 1 1 via FE80 A8BB CCFF FE02 8B00 VLAN 100 C 4001 64 0 0 via VLAN 100 L 4002 64 0 0 via VLAN 100 Lifetime 9000 sec 28 35 show ipv6 route summary Use the show ipv6 route summary command in User EXEC or Privileged EXEC mode to display the current contents of the IPv6 routing table in summary format Syntax show ipv6 route summary Parameters N A Com...

Page 604: ...ce id detail Parameters ipv6 address Provides routing information for a specific IPv6 address This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16 bit values between colons ipv6 prefix Provides routing information for a specific IPv6 network This argument must be in the form documented in RFC4293 where the address is specified in hexadecima...

Page 605: ...ed For example when the interface id argument is specified only the specified interface specific routes are displayed When the detail keyword is specified the reason why the route is not valid is displayed for invalid direct or fully specified routes Examples Example 1 The following is sample output from the show ipv6 static command without specified options switchxxxxxx show ipv6 static IPv6 Stat...

Page 606: ...route command when entered with the interface VLAN 1 switchxxxxxx show ipv6 static interface vlan 1 IPv6 Static routes Code installed in Routing Information Base RIB IPv6 Static routes distance is 1 5000 16 interface VLAN1 metric 1 Example 4 The following is sample output from the show ipv6 route command with the detail keyword switchxxxxxx show ipv6 static detail IPv6 Static routes Code installed...

Page 607: ...IPv6 Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 606 28 6000 16 via nexthop 2007 1 metric 1 ...

Page 608: ...evel Rules defined at the VLAN level override the globally configured rules The globally configured rules override the system defaults You can only attach 1 policy for a specific sub feature to a VLAN You can attach multiple policies for a specific sub feature to a port if they specify different VLANs A sub feature policy does not take effect until IPv6 First Hop Security is enabled on the VLAN Th...

Page 609: ... stateless Only auto configuration for global IPv6 bound from NDP messages is allowed any All configuration methods for global IPv6 bound from NDP messages stateless and manual are allowed If no keyword is defined the any keyword is applied dhcp Bound from DHCPv6 is allowed Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy ...

Page 610: ...ound address prefix validation within an IPv6 Neighbor Binding policy use the address prefix validation command in Neighbor Binding Policy Configuration mode To return to the default use the no form of this command Syntax address prefix validation enable disable no address prefix validation Parameters enable Enables bound address prefix validation If no keyword is configured this keyword is applie...

Page 611: ... policy policy1 switchxxxxxx config nbr binding address prefix validation enable switchxxxxxx config nbr binding exit 29 3 clear ipv6 first hop security counters To clear IPv6 First Hop Security port counters use the clear ipv6 first hop security counters command in privileged EXEC mode Syntax clear ipv6 first hop security counters interface interface id Parameters interface interface id Clear IPv...

Page 612: ...lear ipv6 first hop security error counters command in privileged EXEC mode Syntax clear ipv6 first hop security error counters Parameters N A Command Mode Privileged EXEC mode User Guidelines This command clears global error counters Example The following example clears IPv6 First Hop Security error counters switchxxxxxx clear ipv6 first hop security error counters 29 5 clear ipv6 neighbor bindin...

Page 613: ...n vlan id prefix address prefix length command to delete one specific entry Use the clear ipv6 neighbor binding prefix table vlan vlan id command to delete the dynamic entries that match the specified VLAN Use the clear ipv6 neighbor binding prefix table command to delete all dynamic entries Examples Example 1 The following example clears all dynamic entries switchxxxxxx clear ipv6 neighbor bindin...

Page 614: ... address Clear the dynamic entries that match the specified IPv6 address mac mac address Clear the dynamic entries that match the specified MAC address ndp Clear the dynamic entries that are bound from NDP messages dhcp Clear the dynamic entries that are bound from DHCPv6 messages Command Mode Privileged EXEC mode User Guidelines This command deletes the dynamic entries of the Neighbor Binding tab...

Page 615: ...e role client server no device role Parameters client Sets the role of the device to DHCPv6 client server Sets the role of the device to DHCPv6 server Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN client Command Mode DHCP Guard Policy Configuration mode User Guidelines If this command is part of a polic...

Page 616: ...ng To specify the role of the device attached to the port within an IPv6 Neighbor Binding policy use the device role command within IPv6 Neighbor Binding Policy Configuration mode To return to the default use the no form of this command Syntax device role perimeter internal no device role Parameters perimeter Specifies that the port is connected to devices not supporting IPv6 First Hop Security in...

Page 617: ...ype specifies ports connected to devices supporting IPv6 First Hop Security NB Integrity does not establish binding for neighbors connected to these ports but it does propagate the bindings established on perimeter ports A dynamic IPv6 address bound to a port is deleted when its role is changed from perimetrical to internal A static IPv6 address is kept Example The following example defines a Neig...

Page 618: ...LAN it is applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN ND Inspection performs egress filtering of NDP messages depending on a port role The following table specifies the filtering rules Example The following example defines an ND Inspection policy named policy 1 and configures the ...

Page 619: ...cy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN host Command Mode RA Guard Policy Configuration mode User Guidelines If this command is part of a policy attached to a VLAN it is applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to ...

Page 620: ...es dropping messages with no or invalid options or an invalid signature If no keyword is configured this keyword is applied by default disable Disables dropping messages with no or invalid options or an invalid signature Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN global configuration Command Mode ND ...

Page 621: ...n RA Guard Policy Configuration mode To return to the default use the no form of this command Syntax hop limit maximum value disable minimum value disable no hop limit maximum minimum Parameters maximum value Verifies that the hop count limit is less than or equal to the value argument Range 1 255 The value of the high boundary must be equal or greater than the value of the low boundary maximum di...

Page 622: ...aces the switch in RA Guard Policy Configuration mode and defines a minimum Cur Hop Limit value of 5 switchxxxxxx config ipv6 nd raguard policy policy1 switchxxxxxx config ra guard hop limit minimum 5 switchxxxxxx config ra guard exit Example 2 The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and disables validation of the Cur H...

Page 623: ...sages sent by relay agents from clients to servers are not blocked See the device role IPv6 DHCP Guard command for details DHCPv6 Guard validates received DHCPv6 messages based on a DHCPv6 Guard policy attached to the source port Examples Example 1 The following example enables DHCPv6 Guard on VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 dhcp guard switchxxxxxx confi...

Page 624: ...ist If the vlan keyword is not configured the policy is applied to all VLANs on the device on which DHCPv6 Guard is enabled Default Configuration The DHCPv6 Guard default policy is applied Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines Use this command to attach a DHCPv6 Guard policy to a port Each time the command is used it overrides the previous command within t...

Page 625: ...hed switchxxxxxx config interface gi11 switchxxxxxx config if ipv6 dhcp guard attach policy policy1 switchxxxxxx config if exit Example 2 In the following example the DHCPv6 Guard policy policy1 is attached to the gi11 port and applied to VLANs 1 10 and 12 20 switchxxxxxx config interface gi11 switchxxxxxx config if ipv6 dhcp guard attach policy policy1 vlan 1 10 12 20 switchxxxxxx config if exit ...

Page 626: ...tion mode To return to the default use the no form of this command Syntax ipv6 dhcp guard attach policy policy name no ipv6 dhcp guard attach policy Parameters policy name The DHCPv6 Guard policy name up to 32 characters Default Configuration The DHCPv6 Guard default policy is applied Command Mode Interface VLAN Configuration mode User Guidelines Use this command to attach a DHCPv6 Guard policy to...

Page 627: ... mode use the ipv6 dhcp guard policy command in Global Configuration mode To remove the DHCPv6 guard policy use the no form of this command Syntax ipv6 dhcp guard policy policy name no ipv6 dhcp guard policy policy name Parameters policy name The DHCPv6 Guard policy name up to 32 characters Default Configuration No DHCPv6 Guard policy are configured Command Mode Global Configuration mode User Guid...

Page 628: ...y the ipv6 dhcp guard attach policy port mode or ipv6 dhcp guard attach policy VLAN mode command The vlan_default policy is attached by default to a VLAN if no other policy is attached to the VLAN The port_default policy is attached by default to a port if no other policy is attached to the port You can define a policy using the ipv6 dhcp guard policy command multiple times Before an attached poli...

Page 629: ... policy1 Policy policy1 is applied on the following ports gi11 gi12 The policy1 will be detached and removed are you sure Y N Y 29 17 ipv6 dhcp guard preference To globally enable verification of the preference in messages sent by DHCPv6 servers use the ipv6 dhcp guard preference command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 dhcp guard pr...

Page 630: ...e keyword and argument specifies the maximum allowed value The received DHCPv6 reply message with a preference value greater than the value specified by the value argument is dropped Use no ipv6 dhcp guard preference to disable verification of the advertised preference value in DHCPv6 reply messages Use no ipv6 dhcp guard preference maximum to disable verification of the maximum boundary of the va...

Page 631: ...on a VLAN use the ipv6 first hop security command in VLAN Configuration mode To return to the default use the no form of this command Syntax ipv6 first hop security no ipv6 first hop security Parameters N A Default Configuration IPv6 First Hop Security on a VLAN is disabled Command Mode Interface VLAN Configuration mode User Guidelines Use the ipv6 first hop security command to enable IPv6 First H...

Page 632: ...tach policy command in Interface Configuration mode To return to the default use the no form of this command Syntax ipv6 first hop security attach policy policy name vlan vlan list no ipv6 first hop security attach policy policy name Parameters policy name The IPv6 First Hop Security policy name up to 32 characters vlan vlan list Specifies that the IPv6 First Hop Security policy is to be attached ...

Page 633: ...the VLAN on which the packet arrived are added to the set The rules configured in the policy attached to the VLAN are added to the set if they have not been added The global rules are added to the set if they have not been added Use the no ipv6 first hop security attach policy command to detach all user defined policies attached to the port The default policy is reattached Use the no ipv6 first ho...

Page 634: ...ach policy policy1 vlan 1 10 switchxxxxxx config if ipv6 first hop security attach policy policy2 vlan 12 20 switchxxxxxx config if exit Example 4 In the following example IPv6 First Hop Security detaches policy policy1 detached to the gi11 port switchxxxxxx config interface gi11 switchxxxxxx config if no ipv6 first hop security attach policy policy1 switchxxxxxx config if exit 29 20 ipv6 first ho...

Page 635: ... to detach the current policy and to reattach the default policy The no form of the command does not have an effect if the default policy was attached Example In the following example the IPv6 First Hop Security policy policy1 is attached to VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 first hop security attach policy policy1 switchxxxxxx config if exit 29 21 ipv6 fi...

Page 636: ... shows how to enable logging of dropped packets by the IPv6 first hop security feature switchxxxxxx config ipv6 first hop security logging packet drop 29 22 ipv6 first hop security policy To define an IPv6 First Hop Security policy and place the switch in IPv6 First Hop Security Policy Configuration mode use the ipv6 first hop security policy command in Global Configuration mode To remove the IPv6...

Page 637: ... First Hop Security policies named vlan_default and port_default ipv6 first hop security policy vlan_default exit ipv6 first hop security policy port_default exit These policies cannot be removed but they can be changed The no ipv6 first hop security policy does not remove these policies it only removes the policy configurations defined by the user The default policies do not need to be attached b...

Page 638: ...tchxxxxxx config exit Example 2 The following example removes an attached IPv6 First Hop Security policy switchxxxxxx config no ipv6 first hop security policy policy1 Policy policy1 is applied on the following ports gi11 gi12 The policy1 will be detached and removed are you sure Y N Y 29 23 ipv6 nd inspection To enable the IPv6 Neighbor Discovery ND Inspection feature on a VLAN use the ipv6 nd ins...

Page 639: ...orts configured as host see the device role command ND inspection is performed after RA Guard Examples Example 1 The following example enables ND Inspection on VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 nd inspection switchxxxxxx config if exit Example 2 The following example enables ND Inspection on VLANs 100 107 switchxxxxxx config interface range vlan 100 107 sw...

Page 640: ...r Guidelines Use the ipv6 nd inspection attach policy command to attach an ND Inspection policy to a port Use the ipv6 nd inspection command to activate the attached policy on required VLANs Each time the command is used it overrides the previous command within the same policy If a policy specified by the policy name argument is not defined the command is rejected Multiple policies with the vlan k...

Page 641: ...D Inspection policy policy1 is attached to the gi11 port and applied to VLANs 1 10 and 12 20 switchxxxxxx config interface gi11 switchxxxxxx config if ipv6 nd inspection attach policy policy1 vlan 1 10 12 20 switchxxxxxx config if exit Example 3 In the following example the ND Inspection policy policy1 is attached to the gi11 port and applied to VLANs 1 10 and the ND Inspection policy policy2 is a...

Page 642: ...policy name no ipv6 nd inspection attach policy Parameters policy name The ND Inspection policy name up to 32 characters Default Configuration The ND Inspection default policy is applied Command Mode Interface VLAN Configuration mode User Guidelines Use this command to attach a ND Inspection policy to a VLAN If the policy specified by the policy name argument is not defined the command is rejected...

Page 643: ...form of this command Syntax ipv6 nd inspection drop unsecure no ipv6 nd inspection drop unsecure Parameters N A Default Configuration All messages are bridged Command Mode Global Configuration mode User Guidelines This command drops NDP messages if they do not contain CGA and RSA Signature options If this command is not configured then the sec level minimum command does not have an effect If this ...

Page 644: ...y name Parameters policy name The ND Inspection policy name up to 32 characters Default Configuration No ND Inspection policies are configured Command Mode Global Configuration mode User Guidelines This command defines the ND Inspection policy name and places the router in ND Inspection Policy Configuration mode The following commands can be configured into a ND Inspection policy device role ND In...

Page 645: ...an define a policy using the ipv6 nd inspection policy command multiple times If an attached policy is removed it is detached automatically before removing Examples Example 1 The following example defines a ND Inspection policy named policy1 places the switch in ND Inspection Policy Configuration mode and configures the port to drop unsecured messages and sets the device role as router switchxxxxx...

Page 646: ...m To globally specify the minimum security level value use the ipv6 nd inspection sec level minimum command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 nd inspection sec level minimum value no ipv6 nd inspection sec level minimum Parameters value Sets the minimum security level Range 0 7 Default Configuration All messages are bridged Command Mo...

Page 647: ...inspection validate source mac command in Global Configuration mode To disable this function use the no form of this command Syntax ipv6 nd inspection validate source mac no ipv6 nd inspection validate source mac Parameters N A Default Configuration This command is disabled by default Command Mode Global Configuration mode User Guidelines When the switch receives an NDP message which contains a li...

Page 648: ...e the ipv6 nd raguard command in VLAN Configuration mode To return to the default use the no form of this command Syntax ipv6 nd raguard no ipv6 nd raguard Parameters N A Default Configuration RA Guard on a VLAN is disabled Command Mode Interface VLAN Configuration mode User Guidelines Use the ipv6 nd raguard command to enable IPv6 RA Guard on a VLAN RA Guard discards RA CPA and ICMP Redirect mess...

Page 649: ...pv6 nd raguard attach policy port mode To attach an RA Guard policy to a specific port use the ipv6 nd raguard attach policy command in Interface Configuration mode To return to the default use the no form of this command Syntax ipv6 nd raguard attach policy policy name vlan vlan list no ipv6 nd raguard attach policy policy name Parameters policy name The RA Guard policy name up to 32 characters v...

Page 650: ... to the port on the VLAN on which the packet arrived are added to the set The rules configured in the policy attached to the VLAN are added to the set if they have not been added The global rules are added to the set if they have not been added Use the no ipv6 nd raguard attach policy command to detach all user defined policies attached to the port Use the no ipv6 nd raguard attach policy policy n...

Page 651: ...icy1 vlan 1 10 switchxxxxxx config if ipv6 nd raguard attach policy policy2 vlan 12 20 switchxxxxxx config if exit Example 4 In the following example RA Guard detaches policy policy1 from the gi11 port switchxxxxxx config interface gi11 switchxxxxxx config if no ipv6 nd raguard attach policy policy1 switchxxxxxx config if exit 29 32 ipv6 nd raguard attach policy VLAN mode To attach an RA Guard pol...

Page 652: ...ollowing example the RA Guard policy policy1 is attached to VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 nd raguard attach policy policy1 switchxxxxxx config if exit 29 33 ipv6 nd raguard hop limit To globally enable verification of the advertised Cur Hop Limit value in RA messages use the ipv6 nd raguard hop limit command in Global Configuration mode To return to th...

Page 653: ...t is dropped Configuring the maximum value keyword and argument enables verification that the advertised Cur Hop Limit value is less than or equal to the value set by the value argument If the advertised Cur Hop Limit value is unspecified which is the same as setting a value of 0 the packet is dropped Use the no ipv6 nd raguard hop limit maximum command to disable verification of the maximum bound...

Page 654: ...rd managed config flag on off no ipv6 nd raguard managed config flag Parameters on The value of the flag must be 1 off The value of the flag must be 0 Default Configuration Verification is disabled Command Mode Global Configuration mode User Guidelines This command enables verification of the advertised the Managed Address Configuration flag or the M flag in an RA message see RFC4861 This flag cou...

Page 655: ...onfig flag Parameters on The value of the flag must be 1 off The value of the flag must be 0 Default Configuration Verification is disabled Command Mode Global Configuration mode User Guidelines This command enables verification of the advertised Other Configuration flag or O flag in an RA message see RFC4861 This flag could be set by an attacker to force hosts to retrieve other configuration info...

Page 656: ...efault Configuration No RA Guard policy is configured Command Mode Global Configuration mode User Guidelines This command defines the RA Guard policy name and places the switch in IPv6 RA Guard Policy Configuration mode Each policy of the same type for example RA Guard policies must have a unique name Policies of different types can have a same policy name The switch supports two predefined RA Gua...

Page 657: ...ds can be configured in RA Guard Policy Configuration mode device role RA Guard Policy hop limit managed config flag match ra addresshop limit match ra prefixes other config flag router preference Examples Example 1 The following example defines an RA Guard policy named policy1 places the router in RA Guard Policy Configuration mode and disenabled validation of the Other Configuration flag and set...

Page 658: ... the advertised Default Router Preference value in RA messages use the ipv6 nd raguard router preference command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 nd raguard router preference maximum value minimum value no ipv6 nd raguard router preference maximum minimum Parameters maximum value Specifies the maximum allowed Advertised Default Route...

Page 659: ...outer preference command to disable verification of the advertised Default Router Preference value in RA messages Use the no ipv6 nd raguard router preference maximum command to disable verification of the maximum boundary of the advertised Default Router Preference value in RA messages Use the no ipv6 nd raguard router preference minimum command to disable verification of the advertised Default R...

Page 660: ... on a VLAN is disabled Command Mode Interface VLAN Configuration mode User Guidelines NB integrity establishes binding for neighbors connected to the perimetrical ports see the device role Neighbor Binding command belonging to the VLANs on which the feature is enabled Examples Example 1 The following example enables NB integrity on VLAN 100 switchxxxxxx config interface vlan 100 switchxxxxxx confi...

Page 661: ...or global IPv6 bound from NDP messages any All configuration methods for global IPv6 bound from NDP messages stateless and manual are allowed If no keyword is defined the any keyword is applied dhcp Binding from DHCPv6 is allowed Default Configuration Any is the default parameter Command Mode Global Configuration mode User Guidelines This command defines allowed IPv6 address configuration methods ...

Page 662: ... DHCPv6 from NDP messages because a host must execute the DAD process for these addresses If no keyword is defined the ipv6 neighbor binding address config any command is applied Examples Example 1 The following example specifies that any global IPv6 address configuration method can be applied and there will be no binding from DHCPv6 messages switchxxxxxx config ipv6 neighbor binding address prefi...

Page 663: ...s that global IPv6 addresses can be assigned only by DHCPv6 switchxxxxxx config ipv6 neighbor binding address config dhcp 29 40 ipv6 neighbor binding address prefix To define a static prefix for global IPv6 addresses bound from NDP messages use the ipv6 neighbor binding address prefix command in Global Configuration mode To delete the prefix use the no form of this command Syntax ipv6 neighbor bin...

Page 664: ...efined on the given VLAN Use the no ipv6 neighbor binding address prefix command to remove all static entries from the Neighbor Prefix table Examples Example 1 The following example adds two static entries The second one can be used for stateless configuration switchxxxxxx config ipv6 neighbor binding address prefix vlan 100 2001 0DB8 101 64 switchxxxxxx config ipv6 neighbor binding address prefix...

Page 665: ...dress prefix validation no ipv6 neighbor binding address prefix validation Parameters N A Default Configuration The feature is disabled Command Mode Global Configuration mode User Guidelines This command enables bound address prefix validation If the Neighbor Binding feature is enabled the switch checks if a bound address belongs to one of the prefixes of the Neighbor Prefix table or to a manually...

Page 666: ...in vlan list If the vlan keyword is not configured the policy is applied to all VLANs on the device on which Neighbor Binding policy is enabled Default Configuration The Neighbor Binding default policy is applied Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines Use this command to attach a Neighbor Binding policy to a port Each time the command is used it overrides t...

Page 667: ...rface gi11 switchxxxxxx config if ipv6 neighbor binding attach policy policy1 switchxxxxxx config if exit Example 2 In the following example the Neighbor Binding policy policy1 is attached to the gi11 port and applied to VLANs 1 10 and 12 20 switchxxxxxx config interface gi11 switchxxxxxx config if ipv6 neighbor binding attach policy policy1 vlan 1 10 12 20 switchxxxxxx config if exit Example 3 In...

Page 668: ...AN Configuration mode To return to the default use the no form of this command Syntax ipv6 neighbor binding attach policy policy name no ipv6 neighbor binding attach policy Parameters policy name The Neighbor Binding policy name up to 32 characters Default Configuration The Neighbor Binding default policy is applied Command Mode Interface VLAN Configuration mode User Guidelines Use this command to...

Page 669: ...ble entry lifetime use the ipv6 neighbor binding lifetime command in Global Configuration mode To return to the default setting use the no form of this command Syntax ipv6 neighbor binding lifetime value no ipv6 neighbor binding lifetime Parameters value The lifetime in minutes The range is from 1 through 60 minutes Default Configuration 5 minutes Command Mode Global Configuration mode User Guidel...

Page 670: ...A Default Configuration Binding table events are not logged Command Mode Global Configuration mode User Guidelines This command enables the logging of the following Binding table events An entry is inserted into the Binding table A Binding table entry was updated A Binding table entry was deleted from the Binding table A Binding table entry was not inserted into the Binding table possibly because ...

Page 671: ...e limit number Specifies a neighbor binding limit per port mac limit number Specifies a neighbor binding limit per MAC address Default Configuration This command is disabled Command Mode Global Configuration mode User Guidelines This command is used to control the contents of the Binding table This command specifies the maximum number of dynamic entries that can be inserted in the Binding table ca...

Page 672: ...e Parameters policy name The Neighbor Binding policy name up to 32 characters Default Configuration No Neighbor Binding policy is configured Command Mode Global Configuration mode User Guidelines This command defines a Neighbor Binding policy name and places the router in Neighbor Binding Policy Configuration mode so that additional commands can be added to the policy The switch supports two prede...

Page 673: ...to IPv6 Neighbor Binding Policy Configuration mode device role Neighbor Binding logging binding max entries address config address prefix validation Examples Example 1 The following example defines a Neighbor Binding policy named policy1 places the router in Neighbor Binding Policy Configuration mode enables logging and defines the port as internal switchxxxxxx config ipv6 neighbor binding policy ...

Page 674: ...To add a static entry to the Neighbor Binding table use the ipv6 neighbor binding static command in Global Configuration mode To remove the static entry use the no form of this command Syntax ipv6 neighbor binding static ipv6 ipv6 address vlan vlan id interface interface id mac mac address no ipv6 neighbor binding static ipv6 ipv6 address vlan vlan id Parameters ipv6 ipv6 address IPv6 address of t...

Page 675: ...ple adds a static entry switchxxxxxx config ipv6 neighbor binding static ipv6 2001 600 1 vlan 100 interface gi11 mac 00BB CC01 F500 29 49 ipv6 source guard To enable the IPv6 Source Guard feature on a VLAN use the ipv6 source guard command in VLAN Configuration mode To return to the default use the no form of this command Syntax ipv6 source guard no ipv6 source guard Parameters N A Default Configu...

Page 676: ...chxxxxxx config if range ipv6 source guard switchxxxxxx config if range exit 29 50 ipv6 source guard attach policy port mode To attach an IPv6 Source Guard policy to a specific port use the ipv6 source guard attach policy command in Interface Configuration mode To return to the default use the no form of this command Syntax ipv6 source guard attach policy policy name no ipv6 source guard attach po...

Page 677: ...t is applied to an input packet is built in the following way The rules configured in the policy attached to the port The global rules are added to the set if they have not been added Use the no ipv6 source guard attach policy command to detach the user defined policy attached to the port and to reattach the default policy with name port_default Examples Example 1 In the following example the IPv6...

Page 678: ... Guard policies are configured Command Mode Global Configuration mode User Guidelines This command defines the IPv6 Source Guard policy name and places the router in IPv6 Source Guard Policy Configuration mode The following commands can be configured in IPv6 Source Guard Policy Configuration mode trusted port IPv6 Source Guard Each policy of the same type for example IPv6 Source Guard policies mus...

Page 679: ...e and configures the port as trusted switchxxxxxx config ipv6 source guard policy policy1 switchxxxxxx config ipv6 srcguard trusted port switchxxxxxx config exit Example 2 The following example removes the attached IPv6 Source Guard policy switchxxxxxx config no ipv6 source guard policy policy1 Policy policy1 is applied on the following ports gi11 gi12 The policy1 will be detached and removed are ...

Page 680: ...AN it is applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN Example The following example enables logging of Binding table main events within the IPv6 Neighbor Binding policy named policy1 switchxxxxxx config ipv6 neighbor binding policy policy1 switchxxxxxx config nbr binding logging bi...

Page 681: ... to a VLAN it is applied to all the ports in the VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN Example The following example enables logging of dropped messaged with the IPv6 First Hop Security Policy named policy1 switchxxxxxx config ipv6 first hop security policy policy1 switchxxxxxx config ipv6 fhs logging pack...

Page 682: ...d managed config flag command on the port on which this policy applies Use the disable keyword to disable the flag validation in both global or the VLAN configuration Example The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and enables M flag verification that checks if the value of the flag is 0 switchxxxxxx config ipv6 nd ragu...

Page 683: ...in received RA messages by a configured prefix list If the router s source IPv6 address does not match the prefix list or if the prefix list is not configured the RA message is dropped Use the disable keyword to disable verification of the router s IPv6 address regardless of the VLAN configuration Example The following example defines an RA Guard policy named policy1 places the switch in RA Guard ...

Page 684: ...or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN advertised prefixes are not verified Command Mode RA Guard Policy Configuration mode User Guidelines This command enables verification of the advertised prefixes in received RA messages by a configured prefix list If an advertised prefix does not match the prefix list or if the prefix list is not config...

Page 685: ...ard Policy Configuration mode To return to the default use the no form of this command Syntax match reply prefix list ipv6 prefix list name disable no match reply Parameters ipv6 prefix list name The IPv6 prefix list to be matched disable Disables verification of the advertised prefixes in replies Default Configuration Policy attached to port or port channel the value configured in the policy atta...

Page 686: ...Pv6 addresses must belong to 2001 0DB8 100 200 64 or to 2001 0DB8 100 48 The ge 128 parameter must be configured for each prefix of the prefix list with prefix length less than 128 switchxxxxxx config ipv6 dhcp guard policy policy1 switchxxxxxx config dhcp guard match reply prefix list list1 switchxxxxxx config dhcp guard exit switchxxxxxx config ipv6 prefix list list1 deny 2001 0DB8 100 200 64 ge...

Page 687: ...Guidelines This command enables verification of the source IPv6 address in messages sent by DHCPv6 servers and DHCPv6 Relays to a configured prefix list If the source IPv6 address does not match the configured prefix list or if the prefix list is not configured the DHCPv6 reply is dropped IPv6 DHCP Guard verifies the source IPv6 address in the following DHCPv6 messages sent by DHCPv6 servers relay...

Page 688: ... Neighbor Binding Policy Configuration mode To return to the default use the no form of this command Syntax max entries vlan limit number disable interface limit number disable mac limit number disable no max entries vlan limit interface limit mac limit Parameters vlan limit number Specifies a neighbor binding limit per VLANs The parameter is ignored in a policy attached to port vlan limit disable...

Page 689: ... on the port to 25 switchxxxxxx config ipv6 neighbor binding policy policy1 switchxxxxxx config nbr binding max entries interface limit 25 switchxxxxxx config exit Example 2 The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and disables limit per MAC switchxxxxxx config ipv6 nd raguard policy policy1 switchxxxxxx config ra guard ...

Page 690: ... other config flag command on the port on which this policy applies Use the disable keyword to disable flag validation in both global or VLAN configuration Example The following example defines an RA Guard policy named policy1 places the switch in RA Guard Policy Configuration mode and enables O flag verification that checks if the value of the flag is 0 switchxxxxxx config ipv6 nd raguard policy ...

Page 691: ... 0 255 minimum disable Disables verification of the lower boundary of the advertised preference value Default Configuration Policy attached to port or port channel the value configured in the policy attached to the VLAN Policy attached to VLAN global configuration Command Mode DHCP Guard Policy Configuration mode User Guidelines Use this command to change the global configuration specified by the ...

Page 692: ...ecifies the maximum allowed Advertised Default Router Preference value The following values are acceptable low medium and high see RFC4191 A value of the high boundary must be equal to or greater than a value of the low boundary maximum disable Disables verification of the high boundary of Advertised Default Router Preference minimum value Specifies the minimum allowed Advertised Default Router Pr...

Page 693: ...switchxxxxxx config ipv6 nd raguard policy policy1 switchxxxxxx config ra guard router preference minimum medium switchxxxxxx config ra guard exit 29 63 sec level minimum To specify the minimum security level value within an Ipv6 ND Inspection policy use the sec level minimum command in ND Inspection policy Configuration mode To return to the default use the no form of this command Syntax sec leve...

Page 694: ...disabled Example The following example defines an NDP Inspection policy named policy1 places the switch in ND Inspection Policy Configuration mode and specifies 2 as the minimum CGA security level switchxxxxxx config ipv6 nd inspection policy policy1 switchxxxxxx config nd inspection sec level minimum 2 switchxxxxxx config nd inspection exit 29 64 show ipv6 dhcp guard To display DHCPv6 Guard globa...

Page 695: ... configured with the DHCPv6 guard feature use the show ipv6 dhcp guard policy command in privileged EXEC mode Syntax show ipv6 dhcp guard policy policy name active Parameters policy name Displays the DHCPv6 guard policy with the given name active Displays the attached DHCPv6 guard policies Command Mode Privileged EXEC mode User Guidelines This command displays the options configured for the policy...

Page 696: ...ANs 1 100 111 4094 Attached to ports Example 2 The following example displays the attached policies switchxxxxxx show ipv6 dhcp guard policy active Attached to VLAN Policy Name VLANs policy2 200 300 vlan default 1 199 301 4094 Attached to ports Example 3 The following example displays the user defined policies Ports gi11 2 gi13 4 Po1 4 VLANs 1 58 68 4094 1 4094 1 4094 Policy Name policy1 port defa...

Page 697: ...w ipv6 first hop security command in Privilege EXEC configuration mode Syntax show ipv6 first hop security Parameters N A Command Mode Privileged EXEC mode User Guidelines This command displays all IPv6 First Hop Security global configuration Example The following example gives an example of the show ipv6 first hop security command switchxxxxxx show ipv6 first hop security IPv6 First Hop Security ...

