Enterasys SecureStack C2 Configuration Manual Download Page 525

Page: 525 / 607

SecureStack C2 Configuration Guide

18-1

Security Configuration

This

chapter

describes

the

Security

Configuration

set

commands

and

how

use

them.

Overview of Security Methods

The

following

security

methods

are

available

for

controlling

which

users

are

allowed

access,

monitor,

and

manage

the

switch.

•

user

accounts

and

passwords

–

used

log

the

CLI

via

Telnet

connection

local

COM

port

connection.

For

details,

refer

•

Host

Access

Control

Authentication

(HACA)

–

authenticates

user

access

Telnet

management,

console

local

management

and

WebView

via

central

RADIUS

Client/Server

application.

When

RADIUS

enabled,

this

essentially

overrides

user

accounts.

When

HACA

active

per

valid

RADIUS

configuration,

the

user

names

and

passwords

used

access

the

switch

via

Telnet,

SSH,

WebView,

and

COM

ports

will

validated

against

the

configured

RADIUS

server.

Only

the

case

RADIUS

timeout

will

those

credentials

compared

against

credentials

locally

configured

the

switch.

For

details,

refer

•

SNMP

user

community

names

–

allows

access

the

SecureStack

switch

via

network

SNMP

management

application.

access

the

switch,

you

must

enter

SNMP

user

community

name

string.

The

level

management

access

dependent

the

associated

access

policy.

For

details,

refer

Chapter 6

•

802.1X

Port

Based

Network

Access

Control

using

EAPOL

(Extensible

Authentication

Protocol)

–

provides

mechanism

via

RADIUS

server

for

administrators

securely

For information about...

Refer to page...

Overview of Security Methods

18-1

Configuring RADIUS

18-3

Configuring 802.1X Authentication

18-9

Configuring MAC Authentication

18-19

Configuring Multiple Authentication Methods

18-30

Configuring VLAN Authorization (RFC 3580)

18-41

Configuring MAC Locking

18-46

Configuring Port Web Authentication (PWA)

18-57

Configuring Secure Shell (SSH)

18-68

Configuring Access Lists

18-70

Summary of Contents for SecureStack C2

Page 1: ...SecureStack C2 Stackable Switches Configuration Guide Firmware Version 5 1 xx P N 9033991 16 ...

Page 2: ......

Page 3: ...YS NETWORKS HAS BEEN ADVISED OF KNEW OF OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES Enterasys Networks Inc 50 Minuteman Road Andover MA 01810 2008 Enterasys Networks Inc All rights reserved Part Number 9033991 16 February 2008 ENTERASYS ENTERASYS NETWORKS ENTERASYS NETSIGHT WEBVIEW ENTERASYS SECURESTACK and any logos associated therewith are trademarks or registered trademarks of Enter...

Page 4: ...art including for reasons of error correction or interoperability except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law such rights are expressly excluded Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys applicable fee b Incorpor...

Page 5: ...eby agree to maintain complete books records and accounts showing i license fees due and paid and ii the use copying and deployment of the Program You also grant to Enterasys and its authorized representatives upon reasonable notice the right to audit and examine during Your normal business hours Your books records accounts and hardware devices upon which the Program may be deployed to verify comp...

Page 6: ...nforced to the maximum extent permissible Any such invalidity illegality or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction 14 TERMINATION Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement Upon any such termination You shall immediately cease ...

Page 7: ...Stack 2 3 Adding a New Unit to an Existing Stack 2 3 Creating a Virtual Switch Configuration 2 4 Considerations About Using Clear Config in a Stack 2 5 Issues Related to Mixed Type Stacks 2 5 Feature Support 2 5 Configuration 2 5 Stacking Configuration and Management Commands 2 6 Purpose 2 6 Commands 2 6 show switch 2 6 show switch switchtype 2 7 show switch stack ports 2 8 set switch 2 9 set swit...

Page 8: ...anner motd 3 20 show version 3 21 set system name 3 22 set system location 3 22 set system contact 3 23 set width 3 23 set length 3 24 show logout 3 24 set logout 3 25 show console 3 25 set console baud 3 26 Configuring Power over Ethernet PoE 3 27 Purpose 3 27 Commands 3 27 show inlinepower 3 27 set inlinepower threshold 3 28 set inlinepower trap 3 28 show port inlinepower 3 29 set port inlinepow...

Page 9: ...e 3 45 Commands 3 45 cls clear screen 3 45 exit 3 46 Resetting the Switch 3 46 Purpose 3 46 Commands 3 47 reset 3 47 clear config 3 48 Using and Configuring WebView 3 48 Purpose 3 48 Commands 3 49 show webview 3 49 set webview 3 49 show ssl 3 50 set ssl 3 50 Chapter 4 Discovery Protocol Configuration Configuring CDP 4 1 Purpose 4 1 Commands 4 1 show cdp 4 1 set cdp state 4 3 set cdp auth 4 3 set c...

Page 10: ... location info 4 26 set lldp port tx tlv 4 26 clear lldp 4 28 clear lldp port status 4 29 clear lldp port trap 4 29 clear lldp port med trap 4 29 clear lldp port location info 4 30 clear lldp port tx tlv 4 30 Chapter 5 Port Configuration Port Configuration Summary 5 1 C2H124 48 and C2H124 48P Switch Ports 5 1 C2G124 24 C2G124 48 and C2G124 48P Switch Ports 5 1 C2G134 24P Switch Ports 5 2 C2K122 24...

Page 11: ...Detection 5 19 Purpose 5 19 Commands 5 19 show port trap 5 19 set port trap 5 20 show linkflap 5 21 set linkflap globalstate 5 23 set linkflap portstate 5 24 set linkflap interval 5 24 set linkflap action 5 25 clear linkflap action 5 25 set linkflap threshold 5 26 set linkflap downtime 5 26 clear linkflap down 5 27 clear linkflap 5 27 Configuring Broadcast Suppression 5 28 Purpose 5 28 Commands 5 ...

Page 12: ...guration Summary 6 1 SNMPv1 and SNMPv2c 6 1 SNMPv3 6 2 About SNMP Security Models and Levels 6 2 Using SNMP Contexts to Access Specific MIBs 6 3 Configuration Considerations 6 3 Reviewing SNMP Statistics 6 3 Purpose 6 3 Commands 6 4 show snmp engineid 6 4 show snmp counters 6 5 Configuring SNMP Users Groups and Communities 6 7 Purpose 6 7 Commands 6 8 show snmp user 6 8 set snmp user 6 9 clear snm...

Page 13: ...mp notifyfilter 6 33 clear snmp notifyfilter 6 34 show snmp notifyprofile 6 34 set snmp notifyprofile 6 35 clear snmp notifyprofile 6 35 Creating a Basic SNMP Trap Configuration 6 36 Example 6 37 Chapter 7 Spanning Tree Configuration Spanning Tree Configuration Summary 7 1 Overview Single Rapid and Multiple Spanning Tree Protocols 7 1 Spanning Tree Features 7 2 Loop Protect 7 2 Configuring Spannin...

Page 14: ...spanguardtimeout 7 26 set spantree spanguardtimeout 7 26 clear spantree spanguardtimeout 7 27 show spantree spanguardlock 7 27 clear set spantree spanguardlock 7 28 show spantree spanguardtrapenable 7 28 set spantree spanguardtrapenable 7 29 clear spantree spanguardtrapenable 7 29 show spantree legacypathcost 7 30 set spantree legacypathcost 7 30 clear spantree legacypathcost 7 31 Configuring Span...

Page 15: ...nforwardingreason 7 50 Chapter 8 802 1Q VLAN Configuration VLAN Configuration Summary 8 1 Port String Syntax Used in the CLI 8 1 Creating a Secure Management VLAN 8 1 Viewing VLANs 8 2 Purpose 8 2 Command 8 3 show vlan 8 3 Creating and Naming Static VLANs 8 4 Purpose 8 4 Commands 8 4 set vlan 8 4 set vlan name 8 5 clear vlan 8 5 clear vlan name 8 6 Assigning Port VLAN IDs PVIDs and Ingress Filteri...

Page 16: ...ation Rules 9 5 Purpose 9 5 Commands 9 5 show policy rule 9 5 show policy capability 9 8 set policy rule 9 9 clear policy rule 9 12 clear policy all rules 9 13 Assigning Ports to Policy Profiles 9 14 Purpose 9 14 Commands 9 14 set policy port 9 14 clear policy port 9 15 Configuring Policy Class of Service CoS 9 15 Using Port Based or Policy Based CoS Settings 9 15 About Policy Based CoS Configurat...

Page 17: ...ing Port Traffic Rate Limiting 10 9 Purpose 10 9 Commands 10 10 show port ratelimit 10 10 set port ratelimit 10 11 clear port ratelimit 10 12 Chapter 11 IGMP Configuration IGMP Overview 11 1 About IP Multicast Group Management 11 1 About Multicasting 11 2 Configuring IGMP at Layer 2 11 2 Purpose 11 2 Commands 11 2 show igmpsnooping 11 2 set igmpsnooping adminmode 11 3 set igmpsnooping interfacemod...

Page 18: ...ogging application 12 6 set logging application 12 7 clear logging application 12 8 show logging local 12 9 set logging local 12 9 clear logging local 12 10 show logging buffer 12 10 Monitoring Network Events and Status 12 11 Purpose 12 11 Commands 12 11 history 12 11 show history 12 12 set history 12 12 ping 12 13 show users 12 13 disconnect 12 14 Managing Switch Network Addresses and Routes 12 1...

Page 19: ...MON Monitoring Group Functions 13 1 Statistics Group Commands 13 3 Purpose 13 3 Commands 13 3 show rmon stats 13 3 set rmon stats 13 4 clear rmon stats 13 4 History Group Commands 13 5 Purpose 13 5 Commands 13 5 show rmon history 13 5 set rmon history 13 6 clear rmon history 13 7 Alarm Group Commands 13 7 Purpose 13 7 Commands 13 7 show rmon alarm 13 7 set rmon alarm properties 13 9 set rmon alarm...

Page 20: ...statistics 14 10 clear dhcp server statistics 14 10 Configuring IP Address Pools 14 11 Manual Pool Configuration Considerations 14 11 Purpose 14 11 Commands 14 12 set dhcp pool 14 13 clear dhcp pool 14 13 set dhcp pool network 14 14 clear dhcp pool network 14 14 set dhcp pool hardware address 14 15 clear dhcp pool hardware address 14 15 set dhcp pool host 14 16 clear dhcp pool host 14 17 set dhcp ...

Page 21: ...icense advanced 15 3 show license 15 4 no license advanced 15 4 Chapter 16 IP Configuration Configuring Routing Interface Settings 16 1 Purpose 16 1 Commands 16 1 show interface 16 2 interface 16 2 show ip interface 16 4 ip address 16 5 show running config 16 6 no shutdown 16 6 no ip routing 16 7 Reviewing and Configuring the ARP Table 16 7 Purpose 16 7 Commands 16 7 show ip arp 16 8 arp 16 9 ip p...

Page 22: ...spf 17 12 1583compatibility 17 12 ip ospf enable 17 13 ip ospf areaid 17 13 ip ospf cost 17 14 ip ospf priority 17 14 timers spf 17 15 ip ospf retransmit interval 17 16 ip ospf transmit delay 17 16 ip ospf hello interval 17 17 ip ospf dead interval 17 17 ip ospf authentication key 17 18 ip ospf message digest key md5 17 19 distance ospf 17 19 area range 17 20 area stub 17 21 area default cost 17 2...

Page 23: ... enable 17 46 ip pimsm query interval 17 47 show ip pimsm 17 47 show ip pimsm componenttable 17 48 show ip pimsm interface 17 49 show ip pimsm neighbor 17 51 show ip pimsm rp 17 51 show ip pimsm rphash 17 53 show ip pimsm staticrp 17 53 Chapter 18 Security Configuration Overview of Security Methods 18 1 RADIUS Filter ID Attribute and Dynamic Policy Profile Assignment 18 2 Configuring RADIUS 18 3 P...

Page 24: ...entication significant bits 18 29 Configuring Multiple Authentication Methods 18 30 About Multiple Authentication Types 18 30 Configuring Multi User Authentication User IP phone 18 30 Commands 18 31 show multiauth 18 31 set multiauth mode 18 32 clear multiauth mode 18 32 set multiauth precedence 18 33 clear multiauth precedence 18 34 show multiauth port 18 34 set multiauth port 18 35 clear multiau...

Page 25: ...pwa displaylogo 18 61 set pwa ipaddress 18 62 set pwa protocol 18 62 set pwa guestname 18 63 clear pwa guestname 18 63 set pwa guestpassword 18 64 set pwa gueststatus 18 64 set pwa initialize 18 65 set pwa quietperiod 18 65 set pwa maxrequest 18 66 set pwa portcontrol 18 66 show pwa session 18 67 set pwa enhancedmode 18 68 Configuring Secure Shell SSH 18 68 Purpose 18 68 Commands 18 68 show ssh st...

Page 26: ...ls 5 36 6 1 SNMP Security Levels 6 2 6 2 show snmp engineid Output Details 6 4 6 3 show snmp counters Output Details 6 6 6 4 show snmp user Output Details 6 9 6 5 show snmp group Output Details 6 11 6 6 show snmp access Output Details 6 16 6 7 show snmp view Output Details 6 20 6 8 show snmp targetparams Output Details 6 23 6 9 show snmp targetaddr Output Details 6 26 6 10 show snmp notify Output ...

Page 27: ... links Output Details 17 30 17 7 show ip pimsm Output Detail 17 48 17 8 show ip pimsm componenettable Output Detail 17 49 17 9 show ip pimsm interface vlan Output Details 17 50 17 10 show ip pimsm interface stats Output Detail 17 50 17 11 show ip pimsm neighbor Output Detail 17 51 17 12 show ip pimsm rp Output Detail 17 52 17 13 show ip pimsm staticrp Output Details 17 54 18 1 show radius Output D...

Page 28: ...xxvi ...

Page 29: ...802 1X and RADIUS SSHv2 MAC locking and MAC authentication Configure access control lists ACLs Structure of This Guide The guide is organized as follows Chapter 1 Introduction provides an overview of the tasks that can be accomplished using the CLI interface an overview of local management requirements an overview of the device s factory default settings and information about using the Command Lin...

Page 30: ...that only ports activated for a profile will be allowed to transmit frames accordingly Chapter 10 Port Priority and Rate Limiting Configuration describes how to set the transmit priority of each port and configure a rate limit for a given port and list of priorities Chapter 11 IGMP Configuration describes how to configure Internet Group Management Protocol IGMP settings for multicast filtering Cha...

Page 31: ...es Courier font Used for examples of information displayed on the screen Courier font in italics Indicates a user supplied value either required or optional Square brackets indicate an optional value Braces indicate required values One or more values may be required A vertical bar indicates a choice in values x y z Square brackets with a vertical bar indicate a choice of a value x y z Braces with ...

Page 32: ...network environment for example layout cable type Network load and frame size at the time of trouble if known The switch history for example have you returned the switch before is this a recurring problem Any previous Return Material Authorization RMA numbers World Wide Web http www enterasys com support Phone 1 800 872 8440 toll free in U S and Canada or 1 978 684 1000 For the Enterasys Networks ...

Page 33: ...ge Assign IP address and subnet mask Select a default gateway Establish and manage Virtual Local Area Networks VLANs Establish and manage policy profiles and classifications Establish and manage priority classification Configure IPv4 routing and routing protocols including RIP versions 1 and 2 OSPF DVMRP IRDP and VRRP Configure IPv6 routing and routing protocols including OSPFv3 Configure security...

Page 34: ...on code Set to 00 00 00 00 00 00 00 00 CDP hold time Set to 180 seconds CDP interval Transmit frequency of CDP messages set to 60 seconds Cisco discovery protocol Auto enabled on all ports Cisco DP hold time Set to 180 seconds Cisco DP interval timer Set to 60 seconds Community name Public Console serial port required settings Baud rate 9600 Data bits 8 Flow control disabled Stop bits 1 Parity non...

Page 35: ...checked for duplication Policy classification Classification rules are automatically enabled when created Port auto negotiation Enabled on all ports Port advertised ability Maximum ability advertised on all ports Port broadcast suppression Enabled and set to limit broadcast packets to 14 881 per second on all switch ports Port duplex mode Set to half duplex except for 100BASE FX and 1000BASE X whi...

Page 36: ... medium priority Spanning Tree priority Bridge priority is set to 32768 Spanning Tree topology change trap suppression Enabled Spanning Tree version Set to mstp Multiple Spanning Tree Protocol SSH Disabled System baud rate Set to 9600 baud System contact Set to empty string System location Set to empty string System name Set to empty string Terminal CLI display set to 80 columns and 24 rows Timeou...

Page 37: ...n all interfaces When enabled maximum advertisement interval is set to 600 seconds minimum advertisement interval is set to 450 seconds holdtime is set to 1800 seconds and address preference is set to 0 MD5 authentication OSPF Disabled with no password set MTU size Set to 1500 bytes on all interfaces OSPF Disabled OSPF cost Set to 10 for all interfaces OSPF network None configured OSPF priority Se...

Page 38: ...elnet Once the SecureStack C2 device has a valid IP address you can establish a Telnet session from any TCP IP based node on the network For information about setting the switch s IP address refer to set ip address on page 3 9 Telnet Enabled Telnet port IP Set to port number 23 Timers OSPF SPF delay set to 5 seconds SPF holdtime set to 10 seconds Transmit delay OSPF Set to 1 second VRRP Disabled T...

Page 39: ...gs refer to Setting User Accounts and Passwords on page 3 1 Using a Default User Account If this is the first time you are logging in to the SecureStack C2 switch or if the default user accounts have not been administratively changed proceed as follows 1 At the login prompt enter one of the following default user names ro for Read Only access rw for Read Write access admin for Super User access 2 ...

Page 40: ...ith Read Only access will only be permitted to view Read Only show commands Users with Read Write access will be able to modify all modifiable parameters in set and show commands as well as view Read Only commands Administrators or Super Users will be allowed all Read Write and Read Only privileges and will be able to modify local user accounts The SecureStack C2 switch indicates which mode a user...

Page 41: ... Figure 1 5 shows how the show mac command indicates that output continues on more than one screen Figure 1 5 Scrolling Screen Output Abbreviating and Completing Commands The SecureStack C2 switch allows you to abbreviate CLI commands and keywords down to the number of characters that will allow for a unique abbreviation Figure 1 6 shows how to abbreviate the show netstat command to sh net C2 rw c...

Page 42: ...0 123 Table 1 2 Basic Line Editing Commands Key Sequence Command Ctrl A Move cursor to beginning of line Ctrl B Move cursor back one character Ctrl D Delete a character Ctrl E Move cursor to end of line Ctrl F Move cursor forward one character Ctrl H Delete character to left of cursor Ctrl I or TAB Complete word Ctrl K Delete all characters after cursor Ctrl N Scroll to next command in command his...

Page 43: ...ed as described in the SecureStack C2 Installation Guides the following occurs during initialization The switch that will manage the stack is automatically established This is known as the manager switch All other switches are established as members in the stack The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions...

Page 44: ...Use the following procedure for installing a new stack of up to eight units out of the box 1 Before applying power make all physical connections with the stack cables as described in the SecureStack C2 Installation Guides 2 Once all of the stack cables have been connected individually power on each unit from top to bottom 3 Optional If desired change the management unit using the set switch movema...

Page 45: ...in set switch on page 2 9 then 2 Clear the original unit number using the clear switch member command 7 Repeat Step 6 until all members have been renumbered in the order you desire 8 After the stack has been reconfigured you can use the show switch unit command show switch on page 2 6 to physically confirm the identity of each unit When you enter the command with a unit number the MGR LED of the s...

Page 46: ...the stack The first port on that virtual switch is then associated with VLAN 555 C2 su show switch switchtype Mgmt Code SID Switch Model ID Pref Version 1 C2G124 24 1 0xa08245 2 C2K122 24 1 0xa08245 3 C2G124 48 1 0xa08245 4 C2G124 48P 1 0xa08245 5 C2H124 48 1 0xa08245 6 C2H124 48P 1 0xa08245 7 C2G134 24P 1 0xa08245 8 C2G170 24 1 0xa08245 9 C3G124 24P 1 0xa08245 10 C3G124 48P 1 0xa08245 11 C3G124 4...

Page 47: ...lection will leave stacking priorities on all other units Issues Related to Mixed Type Stacks Feature Support Because the SecureStack C2 and C3 switches have different hardware architectures the functionality supported by the two switch types is different When the two types of switches are mixed in a stack the functionality supported will be the lowest common denominator of features supported on a...