Page 698: ...ser Guidelines This command displays policies applied to frames arriving on given port and belonging to the given VLAN The policies are calculated automatically by using the policies attached to the port VLAN and the global configuration Example The following example displays the active attached policies on gi11 and VLAN 100 switchxxxxxx show ipv6 first hop security active policies interface gi11 ...

Page 699: ... VLAN sec level minimum 3 from policy1 attached to the port validate source mac enabled from global configuration Neighbor Binding Policy policy1 device role perimiter default logging binding enabled from policy1 attached to the port address prefix validation enabled from policy2 attached to the VLAN address config any default maximum entries VLAN unlimited from global configuration Port 1 from po...

Page 700: ...ty attached policies command in privileged EXEC mode Syntax show ipv6 first hop security attached policies interface interface id vlan vlan id Parameters interface interface id Port Identifier Ethernet port or port channel vlan vlan id VLAN Identifier Command Mode Privileged EXEC mode User Guidelines This command displays policies of all IPv6 First Hop Security attached to a VLAN specified by the ...

Page 701: ... counters command in privileged EXEC mode Syntax show ipv6 first hop security counters interface interface id Parameters interface interface id Displays counters for specified Ethernet port or port channel Command Mode Privileged EXEC mode User Guidelines This command displays packets handled by the switch that are being counted in port counters The switch counts packets captured per port and reco...

Page 702: ...r message on client port DHCP Guard 1 Unauthorized assigned address DHCP Guard 1 Unauthorized server source address DHCP Guard 0 Unauthorized server preference RA guard 1 Router message on host port RA guard 1 Unauthorized source address RA guard 0 Unauthorized advertise prefix RA guard 0 Unauthorized router preference RA guard 0 Unauthorized other config flag RA guard 0 Unauthorized managed confi...

Page 703: ...elines This command displays global error counters Examples Example 1 The following examples displays global error counters switchxxxxxx show ipv6 first hop security error counters Neighbor Binding Table Overflow counter 0 Neighbor Prefix Table Overflow counter 0 TCAM Overflow counter 0 29 71 show ipv6 first hop security policy To display IPv6 First Hop Security policies on all ports configured wi...

Page 704: ...red with the IPv6 First Hop feature Examples Example 1 The following example displays the Policy Configuration for a policy named policy1 switchxxxxxx show ipv6 first hop security policy policy1 IPv6D First Hop Security Policy policy1 logging packet drop enabled Attached to VLANs 1 100 111 4094 Attached to ports Example 2 The following example displays the attached policies switchxxxxxx show ipv6 ...

Page 705: ...urity policy policy1 policy2 29 72 show ipv6 nd inspection To display ND Inspection global configuration use the show ipv6 nd inspection command in Privilege EXEC configuration mode Syntax show ipv6 nd inspection Parameters N A Command Mode Privileged EXEC mode User Guidelines This command displays ND Inspection global configuration Policy Name policy1 port default Ports gi11 2 gi11 2 gi13 4 VLANs...

Page 706: ...play an IPv6 ND Inspection policy on all ports configured with the ND Inspection feature use the show ipv6 nd inspection policy command in privileged EXEC mode Syntax show ipv6 nd inspection policy policy name active Parameters policy name Displays the ND Inspection policy with the given name active Displays the attached ND Inspection policies Command Mode Privileged EXEC mode Examples Example 1 T...

Page 707: ... VLANs Policy Name VLANs vlan default 1 4094 Attached to ports Example 3 The following example displays the user defined policies switchxxxxxx show ipv6 nd inspection policy policy1 policy2 29 74 show ipv6 nd raguard To display RA Guard global configuration use the show ipv6 nd raguard command in Privilege EXEC configuration mode Ports gi11 2 gi13 4 Po1 VLANs 1 58 68 4094 1 4094 1 4094 Policy Name...

Page 708: ...v6 nd raguard IPv6 RA Guard is enabled on VLANs 1 4 6 7 100 120 Managed address configuration flag M flag off Other configuration flag O flag disabled Hop Limit minimum 10 maximum 100 Default Router Preference minimum 1 maximum 1 29 75 show ipv6 nd raguard policy To display a router advertisements RAs guard policy on all ports configured with the RA guard feature use the show ipv6 nd raguard polic...

Page 709: ...onfigured with the RA guard feature Examples Example 1 The following example displays the policy configuration for a policy named policy1 switchxxxxxx show ipv6 nd raguard policy raguard1 RA Guard Policy policy1 device role router router address prefix list name list1 prefixes prefix list name list2 Attached to VLANs 1 100 111 4094 Attached to ports Example 2 The following example displays the att...

Page 710: ...2 29 76 show ipv6 neighbor binding To display Neighbor Binding global configuration use the show ipv6 neighbor binding command in Privilege EXEC configuration mode Syntax show ipv6 neighbor binding Parameters N A Command Mode Privileged EXEC mode User Guidelines This displays Neighbor Binding global configuration Example The following example gives an example of the show ipv6 neighbor binding comm...

Page 711: ...ited Port 1 MAC 1 29 77 show ipv6 neighbor binding policy To display Neighbor Binding policies use the show ipv6 neighbor binding policy command in Privilege EXEC configuration mode Syntax show ipv6 neighbor binding policy policy name active Parameters policy name Neighbor Binding policy name active Displays the attached Neighbor Binding policies Command Mode Privileged EXEC mode User Guidelines T...

Page 712: ... address prefix validation disabled device role perimiter binding logging disabled max entries VLAN unlimited Port 10 MAC 2 Attached to VLANs 1 100 111 4094 Attached to ports Example 2 The following example displays the attached policies switchxxxxxx show ipv6 neighbor binding policy active Attached to VLAN Policy Name VLANs policy2 200 300 vlan default 1 199 301 4094 Ports gi11 2 gi13 4 Po1 4 VLA...

Page 713: ... ipv6 neighbor binding prefix table command in Privilege EXEC configuration mode Syntax show ipv6 neighbor binding prefix table vlan vlan id Parameters vlan vlan id Displays the prefixes that match the specified VLAN Command Mode Privileged EXEC mode User Guidelines This command displays the Neighbor Prefix table The display output can be limited to the specified VLAN If no VLAN is configured all ...

Page 714: ...contents of the Binding table use the show ipv6 neighbor binding table command in Privilege EXEC configuration mode Syntax show ipv6 neighbor binding table vlan vlan id interface interface id ipv6 ipv6 address mac mac address Parameters vlan vlan id Displays the Binding table entries that match the specified VLAN interface interface id Displays the Binding table entries that match the specified po...

Page 715: ...le has 4 entries Field Descriptions VLAN VLAN the host belongs to IPv6 address IPv6 address of the host Inter port the host is connected on MAC address MAC address of the host Origin Protocol that has added the IPv6 address Static The static IPv6 address manually defined by the ipv6 neighbor binding static command NDP The IPv6 address learnt from the NDP protocol messages DHCP The IPv6 address lea...

Page 716: ...rflw Entries marked by have not been added to TCAM because TCAM overflow 29 80 show ipv6 source guard To display IPv6 Source Guard global configuration use the show ipv6 source guard command in Privilege EXEC configuration mode Syntax show ipv6 source guard Parameters N A Command Mode Privileged EXEC mode User Guidelines This displays IPv6 Source Guard global configuration Example The following ex...

Page 717: ...d policy name active Displays the attached IPv6 Source Guard policies Command Mode Privileged EXEC mode User Guidelines This command displays all configured IPv6 Source Guard policies the given one or all attached IPv6 Source Guard policies Examples Example 1 The following example displays the policy configuration for a policy named policy1 switchxxxxxx show ipv6 source guard policy policy1 Neighb...

Page 718: ...source guard policy policy1 policy2 29 82 trusted port IPv6 Source Guard To configure a port as trusted port within an IPv6 Source Guard policy use the trusted port command in IPv6 Source Guard Policy Configuration mode To return to the default use the no form of this command Syntax trusted port no trusted port Parameters N A Default Configuration not trusted Command Mode IPv6 Source Guard Policy ...

Page 719: ...e link layer address within an IPv6 ND Inspection policy use the validate source mac command in ND Inspection Policy Configuration mode To return to the default use the no form of this command Syntax validate source mac enable disable no validate source mac Parameters enable Enables validation of the MAC address against the link layer address If no keyword is configured this keyword is applied by ...

Page 720: ...e VLAN If it is defined in a policy attached to a port in the VLAN this value overrides the value in the policy attached to the VLAN Example The following example enables the router to drop an NDP message whose link layer address does not match the MAC address switchxxxxxx config ipv6 nd inspection policy policy1 switchxxxxxx config nd inspection validate source mac switchxxxxxx config nd inspecti...

Page 721: ... Syntax ipv6 multicast routing mld proxy no ipv6 multicast routing Parameters mld proxy Enable Multicast routing using MLD Proxy Default Configuration Multicast routing is not enabled Command Mode Global Configuration mode User Guidelines Use the ipv6 multicast routing command with parameter to specify the needed IPv6 Multicast Routing Protocol To forward IPv6 Multicast packets on an interface IPv...

Page 722: ...can be a value from 0 to 256 Default Configuration The default Hop Limit value is 0 Command Mode Interface Configuration mode User Guidelines Multicast packets with a hop value less than the threshold will not be forwarded on the interface The default value of 0 means all Multicast packets are forwarded on the interface A value of 256 means that no Multicast packets are forwarded on the interface ...

Page 723: ...w ip mroute command to display information about Mroute entries in the mroute table The switch populates the Multicast routing table by creating S G entries from G entries The asterisk refers to all source addresses the S refers to a single source address and the G is the destination Multicast group address In creating S G entries the switch uses the best path to that destination group found in th...

Page 724: ... interface for a Multicast packet from the source If the packet is not received on this interface it is discarded Outgoing Interface List OIF Interfaces through which packets will be forwarded Example 1 The following is sample output from the show ipv6 mroute command with the summary keyword switchxxxxxx show ip mroute summary Timers Uptime Expires IPv6 Multicast Routing Table 2001 0DB8 999 99 FF0...

Page 725: ...nformation about interfaces configured for IPv6 Multicast interface id Interface identifier for which to display IPv6 Multicast information Command Mode User EXEC mode Privileged EXEC mode User Guidelines Use the show ipv6 multicast command without the interface keyword to display general information about the state of IPv6 Multicast on the router Use the show ipv6 multicast command with the inter...

Page 726: ... from the show ipv6 multicast command about the given interface MLD Proxy is enabled on the interface and the interface is an MLD Proxy Upstream interface switchxxxxxx show ipv6 multicast interface vlan 200 IPv6 Unicast Forwarding enabled IPv6 Multicast Protocol MLD Proxy vlan 200 IPv6 Status enabled hop threshold 0 MLD Protocol MLDv2 MLD Proxy Upstream Example 4 The following is sample output fro...

Page 727: ...LDv2 MLD Proxy DownStream Upstream vlan 200 Example 5 The following is sample output from the show ipv6 multicast command about the given interface MLD Proxy is disabled on the interface switchxxxxxx show ipv6 multicast interface vlan 100 IPv6 Unicast Forwarding enabled IPv6 Multicast Protocol MLD Proxy vlan 200 IPv6 Status enabled hop threshold 100 MLD Protocol MLDv2 MLD Proxy disabled ...

Page 728: ...network from which the hit count is to be cleared This argument must be in the form documented in RFC 4293 where the address is specified in hexadecimal using 16 bit values between colons prefix length The length of the IPv6 prefix A decimal value that indicates how many of the high order contiguous bits of the address comprise the prefix the network portion of the address A slash mark must preced...

Page 729: ...eters list name Name of the prefix list The name may contain up to 32 characters seq seq number Sequence number of the prefix list entry being configured This is an integer value from 1 to 4294967294 deny Denies networks that matches the condition permit Permits networks that matches the condition ipv6 prefix IPv6 network assigned to the specified prefix list This argument must be in the form docu...

Page 730: ...y the parameter if an entry with the number exists it is replaced by the new one This command without the seq keyword removes the prefix list The no version of this command with the seq keyword removes the specified entry The sequence number of a prefix list entry determines the order of the entries in the list The router compares network addresses to the prefix list entries The router begins the ...

Page 731: ...8 Note that the first condition must match before the other conditions take effect An exact match is assumed when the ge or le keywords are not specified If only one keyword operand is specified then the condition for that keyword is applied and the other condition is not applied The prefix length value must be less than the ge value The ge value must be less than or equal to the le value The le v...

Page 732: ...sEqual cP P L cL le Case 4 An prefix list entry is P prefix address L prefix length ge is defined le is defined The prefix cP cL matches the prefix list entry if PrefixIsEqual cP P L ge cL le Examples Example 1 The following example denies all routes with a prefix of 0 switchxxxxxx config ipv6 prefix list abc deny 0 Example 2 The following example permits the prefix 2002 16 switchxxxxxx config ipv...

Page 733: ...e 6 The following example denies mask lengths greater than 32 bits in all address space switchxxxxxx config ipv6 prefix list abc deny 0 ge 32 Example 7 The following example denies all routes with a prefix of 2002 128 switchxxxxxx config ipv6 prefix list abc deny 2002 128 Example 8 The following example permits all routes with a prefix of 0 switchxxxxxx config ipv6 prefix list abc permit 0 31 3 sh...

Page 734: ...ise the prefix the network portion of the address A slash mark must precede the decimal value longer Displays all entries of an IPv6 prefix list that are more specific than the given ipv6 prefix prefix length values first match Displays the entry of an IPv6 prefix list that matches the given ipv6 prefix prefix length values seq seq num Sequence number of the IPv6 prefix list entry Command Mode Use...

Page 735: ...with matching range seq Entry number in the list permit deny Granting status description Comment hit count Number of matches for the prefix entry Example 2 The following example shows the output of the show ipv6 prefix list command with the summary keyword switchxxxxxx show ipv6 prefix list summary ipv6 prefix list aggregate count 2 range entries 2 Example 3 The following example shows the output ...

Page 736: ...IPv6 Prefix List Commands 735 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 31 ...

Page 737: ...l Configuration mode To restore the default configuration use the no form of the command Syntax iscsi enable no iscsi enable Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Global Configuration mode User Guidelines Use the iscsi enable command to enable the iSCSI QoS If an ACL is bounded on an interface and a frame matches both to the iSCLI and the ...

Page 738: ...d Syntax iscsi flow default tcp port ip address no iscsi flow default tcp port ip address Parameters default Restores the default IPv4 flows tcp port Specifies the TCP port number on which iSCSI targets listen to requests Range 1 65535 ip address Specifies the IPv4 address on which iSCSI targets listen to requests Default Configuration Two iSCSI IPv4 flows with well known TCP ports 3260 and 860 Co...

Page 739: ...esses Use the no iscsi flow tcp port ip address command to delete the iSCSI flows defined by the iscsi target port tcp port ip address command Use the no iscsi flow tcp port command to delete the iSCSI flows defined by the iscsi flow tcp port command To delete a default iSCSI flow use the no iscsi flow tcp port command To delete all default iSCSI flows use the no iscsi flow default command To dele...

Page 740: ...P that iSCSI frames are assigned Range 0 63 queue queue Specify the outgoing queue that iSCSI frames are sent Range 1 8 Default Configuration VPT is not changed DSCP is not changed Queue 7 Command Mode Global Configuration mode User Guidelines Use the iscsi qos command to change the default quality of service profile applying to iSCSI flows Note At least one parameter is mandatory Example The foll...

Page 741: ...w iscsi Parameters This command has no arguments or keywords Default Configuration This command has no default settings Command Mode User EXEC mode Example This example shows how to display the iSCSI configuration switchxxxxxx show iscsi iSCSI is enabled iSCSI vpt is not changed iSCSI DSCP is 18 iSCSI Queue is 7 default iSCSI Flows TCP Target IP Port Address 860 0 0 0 0 default 3260 0 0 0 0 defaul...

Page 742: ...iSCSI QoS Commands 741 Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 32 9876 0 0 0 0 20002 192 111 220 110 20002 192 1 3 230 25555 0 0 0 0 ...

Page 743: ...he interface tunnel command in Global Configuration mode Syntax interface tunnel number Parameters number Specifies the tunnel number Default Configuration N A Command Mode Global Configuration mode Example The following example enters the Interface Configuration Tunnel mode switchxxxxxx config interface tunnel 1 switchxxxxxx config if tunnel source auto switchxxxxxx config if exit ...

Page 744: ...itation messages Range 10 3600 Default Configuration The default time interval between ISATAP router solicitation messages is 10 seconds Command Mode Global Configuration mode User Guidelines This command determines the interval between unsolicited router solicitation messages sent to discovery an ISATAP router Example The following example sets the time interval between ISATAP router solicitation...

Page 745: ...n interval when there is an active ISATAP router is the minimum router lifetime that is received from the ISATAP router divided by Robustness 1 Example The following example sets the number of router solicitation refresh messages that the device sends to 5 switchxxxxxx config tunnel isatap robustness 5 33 4 tunnel isatap router To configure a global string that represents a specific automatic tunn...

Page 746: ... types Only one string can represent the automatic tunnel router name per tunnel Using this command therefore overwrites the existing entry The empty string means that automatic lookup is not applied Example The following example configures the global string ISATAP2 as the automatic tunnel router domain name switchxxxxxx config interface tunnel 1 switchxxxxxx config if tunnel isatap router ISATAP2...

Page 747: ...the tunnel stops to be an IPv6 tunnel or the tunnel local IPv4 address is removed and the new IPv4 cannot be chosen ISATAP Tunnels Using this command with the isatap keyword specifies an automatic ISATAP tunnel ISATAP tunnels enable transport of IPv6 packets within network boundaries ISATAP tunnels allow individual IPv4 IPv6 dual stack hosts within a site to connect to an IPv6 network using the IP...

Page 748: ... tunnel source auto ipv4 address interface id no tunnel source Parameters auto The system minimum IPv4 address is used as the local IPv4 address IPv4 address of the local tunnel endpoint ip4 address Specifies the IPv4 address to use as the local IPv4 address IPv4 address of the local tunnel endpoint interface id Interface which the minimum IPv4 address is used as the local IPv4 address IPv4 addres...

Page 749: ...x config interface tunnel 1 switchxxxxxx config if tunnel source 120 12 3 4 switchxxxxxx config if exit 33 7 show ipv6 tunnel To display information on IPv6 tunnels use the show ipv6 tunnel command in User EXEC mode Syntax show ipv6 tunnel all Parameters all Optional The switch displays all parameters of the tunnel If the keyword is not configured only the tunnel parameters corresponding to its ty...

Page 750: ...nterface Reference Guide 33 Tunnel status UP Tunnel Local address type auto Tunnel Local Ipv4 address 192 1 3 4 Router DNS name ISATAP Router IPv4 addresses 1 1 1 1 Detected 100 1 1 1 Detected 14 1 100 1 Not Detected Router Solicitation interval 10 seconds Robustness 2 ...

Page 751: ...on Syntax autobaud no autobaud Parameters This command has no arguments or keywords Default Configuration Automatic baud rate detection is enabled Command Mode Line Configuration Mode User Guidelines When this command is enabled it is activated as follows connect the console to the device and press the Enter key twice The device detects the baud rate automatically Note that if characters other tha...

Page 752: ...imeout minutes seconds no exec timeout Parameters minutes Specifies the number of minutes Range 0 65535 seconds Optional Specifies the number of seconds Range 0 59 Default Configuration The default idle time interval is 10 minutes Command Mode Line Configuration Mode Example The following example sets the telnet session idle time interval before automatic logoff to 20 minutes and 10 seconds switch...

Page 753: ...emote access SSH Command Mode Global Configuration mode Example The following example configures the device as a virtual terminal for remote Telnet access switchxxxxxx config line telnet switchxxxxxx config line 34 4 speed To set the line baud rate use the speed command in Line Configuration mode To restore the default configuration use the no form of this command Syntax speed bps no speed Paramet...

Page 754: ...he following example configures the line baud rate as 9600 bits per second switchxxxxxx config line speed 9600 34 5 show line To display line parameters use the show line Privileged EXEC mode command Syntax show line console telnet ssh Parameters console Optional Displays the console configuration telnet Optional Displays the Telnet configuration ssh Optional Displays the SSH configuration Default...

Page 755: ...e line configuration switchxxxxxx show line Console configuration Interactive timeout Disabled History 10 Baudrate 9600 Databits 8 Parity none Stopbits 1 Telnet configuration Telnet is enabled Interactive timeout 10 minutes 10 seconds History 10 SSH configuration SSH is enabled Interactive timeout 10 minutes 10 seconds History 10 ...

Page 756: ...tion mode command To restore the default configuration use the no form of this command Syntax lacp port priority value no lacp port priority Parameters value Specifies the port priority Range 1 65535 Default Configuration The default port priority is 1 Command Mode Interface Ethernet Configuration mode Example The following example sets the priority of gi16 switchxxxxxx config interface gi16 switc...

Page 757: ...ameters value Specifies the system priority value Range 1 65535 Default Configuration The default system priority is 1 Command Mode Global Configuration mode Example The following example sets the system priority to 120 switchxxxxxx config lacp system priority 120 35 3 lacp timeout To assign an administrative LACP timeout to an interface use the lacp timeout Interface Ethernet Configuration mode c...

Page 758: ...6 switchxxxxxx config interface gi16 switchxxxxxx config if lacp timeout long 35 4 show lacp To display LACP information for all Ethernet ports or for a specific Ethernet port use the show lacp Privileged EXEC mode command Syntax show lacp interface id parameters statistics protocol state Parameters interface id Specify an interface ID The interface ID must be an Ethernet port parameters Optional ...

Page 759: ... priority port Oper priority port Admin timeout port Oper timeout LACP Activity Aggregation synchronization collecting distributing expired 1 00 00 12 34 56 78 30 30 21 1 1 LONG LONG ACTIVE AGGREGATABLE FALSE FALSE FALSE FALSE Partner system priority system mac addr port Admin key port Oper key port Oper number port Admin priority port Oper priority port Admin timeout port Oper timeout LACP Activi...

Page 760: ...channel_number Parameters port_channel_number Optional Specifies the port channel number Command Mode Privileged EXEC mode Port gi11 LACP Statistics LACP PDUs sent LACP PDUs received 2 2 Port gi11 LACP Protocol State LACP State Machines Receive FSM Mux FSM Port Disabled State Detached State Control Variables BEGIN LACP_Enabled Ready_N Selected Port_moved NNT Port_enabled FALSE TRUE FALSE UNSELECTE...

Page 761: ... Guide 760 35 Example The following example displays LACP information about port channel 1 switchxxxxxx show lacp port channel 1 Port Channel 1 Port Type 1000 Ethernet Actor System Priority MAC Address Admin Key Oper Key 1 000285 0E1C00 29 29 Partner System Priority MAC Address Oper Key 0 00 00 00 00 00 00 14 ...

Page 762: ...ax clear lldp table interface id Parameters interface id Optional Specifies a port ID Default Configuration If no interface is specified the default is to clear the LLDP table for all ports Command Mode Privileged EXEC mode Example switchxxxxxx clear lldp table gi11 36 2 lldp chassis id To configure the source of the chassis ID of the port use the lldp chassis id Global Configuration mode command ...

Page 763: ...User Guidelines The host name should be configured to be a unique value If the chassis ID configured to be used in LLDP packets is empty LLDP uses the default chassis ID specified above Example The following example configures the chassis ID to be the MAC address switchxxxxxx config lldp chassis id mac address 36 3 lldp hold multiplier To specify how long the receiving device holds a LLDP packet b...

Page 764: ...g formula TTL min 65535 LLDP Timer LLDP hold multiplier For example if the value of the LLDP timer is 30 seconds and the value of the LLDP hold multiplier is 4 then the value 120 is encoded in the TTL field of the LLDP header Example The following example sets the LLDP packet hold time interval to 90 seconds switchxxxxxx config lldp timer 30 switchxxxxxx config lldp hold multiplier 3 36 4 lldp lld...

Page 765: ...t handling mode cannot be set to flooding and vice versa If LLDP is globally disabled and the LLDP packet handling mode is flooding LLDP packets are treated as data packets with the following exceptions VLAN ingress rules are not applied to LLDP packets The LLDP packets are trapped on all ports for which the STP state is Forwarding Default deny all rules are not applied to LLDP packets VLAN egress...

Page 766: ...selects the lowest IP address among the dynamic IP addresses If there are no dynamic addresses the software selects the lowest IP address among the static IP addresses automatic interface id Specifies that the software automatically selects a management address to advertise from the IP addresses that are configured on the interface ID In case of multiple IP addresses the software selects the lowes...

Page 767: ...nable or disable LLDP Media Endpoint Discovery MED on a port use the lldp med Interface Ethernet Configuration mode command To return to the default state use the no form of this command Syntax lldp med enable tlv tlv4 disable no lldp med Parameters enable Enable LLDP MED tlv Specifies the TLV that should be included Available TLVs are Network Policy Location and POE PSE Inventory The Capabilities...

Page 768: ...rface Ethernet Configuration mode command To restore the default configuration use the no form of this command Syntax lldp med notifications topology change enable disable no lldp med notifications topology change Parameters enable Enables sending LLDP MED topology change notifications disable Disables sending LLDP MED topology change notifications Default Configuration Disable is the default Comm...

Page 769: ...number no lldp med fast start repeat count Parameters repeat count number Specifies the number of times the fast start LLDPDU is being sent during the activation of the fast start mechanism The range is 1 10 Default Configuration 3 Command Mode Global Configuration mode Example switchxxxxxx config lldp med fast start repeat count 4 36 9 lldp med location To configure the location information for t...

Page 770: ...separated by a period or colon Length coordinate 16 bytes Civic address 6 160 bytes Ecs elin 10 25 bytes Default Configuration The location is not configured Command Mode Interface Ethernet Configuration mode Example The following example configures the LLDP MED location information on gi12 as a civic address switchxxxxxx config interface gi12 switchxxxxxx config if lldp med location civic address...

Page 771: ...ber of the primary function of the application defined for this network policy Available application names are voice voice signaling guest voice guest voice signaling softphone voice video conferencing streaming video video signaling vlan vlan id Optional VLAN identifier for the application vlan type Optional Specifies if the application is using a tagged or an untagged VLAN up priority Optional U...

Page 772: ...ntagged up 1 dscp 2 switchxxxxxx config interface gi11 switchxxxxxx config if lldp med network policy add 1 36 11 lldp med network policy interface To attach or remove an LLDP MED network policy on a port use the lldp med network policy Interface Ethernet Configuration mode command Network policies are created in lldp med network policy global To remove all the LLDP MED network policies from the p...

Page 773: ...gi11 switchxxxxxx config if lldp med network policy add 1 36 12 lldp med network policy voice auto A network policy for voice LLDP packets can be created by using the lldp med network policy global The lldp med network policy voice auto Global Configuration mode is simpler in that it uses the configuration of the Voice application to create the network policy instead of the user having to manually...

Page 774: ...the auto voice VLAN there must be no manually pre configured network policies for the voice application In Auto mode you cannot manually define a network policy for the voice application using the lldp med network policy global command Example switchxxxxxx config lldp med network policy voice auto 36 13 lldp notifications To enable disable sending LLDP notifications on an interface use the lldp no...

Page 775: ...ble 36 14 lldp notifications interval To configure the maximum transmission rate of LLDP notifications use the lldp notifications interval Global Configuration mode command To return to the default use the no form of this command Syntax lldp notifications interval seconds no lldp notifications interval Parameters interval seconds The device does not send more than a single notification in the indi...

Page 776: ...Specifies the TLVs to be included Available optional TLVs are port desc sys name sys desc sys cap 802 3 mac phy 802 3 lag 802 3 max frame size Power via MDI 4 wirePower via MDI none Optional Clear all optional TLVs from the interface If the 802 1 protocol is selected see the command below Default Configuration The following TLV are transmitted sys name sys cap Command Mode Interface Ethernet Confi...

Page 777: ...add vlan id This vlan id is advertised lldp optional tlv 802 1 vlan remove vlan id This vlan id is not advertised lldp optional tlv 802 1 protocol add stp rstp mstp pause 802 1x lacp gvrp The protocols selected are advertised lldp optional tlv 802 1 protocol remove stp rstp mstp pause 802 1x lacp gvrp The protocols selected are not advertised Parameters lldp optional tlv 802 1 pvid enable disable ...

Page 778: ...onfiguration mode command To disable LLDP use the no form of this command Syntax lldp run no lldp run Parameters This command has no arguments or keywords Default Configuration Enabled Command Mode Global Configuration mode Example switchxxxxxx config lldp run 36 18 lldp receive To enable receiving LLDP on an interface use the lldp receive Interface Ethernet Configuration mode command To stop rece...

Page 779: ...orts is stored individually per port LLDP operation on a port is not dependent on the STP state of a port I e LLDP frames are received on blocked ports If a port is controlled by 802 1x LLDP operates only if the port is authorized Example switchxxxxxx config interface gi11 switchxxxxxx config if lldp receive 36 19 lldp reinit To specify the minimum time an LLDP port waits before reinitializing LLD...

Page 780: ...and Mode Global Configuration mode Example switchxxxxxx config lldp reinit 4 36 20 lldp timer To specify how often the software sends LLDP updates use the lldp timer Global Configuration mode command To restore the default configuration use the no form of this command Syntax lldp timer seconds no lldp timer Parameters timer seconds Specifies in seconds how often the software sends LLDP updates ran...

Page 781: ... transmit Interface Ethernet Configuration mode command Syntax lldp transmit no lldp transmit Parameters This command has no arguments or keywords Default Configuration Enabled Command Mode Interface Ethernet Configuration mode switchxxxxxx config if User Guidelines LLDP manages LAG ports individually LLDP sends separate advertisements on each port in a LAG LLDP operation on a port is not dependen...

Page 782: ...on use the no form of this command Syntax lldp tx delay seconds no lldp tx delay Parameters tx delay seconds Specifies the delay in seconds between successive LLDP frame transmissions initiated by value status changes in the LLDP local systems MIB range 1 8192 seconds Default Configuration The default LLDP frame transmission delay is 2 seconds Command Mode Global Configuration mode User Guidelines...

Page 783: ...e port ID detailed Optional Displays information for non present ports in addition to present ports Default Configuration Display for all ports If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Examples Example 1 Display LLDP configuration for all ports switchxxxxxx show lldp configuration State Enabled Timer 30 Seconds Hold multiplier 4 Reinit delay 2 Seco...

Page 784: ...kets handling Filtering Chassis ID mac address Port State Optional TLVs Address Notifications gi11 RX TX PD SN SD SC 4W 72 16 1 1 Disabled 802 3 optional TLVs 802 3 mac phy 802 3 lag 802 3 max frame size 802 1 optional TLVs PVID Enabled PPVIDs 0 1 92 VLANs 1 92 Protocols 802 1x The following table describes the significant fields shown in the display Field Description Timer The time interval betwe...

Page 785: ...ation for all ports Command Mode Privileged EXEC mode Tx delay The delay between successive LLDP frame transmissions initiated by value status changes in the LLDP local systems MIB Port The port number State The port s LLDP state Optional TLVs Optional TLVs that are advertised Possible values are PD Port description SN System name SD System description SC System capabilities 4W 4 wire spare pair c...

Page 786: ...onfiguration Status Auto negotiation support Supported Auto negotiation status Enabled Auto negotiation Advertised Capabilities 100BASE TX full duplex 1000BASE T full duplex Operational MAU type 1000BaseTFD 802 3 Link Aggregation Aggregation capability Capable of being aggregated Aggregation status Not currently in aggregation Aggregation port ID 1 802 3 Maximum Frame Size 1522 Power Type Type 1 P...