Page 48: ... been configured you can use this command to physically confirm the identity of each unit When you enter the command with a unit number the MGR LED of the specified switch will blink for 10 seconds The normal state of this LED is off for member units and steady green for the manager unit For information about Refer to page show switch 2 6 show switch switchtype 2 7 show switch stack ports 2 8 set ...

Page 49: ... Management Status Management Switch Hardware Management Preference Unassigned Admin Management Preference Unassigned Switch Type C2G124 24 Preconfigured Model Identifier C2G124 24 Plugged in Model Identifier C2G124 24 Switch Status OK Switch Description Enterasys Networks Inc C2 Model C2G124 24 Detected Code Version 05 1 xx Detected Code in Flash 03 01 20 Detected Code in Back Image 02 01 37 Up T...

Page 50: ...1 0xa08245 This example shows how to display switch type information about SID1 C2 ro show switch switchtype 1 Switch Type 0x56950200 Model Identifier C2G124 24 Switch Description Enterasys Networks Inc C2 Model C2G124 24 Management Preference 1 Expected Code Version 0xa08245 Supported Cards Slot 0 Card Index CID 1 Model Identifier C2G124 24 show switch stack ports Use this command to display vari...

Page 51: ...agement switch fails or to change the switch unit ID for a switch in the stack Syntax set switch unit priority value renumber newunit Parameters Defaults None Mode Switch command read write Examples This example shows how to assign priority 3 to switch 5 C2 su set switch 5 priority 3 This example shows how to renumber switch 5 to switch 7 C2 su set switch 5 renumber 7 unit Specifies a unit number ...

Page 52: ...file to all switches in the stack C2 su set switch copy fw Are you sure you want to copy firmware y n y Code transfer completed successfully set switch description Use this command to assign a name to a switch in the stack Syntax set switch description unit description Parameters Defaults None Mode Switch command read write Example This example shows how to assign the name FirstUnit to switch unit...

Page 53: ...tack management y n y set switch member Use this command to add a virtual member to a stack This allows you to preconfigure a switch before the physical device is actually added to the stack Syntax set switch member unit switch id Parameters Defaults None Mode Switch command read write Usage Refer to Creating a Virtual Switch Configuration on page 2 4 for more information about how to add a virtua...

Page 54: ... C2 su set switch member 1 1 clear switch member Use this command to remove a member entry from the stack Syntax clear switch member unit Parameters Defaults None Mode Switch command read write Example This example shows how to remove the switch 5 entry from the stack C2 su clear switch member 5 unit Specifies the unit number of the switch ...

Page 55: ... to configure user accounts and passwords are listed below For information about Refer to page Setting User Accounts and Passwords 3 1 Setting Basic Switch Properties 3 8 Configuring Power over Ethernet PoE 3 27 Downloading a New Firmware Image 3 30 Reviewing and Selecting a Boot Firmware Image 3 32 Starting and Configuring Telnet 3 34 Managing Switch Configuration and Files 3 36 Clearing and Clos...

Page 56: ... the command output set system password aging 3 5 set system password history 3 6 show system lockout 3 6 set system lockout 3 7 For information about Refer to page Table 3 1 show system login Output Details Output What It Displays Password history size Number of previously used user login passwords that will be checked for duplication when the set password command is executed Configured with set ...

Page 57: ...login name netops with super user access privileges C2 su set system login netops super user enable clear system login Use this command to remove a local login user account Syntax clear system login username Parameters Defaults None username Specifies a login name for a new or existing user This string can be a maximum of 80 characters although a maximum of 16 characters is recommended for proper ...

Page 58: ...er Users Admin can change any password on the system Examples This example shows how a super user would change the Read Write password from the system default blank string C2 su set password rw Please enter new password Please re enter new password Password changed C2 su username Only available to users with super user access Specifies a system default or a user configured login account name By de...

Page 59: ...d super user Example This example shows how to set the minimum system password length to 8 characters C2 su set system password length 8 set system password aging Use this command to set the number of days user passwords will remain valid before aging out or to disable user account password aging Syntax set system password aging days disable Parameters Defaults None Mode Switch command super user ...

Page 60: ...he system with the set password command Syntax set system password history size Parameters Defaults None Mode Switch command super user Example This example shows how to configure the system to check the last 10 passwords for duplication C2 su set system password history 10 show system lockout Use this command to display settings for locking out users after failed attempts to log in to the system ...

Page 61: ...uper user with the set system login command page 3 3 Syntax set system lockout attempts attempts time time Parameters Defaults None Mode Switch command super user Example This example shows how to set login attempts to 5 and lockout time to 30 minutes C2 su set system lockout attempts 5 time 30 Table 3 1 show system lockout Output Details Output What It Displays Lockout attempts Number of failed l...

Page 62: ...dress 3 10 show ip protocol 3 10 set ip protocol 3 11 show system 3 11 show system hardware 3 12 show system utilization 3 13 set system enhancedbuffermode 3 14 show time 3 15 set time 3 15 show summertime 3 16 set summertime 3 16 set summertime date 3 17 set summertime recurring 3 17 clear summertime 3 18 set prompt 3 19 show banner motd 3 19 set banner motd 3 20 clear banner motd 3 20 show versi...

Page 63: ...et mask and default gateway Syntax set ip address ip address mask ip mask gateway ip gateway Parameters Defaults If not specified ip mask will be set to the natural mask of the ip address and ip gateway will be set to the ip address show console 3 25 set console baud 3 26 For information about Refer to page ip address Sets the IP address for the system For SecureStack C2 systems this is the IP add...

Page 64: ...28 0 gateway 10 1 10 1 clear ip address Use this command to clear the system IP address Syntax clear ip address Parameters None Defaults None Mode Switch command read write Example This example shows how to clear the system IP address C2 rw clear ip address show ip protocol Use this command to display the method used to acquire a network IP address for switch management Syntax show ip protocol Par...

Page 65: ...faults None Mode Switch command read write Example This example shows how to set the method used to acquire a network IP address to DHCP C2 su set ip protocol dhcp show system Use this command to display system information including contact information power and fan tray status and uptime Syntax show system Parameters None Defaults None Mode Switch command read only bootp Selects BOOTP as the prot...

Page 66: ... It Displays System contact Contact person for the system Default of a blank string can be changed with the set system contact command set system contact on page 3 23 System location Where the system is located Default of a blank string can be changed with the set system location command set system location on page 3 22 System name Name identifying the system Default of a blank string can be chang...

Page 67: ...Hardware Version BCM56504 REV 19 FirmWare Version 5 1 xx Boot Code Version 01 00 17 show system utilization Use this command to display detailed information about the processor running on the switch or the overall memory usage of the Flash and SDRAM storage devices on the unit or the processes running on the switch Syntax show system utilization cpu storage process Parameters Defaults None Mode Sw...

Page 68: ...m Only partial output is shown C2 ro show system utilization process TID Name 5Sec 1Min 5Min 8d45148 captureTask 0 00 0 00 0 00 8e264f8 poe_monitor 0 00 0 01 0 05 8ea6d38 poe_read 0 80 0 22 0 20 8eb7140 vlanDynEg 0 00 0 00 0 00 8f0be10 tcdpSendTask 0 00 0 00 0 00 8f1c0e8 tcdpTask 0 00 0 00 0 00 set system enhancedbuffermode Use this command to enable or disable enhanced buffer mode which optimizes...

Page 69: ... Syntax show time Parameters None Defaults None Mode Switch command read only Example This example shows how to display the current time The output shows the day of the week month day and the time of day in hours minutes and seconds and the year C2 su show time THU SEP 05 09 21 57 2002 set time Use this command to change the time of day on the system clock Syntax set time mm dd yyyy hh mm ss Param...

Page 70: ...su show summertime Summertime is disabled and set to Start SUN APR 04 02 00 00 2004 End SUN OCT 31 02 00 00 2004 Offset 60 minutes 1 hours 0 minutes Recurring yes starting at 2 00 of the first Sunday of April and ending at 2 00 of the last Sunday of October set summertime Use this command to enable or disable the daylight savings time function Syntax set summertime enable disable zone Parameters D...

Page 71: ... 00 October 31 2004 02 00 60 set summertime recurring Use this command to configure recurring daylight savings time settings These settings will start and stop daylight savings time at the specified day of the month and hour each year and will not have to be reset annually start_month Specifies the month of the year to start daylight savings time start_date Specifies the day of the month to start ...

Page 72: ... daylight savings time configuration Syntax clear summertime Parameters None Defaults None Mode Switch command read write start_week Specifies the week of the month to restart daylight savings time Valid values are first second third fourth and last start_day Specifies the day of the week to restart daylight savings time start_hr_min Specifies the time of day to restart daylight savings time Forma...

Page 73: ...mmand read write Example This example shows how to set the command prompt to Switch 1 C2 su set prompt Switch 1 Switch 1 su show banner motd Use this command to show the banner message of the day that will display at session login Syntax show banner motd Parameters None Defaults None Mode Switch command read only prompt_string Specifies a text string for the command prompt Note A prompt string con...

Page 74: ...shows how to set the message of the day banner to read O Knights of Ni you are just and fair and we will return with a shrubbery King Arthur C2 rw set banner motd O Knights of Ni you are just and n fair and we will return with a shrubbery n t King Arthur clear banner motd Use this command to clear the banner message of the day displayed at session login to a blank string Syntax clear banner motd P...

Page 75: ...lay version information Please note that you may see different information displayed depending on the type of hardware C2 su show version Copyright c 2007 by Enterasys Networks Inc Model Serial Versions C2G124 48P 001188021035 Hw BCM5665 REV 17 Bp 01 00 29 Fw 5 1 xx BuFw 03 01 13 PoE 500_3 Table 3 3 provides an explanation of the command output Table 3 3 show version Output Details Output What It ...

Page 76: ...he system Syntax set system location string Parameters Defaults If string is not specified the location name will be cleared Mode Switch command read write Example This example shows how to set the system location string C2 su set system location Bldg N32 04 Closet 9 string Optional Specifies a text string that identifies the system Note A name string containing a space in the text must be enclose...

Page 77: ...minal connected to the switch s console port Syntax set width screenwidth default Parameters Defaults None Mode Switch command read write Usage The number of rows of CLI output displayed is set using the set length command as described in set length on page 3 24 string Optional Specifies a text string that contains the name of the person to contact for system administration Note A contact string c...

Page 78: ...xample shows how to set the terminal length to 50 C2 su set length 50 show logout Use this command to display the time in seconds an idle console or Telnet CLI session will remain connected before timing out Syntax show logout Parameters None Defaults None Mode Switch command read only Example This example shows how to display the CLI logout setting screenlength Sets the number of lines in the CLI...

Page 79: ...tes C2 su set logout 10 show console Use this command to display console settings Syntax show console baud bits flowcontrol parity stopbits Parameters Defaults If no parameters are specified all settings will be displayed Mode Switch command read only timeout Sets the number of minutes the system will remain idle before timing out baud Optional Displays the input output baud rate bits Optional Dis...

Page 80: ... none set console baud Use this command to set the console port baud rate Syntax set console baud rate Parameters Defaults None Mode Switch command read write Example This example shows how to set the console port baud rate to 19200 C2 su set console baud 19200 rate Sets the console baud rate Valid values are 300 600 1200 2400 4800 5760 9600 14400 19200 38400 and 115200 ...

Page 81: ...s used to review and set PoE port parameters are listed below show inlinepower Use this command to display switch PoE properties Syntax show inlinepower Parameters None Defaults None Mode Switch command read only Important Notice This section applies only to PoE equipped SecureStack C2 devices Consult the Installation Guide shipped with your product to determine if it is PoE equipped For informati...

Page 82: ... threshold Use this command to set the PoE usage threshold on a specified unit or module Syntax set inlinepower threshold usage threshold unit number Parameters Defaults None Mode Switch command read write Example This example shows how to set the PoE threshold to 50 on module unit 1 C2 su set inlinepower threshold 50 1 set inlinepower trap Use this command to enable or disable the sending of an S...

Page 83: ...read only Example This example shows how to display PoE information for port ge 2 1 In this case the port s administrative state PoE priority and class have not been changed from default values C2 su show port inlinepower ge 2 1 Port Type Admin Oper Priority Class Power W ge 2 1 wireless auto searching low 0 360 set port inlinepower Use this command to configure PoE parameters on one or more ports...

Page 84: ... port to the switch It should be used in cases when you cannot connect the switch to perform the in band copy download procedure via TFTP Serial console download has been successfully tested with the following applications HyperTerminal Copyright 1999 Tera Term Pro Version 2 3 Any other terminal applications may work but are not explicitly supported The C2 switch allows you to download and store d...

Page 85: ...9 2005 Options available 1 Start operational code 2 Change baud rate 3 Retrieve event log using XMODEM 64KB 4 Load new operational code using XMODEM 5 Display operational code vital product data 6 Run Flash Diagnostics 7 Update Boot Code 8 Delete operational code 9 Reset the system 10 Restore Configuration to factory defaults delete config files 11 Set new Boot Code password Boot Menu 2 3 Type 2 T...

Page 86: ...trings Length 0x0028 Ident Strings C2G124 24 C2G124 48 C2H124 48 C2K124_24 Image Version Length 0x7 Image Version Bytes 0x30 0x2e 0x35 0x2e 0x30 0x2e 0x34 0 5 0 4 7 From the boot menu options screen type 2 to display the baud rate selection screen again 8 Type 4 set the switch baud rate to 9600 The following message displays Setting baud rate to 9600 you must change your terminal baud rate 9 Set t...

Page 87: ...faults None Mode Switch command read only Example This example shows how to display the switch s boot firmware image C2 su show boot system Current system image to boot bootfile set boot system Use this command to set the firmware image the switch loads at startup Syntax set boot system filename Parameters Defaults None Mode Switch command read write For information about Refer to page show boot s...

Page 88: ... session to run simultaneously Commands The commands used to enable start and configure Telnet are listed below show telnet Use this command to display the status of Telnet on the switch Syntax show telnet Parameters None Defaults None Mode Switch command read only Example This example shows how to display Telnet status C2 su show telnet Telnet inbound is currently ENABLED Telnet outbound is curre...

Page 89: ...nnection to a remote host The SecureStack C2 switch allows a total of four inbound and or outbound Telnet session to run simultaneously Syntax telnet host port Parameters Defaults If not specified the default port number 23 will be used Mode Switch command read write Example This example shows how to start a Telnet session to a host at 10 21 42 13 C2 su telnet 10 21 42 13 enable disable Enables or...

Page 90: ...t to return After the prompt returns the configuration will be persistent You can change the persistence mode from auto to manual with the set snmp persistmode command If the persistence mode is set to manual configuration commands will not be automatically written to NVRAM Although the configuration commands will actively modify the running configuration they will not persist across a reset unles...

Page 91: ...configuration persistence mode setting In this case persistence mode is set to manual which means configuration changes are not being automatically saved C2 su show snmp persistmode persistmode is manual set snmp persistmode Use this command to set the configuration persistence mode which determines whether user defined configuration changes are saved automatically or require issuing the save conf...

Page 92: ...he configuration to all switch members in a stack Syntax save config Parameters None Defaults None Mode Switch command read write Example This example shows how to save the running configuration C2 su save config dir Use this command to list configuration and image files stored in the file system Syntax dir filename Parameters Defaults If filename is not specified all files in the system will be d...

Page 93: ...124 48P C2H124 48P C2K122 24 C2G134 24P Filename C2 image_02 61 30 Active Boot Version 5 1 xx Size 6883328 bytes Date Tue Apr 5 16 41 50 2005 CheckSum 37cb8761e1761a7a0e24c33e88138d5a Compatibility C2G124 24 C2G124 48 C2H124 48 C2G124 48P C2H124 48P C2K122 24 C2G134 24P Files Size configs Monday cfg 17509 admin1 cfg 3173 logs current log 162833 show file Use this command to display the contents of...

Page 94: ... this command to display the system configuration or write the configuration to a file Syntax show config all facility outfile configs filename Parameters Defaults By default show config will display all non default configuration information for all facilities Mode Switch command read only Usage The separate facilities that can be displayed by this command are identified in the display of the curr...

Page 95: ...nfiguration file stored on the switch Syntax configure filename append Parameters Defaults If append is not specified the current running configuration will be replaced with the contents of the configuration file which will require an automated reset of the chassis Mode Switch command read write Example This example shows how to execute the Jan1_2004 cfg configuration file C2 su configure configs ...

Page 96: ...fg delete Use this command to remove an image or a CLI configuration file from the switch Syntax delete filename Parameters Defaults None Mode Switch command read write Usage Use the dir command page 3 38 to display current image and configuration file names source Specifies location and name of the source file to copy Options are a local file path in the configs directory or the URL of a TFTP ser...

Page 97: ...meout value can be set with the set tftp timeout command The TFTP retry value can be set with the set tftp retry command Example This example shows the output of this command C2 ro show tftp settings TFTP packet timeout seconds 2 TFTP max retry 5 set tftp timeout Use this command to configure how long TFTP will wait for a reply of either an acknowledgement packet or a data packet during a data tra...

Page 98: ...one Defaults None Mode Switch command read write Example This example shows how to clear the timeout value to the default of 2 seconds C2 rw clear tftp timeout set tftp retry Use this command to configure how many times TFTP will resend a packet either an acknowledgement packet or a data packet Syntax set tftp retry retry Parameters Defaults None Mode Switch command read write retry Specifies the ...

Page 99: ...efaults None Mode Switch command read write Example This example shows how to clear the retry value to the default of 5 retries C2 rw clear tftp retry Clearing and Closing the CLI Purpose To clear the CLI screen or to close your CLI session Commands The commands used to clear and close the CLI session are listed below cls clear screen Use this command to clear the screen for the current CLI sessio...

Page 100: ...x exit Parameters None Defaults None Mode Switch command read only Usage By default switch timeout occurs after 15 minutes of user inactivity automatically closing your CLI session Use the set logout command page 3 25 to change this default Example This example shows how to exit a CLI session C2 su exit Resetting the Switch Purpose To reset one or more switches and to clear the user defined config...

Page 101: ...panel For information on how to do this refer to the SecureStack C2 Installation Guide shipped with your switch Examples This example shows how to reset the system C2 su reset Are you sure you want to reload the stack y n y Saving Configuration to stacking members Reloading all switches This example shows how to reset unit 1 C2 su reset 1 Are you sure you want to reload the switch y n y Reloading ...

Page 102: ...clear config all when it is necessary to clear all configuration parameters including stack unit IDs if applicable and switch priority values Use the clear ip address command to clear the IP address Configuration parameters and stacking information can also be cleared on the master unit only by selecting option 10 restore configuration to factory defaults from the boot menu on switch startup This ...

Page 103: ...tps 172 16 2 10 Commands show webview Use this command to display WebView status Syntax show webview Parameters None Defaults None Mode Switch command read only Example This example shows how to display WebView status C2 rw show webview WebView is Enabled set webview Use this command to enable or disable WebView on the switch Syntax set webview enable disable Parameters For information about Refer...

Page 104: ... on the switch C2 rw set webview disable show ssl Use this command to display SSL status Syntax show ssl Parameters None Defaults None Mode Switch command read only Example This example shows how to display SSL status C2 rw show ssl SSL status Enabled set ssl Use this command to enable or disable the use of WebView over SSL port 443 By default SSL is disabled on the switch This command can also be...

Page 105: ...h command read write Example This example shows how to enable SSL C2 rw set ssl enabled enabled disabled Enable or disable the ability to use WebView over SSL reinitialize Stops and then restarts the SSL process hostkey reinitialize Stops SSL regenerates new keys and then restarts SSL ...

Page 106: ...set ssl 3 52 Basic Configuration ...

Page 107: ...ves to neighboring devices Commands The commands used to review and configure the CDP discovery protocol are listed below show cdp Use this command to display the status of the CDP discovery protocol and message interval on one or more ports For information about Refer to page Configuring CDP 4 1 Configuring Cisco Discovery Protocol 4 6 Configuring Link Layer Discovery Protocol and LLDP MED 4 13 F...

Page 108: ...put port string Optional Displays CDP status for a specific port For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 Table 4 1 show cdp Output Details Output What It Displays CDP Global Status Whether CDP is globally auto enabled enabled or disabled The default state of auto enabled can be reset with the set cdp state command For detail...

Page 109: ...Frequency Frequency in seconds at which CDP messages can be transmitted The default of 60 seconds can be reset with the set cdp interval command For details refer to set cdp interval on page 4 4 Port Port designation For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 Status Whether CDP is enabled disabled or auto enabled on the port Ta...

Page 110: ...witches no matter what their authentication code and enter them into its CDP neighbor table Example This example shows how to set the CDP authentication code to 1 2 3 4 5 6 7 8 C2 su set cdp auth 1 2 3 4 5 6 7 8 set cdp interval Use this command to set the message interval frequency in seconds of the CDP discovery protocol Syntax set cdp interval frequency Parameters Defaults None Mode Switch comm...

Page 111: ...val hold time auth code Parameters Defaults At least one optional parameter must be entered Mode Switch command read write Example This example shows how to reset the CDP state to auto enabled C2 su clear cdp state hold time Specifies the hold time value for CDP messages in seconds Valid values are from 15 to 600 state Optional Resets the global CDP state to auto enabled port state port string Opt...

Page 112: ...1 6 00 01 f4 00 72 fe 140 2 4 102 cdp 140 2 4 102 ge 1 6 00 01 f4 00 70 8a 140 2 4 104 cdp 140 2 4 104 ge 1 6 00 01 f4 c5 f7 20 140 2 4 101 cdp 140 2 4 101 ge 1 6 00 01 f4 89 4f ae 140 2 4 105 cdp 140 2 4 105 ge 1 6 00 01 f4 5f 1f c0 140 2 1 11 cdp 140 2 1 11 ge 1 19 0001f400732e 165 32 100 10 ciscodp 165 32 100 10 Configuring Cisco Discovery Protocol Purpose To review and configure the Cisco disc...

Page 113: ...odp CiscoDP Enabled Timer 5 Holdtime TTl 180 Device ID 001188554A60 Last Change WED NOV 08 13 19 56 2006 Table 4 2 provides an explanation of the command output For information about Refer to page show ciscodp 4 7 show ciscodp port info 4 8 set ciscodp status 4 9 set ciscodp timer 4 9 set ciscodp holdtime 4 10 set ciscodp port 4 10 clear ciscodp 4 12 Table 4 2 show ciscodp Output Details Output Wh...

Page 114: ...ds neighboring devices will hold PDU transmissions from the sending device Default value of 180 can be changed with the set ciscodp holdtime command Device ID The MAC address of the switch Last Change The time that the last Cisco DP neighbor was discovered Table 4 2 show ciscodp Output Details Continued Output What It Displays port string Optional Displays Cisco DP information for a specific port ...

Page 115: ...DU transmissions Syntax set ciscodp timer seconds Parameters Defaults None trusted The trust mode of the port Default of trusted can be changed using the set ciscodp port command cos The Class of Service priority value for untrusted traffic The default of 0 can be changed using the set ciscodp port command Table 4 3 show ciscodp port info Output Details Continued Output What It Displays auto Globa...

Page 116: ...g device Syntax set ciscodp holdtime hold time Parameters Defaults None Mode Switch command read write Example This example shows how to set Cisco DP hold time to 180 seconds C2 su set ciscodp hold time 180 set ciscodp port Use this command to set the status voice VLAN extended trust mode and CoS priority for untrusted traffic for the Cisco Discovery Protocol on one or more ports Syntax set ciscod...

Page 117: ...or Layer 2 802 1p marking status Sets the CiscoDP port operational status disable Does not transmit or process CiscoDP PDUs enable Transmits and processes CiscoDP PDUs vvid Sets the port voice VLAN for CiscoDP PDU transmission vlan id Specifies the VLAN ID range 1 4094 none No voice VLAN will be used in CiscoDP PDUs This is the default dot1p Instructs attached phone to send 802 1p tagged frames un...

Page 118: ...ort trusted no cos 1 ge 1 5 clear ciscodp Use this command to clear the Cisco discovery protocol back to the default values Syntax clear ciscodp status timer holdtime port status vvid trust cos port string Parameters Defaults If no parameters are entered all Cisco DP parameters are reset to the defaults globally and for all ports Mode Switch mode read write Note The Cisco Discovery Protocol must b...

Page 119: ...ial or asset numbers The information sent by an LLDP enabled device is extracted and tabulated by its peers The communication can be done when information changes or on a periodic basis The information tabulated is aged to ensure that it is kept up to date Ports can be configured to send this information receive this information or both send and receive Either LLDP or LLDP MED but not both can be ...

Page 120: ... port location info 4 17 show lldp port local info 4 18 show lldp port remote info 4 21 set lldp tx interval 4 22 set lldp hold multiplier 4 22 set lldp trap interval 4 23 set lldp med fast repeat 4 24 set lldp port status 4 24 set lldp port trap 4 25 set lldp port med trap 4 25 set lldp port location info 4 26 set lldp port tx tlv 4 26 clear lldp 4 28 clear lldp port status 4 29 clear lldp port t...

Page 121: ...plier 4 Notification Tx Interval 5 MED Fast Start Count 3 Tx Enabled Ports ge 1 1 60 ge 2 1 24 ge 3 1 30 ge 4 1 12 Rx Enabled Ports ge 1 1 60 ge 2 1 24 ge 3 1 30 ge 4 1 12 Trap Enabled Ports ge 1 1 60 ge 2 1 24 ge 3 1 30 ge 4 1 12 MED Trap Enabled Ports ge 1 1 60 ge 2 1 24 ge 3 1 30 ge 4 1 12 Step Task Command s 1 Configure global system LLDP parameters set lldp tx interval set lldp hold multiplie...

Page 122: ... 1 30 ge 4 1 12 Rx Enabled Ports ge 1 1 60 ge 2 1 24 ge 3 1 30 ge 4 1 12 show lldp port trap Use this command to display the ports that are enabled to send an LLDP notification when a remote system change has been detected or an LLDP MED notification when a change in the topology has been sensed Ports are enabled to send LLDP notifications with the set lldp port trap command and to send LLDP MED n...

Page 123: ...Example This example shows how to display transmit TLV information for three ports C2 ro show lldp port tx tlv ge 1 1 3 Means TLV is supported and enabled on this port o Means TLV is supported on this port Means TLV is not supported on this port Column Pro Id uses letter notation for enable s stp l lacp g gvrp Ports Port Sys Sys Sys Mgmt Vlan Pro MAC PoE Link Max MED MED MED MED Desc Name Desc Cap...

Page 124: ...IN 1234567890 show lldp port local info Use this command to display the local system information stored for one or more ports You can use this information to detect misconfigurations or incompatibilities between the local port and the attached endpoint device remote port Syntax show lldp port local info port string Parameters Defaults If port string is not specified local system information will b...

Page 125: ... MDI Supported Enabled yes yes PoE Pair Controllable Used false spare PoE Power Class 2 PoE Power Limit mW 15400 PoE Power Priority high Table 4 4 describes the information displayed by the show lldp port local info command Table 4 4 show lldp port local info Output Details Output Field What it Displays Local Port Identifies the port for which local system information is displayed Local Port Id Ma...

Page 126: ...ted Value is the ELIN configured on this port PoE Device LLDP MED Extensions Extended Power via MDI TLV Displayed only when a port has PoE capabilities Value is the Power Type of the device On a switch port the value is Power Sourcing Entity PSE PoE Power Source LLDP MED Extensions Extended Power via MDI TLV Displayed only when a port has PoE capabilities Value can be primary or backup indicating ...

Page 127: ...2 ro show lldp port remote info ge 3 1 Local Port ge 3 1 Remote Port Id 00 09 6e 0e 14 3d Mgmt Addr 0 0 0 0 Chassis ID 0 0 0 0 Device Type Communication Device Endpoint class III Sys Name AVE0E143D Sys Cap Supported Enabled bridge telephone bridge Auto Neg Supported Enabled yes yes Auto Neg Advertised 10BASE T 10BASE TFD 100BASE TX 100BASE TXFD pause Spause Operational Speed Duplex Type 100 full T...

Page 128: ...tion received in the LLDPDU from the remote device In this case the port Id is MAC address of remote device Device Type Mandatory LLDP MED Capabilities TLV Displayed only when the port is connected to an LLDP MED capable endpoint device Hardware Revision LLDP MED Extensions Inventory Management TLV component Firmware Revision LLDP MED Extensions Inventory Management TLV component Software Revision...

Page 129: ...the minimum interval between LLDP notifications sent by this device LLDP notifications are sent when a remote system change has been detected Syntax set lldp trap interval frequency Parameters Defaults None Mode Switch command read write Example This example sets the minimum interval between LLDP traps to 10 seconds C2 rw set lldp trap interval 10 multiplier val Specifies the multiplier to apply t...

Page 130: ...be sent to 4 C2 rw set lldp med fast repeat 4 set lldp port status Use this command to enable or disable transmitting and processing received LLDPDUs on a port or range of ports Syntax set lldp port status tx enable rx enable both disable port string Parameters Defaults None count Specifies the number of fast start LLDPDUs to be sent when an LLDP MED endpoint device is detected Value can range fro...

Page 131: ... traps on ports ge 1 1 through ge 1 6 C2 rw set lldp port trap enable ge 1 1 6 set lldp port med trap Use this command to enable or disable sending an LLDP MED notification when a change in the topology has been sensed on the port that is a remote endpoint device has been attached or removed from the port Syntax set lldp port med trap enable disable port string Parameters enable Enable transmittin...

Page 132: ...ormation value you must also configure the port to send the Location Information TLV with the set lldp port tx tlv command This example configures the ELIN identifier 5551234567 on ports ge 1 1 through ge 1 6 and then configures the ports to send the Location Information TLV C2 rw set lldp port location info 5551234567 ge 1 1 6 C2 rw set lldp port tx tlv med loc ge 1 1 6 set lldp port tx tlv Use t...

Page 133: ...dentity IEEE 802 1 Extensions TLV If LACP is enabled on the port value sent includes version of protocol being used gvrp GVRP information defined by Protocol Identity IEEE 802 1 Extensions TLV If LACP is enabled on the port value sent includes version of protocol being used mac phy MAC PHY Configuration Status IEEE 802 3 Extensions TLV Value sent includes the operational MAU type duplex and speed ...

Page 134: ... via MDI TLV Values sent include the Power Limit total power the port is capable of sourcing over a maximum length cable and the power priority configured on the port Only valid for PoE enabled ports port string Specifies the port or range of ports to be affected all Returns all LLDP configuration parameters to their default values including port LLDP configuration parameters tx interval Returns t...

Page 135: ...ssing received LLDPDUs C2 rw clear lldp port status ge 1 1 clear lldp port trap Use this command to return the port LLDP trap setting to the default value of disabled Syntax clear lldp port trap port string Parameters Defaults None Mode Switch command read write Example This example returns port ge 1 1 to the default LLDP trap state of disabled C2 rw clear lldp port trap ge 1 1 clear lldp port med...

Page 136: ... port location info elin port string Parameters Defaults None Mode Switch command read write Example This example returns the location information ELIN value on port ge 1 1 to the default value of null C2 rw clear lldp port location info elin ge 1 1 clear lldp port tx tlv Use this command to clear the optional LLDP and LLDP MED TLVs to be transmitted in LLDPDUs by the specified port or ports to th...

Page 137: ...anning Tree information defined by Protocol Identity IEEE 802 1 Extensions TLV from being transmitted in LLDPDUs lacp Disables the LACP information defined by Protocol Identity IEEE 802 1 Extensions TLV from being transmitted in LLDPDUs gvrp Disables the GVRP information defined by Protocol Identity IEEE 802 1 Extensions TLV from being transmitted in LLDPDUs mac phy Disables the MAC PHY Configurat...

Page 138: ...ery Protocol Configuration Example This example disables the management address MED capability and MED location identification TLVs from being sent in LLDPDUs by port ge 1 1 C2 rw clear lldp port tx tlv mgmt addr med cap med loc ge 1 1 ...

Page 139: ...tions C2G124 24 C2G124 48 and C2G124 48P Switch Ports The C2G124 24 C2G124 48 and C2G124 48P stackable devices provide the following types of switch port connections Twenty four or forty eight RJ45 10 100 1000 Mbps 1000BASE T Fast Ethernet copper ports For information about Refer to page Port Configuration Summary 5 1 Reviewing Port Status 5 3 Disabling Enabling and Naming Ports 5 7 Setting Speed ...

Page 140: ...ections C2G170 24 Switch Ports The C2G170 24 stackable devices provide the following types of switch port connections Twenty four SFP slots that provide the option of installing Small Form Pluggable SFP Mini GBICs for 1000BASE T compliant copper connections or 1000BASE SX LX ELX Port String Syntax Used in the CLI Commands requiring a port string parameter use the following syntax to designate port...

Page 141: ...is example shows the port string syntax for specifying all 1 Gigabit Ethernet ports in slot unit 3 in the system ge 3 This example shows the port string syntax for specifying all ports of any interface type in the system Reviewing Port Status Purpose To display operating status duplex mode speed port type and statistical information about traffic received and transmitted through one or all switch ...

Page 142: ...Defaults If port string is not specified status information for all ports will be displayed Mode Switch command read only Example This example shows how to display status information for ge 3 14 C2 su show port status ge 3 14 Port Alias Oper Admin Speed Duplex Type truncated Status Status ge 3 14 up up N A N A BaseT RJ45 Table 5 1 provides an explanation of the command output port string Optional ...

Page 143: ...atus Whether the specified port is enabled up or disabled down For details on using the set port disable command to change the default port status of enabled refer to set port disable on page 5 7 For details on using the set port enable command to re enable ports refer to set port enable on page 5 7 Speed Operational speed in Mbps or Kbps of the specified port For details on using the set port spe...

Page 144: ...es Transmitted 0 This example shows how to display all ge 3 1 port counter statistics related to traffic through the device C2 su show port counters ge 3 1 switch Port ge 3 1 Bridge Port 2 802 1Q Switch Counters Frames Received 0 Frames Transmitted 0 Table 5 2 provides an explanation of the command output Table 5 2 show port counters Output Details Output What It Displays Port Port designation For...

Page 145: ...s executed in addition to disabling the physical Ethernet link the port will no longer learn entries in the forwarding database Syntax set port disable port string Parameters Defaults None Mode Switch command read write Example This example shows how to disable ge 1 1 C2 su set port disable ge 1 1 set port enable Use this command to administratively enable one or more ports Syntax set port enable ...

Page 146: ...ly Example This example shows how to display alias information for ports 1 3 on slot 3 C2 rw show port alias ge 3 1 3 Port ge 3 1 user Port ge 3 2 user Port ge 3 3 Admin set port alias Use this command to assign an alias name to a port Syntax set port alias port string name port string Specifies the port s to enable For a detailed description of possible port string values refer to Port String Syn...

Page 147: ...lf duplex or Full for full duplex for one or more ports Commands show port speed Use this command to display the default speed setting on one or more ports port string Specifies the port to which an alias will be assigned For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 name Optional Assigns an alias name to the port If the alias nam...

Page 148: ... that have auto negotiation disabled Syntax set port speed port string 10 100 1000 Parameters Defaults None Mode Switch command read write Example This example shows how to set ge 3 3 to a port speed of 10 Mbps C2 su set port speed ge 3 3 10 port string Optional Displays default speed setting s for specific port s For a detailed description of possible port string values refer to Port String Synta...

Page 149: ...this command to set the default duplex type for one or more ports This command will only take effect on ports that have auto negotiation disabled Syntax set port duplex port string full half Parameters Defaults None Mode Switch command read write Example This example shows how to set ge 1 17 to full duplex port string Optional Displays default duplex setting s for specific port s For a detailed de...

Page 150: ...ax show port jumbo port string Parameters Defaults If port string is not specified jumbo frame support status for all ports will display Mode Switch command read only Example This example shows how to display the status of jumbo frame support for ge 1 1 C2 su show port jumbo ge 1 1 Port Number Jumbo Status Max Frame Size ge 1 1 Enable 9216 For information about Refer to page show port jumbo 5 12 s...

Page 151: ...Syntax clear port jumbo port string Parameters Defaults If port string is not specified jumbo frame support status will be reset on all ports Mode Switch command read write Example This example shows how to reset jumbo frame support status for Gigabit Ethernet port 14 in slot 3 C2 su clear port jumbo ge 3 14 enable disable Enables or disables jumbo frame support port string Optional Specifies the ...

Page 152: ...er may choose to configure a port so that only a portion of its capabilities are advertised and the others are disabled Commands show port negotiation Use this command to display the status of auto negotiation for one or more ports Syntax show port negotiation port string Parameters Defaults If port string is not specified auto negotiation status for all ports will be displayed Mode Switch command...

Page 153: ...set port negotiation ge 3 14 disable show port advertise Use this command to display port capability and advertisement as far as speed and duplex for auto negotiation Syntax show port advertise port string Parameters Defaults If port string is not specified advertisement for all ports will be displayed Mode Switch command read only port string Specifies the port s for which to enable or disable au...

Page 154: ...o set port advertise Use this command to configure what a port will advertise for speed duplex capabilities in auto negotiation Syntax set port advertise port string 10t 10tfd 100tx 100txfd 1000t 1000tfd pause Parameters Defaults None Mode Switch command read write port string Select the ports for which to configure advertisements For a detailed description of possible port string values refer to ...

Page 155: ...dvertise ge 1 1 10t 10tfd Setting Flow Control Purpose To review enable or disable port flow control Flow control is used to manage the transmission between two devices as specified by IEEE 802 3x to prevent receiving ports from being overwhelmed by frames from transmitting devices port string Clear advertisements for specific port s For a detailed description of possible port string values refer ...

Page 156: ... This example shows how to display the port flow control state C2 su show flowcontrol Flow control status enabled set flowcontrol Use this command to enable or disable flow control Syntax set flowcontrol enable disable Parameters Defaults None Mode Switch command read write For information about Refer to page show flowcontrol 5 18 set flowcontrol 5 18 enable disable Enables or disables flow contro...

Page 157: ... and takes the required actions disable port and eventually send notification trap to stop such a condition If left unresolved the link flapping condition can be detrimental to network stability because it can trigger Spanning Tree and routing table recalculation Commands show port trap Use this command to display whether the port is enabled for generating an SNMP trap message if its link state ch...

Page 158: ...tatus changes Syntax set port trap port string enable disable Parameters Defaults Sending traps when link status changes is enabled by default Mode Switch command read write Example The following example disables sending trap on ge 3 1 C2 su set port trap ge 3 1 disable port string Optional Displays link trap status for specific port s For a detailed description of possible port string values refe...

Page 159: ...supported Displays ports which can support the link flap detection function actsupported Displays link flap detection actions supported by system hardware maximum Displays the maximum allowed linkdowns per 10 seconds supported by system hardware downports Displays ports disabled by link flap detection due to a violation action Displays linkflap actions taken on violating port s operstatus Displays...

Page 160: ...300 ge 1 3 disabled S T 10 5 300 Table 5 3 provides an explanation of the show linkflap parameters command output Linkflap Parameter Default Condition Linkflap global state Disabled Linkflap port state Disabled Linkflap action None Linkflap interval 5 Linkflap maximum allowed link downs per 10 seconds 20 Linkflap threshold number of allowed link down transitions before action is taken 10 Table 5 3...

Page 161: ... Switch mode read write Usage By default the function is disabled globally and on all ports If disabled globally after per port settings have been configured using the linkflap commands per port settings will be retained Example This example shows how to globally enable the link trap detection function C2 rw set linkflap globalstate enable Table 5 4 show linkflap metrics Output Details Output What...

Page 162: ...l Use this command to set the time interval in seconds for accumulating link down transitions Syntax set linkflap interval port string interval value Parameters Defaults None Mode Switch command read write Example This example shows how to set the link flap interval on port ge 1 4 to 1000 seconds C2 rw set linkflap interval ge 1 4 1000 disable enable Disables or enables the link flap detection fun...

Page 163: ...g disableInterface gensyslogentry gentrap all Parameters Defaults If port string is not specified actions will be cleared on all ports Mode Switch mode read write port string Specifies the port s on which to set the link flap action disableInterface Sets the reaction as disabling the interface gensyslogentry Sets the reaction as generating a syslog entry gentrap Sets the reaction as generating an ...

Page 164: ... 4 to 5 C2 rw set linkflap threshold ge 1 4 5 set linkflap downtime Use this command to set the time interval in seconds one or more ports will be held down after a link flap violation Syntax set linkflap downtime port string downtime value Parameters Defaults None Mode Switch mode read write port string Specifies the port s on which to set the link flap action trigger count threshold value Specif...

Page 165: ...onal C2 rw clear linkflap down ge 1 4 clear linkflap Use this command to clear all link flap options and or statistics on one or more ports Syntax clear linkflap all stats port string parameter port string threshold interval downtime all Parameters Defaults If port string is not specified settings and or statistics will be cleared on all ports Mode Switch mode read write port string Optional Speci...

Page 166: ...ppression protects against broadcast storms and ARP sweeps Commands show port broadcast Use this command to display port broadcast suppression thresholds Syntax show port broadcast port string Parameters Defaults If port string is not specified broadcast status of all ports will be displayed Mode Switch command read only Example This example shows how to display the broadcast suppression threshold...