Page 787: ... LLDP MED Device type Network Connectivity LLDP MED Network policy Application type Voice Flags Tagged VLAN VLAN ID 2 Layer 2 priority 0 DSCP 0 LLDP MED Power over Ethernet Device Type Power Sourcing Entity Power source Primary Power Source Power priority High Power value 9 6 Watts LLDP MED Location Coordinates 54 53 c1 f7 51 57 50 ba 5b 97 27 80 00 00 67 01 Hardware Revision B1 Firmware Revision ...

Page 788: ...ommand Syntax show lldp local tlvs overloading interface id Parameters interface id Optional Specifies a port ID Default Configuration If no port ID is entered the command displays information for all ports Command Mode User EXEC mode User Guidelines The command calculates the overloading status of the current LLDP configuration and not for the last LLDP packet that was sent Example switchxxxxxx s...

Page 789: ... Optional Specifies the port ID detailed Optional Displays information for non present ports in addition to present ports Default Configuration If no port ID is entered the command displays information for all ports If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Examples Example 1 The following example displays the LLDP MED configuration for all interfac...

Page 790: ...t Capabilities Network Policy Location Notifications Inventory gi11 Yes Yes Yes Enabled Yes Network policies Location Civic address 61 62 63 64 65 66 36 27 show lldp neighbors To display information about neighboring devices discovered using LLDP use the show lldp neighbors Privileged EXEC mode command The information can be displayed for all ports or for a specific port Syntax show lldp neighbors...

Page 791: ...dp neighbors System capability legend B Bridge R Router W Wlan Access Point T telephone D DOCSIS Cable Device H Host r Repeater TP Two Ports MAC Relay S S VLAN C C VLAN O Other Port Device ID Port ID System Name Capabilities TTL gi11 00 00 00 11 11 11 gi11 ts 7800 2 B 90 gi11 00 00 00 11 11 11 gi11 ts 7800 2 B 90 gi12 00 00 26 08 13 24 gi13 ts 7900 1 B R 90 gi13 00 00 26 08 13 24 gi12 ts 7900 2 W ...

Page 792: ...Class PD PSE MDI Power Support Not Supported PSE MDI Power State Not Enabled PSE power pair control ability Not supported PSE Power Pair Signal PSE Power class 1 Power Type Type 1 PSE Power Source Primary Power Source Power Priority Unknown PSE Allocated Power Value 30 4 Pair POE supported Yes Spare Pair Detection Classification required Yes PD Spare Pair Desired State Enabled PD Spare Pair Operat...

Page 793: ...cy LLDP MED Device type Endpoint class 2 LLDP MED Network policy Application type Voice Flags Unknown policy VLAN ID 0 Layer 2 priority 0 DSCP 0 LLDP MED Power over Ethernet Device Type Power Device Power source Primary power Power priority High Power value 9 6 Watts Hardware revision 2 1 Firmware revision 2 3 Software revision 2 7 1 Serial number LM759846587 Manufacturer name VP Model name TR12 A...

Page 794: ...r device Possible values are B Bridge R Router W WLAN Access Point T Telephone D DOCSIS cable device H Host r Repeater O Other System description The neighbor device s system description Port description The neighbor device s port description Management address The neighbor device s management address Auto negotiation support The auto negotiation support status on the port supported or not support...

Page 795: ...defined for this network policy Flags Flags The possible values are Unknown policy Policy is required by the device but is currently unknown Tagged VLAN The specified application type is using a tagged VLAN Untagged VLAN The specified application type is using an Untagged VLAN VLAN ID The VLAN identifier for the application Layer 2 priority The Layer 2 priority used for the specified application D...

Page 796: ... the command displays information for all ports If detailed is not used only present ports are displayed Command Mode User EXEC mode Example switchxxxxxx show lldp statistics Power priority The PD device priority A PSE device advertises the power priority configured for the port A PD device advertises the power priority configured for the device The possible values are Critical High and Low Power ...

Page 797: ...gi14 0 0 0 0 0 0 0 The following table describes significant LLDP fields shown in the display Field Description Port The port number Device ID The neighbor device s configured ID name or MAC address Port ID The neighbor device s port ID System name The neighbor device s administratively assigned name Capabilities The capabilities discovered on the neighbor device Possible values are B Bridge R Rou...

Page 798: ...e Indicates whether the sender is a Network Connectivity Device or Endpoint Device and if an Endpoint to which Endpoint Class it belongs LLDP MED Network Policy Application type The primary function of the application defined for this network policy Flags Flags The possible values are Unknown policy Policy is required by the device but is currently unknown Tagged VLAN The specified application typ...

Page 799: ...ry power Local power Primary and Local power Power priority The PD device priority A PSE device advertises the power priority configured for the port A PD device advertises the power priority configured for the device The possible values are Critical High and Low Power value The total power in watts required by a PD device from a PSE device or the total power a PSE device is capable of sourcing ov...

Page 800: ...command Syntax loopback detection enable no loopback detection enable Parameters This command has no arguments or keywords Default Configuration Loopback Detection is disabled Command Mode Global Configuration mode User Guidelines This command enables the Loopback Detection feature globally Use the loopback detection enable Interface Configuration mode command to enable Loopback Detection on an in...

Page 801: ...keywords Default Configuration Loopback Detection is enabled on an interface Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines This command enables Loopback Detection on an interface Use the loopback detection enable Global Configuration command to enable Loopback Detection globally Example The following example enables the Loopback Detection feature on port gi14 swit...

Page 802: ...D packets to 45 seconds switchxxxxxx config loopback detection interval 45 37 4 show loopback detection To display information about Loopback Detection use the show loopback detection Privileged EXEC mode command Syntax show loopback detection interface id detailed Parameters interface id Optional Specifies an interface ID The interface ID can be one of the following types Ethernet port or Port ch...

Page 803: ... indicates that the interface entered errDisabled state see set interface active set interface activeor errdisable recovery cause for more information Operational status of Inactive indicates that loopback detection is not actively attempting to detect loops i e the Active status conditions are not meet Example The following example displays information about the status of Loopback Detection Conso...

Page 804: ...t be an anti macro a macro whose name is concatenated with no_ The anti macro reverses the action of the macro If a macro with this name already exists it overrides the previously defined one Use the no form of this command to delete the macro definition Syntax macro name macro name no macro name macro name Parameters macro name Name of the macro Macro names are case sensitive Default Configuratio...

Page 805: ...ollowing guidelines to create a macro Use macro name to create the macro with the specified name Enter one macro command per line Use the character to end the macro Use the character at the beginning of a line to enter a comment in the macro In addition is used to identify certain preprocessor commands that can only be used within a macro There are two possible preprocessor commands macro key desc...

Page 806: ...nding anti macros for the Smartport feature You cannot override a Smartport macro To change a Smartport macro create a new macro my_macro and an anti macro no_my_macro and associate it with the Smartport type using the macro auto user smartport macro command Scope of Macro It is important to consider the scope of any user defined macro Because of the potential hazards of applying unintended config...

Page 807: ...ing example shows how to display the keywords using the help character as defined by the macro keywords command above and then run the macro on the port The macro keywords command entered in the macro definition enables the user to receive help for the macro as shown after the words e g below switchxxxxxx config interface gi11 switchxxxxxx config if macro apply duplex WORD 1 32 Keyword to replace ...

Page 808: ...e macro are replaced with the corresponding value Default Configuration The command has no default setting Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines The macro apply command hides the commands of the macro from the user while it is being run The macro trace command displays the commands along with any errors which are generated by them as they are executed This...

Page 809: ...is applied to an interface range it is applied sequentially to each interface within the range If a macro command fails on one interface it is nonetheless attempted to be applied and may fail or succeed on the remaining interfaces Examples Example 1 The following is an example of a macro being applied to an interface with the trace option switchxxxxxx config interface gi12 switchxxxxxx config if m...

Page 810: ...result the name of the macro is appended to the macro history of the interface Syntax macro description text no macro description Parameters text Description text The text can contain up to 160 characters The text must be double quoted if it contains multiple words Default Configuration The command has no default setting Command Mode Interface Ethernet Port Channel Configuration mode User Guidelin...

Page 811: ...switchxxxxxx config exit switchxxxxxx show parser macro description Global Macro s Interface Macro Description s gi12 dup gi13 duplex dup duplex switchxxxxxx configure switchxxxxxx config interface gi12 switchxxxxxx config if no macro description switchxxxxxx config if end switchxxxxxx config exit switchxxxxxx show parser macro description Global Macro s Interface Macro Description s gi13 duplex d...

Page 812: ...rror when you apply a macro the macro continues to apply the remaining commands to the switch Keyword matching is case sensitive All matching occurrences of the keyword are replaced with the corresponding value Any full match of a keyword even if it is part of a large string is considered a match and replaced by the corresponding value If you apply a macro that contains keywords in its commands th...

Page 813: ...trace console timeout timeout interval 100 Applying command line console Applying command exec timeout 100 38 5 macro global description Use the macro global description Global Configuration command to enter a description which is used to indicate which macros have been applied to the switch Use the no form of this command to remove the description Syntax macro global description text no macro glo...

Page 814: ...play the parameters for all configured macros or for one macro on the switch Syntax show parser macro brief description interface interface id detailed name macro name Parameters brief Display the name of all macros description interface interface id Display the macro descriptions for all interfaces or if an interface is specified display the macro descriptions for that interface name macro name D...

Page 815: ...res Macro name company desktop Macro type default interface macro keywords AVID Basic interface Enable data VLAN only Recommended value for access vlan AVID should not be 1 switchport access vlan AVID switchport mode access Example 2 This is an example of output from the show parser macro name command switchxxxxxx show parser macro standard switch10 Macro name standard switch10 Macro type customiz...

Page 816: ...esktop default interface company phone default interface company switch default interface company router customizable snmp Example 4 This is an example of output from the show parser macro description command switchxxxxxx show parser macro description Global Macro s company global Example 5 This is an example of output from the show parser macro description interface command switchxxxxxx show pars...

Page 817: ... port Port channel or VLAN service service Optional Specifies the service type Possible values are Telnet SSH HTTP HTTPS and SNMP ipv4 address Specifies the source IPv4 address ipv6 address ipv6 prefix length Specifies the source IPv6 address and source IPv6 address prefix length The prefix length must be preceded by a forward slash The parameter is optional mask mask Specifies the source IPv4 add...

Page 818: ...Configuration mode command Syntax permit interface id service service permit ip source ipv4 address ipv6 address ipv6 prefix length mask mask prefix length interface id service service Parameters interface id Optional Specify an interface ID The interface ID can be one of the following types Ethernet port Port channel or VLAN service service Optional Specifies the service type Possible values are ...

Page 819: ...N and port channel parameters are valid only if an IP address is defined on the appropriate interface Example The following example permits all ports in the ACL called mlist switchxxxxxx config management access list mlist switchxxxxxx config macl permit 39 3 management access list To configure a management access list ACL and enter the Management Access list Configuration mode use the management ...

Page 820: ...Pv6 management traffic that is tunneled in IPv4 packets the management ACL is applied first on the external IPv4 header rules with the service field are ignored and then again on the inner IPv6 header Examples Example 1 The following example creates a management access list called mlist configures management gi11 and gi19 and makes the new access list the active list switchxxxxxx config management...

Page 821: ... management connection restrictions use the no form of this command Syntax management access class console only name no management access class Parameters console only Specifies that the device can be managed only from the console name Specifies the ACL name to be used Length 1 32 characters Default Configuration The default configuration is no management connection restrictions Command Mode Globa...

Page 822: ...ment access list to be displayed Length 1 32 characters Default Configuration All management ACLs are displayed Command Mode Privileged EXEC mode Example The following example displays the mlist management ACL switchxxxxxx show management access list mlist m1 deny service telnet permit gi11 service telnet Note all other access implicitly denied console config macl 39 6 show management access class...

Page 823: ...Syntax show management access class Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode Example The following example displays the active management ACL information switchxxxxxx show management access class Management access class is enabled using access list mlist ...

Page 824: ...nters interface id Parameters interface id Optional Interface Identifier Command Mode Privileged EXEC mode User Guidelines Use the clear ipv6 mld counters command to clear the MLD counters which keep track of the number of joins and leaves received If you omit the optional interface id argument the clear ipv6 mld counters command clears the counters on all interfaces Example The following example ...

Page 825: ... member query count count no ipv6 mld last member query count Parameters count The number of times that group or group source specific queries are sent upon receipt of a message indicating a leave Range 1 7 Default Configuration A value of MLD Robustness variable Command Mode Interface Configuration mode User Guidelines Use the ipv6 mld robustness command to change the MLD last member query counte...

Page 826: ...host query messages are sent on the interface Range 100 25500 Default Configuration The default MLD last member query interval is 1000 milliseconds Command Mode Interface Configuration mode User Guidelines Use the ipv6 mld last member query interval command to configure the MLD last member query interval on an interface Example The following example shows how to increase the MLD last member query ...

Page 827: ...ommand to configure the frequency at which the MLD querier sends MLD host query messages from an interface The MLD querier sends query host messages to discover which multicast groups have members on the attached networks of the router The query interval must be bigger than the maximum query response time Example The following example shows how to increase the frequency at which the MLD querier se...

Page 828: ...nd to an MLD query message before the router deletes the group This command controls how much time the hosts have to answer an MLD query message before the router deletes their group Configuring a value of fewer than 10 seconds enables the router to prune groups faster The maximum query response time must be less than the query interval Note If the hosts do not respond fast enough they might be pr...

Page 829: ... Parameter range Range 1 7 Default Configuration The default value is 2 Command Mode Interface Configuration mode User Guidelines Use the ipv6 mld robustness command to change the MLD robustness variable Example The following example changes a value of the MLD robustness variable to 3 switchxxxxxx config interface vlan 1 switchxxxxxx config if ipv6 mld robustness 3 switchxxxxxx config if exit 40 7...

Page 830: ...ommand to change the default version of MLD Example The following example configures the router to use MLD Version 1 switchxxxxxx config interface vlan 100 switchxxxxxx config if ipv6 mld version 1 switchxxxxxx config if exit 40 8 show ipv6 mld counters To display the Multicast Listener Discovery MLD traffic counters use the show ipv6 mld counters command in User EXEC mode Syntax show ipv6 mld cou...

Page 831: ...the MLD protocol messages received and sent switchxxxxxx show ipv6 mld counters vlan 100 VLAN 100 Elapsed time since counters cleared 00 00 21 Failed received Joins 0 Total MLDv1 received messages 10 Total MLDv2 received messages 0 Total invalid received messages 0 General Sent Queries 0 Specific Sent Queries 0 40 9 show ipv6 mld groups To display the multicast groups that are directly connected t...

Page 832: ...al detail command to display all directly connected link local groups Use the show ipv6 mld groups group name group address detail command to display one given directly connected group Use the show ipv6 mld groups interface id detail command to display all groups directly connected to the given interface Examples Example 1 The following is sample output from the show ipv6 mld groups command It sho...

Page 833: ... 5 12 1 Group Timer Expires 00 20 11 Group source list Source Address Expires 2004 4 6 00 00 11 2004 4 16 00 08 11 Group FF33 1 1 2 Router mode EXCLUDE Last reporter 2008 5 2A 10 Group Timer Expires 00 20 11 Exclude Mode Expiry Filter Timer 00 10 11 Group source list Source Address Expires 2004 5 1 00 04 08 2004 3 1 00 04 08 2004 7 10 00 00 00 2004 50 1 00 00 00 40 10 show ipv6 mld groups summary ...

Page 834: ...nk local groups Example The following is sample output from the show ipv6 mld groups summary command switchxxxxxx show ipv6 mld groups summary MLD Route Summary No of G routes 5 No of S G routes 0 Field Descriptions No of G routes 5 Displays the number of groups present in the MLD cache No of S G routes 0 Displays the number of include and exclude mode sources present in the MLD cache 40 11 show i...

Page 835: ...chxxxxxx show ipv6 mld interface vlan 100 VLAN 100 is up Administrative MLD Querier IPv6 address is FE80 260 3EFF FE86 5649 Operational MLD Querier IPv6 address is FE80 260 3EFF FE86 5649 Current MLD version is 3 Administrative MLD robustness variable is 2 seconds Operational MLD robustness variable is 2 seconds Administrative MLD query interval is 125 seconds Operational MLD query interval is 125...

Page 836: ...ce id Upstream Interface identifier Default Configuration The protocol is disabled on the interface Command Mode Interface Configuration mode User Guidelines Use the ipv6 mld proxy command to add a downstream interface to a MLD proxy tree If the proxy tree does not exist it is created Use the no format of the command to remove the downstream interface When the last downstream interface is removed ...

Page 837: ... 2 ipv6 mld proxy downstream protected To disable forwarding of IPv6 Multicast traffic from downstream interfaces use the ipv6 mld proxy downstream protected command in Global Configuration mode To allow forwarding from downstream interfaces use the no form of this command Syntax ipv6 mld proxy downstream protected no ipv6 mld proxy downstream protected Parameters This command has no arguments or ...

Page 838: ...led disabled no ipv6 mld proxy downstream protected interface Parameters enabled Downstream interface protection on the interface is enabled IPv6 Multicast traffic arriving on the interface will not be forwarded disabled Downstream interface protection on the interface is disabled IPv6 Multicast traffic arriving on the interface will be forwarded Default Configuration Global downstream protection ...

Page 839: ...xxxxxx config if exit 41 4 ipv6 mld proxy ssm To define the Source Specific Multicast SSM range of IP Multicast addresses use the ipv6 mld proxy ssm command in Global Configuration mode To disable the SSM range use the no form of this command Syntax ipv6 mld proxy ssm default range access list no ipv6 mld proxy ssm Parameters default Defines the SSM range access list to FF3x 32 see rfc4607 range a...

Page 840: ...nfig ipv6 pim mld proxy range list1 41 5 show ipv6 mld proxy interface To display information about interfaces configured for MLD Proxy use the show ipv6 mld proxy interface command in User EXEC mode or Privileged EXEC mode Syntax show ipv6 mld proxy interface interface id Parameters interface id Optional Display MLD Proxy information about the interface Command Mode User EXEC mode Privileged EXEC...

Page 841: ...00 upstream vlan 102 downstream enabled vlan 110 downstream default vlan 113 downstream disabled Example 2 The following is sample output from the show ipv6 mld proxy interface command for given upstream interface switchxxxxxx show ipv6 mld proxy interface vlan 100 the switch is the Querier on the interface IPv6 Forwarding is enabled IPv6 Multicast Routing is enabled MLD Proxy is enabled Global Do...

Page 842: ...ulticast Routing is enabled MLD Proxy is enabled Global Downdtream interfaces protection is disabled SSM Access List Name default vlan 102 is a Downstream interface The switch is the Querier on vlan 102 Upstream interface vlan 100 Example 4 The following is sample output from the show ipv6 mld proxy interface command for an interface on which IGMP Proxy is disabled switchxxxxxx show ipv6 mld proxy...

Page 843: ...lt use the no form of this command Syntax ipv6 mld snooping no ipv6 mld snooping Parameters N A Default Configuration IPv6 MLD snooping is disabled Command Mode Global Configuration mode Example The following example enables IPv6 MLD snooping switchxxxxxx config ipv6 mld snooping 42 2 ipv6 mld snooping vlan To enable MLD snooping on a specific VLAN use the ipv6 mld snooping vlan command in Global ...

Page 844: ...lticast filtering must be enabled by the bridge multicast filtering command The user guidelines of the bridge multicast mode command describe the configuration that can be written into the FDB as a function of the FDB mode and the MLD version that is used in the network Example switchxxxxxx config ipv6 mld snooping vlan 2 42 3 ipv6 mld snooping querier To enable globally the MLD Snooping querier u...

Page 845: ...ollowing example disables the MLD Snooping querier globally switchxxxxxx config no ipv6 mld snooping querier 42 4 ipv6 mld snooping vlan querier To enable the Internet MLD Snooping querier on a specific VLAN use the ipv6 mld snooping vlan querier command in Global Configuration mode To return to the default use the no form of this command Syntax ipv6 mld snooping vlan vlan id querier no ipv6 mld s...

Page 846: ...rier election To enable MLD Querier election mechanism of an MLD Snooping querier on a specific VLAN use the ipv6 mld snooping vlan querier election command in Global Configuration mode To disable Querier election mechanism use the no form of this command Syntax ipv6 mld snooping vlan vlan id querier election no ipv6 mld snooping vlan vlan id querier election Parameters vlan id Specifies the VLAN ...

Page 847: ... Querier for Query Passive interval that equals to Robustness Query Interval 0 5 Query Response Interval See the ipv6 mld robustness ipv6 mld query interval and ipv6 mld query max response time commands for configurations of these parameters It is recommended to disable MLD Querier election mechanism if there is an IPMv6 Multicast router on the VLAN Example The following example disables MLD Snoop...

Page 848: ...ipv6 mld snooping vlan mrouter command in Global Configuration mode To remove the configuration use the no form of this command Syntax ipv6 mld snooping vlan vlan id mrouter learn pim dvmrp no ipv6 mld snooping vlan vlan id mrouter learn pim dvmrp Parameters vlan id Specifies the VLAN pim dvmrp Learn Multicast router port by PIM DVMRP and MLD messages Default Configuration Learning pim dvmrp is en...

Page 849: ...meters vlan id Specifies the VLAN interface list Specifies a list of interfaces The interfaces can be from one of the following types port or port channel Default Configuration No ports defined Command Mode Global Configuration mode User Guidelines This command may be used in conjunction with the bridge multicast forward all command which is used in older versions to statically configure a port as...

Page 850: ... id forbidden mrouter interface interface list Parameters vlan id Specifies the VLAN interface list Specifies list of interfaces The interfaces can be of one of the following types Ethernet port or Port channel Default Configuration No forbidden ports by default Command Mode Global Configuration mode User Guidelines A port that is forbidden to be defined as a Multicast router port mrouter port can...

Page 851: ...ic ipv6 address interface interface list Parameters vlan id Specifies the VLAN ipv6 address Specifies the IP multicast address interface interface list Optional Specifies list of interfaces The interfaces can be from one of the following types Ethernet port or Port channel Default Configuration No Multicast addresses are defined Command Mode Global Configuration mode User Guidelines Static multica...

Page 852: ...Guidelines When an MLD Leave Group message is received from a host the system removes the host port from the table entry After it relays the MLD queries from the Multicast router it deletes entries periodically if it does not receive any MLD membership reports from the Multicast clients MLD snooping Immediate Leave processing allows the switch to remove an interface that sends a leave message from...

Page 853: ...sses use the show bridge multicast address table command The Include list contains the ports which are in a forwarding state for this group according to the snooping database In general the Exclude list contains the ports which have issued an explicit Exclude for that specific source in a multicast group The Reporters That Are Forbidden Statically list contains the list of ports which have asked t...

Page 854: ...rs vlan id Specifies the VLAN ID Default Configuration Display information for all VLANs Command Mode User EXEC mode switchxxxxxx show ipv6 mld snooping groups VLAN 1 1 19 19 19 Group Address FF12 3 FF12 3 FF12 8 FF12 8 FF12 8 Source Address FE80 201 C9FF FE40 8001 FE80 201 C9FF FE40 8002 FE80 201 C9FF FE40 8003 FE80 201 C9FF FE40 8004 FE80 201 C9FF FE40 8005 Include Ports gi11 gi12 gi14 gi11 gi11...

Page 855: ...er version 2 MLD Snooping Querier election is enabled MLD snooping robustness admin 2 oper 2 MLD snooping query interval admin 125 sec oper 125 sec MLD snooping query maximum response admin 10 sec oper 10 sec MLD snooping last member query counter admin 2 oper 2 MLD snooping last member query interval admin 1000 msec oper 500 msec Groups that are in MLD version 1 compatibility mode FF12 3 FF12 8 4...

Page 856: ...t Configuration Display information for all VLANs Command Mode User EXEC mode Example The following example displays information on dynamically learned Multicast router interfaces for VLAN 1000 switchxxxxxx show ipv6 mld snooping mrouter interface 1000 VLAN 1000 Dynamic gi11 Static gi12 Forbidden gi13 4 ...

Page 857: ... view name no snmp server community community string ip address Parameters community string Define the password that permits access to the SNMP protocol Range 1 20 characters ro Optional Specifies read only access default rw Optional Specifies read write access su Optional Specifies SNMP administrator access ip address Optional Management station IP address The default is all IP addresses This can...

Page 858: ...le Range 1 30 characters Default Configuration No community is defined Command Mode Global Configuration mode User Guidelines The logical key of the command is the pair community ip address If ip address is omitted the key is community All IPs This means that there cannot be two commands with the same community ip address pair The view name is used to restrict the access rights of a community stri...

Page 859: ... configurations is imposed on the user The group defines the objects available to the community Range 1 30 characters ip address Optional Management station IP address The default is all IP addresses This can be an IPv4 address IPv6 or IPv6z address See IPv6z Address Conventions mask Optional Specifies the mask of the IPv4 address This is not a network mask but rather a mask that defines which bit...

Page 860: ...ord tom for the group abcd that enables this group to access the management station 1 1 1 121 with prefix 8 switchxxxxxx config snmp server community group tom abcd 1 1 1 122 prefix 8 43 3 snmp server server To enable the device to be configured by the SNMP protocol use the snmp server server Global Configuration mode command To disable this function use the no form of this command Syntax snmp ser...

Page 861: ...terface id Specifies the source interface Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet If no parameters are specified in no snmp server source interface the default is both traps and informs Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the interfa...

Page 862: ...which a Simple Network Management Protocol SNMP trap originates the informs or traps use the snmp server source interface command in Global Configuration mode To returned to the default use the no form of this command Syntax snmp server source interface ipv6 traps informs interface id no snmp server source interface ipv6 traps informs Parameters traps Specifies the SNMP traps interface informs Spe...

Page 863: ... IPv6 interface for SNMP traps Use the no snmp server source interface ipv6 informs command to remove the source IPv6 interface for SNMP informs Use the no snmp server source interface ipv6 command to remove the source IPv6 interface for SNMP traps and informs Example The following example configures the VLAN 10 as the source interface switchxxxxxx config snmp server source interface ipv6 traps vl...

Page 864: ...he SNMP parameters themselves DefaultSuper Contains all MIBs Command Mode Global Configuration mode User Guidelines This command can be entered multiple times for the same view The command s logical key is the pair view name oid tree Therefore there cannot be two commands with the same view name and oid tree The number of views is limited to 64 Default and DefaultSuper views are reserved for inter...

Page 865: ...thentication will be performed Applicable only to the SNMP version 3 security model auth Specifies that packet authentication without encryption will be performed Applicable only to the SNMP version 3 security model priv Specifies that packet authentication with encryption will be performed Applicable only to the SNMP version 3 security model Note that creation of SNMPv3 users with both authentica...

Page 866: ...he views defined in this command The command logical key is groupname snmp version security level For snmp version v1 v2 the security level is always noauth Example The following example attaches a group called user group to SNMPv3 assigns the encrypted security level to the group and limits the access rights of a view called user view to read only User tom is then assigned to user group So that u...

Page 867: ...ays the configured SNMP views 43 9 show snmp groups To display the configured SNMP groups use the show snmp groups Privileged EXEC mode command Syntax show snmp groups groupname Parameters groupname Optional Specifies the group name Length 1 30 characters Default Configuration Display all groups Command Mode Privileged EXEC mode switchxxxxxx show snmp views Name OID Tree Type Default Default Defau...

Page 868: ...m of this command Syntax snmp server user username groupname v1 v2c remote host v3 auth md5 sha auth password priv priv password switchxxxxxx show snmp groups Name Security Views user group managers group Model V2 V2 Level no_auth no_auth Read Default Default Write Default Notify Field Description Name Group name Security Model SNMP model in use v1 v2 or v3 Security Level Packet security Applicabl...

Page 869: ...ers v1 Specifies that the user is a v1 user v2c Specifies that the user is a v2c user v3 Specifies that the user is a v3 user remote host Optional IP address IPv4 IPv6 or IPv6z or host name of the remote SNMP host See IPv6z Address Conventions auth Optional Specifies which authentication level is to be used md5 Optional Specifies the HMAC MD5 96 authentication level Sha Optional Specifies the HMAC...

Page 870: ...t is required in order to send informs to that host because an inform is a trap that requires acknowledgement A configured remote host is also able to manage the device besides getting the informs To configure a remote user specify the IP address for the remote SNMP agent of the device where the user resides Also before you configure remote users for a particular agent configure the SNMP engine ID...

Page 871: ...how snmp users Privileged EXEC mode command Syntax show snmp users username Parameters username Optional Specifies the user name Length 1 30 characters Default Configuration Display all users Command Mode Privileged EXEC mode Example The following examples displays the configured SNMP users switchxxxxxx show snmp users User name u1rem Group name group1 Authentication Algorithm None Privacy Algorit...

Page 872: ...mote Auth Password encrypted Z tC3UF5j0pYfmXm8xeMvcIOQ6LQ4GOACCGYLRdAgOE6XQKTC qMlrnpWuHraRlZj Priv Password encrypted kN1ZHzSLo6WWxlkuZVzhLOo1gI5waaNf7Vq6yLBpJdS4N68tL 1tbTRSz2H4c4Q4o User name u1noAuth Group name group1 Authentication Algorithm None Privacy Algorithm None Remote Auth Password encrypted Priv Password encrypted User name u1OnlyAuth Group name group1 Authentication Algorithm SHA Pr...

Page 873: ...lter in other commands Length 1 30 characters oid tree Specifies the ASN 1 subtree object identifier to be included or excluded from the view To identify the subtree specify a text string consisting of numbers such as 1 3 6 2 4 or a word such as System Replace a single sub identifier with the asterisk wildcard to specify a subtree family for example 1 3 4 included Specifies that the filter type is...

Page 874: ...ilter f2 system 7 excluded switchxxxxxx config snmp server filter f3 ifEntry 1 included 43 13 show snmp filters To display the defined SNMP filters use the show snmp filters Privileged EXEC mode command Syntax show snmp filters filtername Parameters filtername Specifies the filter name Length 1 30 characters Default Configuration If filtername is not defined all filters are displayed Command Mode ...

Page 875: ...he targeted recipient Range 1 158 characters Maximum label size of each part of the host name 63 trap Optional Sends SNMP traps to this host default informs Optional Sends SNMP informs to this host An inform is a trap that requires acknowledgement Not applicable to SNMPv1 version 1 Optional SNMPv1 traps are used version 2c Optional SNMPv2 traps or informs are used version 3 Optional SNMPv2 traps o...

Page 876: ...s only Maximum number of times to resend an inform request when a response is not received for a generated message The default is 3 Range 0 255 Default Configuration Version SNMP V1 Type of notification Traps udp port 162 If informs are specified the default for retries 3 Timeout 15 Command Mode Global Configuration mode User Guidelines The logical key of the command is the list ip address hostnam...

Page 877: ...xadecimal character string is two hexadecimal digits Bytes are separated by a period or colon If an odd number of hexadecimal digits are entered the system automatically prefixes the digit 0 to the string Length 5 32 characters 9 64 hexadecimal digits default Specifies that the engine ID is created automatically based on the device MAC address Default Configuration The default engine ID is defined...

Page 878: ... config snmp server engineid local default The engine id must be unique within your administrative domain Do you wish to continue Y N Y The SNMPv3 database will be erased Do you wish to continue Y N Y 43 16 snmp server engineID remote To specify the SNMP engine ID of a remote SNMP device use the snmp server engineID remote Global Configuration mode command To remove the configured engine ID use th...

Page 879: ...r Guidelines A remote engine ID is required when an SNMP version 3 inform is configured The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host Example switchxxxxxx config snmp server engineID remote 1 1 1 1 11 AB 01 CD 23 44 43 17 show snmp engineID To display the local SNMP engine ID use the show snmp engineID Privil...