Page 167: ...5 50 clear port broadcast Use this command to clear the broadcast threshold limit to the default value of 14881 for the selected port Syntax clear port broadcast port string threshold Parameters Defaults None port string Select the ports for which to configure broadcast suppression thresholds For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on p...

Page 168: ... traffic will be mirrored A mirroring session which is configured to be active enabled will be operationally active only if both a destination port and at least one source port have been configured A destination port will only act as a mirroring port when the session is operationally active If the mirroring session is not operationally active then the destination port will act as a normal port and...

Page 169: ... mirroring relationship between two ports Syntax set port mirroring create disable enable source destination Parameters Defaults None Mode Switch command read write create disable enable Creates disables or enables mirroring settings on the specified ports source Specifies the source port designation This is the port on which the traffic will be monitored For a detailed description of possible por...

Page 170: ...an be accomplished if both sides agree on a set of ports that are being used as a Link Aggregation Group LAG Once a LAG is formed from selected ports problems with looping can be avoided since the Spanning Tree can treat this LAG as a single port Enabled by default the Link Aggregation Control Protocol LACP logically groups interfaces together to create a greater bandwidth uplink or link aggregati...

Page 171: ...onitoring the status of aggregated links to ensure that the aggregation is still valid Removing a link from a LAG if its membership is no longer valid and removing the group if it no longer has any member links In order to allow LACP to determine whether a set of links connect to the same device and to determine whether those links are compatible from the point of view of aggregation it is necessa...

Page 172: ...oup Once underlying physical ports for example ge x x are associated with an aggregator port the resulting aggregation will be represented as one LAG with a lag x x port designation SecureStack C2 LAGs can have up to 8associated physical ports LACPDU Link Aggregation Control Protocol Data Unit The protocol exchanges aggregation state mode information by way of a port s actor and partner operationa...

Page 173: ...lly created LAG is reduced to one port the SecureStack C2 removes the LAG from its VLAN and adds the remaining underlying port to the VLAN For this reason you should ensure that the LAG and all the ports in the LAG are assigned to the egress list of the desired VLAN Otherwise when the LAG is removed the remaining port may be assigned to the wrong VLAN The other option is to enable the singleportla...

Page 174: ...68 Admin Key 32768 Oper Key 32768 0 Attached Ports ge 1 1 ge 1 3 Table 5 6 provides an explanation of the command output port string Optional Displays LACP information for specific LAG port s Valid port designations are lag 0 1 6 Table 5 6 show lacp Output Details Output What It Displays Global Link Aggregation state Shows if LACP is enabled or disabled on the switch Single Port LAGs Displays if t...

Page 175: ... aggregation precedence Only one LACP system priority can be set on a SecureStack C2 device using either the set lacp asyspri command page 5 37 or the set port lacp command page 5 43 Admin Key Port s assigned key SecureStack C2 devices provide a default admin key value of 32768 for all LAG ports lag 0 1 though lag 0 6 Oper Key Port s operational key derived from the admin key Only underlying physi...

Page 176: ...y for one or more aggregator ports Syntax set lacp aadminkey port string value Parameters Defaults None Mode Switch command read write Usage LACP will use this value to form an oper key Only underlying physical ports with oper keys matching those of their aggregators will be allowed to aggregate The default admin key value for all LAG ports is 32768 asyspri Sets the system priority to be used in c...

Page 177: ...atic disable enable lagportstring key port string Parameters asyspri Clears system priority aadminkey port string Resets admin keys for one or more ports to the default value of 32768 disable enable Disables or enables static link aggregation lagportstring Specifies the LAG aggregator port to which new ports will be assigned key Optional Specifies the new member port and LAG port aggregator admin ...

Page 178: ... port string Parameters Defaults None Mode Switch command read write Example This example shows how to remove ge 1 6 from the LAG of aggregator port 6 C2 su clear lacp static lag 0 6 ge 1 6 set lacp singleportlag Use this command to enable or disable the formation of single port LAGs Syntax set lacp singleportlag enable disable Parameters lagportstring Specifies the LAG aggregator port from which ...

Page 179: ... as any previous LAG member ports comes up connected to the same switch as before the LAG went down Example This example enables the formation of single port LAGs C2 su set lacp singleportlag enable clear lacp singleportlag Use this command to reset the single port LAG function back to the default state of disabled Syntax clear lacp singleportlag Parameters None Defaults None Mode Switch command r...

Page 180: ...port lacp port ge 1 12 status detail Port Instance ge 1 12 ActorPort 1411 PartnerAdminPort 1411 ActorSystemPriority 32768 PartnerOperPort 1411 ActorPortPriority 32768 PartnerAdminSystemPriority 32768 ActorAdminKey 32768 PartnerOperSystemPriority 32768 ActorOperKey 32768 PartnerAdminPortPriority 32768 ActorAdminState GlA PartnerOperPortPriority 32768 ActorOperState F lA PartnerAdminKey 1411 ActorSy...

Page 181: ...ative state once aggregated Syntax set port lacp port port string aadminkey aadminkey aadminstate lacpactive lacptimeout lacpagg lacpsync lacpcollect lacpdist lacpdef lacpexpire aportpri aportpri asyspri asyspri enable disable padminkey padminkey padminport padminport padminportpri padminportpri padminstate lacpactive lacptimeout lacpagg lacpsync lacpcollect lacpdist lacpdef lacpexpire padminsysid...

Page 182: ...same aggregator Valid values are 0 65535 with higher precedence given to lower values Note Only one LACP system priority can be set on a SecureStack C2 device using either this command or the set lacp asyspri command set lacp asyspri on page 5 37 enable Optional Enables LACPDU processing on this port disable Optional Disables LACPDU processing on this port padminkey padminkey Sets a default value ...

Page 183: ...cpsync lacpcollect lacpdist lacpdef lacpexpire all padminsyspri padminsysid padminkey padminportpri padminport padminstate lacpactive lacptimeout lacpagg lacpsync lacpcollect lacpdist lacpdef lacpexpire all Parameters port port string Specifies the physical port s on which LACP settings will be cleared For a detailed description of possible port string values refer to Port String Syntax Used in th...

Page 184: ... having the same VLAN membership However protected ports can forward traffic to ports which are unprotected not listed in any group Protected ports can also forward traffic to protected ports in a different group if they are in the same VLAN Unprotected ports can forward traffic to both protected and unprotected ports A port may belong to only one group of protected ports This feature only applies...

Page 185: ...protected ge 1 1 3 1 show port protected Use this command to display information about the ports configured for protected mode Syntax show port protected port string group id Parameters Defaults If no parameters are entered information about all protected ports is displayed Mode Read only port string Specifies the port or ports to be protected group id Specifies the id of the group to which the po...

Page 186: ...witch command read write Example This example shows how to clear protected ports ge 1 1 through ge 1 3 C2 rw clear port protected ge 1 1 3 set port protected name Use this command to assign a name to a protected port group id Syntax set port protected name group id name Parameters Defaults None port string Optional Specifies the port or ports to remove from protected mode group id Optional Specifi...

Page 187: ... port protected name group id Parameters Defaults None Mode Read only Example This example shows how to show the name of protected port group 1 C2 ro show port protected name 1 Group ID Group Name 1 group1 clear port protected name Use this command to clear the name of a protected group Syntax clear port protected name group id Parameters Defaults None group id Specifies the id of the group to dis...

Page 188: ...clear port protected name 5 50 Port Configuration Mode Switch command read write Example This example shows how to clear the name of protected port group 1 C2 rw clear port protected name 1 ...

Page 189: ...ents to data types counter size and protocol operations Version 3 SNMPv3 This is the most recent version of SNMP and includes significant enhancements to administration and security SNMPv3 is fully described in RFC 2571 RFC 2572 RFC 2573 RFC 2574 and RFC 2575 SNMPv1 and SNMPv2c The components of SNMPv1 and SNMPv2c network management fall into three categories Managed devices such as a switch SNMP ...

Page 190: ...on by wrapping them in a message header and returning them to the dispatcher The message processing subsystem also accepts incoming messages from the dispatcher processes each message header and returns the enclosed PDU to the dispatcher Security subsystem This component authenticates and encrypts messages Access control subsystem This component determines which users and which operations are allo...

Page 191: ...mp context on page 6 20 Example This example permits the powergroup to manage all MIBs via SNMPv3 C2 su set snmp access powergroup security model usm Configuration Considerations Commands for configuring SNMP on the SecureStack C2 device are independent during the SNMP setup process For instance target parameters can be specified when setting up optional notification filters even though these para...

Page 192: ...p engineid EngineId 80 00 15 f8 03 00 e0 63 9d b5 87 Engine Boots 12 Engine Time 162181 Max Msg Size 2048 Table 6 2 provides an explanation of the command output For information about Refer to page show snmp engineid 6 4 show snmp counters 6 5 Table 6 2 show snmp engineid Output Details Output What It Displays EngineId String identifying the SNMP agent on the device Engine Boots Number of times th...

Page 193: ...yNames 0 snmpInBadCommunityUses 0 snmpInASNParseErrs 0 snmpInTooBigs 0 snmpInNoSuchNames 0 snmpInBadValues 0 snmpInReadOnlys 0 snmpInGenErrs 0 snmpInTotalReqVars 403661 snmpInTotalSetVars 534 snmpInGetRequests 290 snmpInGetNexts 396279 snmpInSetRequests 32 snmpInGetResponses 0 snmpInTraps 0 snmpOutTooBigs 0 snmpOutNoSuchNames 11 snmpOutBadValues 0 snmpOutGenErrs 0 snmpOutGetRequests 0 snmpOutGetNe...

Page 194: ... noSuchName snmpInBadValues Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error status field as badValue snmpInReadOnlys Number of valid SNMP PDUs delivered to the SNMP protocol entity with the value of the error status field as readOnly snmpInGenErrs Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error status field as genErr snmpI...

Page 195: ...er of SNMP Get Set or Inform request error messages that were dropped because the reply was larger than the requestor s maximum message size snmpProxyDrops Number of SNMP Get Set or Inform request error messages that were dropped because the reply was larger than the proxy target s maximum message size usmStatsUnsupportedSec Levels Number of packets received by the SNMP engine that were dropped be...

Page 196: ...ocal SNMP engine will be displayed If not specified user information for all storage types will be displayed Mode Switch command read only For information about Refer to page show snmp user 6 8 set snmp user 6 9 clear snmp user 6 10 show snmp group 6 10 set snmp group 6 12 clear snmp group 6 12 show snmp community 6 13 set snmp community 6 13 clear snmp community 6 14 list Optional Displays a list...

Page 197: ...olatile Parameters Table 6 4 show snmp user Output Details Output What It Displays EngineId SNMP local engine identifier Username SNMPv1 or v2 community name or SNMPv3 user name Auth protocol Type of authentication protocol applied to this user Privacy protocol Whether a privacy protocol is applied when authentication protocol is in use Storage type Whether entry is stored in volatile nonvolatile ...

Page 198: ...stored in permanent nonvolatile memory C2 su set snmp user netops clear snmp user Use this command to remove a user from the SNMPv3 security model list Syntax clear snmp user user remote remote Parameters Defaults If remote is not specified the user will be removed from the local SNMP engine Mode Switch command read write Example This example shows how to remove the SNMP user named bill C2 su clea...

Page 199: ...type nonVolatile Row status active Security model SNMPv1 Security user name public router1 Group name Anyone Storage type nonVolatile Row status active Table 6 5 provides an explanation of the command output groupname groupname Optional Displays information for a specific SNMP group user user Optional Displays information about users within the specified group security model v1 v2c usm Optional Di...

Page 200: ...lear snmp group Use this command to clear SNMP group settings globally or for a specific SNMP group and user Syntax clear snmp group groupname user security model v1 v2c usm Parameters Defaults If not specified settings related to all security models will be cleared Mode Switch command read write groupname Specifies an SNMP group name to create user user Specifies an SNMPv3 user name to assign to ...

Page 201: ...ample This example shows how to display information about the SNMP public community name For a description of this output refer to set snmp community page 6 13 C2 su show snmp community public Configured community strings Name Security name public Context Transport tag Storage type nonVolatile Status active set snmp community Use this command to configure an SNMP community group Syntax set snmp co...

Page 202: ... name Parameters Defaults None Mode Switch command read write Example This example shows how to delete the community name vip C2 su clear snmp community vip context context Optional Specifies a subset of management information this community will be allowed to access Valid values are full or partial context names To review all contexts configured for the device use the show snmp context command as...

Page 203: ...s will be displayed If noauthentication authentication or privacy are not specified access information for all security levels will be displayed If context is not specified all contexts will be displayed For information about Refer to page show snmp access 6 15 set snmp access 6 17 clear snmp access 6 18 groupname Optional Displays access information for a specific SNMPv3 group security model v1 v...

Page 204: ... Output Details Output What It Displays Group SNMP group name Security model Security model applied to this group Valid types are SNMPv1 SNMPv2c and SNMPv3 User based USM Security level Security level applied to this group Valid levels are noAuthNoPrivacy no authentication required AuthNoPrivacy authentication required authPriv privacy most secure level Read View Name of the view that allows this ...

Page 205: ...a SNMPv3 C2 su set snmp access powergroup security model usm groupname Specifies a name for an SNMPv3 group security model v1 v2c usm Specifies SNMP version 1 2c or 3 usm noauthentication authentication privacy Optional Applies SNMP security level as no authentication authentication without privacy or privacy Privacy specifies that messages sent on behalf of the user are protected from disclosure ...

Page 206: ... group via the authentication protocol C2 su clear snmp access mis group security model usm authentication Configuring SNMP MIB Views Purpose To review and configure SNMP MIB views SNMP views map SNMP objects to access rights Commands groupname Specifies the name of the SNMP group for which to clear access security model v1 v2c usm Specifies the security model to be cleared for the SNMP access gro...

Page 207: ... Subtree OID 1 Subtree mask View Type included Storage type nonVolatile Row status active View Name All Subtree OID 0 0 Subtree mask View Type included Storage type nonVolatile Row status active View Name Network Subtree OID 1 3 6 1 2 1 Subtree mask View Type included Storage type nonVolatile Row status active Table 6 7 provides an explanation of the command output For details on using the set snm...

Page 208: ...anagement information Example This example shows how to display a list of all SNMP contexts known to the device C2 su show snmp context Configured contexts default context all mibs set snmp view Use this command to set a MIB configuration for SNMPv3 view based access VACM Syntax set snmp view viewname viewname subtree subtree mask mask included excluded volatile nonvolatile Table 6 7 show snmp vie...

Page 209: ...this command to delete an SNMPv3 MIB view Syntax clear snmp view viewname subtree Parameters Defaults None Mode Switch command read write Example This example shows how to delete SNMP MIB view public C2 su clear snmp view public 1 3 6 1 viewname viewname Specifies a name for a MIB view subtree subtree Specifies a MIB subtree name mask mask Optional Specifies a bitmask for a subtree included exclud...

Page 210: ... Parameters Defaults If targetParams is not specified entries associated with all target parameters will be displayed If not specified entries of all storage types will be displayed Mode Switch command read only Example This example shows how to display SNMP target parameters information C2 su show snmp targetparams SNMP TargetParams information Target Parameter Name v1ExampleParams Security Name ...

Page 211: ... Output Details Output What It Displays Target Parameter Name Unique identifier for the parameter in the SNMP target parameters table Maximum length is 32 bytes Security Name Security string definition Message Proc Model SNMP version Security Level Type of security level auth security level is set to use authentication protocol noauth security level is not set to use authentication protocol or pri...

Page 212: ...and to clear the SNMP target parameter configuration Syntax clear snmp targetparams targetParams Parameters Defaults None Mode Switch command read write Example This example shows how to clear SNMP target parameters named v1ExampleParams C2 su clear snmp targetparams v1ExampleParams noauthentication authentication privacy Optional Specifies the SNMP security level applied to this target parameter ...

Page 213: ... entries for all target address names will be displayed If not specified entries of all storage types will be displayed for a target address Mode Switch command read only Example This example shows how to display SNMP target address information C2 su show snmp targetaddr Target Address Name labmachine Tag List v2cTrap IP Address 10 2 3 116 UDP Port 162 Target Mask 255 255 255 255 Timeout 1500 Retr...

Page 214: ...address Parameters Entry in the snmpTargetParamsTable Storage type Whether entry is stored in volatile nonvolatile or read only memory Row status Status of this entry active notInService or notReady targetaddr Specifies a unique identifier to index the snmpTargetAddrTable Maximum length is 32 bytes ipaddr Specifies the IP address of the target param param Specifies an entry in the SNMP target para...

Page 215: ...nt to the workstation 192 168 190 80 which is target address tr It will use security and authorization criteria contained in a target parameters entry called v2cExampleParams For more information on configuring a basic SNMP trap refer to Creating a Basic SNMP Trap Configuration on page 6 36 C2 su set snmp targetaddr tr 192 168 190 80 param v2cExampleParams taglist TrapSink clear snmp targetaddr Us...

Page 216: ...igure SNMP notification parameters and optional filters Notifications are entities which handle the generation of SNMP v1 and v2 traps or SNMP v3 informs messages to select management targets Optional notification filters identify which targets should not receive notifications For a sample SNMP trap configuration showing how SNMP notification parameters are associated with security and authorizati...

Page 217: ...waddrtrap Use this command to enable or disable SNMP trap messaging globally or on one or more ports when new source MAC addresses are detected Syntax set newaddrtrap port string enable disable Parameters Defaults If port string is not specified the trap function is set globally Mode Switch mode read write port string Optional Displays the status of the new MAC addresses trap function on specific ...

Page 218: ...targets that will receive SNMP notifications Syntax show snmp notify notify volatile nonvolatile read only Parameters Defaults If a notify name is not specified all entries will be displayed If volatile nonvolatile or read only are not specified all storage type entries will be displayed Mode Switch command read only Example This example shows how to display the SNMP notify information C2 su show ...

Page 219: ...ation with a notify name of hello and a notify tag of world Notifications will be sent as trap messages and storage type will automatically default to permanent C2 su set snmp notify hello tag world trap Table 6 10 show snmp notify Output Details Output What It Displays Notify name A unique identifier used to index the SNMP notify table Notify Tag Name of the entry in the SNMP notify table Notify ...

Page 220: ...l not receive SNMP notifications Syntax show snmp notifyfilter profile subtree oid or mibobject volatile nonvolatile read only Parameters Defaults If no parameters are specified all notify filter information will be displayed Mode Switch command read only Usage See About SNMP Notify Filters on page 6 28 for more information about notify filters notify Specifies an SNMP notify name to clear profile...

Page 221: ... snmp notifyfilter profile subtree oid or mibobject mask mask included excluded volatile nonvolatile Parameters Defaults If not specified mask is not set If not specified subtree will be included If storage type is not specified nonvolatile permanent will be applied Mode Switch command read write Usage See About SNMP Notify Filters on page 6 28 for more information about notify filters Example Thi...

Page 222: ...rameters to an SNMP notify filter to determine who should not receive SNMP notifications Syntax show snmp notifyprofile profile targetparam targetparam volatile nonvolatile read only Parameters Defaults If no parameters are specified all notify profile information will be displayed Mode Switch command read only profile Specifies an SNMP filter notify name to delete subtree oid or mibobject Specifi...

Page 223: ...ich management targets should not receive SNMP notifications Syntax set snmp notifyprofile profile targetparam targetparam volatile nonvolatile Parameters Defaults If storage type is not specified nonvolatile permanent will be applied Mode Switch command read write Example This example shows how to create an SNMP notify profile named area51 and associate a target parameters entry C2 su set snmp no...

Page 224: ... associate security and authorization criteria to the users in the community created in Step 1 3 Verify if any applicable SNMP notification entries exist or create a new one You will use this entry to send SNMP notification messages to the appropriate management targets created in Step 2 4 Create a target address entry to bind a management IP address to The notification entry and tag name created ...

Page 225: ...created with the set snmp notify command which in this case is a key labeled entry1 2 Searches for the doors matching such a key For example the parameters set for the entry1 key shows that it opens only the door TrapSink 3 Verifies that the specified door TrapSink is in fact available In this case it was built using the set snmp targetaddr command This command also specifies that this door leads ...

Page 226: ...Creating a Basic SNMP Trap Configuration 6 38 SNMP Configuration ...

Page 227: ...ssigns port roles to individual ports on the switch depending on whether that port is part of the active topology RSTP provides rapid connectivity following the failure of a switch switch port or a LAN A new root port and the designated port on the other side of the bridge transition to forwarding through an explicit handshake between them By default user ports are configured to rapidly transition...

Page 228: ... amount of communications bandwidth to accomplish the operation of the Spanning Tree Protocol Reconfiguring the active topology in a manner that is transparent to stations transmitting and receiving data packets Managing the topology in a consistent and reproducible manner through the use of Spanning Tree Protocol parameters Loop Protect The Loop Protect feature prevents or short circuits loop for...

Page 229: ...ism is implemented This means the designated port can rely on receiving a response to its proposal regardless of the role of the connected port which has two important implications First the designated port connected to a non root port may transition to forwarding Second there is no ambiguity when a timeout happens a Loop Protect event has occurred In full functional mode when a type 2 BPDU is rec...

Page 230: ... 12 set spantree msti 7 12 clear spantree msti 7 13 show spantree mstmap 7 13 set spantree mstmap 7 14 clear spantree mstmap 7 14 show spantree vlanlist 7 15 show spantree mstcfgid 7 15 set spantree mstcfgid 7 16 clear spantree mstcfgid 7 16 set spantree priority 7 17 clear spantree priority 7 17 set spantree hello 7 18 clear spantree hello 7 18 set spantree maxage 7 19 clear spantree maxage 7 19 ...

Page 231: ...ar spantree spanguard 7 26 show spantree spanguardtimeout 7 26 set spantree spanguardtimeout 7 26 clear spantree spanguardtimeout 7 27 show spantree spanguardlock 7 27 clear set spantree spanguardlock 7 28 show spantree spanguardtrapenable 7 28 set spanstree spanguardtrapenable 7 29 clear spanstree spanguardtrapenable 7 29 show spantree legacypathcost 7 30 set spantree legacypathcost 7 30 clear sp...

Page 232: ... the root bridge can be reached Designated Root Priority Priority of the designated root bridge Designated Root Cost Total path cost to reach the root Root Max Age Amount of time in seconds a BPDU packet should be considered valid Root Hello Time Interval in seconds at which the root device sends BPDU Bridge Protocol Data Unit packets Root Forward Delay Amount of time in seconds the root device sp...

Page 233: ...ts None Bridge Forward Delay Amount of time in seconds the bridge spends in listening or learning mode This is a default value or is assigned using the set spantree fwddelay command For details refer to set spantree fwddelay on page 7 20 Topology Change Count Number of times topology has changed on the bridge Time Since Top Change Amount of time in days hours minutes and seconds since the last top...

Page 234: ...d not be changed from its default setting of mstp Multiple Spanning Tree Protocol mode MSTP mode is fully compatible and interoperable with legacy STP 802 1D and Rapid Spanning Tree RSTP bridges Setting the version to stpcompatible mode will cause the bridge to transmit only 802 1D BPDUs and will prevent non edge ports from rapidly transitioning to forwarding state Example This example shows how t...

Page 235: ... forwarding mode Syntax show spantree bpdu forwarding Parameters None Defaults None Mode Switch command read only Example This example shows how to display the Spanning Tree BPDU forwarding mode C2 su show spantree bpdu forwarding BPDU forwarding is disabled set spantree bpdu forwarding Use this command to enable or disable Spanning Tree BPDU forwarding By default BPDU forwarding is disabled Synta...

Page 236: ...w spantree bridgeprioritymode Use this command to display the Spanning Tree bridge priority mode setting Syntax show spantree bridgeprioritymode Parameters None Defaults None Mode Switch command read only Example This example shows how to display the Spanning Tree bridge priority mode setting C2 rw show spantree bridgeprioritymode Bridge Priority Mode is set to IEEE802 1t mode set spantree bridgep...

Page 237: ...ode 8021d clear spantree bridgeprioritymode Use this command to reset the Spanning Tree bridge priority mode to the default setting of 802 1t Syntax clear spantree bridgeprioritymode Parameters None Defaults None Mode Switch command read write Example This example shows how to reset the bridge priority mode to 802 1t C2 rw clear spantree bridgeprioritymode 8021d Sets the bridge priority mode to us...

Page 238: ...has been configured C2 su show spantree mstilist Configured Multiple Spanning Tree instances 2 set spantree msti Use this command to create or delete a Multiple Spanning Tree instance Syntax set spantree msti sid sid create delete Parameters Defaults None Mode Switch command read write Example This example shows how to create an MST instance 2 C2 su set spantree msti sid 2 create sid sid Sets the ...

Page 239: ... command to display the mapping of a filtering database ID FID to a Spanning Trees Since VLANs are mapped to FIDs this shows to which SID a VLAN is mapped Syntax show spantree mstmap fid fid Parameters Defaults If fid is not specified information for all assigned FIDs will be displayed Mode Switch command read only Example This example shows how to display SID to FID mapping information for FID 1 ...

Page 240: ...et spantree mstmap 3 sid 2 clear spantree mstmap Use this command to map a FID back to SID 0 Syntax clear spantree mstmap fid Parameters Defaults If fid is not specified all SID to FID mappings will be reset Mode Switch command read write Example This example shows how to map FID 2 back to SID 0 C2 su clear spantree mstmap 2 fid Specifies one or more FIDs to assign to the MST Valid values are 1 40...

Page 241: ...spantree mstmap command as described in set spantree mstmap on page 7 14 C2 su show spantree vlanlist 1 The following SIDS are assigned to VLAN 1 2 16 42 show spantree mstcfgid Use this command to display the MST configuration identifier elements including format selector configuration name revision level and configuration digest Syntax show spantree mstcfgid Parameters None Defaults None Mode Swi...

Page 242: ... write Example This example shows how to set the MST configuration name to mstconfig C2 su set spantree mstconfigid cfgname mstconfig clear spantree mstcfgid Use this command to reset the MST revision level to a default value of 0 and the configuration name to a default string representing the bridge MAC address Syntax clear spantree mstcfgid Parameters None Defaults None Mode Switch command read ...

Page 243: ...prioritymode on page 7 10 some priority values may be rounded up or down Example This example shows how to set the bridge priority to 4096 on SID 1 C2 su set spantree priority 4096 1 clear spantree priority Use this command to reset the Spanning Tree priority to the default value of 32768 Syntax clear spantree priority sid Parameters Defaults If sid is not specified priority will be reset on Spann...

Page 244: ...ad write Example This example shows how to globally set the Spanning Tree hello time to 10 seconds C2 su set spantree hello 10 clear spantree hello Use this command to reset the Spanning Tree hello time to the default value of 2 seconds Syntax clear spantree hello Parameters None Defaults None Mode Switch command read write Example This example shows how to globally reset the Spanning Tree hello t...

Page 245: ... Any port that ages out STP information provided in the last configuration message becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network Example This example shows how to set the maximum aging time to 25 seconds C2 su set spantree maxage 25 clear spantree maxage Use this command to reset the maximum agi...

Page 246: ...is delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwise temporary data loops might result Example This example shows how to globally set the bridge forward delay to 16 seconds C2 su set spantree fwddelay ...

Page 247: ...ple shows how to display the status of the backup root function on SID 0 C2 rw show spantree backuproot Backup root is set to disable on sid 0 set spantree backuproot Use this command to enable or disable the Spanning Tree backup root function on the switch Syntax set spantree backuproot sid disable enable Parameters Defaults None Mode Switch command read write sid Optional Display backup root sta...

Page 248: ...able the backup root function on SID 2 C2 rw set spantree backuproot 2 enable clear spantree backuproot Use this command to reset the Spanning Tree backup root function to the default state of disabled Syntax clear spantree backuproot sid Parameters Defaults None Mode Switch command read write Example This example shows how to reset the backup root function to disabled on SID 2 C2 rw clear spantre...

Page 249: ...p suppression is enabled which is the device default edge ports such as end station PCs are prevented from sending topology change traps This is because there is usually no need for network management to monitor edge port STP transition states such as when PCs are powered on When topology change trap suppression is disabled all ports including edge and bridge ports will transmit topology change tr...

Page 250: ...es a port to transmit MSTP BPDUs Syntax set spantree protomigration port string Parameters Defaults None Mode Switch command read write Example This example shows how to reset the protocol state migration machine on port 20 C2 su set spantree protomigration ge 1 20 show spantree spanguard Use this command to display the status of the Spanning Tree SpanGuard function Syntax show spantree spanguard ...

Page 251: ... expected to be connected to a workstation or other end user type of device and not to another switch in the network When Spanguard is enabled if a non loopback BPDU is received on an edge port the Spanning Tree state of that port will be changed to blocking and will no longer forward traffic The port will remain disabled until the amount of time defined by set spantree spanguardtimeout set spantr...

Page 252: ...uard function to disabled C2 rw clear spantree spanguard show spantree spanguardtimeout Use this command to display the Spanning Tree SpanGuard timeout setting Syntax show spantree spanguardtimeout Parameters None Defaults None Mode Switch command read only Example This example shows how to display the SpanGuard timeout setting C2 su show spantree spanguardtimeout Spanguard timeout 300 set spantre...

Page 253: ...imeout to the default value of 300 seconds Syntax clear spantree spanguardtimeout Parameters None Defaults None Mode Switch command read write Example This example shows how to reset the SpanGuard timeout to 300 seconds C2 rw clear spantree spanguardtimeout show spantree spanguardlock Use this command to display the SpanGuard lock status of one or more ports Syntax show spantree spanguardlock port...

Page 254: ... as edge user ports as described in set spantree adminedge on page 7 37 Syntax clear spantree spanguardlock port string set spantree spanguardlock port string Parameters Defaults None Mode Switch command read write Example This example shows how to unlock port ge 1 16 C2 rw clear spantree spanguardlock ge 1 16 show spantree spanguardtrapenable Use this command to display the state of the Spanning ...

Page 255: ...ble or disable the sending of an SNMP trap message when SpanGuard has locked a port Syntax set spantree spanguardtrapenable disable enable Parameters Defaults None Mode Switch command read write Example This example shows how to disable the SpanGuard trap function C2 su set spantree spanguardtrapenable disable clear spantree spanguardtrapenable Use this command to reset the Spanning Tree SpanGuard...

Page 256: ...cost Use this command to display the default Spanning Tree path cost setting Syntax show spantree legacypathcost Parameters None Defaults None Mode Switch command read only Example This example shows how to display the default Spanning Tree path cost setting C2 su show spantree legacypathcost Legacy Path Cost is disabled set spantree legacypathcost Use this command to enable or disable legacy 802 ...

Page 257: ... cost values to 802 1D C2 rw set spantree legacypathcost enable clear spantree legacypathcost Use this command to set the Spanning Tree default value for legacy path cost to 802 1t values Syntax clear spantree legacypathcost Defaults None Mode Switch command read write Example This example clears the legacy path cost to 802 1t values C2 rw clear spantree legacypathcost Configuring Spanning Tree Po...

Page 258: ... admin status to enable on one or more ports For information about Refer to page set spantree portadmin 7 32 clear spantree portadmin 7 32 show spantree portadmin 7 33 show spantree portpri 7 33 set spantree portpri 7 34 clear spantree portpri 7 35 show spantree adminpathcost 7 35 set spantree adminpathcost 7 36 clear spantree adminpathcost 7 36 show spantree adminedge 7 37 set spantree adminedge ...

Page 259: ...l ports Mode Switch command read only Example This example shows how to display port admin status for ge 1 1 C2 ro show spantree portadmin port ge 1 1 Port ge 1 1 has portadmin set to enabled show spantree portpri Use this command to show the Spanning Tree priority for one or more ports Port priority is a component of the port ID which is one element used in determining Spanning Tree port roles po...

Page 260: ...r Spanning Tree 0 Mode Switch command read write port port string Optional Specifies the port s for which to display Spanning Tree priority For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 sid sid Optional Displays port priority for a specific Spanning Tree identifier Valid values are 0 4094 If not specified SID 0 is assumed port str...

Page 261: ...ow spantree adminpathcost port port string sid sid Parameters Defaults If port string is not specified admin path cost for all Spanning Tree ports will be displayed If sid is not specified admin path cost for Spanning Tree 0 will be displayed port string Specifies the port s for which to set Spanning Tree port priority For a detailed description of possible port string values refer to Port String ...

Page 262: ...ing Tree 0 Mode Switch command read write Example This example shows how to set the admin path cost to 200 for ge 3 2 on SID 1 C2 su set spantree adminpathcost ge 3 2 200 sid 1 clear spantree adminpathcost Use this command to reset the Spanning Tree default value for port admin path cost to 0 Syntax clear spantree adminpathcost port string sid sid port string Specifies the port s on which to set a...

Page 263: ... Switch command read only Example This example shows how to display the edge port status for ge 3 2 C2 su show spantree adminedge port ge 3 2 Port ge 3 2 has a Port Admin Edge of Edge Port set spantree adminedge Use this command to set the edge port administrative status on a Spanning Tree port port string Specifies the port s for which to reset admin path cost For a detailed description of possib...

Page 264: ...rue clear spantree adminedge Use this command to reset a Spanning Tree port to non edge status Syntax clear spantree adminedge port string Parameters Defaults None Mode Switch command read write Example This example shows how to reset ge 1 11 as a non edge port C2 su clear spantree adminedge ge 1 11 port string Specifies the edge port For a detailed description of possible port string values refer...

Page 265: ...fer to page set spantree lp 7 40 show spantree lp 7 40 clear spantree lp 7 41 show spantree lplock 7 41 clear spantree lplock 7 42 set spantree lpcapablepartner 7 43 show spantree lpcapablepartner 7 43 clear spantree lpcapablepartner 7 44 set spantree lpthreshold 7 44 show spantree lpthreshold 7 45 clear spantree lpthreshold 7 45 set spantree lpwindow 7 46 show spantree lpwindow 7 46 clear spantre...

Page 266: ...w to enable Loop Protect on ge 2 3 C2 su set spantree lp ge 1 11 enable show spantree lp Use this command to display the Loop Protect status per port and or per SID Syntax show spantree lp port port string sid sid Parameters port string Specifies port s on which to enable or disable the Loop Protect feature enable disable Enables or disables the feature on the specified port sid sid Optional Enabl...

Page 267: ...ample This example shows how to return the Loop Protect state on ge 2 3 to disabled C2 rw clear spantree lp port ge 2 3 show spantree lplock Use this command to display the Loop Protect lock status per port and or per SID A port can become locked if a configured number of Loop Protect events occur during the configured window of time See the set spantree lpthreshold and set spantree lpwindow comma...

Page 268: ...ssumed Mode Switch command read only Example This example shows how to clear Loop Protect lock from ge 1 1 C2 rw show spantree lplock port ge 1 1 The LoopProtect lock status for port ge 1 1 SID 0 is LOCKED C2 rw clear spantree lplock ge 1 1 C2 rw show spantree lplock port ge 1 1 The LoopProtect lock status for port ge 1 1 SID 0 is UNLOCKED port string Optional Specifies port s for which to display...

Page 269: ...BPDUs Therefore a conservative approach is taken in that designated ports will not be allowed to forward unless receiving agreements from a port with root role This type of timeout will not be considered a loop protection event Loop protection is maintained by keeping the port from forwarding but since this is not considered a loop event it will not be factored into locking the port Example This e...

Page 270: ...rs to the default state of false Syntax clear spantree lpcapablepartner port string Parameters Defaults None Mode Switch command read write Example This example shows how to reset the Loop Protect partner capability for ge 1 1 C2 rw clear spantree lpcapablepartner ge 1 1 set spantree lpthreshold Use this command to set the Loop Protect event threshold Syntax set spantree lpthreshold value Paramete...

Page 271: ...the threshold is 0 the ports are never locked Example This example shows how to set the Loop Protect threshold value to 4 C2 rw set spantree lpthreshold 4 show spantree lpthreshold Use this command to display the current value of the Loop Protect event threshold Syntax show spantree lpthreshold Parameters None Defaults None Mode Switch command read only Example This example shows how to display th...

Page 272: ... defines a period during which Loop Protect events are counted The default value is 180 seconds If the timer is set to 0 the event counter is not reset until the Loop Protect event threshold is reached If the threshold is reached that constitutes a loop protection event Example This example shows how to set the Loop Protect event window to 120 seconds C2 rw set spantree lpwindow 120 show spantree ...

Page 273: ...tect event window to the default value of 180 seconds Syntax clear spantree lpwindow Parameters None Defaults None Mode Switch command read write Example This example shows how to reset the Loop Protect event window to the default of 180 seconds C2 rw clear spantree lpwindow set spantree lptrapenable Use this command to enable or disable Loop Protect event notification Syntax set spantree lptrapen...

Page 274: ...enable show spantree lptrapenable Use this command to display the current status of Loop Protect event notification Syntax show spantree lptrapenable Parameters None Defaults None Mode Switch command read only Example This example shows how to display the current Loop Protect event notification status C2 rw show spantree lptrapenable The Loop Protect event notification status is enable clear spant...

Page 275: ...e Refer to the 802 1Q 2005 standard IEEE Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks for a full description of the dispute mechanism which prevents looping in cases of one way communication The disputed BPDU threshold is an integer variable that represents the number of disputed BPDUs that must be received on a given port SID until a disputed BPDU trap is ...

Page 276: ...shold The disputed BPDU threshold value is 0 clear spantree disputedbpduthreshold Use this command to return the disputed BPDU threshold to its default value of 0 meaning that disputed BPDU traps should not be sent Syntax clear spantree disputedbpduthreshold Parameters None Defaults None Mode Switch command read write Example This example shows how to reset the disputed BPDU threshold to the defau...

Page 277: ...t to be placed in listening or blocking state include a Loop Protect event receipt of disputed BPDUs and loopback detection Example This example shows how to display the non forwarding reason on ge 1 1 C2 rw show spantree nonforwardingreason port ge 1 1 The non forwarding reason for port ge 1 1 on SID 0 is None port string Specifies port s for which to display the non forwarding reason sid sid Opt...

Page 278: ...show spantree nonforwardingreason 7 52 Spanning Tree Configuration ...

Page 279: ...ciated with a particular VLAN and protocol isolated from the other parts of the network Port String Syntax Used in the CLI For information on how to designate VLANs and port numbers in the CLI syntax refer to Port String Syntax Used in the CLI on page 5 2 Creating a Secure Management VLAN By default at startup there is one VLAN configured on the SecureStack C2 device It is VLAN ID 1 the DEFAULT VL...

Page 280: ...ts will transmit the traffic with a VLAN tag included Step Task Refer to page 1 Create a new VLAN 8 4 2 Set the PVID for the desired switch port to the VLAN created in Step 1 8 7 3 Add the desired switch port to the egress list for the VLAN created in Step 1 8 13 4 Assign host status to the VLAN 8 17 5 Set a private community name and access policy 6 13 Table 8 1 Command Set for Creating a Secure ...

Page 281: ...su show vlan 1 VLAN 1 NAME DEFAULT VLAN VLAN Type Default Egress Ports ge 1 1 10 ge 2 1 4 ge 3 1 7 Forbidden Egress Ports None Untagged Ports ge 1 1 10 ge 2 1 4 ge 3 1 7 Table 8 2 provides an explanation of the command output For information about Refer to page show vlan 8 3 static Optional Displays information related to static VLANs Static VLANs are manually created using the set vlan command se...

Page 282: ...t What It Displays VLAN VLAN ID NAME Name assigned to the VLAN Status Whether it is enabled or disabled VLAN Type Whether it is permanent static or dynamic Egress Ports Ports configured to transmit frames for this VLAN Forbidden Egress Ports Ports prevented from transmitted frames for this VLAN Untagged Ports Ports configured to transmit untagged frames for this VLAN For information about Refer to...

Page 283: ... Examples This example shows how to create VLAN 3 C2 su set vlan create 3 This example shows how to disable VLAN 3 C2 su set vlan disable 3 set vlan name Use this command to set or change the ASCII name for a new or existing VLAN Syntax set vlan name vlan list vlan name Parameters Defaults None Mode Switch command read write Example This example shows how to set the name for VLAN 7 to green C2 su ...

Page 284: ...ame vlan list Parameters Defaults None Mode Switch command read write Example This example shows how to clear the name for VLAN 9 C2 su clear vlan name 9 Assigning Port VLAN IDs PVIDs and Ingress Filtering Purpose To assign default VLAN IDs to untagged frames on one or more ports to configure VLAN ingress filtering and constraints and to set the frame discard mode vlan list Specifies the VLAN ID o...

Page 285: ...n this case untagged frames received on these ports will be classified to VLAN 1 C2 su show port vlan ge 2 1 6 ge 2 1 is set to 1 ge 2 2 is set to 1 ge 2 3 is set to 1 ge 2 4 is set to 1 ge 2 5 is set to 1 ge 2 6 is set to 1 set port vlan Use this command to configure the PVID port VLAN identifier for one or more ports For information about Refer to page show port vlan 8 7 set port vlan 8 7 clear ...