Page 880: ...e snmp server enable traps Global Configuration mode command To disable all SNMP traps use the no form of the command Syntax snmp server enable traps no snmp server enable traps Default Configuration SNMP traps are enabled Command Mode Global Configuration mode User Guidelines If no snmp server enable traps has been entered you can enable failure traps by using snmp server trap authentication as s...

Page 881: ...ult Configuration SNMP failed authentication traps are enabled Command Mode Global Configuration mode User Guidelines The command snmp server enable traps enables all traps including failure traps Therefore if that command is enabled it is enabled by default this command is not necessary Example The following example disables all SNMP traps and enables only failed authentication traps switchxxxxxx...

Page 882: ...ode Example The following example sets the system contact information to Technical_Support switchxxxxxx config snmp server contact Technical_Support 43 21 snmp server location To set the value of the system location string use the snmp server location Global Configuration mode command To remove the location string use the no form of this command Syntax snmp server location text no snmp server loca...

Page 883: ...e2 Parameters variable name Specifies an SNMP MIB variable name which must be a valid string name value Specifies a list of names and value pairs Each name and value must be a valid string In the case of scalar MIBs there is only a single name value pair In the case of an entry in a table there is at least one name value pair followed by one or more fields Default Configuration None Command Mode G...

Page 884: ...ace Configuration mode command To disable generation of link status SNMP traps use the no form of this command Syntax snmp trap link status no snmp trap link status Parameters This command has no arguments or keywords Default Configuration Generation of SNMP link status traps is enabled Command Mode Interface Configuration mode Example The following example disables generation of SNMP link status ...

Page 885: ... switchxxxxxx show snmp SNMP is enabled SNMP traps Source IPv4 interface vlan 1 SNMP informs Source IPv4 interface vlan 11 SNMP traps Source IPv6 interface vlan 10 SNMP informs Source IPv6 interface Community String public private private Community Access read only read write su View name user view Default DefaultSuper IP Address All 172 16 1 1 10 172 16 1 1 Mask Community string public Group name...

Page 886: ...Sec 15 15 Retries 3 3 Version 3 notifications Target Address 192 122 173 42 Type Inform Username Bob Security Level Priv UDP Port 162 Filter name TO Sec 15 Retries 3 System Contact Robert System Location Marketing Field Description Community string The community access string permitting access to SNMP Community access The permitted access type read only read write super access IP Address The manag...

Page 887: ... interface id Optional Specifies an Ethernet port ID Command Mode Privileged EXEC mode User Guidelines This command does not work on fiber ports if they exist on the device The port to be tested should be shut down during the test unless it is a combination port with fiber port active In this case it does not need to be shut down because the test does not work on fiber ports The maximum length of ...

Page 888: ...st performed on all copper ports or on a specific copper port use the show cable diagnostics tdr Privileged EXEC mode command Syntax show cable diagnostics tdr interface interface id Parameters interface id Optional Specify an Ethernet port ID Command Mode Privileged EXEC mode User Guidelines The maximum length of cable for the TDR test is 120 meters Example The following example displays informat...

Page 889: ...yntax show cable diagnostics cable length interface interface id Parameters interface id Optional Specify an Ethernet port ID Command Mode Privileged EXEC mode User Guidelines The port must be active and working at 100 M or 1000 M Example The following example displays the estimated copper cable length attached to all ports gi13 Test has not been performed gi14 Open 64 13 32 00 23 July 2010 switch...

Page 890: ...Configuration All ports are displayed If detailed is not used only present ports are displayed Command Mode Privileged EXEC mode Example ss switchxxxxxx show fiber ports optical transceiver Port Temp Voltage Current Output Input LOS C Volt mA Power Power mWatt mWatt gi11 Copper gi12 Copper gi13 28 3 32 7 26 3 53 3 68 No gi14 29 3 33 6 50 3 53 3 71 No Temp Internally measured transceiver temperatur...

Page 891: ...PHY Diagnostics Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 890 44 N A Not Available N S Not Supported W Warning E Error ...

Page 892: ... the device discovery protocol and applies power to the device never Turns off the device discovery protocol and stops supplying power to the device time range name Specifies a time range When the time range is not in effect the power is not supplied the attached device If a time range is not specified there is no time range bounded to the port Range 1 32 characters Default Configuration The defau...

Page 893: ... To disable the inrush test a hardware test that checks input surge current for PoE devices use the power inline inrush test disable Global Configuration mode command To enable the inrush test use the no form of this command Syntax power inline inrush test disable no power inline inrush test disable Parameters N A Default Configuration Inrush test is enabled Command Mode Global Configuration mode ...

Page 894: ...gacy support disable no power inline legacy support disable Parameters N A Default Configuration Legacy support is enabled Command Mode Global Configuration mode Example The following example disables legacy PDs support switchxxxxxx config power legacy support disable 45 4 power inline powered device To add a description of the device type use the power inline powered device Interface Configuratio...

Page 895: ...switchxxxxxx config interface gi14 switchxxxxxx config if power inline powered device ip_phone 45 5 power inline priority To configure the interface inline power management priority use the power inline priority Interface Configuration Ethernet mode command To restore the default configuration use the no form of this command Syntax power inline priority critical high low no power inline priority P...

Page 896: ...tiating inline power usage alarms use the power inline usage threshold Global Configuration mode command To restore the default configuration use the no form of this command Syntax power inline usage threshold percent no power inline usage threshold Parameters percent Specifies the threshold in percent to compare to the measured power Range 1 99 Default Configuration The default threshold is 95 pe...

Page 897: ...ration Inline power traps are disabled Command Mode Global Configuration mode Example The following example enables inline power traps switchxxxxxx config power inline traps enable 45 8 power inline limit To configure the power limit per port on an interface use the power inline limit Interface Configuration mode command To return to default use the no form of the command Syntax power inline limit...

Page 898: ... a port switchxxxxxx config interface gi11 switchxxxxxx config if power inline limit 2222 45 9 power inline limit mode To set the power limit mode of the system use the power inline limit mode Global Configuration mode command To return to default use the no form of this command Syntax power inline limit mode class port no power inline limit mode Parameters class The power limit of a port is based...

Page 899: ...he inline power to enabled the spare pair use the power inline four wire forced Interface Configuration mode command Syntax power inline four pair forced no power inline four pair forced Parameters Default Configuration The default configuration is set to no four pair forced Command Mode Interface Ethernet Configuration mode User Guidelines This command should only be used for ports that are conne...

Page 900: ...x powered device forced 60watts 802 3AF 802 3AT no powered device forced Parameters Default Configuration The default configuration is set to no powered device forced Command Mode Interface Ethernet Configuration mode User Guidelines This command should only be used for ports that are connected to devices that do not support the CDP LLDP protocol or the new 4 wire power via MDI TLV The command is ...

Page 901: ...power for all interfaces or for a specific interface use the show power inline privileged EXEC mode command Syntax show power inline interface id Parameters interface id Specifies an interface ID The interface ID must be an Ethernet port Default Configuration Show information for all ports Command Mode Privileged EXEC mode Examples Example 1 The following example displays information about the inl...

Page 902: ...i11 Port status Port is on Valid PD resistor signature detected Port standard 802 3AT Admin power limit 30 0 watts Unit Module Nominal power w Consumed Power w Temp c 1 48P 320 120 37 5 30 2 24P 240 0 0 50 3 24P 120 0 0 50 Interface Admin Oper Power Class Device Priority gi11 Auto On 15 4 3 0 3 IP Phone Model A Critical gi12 Auto Searchin g 0 0 High gi13 Never Off 0 0 Low Interface Admin Oper Powe...

Page 903: ... Nominal Power Inline power sourcing equipment nominal power in Watts Consumed Power Measured usage power in Watts Usage Threshold Usage threshold expressed in percent for comparing the measured power and initiating an alarm if threshold is exceeded Traps Indicates if inline power traps are enabled Port Ethernet port number device Description of the device type State Indicates if the port is enabl...

Page 904: ...and Disable for class limit Legacy Mode Enabled of Disabled legacy device support Inrush Test Displays whether the inrush test is enabled or disabled SW version The POE firmware version Usage Threshold Usage threshold expressed in percent for comparing the measured power and initiating an alarm if threshold is exceeded Traps Indicates if inline power traps are enabled Module The module name Availa...

Page 905: ...he port status on off with detailed reason see bellow for details Port standard 802 3AF 802 3AT 60W POE Admin power limit Port limit in watts used when the Port limit mode is Enabled Time Range The name of the time range associated with the interface Link partner standard 802 3AF 802 3AT 60W POE Operational Power Limit Port actual power limit in watts Current mA Port current in Milli Ampere Voltag...

Page 906: ... Port is off Improper Capacitor Detection results Port is off Discharged load Port is on Detection regardless Force On Port is off Forced power error due to Overload Port is off Out of power budget while in Force On Port is off Short condition Port is off Over temperature at the port Port is off Device is too hot Port is off Class Error Illegal class 45 13 show power inline savings To display info...

Page 907: ...rrent Power Savings 45W Cumulative Energy Saved 180 Watt Hour Estimated Annual Power saving 1800 Watt Hour Annual estimate is based on the saving during the previous week NA information for previous week is not available 45 14 clear power inline counters To clear power inline interface counters use the clear power inline counters Privileged EXEC mode command Syntax clear power inline counters inte...

Page 908: ...e counters gi12 45 15 clear power inline monitor consumption To clear power inline consumption monitor info on all or on a specific interface or interface list use the clear power inline monitor consumption Privileged EXEC mode command Syntax clear power inline monitor consumption interface id list Parameters interface id list Optional Specifies a list of interface ID The interface ID must be an E...

Page 909: ... an interface ID The interface ID must be an Ethernet port If interface ID is not specified total device PoE consumption info will be displayed minutes Average minute consumption Displays the last 60 samples sampled every 60 seconds every round minute according to system time hours Average hour consumption Displays the last 24 samples sampled every 60 minutes every round hour according to system t...

Page 910: ...ple displays the average hourly power consumption for the past day gathered for interface gi11 switchxxxxxx show power inline monitor consumption gi11 hours Not all samples are available time stamp represents end of sampling period Example 2 The following example displays the average weekly power consumption for the past 52 weeks gathered for entire device switchxxxxxx show power inline monitor co...

Page 911: ...ower of PD for all interfaces or for a specific interface use the show powered device privileged EXEC mode command Syntax show powered device interface id Parameters Interface id Specifies an interface ID The interface ID must be an Ethernet port Default Configuration Show information for all ports Command Mode Global Configuration mode Sample Time Sun 15 11 2015 00 00 00 Sun 22 11 2015 00 00 00 S...

Page 912: ...AF Power Available W 25 5 CDP Unknown LLDP Field Description PD standard This indicated the PD port physical capability Power Requested This indicates the PD requested power as requested from the PSE side in Watts If port is forced to specific power the value reflects the forced power and is indicated by Forced If port is not connected to PSE or is in down state the status is N A If CDP LLDP negot...

Page 913: ...in down state the status is N A Power available This indicates the PSE allocated power in Watts If port is not connected to PSE or is in down state the status is N A If CDP LLDP negotiation is activated than the negotiation protocol is displayed CDP or LLDP If CDP LLDP negotiation is activated than this represent the maximum allocated power level In case the power negotiation is not completed or h...

Page 914: ... channel mode on auto no channel group Parameters port channel Specifies the port channel number for the current port to join mode Specifies the mode of joining the port channel The possible values are on Forces the port to join a channel without an LACP operation auto Forces the port to join a channel as a result of an LACP operation Default Configuration The port is not assigned to a port channe...

Page 915: ...l group 1 mode on 46 2 port channel load balance To configure the load balancing policy of the port channeling use the port channel load balance Global Configuration mode command To reset to default use the no form of this command Syntax port channel load balance src dst mac src dst mac ip no port channel load balance Parameters src dst mac Port channel load balancing is based on the source and de...

Page 916: ...channel Privileged EXEC mode command Syntax show interfaces port channel interface id Parameters interface id Optional Specify an interface ID The interface ID must be a port channel Command Mode Privileged EXEC mode Examples The following example displays information on all port channels switchxxxxxx show interfaces port channel Load balancing src dst mac Gathering information Channel Ports Po1 A...

Page 917: ...ode advanced Specifies the QoS advanced mode which enables the full range of QoS configuration ports not trusted Relevant for advanced mode only Indicates that packets which are not classified by policy map rules to a QoS action are mapped to egress queue 0 This is the default setting in advanced mode ports trusted Relevant for advanced mode only Indicates that packets which are not classified by ...

Page 918: ...ode trust Global Configuration mode command to configure the trust mode in advanced mode Use the no form of this command to return to default Syntax qos advanced mode trust cos dscp cos dscp no qos advanced mode trust Parameters cos Classifies ingress packets with the packet CoS values For untagged packets the port default CoS is used dscp Classifies ingress packets with the packet DSCP values cos...

Page 919: ...tion or classified to the QoS action trust Example The following example sets cos as the trust mode for QoS on the device switchxxxxxx config qos advanced mode trust cos 47 3 show qos Use the show qos Privileged EXEC mode command to display the QoS information for the device The trust mode is displayed for the QoS basic mode Syntax show qos Parameters N A Default Configuration Disabled Command Mod...

Page 920: ...e Use the no form of this command to delete a class map Syntax class map class map name match all match any no class map class map name Parameters class map name Specifies the class map name Length 1 32 characters match all Performs a logical AND of all the criteria of the ACLs belonging to this class map All match criteria in this class map must be matched If neither match all nor match any is sp...

Page 921: ...t to a different type of ACL such as one IP ACL one IPv6 ACL and one MAC ACL The classification is by first match therefore the order of the ACLs is important Error messages are generated in the following cases There is more than one match command in a match all class map There is a repetitive classification field in the participating ACLs After entering the Class map Configuration mode the follow...

Page 922: ...ple displays the class map for Class1 switchxxxxxx config show class map Class Map matchAny class1 Match access group mac 47 6 match Use the match Class map Configuration mode command to bind the ACLs that belong to the class map being configured Use the no form of this command to delete the ACLs Syntax match access group acl name no match access group acl name Parameters acl name Specifies the MA...

Page 923: ...belong to the class map switchxxxxxx config class map class1 switchxxxxxx config cmap match access group enterprise 47 7 policy map Use the policy map Global Configuration mode command to creates a policy map and enter the Policy map Configuration mode Use the no form of this command to delete a policy map Syntax policy map policy map name no policy map policy map name Parameters policy map name S...

Page 924: ...efined for them Policy map is applied on the ingress path The match criteria is for a class map Only one policy map per interface is supported The same policy map can be applied to multiple interfaces and directions The service policy command binds a policy map to a port port channel Example The following example creates a policy map called Policy1 and enters the Policy map Configuration mode swit...

Page 925: ...s command or you can use the access group parameter to create a new class map After the policy map is defined use the service policy command to attach it to a port port channel Example The following example defines a traffic classification class map called class1 containing an ACL called enterprise The class is in a policy map called policy1 The policy map policy1 now contains the ACL enterprise s...

Page 926: ...lays all policy maps switchxxxxxx config show policy map Policy Map policy1 class class1 set dscp 7 Policy Map policy2 class class 2 police 96000 4800 exceed action drop class class2 redirect gi12 class class 3 police 96000 4800 exceed action policed dscp transmit peak 128000 9600 violate action policed dscp transmit 47 10 trust Use the trust Policy map Class Configuration mode command to configur...

Page 927: ... class map can be configured to match and trust the DSCP values in the incoming traffic The type of trust is determined in qos advanced mode trust Trust values set with this command supersede trust values set on specific interfaces with the qos trust Interface Interface Configuration mode command The trust and set commands are mutually exclusive within the same policy map The set command is not su...

Page 928: ...queue queue id cos new cos no set Parameters dscp new dscp Specifies the new DSCP value for the classified traffic Range 0 63 queue queue id Specifies the egress queue Range 1 8 cos new cos Specifies the new user priority to be marked in the packet Range 0 7 Command Mode Policy map Class Configuration mode User Guidelines This command is only available when QoS is in advanced mode The set and trus...

Page 929: ... config class map c1 switchxxxxxx config cmap match access group ip1 switchxxxxxx config cmap exit switchxxxxxx config policy map p1 switchxxxxxx config pmap class c1 switchxxxxxx config pmap c set dscp 56 47 12 redirect Use the redirect Policy map Class Configuration mode command to redirect a traffic flow to a given Ethernet port or port channel Syntax redirect interface id no redirect Parameter...

Page 930: ...itchxxxxxx config ip al exit switchxxxxxx config class map c1 switchxxxxxx config cmap match access group ip1 switchxxxxxx config cmap exit switchxxxxxx config policy map p1 switchxxxxxx config pmap class c1 switchxxxxxx config pmap c redirect gi12 switchxxxxxx config pmap c exit switchxxxxxx config pmap exit switchxxxxxx config 47 13 mirror Use the mirror Policy map Class Configuration mode comma...

Page 931: ... the monitor session destination command with the same session number Example The following example creates an ACL places it into a class map places the class map into a policy map and mirrors the flow to an analyzer Ethernet port defined by session 2 switchxxxxxx config ip access list extended ip1 switchxxxxxx config ip al permit ip any any switchxxxxxx config ip al exit switchxxxxxx config class...

Page 932: ...n when the committed rate is exceeded and the peak rate is not exceeded If the keyword is not configured then the following action is applied drop if peak the keyword is not configured policed dscp transmit if peak the keyword is configured peak Specifies the Two rate Three color policer If the peak rate is exceeded the packet is dropped peak rate kbps Specifies the average traffic rate CIR in kbi...

Page 933: ...acket is dropped The class is called class1 and is in a policy map called policy1 switchxxxxxx config policy map policy1 switchxxxxxx config pmap class cls1 switchxxxxxx config pmap c police 124000 9600 exceed action drop Example 2 The following example defines a Two rate Three color policer for classified traffic When the committed traffic rate exceeds 124 000 kbps and the committed burst size ex...

Page 934: ...ifies an ingress policy output Specifies an egress policy policy map name Specifies the policy map name to apply to the input interface Length 1 32 characters default action Specifies the default action If the keyword is not configured then the deny any default action is applied deny any Deny all the packets which were ingress of the port that do not meet the rules in a policy permit any Forward a...

Page 935: ...le The following example attaches a policy map called Policy1 to the input interface switchxxxxxx config if service policy input policy1 The following example attaches a policy map called Policy1 to the input interface and forwards all packets that do not meet the rules of the policy switchxxxxxx config if service policy input policy1 permit any The following example attaches a policy map called P...

Page 936: ...is not configured then the following action is applied drop if peak the keyword is not configured policed dscp transmit if peak the keyword is configured peak Specifies the Two rate Three color policer If the peak rate is exceeded the packet is dropped peak rate kbps Specifies the average traffic rate CIR in kbits per second bps Range 3 57982058 peak burst byte Specifies the peak burst size PBS in...

Page 937: ...ed in a policy map The no police aggregate Policy map Class Configuration mode command must first be used to delete the aggregate policer from all policy maps before using the no qos aggregate policer command Policing uses a token bucket algorithm CIR represents the speed with which the token is added to the bucket CBS represents the depth of the bucket Examples Example 1 The following example def...

Page 938: ...os aggregate policer Privileged EXEC mode mode command to display aggregate policers This command is only available in QoS advanced mode Syntax show qos aggregate policer aggregate policer name Parameters aggregate policer name Specifies the aggregate policer name Length 1 32 characters Default Configuration All policers are displayed Command Mode Privileged EXEC mode Examples Example 1 The follow...

Page 939: ...n aggregate policer to multiple class maps within the same policy map Use the no form of this command to remove an existing aggregate policer from a policy map This command is only available in QoS advanced mode Syntax police aggregate aggregate policer name no police aggregate aggregate policer name Parameters aggregate policer name Specifies the aggregate policer name Length 1 32 characters Comm...

Page 940: ...pmap c exit switchxxxxxx config pmap exit switchxxxxxx config policy map policy2 switchxxxxxx config pmap class class2 switchxxxxxx config pmap c police aggregate policer1 47 19 wrr queue cos map Use the wrr queue cos map Global Configuration mode command to map Class of Service CoS values to a specific egress queue Use the no form of this command to restore the default configuration Syntax wrr qu...

Page 941: ...figuration mode User Guidelines Use this command to distribute traffic to different queues Example The following example maps CoS value 4 and 6 to queue 2 switchxxxxxx config wrr queue cos map 2 4 6 47 20 wrr queue bandwidth Use the wrr queue bandwidth Global Configuration mode command to assign Weighted Round Robin WRR weights to egress queues The weight ratio determines the frequency at which th...

Page 942: ...dth is divided among the remaining queues It is not recommended to set the weight of a queue to a 0 as it might stop transmission of control protocols packets generated by the device All queues participate in the WRR excluding the expedite queues whose corresponding weight is not used in the ratio calculation An expedite queue is a priority queue which is serviced until empty before the other queu...

Page 943: ...edite queues Command Mode Global Configuration mode User Guidelines An expedite queue is a strict priority queue which is serviced until empty before the other lower priority queues are serviced the weighted round robin WRR weight ratios are affected by the number of expedited queues because there are fewer queues participating in WRR This indicates that the corresponding weight in the wrr queue b...

Page 944: ...led Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines The egress port shaper controls the traffic transmit rate Tx rate on a port Example The following example sets a traffic shaper on gi11 when the average traffic rate exceeds 64 kbps or the normal burst size exceeds 4096 bytes switchxxxxxx config interface gi11 switchxxxxxx config if traffic shape 64 4096 47 23 traf...

Page 945: ...uration The shaper is disabled Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines The egress port shaper controls the traffic transmit rate Tx rate on a queue on a port Example The following example sets a shaper on queue 1 on gi11 when the average traffic rate exceeds 124000 kbps or the normal burst size exceeds 9600 bytes switchxxxxxx config interface gi11 switchxxxx...

Page 946: ...effective after reset Example switchxxxxxx config qos wrr queue wrtd This setting will take effect only after copying running configuration to startu p configuration and resetting the device switchxxxxxx config 47 25 show qos wrr queue wrtd Use the show qos wrr queue wrtd Privileged EXEC mode command to display the Weighted Random Tail Drop WRTD configuration Syntax show qos wrr queue wrtd Paramet...

Page 947: ...uffers Displays the buffer settings for the interface s queues For GE ports displays the queue depth for each of the queues For FE ports displays the minimum reserved setting queueing Displays the queue s strategy WRR or EF the weight for WRR queues the CoS to queue map and the EF priority policers Displays all the policers configured for this interface their settings and the number of policers cu...

Page 948: ...s and Rate Limit only the ports which are not in the default configuration will be showed Examples Example 1 The following is an example of the output from the show qos interface command switchxxxxxx config show qos interface gi11 Ethernet gi10 1 Default CoS 0 Trust mode disabled Ingress Policy applied AV1 Egress Policy applied AV2 Default ACE ingress action deny all Default ACE egress action deny...

Page 949: ... 5 4 6 4 7 4 Example 3 The following an example of the output from the show qos interface buffers command for 8 queues switchxxxxxx config show qos interface buffers gi11 gi11 Notify Q depth buffers gi11 Ethernet gi11 qid thresh0 thresh1 thresh2 1 100 100 80 2 100 100 80 3 100 100 80 4 100 100 80 5 100 100 80 6 100 100 80 7 100 100 80 8 100 100 80 ...

Page 950: ...qos interface shapers command f switchxxxxxx config show qos interface shapers gi11 gi11 Port shaper enable Committed rate 64 kbps Committed burst 9600 bytes QID 1 2 3 4 5 6 7 8 Status Enable Disable Enable Disable Disable Disable Enable Enable Target Committed Rate kbps 64 N A N A N A N A N A N A N A Target Committed Burst bytes 17000 N A N A N A N A N A N A N A ...

Page 951: ...rk down no qos map policed dscp violation dscp list Parameters violation Specifies the DSCP remapping in the violate action If the keyword is not configured the the command specifies the DSCP remapping in the exceed action switchxxxxxx config show qos interface policer gi11 Ethernet gi11 Ingress Policers Class map A Policer type aggregate Commited rate 19 kbps Commited burst 9600 bytes Exceed acti...

Page 952: ...uidelines The original DSCP value and policed DSCP value must be mapped to the same queue in order to prevent reordering Example The following example marks incoming DSCP value 3 as DSCP value 5 on the policed DSCP map switchxxxxxx config qos map policed dscp 3 to 5 47 28 qos map dscp queue Use the qos map dscp queue Global Configuration mode command to configure the DSCP to queue map Use the no f...

Page 953: ...p dscp queue 33 40 41 to 1 47 29 qos trust Global Use the qos trust Global Configuration mode command to configure the system to the basic mode and trust state Use the no form of this command to return to the default configuration Syntax qos trust cos dscp no qos trust Parameters cos Specifies that ingress packets are classified with packet CoS values Untagged packets are classified with the defau...

Page 954: ...the packet to use to classify traffic When the system is configured with trust DSCP the traffic is mapped to the queue by the DSCP queue map When the system is configured with trust CoS the traffic is mapped to the queue by the CoS queue map For an inter QoS domain boundary configure the port to the DSCP trusted state and apply the DSCP to DSCP mutation map if the DSCP values are different in the ...

Page 955: ... switchxxxxxx config interface gi11 switchxxxxxx config if qos trust 47 31 qos cos Use the qos cos Interface Ethernet Port Channel Configuration mode command to define the default CoS value of a port Use the no form of this command to restore the default configuration Syntax qos cos default cos no qos cos Parameters default cos Specifies the default CoS value VPT value of the port If the port is t...

Page 956: ...fig interface gi11 switchxxxxxx config if qos cos 3 47 32 qos dscp mutation Use the qos dscp mutation Global Configuration mode command to apply the DSCP Mutation map to system DSCP trusted ports Use the no form of this command to restore the trusted port with no DSCP mutation Syntax qos dscp mutation no qos dscp mutation Parameters N A Default Configuration Disabled Command Mode Global Configurat...

Page 957: ...SCP In advanced CoS mode ports must be trusted Example The following example applies the DSCP Mutation map to system DSCP trusted ports switchxxxxxx config qos dscp mutation 47 33 qos map dscp mutation Use the qos map dscp mutation Global Configuration modecommand to configure the DSCP to DSCP Mutation table Use the no form of this command to restore the default configuration Syntax qos map dscp m...

Page 958: ...and 6 to DSCP Mutation Map value 63 switchxxxxxx config qos map dscp mutation 1 2 4 5 6 to 63 47 34 show qos map Use the show qos map Privileged EXEC mode command to display the various types of QoS mapping Syntax show qos map dscp queue dscp dp policed dscp dscp mutation Parameters dscp queue Displays the DSCP to queue map dscp dp Displays the DSCP to Drop Precedence map policed dscp Displays the...

Page 959: ...02 02 02 02 02 02 3 02 02 03 03 03 03 03 03 03 03 4 03 03 03 03 03 03 03 03 04 04 5 04 04 04 04 04 04 04 04 04 04 6 04 04 04 04 Example 2 The following example displays the dscp remapping information switchxxxxxx config show qos map policed dscp Policed dscp map exceed d1 d2 0 1 2 3 4 5 6 7 8 9 0 00 01 02 03 04 05 06 07 08 09 1 10 11 12 13 14 15 16 17 18 19 2 20 21 22 23 24 25 26 27 28 29 3 30 31 ...

Page 960: ... 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 11 11 11 47 35 clear qos statistics Use the clear qos statistics Privileged EXEC mode command to clear the QoS statistics counters Syntax clear qos statistics Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example The following example clears the QoS statistics counters switchxxxxxx config...

Page 961: ... map name Parameters policy map name Specifies the policy map name Length 1 32 characters class map name Specifies the class map name Length 1 32 characters Default Configuration Counting in profile and out of profile is disabled Command Mode Interface Ethernet Port Channel Configuration mode Example The following example enables counting in profile and out of profile on the interface switchxxxxxx...

Page 962: ...Global Configuration mode Example The following example enables counting in profile and out of profile on the interface switchxxxxxx config qos statistics aggregate policer policer1 47 38 qos statistics queues Use the qos statistics queues Global Configuration mode command to enable QoS statistics for output queues Use the no form of this command to disable QoS statistics for output queues Syntax ...

Page 963: ...ser Guidelines There are no user guidelines for this command If the queue parameter is all traffic in cascading ports is also counted Example The following example enables QoS statistics for output queues for counter set 1 switchxxxxxx config qos statistics queues 1 all all all 47 39 show qos statistics Use the show qos statistics Privileged EXEC mode command to display Quality of Service statisti...

Page 964: ...tistics queues Global Configuration mode command to enable QoS statistics for output queues Example The following example displays Quality of Service statistical information switchxxxxxx show qos statistics Policers Aggregate Policers Output Queues Interface gi11 gi11 gi12 gi12 Policy Map Policy1 Policy1 Policy1 Policy1 Class Map Class1 Class2 Class1 Class2 In Profile Bytes 756457 8759 75457 5326 ...

Page 965: ...Quality of Service QoS Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 964 47 Interface gi11 gi12 Queue 2 All DP High High Total Packets 756457 8759 TD Packets 1 2 0 2 ...

Page 966: ...t retries deadtime deadtime key encrypted key string priority priority usage login dot1 x all no radius server host ip address hostname Parameters ip address Specifies the RADIUS server host IP address The IP address can be an IPv4 IPv6 or IPv6z address hostname Specifies the RADIUS server host name Translation to IPv4 addresses only is supported Length 1 158 characters Maximum label length of eac...

Page 967: ...y priority Specifies the order in which servers are used where 0 has the highest priority Range 0 65535 usage login dot1 x all Specifies the RADIUS server usage type The possible values are login Specifies that the RADIUS server is used for user login parameters authentication dot1 x Specifies that the RADIUS server is used for 802 1x port authentication all Specifies that the RADIUS server is use...

Page 968: ...mand to set the authentication key for RADIUS communications between the device and the RADIUS daemon Use the no form of this command to restore the default configuration Syntax radius server key key string encrypted radius server key encrypted key string no radius server key Parameters key string Specifies the authentication and encryption key for all RADIUS communications between the device and ...

Page 969: ...cify the number of times the software searches the list of RADIUS server hosts Use the no form of this command to restore the default configuration Syntax radius server retransmit retries no radius server retransmit Parameters retransmit retries Specifies the number of retry retransmissions Range 1 15 Default Configuration The software searches the list of RADIUS server hosts 3 times Command Mode ...

Page 970: ...ecifies the source interface Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the interface IP address belonging to next hop IPv4 subnet is applied If the source interface is not the outgoing interface the ...

Page 971: ...IPv6 source address is the IPv6 address defined on the outgoing interface and selected in accordance with RFC6724 Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the source IPv6 address is an IPv6 address defined on the interfaces and selected in accordance with RFC 6724 If the source interface is not the outgoing interface the source IPv6 a...

Page 972: ...he timeout value in seconds Range 1 30 Default Configuration The default timeout value is 3 seconds Command Mode Global Configuration mode Example The following example sets the timeout interval on all RADIUS servers to 5 seconds switchxxxxxx config radius server timeout 5 48 7 radius server deadtime Use the radius server deadtime Global Configuration mode command to configure how long unavailable...

Page 973: ... Command Mode Global Configuration mode Example The following example sets all RADIUS server deadtimes to 10 minutes switchxxxxxx config radius server deadtime 10 48 8 show radius servers Use the show radius servers Privileged EXEC mode command to display the RADIUS server settings Syntax show radius servers Command Mode Privileged EXEC mode Example The following example displays RADIUS server set...

Page 974: ...erface vlan 120 Source IPv6 interface vlan 10 48 9 show radius servers key Use the show radius servers key Privileged EXEC mode command to display the RADIUS server key settings Syntax show radius servers key Command Mode Privileged EXEC mode Example The following example displays RADIUS server key settings switchxxxxxx show radius servers key IP address 172 16 1 1 172 16 1 2 Key Encrypted Sharon1...