Page 286: ...t VLAN as shown C2 su set port vlan ge 1 10 4 C2 su set vlan 4 create C2 su set vlan egress 4 ge 1 10 untagged C2 su clear vlan egress 1 ge 1 10 clear port vlan Use this command to reset a port s 802 1Q port VLAN ID PVID to the host VLAN ID 1 Syntax clear port vlan port string Parameters Defaults None port string Specifies the port s for which to configure a VLAN identifier For a detailed descript...

Page 287: ...ot specified ingress filtering status for all ports will be displayed Mode Switch command read only Example This example shows how to display the port ingress filter status for ports 10 through 15 in slot 1 In this case the ports are disabled for ingress filtering C2 su show port ingress filter ge 1 10 15 Port State ge 1 10 disabled ge 1 11 disabled ge 1 12 disabled ge 1 13 disabled ge 1 14 disabl...

Page 288: ...r one or more ports Ports can be set to discard frames based on whether or not the frame contains a VLAN tag They can also be set to discard both tagged and untagged frames or neither Syntax show port discard port string Parameters Defaults If port string is not specified frame discard mode will be displayed for all ports Mode Switch command read only port string Specifies the port s on which to e...

Page 289: ...lly allow all traffic or both essentially discarding all traffic A common practice is to discard all tagged packet on user ports Typically an Administrator does not want the end users defining what VLAN they use for communication Example This example shows how to discard all tagged frames received on port ge 3 3 C2 su set port discard ge 3 3 tagged port string Specifies the port s for which to set...

Page 290: ...ticipating in the specified VLAN and ensures that any dynamic requests either through GVRP or dynamic egress for the port to join the VLAN will be ignored Setting a port to untagged allows it to transmit frames without a tag header This setting is usually used to configure a port connected to an end user device Frames sent between VLAN aware switches are typically tagged The default VLAN defaults ...

Page 291: ...this command to prevent one or more ports from participating in a VLAN This setting instructs the device to ignore dynamic requests either through GVRP or dynamic egress for the port to join the VLAN Syntax set vlan forbidden vlan id port string Parameters Defaults None Mode Switch command read write Example This example shows you how to set ge 1 3 to forbidden for VLAN 6 C2 su set vlan forbidden ...

Page 292: ...lot 1 to transmit VLAN 7 frames as untagged C2 su set vlan egress 7 ge 1 2 untagged clear vlan egress Use this command to remove ports from a VLAN s egress list Syntax clear vlan egress vlan list port string forbidden vlan list Specifies the VLAN where a port s will be added to the egress list port string Specifies one or more ports to add to the VLAN egress list of the specified vlan list For a d...

Page 293: ... If vlan list is not specified the dynamic egress status for all VLANs will be displayed Mode Switch command read write Example This example shows how to display the dynamic egress status for VLANs 50 55 C2 rw show vlan dynamicegress 50 55 VLAN 50 is disabled vlan list Specifies the number of the VLAN from which a port s will be removed from the egress list port string Specifies one or more ports ...

Page 294: ...hat is use different ports every day but you want to keep the AppleTalk traffic isolated in its own VLAN You can create an AppleTalk VLAN with a VLAN ID of 55 with a classification rule that all AppleTalk traffic gets tagged with VLAN ID 55 Then you enable dynamic egress for VLAN 55 Now when an AppleTalk user plugs into port ge 3 5 and sends an AppleTalk packet the switch will tag the packet to VL...

Page 295: ... host VLAN C2 su show host vlan Host vlan is 7 set host vlan Use this command to assign host status to a VLAN Syntax set host vlan vlan id Parameters Defaults None Note The host port is the management entity of the device Refer to Creating a Secure Management VLAN on page 8 1 for more information For information about Refer to page show host vlan 8 17 set host vlan 8 17 clear host vlan 8 18 vlan i...

Page 296: ...lan 7 clear host vlan Use this command to reset the host VLAN to the default setting of 1 Syntax clear host vlan Parameters None Defaults None Mode Switch command read write Example This example shows how to set the host VLAN to the default setting C2 su clear host vlan Enabling Disabling GVRP GARP VLAN Registration Protocol About GARP VLAN Registration Protocol GVRP The following sections describ...

Page 297: ... two devices register this in the port egress lists of the ports Switch 1 port 1 and Switch 2 port 1 that received the frames with the information Switch 2 which is connected to Switch 3 and Switch 5 declares the same information to those two devices and the port egress list of each port is updated with the new information accordingly Configuring a VLAN on an 802 1Q switch creates a static VLAN en...

Page 298: ...ng Parameters Defaults If port string is not specified GVRP configuration information will be displayed for all ports and the device Mode Switch command read only Example This example shows how to display GVRP status for the device and for fw 2 1 C2 su show gvrp ge 2 1 Global GVRP status is enabled Port Number GVRP status ge 2 1 disabled For information about Refer to page show gvrp 8 20 show garp...

Page 299: ...ble 8 3 provides an explanation of the command output For details on using the set gvrp command to enable or disable GVRP refer to set gvrp on page 8 22 For details on using the set garp timer command to change default timer values refer to set garp timer on page 8 23 port string Optional Displays GARP timer information for specific port s For a detailed description of possible port string values ...

Page 300: ...le shows how to enable GVRP on ge 1 3 C2 su set gvrp enable ge 1 3 clear gvrp Use this command to clear GVRP status or on one or more ports Syntax clear gvrp port string Parameters Defaults If port string is not specified GVRP status will be cleared for all ports Mode Switch command read write disable enable Disables or enables GVRP on the device port string Optional Disables or enables GVRP on sp...

Page 301: ...w to set the GARP join timer value to 100 centiseconds for all ports C2 su set garp timer join 100 This example shows how to set the leave timer value to 300 centiseconds for all ports C2 su set garp timer leave 300 This example shows how to set the leaveall timer value to 20000 centiseconds for all ports C2 su set garp timer leaveall 20000 join timer value Sets the GARP join timer in centiseconds...

Page 302: ...set garp timer 8 24 802 1Q VLAN Configuration ...

Page 303: ...hat only ports activated for a profile will be allowed to transmit frames accordingly Configuring Policy Profiles Purpose To review create change and remove user profiles that relate to business driven policies for managing network resources For information about Refer to page Policy Classification Configuration Summary 9 1 Configuring Policy Profiles 9 1 Configuring Classification Rules 9 5 Assig...

Page 304: ... Port VID Override 11 CoS 0 CoS Status Disable Egress Vlans none Forbidden Vlans none Untagged Vlans none Rule Precedence 1 31 MACSource 1 MACDest 2 Unknown 3 Unknown 4 Unknown 5 Unknown 6 Unknown 7 Unknown 8 Unknown 9 Unknown 10 Unknown 11 IPSource 12 IPDest 13 IPFrag 14 UDPSrcPort 15 UDPDestPort 16 TCPSrcPort 17 TCPDestPort 18 ICMPType 19 Unknown 20 IPTOS 21 IPProto 22 Unknown 23 Unknown 24 Ethe...

Page 305: ...is profile If all classification rules associated with this profile are missed then this parameter if specified determines default behavior Port VID Override The PVID assigned to packets if PVID override is enabled CoS CoS priority value to assign to packets if CoS override is enabled CoS Status Whether or not Class of Service override is enabled or disabled for this profile If all classification ...

Page 306: ...os Optional Specifies a CoS value to assign to packets if CoS override is enabled and invoked as default behavior Valid values are 0 to 7 egress vlans egress vlans Optional Specifies that the port to which this policy profile is applied should be added to the egress list of the VLANs defined by egress vlans Packets will be formatted as tagged forbidden vlans forbidden vlans Optional Specifies that...

Page 307: ...olicy profiles This maps user profiles to protocol based frame filtering policies Commands show policy rule Use this command to display policy classification rule information profile index Specifies the index number of the profile entry to be deleted Valid values are 1 to 255 Note B3 C3 and G3 devices support profile based CoS traffic rate limiting only Policy rules specifying CoS will not rate li...

Page 308: ...pdestport Displays TCP destination port rules tcpsourceport Displays TCP source port rules udpdestport Displays UDP destination port rules udpsourceport Displays UDP source port rules data Displays rules for a predefined classifier This value is dependent on the classification type entered Refer to Table 9 3 for valid values for each classification type mask mask Optional Displays rules for a spec...

Page 309: ... 16 ge 1 8 A NV 1 admin Port ge 1 9 16 ge 1 9 A NV 1 admin Port ge 1 10 16 ge 1 10 A NV 1 admin Port ge 1 11 16 ge 1 11 A NV 1 admin Port ge 1 12 16 ge 1 12 A NV 1 Table 9 2 provides an explanation of the command output verbose Optional Displays detailed information usage list Optional If selected each ruleʹs usage list shall be checked and shall display only those ports which have applied this ru...

Page 310: ... possible classifiable traffic attributes The next two columns from the left indicate how policy profiles may be assigned either administratively or dynamically The next four columns from the left indicate the actions that may be performed The last three columns indicate auditing options An x in an action column for a traffic attribute row indicates that your system has the capability to perform t...

Page 311: ...e address IPX destination address IPX source socket IPX destination socket IPX transmission control IPX type field IPv6 source address IPv6 destination address IPv6 flow label IP source address X X X IP destination address X X X IP fragmentation UDP port source X X X UDP port destination X X X TCP port source X X X TCP port destination X X X ICMP packet type X X X TTL IP type of service X X X IP p...

Page 312: ... index number Policy profiles are configured with the set policy profile command as described in set policy profile on page 9 3 Valid profile index values are 1 255 port string port string Optional Assigns this rule to the specified policy profile on specific ingress port s Rule would not be used until policy is assigned to the specified port s using the set policy port command as described in set...

Page 313: ...an Classifies to a VLAN ID cos cos Specifies that this rule will classify to a Class of Service ID Valid values are 0 4095 A value of 1 indicates that no CoS forwarding behavior modification is desired Not supported on B3 C3 and G3 drop forward Specifies that packets within this classification will be dropped or forwarded Table 9 3 Valid Values for Policy Classification Rules Classification Rule P...

Page 314: ... 0 and the other to clear a classification rule clear policy rule admin profile vlantag data mask mask clear policy rule profile index all pid entries ether icmptype ipproto ipdestsocket ipsourcesocket iptos macdest macsource tcpdestport tcpsourceport udpdestport udpsourceport Parameters The following parameters apply to deleting an admin rule The following parameters apply to deleting a classific...

Page 315: ...te classification rules Valid profile index values are 1 255 all pid entries Deletes all entries associated with the specified policy profile ether Deletes associated Ethernet II classification rule icmptype Deletes associated ICMP classification rule ipproto Deletes associated IP protocol classification rule ipdestsocket Deletes associated IP destination classification rule ipsourcesocket Deletes...

Page 316: ...rs Defaults None Mode Switch command read write Note The C2 switch supports up to eight user policies per port For information about Refer to page set policy port 9 14 clear policy port 9 15 port string Specifies the port s to add to the policy profile For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 profile index Specifies the ID of...

Page 317: ...stion The higher priority traffic going through the device is serviced first before lower priority traffic The Class of Service capability of the device is implemented by a priority queueing mechanism Class of Service is based on the IEEE 802 1D 802 1p standard specification and allows you to define eight priorities 0 7 with 7 granted highest priority and up to 8 transmit queues 0 7 for each port ...

Page 318: ...ed CoS configuration involves the following steps and associated commands listed in Procedure 9 1 An example follows the procedure Example This example creates different inbound rate limiters for two port groups and then assigns them to traffic with a CoS setting of 0 1 Configure two port groups one for user ports and one for uplink ports and assign ports to the groups Port group 1 0 will represen...

Page 319: ... 1 irl kbps 10000 drop none 3 In the CoS IRL reference mapping table for each port group create a reference for each IRL resource created in the previous step We will use reference number 1 C2 su set cos reference irl 1 0 1 rate limit 1 C2 su set cos reference irl 2 0 1 rate limit 1 C2 su show cos reference irl 1 0 Group Index Reference Type Rate Limiter 1 0 0 irl none 1 0 1 irl 1 1 0 2 irl none 1...

Page 320: ...19 clear cos state 9 19 set cos settings 9 20 clear cos settings 9 21 show cos settings 9 21 set cos port config 9 22 show cos port config 9 23 clear cos port config 9 24 set cos port resource 9 25 show cos port resource 9 26 clear cos port resource 9 26 set cos reference 9 27 show cos reference 9 28 clear cos reference 9 29 show cos unit 9 30 clear cos all entries 9 30 show cos port type 9 31 ena...

Page 321: ...tate Parameters None Defaults None Mode Switch command read only Example This example shows how to show the Class of Service enable state C2 rw show cos state Class of Service application is enabled clear cos state Use this command to set CoS state back to its default setting of disabled Syntax clear cos state Parameters None Defaults None Mode Switch command read write Example This example shows ...

Page 322: ...can be configured Priority 802 1p priority can be applied per CoS index For each new CoS index created the user has the option to assign an 802 1p priority value 0 to 7 for the class of service CoS indexes 0 through 7 map directly to 802 1p priorities and cannot be changed as they exist for backward compatibility ToS This value can be set per class of service but is not required When a frame is as...

Page 323: ...Service entry settings Syntax clear cos settings cos list all priority tos value irl reference Parameters Defaults None Mode Switch command read write Example This example shows how to clear the priority for CoS entry 8 C2 rw clear cos settings 8 priority show cos settings Use this command to display Class of Service parameters Syntax show cos settings cos list Parameters Defaults If not specified...

Page 324: ...Specifies that this is an inbound rate limiting IRL port group group type index Specifies an inbound rate limiting port group type index Valid entries are in the form of group port type Valid values for group can range from 0 to 7 Valid values for port type can range from 0 to 1 although only port type 0 is currently supported For example port group 3 would be specified as 3 0 name name Optional U...

Page 325: ... rate limit while Uplink ports can be assigned another DFE supports a maximum of 8 port groups per CoS function IRL The command show cos port config displays each IRL port group configured by group and type with the group name and associated assigned ports The command show cos port type displays the available inbound rate limiting resources for the port type Example This example configures two por...

Page 326: ...ng groups or assigned ports Syntax clear cos port config irl all group type index entry name ports Parameters Defaults None Mode Switch command read write irl Clear an IRL port group configuration all Clear all inbound rate limiting port config non default entries group type index Delete a specific port group or group name or clear the ports from that group Valid entries are in the form of group p...

Page 327: ...s rate limiting Inbound rate limiting or rate policing simply drops or clips traffic inbound if a configured rate is exceeded CoS inbound rate limiting allows the user to configure rate limits based on kilobits per second irl Set an IRL port resource group type index Specifies an inbound rate limiting port group type index Valid entries are in the form of group port type Valid values for group can...

Page 328: ...ps will be shown Mode Switch command read only Example This example displays the IRL resource index number 1 configuration for group 2 0 C2 su show cos port resource irl 2 0 1 after the rate value indicates an invalid rate value Group Index Resource Type Unit Rate Rate Limit Type Action 2 0 1 irl kbps 10000 drop none clear cos port resource Use this command to set the inbound rate limit in Kbps ir...

Page 329: ...of group port type Valid values for group can range from 0 to 7 Valid values for port type can range from 0 to 1 although only port type 0 is currently supported For example port group 3 would be specified as 3 0 irl index Optional Inbound rate limiter resource index associated with the specified port group Valid values range from 0 to 99 unit Clear the unit of measure for the inbound rate limiter...

Page 330: ...le can be displayed using the show cos reference command Example In the CoS IRL reference mapping table for port groups 1 0 and 2 0 create a reference for the IRL resource number 1 created for each group The reference number 1 is used C2 su set cos reference irl 1 0 1 rate limit 1 C2 su set cos reference irl 2 0 1 rate limit 1 show cos reference Use this command to show the Class of Service inboun...

Page 331: ...ation Syntax clear cos reference irl all group type index reference Parameters Defaults None Mode Switch command read write Example This example shows how to clear the CoS inbound rate limiting reference configuration for all groups C2 su clear cos reference irl all irl Specifies that IRL references are being cleared all Clear all groups indexes and references group type index Specifies an inbound...

Page 332: ...g C2 su show cos unit Type Unit irl inbound rate limiting Kbps Kilobits per second Port Type Type Unit Maximum Rate Minimum Rate Granularity 0 irl Kbps 1000000 512 1 clear cos all entries Use this command to clear all Class of Service entries except entries 0 7 Syntax clear cos all entries Parameters None Defaults None Mode Switch command read write Example This example shows how to clear the CoS ...

Page 333: ...all port types is displayed Mode Switch command read only Usage The C2 implementation provides one default port type 0 for designating available inbound rate limiting resources Port type 0 includes all ports The port type 0 description is C2100 IRL which indicates that this port type provides a maximum of 100 inbound rate limiting resources per port group irl Optional Displays inbound rate limitin...

Page 334: ...limiting information for port type 0 C2 su show cos port type irl 0 Number of resources Supported rate types irl inbound rate limiter s Kbps kilobits per second Port type Number of Supported Eligible Unselected Index description limiters rate type ports ports 0 C2 100 IRL 100 kbps ge 1 1 48 ge 1 1 48 ...

Page 335: ...without priority information in its tag header is assigned a priority according to the default priority setting on the port For example if the priority of a port is set to 4 the frames received through that port without a priority indicated in their tag header are classified as a priority 4 and transmitted according to that priority In addition the device s rate limiting capabilities allow you to ...

Page 336: ...Mode Switch command read only Example This example shows how to display the port priority for the ge 2 1 through 5 C2 su show port priority ge 2 1 5 ge 2 1 is set to 0 ge 2 2 is set to 0 ge 2 3 is set to 0 ge 2 4 is set to 0 ge 2 5 is set to 0 set port priority Use this command to set the 802 1D 802 1p Class of Service transmit priority 0 through 7 on each port A port receiving a frame without pri...

Page 337: ...e this command to reset the current CoS port priority setting to 0 This will cause all frames received without a priority value in its header to be set to priority 0 Syntax clear port priority port string Parameters Defaults None Mode Switch command read write Example This example shows how to reset ge 1 11 to the default priority port string Specifies the port for which to set priority For a deta...

Page 338: ...rity queue settings for one or more ports Commands show port priority queue Use this command to display the port priority levels 0 through 7 with 0 as the lowest level associated with the current transmit queues 0 being the lowest priority for each selected port A frame with a certain port priority is transmitted according to the settings entered using the set port priority queue command described...

Page 339: ...izing various data and control traffic The 7th and 8th queues are reserved for stacking if applicable and network control related communications Refer to Configuring Quality of Service QoS on page 10 6 for more information about configuring the priority mode and weight for these queues Priority to transmit queue mapping on an individual port basis can only be configured on Gigabit Ethernet ports g...

Page 340: ...ueues are implemented in the switch hardware for each port but only six are available for use in prioritizing various data and control traffic The seventh and eighth queues are reserved for stacking if applicable and network control related communications The commands in this section allow you to set the priority mode and weight for each of the available six queues queues 0 through 5 for each phys...

Page 341: ... 2 10 15 20 24 29 SP SP ge 1 14 WRR 2 10 15 20 24 29 SP SP ge 1 15 WRR 2 10 15 20 24 29 SP SP ge 1 16 WRR 2 10 15 20 24 29 SP SP ge 1 17 WRR 2 10 15 20 24 29 SP SP ge 1 18 WRR 2 10 15 20 24 29 SP SP ge 1 19 WRR 2 10 15 20 24 29 SP SP ge 1 20 WRR 2 10 15 20 24 29 SP SP ge 1 21 WRR 2 10 15 20 24 29 SP SP ge 1 22 WRR 2 10 15 20 24 29 SP SP ge 1 23 WRR 2 10 15 20 24 29 SP SP ge 1 24 WRR 2 10 15 20 24 ...

Page 342: ...t Queues can be changed back to WRR by changing the weight of queues 0 through 5 or by issuing the clear port txq command Examples This example shows how to change the arbitration values for the six transmit queues belonging to ge 1 1 C2 su set port txq ge 1 1 17 17 17 17 16 16 This example shows how to change the algorithm to strict priority for the six transmit queues belonging to ge 1 1 C2 su s...

Page 343: ...or a given port and list of priorities The list of priorities can include one some or all of the eight 802 1p priority levels Once configured the rate of all traffic entering the port with the priorities configured to that port is not allowed to exceed the programmed limit If the rate exceeds the programmed limit frames are dropped until the rate falls below the limit port string Clears transmit q...

Page 344: ...2 1 2 64 discard inbound 0 disabled ge 2 1 3 64 discard inbound 0 disabled ge 2 1 4 64 discard inbound 0 disabled ge 2 1 5 64 discard inbound 0 disabled ge 2 1 6 64 discard inbound 0 disabled ge 2 1 7 64 discard inbound 0 disabled ge 2 1 8 64 discard inbound 0 disabled Table 10 1 provides an explanation of the command output For information about Refer to page show port ratelimit 10 10 set port ra...

Page 345: ...1D 802 1p port priority level Status Whether or not this rule is active or disabled Table 10 1 show port ratelimit Output Details Continued Output What It Displays disable enable When entered without a port string globally disables or enables the port rate limiting function When entered with a port string disables or enables rate limiting on specific port s when the global function is enabled port...

Page 346: ... to clear rate limiting parameters for one or more ports Syntax clear port ratelimit port string index Parameters Defaults If not specified all index entries will be reset Mode Switch command read write Example This example shows how to clear all rate limitingparameters on port ge 2 1 C2 su clear port ratelimit ge 2 1 port string Specifies the port s on which to clear rate limiting For a detailed ...

Page 347: ...ket delivery service since it is only concerned with forwarding multicast traffic from the local device to group members on a directly attached subnetwork or LAN segment This device supports IP multicast group management by passively snooping on the IGMP query and IGMP report packets transferred between IP multicast devices and IP multicast host groups to learn IP multicast group members The purpo...

Page 348: ... to query for any attached hosts who want to receive a specific multicast service The device looks up the IP Multicast Group used for this service and adds any port that received a similar request to that group It then propagates the service request on to any neighboring multicast switch router to ensure that it will continue to receive the multicast service Configuring IGMP at Layer 2 Purpose To ...

Page 349: ...nooping Admin Mode Enable Group Membership Interval 260 Max Response Time 100 Multicast Router Present Expiration Time 0 Interfaces Enabled for IGMP Snooping ge 1 1 ge 1 2 ge 1 3 Multicast Control Frame Count 0 Data Frames Forwarded by the CPU 0 set igmpsnooping adminmode Use this command to enable or disable IGMP on the system Syntax set igmpsnooping adminmode enable disable Parameters Defaults N...

Page 350: ...mpsnooping adminmode on page 11 3 and then enabled on a port s using this command Example This example shows how to enable IGMP on ports ge 1 10 C2 su set igmpsnooping interfacemode ge 1 10 enable set igmpsnooping groupmembershipinterval Use this command to configure the IGMP group membership interval time for the system Syntax set igmpsnooping groupmembershipinterval time Parameters port string S...

Page 351: ...stem Syntax set igmpsnooping maxresponse time Parameters Defaults None Mode Switch command read write Usage This value must be less than the IGMP maximum response time described in set igmpsnooping groupmembershipinterval on page 11 4 Example This example shows how to set the IGMP maximum response time to 100 seconds C2 su set igmpsnooping maxresponse 100 set igmpsnooping mcrtrexpiretime Use this ...

Page 352: ... an existing entry Syntax set igmpsnooping add static group vlan list modify port string Parameters Defaults If no ports are specified all ports are added to the entry If modify is not specified a new entry is created Mode Switch command read write Usage Use this command to create and configure Layer 2 IGMP entries time Specifies the IGMP multicast router expiration time Valid values are 0 3600 se...

Page 353: ...rt ge 1 1 from the entry for the multicast group with IP address of 233 11 22 33 configured on VLAN 20 C2 su set igmpsnooping remove static 233 11 22 33 20 ge 1 1 show igmpsnooping static This command displays static IGMP ports for one or more VLANs or IGMP groups Syntax show igmpsnooping static vlan list group group Parameters Defaults If no group is specified information for all groups is displa...

Page 354: ...witch command read only Examples This example shows how to display multicast forwarding database entries C2 su show igmpsnooping mfdb MAC Address Type Description Interfaces 00 14 01 00 5E 02 CD B0 Dynamic Network Assist Fwd ge 1 1 ge 3 1 ge 4 1 00 32 01 00 5E 37 96 D0 Dynamic Network Assist Fwd ge 4 7 00 32 01 00 5E 7F FF FA Dynamic Network Assist Fwd ge 4 7 This example shows how to display mult...

Page 355: ... Commands Router The commands covered in this section can be executed only when the device is in router mode For details on how to enable router configuration modes refer to Enabling Router Configuration Modes on page 15 2 For information about Refer to page ip igmp 11 10 ip igmp enable 11 10 ip igmp version 11 11 show ip igmp interface 11 11 show ip igmp groups 11 12 ip igmp query interval 11 12 ...

Page 356: ...shows how to enable IGMP on the router C2 su router Config ip igmp ip igmp enable Use this command to enable IGMP on an interface The no form of this command disables IGMP on an interface Syntax ip igmp enable no ip igmp enable Parameters None Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to enable IGMP on the VLAN 1 interface C2 su router ...

Page 357: ... how to set the IGMP version to version 1 on VLAN 1 C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip igmp version 1 show ip igmp interface Use this command to display information about one or more IGMP routing interfaces Syntax show ip igmp interface vlan vlan id Parameters Defaults If not specified information will be displayed for all VLANs configured for IGMP routing Mode A...

Page 358: ...1 10 of a second Last Member Query Count is 2 show ip igmp groups Use this command to display a list of IGMP streams and client connection ports Syntax show ip igmp groups Parameters None Defaults None Mode Any router mode Example This example shows how to display information about IGMP groups C2 su router show ip igmp groups REGISTERED MULTICAST GROUP DETAILS Multicast Version1 IP Address Last Re...

Page 359: ...mum response time to the default value of 100 one tenth of a second Syntax ip igmp query max response time time no ip igmp query max response time Parameters Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to set the IGMP query maximum response time interval to 200 2 tenths of a second on VLAN 1 C2 su router Config interface vlan 1 C2 su rout...

Page 360: ...startup query count Use this command to set the number of IGMP queries sent out on startup separated by the startup query interval as described in ip igmp startup query interval on page 11 14 The no form of this command resets the IGMP startup query count to the default value of 2 Syntax ip igmp startup query count count no ip igmp startup query count Parameters Defaults None Mode Interface config...

Page 361: ...ember query interval to 10 seconds on VLAN 1 C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip igmp last member query interval 10 ip igmp last member query count Use this command to set the number of group specific queries sent before assuming there are no local members The no form of this command resets the IGMP last member query count to the default value of 2 Syntax ip igmp ...

Page 362: ...ax ip igmp robustness robustness no ip igmp robustness Parameters Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Usage This value determines how many times IGMP messages will be sent A higher number will mean that end stations will be more likely to see the packet After the robustness value is reached IGMP will assume there is no response to queries Example This example s...

Page 363: ...switch CLI only For information on router related network management tasks including reviewing router ARP tables and IP traffic refer to Chapter 16 For information about Refer to page Configuring System Logging 12 1 Monitoring Network Events and Status 12 11 Managing Switch Network Addresses and Routes 12 15 Configuring Simple Network Time Protocol SNTP 12 25 Configuring Node Aliases 12 32 For inf...

Page 364: ...ing application 12 8 show logging local 12 9 set logging local 12 9 clear logging local 12 10 show logging buffer 12 10 For information about Refer to page index Optional Displays Syslog information pertaining to a specific server table entry Valid values are 1 8 Table 12 1 show logging server Output Details Output What It Displays IP Address Syslog server s IP address For details on setting this ...

Page 365: ...9 113 facility local4 severity level 3 on port 514 C2 su set logging server 1 ip addr 134 141 89 113 facility local4 severity 3 port 514 state enable index Specifies the server table index number for this server Valid values are 1 8 ip addr ip addr Optional Specifies the Syslog message server s IP address facility facility Optional Specifies the server s facility name Valid values are local0 to lo...

Page 366: ...C2 su clear logging server 1 show logging default Use this command to display the Syslog server default values Syntax show logging default Parameters None Defaults None Mode Switch command read only Example This command shows how to display the Syslog server default values For an explanation of the command output refer back to Table 12 1 on page 12 2 C2 su show logging default Facility Severity Po...

Page 367: ... severity 4 clear logging default Use this command to reset logging default values Syntax clear logging default facility severity port facility facility Specifies the default facility name Valid values are local0 to local7 severity severity Specifies the default logging severity level Valid values and corresponding levels are 1 emergencies system is unusable 2 alerts immediate action required 3 cr...

Page 368: ...rameter is specified information for all applications will be displayed Mode Switch command read only facility Optional Resets the default facility name to local4 severity Optional Resets the default logging severity level to 6 notifications of significant conditions port Optional Resets the default UDP port the client uses to send to the server to 514 mnemonic Optional Displays severity level for...

Page 369: ...scription for applications being logged Current Severity Level Severity level at which the server is logging messages for the listed application This range from 1 to 8 and its associated severity list is shown in the CLI output For a description of these entries which are set using the set logging application command refer to set logging application on page 12 7 mnemonic Specifies a case sensitive...

Page 370: ...c all level level Optional Specifies the severity level at which the server will log messages for applications Valid values and corresponding levels are 1 emergencies system is unusable 2 alerts immediate action required 3 critical conditions 4 error conditions 5 warning conditions 6 notifications significant conditions 7 informational messages 8 debugging messages Table 12 3 Mnemonic Values for L...

Page 371: ...Example This example shows how to display the state of message logging In this case logging to the console is enabled and logging to a persistent file is disabled C2 su show logging local Syslog Console Logging enabled Syslog File Logging disabled set logging local Use this command to configure log messages to the console and a persistent file Syntax set logging local console enable disable file e...

Page 372: ...ommand to clear the console and persistent store logging for the local session Syntax clear logging local Parameters None Defaults None Mode Switch command read write Example This example shows how to clear local logging C2 su clear logging local show logging buffer Use this command to display the last 256 messages logged Syntax show logging buffer Parameters None console enable disable Enables or...

Page 373: ... 1 100 telnet Monitoring Network Events and Status Purpose To display switch events and command history to set the size of the history buffer and to display and disconnect current user sessions Commands history Use this command to display the contents of the command history buffer The command history buffer includes all the switch commands entered up to a maximum of 100 as specified in the set his...

Page 374: ...ry 1 hist 2 show gvrp 3 show vlan 4 show igmp 5 show ip address show history Use this command to display the size in lines of the history buffer Syntax show history Parameters None Defaults None Mode Switch command read only Example This example shows how to display the size of the history buffer C2 su show history History buffer size 20 set history Use this command to set the size of the history ...

Page 375: ... This example shows how to ping IP address 134 141 89 29 In this case this host is alive C2 su ping 134 141 89 29 134 141 89 29 is alive In this example the host at IP address is not responding C2 su ping 134 141 89 255 no answer from 134 141 89 255 show users Use this command to display information about the active console port or Telnet session s logged in to the switch size Specifies the size o...

Page 376: ...net rw 134 141 192 18 disconnect Use this command to close an active console port or Telnet session from the switch CLI Syntax disconnect ip addr console Parameters Defaults None Mode Switch command read write Examples This example shows how to close a Telnet session to host 134 141 192 119 C2 su disconnect 134 141 192 119 This example shows how to close the current console session C2 su disconnec...

Page 377: ...ay the switch s ARP table Syntax show arp Parameters None Defaults None Mode Switch command read only For information about Refer to page show arp 12 15 set arp 12 16 clear arp 12 17 traceroute 12 17 show mac 12 18 show mac agetime 12 19 set mac agetime 12 20 clear mac agetime 12 20 set mac algorithm 12 21 show mac algorithm 12 21 clear mac algorithm 12 22 set mac multicast 12 22 clear mac address...

Page 378: ...arameters Defaults None Mode Switch command read write Example This example shows how to map IP address 192 168 219 232 to MAC address 00 00 0c 40 0f bc C2 su set arp 192 168 219 232 00 00 0c 40 0f bc Table 12 4 show arp Output Details Output What It Displays IP Address IP address mapped to MAC address Phys Address MAC address mapped to IP address Flags Route status Possible values and their defin...

Page 379: ...ime f first ttl m max ttl p port q nqueries r d n v host Parameters ip address all Specifies the IP address in the ARP table to be cleared or clears all ARP entries w waittime Optional Specifies time in seconds to wait for a response to a probe f first ttl Optional Specifies the time to live TTL of the first outgoing probe packet m max ttl Optional Specifies the maximum time to live TTL used in ou...

Page 380: ...ceroute to 192 167 252 17 192 167 252 17 30 hops max 40 byte packets 1 matrix enterasys com 192 167 201 40 20 000 ms 20 000 ms 20 000 ms 2 14 1 0 45 14 1 0 45 40 000 ms 10 000 ms 20 000 ms 3 192 167 252 17 192 167 252 17 50 000 ms 0 000 ms 20 000 ms show mac Use this command to display MAC addresses in the switch s filtering database These are addresses learned on a port through the switching proc...

Page 381: ... the command output show mac agetime Use this command to display the timeout period for aging learned MAC entries Syntax show mac agetime Parameters None Defaults None Table 12 5 show mac Output Details Output What It Displays MAC Address MAC addresses mapped to the port s shown FID Filter database identifier Port Port designation Type Address type Valid types are Learned Self Management Other mca...

Page 382: ...time Parameters Defaults None Mode Switch command read only Example This example shows how to set the MAC timeout period C2 su set mac agetime 250 clear mac agetime Use this command to reset the timeout period for aging learned MAC entries to the default value of 300 seconds Syntax clear mac agetime Parameters None Defaults None Mode Switch command read only time Specifies the timeout period in se...

Page 383: ...ge Each algorithm is optimized for a different spread of MAC addresses When changing this mode the switch will display a warning message and prompt you to restart the device The default MAC algorithm is mac crc16 upperbits Example This example sets the hashing algorithm to mac crc32 upperbits C2 rw set mac algorithm mac crc32 upperbits show mac algorithm This command displays the currently selecte...

Page 384: ...ntax clear mac algorithm Parameters None Defaults None Mode Switch command read write Example This example resets the MAC hashing algorithm to the default value C2 su clear mac algorithm set mac multicast Use this command to define on what ports within a VLAN a multicast address can be dynamically learned on or on what ports a frame with the specified MAC address can be flooded Also use this comma...

Page 385: ...nd read write Example This example clears multicast MAC address 01 01 22 33 44 55 from VLAN 24 C2 su clear mac multicast 01 01 22 33 44 55 24 mac address Specifies the multicast MAC address The MAC address can be formatted as xx xx xx xx xx xx or xx xx xx xx xx xx vlan id Specifies the VLAN ID containing the ports port string Specifies the port or range of ports the multicast MAC address can be le...

Page 386: ...ved flood is disabled set mac unreserved flood Use this command to enable or disable multicast flood protection When enabled this prevents policy profiles requiring a full 10 masks from being loaded Syntax set mac unreserved flood disable enable Parameters Defaults None Mode Switch command read write Usage The following addresses will be forwarded when this function is enabled 01 80 C2 00 00 11 01...

Page 387: ...chronizes device clocks in a network Commands show sntp Use this command to display SNTP client settings Syntax show sntp Parameters None Defaults None Mode Switch command read only For information about Refer to page show sntp 12 25 set sntp client 12 27 clear sntp client 12 27 set sntp server 12 28 clear sntp server 12 28 set sntp poll interval 12 29 clear sntp poll interval 12 29 set sntp poll ...

Page 388: ... on page 12 27 Broadcast Count Number of SNTP broadcast frames received Poll Interval Interval between SNTP unicast requests Default of 512 seconds can be reset using the set sntp poll interval command set sntp poll interval on page 12 29 Poll Retry Number of poll retries to a unicast SNTP server Default of 1 can be reset using the set sntp poll retry command set sntp poll retry on page 12 30 Poll...

Page 389: ...tp client broadcast clear sntp client Use this command to clear the SNTP client s operational mode Syntax clear sntp client Parameters None Defaults None Mode Switch command read write Example This example shows how to clear the SNTP client s operational mode C2 su clear sntp client broadcast Enables SNTP in broadcast client mode unicast Enables SNTP in unicast point to point client mode In this m...

Page 390: ...er C2 su set sntp server 10 21 1 100 clear sntp server Use this command to remove one or all servers from the SNTP server list Syntax clear sntp server ip address all Parameters Defaults None Mode Switch command read write Example This example shows how to remove the server at IP address 10 21 1 100 from the SNTP server list C2 su clear sntp server 10 21 1 100 ip address Specifies the SNTP server ...

Page 391: ... This example shows how to set the SNTP poll interval to 30 seconds C2 su set sntp poll interval 30 clear sntp poll interval Use this command to clear the poll interval between unicast SNTP requests Syntax clear sntp poll interval Parameters None Defaults None Mode Switch command read write Example This example shows how to clear the SNTP poll interval C2 su clear sntp poll interval interval Speci...

Page 392: ...e This example shows how to set the number of SNTP poll retries to 5 C2 su set sntp poll retry 5 clear sntp poll retry Use this command to clear the number of poll retries to a unicast SNTP server Syntax clear sntp poll retry Parameters None Defaults None Mode Switch command read write Example This example shows how to clear the number of SNTP poll retries C2 su clear sntp poll retry retry Specifi...

Page 393: ...h command read write Example This example shows how to set the SNTP poll timeout to 10 seconds C2 su set sntp poll timeout 10 clear sntp poll timeout Use this command to clear the SNTP poll timeout Syntax clear sntp poll timeout Parameters None Defaults None Mode Switch command read write Example This example shows how to clear the SNTP poll timeout C2 su clear sntp poll timeout timeout Specifies ...

Page 394: ... be displayed for all ports Mode Switch command read only Example This example shows how to display node alias configuration settings for ports ge 2 1 through 9 C2 rw show nodealias config ge 2 1 9 Port Number Max Entries Used Entries Status ge 2 1 16 0 Enable ge 2 2 47 0 Enable ge 2 3 47 2 Enable ge 2 4 47 0 Enable ge 2 5 47 0 Enable ge 2 6 47 2 Enable ge 2 7 47 0 Enable ge 2 8 47 0 Enable ge 2 9...

Page 395: ...d in clear nodealias config on page 12 34 Example This example shows how to disable the node alias agent on ge 1 3 C2 su set nodealias disable ge 1 3 Table 12 7 show nodealias config Output Details Output What It Displays Port Number Port designation Max Entries Maximum number of alias entries configured for this port Used Entries Number of alias entries out of the maximum amount configured alread...

Page 396: ...bled and clear the maximum entries value Syntax clear nodealias config port string Parameters Defaults None Mode Switch command read write Example This example shows how to reset the node alias configuration on ge 1 3 C2 su clear nodealias config ge 1 3 port string Specifies the port s on which to reset the node alias configuration ...

Page 397: ... groups supported on SecureStack C2 devices each group s function and the elements it monitors and the associated configuration commands needed For information about Refer to page RMON Monitoring Group Functions 13 1 Statistics Group Commands 13 3 History Group Commands 13 5 Alarm Group Commands 13 7 Event Group Commands 13 11 Filter Group Commands 13 14 Packet Capture Commands 13 19 Table 13 1 RM...

Page 398: ... of events from the device Event type description last time event was sent show rmon event on page 13 11 set rmon event properties on page 13 12 set rmon event status on page 13 13 clear rmon event on page 13 14 Filter Allows packets to be matched by a filter equation These matched packets form a data stream or channel that may be captured Packets matching the filter configuration show rmon channe...

Page 399: ...l ports Mode Switch command read only Example This example shows how to display RMON statistics for Gigabit Ethernet port 1 in switch 1 C2 su show rmon stats ge 1 1 Port ge 1 1 Index 1 Owner monitor Data Source ifIndex 1 Drop Events 0 Packets 0 Collisions 0 Octets 0 Jabbers 0 0 64 Octets 0 Broadcast Pkts 0 65 127 Octets 0 Note Due to hardware limitations the only frame error counted is oversized f...

Page 400: ...rite Example This example shows how to configure RMON statistics entry 2 for ge 1 20 C2 rw set rmon stats 2 ge 1 20 clear rmon stats Use this command to delete one or more RMON statistics entries Syntax clear rmon stats index list to defaults Parameters Defaults None index Specifies an index for this statistics entry port string Specifies port s to which this entry will be assigned owner Optional ...

Page 401: ...port string is not specified information about all RMON history entries will be displayed Mode Switch command read only Example This example shows how to display RMON history entries for Gigabit Ethernet port 1 in switch 1 A control entry displays first followed by actual entries corresponding to the control entry In this case the default settings for entry owner sampling interval and maximum numb...

Page 402: ...uckets buckets interval interval owner owner Parameters Defaults If buckets is not specified the maximum number of entries maintained will be 50 If not specified interval will be set to 30 seconds If owner is not specified monitor will be applied Mode Switch command read write Example This example shows how configure RMON history entry 1 on port ge 2 1 to sample every 20 seconds C2 rw set rmon his...

Page 403: ...and clear RMON alarm entries and properties Commands show rmon alarm Use this command to display RMON alarm entries The RMON alarm group periodically takes statistical samples from RMON variables and compares them with previously configured thresholds If the monitored variable crosses a threshold an RMON event is generated index list Specifies one or more history entries to be deleted causing them...