Page 975: ...RADIUS Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 974 48 ...

Page 976: ...Parameters time range name Specifies the time range name configured by the time range command Range 1 32 characters Command Mode Radius Server Group Configuration mode User Guidelines Use the allowed time range command to define the time users can connect Use the no form of the command to return to the default Example The following example assigns an periodical time interval switchxxxxxx config ti...

Page 977: ...ng command in Privileged EXEC mode Syntax clear radius server accounting Parameters N A Command Mode Privileged EXEC mode User Guidelines Use the clear radius server accounting command to clear the Radius Accounting cache Example The following example clears the Radius Accounting cache switchxxxxxx config clear radius server accounting 49 3 clear radius server rejected users To clear the Radius Re...

Page 978: ... rejected users 49 4 clear radius server statistics To clear the Radius server counters use the clear radius server statistics command in Privileged EXEC mode Syntax clear radius server statistics ip address Parameters ip address Specifies the RADIUS client host IP address The IP address can be an IPv4 IPv6 or IPv6z address Command Mode Privileged EXEC mode User Guidelines Use the clear radius ser...

Page 979: ...ult configuration use the no form of this command Syntax privilege level level no privilege level Parameters level Specifies the user privilege level Range 1 15 Default Configuration 1 Command Mode Radius Server Group Configuration mode User Guidelines Use the privilege level command to define the privilege level of users of the given group Use the no form of the command to return to the default A...

Page 980: ...UDP port used for accounting requests use the radius server accounting port command in Global Configuration mode To restore the default configuration use the no form of this command Syntax radius server accounting port udp port no radius server accounting port Parameters udp port Specifies the UDP port number for accounting requests Range 1 65535 Default Configuration 1813 Command Mode Global Conf...

Page 981: ...onfiguration use the no form of this command Syntax radius server authentication port udp port no radius server authentication port Parameters udp port Specifies the UDP port number for authentication requests Range 1 65535 Default Configuration 1812 Command Mode Global Configuration mode User Guidelines Use the radius server authentication port command to define an UDP port for authentication req...

Page 982: ...guration Disabled Command Mode Global Configuration mode User Guidelines Use the radius server enable command to enable Embedded Radius server Use the no radius server enable command to disable Embedded Radius server Example The following example enables Embedded Radius server switchxxxxxx config radius server enable 49 9 radius server group To enter into Radius Server Group Configuration mode and...

Page 983: ...p does not exist it is created automatically Use the no radius server group group name command to delete one group Use the no radius server group command to delete all groups A group cannot be deleted if there is a user referencing to this group The Radius server supports up to 50 groups Example The following example creates group developers if it does not exist and enters into its context switchx...

Page 984: ...key ip address Specifies the RADIUS client host IP address The IP address can be an IPv4 IPv6 or IPv6z address Default Configuration The secret key does not exist Command Mode Global Configuration mode User Guidelines Use the radius server nas secret key key default command to defines a key that will be applied to communicate with NASs that do not have a private key Use the radius server nas secre...

Page 985: ...w default Example 2 The following example defines a default secret key switchxxxxxx config radius server nas secret key qrBut56 qw default Example 3 The following example defines a NAS using the default secret key switchxxxxxx config radius server nas secret 10 05 10 1 49 11 radius server traps accounting To enable sending accounting traps use the radius server traps accounting command in Global C...

Page 986: ...ver traps authentication failure To enable sending traps when an authentication failed and Access Reject is sent use the radius server traps authentication failure command in Global Configuration mode To restore the default configuration use the no form of this command Syntax radius server traps authentication failure no radius server traps authentication failure Parameters N A Default Configurati...

Page 987: ...authentication success command in Global Configuration mode To disable the traps use the no form of this command Syntax radius server traps authentication success no radius server traps authentication success Parameters N A Default Configuration Success traps are disabled Command Mode Global Configuration mode User Guidelines A rate limit is applied to the traps not more than one trap of this type...

Page 988: ...rameters user name Specifies the user name Length 1 32 characters group name Specifies the user group name Length 1 32 characters unencrypted password Specifies the user password Length 1 64 characters Default Configuration The user does not exist The Radius server supports up to 1000 users Command Mode Global Configuration mode User Guidelines Use the radius server user command to create a new us...

Page 989: ...eged EXEC mode Syntax show radius server accounting username user name Parameters user name Specifies the user name Length 1 32 characters Command Mode Privileged EXEC mode User Guidelines The Radius server saves the last 1000 accounting logs in a cycle file on FLASH Use the show radius server accounting username user name command to display accounting information of one user Use the show radius s...

Page 990: ...25 NAS Port 10 29 Jun 14 12 04 Stop User Alisa Accounting Session Time 2 days 2 hours 10 minutes Authenticated by Radius NAS Address 10 23 1 3 User Address 00 12 cf 00 1c 25 Termination Reason User Request 20 Feb 2008 9 20 Date and Time were updated to 29 Jun 14 11 00 20 Feb 2014 9 05 Start User Bob Authenticated by local NAS Address 10 23 1 3 User Address 160 134 7 8 20 Feb 2008 9 00 Reboot Examp...

Page 991: ... 29 Jun 14 11 00 20 Feb 2014 9 05 Start User Bob Authenticated by Radius NAS Address 10 23 1 3 User Address 160 134 7 8 20 Feb 2008 9 00 Reboot 49 16 show radius server configuration To display Radius Server global configuration use the show radius server configuration command in Privileged EXEC mode Syntax show radius server configuration Parameters N A Command Mode Privileged EXEC mode User Guid...

Page 992: ...s are enabled Accounting traps are enabled 49 17 show radius server group To display a Radius Server group configuration use the show radius server group command in Privileged EXEC mode Syntax show radius server group group name Parameters group name Specifies a name of the group Length 1 32 characters Command Mode Privileged EXEC mode User Guidelines Use the show radius server group group name co...

Page 993: ...command in Privileged EXEC mode Syntax show radius server rejected users username user name Parameters user name Specifies the user name Length 1 32 characters Command Mode Privileged EXEC mode User Guidelines The Radius server saves the last 1000 rejected authentication requests in a cycle file on FLASH The Radius server saves the last 1000 accounting logs in a cycle file on FLASH Use the show ra...

Page 994: ... 10 23 4 3 Reason Unknown user 30 Jun 14 16 04 User Name Bob User Type Login NAS Address 10 1 1 1 User Address 10 23 4 3 Reason Illegal password 20 Feb 2008 9 20 Date and Time were updated to 29 Jun 14 11 00 20 Feb 08 16 24 User Name Robert User Type 802 1x NAS Address 10 1 1 1 NAS Port 2 User Address 00 67 67 96 ac 21 Reason Not Supported EAP method 20 Feb 08 14 14 User Name Alisa User Type 802 1...

Page 995: ...9 Jun 14 11 00 20 Feb 2008 9 00 Reboot 49 19 show radius server nas secret To display secret keys use the show radius server nas secret command in Privileged EXEC mode Syntax show radius server nas secret default ip address Parameters default Specifies the default secret key hat will be applied to communicate with NASs that do not have a private key ip address Specifies the RADIUS client host IP a...

Page 996: ...1238af77aaca17568f1298cced1255cc NAS Address Secret Key s MD5 10 1 35 3 1238af77aaca17568f1298cced165fec 10 2 37 6 default 3000 1231 1230 9cab 1384 1238af77aaca17568f12988601fcabed 3001 ab11 9cda 0981 1238af77aaca17568f1298bc5476ddad Example 2 The following example displays the default secret key switchxxxxxx show radius server nas secret default Default Secret Key s MD5 1238af77aaca17568f1298cced...

Page 997: ...play the Radius server counters defined in RFC4669 and RFC4671 Use the show radius server statistics command without parameter to display the global counters Use the show radius server statistics command with parameter to display the counters of the given NAS Examples Example 1 The following example displays the Radius server global counters switchxxxxxx show radius server statistics Number of inc...

Page 998: ...kets with other mistakes 0 Number of incoming not recorded Accounting Requests 0 Number of incoming Accounting packets of unknown type 0 Example 2 The following example displays the Radius server counters of the given SNA secret keys switchxxxxxx show radius server statistics 1 1 1 1 NAS 1 1 1 1 Number of incoming packets on the authentication port 120 Number of duplicate incoming Access Requests ...

Page 999: ...user configuration use the show radius server user command in Privileged EXEC mode Syntax show radius server user username user name group group name Parameters user name Specifies the user name Length 1 32 characters group name Specifies a name of the group Length 1 32 characters Command Mode Privileged EXEC mode User Guidelines Use the show radius server user username user name command to displa...

Page 1000: ...vlan id Specifies a VLAN ID Range 1 4094 vlan name Specifies a name of the VLAN Length 1 32characters Default Configuration No Radius Assigned VLAN Command Mode Radius Server Group Configuration mode User Guidelines Use the vlan command to assign the VLAN to a radius client This Radius Assigned VLAN is passed to a Radius client in the Access Accept message in the following attributes Tunnel Type 6...

Page 1001: ...lopers group and VLAN with name management of users of the managers group switchxxxxxx config radius server group developers switchxxxxxx config radser group vlan id 100 switchxxxxxx config radser group exit switchxxxxxx config radius server group managers switchxxxxxx config radser group vlan name management switchxxxxxx config radser group exit switchxxxxxx config ...

Page 1002: ... control counters multicast Optional Clear Multicast storm control counters unicast Optional Clear Unicast Unknown storm control counters interface interface id Optional Clear storm control counters for the specified Ethernet port Command Mode Privileged EXEC mode User Guidelines The switch clears the port counter of a given traffic type when storm control for this traffic type on this port is ena...

Page 1003: ... given port Example Example 1 The following example clears all storm control counters of all ports switchxxxxxx clear storm control counters Example 2 The following example clears all storm control counters of port gi11 switchxxxxxx clear storm control counters interface gi11 Example 3 The following example clears broadcast storm control counter of all ports switchxxxxxx clear storm control counte...

Page 1004: ...nterface Ethernet Configuration mode User Guidelines The calculated rate includes the 20 bytes of Ethernet framing overhead preamble SFD IPG The Rate Limit does not calculate traffic controlled by Storm control The real allowed rate will be sum of the rate specified by the command and the rates specified by the Storm control commands for particular traffic types Example The following example limit...

Page 1005: ... to 128K Default Configuration Rate limiting is disabled Command Mode Global Configuration mode User Guidelines The calculated rate includes the 20 bytes of Ethernet framing overhead preamble SFD IPG Traffic policing in a policy map takes precedence over VLAN rate limiting If a packet is subject to traffic policing in a policy map and is associated with a VLAN that is rate limited the packet is co...

Page 1006: ...unicast no storm control Parameters broadcast Enables broadcast storm control on the port multicast registered unregistered Enables ether all multicast only registered multicast or only unregistered multicast storm control on the port unicast Enables unicast unknown storm control on the port level level Suppression level in percentage Block the flooding of storm packets when the value specified fo...

Page 1007: ...ble recovery cause with the storm control parameter to automatically recover from the Storm Control error disabled state Example The following example enables broadcast multicast and unicast unknown storm control on port gi11 and multicast unregistered and unicast unknown on port gi12 Enable group 1 for registered and unregistered multicast traffic on interface gi11 Extra traffic is discarded swit...

Page 1008: ...rface id Optional Specifies an Ethernet port If the argument is not configured rate limit configuration of all Ethernet ports is displayed Default Configuration N A Command Mode Privileged EXEC mode Examples The following is an example of the output from the show rate limit interface switchxxxxxx show rate limit interface 50 6 show rate limit vlan To display rate limit configuration on a VLAN use ...

Page 1009: ...EC mode Examples The following is an example of the output from the show rate limit vlan switchxxxxxx show rate limit vlan 1075 50 7 show storm control interface To display storm control information of an interface use the show storm control interface command in Privileged EXEC mode Syntax show storm control interface interface id Parameters interface id Optional Specifies an Ethernet port If the ...

Page 1010: ...orm control interface switchxxxxxx show storm control interface gi11 Broadacst Rate 5 Action Shutdown Passed Counter Bytes 124997 Dropped Counter Bytes 10 Last drop time 27 Jan 2014 09 00 01 Multicast Rate 1000 kbps Action Drop Trap Passed Counter Bytes 112876 Dropped Counter Bytes 1272 Last drop time 20 Jan 2014 11 00 01 Unicast Rate 10 Action drop Passed Counter Bytes 27653 Dropped Counter Bytes...

Page 1011: ...rface Reference Guide 1010 50 Broadacst Rate 5 Action Shutdown Passed Counter Bytes 124997 Dropped Counter Bytes 0 Last drop time Multicast Unregistred Rate 5 Action Shutdown Traffic Type Broadcast Passed Counter Bytes 124997 Dropped Counter Bytes 3 Last drop time 26 Jan 2014 10 00 01 ...

Page 1012: ...larm index Parameters index Specifies the alarm index Range 1 65535 mib object id Specifies the object identifier of the variable to be sampled Valid OID interval Specifies the interval in seconds during which the data is sampled and compared with rising and falling thresholds Range 1 2147483647 rising threshold Specifies the rising threshold value Range 0 2147483647 falling threshold Specifies th...

Page 1013: ...d is greater than or equal to rising threshold a single rising alarm is generated rising falling Specifies that if the first sample after this entry becomes valid is greater than or equal to rising threshold a single rising alarm is generated If the first sample after this entry becomes valid is less than or equal to falling threshold a single falling alarm is generated falling Specifies that if t...

Page 1014: ...he alarms table use the show rmon alarm table Privileged EXEC mode command Syntax show rmon alarm table Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode Example The following example displays the alarms table The following table describes the significant fields shown in the display switchxxxxxx show rmon alarm table Index 1 2 3 OID 1 3 6 1 2 1 2 2 1 10 1 1 3 6...

Page 1015: ...ommand Syntax show rmon alarm number Parameters alarm number Specifies the alarm index Range 1 65535 Command Mode Privileged EXEC mode Example The following example displays RMON 1 alarms switchxxxxxx show rmon alarm 1 Alarm 1 OID 1 3 6 1 2 1 2 2 1 10 1 Last sample Value 878128 Interval 30 Sample Type delta Startup Alarm rising Rising Threshold 8700000 Falling Threshold 78 Rising Event 1 Falling E...

Page 1016: ... end of the sampling interval If the value is delta the variable value at the last sample is subtracted from the current value and the difference is compared with the thresholds Startup Alarm Alarm that is sent when this entry is first set If the first sample is greater than or equal to the rising threshold and startup alarm is equal to rising or rising falling then a single rising alarm is genera...

Page 1017: ...is generated in the log table and an SNMP trap is sent to one or more management stations by the device for this event community text Optional Specifies the SNMP community password used when an SNMP trap is sent Octet string length 0 127 characters Note this must be a community used in the definition of an SNMP host using the snmp server host command description text Optional Specifies a comment d...

Page 1018: ...wn in the display switchxxxxxx show rmon events Index 1 2 Description Errors High Broadcast Type Log Log Trap Community router Owner CLI Manager Last time sent Jan 18 2006 23 58 17 Jan 18 2006 23 59 48 Field Description Index Unique index that identifies this event Description Comment describing this event Type Type of notification that the device generates about this event Can have the following ...

Page 1019: ...ge 0 65535 Command Mode Privileged EXEC mode Example The following example displays event 1 in the RMON log table Owner The entity that configured this event Last time sent The time this entry last generated an event If this entry has not generated any events this value is zero switchxxxxxx show rmon log 1 Maximum table size 500 800 after reset Event 1 Description MIB Var 1 3 6 1 2 1 2 2 1 10 53 D...

Page 1020: ... size history log Parameters history entries Specifies the maximum number of history table entries Range 20 32767 log entries Specifies the maximum number of log table entries Range 20 32767 Default Configuration The default history table size is 270 entries The default log table size is 200 entries Command Mode Global Configuration mode User Guidelines The configured table size takes effect after...

Page 1021: ... an interface ID The interface ID can be one of the following types Ethernet port or Port channel Command Mode Privileged EXEC mode Example The following example displays RMON Ethernet statistics for port gi11 switchxxxxxx show rmon statistics gi11 Port gi11 Dropped 0 Octets 0 Packets 0 Broadcast 0 Multicast 0 CRC Align Errors 0 Collisions 0 Undersize Pkts 0 Oversize Pkts 0 Fragments 0 Jabbers 0 6...

Page 1022: ...ets of between 64 and 1518 octets inclusive but with either a bad Frame Check Sequence FCS with an integral number of octets FCS Error or a bad FCS with a non integral number of octets Alignment Error Collisions Best estimate of the total number of collisions on this Ethernet segment Undersize Pkts Total number of packets received less than 64 octets long excluding framing bits but including FCS o...

Page 1023: ...fied defaults to 50 Range 1 50 interval seconds Optional The number of seconds in each polling cycle If unspecified defaults to 1800 Range 1 3600 65 to 127 Octets Total number of packets including bad packets received that are between 65 and 127 octets in length inclusive excluding framing bits but including FCS octets 128 to 255 Octets Total number of packets including bad packets received that a...

Page 1024: ...erface ID can be one of the following types Ethernet port or Port channel Command Mode Privileged EXEC mode Example The following example displays all RMON history group statistics The following table describes the significant fields shown in the display switchxxxxxx show rmon collection stats Index 1 2 Interface gi11 gi11 Interval 30 1800 Requested Samples 50 50 Granted Samples 50 50 Owner CLI Ma...

Page 1025: ... drop and collision counters period seconds Optional Specifies the period of time in seconds to display Range 1 2147483647 Command Mode Privileged EXEC mode Example The following examples display RMON Ethernet history statistics for index 1 Granted Samples The granted number of samples to be saved Owner The entity that configured this entry switchxxxxxx show rmon history 1 throughput Sample Set 1 ...

Page 1026: ...ts 49 27 Jabbers 0 0 switchxxxxxx show rmon history 1 other Sample Set 1 Interface gi11 Requested samples 50 Owner Me Interval 1800 Granted samples 50 Maximum table size 500 Time Jan 18 2005 21 57 00 Jan 18 2005 21 57 30 Dropped 3 3 Collisions 0 0 Field Description Time Date and Time the entry is recorded Octets Total number of octets of data including those in bad packets and excluding framing bi...

Page 1027: ... than 1518 octets excluding framing bits but including FCS octets but were otherwise well formed Fragments Total number of packets received during this sampling interval that were less than 64 octets in length excluding framing bits but including FCS octets and had either a bad Frame Check Sequence FCS with an integral number of octets FCS Error or a bad FCS with a non integral number of octets Al...

Page 1028: ...licy ip entries max number policy ipv6 entries max number no system router resources Parameters ip entries max number Optional The maximum number of IPv4 entries ipv6 entries max number Optional The maximum number of IPv6 entries ipm entries max number Optional The maximum number of IPv4 multicast entries ipmv6 entries max number Optional The maximum number of IPv6 multicast entries policy ip entr...

Page 1029: ...he running configuration file the command will be rejected If it downloaded to the startup configuration file the device will not be automatically rebooted The new settings will be used after the device is rebooted manually Data Validation If the new settings exceed the maximum number of routing entries the command is rejected and a message is displayed to the user If the new settings are fewer th...

Page 1030: ...d Current Reserved New IPv4 Entries 232 1024 256 Number of Routes 20 Number of Neighbors 12 Number of Interfaces 100 IPv6 Entries 233 1024 32 Number of Routes 20 Number of Neighbors 12 Number of Interfaces 100 Number of On Link Prefixes 1 IPv4 Multicast Entries 12 1024 1024 Number of Multicast Routes 6 IPv6 Multicast 40 1024 1024 Number of Multicast Routes 5 IPv4 policy Entries 0 12 12 Logical Ent...

Page 1031: ...uter entries which are currently in use Using this configurations means that the system will not have enough resources for the running again in the existing network switchxxxxxx config system router resources ip entries 128 ipv6 entries 32 The maximal number of IPv4 Routing entries and IPv6 Routing Entries is 3072 The number is Non IP Entries is 3096 In Use Reserved Current Reserved New IPv4 Entri...

Page 1032: ...the system Y N N Y 52 2 show system router resources To display router resources use the show system router resources command in User EXEC mode Syntax show system router resources Parameters This command has no arguments or keywords Command Mode User EXEC mode Example In the following example the configured router entries are displayed switchxxxxxx show system router resources Each IPv4 Route cons...

Page 1033: ... In Use Reserved IPv4 Entries 232 1024 Number of Routes 20 Number of Neighbors 12 Number of Interfaces 100 IPv6 Entries 233 1024 Number of Routes 20 Number of Neighbors 12 Number of Interfaces 100 On Link Prefixes 1 IPv4 Multicast Entries 12 1024 Number of Multicast Routes 6 IPv6 Multicast Entries 40 1024 Number of Multicast Routes 5 Non IP Entries Unit 1 93 400 Unit 2 94 400 Unit 5 90 400 ...

Page 1034: ... name no match ip address access list Parameters access list extended access list name Specifies an extended IP ACL Default Configuration No the command is configured Command Mode Route Map Configuration Mode User Guidelines The match ip address command allows you to policy route IP packets based on criteria that can be matched with an extended IP access list for example a protocol protocol servic...

Page 1035: ... acl1 switchxxxxxx config route map set ip next hop 173 23 13 20 switchxxxxxx config route map exit 53 2 match ipv6 address Policy Routing To match IPv6 packets to perform IPv6 policy routing use the match ipv6 address command in Route Map Configuration Mode To move the match ipv6 address entry use the no form of this command Syntax match ipv6 address access list extended access list name no match...

Page 1036: ...olicy Base Routing is configured switchxxxxxx config ipv6 access list acl1 switchxxxxxx config ip al permit ipv6 3211 1297 32 any switchxxxxxx config ip al exit switchxxxxxx config route map pbr switchxxxxxx config route map match ipv6 address access list acl1 switchxxxxxx config route map set ipv6 next hop 3003 17ac 20 switchxxxxxx config route map exit switchxxxxxx config ip al exit 53 3 route m...

Page 1037: ...te map configuration mode The purpose of the route map command is to define policy routing Use the ip policy route map or ipv6 policy route map command in addition to the route map command and the match and set commands to define the conditions and next hops for policy routing packets The match commands specify the conditions under which policy routing occurs and the set commands specify the routi...

Page 1038: ...exit switchxxxxxx config route map pbr switchxxxxxx config route map match ip address access list pr acl1 switchxxxxxx config route map set ip next hop 56 1 1 1 switchxxxxxx config route map exit switchxxxxxx config interface vlan 1 switchxxxxxx config if ip policy route map pbr switchxxxxxx config if exit Example 2 The following example gives an example of a route map with two sections TCP packet...

Page 1039: ... route map match ip address access list pr acl2 switchxxxxxx config route map set ip next hop 50 1 1 1 switchxxxxxx config route map exit switchxxxxxx config interface vlan 1 switchxxxxxx config if ip policy route map pbr switchxxxxxx config if exit 53 4 set ip next hop To specify the IP address of the next hop policy routing use the set ip next hop command in Route Map Configuration Mode To delet...

Page 1040: ...x config route map set ip next hop 192 168 30 1 switchxxxxxx config route map exit 53 5 set ipv6 next hop To specify the IPv6 address of the next hop policy routing use the set ipv6 next hop command in Route Map Configuration Mode To delete an entry use the no form of this command Syntax set ipv6 next hop next hop no set ipv6 next hop Parameters next hop IPv6 address of the next hop router Default...

Page 1041: ...switchxxxxxx config route map exit switchxxxxxx config ip al exit 53 6 show route map To display route maps use the show route map command in Privileged EXEC mode Syntax show route map map name Parameters map name Name of a specific route map Default Configuration Command Mode Privileged EXEC mode User Guidelines Use the show route map map name command to display one given route map Use the show r...

Page 1042: ...0 Match clauses ip address access lists acl1 Set clauses ip next hop 192 12 34 5 route map POLICY ROUTING permit sequence 20 Match clauses ip address access lists acl2 Set clauses ip next hop 192 122 23 15 route map POLICY ROUTING IPv6 permit sequence 10 Match clauses ipv6 address access lists acl3 Set clauses ipv6 next hop 3003 17ac 20 ...

Page 1043: ...d by SSL and SSH server commands Other commands can be used to import these keys from an external source These keys and certificates are stored in the configuration files The following table describes when these keys certificates are displayed File Type Being Displayed What is Displayed in a Show Command Without Detailed What is Displayed in a Show Command With Detailed Startup Config Only user de...

Page 1044: ...ds 54 1 crypto key generate dsa The crypto key generate dsa Global Configuration mode command generates a public and private DSA key DSA key pair Syntax crypto key generate dsa Destination File Type Copy from Running Config Copy from Startup Config Copy from Remote Local Backup Config File Startup Config All keys certificate s are copied but only user defined ones can be displayed Option is not su...

Page 1045: ...factory defaults automatically deletes the default keys and they are recreated during device initialization This command is not saved in the Running configuration file However the keys generated by this command are saved in a private configuration which is never displayed to the user or backed up to another device See Keys and Certificates for information on how to display and copy this key pair E...

Page 1046: ...A keys a warning is displayed with a prompt to replace the existing keys with new keys See Keys and Certificates for information on how to display and copy this key pair Example The following example generates RSA key pairs where a RSA key already exists switchxxxxxx config crypto key generate rsa Replace Existing RSA Key y n N switchxxxxxx config 54 3 crypto key import The crypto key import Globa...

Page 1047: ...ng Configuration file When using the encrypted key word the private key is imported in its encrypted form Example switchxxxxxx config encrypted crypto key import rsa BEGIN SSH2 ENCRYPTED PRIVATE KEY switchxxxxxx config encrypted crypto key import rsa BEGIN SSH2 ENCRYPTED PRIVATE KEY Comment RSA Private Key 84et9C2XUfcRlpemuGINAygnLwfkKJcDM6m2OReALHScqqLhi0wMSSYNlT1IWFZP1kEVHH Fpt1aECZi7HfGLcp1pMZw...

Page 1048: ...9tF 6nY RfMN8CsV 9jQKQP7ZaGc8Ju d72jvSwppSr032HY IpzZ4ujkK X5oawZL5NnkaEQTQKX RSL55S4O5NPOjS pC9hg7GaVjoY2mQ7HDpSUBeTIDTlvOwC2kskA9C6aF Axj2dXLweQd5 lxk7m0 mMNaiJsNk6y33LcuKjIxpNNjK9n9KzRPkGNMFObprfenWKteDftjQ END SSH2 PRIVATE KEY BEGIN SSH2 PUBLIC KEY Comment RSA Public Key AAAAB3NzaC1yc2EAAAABIwAAAIEAvRHsKry6NKMKymb yWEp9042vupLvYVq3ngt1sB9JH OcdK 2nw7lCQguy1mLsX8 bKMXYSk 3aBEvaoJQ82 r nRf0y3HTy...

Page 1049: ...AAAABIwAAAIEAzN31fu56KSEOZdrGVPIJHpAs8G8NDIkB dqZ2q0QPiKCnLPw0Xsk9tTVKaHZQ5jJbXn81QZpolaPLJIIH3B1cc96D7IFf VkbPbMRbz24dpuWmPVVLUlQy5nCKdDCui5KKVD6zj3gpuhLhMJor7AjAAu5e BrIi2IuwMVJuak5M098 END SSH2 PUBLIC KEY Public Key Fingerprint 6f 93 ca 01 89 6a de 6e ee c5 18 82 b2 10 bc 1e 54 5 crypto certificate generate The crypto certificate generate Global Configuration mode command generates a self signe...

Page 1050: ... Specifies the location or city name Length 1 64 characters st state Specifies the state or province name Length 1 64 characters cu country Specifies the country name Length 2 characters duration days Specifies the number of days a certification is valid Range 30 3650 Default Configuration The default SSL s RSA key length is 1024 If cn common name is not specified it defaults to the device s lowes...

Page 1051: ...splays a certificate request for HTTPS Syntax crypto certificate number request cn common name ou organization unit or organization loc location st state cu country Parameters number Specifies the certificate number Range 1 2 The following elements can be associated with the key When the key is displayed they are also displayed cn common name Specifies the fully qualified device URL or IP address ...

Page 1052: ...ate command to generate the keys The certificate fields must be re entered After receiving the certificate from the Certification Authority use the crypto cerificate import command to import the certificate into the device This certificate replaces the self signed certificate Example The following example displays the certificate request for HTTPS switchxxxxxx crypto certificate 1 request BEGIN CE...

Page 1053: ...s the certificate number Range 1 2 Default Configuration N A Command Mode Global Configuration mode User Guidelines To end the session return to the command line to enter the next command enter a blank line The imported certificate must be based on a certificate request created by the crypto cerificate request command If only the certificate is imported and the public key found in the certificate ...

Page 1054: ...QKBgQDK beogIcke73sBSL7tC2DMZrY OOg9XM1AxfOiqLlQJHd4xP BHGZWwfkjKjUDBpZn52LxdDu1KrpB h0 TZP0Fv38 7mIDqtnoF1NLsWxkVKRM5LPka0L ha1pYxp7EWAt5iDBzSw5sO4lv0bSN7oaGjFA 6t4SW2rrnDy8JbwjWQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAuqYQiNJst6hI XFDxe7I8Od3Uyt3Dmf7KE AmUV0Pif2yUluy RuxRwKhDp lGrK12tzLQz s5Ox7 Klft IcjzbBYXLvih45ASWG3TRv2WVKyWs89rPPXu5hKxggEeTvWqpuS gXrIqjW WVZd0n1fXhMacoflgnnEmweIzmrqXBs END CERTIFI...

Page 1055: ...md9tTJ2mhekoQf1dwUZbfYkRYsK70ps8u7BtgpRfSRUr7g0LfzhzMuswoDSnB65pkC ql7yZnBeRS0zrUDgHLLRfzwjwmxjmwObxYfRGMLp4 END RSA PRIVATE KEY BEGIN RSA PUBLIC KEY MIGHAoGBAMVuFgfJYLbUzmbm6UoLD3ewHYd1ZMXY4A3KLF2SXUd1TIXq84aME8DIitSfB2 Cqy4QB5InhgAobBKC96VRsUe2rzoNG4QDkj2L9ukQOvoFBYNmbzHc7a 7043wfVmH QOXf TbnRDhIMVrZJGbzl1c9IzGky1l21Xmicy0 nwsXDAgEj END RSA PUBLIC KEY BEGIN CERTIFICATE MIIBkzCB QIBADBUMQswCQYDVQ...

Page 1056: ...Wa4cv1Sc1hDEFtHH7NdDLjQ FkPFNAKvFMcYimidapG Rwc0m3lKBLcEpNXpFEE3v1mCeyN1pPe6eSqMcBXa2VmbInutuP CZM927oxkb41g U5oYQxGhMK7OEzTmfS1FdLOmfqv0DHZNR4lt4KgqcSjSWPQeYSzB 4PW Qmy4fTF4wQdvCLy WlvEP1jWPbrdCNxIS13RWucNekrm9uf5Zuhd1FA9wf8XwSRJWuAq8q zZFRmDMHPtey9ALO2alpwjpHOPbJKiCMdjHT94ugkF30eyeni9sGN6Y063IvuKBy0nbWsA J0sxrvt3q6cbKJYozMQE5LsgxLNvQIH4BhPtUz LNgYWb3V5SI8D8kRejqBM9eaCyJsvLF yAI5xABZdTPqz0l7FNMzh...

Page 1057: ...bject C US ST L CN router gm com O General Motors OU SHA1 Finger print DC789788 DC88A988 127897BC BB789788 Example 3 Import certificate with encrypted key encrypted crypto certificate 1 import BEGIN RSA ENCRYPTED PRIVATE KEY wJIjj tFEI Z3GFkTl5C SFOeSyTxnSsfssNo9CoHJ6X9Jg1SukjtXU49kaUbTjoQVQatZ AdQwgWM5mnjUhUaJ1MM3WfrApY7HaBL3iSXS9jDVrf Q KKhVH6Pxlv6cKvYYzHg43Unm CNI2n5zf9oisMH0U6gsIDs4ysWVD1zNgoV...