Page 404: ...ble 13 2 show rmon alarm Output Details Output What It Displays Index Index number for this alarm entry Owner Text string identifying who configured this entry Status Whether this event entry is enabled valid or disabled Variable MIB object to be monitored Sample Type Whether the monitoring method is an absolute or a delta sampling Startup Alarm Whether alarm generated when this entry is first ena...

Page 405: ...cifies the monitoring method as sampling the absolute value of the object or the difference delta between object samples startup rising falling either Optional Specifies the type of alarm generated when this event is first enabled as Rising Sends alarm when an RMON event reaches a maximum threshold condition is reached for example more than 30 collisions per second Falling Sends alarm when RMON ev...

Page 406: ...nd to enable an RMON alarm entry An alarm is a notification that a statistical sample of a monitored variable has crossed a configured threshold Syntax set rmon alarm status index enable Parameters Defaults None Mode Switch command read write Usage An RMON alarm entry can be created using this command configured using the set rmon alarm properties command set rmon alarm properties on page 13 9 the...

Page 407: ...ch command read write Example This example shows how to clear RMON alarm entry 1 C2 rw clear rmon alarm 1 Event Group Commands Purpose To display and clear RMON events and to configure RMON event properties Commands show rmon event Use this command to display RMON event entry properties index Specifies the index number of entry to be cleared For information about Refer to page show rmon event 13 1...

Page 408: ...event entry or to create a new event entry with an unused event index number Syntax set rmon event properties index description description type none log trap both community community owner owner index Optional Displays RMON properties and log entries for a specific entry index ID Table 13 3 show rmon event Output Details Output What It Displays Index Index number for this event entry Owner Text s...

Page 409: ...N alarms and can be configured to create a log entry generate a trap or both Syntax set rmon event status index enable Parameters Defaults None index Specifies an index number for this entry Maximum number of entries is 100 Maximum value is 65535 description description Optional Specifies a text string description of this event type none log trap both Optional Specifies the type of RMON event noti...

Page 410: ...te Example This example shows how to clear RMON event 1 C2 rw clear rmon event 1 Filter Group Commands The packet capture and filter function is disabled by default Only one interface can be configured for capturing and filtering at a time When packet capture is enabled on an interface the SecureStack C2 switch will capture 100 frames as close to sequentially as possible These 100 frames will be p...

Page 411: ...ports Syntax show rmon channel port string Parameters Defaults If port string is not specified information about all channels will be displayed Mode Switch command read only Example This example shows how to display RMON channel information for ge 2 12 C2 rw show rmon channel ge 2 12 Port ge 2 12 Channel index 628 EntryStatus valid Control off AcceptType matched OnEventIndex 0 OffEventIndex 0 Even...

Page 412: ...d control on description capture all clear rmon channel Use this command to clear an RMON channel entry Syntax clear rmon channel index index Specifies an index number for this entry An entry will automatically be created if an unused index number is chosen Maximum number of entries is 2 Maximum value is 65535 port string Specifies the port on which traffic will be monitored accept matched failed ...

Page 413: ...ation for all filter entries will be displayed Mode Switch command read only Example This example shows how to display all RMON filter entries and channel information C2 rw show rmon filter Index 55508 Channel Index 628 EntryStatus valid Data Offset 0 PktStatus 0 PktStatusMask 0 PktStatusNotMask 0 Owner ETS NAC D Data ff ff ff ff ff ff DataMask ff ff ff ff ff ff DataNotMask 00 00 00 00 00 00 index...

Page 414: ...or this entry An entry will automatically be created if an unused index number is chosen Maximum number of entries is 10 Maximum value is 65535 channel index Specifies the channel to which this filter will be applied offset offset Optional Specifies an offset from the beginning of the packet to look for matches status status Optional Specifies packet status bits that are to be matched smask smask ...

Page 415: ...e receipt of back to back packets Purpose To display RMON capture entries configure enable or disable capture entries and clear capture entries Commands show rmon capture Use this command to display RMON capture entries and associated buffer control entries Syntax show rmon capture index nodata index index channel channel Clears a specific filter entry or all entries belonging to a specific channe...

Page 416: ...ys 0 hours 51 minutes 15 seconds Pkt Length 93 Pkt status 0 Data 00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00 00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04 06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00 02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07 01 01 0b 81 fd 1c 02 01 01 00 11 0b 00 set rmon capture Use this command to configure an RMON c...

Page 417: ...ure index Parameters Defaults None Mode Switch command read write action lock Optional Specifies the action of the buffer when it is full as lock Packets will cease to be accepted slice slice Optional Specifies the maximum octets from each packet to be saved in a buffer Currently the only value allowed is 1518 loadsize loadsize Optional Specifies the maximum octets from each packet to be downloade...

Page 418: ...clear rmon capture 13 22 RMON Configuration Example This example shows how to clear RMON capture entry 1 C2 rw clear rmon capture 1 ...

Page 419: ...st be a VLAN which is configured with an IP address Refer to the ip helper address command ip helper address on page 16 12 for more information DHCP Server DHCP server functionality allows the SecureStack C2 switch to provide basic IP configuration information to a client on the network who requests such information using the DHCP protocol DHCP provides the following mechanisms for IP address allo...

Page 420: ... would typically be used when the C2 system is NOT configured for routing 1 Configure the system stack host port IP address with the set ip address command Once the system s IP address is configured the system then knows about the configured subnet For example set ip address 192 0 0 50 mask 255 255 255 0 2 Enable DHCP server functionality on the system with the set dhcp enable command 3 Configure ...

Page 421: ...ssignment with the set dhcp exclude command Up to 128 non overlapping address ranges can be excluded on the SecureStack C2 For example set dhcp exclude 192 0 0 1 192 0 0 10 Configure static address pools for manual address assignment The only required steps are to name the pool configure either the hardware address of the client or the client identifier and configure the IP address and mask for th...

Page 422: ...e automatic address allocation for BOOTP clients By default address allocation for BOOTP clients is disabled Refer to RFC 1534 Interoperation Between DHCP and BOOTP for more information Syntax set dhcp bootp enable disable set dhcp exclude 14 7 clear dhcp exclude 14 7 set dhcp ping 14 8 clear dhcp ping 14 8 show dhcp binding 14 9 clear dhcp binding 14 9 show dhcp server statistics 14 10 clear dhcp...

Page 423: ...ear dhcp conflict logging command to disable conflict logging Syntax set dhcp conflict logging Parameters None Defaults None Mode Switch command read write Example This example enables DHCP conflict logging C2 rw set dhcp conflict logging show dhcp conflict Use this command to display conflict information for one address or all addresses Syntax show dhcp conflict address Parameters enable disable ...

Page 424: ...s 19h 01m 25s 192 0 0 12 Ping 0 days 19h 01m 26s clear dhcp conflict Use this command to clear conflict information for one or all addresses or to disable conflict logging Syntax clear dhcp conflict logging ip address Parameters Defaults None Mode Switch command read write Examples This example disables DHCP conflict logging C2 rw clear dhcp conflict logging This example clears the conflict inform...

Page 425: ...of the addresses that can be assigned by a DHCP server by excluding addresses 172 20 28 80 100 with the set dhcp exclude command C2 rw set dhcp pool auto1 network 172 20 28 0 24 C2 rw set dhcp exclude 172 20 28 80 172 20 28 100 clear dhcp exclude Use this command to clear the configured IP addresses that the DHCP server should not assign to DHCP clients Syntax clear dhcp exclude low ipaddr high ip...

Page 426: ...yntax set dhcp ping packets number Parameters Defaults None Mode Switch command read write Example This example sets the number of ping packets sent to 3 C2 rw set dhcp ping packets 3 clear dhcp ping Use this command to reset the number of ping packets sent by the DHCP server back to the default value of 2 Syntax clear dhcp ping packets Parameters None Defaults None Mode Switch command read write ...

Page 427: ...g IP address Hardware Address Lease Expiration Type 192 0 0 6 00 33 44 56 22 39 00 11 02 Automatic 192 0 0 8 00 33 44 56 22 33 00 10 22 Automatic 192 0 0 10 00 33 44 56 22 34 00 09 11 Automatic 192 0 0 11 00 33 44 56 22 35 00 10 05 Automatic 192 0 0 12 00 33 44 56 22 36 00 10 30 Automatic 192 0 0 13 00 33 44 56 22 37 infinite Manual 192 0 0 14 00 33 44 56 22 38 infinite Manual clear dhcp binding U...

Page 428: ...yntax show dhcp server statistics Parameters None Defaults None Mode Read only Example This example displays server statistics C2 ro show dhcp server statistics Automatic Bindings 36 Expired Bindings 6 Malformed Bindings 0 Messages Received DHCP DISCOVER 382 DHCP REQUEST 3855 DHCP DECLINE 0 DHCP RELEASE 67 DHCP INFORM 1 Messages Sent DHCP OFFER 381 DHCP ACK 727 DHCP NACK 2 clear dhcp server statis...

Page 429: ...not recommended If the incoming DHCP request packet contains a client identifier then a manual pool configured with that client identifier must exist on the switch in order for the request to be processed The hardware address is not checked If a manual pool is configured with a client identifier then the incoming DHCP request packet from that client must include that client identifier in order for...

Page 430: ... pool client name 14 19 set dhcp pool bootfile 14 19 clear dhcp pool bootfile 14 20 set dhcp pool next server 14 20 clear dhcp pool next server 14 21 set dhcp pool lease 14 21 clear dhcp pool lease 14 22 set dhcp pool default router 14 22 clear dhcp pool default router 14 23 set dhcp pool dns server 14 23 clear dhcp pool dns server 14 24 set dhcp pool domain name 14 24 clear dhcp pool domain name ...

Page 431: ...ers Defaults None Mode Switch command read write Example This example creates an address pool named auto1 C2 rw set dhcp pool auto1 clear dhcp pool Use this command to delete a DHCP server pool of addresses Syntax clear dhcp pool poolname Parameters Defaults None Mode Switch command read write Example This example deletes the address pool named auto1 C2 rw clear dhcp pool auto1 poolname Specifies ...

Page 432: ...named auto1 Alternatively the mask could have been specified as 255 255 255 0 C2 rw set dhcp pool auto1 network 172 20 28 0 24 This example limits the scope of 255 addresses created for the Class C network 172 20 28 0 by the previous example by excluding addresses 172 20 28 80 100 C2 rw set dhcp exclude 172 20 28 80 172 20 28 100 clear dhcp pool network Use this command to remove the network numbe...

Page 433: ...ssumed Mode Switch command read write Example This example specifies 0001 f401 2710 as the Ethernet MAC address for the manual address pool named manual1 Alternatively the MAC address could have be entered as 00 01 f4 01 27 10 C2 rw set dhcp pool manual1 hardware address 0001 f401 2710 clear dhcp pool hardware address Use this command to remove the hardware address of a DHCP client from a manual b...

Page 434: ...e Example This example shows how to configure the minimum requirements for a manual binding address pool First the hardware address of the client s hardware platform is configured followed by configuration of the address to be assigned to that client manually C2 rw set dhcp pool manual1 hardware address 0001 f401 2710 C2 rw set dhcp pool manual1 host 15 12 1 99 255 255 248 0 poolname Specifies the...

Page 435: ...ol hardware address command to create a manual binding pool but using both is not recommended Syntax set dhcp pool poolname client identifier id Parameters Defaults None Mode Switch command read write Usage The client identifier is formed by concatenating the media type and the MAC address For example if the client hardware type is Ethernet and the client MAC address is 00 01 22 33 44 55 then the ...

Page 436: ...x clear dhcp pool poolname client identifier Parameters Defaults None Mode Switch command read write Example This example deletes the client identifier from the address pool named manual1 C2 rw clear dhcp pool manual1 client identifier set dhcp pool client name Use this command to assign a name to a DHCP client when creating an address pool for manual binding Syntax set dhcp pool poolname client n...

Page 437: ...ntax clear dhcp pool poolname client name Parameters Defaults None Mode Switch command read write Example This example deletes the client name from the manual binding pool manual2 C2 rw clear dhcp pool manual2 client name set dhcp pool bootfile Use this command to specify a default boot image for the DHCP clients who will be served by the address pool being configured Syntax set dhcp pool poolname...

Page 438: ...This example removes the boot image filename from address pool named auto1 C2 rw clear dhcp pool auto1 bootfile set dhcp pool next server Use this command to specify the file server from which the default boot image is to be loaded by the client Syntax set dhcp pool poolname next server ip address Parameters Defaults None poolname Specifies the name of the address pool Pool names may be up to 31 c...

Page 439: ...read write Example This example removes the file server from address pool auto1 C2 rw clear dhcp pool auto1 next server set dhcp pool lease Use this command to specify the duration of the lease for an IP address assigned by the DHCP server from the address pool being configured Syntax set dhcp pool poolname lease days hours minutes infinite Parameters poolname Specifies the name of the address poo...

Page 440: ...efault value of one day Mode Switch command read write Example This example restores the default lease duration of one day for address pool auto1 C2 rw clear dhcp pool auto1 lease set dhcp pool default router Use this command to specify a default router list for the DHCP clients served by the address pool being configured Up to 8 default routers can be configured hours Optional When a days value h...

Page 441: ...Parameters Defaults None Mode Switch command read write Example This example removes the default router from the address pool auto1 C2 rw clear dhcp pool auto1 default router set dhcp pool dns server Use this command to specify one or more DNS servers for the DHCP clients served by the address pool being configured Up to 8 DNS servers can be configured poolname Specifies the name of the address po...

Page 442: ...server Parameters Defaults None Mode Switch command read write Example This example removes the DNS server list from the address pool auto1 C2 rw clear dhcp pool auto1 dns server set dhcp pool domain name Use this command to specify a domain name to be assigned to DHCP clients served by the address pool being configured poolname Specifies the name of the address pool Pool names may be up to 31 cha...

Page 443: ...me Parameters Defaults None Mode Switch command read write Example This example removes the domain name from the address pool auto1 C2 rw clear dhcp pool auto1 domain name set dhcp pool netbios name server Use this command to assign one or more NetBIOS name servers for the DHCP clients served by the address pool being configured Up to 8 NetBIOS name servers can be configured poolname Specifies the...

Page 444: ...etbios name server Parameters Defaults None Mode Switch command read write Example This example removes the NetBIOS name server list from the address pool auto1 C2 rw clear dhcp pool auto1 netbios name server set dhcp pool netbios node type Use this command to specify a NetBIOS node server type for the DHCP clients served by the address pool being configured poolname Specifies the name of the addr...

Page 445: ...arameters Defaults None Mode Switch command read write Example This example removes the NetBIOS node type from the address pool auto1 C2 rw clear dhcp pool auto1 netbios node type set dhcp pool option Use this command to configure DHCP options described in RFC 2132 poolname Specifies the name of the address pool Pool names may be up to 31 characters in length b node Specifies the NetBIOs node type...

Page 446: ...3 clear dhcp pool option Use this command to remove a DHCP option from the address pool being configured Syntax clear dhcp pool poolname option code Parameters Defaults None poolname Specifies the name of the address pool Pool names may be up to 31 characters in length code Specifies the DHCP option code as defined in RFC 2132 Value can range from 1 to 254 ascii string Specifies the data in ASCII ...

Page 447: ...example displays configuration information for all address pools C2 rw show dhcp pool configuration all Pool Atg_Pool Pool Type Dynamic Network 192 0 0 0 255 255 255 0 Lease Time 1 days 0 hrs 0 mins Default Routers 192 0 0 1 Pool static1 Pool Type Manual Client Name appsvr1 Client Identifier 01 00 01 f4 01 27 10 Host 10 1 1 1 255 0 0 0 Lease Time infinite Option 19 hex 01 Pool static2 Pool Type Ma...

Page 448: ...show dhcp pool configuration 14 30 DHCP Server Configuration ...

Page 449: ...onfiguring basic platform settings such as host name system clock and terminal display settings Setting Basic Switch Properties on page 3 8 Setting the system IP address set ip address on page 3 9 Creating and enabling VLANs Chapter 8 File management tasks including uploading or downloading flash or text configuration files and displaying directory and file contents Managing Switch Configuration a...

Page 450: ...obal router configuration mode configure Router C2 su router Step 4 Enable interface configuration mode using the routing VLAN or loopback id interface vlan vlan id loopback loop id Router C2 su router Config interface on page 16 2 Step 5 Assign an IP address to the routing interface ip address ip address ip mask Router C2 su router Config if Vlan 1 interface on page 16 2 Step 6 Enable the interfa...

Page 451: ...y in the show license command output Syntax license advanced activation key Parameters Router Configuration Mode Set IP protocol parameters Type router and the protocol name and for OSPF the instance ID from Global or Interface Configuration mode C2 su router Config router Note To jump to a lower configuration mode type exit at the command prompt To revert back to switch CLI type exit from Privile...

Page 452: ...commands C2 su router Config license advanced abcdefg123456789 show license When available and activated use this command to display your license key Syntax show license Parameters None Command Type Router command Mode Privileged EXEC router Defaults None Example This example shows how to display your license key information C2 su router show license license advanced abcdefg123456789 no license ad...

Page 453: ...5 5 Parameters None Command Type Router command Mode Global configuration router Config Defaults None Example This example shows how to remove an advanced license key C2 su router configure Enter configuration commands C2 su router Config no license advanced ...

Page 454: ...no license advanced 15 6 Preparing for Router Mode ...

Page 455: ...view the running configuration Commands Router Unless otherwise noted the commands covered in this chapter can be executed only when the device is in router mode For details on how to enable router configuration modes refer to Enabling Router Configuration Modes on page 15 2 For information about Refer to page Configuring Routing Interface Settings 16 1 Reviewing and Configuring the ARP Table 16 7...

Page 456: ... this device is Vlan 1 The MTU is 1500 bytes The bandwidth is 10000 Mb s Encapsulation ARPA Loopback not set ARP type ARPA ARP Timeout 14400 seconds This example shows how to display information for loopback interface 1 C2 su router show interface loopback 1 Loopback 1 is Administratively UP Loopback 1 is Operationally UP Internet Address is 10 1 192 100 Subnet Mask is 255 255 255 0 The name of th...

Page 457: ...e Routing Configuration Tasks on page 15 1 A loopback interface is always expected to be up This interface can provide the source address for sent packets and can receive both local and remote packets The loopback interface is typically used by routing protocols If RADIUS is configured with no host IP address on the device it will use the loopback interface 0 IP address if it has been configured a...

Page 458: ... 1 seconds Direct Broadcast Disabled Proxy ARP is Disabled Table 16 1 provides an explanation of the command output vlan vlan id Optional Displays information for a specific VLAN interface This interface must be configured for IP routing as described in Pre Routing Configuration Tasks on page 15 1 loopback loop id Optional Displays interface information for a specific loopback interface Table 16 1...

Page 459: ...5 0 for VLAN 1 C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip address 192 168 1 1 255 255 255 0 Outgoing Access List Not applicable MTU Interface s Maximum Transmission Unit size ARP Timeout Duration for entries to stay in the ARP table before expiring Set using the arp timeout command as described in arp timeout on page 16 10 Direct Broadcast Whether or not IP directed broa...

Page 460: ...C2 su router show running config interface vlan 10 ip address 99 99 2 10 255 255 255 0 no shutdown router ospf 1 network 99 99 2 0 0 0 0 255 area 0 0 0 0 network 192 168 100 1 0 0 0 0 area 0 0 0 0 no shutdown Use this command to enable an interface for IP routing and to allow the interface to automatically be enabled at device startup Syntax no shutdown shutdown Parameters None Defaults None Mode ...

Page 461: ... it as described in Configuring Routing Interface Settings on page 16 1 Syntax no ip routing Parameters None Mode Global configuration C2 su router Config Defaults None Example This example shows how to disable IP routing on the device C2 su router Config no ip routing Reviewing and Configuring the ARP Table Purpose To review and configure the routing ARP table to enable proxy ARP on an interface ...

Page 462: ...35 165 Protocol Address Age min Hardware Addr Type Interface Internet 134 141 235 165 0002 1664 a5b3 ARPA Vlan2 C2 su router show ip arp vlan 2 Protocol Address Age min Hardware Addr Type Interface Internet 134 141 235 251 0 0003 4712 7a99 ARPA Vlan2 Table 16 2 provides an explanation of the command output ip address Optional Displays ARP entries related to a specific IP address vlan vlan id Optio...

Page 463: ...LAN Example This example shows how to add a permanent ARP entry for the IP address 130 2 3 1 and MAC address 0003 4712 7a99 C2 su router Config arp 130 2 3 1 0003 4712 7a99 ip proxy arp Use this command to enable proxy ARP on an interface The no form of