Page 1058: ...CcI4 dhLsUhTWxOwbzngMwDQYJKoZIhvcNAQEEBQAwTzELMAkG A1UEBhMCICAxCjAIBgNVBAgTASAxCjAIBgNVBAcTASAxEDAOBgNVBAMTBzAuMC4w LjAxCjAIBgNVBAoTASAxCjAIBgNVBAsTASAwHhcNMTIwNTIxMTI1NzE2WhcNMTMw NTIxMTI1NzE2WjBPMQswCQYDVQQGEwIgIDEKMAgGA1UECBMBIDEKMAgGA1UEBxMB IDEQMA4GA1UEAxMHMC4wLjAuMDEKMAgGA1UEChMBIDEKMAgGA1UECxMBIDCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAygJor5v2FOCvMR5aN3PnkWhbBXyzniTl Wm5G2 V7mvXOnuTMgvqa8IJe...

Page 1059: ...mycertificate Specifies that only the certificate will be displayed Default Configuration Certificate number 1 Command Mode Privileged EXEC mode Examples The following example displays SSL certificate 1 present on the device and the key pair switchxxxxxx show crypto certificate 1 Certificate 1 Certificate Source Default BEGIN CERTIFICATE dHmUgUm9vdCBDZXJ0aWZpZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp4H...

Page 1060: ...hWNzqfg2s3AYCRBx WuGoazpxHZ0s4 7swmNZtS0xI4ek43d7RaoedGKljhPqLHuzXHUon7Zx15CUtP3sbHl XI B3u4EEcEngYMewy5obn1vnFSot d5JHuRwzEaRAIKfbHa34alVJaN 2AMCb0hpI3IkreYo A8Lk6UMOuIQaMnhYf RyPXhPOQs01PpIPHKBGTi6pj39XMviyRXvSpn5 eIYPhve5jYaEn UeOnVZRhNCVnruJAYXSLhjApf5iIQr1JiJb mVt8 zpqcCU9HCWQqsMrNFOFrSpcbHu5V4 ZX4jmd9tTJ2mhekoQf1dwUZbfYkRYsK70ps8u7BtgpRfSRUr7g0LfzhzMuswoDSnB65pkC ql7yZnBeRS0zrUDgHLLRfzwjwmxj...

Page 1061: ...s are enabled disabled Auto Smartport administrative global and operational states are disabled controlled Auto Smartport administrative global and operational states are enabled when Auto Voice VLAN is in operation Default Configuration Administrative state is controlled Command Mode Global Configuration mode User Guidelines Regardless of the status of Auto Smartport you can always manually apply...

Page 1062: ...ich Auto Smartports can be enabled The appropriate VLANs are automatically enabled because the ports are configured for Auto Smartports on these VLANs switchxxxxxx config macro auto controlled switchxxxxxx config macro auto enabled Auto smartports cannot be enabled because OUI voice is enabled switchxxxxxx config voice vlan state disabled switchxxxxxx config macro auto enabled switchxxxxxx config ...

Page 1063: ...onfiguration The default value of parameter native_vlan of the built in Smartport macros is 1 For other parameters the default value is the parameter s default value For instance if the parameter is the native VLAN the default value is the default native VLAN Command Mode Global Configuration mode User Guidelines By default each Smartport type is associated with a pair of built in macros a macro t...

Page 1064: ...rt Channel Configuration mode User Guidelines A Smartport s persistent interface retains its dynamic configuration in the following cases link down up the attaching device ages out and reboot Note that for persistence and the Smartport configuration to be effective across reboot the Running Configuration file must be saved to the Startup Configuration file Example The example establishes two port ...

Page 1065: ...at of the command disables the feature Syntax macro auto processing cdp no macro auto processing cdp Parameters This command has no parameters or keywords Default Configuration Enabled Command Mode Global Configuration mode Example To enable CDP globally switchxxxxxx config macro auto processing cdp 55 5 macro auto processing lldp The macro auto processing lldp Global Configuration mode command en...

Page 1066: ...mode Example To enable LLDP globally switchxxxxxx config macro auto processing lldp 55 6 macro auto processing type The macro auto processing type Global Configuration mode command enables or disables automatic detection of devices of given type The no format of the command returns to the default Syntax macro auto processing type smartport type enabled disabled no macro auto processing type smartp...

Page 1067: ...t set type to host ip_phone set type to ip_phone ip_phone_desktop set type to ip_phone_desktop switch set type to switch router set type to router ap set type to access point switchxxxxxx config macro auto processing type ap enabled 55 7 macro auto resume The macro auto resume Interface Configuration mode command changes the Smartport type from unknown to default and resumes the Smartport feature ...

Page 1068: ... macro you must reset the interface using the macro auto built in parameters command which changes the Smartport type of the interface to default Example Changes the Smartport type from unknown to default and resumes the Smartport feature on port 1 switchxxxxxx config interface gi11 switchxxxxxx config if macro auto resume 55 8 macro auto smartport Interface The macro auto smartport Interface Conf...

Page 1069: ...Smartport type to an interface The no format of the command removes the manually configured type and returns it to default Syntax macro auto smartport type smartport type parameter name value parameter name value parameter name value no macro auto smartport type Parameters smartport type Smartport type parameter name value Specifies the parameter name and its value Range printer desktop guest serv...

Page 1070: ...to smartport type printer 30 May 2011 15 02 45 AUTOSMARTPORT E FAILEDMACRO Macro printer for auto smar port type Printer on interface gi11 failed at command number 10 switchxxxxxx config if exit switchxxxxxx config do show parser macro name printer Macro name printer Macro type default interface 1 macro description printer 2 macro keywords native_vlan 3 4 macro key description native_vlan The unta...

Page 1071: ...martport type Syntax macro auto trunk refresh smartport type interface id Parameters smartport type Smartport type switch router wireless access point ap interface id Interface Identifier port or port channel Default Configuration See User Guidelines Command Mode Global Configuration mode User Guidelines The macro auto smartport command becomes effective only when the Auto Smartport is globally en...

Page 1072: ...smartport macro The macro auto user smartport macro Global Configuration mode command links user defined Smartport macros to a Smartport type This is done by replacing the link to the built in macro with the link to the user defined macro The no format of the command returns the link to the default built in Smartport macro Syntax macro auto user smartport macro smartport type user defined macro na...

Page 1073: ...and To associate a Smartport type with a user defined macros you must have defined a pair of macros one to apply the configuration and the other anti macro to remove the configuration The macros are paired by their name The name of the anti macro is the concatenation of no_ with the name of the corresponding macro Please refer to the Macro Command section for details about defining macro Example T...

Page 1074: ...igured automatically Smartport on routers was configured statically Auto smartports are enabled globally switchxxxxxx show macro auto ports Smartport is enabled Administrative Globally Auto Smartport is enabled Operational Globally Auto Smartport is enabled Example 2 Note that Smartport on switch and phone types was configured automatically Smartport on routers was configured statically Auto smart...

Page 1075: ...nd switchxxxxxx show macro auto ports gi12 SmartPort is Enabled Administrative Globally Auto SmartPort is controlled Operational Globally Auto SmartPort is enabled Auto SmartPort is disabled on gi12 Persistent state is not persistent Interface type is default No macro has been activated Example 4 Enabling auto Smartport on gi11 switchxxxxxx config interface gi11 switchxxxxxx config if macro auto s...

Page 1076: ...Persistent state is persistent Interface type is switch Last activated macro is switch 55 13 show macro auto processing The show macro auto processing EXEC mode command displays information about which protocols CDP LLDP are enabled and which device types can be detected automatically Syntax show macro auto processing Parameters This command has no parameters or keywords Default Configuration None...

Page 1077: ...formation is displayed for all Smartport types or for the specified one Syntax show macro auto smart macros smartport type Parameters smartport type Smartport type range printer desktop guest server host ip_camera ip_phone ip_phone_desktop switch router or wireless access point ap Default Configuration None Command Mode User EXEC mode Example switchxxxxxx show macro auto smart macros SG300 52 R sh...

Page 1078: ...Port type ip camera Parameters native_vlan 1 SmartPort Macro ip_camera Built In SmartPort type ip phone Parameters max_hosts 10 native_vlan 1 voice_vlan 1 SmartPort Macro ip_phone Built In SmartPort type ip phone desktop Parameters max_hosts 10 native_vlan 1 voice_vlan 1 SmartPort Macro ip_phone_desktop Built In SmartPort type switch Parameters native_vlan 1 voice_vlan 1 SmartPort Macro switch Bui...

Page 1079: ...own no smartport storm control unicast no smartport storm control Parameters broadcast Enables broadcast storm control on the port multicast registred unregistred Enables ether all multicast only registered multicast or only unregistered multicast storm control on the port unicast Enables unicast unknown storm control on the port level level Suppression level in percentage Block the flooding of st...

Page 1080: ... the maximum number of kilobits per second of Broadcast traffic on port 1 to 10000 switchxxxxxx config interface gi11 switchxxxxxx config if smartport storm control broadcast kpbs 10000 Example 2 Set the maximum percentage of kilobits per second of Broadcast traffic on port 1 to 30 switchxxxxxx config interface gi11 switchxxxxxx config if smartport storm control broadcast level 30 ...

Page 1081: ...eceiver Range 1 8 ipv4 address IPv4 address of the host to be used as an sFlow Collector ipv6 address IPv6 address of the host to be used as an sFlow Collector When the IPv6 address is a Link Local address IPv6Z address the outgoing interface name must be specified Refer to the User Guidelines for the interface name syntax hostname Hostname of the host to be used as an sFlow Collector port Optiona...

Page 1082: ...nd Syntax sflow flow sampling rate receiver index max header size bytes no sflow flow sampling Parameters rate Specifies the average sampling rate The sampling rate is calculated as 1 rate Range 1024 1073741823 receiver index Index of the receiver collector Range 1 8 bytes Optional Specifies the maximum number of bytes that would be copied from the sampled packet If unspecified defaults to 128 Ran...

Page 1083: ...erval receiver index no sflow counters sampling Parameters interval Specifies the maximum number of seconds between successive samples of the interface counters Range 15 86400 receiver index Index of the receiver collector Range 1 8 Default Disabled Command Mode Interface Configuration mode 56 4 clear sflow statistics To clear sFlow statistics use the clear sFlow statistics Privileged EXEC mode co...

Page 1084: ... configuration for ports that are enabled for Flow sampling or Counters sampling use the show sflow configuration Privileged EXEC mode command Syntax show sflow configuration interface id Parameters interface id Optional Specifies an interface ID The interface ID must be an Ethernet port Command Mode Privileged EXEC mode Example switchxxxxxx show sflow configuration Receivers Index IP Address Port...

Page 1085: ...erface vlan 120 Source IPv6 interface vlan 10 56 6 show sflow statistics To display the sFlow statistics for ports that are enabled for Flow sampling or Counters sampling use the show sflow statistics Privileged EXEC mode command Syntax show sflow statistics interface id Parameters interface id Optional Specifies an interface ID The interface ID must be an Ethernet port Command Mode Privileged EXE...

Page 1086: ...nterface interface id no sflow receiver source interface Parameters interface id Specifies the source interface Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the interface IP address belonging to next ho...

Page 1087: ... sFlow receivers Use the no form of this command to restore the default configuration Syntax sflow receiver source interface ipv6 interface id no sflow receiver source interface ipv6 Parameters interface id Specifies the source interface Default Configuration The IPv6 source address is the IPv6 address defined on the outgoing interface and selected in accordance with RFC6724 Command Mode Global Co...

Page 1088: ... Guide 56 If there is no available source IPv6 address a SYSLOG message is issued when attempting to communicate with an IPv6 sFlow receiver Example The following example configures the VLAN 10 as the source interface switchxxxxxx config sflow receiver source interface ipv6 vlan 100 ...

Page 1089: ...number identified with the SPAN RSPAN or flow mirror session The range is 1 to 7 interface interface id Specify the destination interface for the SPAN RSPAN or flow mirror session Ethernet port When the source interface is a RSPAN VLAN the RSPAN VLAN_ID is removed from all frames copied to the interface network Specify that the destination port acts also as a network port remote vlan vlan id Speci...

Page 1090: ... reflector port cannot be a source port If the network keyword is not defined only mirrored traffic sent on a destination port and all input traffic is discard and a value of DOWN is advertised as its operational status to all applications running on it A destination port configured without the network keyword has the following limitations UDLD cannot be enabled on the port 802 1x cannot be enable...

Page 1091: ...xxxxxx config monitor session 1 source vlan 100 switchxxxxxx config monitor session 1 source interface gi13 rx switchxxxxxx config monitor session 1 destination interface gi11 Example 2 The following example configures a flow mirror session switchxxxxxx config ip access list extended ip1 switchxxxxxx config ip al permit ip any any switchxxxxxx config ip al exit switchxxxxxx config class map c1 swi...

Page 1092: ...config vlan 2 switchxxxxxx config vlan remote span switchxxxxxx config vlan exit switchxxxxxx config monitor session 1 source remote vlan 2 switchxxxxxx config monitor session 1 destination interface gi11 57 2 monitor session source To create a new Switched Port Analyzer SPAN or Remote SPAN RSPAN source session use the monitor session source command in Global Configuration mode To remove a source ...

Page 1093: ...e Global Configuration mode User Guidelines Use the monitor session session_number source interface interface id both rx tx command to create a SPAN or RSPAN start source session to monitor traffic that enters or leaves a source port Use the monitor session session_number source vlan vlan id command to create a SPAN or start RSPAN source session to monitor traffic that bridged into a source VLAN U...

Page 1094: ...n consisting from 3 source and one destination session The first source session copies traffic for both directions from the source port gi12 the second source session copies bridges traffic from VLAN 100 and the third source session copies traffic for received on the source port gi13 The destination session defines port gi11 as the destination port switchxxxxxx config monitor session 1 source inte...

Page 1095: ...x config vlan remote span switchxxxxxx config vlan exit switchxxxxxx config monitor session 1 source remote vlan 2 switchxxxxxx config monitor session 1 destination interface gi11 57 3 remote span To configure a virtual local area network VLAN as a RSPAN remote VLAN use the remote span command in VLAN Configuration mode To return to default use the no form of this command Syntax remote span no rem...

Page 1096: ...epended where it is defined Source or Start switch It is recommended that the RSPAN remote VLAN does not have any memberships Intermediate switch It is recommended to remove the RSPAN remote VLAN from trunk ports not used for passing mirrored traffic to avoid superfluous flooding Usually a RSPAN remote VLAN contains two ports Destination or Final switch The RSPAN remote VLAN should contain members...

Page 1097: ...xxxxxx config monitor session 1 source remote vlan 2 switchxxxxxx config monitor session 1 destination interface gi11 Example 3 The following example shows how to configure a RSPAN remote VLAN in an intermediate switch switchxxxxxx config interface range gi13 4 switchxxxxxx config if switchport mode trunk switchxxxxxx config if switchport trunk allowed none switchxxxxxx config if switchport trunk ...

Page 1098: ...ation This command has no default settings Command Mode User EXEC mode User Guidelines Use the show monitor session session_number command to display information about one session Use the show monitor session command to display information about all sessions Example Example 1 The following example displays information about all SPAN sessions defined into the switch switchxxxxxx show monitor sessio...

Page 1099: ... reflector port gi11 network port Example 3 The following example displays information about all final RSPAN sessions defined into the switch switchxxxxxx show monitor session Session 1 Type RSPAN Final Source RSPAN VLAN 10 Source RSPAN VLAN 20 Destination gi11 Field Definitions Type The type of the session Source A source of the session The following options are supported Source interface id traf...

Page 1100: ...ation is an interface regular forwarding on the interface is supported Destination RSPAN VLAN vlan id reflector port interface id The switch is the first switch in the RSPAN session regular forwarding on the interface is not supported Destination RSPAN VLAN vlan id reflector port interface id network The switch is the first switch in the RSPAN session regular forwarding on the interface is support...

Page 1101: ... Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 1100 57 Command Mode User EXEC mode Example Example This example shows how to display a list of remote SPAN VLANs switchxxxxxx show vlan remote span Remote SPAN VLAN 20 ...

Page 1102: ...n mode command to enable spanning tree functionality Use the no form of this command to disable the spanning tree functionality Syntax spanning tree no spanning tree Parameters N A Default Configuration Spanning tree is enabled Command Mode Global Configuration mode Example The following example enables spanning tree functionality switchxxxxxx config spanning tree ...

Page 1103: ... stp rstp mst no spanning tree mode Parameters stp Specifies that STP is enabled rstp Specifies that the Rapid STP is enabled mst Specifies that the Multiple STP is enabled Default Configuration The default is RSTP Command Mode Global Configuration mode User Guidelines In RSTP mode the device uses STP when the neighbor device uses STP In MSTP mode the device uses RSTP when the neighbor device uses...

Page 1104: ...e Use the no form of this command to restore the default configuration Syntax spanning tree forward time seconds no spanning tree forward time Parameters seconds Specifies the spanning tree forward time in seconds Range 4 30 Default Configuration 15 seconds Command Mode Global Configuration mode User Guidelines When configuring the forwarding time the following relationship should be maintained 2 ...

Page 1105: ... time Parameters seconds Specifies the spanning tree Hello time in seconds Range 1 10 Default Configuration 2 seconds Command Mode Global Configuration mode User Guidelines When configuring the Hello time the following relationship should be maintained Max Age 2 Hello Time 1 Example The following example configures the spanning tree bridge hello time to 5 seconds switchxxxxxx config spanning tree ...

Page 1106: ...ing the maximum age the following relationships should be maintained 2 Forward Time 1 Max Age Max Age 2 Hello Time 1 Example The following example configures the spanning tree bridge maximum age to 10 seconds switchxxxxxx config spanning tree max age 10 58 6 spanning tree priority Use the spanning tree priority Global Configuration mode command to configure the device STP priority which is used to...

Page 1107: ...s the root of the spanning tree When more than one switch has the lowest priority the switch with the lowest MAC address is selected as the root Example The following example configures the spanning tree priority to 12288 switchxxxxxx config spanning tree priority 12288 58 7 spanning tree disable Use the spanning tree disable Interface Ethernet Port Channel Configuration mode command to disable th...

Page 1108: ...ce gi15 switchxxxxxx config if spanning tree disable 58 8 spanning tree cost Use the spanning tree cost Interface Ethernet Port Channel Configuration mode command to configure the spanning tree path cost for a port Use the no form of this command to restore the default configuration Syntax spanning tree cost cost no spanning tree cost Parameters cost Specifies the port path cost Range 1 200000000 ...

Page 1109: ... port priority Interface Ethernet Port Channel Configuration mode command to configure the port priority Use the no form of this command to restore the default configuration Syntax spanning tree port priority priority no spanning tree port priority Parameters priority Specifies the port priority Range 0 240 Default Configuration The default port priority is 128 Interface Long Short Port channel Ha...

Page 1110: ...fast Interface Ethernet Port Channel Configuration mode command to enable the PortFast mode In PortFast mode the interface is immediately put into the forwarding state upon linkup without waiting for the standard forward time delay Use the no form of this command to disable the PortFast mode Syntax spanning tree portfast auto no spanning tree portfast Parameters auto Specifies that the software wa...

Page 1111: ...se the no form of this command to restore the default configuration Syntax spanning tree link type point to point shared no spanning tree spanning tree link type Parameters point to point Specifies that the port link type is point to point shared Specifies that the port link type is shared Default Configuration The device derives the port link type from the duplex mode A full duplex port is consid...

Page 1112: ...pecifies that the default port path costs are within the range 1 200 000 000 short Specifies that the default port path costs are within the range 1 200 000 000 Default Configuration Long path cost method Command Mode Global Configuration mode User Guidelines This command applies to all the spanning tree instances on the switch If the short method is selected the switch calculates the default cost...

Page 1113: ...packets are filtered when the spanning tree is disabled on an interface flooding Specifies that untagged BPDU packets are flooded unconditionally without applying VLAN rules to all ports with the spanning tree disabled and BPDU handling mode of flooding Tagged BPDU packets are filtered Default Configuration The default setting is flooding Command Mode Global Configuration mode User Guidelines The ...

Page 1114: ...e flooding Specifies that untagged BPDU packets are flooded unconditionally without applying VLAN rules to ports with the spanning tree disabled and BPDU handling mode of flooding Tagged BPDU packets are filtered Default Configuration The spanning tree bpdu Global command determines the default configuration Command Mode Interface Ethernet Port Channel Configuration mode Example The following exam...

Page 1115: ...evice operates in any mode STP RSTP and MSTP When Root Guard is enabled the port changes to the alternate state if the spanning tree calculations select the port as the root port Example The following example prevents gi11 from being the root port of the device switchxxxxxx config interface gi11 switchxxxxxx config if spanning tree guard root 58 16 spanning tree bpduguard Use the spanning tree bpd...

Page 1116: ...he following example shuts down gi15 when it receives a BPDU switchxxxxxx config interface gi15 switchxxxxxx config if spanning tree bpduguard enable 58 17 clear spanning tree detected protocols Use the clear spanning tree detected protocols Privileged EXEC mode command to restart the STP migration process force renegotiation with neighboring switches on all interfaces or on the specified interfac...

Page 1117: ...evice priority for the specified spanning tree instance Use the no form of this command to restore the default configuration Syntax spanning tree mst instance id priority priority no spanning tree mst instance id priority Parameters instance id Specifies the spanning tree instance ID Range 1 7 priority Specifies the device priority for the specified spanning tree instance This setting determines t...

Page 1118: ...ode command to configure the number of hops in an MST region before the BDPU is discarded and the port information is aged out Use the no form of this command to restore the default configuration Syntax spanning tree mst max hops hop count no spanning tree mst max hops Parameters max hops hop count Specifies the number of hops in an MST region before the BDPU is discarded Range 1 40 Default Config...

Page 1119: ...nstance ID Range 1 15 priority Specifies the port priority Range 0 240 in multiples of 16 Default Configuration The default port priority is 128 Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines The priority value must be a multiple of 16 Example The following example configures the port priority of gi11 to 144 switchxxxxxx config interface gi11 switchxxxxxx config if...

Page 1120: ...e instance ID Range 1 15 cost Specifies the port path cost Range 1 200000000 Default Configuration Default path cost is determined by the port speed and path cost method long or short as shown below Command Mode Interface Ethernet Port Channel Configuration mode Example The following example configures the MSTP instance 1 path cost for port gi19 to 4 switchxxxxxx config interface gi19 switchxxxxxx...

Page 1121: ...egion they must contain the same VLAN mapping the same configuration revision number and the same name Example The following example configures an MST region switchxxxxxx config spanning tree mst configuration switchxxxxxx config mst instance 1 vlan 10 20 switchxxxxxx config mst name region1 switchxxxxxx config mst revision 1 58 23 instance MST Use instance MST Configuration mode command to map VL...

Page 1122: ...mapped to the common and internal spanning tree CIST instance instance 0 and cannot be unmapped from the CIST For two or more devices to be in the same MST region they must have the same VLAN mapping the same configuration revision number and the same name Example The following example maps VLANs 10 20 to MST instance 1 switchxxxxxx config spanning tree mst configuration switchxxxxxx config mst in...

Page 1123: ...uration switchxxxxxx config mst name region1 58 25 revision MST Use the revision MST Configuration mode command to define the MST configuration revision number Use the no form of this command to restore the default configuration Syntax revision value no revision Parameters value Specifies the MST configuration revision number Range 0 65535 Default Configuration The default configuration revision n...

Page 1124: ... region configuration Syntax show current pending Parameters current Displays the current MST region configuration pending Displays the pending MST region configuration Default Configuration N A Command Mode MST Configuration mode Example The following example displays a pending MST region configuration switchxxxxxx config mst show pending Gathering information Current MST configuration Name Regio...

Page 1125: ...Syntax exit Parameters N A Default Configuration N A Command Mode MST Configuration mode Example The following example exits the MST Configuration mode and saves changes switchxxxxxx config spanning tree mst configuration switchxxxxxx config mst exit switchxxxxxx config 58 28 abort MST Use the abort MST Configuration mode command to exit the MST Configuration mode without applying the configuratio...

Page 1126: ...EC mode command to display the spanning tree configuration Syntax show spanning tree interface id instance instance id show spanning tree detail active blockedports instance instance id show spanning tree mst configuration Parameters instance instance id Specifies the spanning tree instance ID Range 1 7 detail Displays detailed information active Displays active ports only blockedports Displays bl...

Page 1127: ...when MST is enabled Example The following examples display spanning tree information in various configurations switchxxxxxx show spanning tree Spanning tree enabled mode RSTP Default port cost method long Loopback guard Disabled Root ID Priority Address Cost Port 32768 00 01 42 97 e0 00 20000 gi11 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority Address 36864 00 02 4b 29 7a ...

Page 1128: ...6864 00 02 4b 29 7a 00 This switch is the Root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interfaces Name gi11 gi12 gi13 gi14 gi15 State Enabled Enabled Disabled Enabled Enabled Prio Nbr 128 1 128 2 128 3 128 4 128 5 Cost 20000 20000 20000 20000 20000 Sts FRW FRW FRW DIS Role Desg Desg Desg PortFast No No No Type P2p RSTP Shared STP Shared STP switchxxxxxx show spanning tree Spanning tre...

Page 1129: ...2768 00 01 42 97 e0 00 20000 gi11 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority Address 36864 00 02 4b 29 7a 00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interfaces Name gi11 gi12 gi14 State Enabled Enabled Enabled Prio Nbr 128 1 128 2 128 4 Cost 20000 20000 20000 Sts FRW FRW BLK Role Root Desg Altn PortFast No No No Type P2p RSTP Shared STP Shared STP switchxx...

Page 1130: ... e0 00 20000 gi11 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority Address 36864 00 02 4b 29 7a 00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Number of topology changes 2 last change occurred 2d18h ago Times hold 1 topology change 35 notification 2 hello 2 max age 20 forward delay 15 Port 1 gi11 enabled State Forwarding Port id 128 1 Type P2p configured auto RSTP D...

Page 1131: ...t N A configured no Address N A Designated path cost N A BPDU guard Disabled Number of transitions to forwarding state N A BPDU sent N A received N A Port 4 gi14 enabled State Blocking Port id 128 4 Type Shared configured auto STP Designated bridge Priority 28672 Designated port id 128 25 Guard root Disabled Role Alternate Port cost 20000 Port Fast No configured no Address 00 30 94 41 62 c8 Design...

Page 1132: ... Number of transitions to forwarding state 1 BPDU sent 2 received 120638 switchxxxxxx show spanning tree mst configuration Name Region1 Revision 1 Instance 1 2 Vlans mapped 1 9 21 4094 10 20 State Enabled Enabled switchxxxxxx show spanning tree Spanning tree enabled mode MSTP Default port cost method long MST 0 Vlans Mapped 1 9 CST Root ID Priority Address Path Cost Root Port 32768 00 01 42 97 e0 ...

Page 1133: ...89 76 20000 gi14 19 Bridge ID Priority Address 32768 00 02 4b 29 7a 00 Interfaces Name gi11 gi12 gi13 gi14 State Enabled Enabled Enabled Enabled Prio Nbr 128 1 128 2 128 3 128 4 Cost 20000 20000 20000 20000 Sts FRW FRW BLK FRW Role Boun Boun Altn Root PortFast No No No No Type P2p Bound RSTP Shared Bound STP P2p P2p switchxxxxxx show spanning tree detail Spanning tree enabled mode MSTP Default por...

Page 1134: ...e Root Port cost 20000 Port Fast No configured no Address 00 01 42 97 e0 00 Designated path cost 0 Port 2 gi12 enabled State Forwarding Port id 128 2 Type Shared configured auto Boundary STP Designated bridge Priority 32768 Designated port id 128 2 Number of transitions to forwarding state 1 BPDU sent 2 received 170638 Role Designated Port cost 20000 Port Fast No configured no Address 00 02 4b 29 ...

Page 1135: ...1 Vlans Mapped 10 20 Root ID Priority Address Path Cost Root Port 24576 00 02 4b 29 89 76 20000 gi14 Rem hops 19 Bridge ID Priority Address 32768 00 02 4b 29 7a 00 Number of topology changes 2 last change occurred 1d9h ago Times hold 1 topology change 2 notification 2 hello 2 max age 20 forward delay 15 Port 1 gi11 enabled State Forwarding Port id 128 1 Type P2p configured auto Boundary RSTP Desig...

Page 1136: ...128 78 Number of transitions to forwarding state 1 BPDU sent 2 received 170638 Role Alternate Port cost 20000 Port Fast No configured no Address 00 02 4b 29 1a 19 Designated path cost 20000 Port 4 gi14 enabled State Forwarding Port id 128 4 Type Shared configured auto Internal Designated bridge Priority 32768 Designated port id 128 2 Number of transitions to forwarding state 1 BPDU sent 2 received...

Page 1137: ...thernet port or Port channel detailed Displays information for non present ports in addition to present ports IST Master ID Priority Address Path Cost Rem hops 32768 00 02 4b 19 7a 00 10000 19 Bridge ID Priority Address 32768 00 02 4b 29 7a 00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops 20 switchxxxxxx show spanning tree Spanning tree enabled mode MSTP Default port cost method lo...

Page 1138: ...l configuration command to shut down an interface if it receives a loopback BPDU Use the no form of this command to return the default setting switchxxxxxx show spanning tree bpdu The following is the output if the global BPDU handling command is not supported Interface gi11 gi12 gi13 Admin Mode Filtering Filtering Filtering Oper Mode Filtering Filtering Guard The following is the output if both t...

Page 1139: ...e 1138 58 Syntax spanning tree loopback guard no spanning tree loopback guard Parameters N A Default Configuration N A Command Mode Global User Guidelines This enables shutting down all interfaces if a loopback BPDU is received on it Example switchxxxxxx config spanning tree loopback guard ...

Page 1140: ...tication password public key rsa dsa no ip ssh client authentication Parameters password Username and password are used for authentication public key rsa Username and RSA public key are used for authentication public key dsa Username and DSA public key are used for authentication Default Configuration Username and password are used for authentication by the local SSH clients Command Mode Global Co...

Page 1141: ...ord new password new password Parameters host DNS name of a remote SSH server ip address Specifies the IP address of a remote SSH server The IP address can be an IPv4 IPv6 or IPv6z address See IPv6z Address Conventions username Username of the local SSH clients 1 70 characters old password Old password of the local SSH client 1 70 characters new password New password for the local SSH client 1 70 ...

Page 1142: ...porting a key use the ip ssh client key command in Global Configuration mode To remove a key use the no form of the command Syntax ip ssh client key dsa rsa generate key pair privkey pubkey encrypted ip ssh client key dsa rsa key pair encrypted privkey pubkey no ip ssh client key dsa rsa Parameters dsa DSA key type rsa RSA key type key pair Key that is imported to the device privkey Plaintext priv...

Page 1143: ...escribes the expected behavior of keys default and users within the various operations If no keys are included in text based configuration file the device generates it s own keys during initialization If the Running Configuration contains default keys not user defined the same default keys remain Examples Example 1 In the following example a key pair of the RSA type is created switchxxxxxx config ...

Page 1144: ...2jukB 5Z7BlHPz2Xczs2clOOwrnToy YTzjLUxy WS7V IxbBllipLAkEA QluVSCfFmdMlZxaEfJVzqPO1cF8guovsWLteBf gqHuvbHuNy0t OWEpObKZs1m mtCWppkgcqgrB0oJaYbUFQJBAMo cCrkyhsiV ZsryeD26NbPEKiak16V Tz2ayDstidGuuvcvm2YF7DjM6n6NYz3 ZLyc5n82okbld1NhDONsCQQCmSAas C4HaHQn zSU lWlDI88As4qJN2DMmGJbtsbVHhQxWIHAG4tBVWa8bV12 RPyuan jnk8irniGyVza FPAkEAiq8oV 1XYxA8V39V a42d7FvRjMckUmKDl4Rmt32 u9i6sFzaWcdgs87 2vS3AZQ afQDE5U6...

Page 1145: ... KEY MIGHAoGBALLOeh3css8tBL8ujFt3trcX0XJyJLlxxt4sGp8Q3ExlSRN25 Mcac6togpIEg tIzk6t1IEJscuAih9Brwh1ovgMLRaMe25j5YjO4xG6Fp42nhHiRcie YTS1o309EdZkiXa QeJtLdnYL r3uTIRVGbXI5nxwtfWpwEgxxDwfqzHAgEj END RSA PUBLIC KEY Example 4 In the following example a DSA key pair is removed switchxxxxxx config no ip ssh client key dsa Example 5 In the following example all key pairs RSA and DSA types are removed swit...

Page 1146: ...e the password If the encrypted keyword is used the password must be in the encrypted form Use the command ip ssh client change server password to change the password on the remote SSH server so that it will match the new password of the SSH client Example The following example specifies a plaintext password for the local SSH clients switchxxxxxx config ip ssh client password 111aaff 59 5 ip ssh c...

Page 1147: ...d only trusted SSH servers are accepted Use the ip ssh client server fingerprint command to configure trusted SSH servers Example The following example enables SSH server authentication switchxxxxxx config ip ssh client server authentication 59 6 ip ssh client server fingerprint To add a trusted server to the Trusted Remote SSH Server Table use the ip ssh client server fingerprint command in Globa...

Page 1148: ...fingerprint and compares it to the previously configured fingerprint The fingerprint can be obtained from the SSH server the fingerprint is calculated when the public key is generated on the SSH server The no ip ssh client server fingerprint command removes all entries from the Trusted Remote SSH Server table Example In the following example a trusted server is added to the Trusted Servers table w...

Page 1149: ...op IPv4 subnet is applied If the source interface is not the outgoing interface then the minimal IPv4 address defined on the source interface is applied If there is no available IPv4 source address a SYSLOG message is issued when attempting to communicate with an IPv4 SSH servers Example The following example configures the VLAN 10 as the source interface switchxxxxxx config ip ssh client source i...

Page 1150: ...ess defined on the interfaces and selected in accordance with RFC 6724 If the source interface is not the outgoing interface then the minimal IPv4 address defined on the source interface and with the scope of the destination IPv6 address is applied If there is no available IPv6 source address a SYSLOG message is issued when attempting to communicate with an IPv6 SSH servers Example The following e...

Page 1151: ...mand Mode Global Configuration mode User Guidelines The configured username is used when SSH client authentication is done both by password or by key Example The following example specifies a username of the SSH client switchxxxxxx config ip ssh client username jeff 59 10 show ip ssh client To display the SSH client credentials both default and user defined keys use the show ip ssh client command ...

Page 1152: ...s are displayed in the format specified by RFC 4716 Examples Example 1 The following example displays the authentication method and the RSA public key switchxxxxxx show ip ssh client mypubkey rsa Source IPv4 interface vlan 1 Source IPv6 interface vlan 10 Authentication method DSA key Username john Key Source User Defined BEGIN SSH2 PUBLIC KEY Comment RSA Public Key AAAAB3NzaC1yc2EAAAABIwAAAIEAudGE...

Page 1153: ...NBvQAAAIEAlN92 Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9vGf J0 RHd NjB4eo1D 0dix6tXwYGN7PKS5R FXPNwxHPapcj9uL1Jn2AWQ2dsknf i FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP CDqzCM4loWgV END SSH2 PUBLIC KEY BEGIN SSH2 PRIVA...

Page 1154: ...tion method DSA key Username anonymous default Password anonymous default password Encrypted KzGgzpYa7GzCHhaveSJDehGJ6L3Yf9ZBAU5nsxSxwic 59 11 show ip ssh client server To display the SSH remote server authentication method and the Trusted Remote SSH Server table use the show ip ssh client server command in Privilege EXEC Configuration mode Syntax show ip ssh client server host ip address Paramete...

Page 1155: ...6 46 23 5a 8d 1d b5 37 59 eb 44 13 b9 33 e9 server address 4002 0011 12 Server Key Fingerprint a5 34 44 44 27 8d 1d b5 37 59 eb 44 13 b9 33 e9 Example 2 The following example displays the authentication method and DSA private key in encrypted format switchxxxxxx show ip ssh client key DSA Authentication method DSA key Username john Key Source Default Public Key Fingerprint 77 C7 19 85 98 19 27 96 ...

Page 1156: ...6JYrdH YI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk gF 1VAAAAFQDb8D5c vwHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92 Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9vGf J0 RHd NjB4eo1D 0dix6tXwYGN7PKS5R FXPNwxHPapcj9uL1Jn2AWQ2dsknf i FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmx...

Page 1157: ...Syntax ssd config Parameters This command has no arguments or keywords Command Mode Global Configuration mode User Guidelines Only users with sufficient permission can use this command which edits and displays the SSD configuration See ssd rule for a description of these permissions Example switchxxxxxx config ssd config switchxxxxxx config ssd 60 2 passphrase To change the passphrase in the syste...

Page 1158: ...essage is displayed and the user must confirm the intention to change the passphrase Then the passphrase can be entered see example Encrypted passphrase is allowed only in the SSD Control Block of a source file that is being copied to the startup configuration file user cannot manually enter this command When generating a passphrase the user must use 4 different character classes similar to strong...

Page 1159: ...l 15 default user user user name secure insecure secure xml snmp insecure xml snmp permission encrypted only plaintext only both exclude default read encrypted plaintext exclude no ssd rule all level 15 default user user user name secure insecure secure xml snmp insecure xml snmp Command Mode SSD Configuration mode Default Rules The device has the following factory default rules Table 4 Default SS...

Page 1160: ...rom one device to another in a secure manner You can modify but cannot delete the default SSD rules The following is the order in which SSD rules are applied The SSD rules for specified users The SSD rule for the default user cisco The SSD rules for level 15 users The remaining SSD rules for all The user can enter the commands in any order The ordering is done implicitly by the device Examples Exa...

Page 1161: ... no ssd rule user james secure Example 6 The following example deletes all rules switchxxxxxx config ssd no ssd rule This operation will delete all user defined rules and retrieve the default rules instead Are you sure Y N N 60 4 show SSD To present the current SSD rules the rules will be displayed as plaintext use show ssd rules in SSD Configuration mode Syntax show SSD rules brief Parameters rul...

Page 1162: ...lt Read Type Specific admin11 secure Both Encrypted User Define Specific admin2 secure Encrypted Only Encrypted User Define Level 15 secure xml snmp Plaintext Only Plaintext Default Level 15 secure Both Encrypted Default Level 15 insecure Both Encrypted Default All secure Encrypted Only Encrypted Default All insecure Encrypted Only Encrypted Default All insecure xml snmp Plaintext Only Plaintext D...

Page 1163: ...ssd brief SSD current parameters Local Passphrase Default File Passphrase Control Unrestricted File Integrity Control Disabled SSD parameters after reset Local Passphrase Default File Passphrase Control Unrestricted File Integrity Control Disabled 60 5 ssd session read To override the current SSD default read of the current session use ssd session read in Global Configuration mode Syntax ssd sessi...

Page 1164: ...ules This configuration will be allowed only if the user of the current session has sufficient read permissions otherwise the command will fail and an error will be displayed The setting will take effect immediately and will terminate when the user restores the settings or exits the session Example switchxxxxxx config ssd session read plaintext 60 6 show ssd session To view the SSD read permission...

Page 1165: ...ata in a configuration file from devices that do not have the passphrase The mode should be used when a user does not want to expose the passphrase in a configuration file Unrestricted In this mode a device will include its passphrase when creating a configuration file This allows any devices accepting the configuration file to learn the passphrase from the file Default The default is unrestricted...

Page 1166: ...encrypted sensitive data from tampering use ssd file integrity control command in SSD Configuration mode To disable Integrity Control use no ssd file integrity control Syntax ssd file integrity control enabled no ssd file integrity control Parameters enabled Enable file integrity control to protect newly generated configuration files from tampering Default The default file input control is disable...

Page 1167: ...ected but a device finds the integrity of the file is not intact the device rejects the file Otherwise the file is accepted for further processing Examples switchxxxxxx config ssd ssd file integrity control enabled When File Integrity is enabled an internal digest command is added to the end of the entire configuration file This is used in downloading the configuration file to the startup configur...

Page 1168: ...ters login Enables logging messages related to successful AAA login events unsuccessful AAA login events and other AAA login related events Default Configuration Enabled Command Mode Global Configuration mode User Guidelines This command enables logging messages related to successful login events unsuccessful login events and other login related events Other types of AAA events are not subject to ...

Page 1169: ...eters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Example The following example clears messages from the internal logging buffer switchxxxxxx clear logging Clear Logging Buffer Y N N 61 3 clear logging file To clear messages from the logging file use the clear logging file Privileged EXEC mode command Syntax clear logging file Parameters T...

Page 1170: ...gging To enable logging file system events use the file system logging Global Configuration mode command To disable logging file system events use the no form of this command Syntax file system logging copy delete rename no file system logging copy delete rename Parameters copy Specifies logging messages related to file copy operations delete rename Specifies logging messages related to file delet...

Page 1171: ...n the buffer size to default use the no form of this command Syntax logging buffered buffer size severity level severity level name no logging buffered Parameters buffer size Optional Specifies the maximum number of messages stored in buffer Range 20 1000 severity level Optional Specifies the severity level of messages logged in the buffer The possible values are 1 7 severity level name Optional S...

Page 1172: ...mational switchxxxxxx config logging buffered debugging switchxxxxxx config logging buffered 100 informational 61 6 logging console To limit messages logged to the console to messages to a specific severity level use the logging console Global Configuration mode command To restore the default use the no form of this command Syntax logging console level no logging console Parameters level Specifies...

Page 1173: ...Configuration mode command To cancel sending messages to the file use the no form of this command Syntax logging file level no logging file Parameters level Specifies the severity level of SYSLOG messages sent to the logging file The possible values are emergencies alerts critical errors warnings notifications informational and debugging Default Configuration The default severity level is errors C...

Page 1174: ...SYSLOG server Only translation to IPv4 addresses is supported Range 1 158 characters Maximum label size for each part of the host name 63 port port Optional Port number for SYSLOG messages If unspecified the port number defaults to 514 Range 1 65535 severity level Optional Limits the logging of messages to the SYSLOG servers to a specified level Emergencies Alerts Critical Errors Warnings Notifica...

Page 1175: ...he no form of this command Syntax logging on no logging on Parameters This command has no arguments or keywords Default Configuration Message logging is enabled Command Mode Global Configuration mode User Guidelines The logging process controls the logging messages distribution at various destinations such as the logging buffer logging file or SYSLOG server Logging on and off at these destinations...

Page 1176: ...ax logging source interface interface id no logging source interface Parameters interface id Specifies the source interface Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to next hop IPv4 subnet Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the interface IP address belongin...

Page 1177: ...source interface ipv6 interface id no logging source interface ipv6 Parameters interface id Specifies the source interface Default Configuration The IPv6 source address is the defined IPv6 address of the outgoing interface and selected in accordance with RFC6724 Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface the IPv6 address defined on the ...

Page 1178: ...Global Configuration mode command If aggregation is enabled logging messages are displayed every time interval according to the aging time specified by logging aggregation aging time To disable aggregation of SYSLOG messages use the no form of this command Syntax logging aggregation on no logging aggregation on Parameters This command has no arguments or keywords Default Configuration Disabled Com...

Page 1179: ...is command Syntax logging aggregation aging time sec no logging aggregation aging time Parameters aging time sec Aging time in seconds Range 15 3600 Default Configuration 300 seconds Command Mode Global Configuration mode Example switchxxxxxx config logging aggregation aging time 300 61 14 logging origin id To configure the origin field of the SYSLOG message packet headers sent to the SYSLOG serve...

Page 1180: ...ddress will be used instead string user defined id Specifies an identifying description chosen by the user The user defined id argument is the identifying description string Default Configuration No header is sent apart from the PRI field Command Mode Global Configuration mode Example switchxxxxxx config logging origin id string Domain 1 router B 61 15 show logging To display the logging status an...

Page 1181: ...ging Level info Buffer Messages 61 Logged 61 Displayed 200 Max File Logging Level error File Messages 898 Logged 64 Dropped 4 messages were not logged Application filtering control Application Event Status AAA Login Enabled File system Copy Enabled File system Delete Rename Enabled Management ACL Deny Enabled Aggregation Disabled Aggregation aging time 300 Sec 01 Jan 2010 05 29 46 INIT I Startup W...

Page 1182: ...nfiguration None Command Mode Privileged EXEC mode Example The following example displays the logging status and the SYSLOG messages stored in the logging file switchxxxxxx show logging file Logging is enabled Origin id hostname Console Logging Level info Console Messages 0 Dropped Buffer Logging Level info Buffer Messages 61 Logged 61 Displayed 200 Max File Logging Level error File Messages 898 L...

Page 1183: ...OR SSH error key_read type mismatch encoding error 01 Jan 2010 05 55 03 SSHD E ERROR SSH error key_read key_from_blob bgEgGnt9 z6NHgZwKI5xKqF7cBtdl1xmFgSEWuDhho5UedydAjVkKS5XR2 failed 01 Jan 2010 05 55 03 SSHD E ERROR SSH error key_from_blob invalid key type 01 Jan 2010 05 56 34 SSHD E ERROR SSH error bad sigbloblen 58 SIGBLOB_LEN console 61 17 show syslog servers To display the SYSLOG server sett...

Page 1184: ... 61 Example The following example provides information about the SYSLOG servers switchxxxxxx show syslog servers Source IPv4 interface vlan 1 Source IPv6 interface vlan 10 Device Configuration IP address Port Facility Severity Description 1 1 1 121 514 local7 info 3000 100 514 local7 info ...

Page 1185: ...the ports on the device to their current operational status of the port use the no disable ports leds command Syntax disable ports leds no disable ports leds Parameters This command has no arguments or keywords Default Configuration The default is no disable port leds that is the LEDs of all the ports reflect their current status Command Mode Global Configuration mode Examples The following exampl...

Page 1186: ...host name Length 1 58 characters The hostname must start with a letter end with a letter or digit and have as interior characters only letters digits and hyphens Default Configuration No host name is defined Command Mode Global Configuration mode Example The following example specifies the device host name as enterprise switchxxxxxx config hostname enterprise enterprise config 62 3 reload To reloa...

Page 1187: ...ight The reload must take place within 24 days day Optional Number of the day in the range from 1 to 31 month Optional Month of the year cancel Optional Cancels a scheduled reload Default Usage None Command Mode Privileged EXEC mode User Guidelines The at keyword can be used only if the system clock has been set on the device To schedule reloads across several devices to occur simultaneously synch...

Page 1188: ...system and disconnect your current session Reload is scheduled for 11 57 08 UTC Fri Apr 21 2012 in 10 minutes Do you want to continue y n Y Example 3 The following example reloads the operating system at 13 00 switchxxxxxx reload at 13 00 This command will reset the whole system and disconnect your current session Reload is scheduled for 13 00 00 UTC Fri Apr 21 2012 in 1 hour and 3 minutes Do you ...

Page 1189: ... mode Example The following command switches to open Telnet session number 1 switchxxxxxx resume 1 62 5 service cpu utilization To enable measuring CPU utilization use the service cpu utilization Global Configuration mode command To restore the default configuration use the no form of this command Syntax service cpu utilization no service cpu utilization Parameters This command has no arguments or...

Page 1190: ...62 6 show cpu input rate To display the rate of input frames to the CPU in packets per seconds pps use the show cpu input rate EXEC mode command Syntax show cpu input rate Parameters This command has no arguments or keywords Command Mode User EXEC mode Example The following example displays CPU input rate information switchxxxxxx show cpu input rate Input Rate to CPU is 1030 pps 62 7 show cpu util...

Page 1191: ...w cpu utilization command to enable measuring CPU utilization Example The following example displays CPU utilization information switchxxxxxx show cpu utilization CPU utilization service is on CPU utilization five seconds 5 one minute 3 five minutes 3 62 8 show environment To display environment information use the show environment EXEC mode command Syntax show environment all fan temperature stat...

Page 1192: ...tive power supply is used Available Power supply is connected but is not used Not Connected The PD port is not connected or not connected to PSE The fan and temperature status parameters are available only on devices on which FAN and or temperature sensor are installed Fan status can be one of Fans OK redundant fan Ready The fan s functions correctly Fans OK redundant fan Active One of the fans fa...

Page 1193: ...atus of a device switchxxxxxx show environment all Internal power supply Active PD power supply Available FANs OK redundant fan ready TEMPERATURE is OK Example 2 The following example displays the power status of a device Internal power supply Active PD power supply Available Example 2 The following example displays the general FAN status of a device switchxxxxxx show environment fan FANs OK redun...

Page 1194: ...xample 1 The following example displays all the entities in a standalone system switchxxxxxx show inventory NAME 1 DESCR 52 Port Gigabit PoE Stackable Managed Switch PID SRW224G4P K9 VID V01 SN 123456789 Example 2 The following example displays a specific entity in a standalone system switchxxxxxx show inventory gigabitethernet2 1 49 NAME GigabitEthernet2 1 49 DESCR 1000M base LX Mini GBIC SFP Tra...

Page 1195: ...reload To cancel a pending reload use this command with the cancel parameter Example The following example displays that reboot is scheduled for 00 00 on Saturday April 20 switchxxxxxx show reload Reload scheduled for 00 00 00 UTC Sat April 20 in 3 hours and 12 minutes 62 11 show sessions To display open Telnet sessions use the show sessions EXEC mode command Syntax show sessions Parameters This c...

Page 1196: ...Telnet sessions The following table describes significant fields shown above 62 12 show system The show system EXEC mode command displays system information Syntax show system Command Mode User EXEC mode switchxxxxxx show sessions Connection 1 2 Host Remote router 172 16 1 2 Address 172 16 1 1 172 16 1 2 Port 23 23 Byte 89 8 Field Description Connection The connection number Host The remote host t...

Page 1197: ...System Name switch151400 System Location System MAC Address 00 24 ab 15 14 00 System Object ID 1 3 6 1 4 1 9 6 1 85 24 2 Unit Type 1 SG350 24P Unit Main Power Supply 1 OK Unit Fans Status Redundant Fan Status 1 OK Ready Unit Temperature Celsius Temperature Sensor Status 1 42 OK 62 13 show system languages To display the list of supported languages use the show system languages EXEC mode command Sy...

Page 1198: ...umber of Sections indicates the number of languages permitted on the device switchxxxxxx show system languages Language Name Unicode Name Code Num of Sections English English en US 2 Japanese µùѵ F P ja JP 2 62 14 show system tcam utilization To display the Ternary Content Addressable Memory TCAM utilization use the show system tcam utilization EXEC mode command Syntax show system tcam utilizatio...

Page 1199: ... the show services tcp udp Privileged EXEC mode command Syntax show services tcp udp Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode User Guidelines The output does not show sessions where the device is a TCP UDP client Examples switchxxxxxx show services tcp udp Type Local IP Address Remote IP address Service Name State TCP All 22 SSH LISTEN TCP All 23 Telne...

Page 1200: ...Technical Assistance Center when reporting a problem use the show tech support EXEC mode command Syntax show tech support config memory Parameters memory Optional Displays memory and processor state data config Optional Displays switch configuration within the CLI commands supported on the device Default Configuration By default this command displays the output of technical support related show co...

Page 1201: ...omatic disconnection of idle sessions or enter a longer timeout value The show tech support command output is continuous meaning that it does not display one screen at a time To interrupt the output press Esc If the user specifies the memory keyword the show tech support command displays the following output Flash info dir if exists or flash mapping Output of command show bootvar Buffers info like...

Page 1202: ...nit Speed State RPM 1 8000 Fans OK redundant fan ready 62 18 show system sensors To view the temperature sensor status use the show system sensors EXEC mode command Syntax show system sensors Parameters This command has no arguments or keywords Default Usage None Command Mode User EXEC mode Examples For Standalone systems with a single sensor status switchxxxxxx show system sensors Sensor Status O...

Page 1203: ...arameters This command has no arguments or keywords Default Usage None Command Mode User EXEC mode User Guidelines Power supply supported Main internal power supply PD POE Powered Device port Main Power supply statuses Active power supply is used Failure Main power has failed When the power supply changes to Main power supply the following syslog message is created Power supply source changed to M...

Page 1204: ...802 3AF 802 3AT 60W POE When the power supply changes to PD power supply PD the following syslog message is created Power supply source changed to PD Power Supply Examples switchxxxxxx show system power supply Show power supported with PoE switchxxxxxx show system power supply 62 20 show system id To display the system identity information use the show system id EXEC mode command Power Supply Stat...

Page 1205: ...number 114 62 21 show ports leds configuration To display whether the LEDs of the ports are enabled or disabled use the show port leds configuration EXEC mode command Syntax show ports leds configuration Parameters This command has no arguments or keywords Command Mode User EXEC mode Examples Example 1 The following example displays the status of the port s LEDs when they are turned on switchxxxxx...

Page 1206: ... are disabled 62 22 show users To display information about the active users use the show users EXEC mode command Syntax show users Parameters This command has no arguments or keywords Default Usage None Command Mode User EXEC mode Example The following example displays information about the active users switchxxxxxx show users Username Bob John Robert Betty Sam Protocol Serial SSH HTTP Telnet Loc...

Page 1207: ...owing example displays system version information switchxxxxxx show version SW Version 1 1 0 5 date 15 Sep 2010 time 10 31 33 Boot Version 1 1 0 2 date 04 Sep 2010 time 21 51 53 HW Version 62 24 show hardware version To display hardware version information use the show hardware version EXEC mode command Syntax show hardware version Command Mode User EXEC mode Example The following example displays...

Page 1208: ...ure that reached the critical threshold use the system recovery Global Configuration command To return to disable automatic recovery use the no form of the command Syntax system recovery no system recovery Parameters This command has no arguments or keywords Default Configuration System recovery is enabled by default Command Mode Global Configuration mode Example c switchxxxxxx config no system re...

Page 1209: ...ty no tacacs server host ip address hostname Parameters host ip address Specifies the TACACS server host IP address The IP address can be an IPv4 IPv6 or IPv6z address host hostname Specifies the TACACS server host name Length 1 158 characters Maximum label length of each part of the host name 63 characters single connection Optional Specifies that a single open connection is maintained between th...

Page 1210: ...d where 0 is the highest priority Range 0 65535 Default Configuration No TACACS host is specified The default port number is 1812 If timeout is not specified the global value set in the tacacs server timeout command is used If key string is not specified the global value set in the tacacs server key command is used Command Mode Global Configuration mode User Guidelines Multiple tacacs server host ...

Page 1211: ...bnet is applied If the source interface is not the outgoing interface the minimal IPv4 address defined on the source interface is applied If there is no available IPv4 source address a SYSLOG message is issued when attempting to communicate with an IPv4 TACACS server Example The following example configures the VLAN 10 as the source interface switchxxxxxx config tacacs server host source interface...

Page 1212: ... selected in accordance with RFC 6724 If the source interface is not the outgoing interface the source IPv6 address is the minimal IPv6 address defined on the source interface and matched to the scope of the destination IPv6 address is applied If there is no available source IPv6 address a SYSLOG message is issued when attempting to communicate with an IPv6 TACACS server Example The following exam...

Page 1213: ...ters encrypted key string Same as key string but the key is in encrypted format Default Configuration The default key is an empty string Command Mode Global Configuration mode Example The following example sets Enterprise as the authentication key for all TACACS servers switchxxxxxx config tacacs server key enterprise 63 5 tacacs server timeout To set the interval during which the device waits for...

Page 1214: ...example sets the timeout value to 30 for all TACACS servers switchxxxxxx config tacacs server timeout 30 63 6 show tacacs To display configuration and statistical information for a TACACS server use the show tacacs Privileged EXEC mode command Syntax show tacacs ip address Parameters ip address Specifies the TACACS server name IPv4 or IPv6 address Default Configuration If ip address is not specifi...

Page 1215: ...72 16 1 1 Connected 49 No Global 1 Global values Time Out 3 Source IPv4 interface vlan 120 Source IPv6 interface vlan 10 63 7 show tacacs key To display the configured key of the TACACS server use the show tacacs key Privileged EXEC mode command Syntax show tacacs key ip address Parameters ip address Specifies the TACACS server name or IP address Default Configuration If ip address is not specifie...

Page 1216: ...ine Interface Reference Guide 63 Example The following example displays configuration and statistical information for all TACACS servers switchxxxxxx show tacacs key IP address 172 16 1 1 172 16 1 2 Key Encrypted Sharon123 Bruce123 Global key Encrypted Alice456 ...

Page 1217: ...mand to disable the Telnet server functionality on the device Syntax ip telnet server no ip telnet server Default Configuration Disabled Command Mode Global Configuration mode User Guidelines The device can be enabled to accept connection requests from both remote SSH and Telnet clients It is recommended that the remote client connects to the device using SSH as opposed to Telnet since SSH is a se...

Page 1218: ...tax ip ssh server no ip ssh server Default Configuration The SSH server functionality is disabled by default Command Mode Global Configuration mode User Guidelines The device as an SSH server generates the encryption keys automatically To generate new SSH server keys use the crypto key generate dsa and crypto key generate rsa commands Example The following example enables configuring the device to...

Page 1219: ...nfiguration mode Example The following example specifies that TCP port number 8080 is used by the SSH server switchxxxxxx config ip ssh port 8080 64 4 ip ssh password auth Use the ip ssh password auth Global Configuration mode command to enable password authentication of incoming SSH sessions Use the no form of this command to disable this function Syntax ip ssh password auth no ip ssh password au...

Page 1220: ...remote SSH clients must still be AAA authenticated before being granted management access to the device Example The following example enables password authentication of the SSH client switchxxxxxx config ip ssh password auth 64 5 ip ssh pubkey auth Use the ip ssh pubkey auth Global Configuration mode command to enable public key authentication of incoming SSH sessions Use the no form of this comma...

Page 1221: ...user database The device management AAA authentication is transparent to the user If the user name is not in the local user database then the user receives a warning message and the user will need to pass the device management AAA authentication independently of the SSH authentication if the auto login keyword is not specified management access is granted only if the user engages and passes both S...

Page 1222: ...to key pubkey chain ssh switchxxxxxx config keychain user key bob rsa switchxxxxxx config keychain key key string AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ ZNXfZSkvHG QusIZ 76ILmFT34v7u7ChFAE Vu4GRfpSwoQUvV35LqJJk67IOU zfwOl1g kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq muSn Wd05iDX2IExQWu08licglk02LYciz Z4TrEU 9FJxwPiVQOjc KBXuR0juNg5nFYsY 0ZCk0N W9a tnkm1shRE7Di71 w3fNiOA 6...

Page 1223: ...t the DSA key pair is manually configured Default Configuration No SSH public keys exist Command Mode SSH Public Key string Configuration mode User Guidelines After entering this command the existing key if any associated with the user will be deleted You must follow this command with the key string command to configure the key to the user Example The following example enables manually configuring...

Page 1224: ...Command Mode SSH Public Key string Configuration mode User Guidelines Use the key string SSH Public Key string Configuration mode command without the row parameter to specify which SSH public key is to be interactively configured next Enter a row with no characters to complete the command Use the key string row SSH Public Key string Configuration mode command to specify the SSH public key row by r...

Page 1225: ...jc KBXuR0juNg5nFYsY 0ZCk0N W9a tnkm1shRE7Di71 w3fNiOA 6w9o44t6 AINEICBCCA4YcF6zMzaT1wefWwX6f Rmt5nhhqdAtN 4oJfce166DqVX1gWmN zNR4DYDvSzg0lDnwCAC8Qh Fingerprint a4 16 46 23 5a 8d 1d b5 37 59 eb 44 13 b9 33 e9 switchxxxxxx config crypto key pubkey chain ssh switchxxxxxx config keychain user key bob rsa switchxxxxxx config keychain key key string row AAAAB3Nza switchxxxxxx config keychain key key str...

Page 1226: ...rypto key pubkey chain ssh username username fingerprint bubble babble hex switchxxxxxx show ip ssh SSH server enabled Port 22 RSA key was generated DSA DSS key was generated SSH Public Key Authentication is enabled with auto login SSH Password Authentication is enabled Active incoming sessions IP Address 172 16 0 1 SSH Username John Brown Version 1 5 Cipher 3DES Auth Code HMAC SHA1 182 20 2 1 Bob...

Page 1227: ...ed in Bubble Babble format hex Specifies that the fingerprint is displayed in hexadecimal format Default Configuration The default fingerprint format is hexadecimal Command Mode Privileged EXEC mode Example The following examples display SSH public keys stored on the device switchxxxxxx show crypto key pubkey chain ssh Username Fingerprint bob 9A CC 01 C5 78 39 27 86 79 CC 23 C5 98 59 F1 86 john 9...

Page 1228: ...lays neighbor information only Command Mode Privileged EXEC mode User Guidelines If you do not enter an interface ID value the administrative and operational UDLD status for all interfaces on which UDLD is enabled are displayed Examples Example 1 This example shows how to display the UDLD state for all interfaces Most of the fields shown in the display are self explanatory Those that are not self ...

Page 1229: ...e 15 sec Neighbor Current State Undetermined Neighbor Expiration Time 17 sec Interface gi12 Port UDLD mode normal default Port Current state Undetermined Number of detected neighbors 1 Neighbor Device ID 1234567753 Neighbor MAC 00 00 01 22 33 fe Neighbor Device name switch A Neighbor Port ID gi1 2 1 Neighbor Message Time 15 sec Neighbor Current State Undetermined Neighbor Expiration Time 11 sec In...

Page 1230: ...or MAC The MAC address of the neighbor Neighbor Device name The Device name of the neighbor Neighbor Port ID The device port ID of the neighbor on which the recent UDLD message was sent Neighbor Message Time The message time of the neighbor Neighbor Current State The current state of the neighbor Bidirectional The UDLD messages received from the neighbor contain the Device ID and Port ID of the sw...

Page 1231: ... switch A Neighbor Port ID gi1 2 1 Neighbor Message Time 15 sec Neighbor Current State Undetermined Neighbor Expiration Time 17 sec Example 3 This example shows how to display neighbor information only switchxxxxxx show udld neighbors Port Device ID Port ID Device Name Message Neighbor Expiration Time sec State Time sec gi11 1234567893 gi1 0 1 SAL0734K5R2 15 Bidirect 11 gi12 3456750193 gi1 0 2 SAL...

Page 1232: ...port command in Interface Configuration mode to enable UDLD on other interface types Use the no form of this command to disable UDLD on all fiber ports The device supports the UDLD protocol specified by RFC 5171 UDLD supports two modes of operation normal and aggressive In the aggressive mode the device shuts down a port if it cannot explicitly detect that the link is bidirectional In the normal m...

Page 1233: ... normal 65 3 udld message time Use the udld message time command in Global Configuration mode to configure a global value of the interval between two sent probe messages To return to the default value use the no form of this command Syntax udld message time seconds no udld message time Parameters seconds Interval between two sent probe messages The valid values are from 1 to 90 seconds Default Con...

Page 1234: ...ax udld port aggressive normal disable no udld port Parameters aggressive Enables UDLD in aggressive mode on this interface normal Enables UDLD in normal mode on this interface The normal keyword is applied if no keyword is specified disable Disables UDLD on this interface Default Configuration The defaults are as follows Fiber interfaces are in the state configured by the udld command Non fiber i...

Page 1235: ...on an Ethernet port regardless of the current global udld setting switchxxxxxx config interface gi11 switchxxxxxx config if udld port normal switchxxxxxx config if exit Example 2 This example shows how to return to the default configuration switchxxxxxx config interface gi11 switchxxxxxx config if no udld port switchxxxxxx config if exit Example 3 This example shows how to disable UDLD on an Ether...

Page 1236: ...und sign for example You cannot use the delimiting character in the banner message message text The message must start in a new line You can enter multi line messages You can include tokens in the form of token in the message text Tokens are replaced with the corresponding configuration variable see User Guidelines The message can contain up to 1000 characters after every 510 characters press Ente...

Page 1237: ...utput is displayed Session activated Enter commands at the prompt 66 2 banner login To specify a message to be displayed before the username and password login prompts use the banner login command in Global Configuration mode This banner is applied automatically on all the user interfaces Console Telnet and SSH and also on the WEB GUI To delete the existing login banner use the no form of this com...

Page 1238: ...Default Configuration Disabled no Login banner is displayed Command Mode Global Configuration mode User Guidelines Follow this command with one or more blank spaces and a delimiting character of your choice Then enter one or more lines of text terminating the message with the second occurrence of the delimiting character Use tokens in the form of token in the message text to customize the banner T...

Page 1239: ...xxxxx config banner login Enter TEXT message End with the character You have entered hostname domain When the login banner is executed the user will see the following banner You have entered host123 ourdomain com 66 3 configure To enter the Global Configuration mode use the configure Privileged EXEC mode command Syntax configure terminal Parameters terminal Optional Enter the Global Configuration ...

Page 1240: ...mmand Syntax disable privilege level Parameters privilege level Optional Reduces the privilege level to the specified privileged level If privilege level is left blank the level is reduce to the minimal privilege level Default Configuration The default privilege level is 15 Command Mode Privileged EXEC mode Example The following example returns the user to user level 1 switchxxxxxx disable 1 switc...

Page 1241: ...l Configuration mode Example switchxxxxxx config do show vlan switchxxxxxx config 66 6 enable To enter the Privileged EXEC mode use the enable User EXEC mode command Vlan Name Ports Type Authorization 1 1 gi11 4 Po1 Po2 other Required 2 2 gi11 dynamicGvrp Required 10 v0010 gi11 permanent Not Required 11 V0011 gi11 gi13 permanent Required 20 20 gi11 permanent Required 30 30 gi11 gi13 permanent Requ...

Page 1242: ...e 1 7 15 Default Configuration The default privilege level is 15 Command Mode User EXEC mode Example The following example enters privilege level 7 switchxxxxxx enable 7 enter password switchxxxxxx Accepted The following example enters privilege level 15 switchxxxxxx enable enter password switchxxxxxx Accepted 66 7 end To end the current configuration session and return to the Privileged EXEC mode...

Page 1243: ...odes Example The following example ends the Global Configuration mode session and returns to the Privileged EXEC mode switchxxxxxx config end switchxxxxxx 66 8 exit Configuration To exit any mode and bring the user to the next higher mode in the CLI mode hierarchy use the exit command Syntax exit Parameters This command has no arguments or keywords Default Configuration None Command Mode All confi...

Page 1244: ...onfig if exit switchxxxxxx config exit 66 9 exit EXEC To close an active terminal session by logging off the device use the exit User EXEC mode command Syntax exit Parameters This command has no arguments or keywords Default Configuration None Command Mode User EXEC mode Example The following example closes an active terminal session switchxxxxxx exit 66 10 help To display a brief description of t...

Page 1245: ...t there is no command matching the input as it currently appears If the request is within a command press the Backspace key and erase the entered characters to a point where the request results in a match Help is provided when 1 There is a valid command and a help request is made for entering a parameter or argument e g show All possible parameters or arguments for the entered command are then dis...

Page 1246: ...m the next time that the user logs in via console telnet ssh The following are related commands Use the terminal history size User EXEC mode command to enable or disable this command for the current terminal session Use the history size Line Configuration Mode command to set the size of the command history buffer Example The following example enables the command for Telnet switchxxxxxx config line...

Page 1247: ...This command configures the command history buffer size for a particular line It is effective from the next time that the user logs in via console telnet ssh Use the terminal history size User EXEC mode command to configure the command history buffer size for the current terminal session The allocated command history buffer is per terminal user and is taken from a shared buffer If there is not eno...

Page 1248: ...n Parameters This command has no arguments or keywords Default Configuration None Command Mode User EXEC mode Example The following example enters Privileged EXEC mode and logs in with the required username bob switchxxxxxx login User Name bob Password switchxxxxxx 66 14 terminal datadump To enable dumping all the output of a show command without prompting use the terminal datadump User EXEC mode ...

Page 1249: ...he terminal datadump command enables dumping all output immediately after entering the show command by removing the pause The width is not limited and the width of the line being printed on the terminal is based on the terminal itself This command is relevant only for the current session Example The following example dumps all output immediately after entering a show command switchxxxxxx terminal ...

Page 1250: ...ult is determined by the history Line Configuration Mode command This command is effective immediately Example The following example disables the command history function for the current terminal session switchxxxxxx terminal no history 66 16 terminal history size To change the command history buffer size for the current terminal session meaning it will not be stored in the Running Configuration f...

Page 1251: ...er size for the current terminal session Use the history Line Configuration Mode command to change the default history buffer size The maximum number of commands in all buffers is 207 Example The following example sets the command history buffer size to 20 commands for the current terminal session switchxxxxxx terminal history size 20 66 17 terminal prompt To enable the terminal prompts use the te...

Page 1252: ...C mode command To return to the default use terminal no width The command is per session and will not be saved in the configuration database Syntax terminal width number of characters terminal no width Parameters number of characters Specifies the number of characters to be displayed for the echo output of the CLI commands and the configuration file 0 means endless number of characters on a screen...

Page 1253: ...er commands in User EXEC mode Syntax show banner login show banner exec Parameters This command has no arguments or keywords Command Mode User EXEC mode Examples switchxxxxxx show banner login Banner Login Line SSH Enabled Line Telnet Enabled Line Console Enabled switchxxxxxx show banner exec Banner EXEC Line SSH Enabled Line Telnet Enabled Line Console Enabled You have logged on ...

Page 1254: ...nd Mode User EXEC mode User Guidelines The buffer includes executed and unexecuted commands Commands are listed from the first to the most recent command The buffer remains unchanged when entering into and returning from configuration modes Example The following example displays all the commands entered while in the current Privileged EXEC mode switchxxxxxx show version SW version 3 131 date 23 Ju...

Page 1255: ...1 show privilege To display the current privilege level use the show privilege User EXEC mode command Syntax show privilege Parameters This command has no arguments or keywords Default Configuration None Command Mode User EXEC mode Example The following example displays the privilege level for the user logged on switchxxxxxx show privilege Current privilege level is 15 ...

Page 1256: ... used to create VLAN s and define the default VLAN Use the exit command to return to Global Configuration mode Syntax vlan database Parameters N A Default Configuration VLAN 1 exists by default Command Mode Global Configuration mode Example The following example enters the VLAN Configuration mode creates VLAN 1972 and exits VLAN Configuration mode switchxxxxxx config vlan database switchxxxxxx con...

Page 1257: ... Use a hyphen to designate a range of IDs range 2 4094 vlan id Specifies a VLAN ID range 2 4094 vlan name Specifies the VLAN name range 1 32 characters media Specifies the media type of the VLAN Valid values are ethernet state Specifies whether the state of the VLAN Valid values are active Default Configuration VLAN 1 exists by default Command Mode Global Configuration mode VLAN Database Configura...

Page 1258: ...N information Syntax show vlan tag vlan id name vlan name Parameters tag vlan id Specifies a VLAN ID name vlan name Specifies a VLAN name string length 1 32 characters Default Configuration All VLANs are displayed Command Mode Privileged EXEC mode Examples Example 1 The following example displays information for all VLANs switchxxxxxx show vlan Created by S Static G GVRP R Radius Assigned VLAN V V...

Page 1259: ...red Default Configuration N A Command Mode Global Configuration mode User Guidelines If the VLAN does not exist the VLAN is created If the VLAN cannot be created this command is finished with an error and the current context is not changed Example The following example configures VLAN 1 with IP address 131 108 1 27 and subnet mask 255 255 255 0 switchxxxxxx config interface vlan 1 switchxxxxxx con...

Page 1260: ...AN range context are executed independently on each VLAN in the range If the command returns an error on one of the VLANs an error message is displayed and the system attempts to configure the remaining VLANs Example The following example groups VLANs 221 through 228 and 889 to receive the same command s switchxxxxxx config interface range vlan 221 228 vlan 889 67 6 name Use the name Interface Con...

Page 1261: ...if name Marketing 67 7 switchport protected port Use the switchport protected port Interface Configuration mode command to isolate Unicast Multicast and Broadcast traffic at Layer 2 from other protected ports on the same switch Use the no form of this command to disable protection on the port Syntax switchport protected port no switchport protected port Parameters N A Default Configuration Unprote...

Page 1262: ...switchxxxxxx config if switchport protected port 67 8 show interfaces protected ports Use the show interfaces protected ports EXEC mode command to display protected ports configuration Syntax show interfaces protected ports interface id detailed Parameters interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel detailed Displays infor...

Page 1263: ...tchport Parameters N A Default Configuration Layer 2 mode Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines Use the no switchport command to set the interface as a Layer 3 interface An interface cannot be set as a Layer 3 interface if 802x 1 is enabled on the interface and one of the following conditions is true The host mode differs from multi host MAC Based or WEB B...

Page 1264: ...e command to configure the VLAN membership mode Use the no form of this command to restore the default configuration Syntax switchport mode access trunk general private vlan promiscuous host customer no switchport mode Parameters access Specifies an untagged layer 2 VLAN port trunk Specifies a trunking layer 2 VLAN port general Specifies a full 802 1q supported VLAN port customer Specifies that an...

Page 1265: ...be enabled if vlan mapping is allowed IPv4 routing IPv6 routing Auto Smart Port Voice VLAN IPv4 and IPv6 interfaces cannot be defined on VLANs containing edge interfaces The following Layer 2 features are not supported into VLANs containing edge interfaces IGMP Snooping MLD Snooping DHCP Snooping IPv6 First Hop Security Examples Example 1 The following example configures gi11 as an access port unt...

Page 1266: ...an id none no switchport access vlan Parameters vlan id Specifies the VLAN to which the port is configured none Specifies that the access port cannot belong to any VLAN Default Configuration The interface belongs to the Default VLAN Command Mode Interface Ethernet Port Channel Configuration mode User Guidelines When the port is assigned to a different VLAN it is automatically removed from its prev...

Page 1267: ...vlan list remove vlan list except vlan list no switchport trunk allowed vlan Parameters all Specifies all VLANs from 1 to 4094 At any time the port belongs to all VLANs existing at the time range 1 4094 none Specifies an empty VLAN list The port does not belong to any VLAN add vlan list List of VLAN IDs to add to the port Separate nonconsecutive VLAN IDs with a comma and no spaces Use a hyphen to ...

Page 1268: ...rt mode trunk switchxxxxxx config if switchport trunk allowed vlan add 2 3 100 switchxxxxxx config if exit 67 13 switchport trunk native vlan If an untagged packet arrives on a trunk port it is directed to the port s native VLAN Use the switchport trunk native vlan Interface Configuration mode command to define the native VLAN for a trunk interface Use the no form of this command to restore the de...

Page 1269: ...llowed vlan Interface Configuration mode command to add remove VLANs to from a general port and configure whether packets on the egress are tagged or untagged Use the no form of this command to reset to the default Syntax switchport general allowed vlan add vlan list tagged untagged switchport general allowed vlan remove vlan list no switchport general allowed vlan Parameters add vlan list List of...

Page 1270: ...s in the vlan list A non existed VLAN cannot be configured When a VLAN is removed it is deleted from the vlan list The configuration is applied only when the port mode is general Example The example adds gi11 and to VLAN 2 and 3 Packets are tagged on the egress switchxxxxxx config interface gi11 switchxxxxxx config if switchport general allowed vlan add 2 3 tagged 67 15 switchport general pvid Use...

Page 1271: ...nterface gi14 switchxxxxxx config if switchport mode general switchxxxxxx config if switchport general allowed vlan add 2 3 tagged switchxxxxxx config if switchport general allowed vlan add 100 untagged switchxxxxxx config if switchport general pvid 100 switchxxxxxx config if exit 67 16 switchport general ingress filtering disable Use the switchport general ingress filtering disable Interface Conf...

Page 1272: ...ble frame type The switchport general acceptable frame type Interface Configuration mode command configures the types of packets tagged untagged that are filtered discarded on the interface Use the no form of this command to return ingress filtering to the default Syntax switchport general acceptable frame type tagged only untagged only all no switchport general acceptable frame type Parameters ta...

Page 1273: ...en vlan Interface Configuration mode command to forbid adding removing specific VLANs to from a port Use the no form of this command to restore the default configuration Syntax switchport general forbidden vlan add vlan list remove vlan list no switchport general forbidden vlan Parameters add vlan list Specifies a list of VLAN IDs to add to interface Separate nonconsecutive VLAN IDs with a comma a...

Page 1274: ...e the switchport customer vlan Interface Configuration mode command to set the port s VLAN when the interface is in customer mode set by the switchport mode command Use the no form of this command to restore the default configuration Syntax switchport customer vlan vlan id no switchport customer vlan Parameters vlan id Specifies the customer VLAN Default Configuration No VLAN is configured as cust...

Page 1275: ...to delete a protocol from a group Syntax map protocol protocol encapsulation value protocols group group no map protocol protocol encapsulation Parameters protocol Specifies a 16 bit protocol number or one of the reserved names listed in the User Guidelines range 0x0600 0xFFFF encapsulation value Specifies one of the following values Ethernet rfc1042 llcOther protocols group group Specifies the gr...

Page 1276: ...Interface Configuration mode command to forward packets based on their protocol otherwise known as setting up a classifying rule This command forwards packets arriving on an interface containing a specific protocol to a specific VLAN Use the no form of this command to stop forwarding packets based on their protocol Syntax switchport general map protocols group group vlan vlan id no switchport gene...

Page 1277: ... rules Protocol based VLAN PVID Example The following example forwards packets with protocols belong to protocol group 1 to VLAN 8 switchxxxxxx config if switchport general map protocols group 1 vlan 8 67 22 show vlan protocols groups Use the show vlan protocols groups EXEC mode command to display the protocols that belong to the defined protocols groups Syntax show vlan protocols groups Parameter...

Page 1278: ...the mapping Syntax map mac mac address prefix mask host macs group group no map mac mac address prefix mask host Parameters mac address Specifies the MAC address to be mapped to the group of MAC addresses prefix mask Specifies the number of ones in the mask host Specifies that the mask is comprised of all 1s group Specifies the group number range 1 2147483647 Default Configuration N A Command Mode...

Page 1279: ...0000 32 macs group 1 switchxxxxxx config vlan map mac 0000 0000 2222 host macs group 2 switchxxxxxx config vlan exit switchxxxxxx config interface gi14 switchxxxxxx config if switchport mode general switchxxxxxx config if switchport general map macs group 1 vlan 2 switchxxxxxx config if switchport general map macs group 2 vlan 3 67 24 switchport general map macs group vlan Use the switchport gener...

Page 1280: ... map mac macs group command they can be mapped to specific VLANs Each MAC address host or range in the MAC based group assigned to an interface consumes a single TCAM entry Example The following example creates two groups of MAC addresses sets a port to general mode and maps the groups of MAC addresses to specific VLANs switchxxxxxx config vlan database switchxxxxxx config vlan map mac 0000 1111 0...

Page 1281: ...efault Configuration N A Command Mode User EXEC mode Example The following example displays defined MAC based classification rules switchxxxxxx show vlan macs groups MAC Address Mask Group ID 00 12 34 56 78 90 20 22 00 60 70 4c 73 ff 40 1 67 26 map subnet subnets group Use the map subnet subnets group VLAN Configuration mode command to map an IP subnet to a group of IP subnets Use the no form of t...

Page 1282: ...LANs Example The following example maps an IP subnet to the group of IP subnets 4 It then maps this group of IP subnets to VLAN 8 switchxxxxxx config vlan database switchxxxxxx config vlan map subnet 172 16 1 1 24 subnets group 4 switchxxxxxx config vlan switchport general map subnets group 4 vlan 8 67 27 switchport general map subnets group vlan Use the switchport general map subnets group vlan I...

Page 1283: ...es Subnet based VLAN Best match among the rules Protocol based VLAN PVID Example The following example maps an IP subnet to the group of IP subnets 4 It then maps this group of IP subnets to VLAN 8 switchxxxxxx config vlan database switchxxxxxx config vlan map subnet 172 16 1 1 24 subnets group 4 switchxxxxxx config vlan switchport general map subnets group 4 vlan 8 67 28 show vlan subnets groups ...

Page 1284: ...isplay the administrative and operational status of all interfaces or a specific interface Syntax show interfaces switchport interface id Parameters Interface id Specifies an interface ID The interface ID can be one of the following types Ethernet port or port channel Command Mode Privileged EXEC mode Default Displays the status of all interfaces User Guidelines Each port mode has its own private ...

Page 1285: ...ctive General PVID 1 General VLANs none General Egress Tagged VLANs none General Forbidden VLANs none General Ingress Filtering enabled General Acceptable Frame Type all General GVRP status Enabled General GVRP VLANs none Customer Mode VLAN none Private vlan promiscuous association primary VLAN none Private vlan promiscuous association Secondary VLANs none Private vlan host association primary VLA...

Page 1286: ...n primary community isolated no private vlan Parameters primary Designate the VLAN as a primary VLAN community Designate the VLAN as a community VLAN isolated Designate the VLAN as an isolated VLAN Default Configuration No private VLANs are configured Command Mode Interface VLAN Configuration mode User Guidelines The VLAN type cannot be changed if there is a private VLAN port that is a member in t...

Page 1287: ...an list List of VLAN IDs of type secondary to add to a primary VLAN Separate nonconsecutive VLAN IDs with a comma and no spaces Use a hyphen to designate a range of IDs This is the default action remove secondary vlan list List of VLAN IDs of type secondary to remove association from a primary VLAN Separate nonconsecutive VLAN IDs with a comma and no spaces Use a hyphen to designate a range of IDs...

Page 1288: ...vlan association add 20 22 24 67 32 switchport private vlan mapping Use the switchport private vlan mapping Interface Configuration mode command to configure the VLANs of the private VLAN promiscuous port Use the no form of this command to reset to default Syntax switchport private vlan mapping primary vlan id add remove secondary vlan list no switchport private vlan mapping Parameters primary vla...

Page 1289: ... Configuration mode command to configure the association of a host port with primary and secondary VLANs of the private VLAN Use the no form of this command to reset to default Syntax switchport private vlan host association primary vlan id secondary vlan id no switchport private vlan host association Parameters primary vlan id The VLAN ID of the primary VLAN secondary vlan id Specifies the second...

Page 1290: ...only to the primary VLAN and is not added to the secondary VLAN The PVID is set to the VLAN ID of the secondary VLAN The port ingress filtering is disabled Example The following example set port gi14 to secondary VLAN 20 in primary VLAN 10 switchxxxxxx config interface gi14 switchxxxxxx config if switchport private vlan host association 10 20 67 34 show vlan private vlan Use the show vlan private ...

Page 1291: ...s 150 primary gi11 150 151 isolated gi12 160 primary gi13 160 161 community gi14 switchxxxxxx show vlan private vlan 150 Primary Secondary Type Ports 150 primary gi11 150 151 isolated gi14 67 35 switchport access multicast tv vlan To assign a Multicast TV VLAN to an access port use the switchport access multicast tv vlan command in Interface Ethernet Port Channel Configuration mode To return to th...

Page 1292: ...iving on the access port by IGMP Snooping running on the Multicast TV VLAN use the ip igmp snooping map cpe vlan command A non existed VLAN can be assigned as a Multicast TV VLAN If the Multicast TV VLAN does not exist the show interfaces switchport command adds text Inactive after VLAN ID Example The following example enables gi14 to receive Multicast transmissions from VLAN 11 switchxxxxxx confi...

Page 1293: ...arriving on the customer port by IGMP Snooping running on the Multicast TV VLAN use the ip igmp snooping map cpe vlan command A non existed VLAN can be assigned as a Multicast TV VLAN If the Multicast TV VLAN does not exist the show interfaces switchport command adds text Inactive after VLAN ID Example The following example enables gi14 to receive Multicast transmissions from VLANs 5 6 7 switchxxx...

Page 1294: ...list Parameters none The Prohibit Internal Usage VLAN list is empty any VLAN can be used by the switch as internal except The Prohibit Internal Usage VLAN list includes all VLANs except the VLANs specified by the vlan list argument only the VLANs specified by the vlan list argument can be used by the switch as internal add Add the given VLANs to the Prohibit Internal Usage VLAN list remove Remove ...

Page 1295: ...D Use the vlan prohibit internal usage command to define a list of VLANs that cannot be used as internal VLANs after reload If a VLAN was chosen by the software for internal usage but you want to use that VLAN for a static or dynamic VLAN do one of the following Add the VLAN to the Prohibited User Reserved VLAN list Copy the Running Configuration file to the Startup Configuration file Reload the s...

Page 1296: ...an internal usage Use the show vlan internal usage Privileged EXEC mode command to display a list of VLANs used internally by the device defined by the user Syntax show vlan internal usage Parameters N A Default Configuration N A Command Mode Privileged EXEC mode Example The following example displays VLANs used internally by the switch show vlan internal usage User Reserved VLAN list after reset ...

Page 1297: ...Virtual Local Area Network VLAN Commands Cisco Sx350 Ph 2 2 5 Devices Command Line Interface Reference Guide 1296 67 4086 802 1x ...

Page 1298: ...to Optional Common and Auto Voice VLAN specific parameters are displayed interface id Optional Specifies an Ethernet port ID detailed Optional Displays information for non present ports in addition to present ports Default Configuration If the type parameter is omitted the current Voice VLAN type is used If the interface id parameter is omitted then information about all present interfaces is disp...

Page 1299: ... enabled switch show voice vlan type auto switchxxxxxx show voice vlan type auto Best Local Voice VLAN ID is 5 Best Local VPT is 5 default Best Local DSCP is 46 default Agreed Voice VLAN is received from switch 00 24 01 30 10 00 Agreed Voice VLAN priority is 0 active static source Agreed Voice VLAN ID is 5 Agreed VPT is 5 Agreed DSCP is 46 Agreed Voice VLAN Last Change is 11 Jul 11 15 52 51 switch...

Page 1300: ...sabled VSDP Authentication is disabled Example 4 Displays the current voice VLAN parameters when the administrative voice VLAN state is auto triggered and it has been triggered switchxxxxxx config voice vlan state auto triggered switchxxxxxx config voice vlan state auto triggered operational voice vlan state is auto admin state is auto triggered switchxxxxxx show voice vlan Administrate Voice VLAN...

Page 1301: ...AN state is disabled Best Local Voice VLAN ID is 5 Best Local VPT is 5 default Best Local DSCP is 46 default Aging timeout 1440 minutes Example 6 Displays the voice VLAN parameters when the voice VLAN operational state is OUI switch show voice vlan Administrate Voice VLAN state is oui enabled Operational Voice VLAN state is oui enabled Best Local Voice VLAN ID is 1 default Best Local VPT is 4 Best...

Page 1302: ...ys information about the auto voice VLAN local configuration including the best local voice VLAN Syntax show voice vlan local Parameters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Examples Example 1 A CDP device is connected to an interface and a conflict is detected 30 Apr 2011 00 39 24 VLAN W ConflictingCDPDetected conflict detected bet...

Page 1303: ...n the voice VLAN state is auto triggered switchxxxxxx show voice vlan local Administrate Voice VLAN state is auto triggered on IPv4 Operational Voice VLAN state is auto enabled VLAN ID VPT DSCP Source MAC Address Interface 1 5 46 default 100 CDP 00 23 56 1a dc 68 gi14 100 CDP 00 44 55 44 55 4d gi14 The character marks the best local voice VLAN Example 3 Displays the local voice VLAN configuration ...

Page 1304: ...rameters auto enabled Auto Voice VLAN is enabled auto triggered Auto Voice VLAN on the switch is in standby and is put into operation when the switch detects a CDP device advertising a voice VLAN or if a voice VLAN ID is configured manually on the switch ipv6 Auto VLAN is enabled on IPv6 mDNS oui enabled Voice VLAN is of type OUI disabled Voice VLAN is disabled Default Configuration auto triggered...

Page 1305: ...evice of the same family as the current device A Voice Service Discovery Protocol VSDP message was received from a neighbor switch VSDP is a Cisco Small Business proprietary protocol for SF and SG series managed switches In all other cases the operational state is disabled Notes To change the administrative state from oui enabled to auto enabled or auto triggered or vice versa you must first set t...

Page 1306: ... the Voice VLAN state All auto Smartport configuration on ports are removed switchxxxxxx config voice vlan state disabled All interfaces with Auto Smartport dynamic type will be set to default Are you sure you want to continue Y N Y Y switchxxxxxx config 30 Apr 2011 00 04 41 LINK W Down Vlan 5 30 Apr 2011 00 04 41 LINK W Down Vlan 8 30 Apr 2011 00 04 41 LINK W Down Vlan 9 30 Apr 2011 00 04 41 LINK...

Page 1307: ...vlan refresh To restart the Voice VLAN discovery process on all the Auto Voice VLAN enabled switches in the VLAN by removing all externally learned voice VLAN attributes and resetting the voice VLAN to the default voice VLAN use the voice vlan refresh Global Configuration mode command Syntax voice vlan refresh Parameters This command has no arguments or keywords Default Configuration None Command ...

Page 1308: ...is 5 default Best Local DSCP is 46 default Following is the new active source Agreed Voice VLAN is received from switch b0 c6 9a c1 da 00 Agreed Voice VLAN priority is 2 active CDP device Agreed Voice VLAN ID is 100 Agreed VPT is 5 Agreed DSCP is 46 Agreed Voice VLAN Last Change is 11 Apr 30 02 01 02 68 5 voice vlan id To statically configure the VLAN identifier of the voice VLAN use the voice vla...

Page 1309: ...ise the administrative voice VLAN as static voice VLAN which has higher priority than voice VLAN learnt from external sources Are you sure you want to continue Y N Y Y 30 Apr 2011 00 19 36 VLAN I VoiceVlanCreated Voice Vlan ID 35 was created switchxxxxxx config 30 Apr 2011 00 19 51 VLAN I ReceivedFromVSDP Voice VLAN updated by VSDP Voice VLAN ID 35 VPT 5 DSCP 46 68 6 voice vlan vpt To specify a va...

Page 1310: ...ty than voice VLAN learnt from external sources Are you sure you want to continue Y N Y Y 30 Apr 2011 00 24 52 VLAN W BestLocal Oper inconsistency detected VSDP voice VLAN configuration differs from best local Best local is Voice VLAN ID 104 VPT 5 DSCP 46 switchxxxxxx config 30 Apr 2011 00 25 07 VLAN I ReceivedFromVSDP Voice VLAN updated by VSDP Voice VLAN ID 104 VPT 7 DSCP 46 68 7 voice vlan dscp...

Page 1311: ...r inconsistency detected VSDP voice VLAN configuration differs from best local Best local is Voice VLAN ID 104 VPT 7 DSCP 46 switchxxxxxx config 30 Apr 2011 00 31 22 VLAN I ReceivedFromVSDP Voice VLAN updated by VSDP Voice VLAN ID 104 VPT 7 DSCP 63 68 8 voice vlan oui table To configure the voice OUI table use the voice vlan oui table Global Configuration mode command To restore the default config...

Page 1312: ...E In MAC addresses the first three bytes contain a manufacturer ID Organizationally Unique Identifiers OUI and the last three bytes contain a unique station ID Since the number of IP phone manufacturers that dominates the market is limited and well known the known OUI values are configured by default and OUIs can be added removed by the user when required Example The following example adds an entr...

Page 1313: ...packets with OUIs in the source MAC address See the User Guidelines of voice vlan oui table all QoS attributes are applied to packets that are classified to the Voice VLAN Default Configuration The default mode is src Command Mode Interface Configuration mode Example The following example applies QoS attributes to voice packets switchxxxxxx config if voice vlan cos mode all 68 10 voice vlan cos To...

Page 1314: ... default Command Mode Global Configuration mode Example The following example sets the OUI voice VLAN CoS to 7 and does not do remarking switchxxxxxx config voice vlan cos 7 68 11 voice vlan aging timeout To set the OUI Voice VLAN aging timeout interval use the voice vlan aging timeout Global Configuration mode command To restore the default configuration use the no form of this command Syntax voi...

Page 1315: ... enable To enable OUI voice VLAN configuration on an interface use the voice vlan enable Interface Configuration mode mode command To disable OUI voice VLAN configuration on an interface use the no form of this command Syntax voice vlan enable no voice vlan enable Parameters This command has no arguments or keywords Default Configuration Disabled Command Mode Interface Configuration mode User Guid...

Page 1316: ...s not have to be the voice VLAN it can be any VLAN The port joins the voice VLAN as a tagged port If the time since the last MAC address with a source MAC address OUI address was received on the interface exceeds the timeout limit configured by voice vlan aging timeout the interface is removed from the voice VLAN Example The following example enables OUI voice VLAN configuration on gi12 switchxxxx...

Page 1317: ...mand Syntax ip https certificate number no ip https certificate Parameters number Specifies the certificate number Range 1 2 Default Configuration The default certificate number is 1 Command Mode Global Configuration mode User Guidelines First use crypto certificate generate to generate one or two HTTPS certificates Then use this command to specify which is the active certificate Example The follo...

Page 1318: ...ber no ip http port Parameters port port number For use by the HTTP server Range 1 65534 Default Configuration The default port number is 80 Command Mode Global Configuration mode Example The following example configures the http port number as 100 switchxxxxxx config ip http port 100 69 3 ip http server To enable configuring and monitoring the device from a web browser use the ip http server Glob...

Page 1319: ...onfiguring the device from a web browser switchxxxxxx config ip http server 69 4 ip http secure server To enable the device to be configured or monitored securely from a browser use the ip http secure server Global Configuration mode command To disable this function use the no form of this command Syntax ip http secure server no ip http secure server Parameters This command has no arguments or key...

Page 1320: ...he ip http timeout policy Global Configuration mode command To return to the default value use the no form of this command Syntax ip http timeout policy idle seconds http only https only no ip http timeout policy Parameters idle seconds Specifies the maximum number of seconds that a connection is kept open if no data is received or response data cannot be sent out Range 0 86400 http only Optional ...

Page 1321: ...TP server configuration use the show ip http Privileged EXEC mode command Syntax show ip http Parameters This command has no arguments or keywords Command Mode Privileged EXEC mode Example The following example displays the HTTP server configuration switchxxxxxx show ip http HTTP server enabled Port 80 Interactive timeout 10 minutes 69 7 show ip https To display the HTTPS server configuration use ...

Page 1322: ...itchxxxxxx show ip https HTTPS server enabled Port 443 Interactive timeout Follows the HTTP interactive timeout 10 minutes Certificate 1 is active Issued by www verisign com Valid from 8 9 2003 to 8 9 2004 Subject CN router gm com 0 General Motors C US Finger print DC789788 DC88A988 127897BC BB789788 Certificate 2 is inactive Issued by self signed Valid from 8 9 2003 to 8 9 2004 Subject CN router ...

Page 1323: ...arks of Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands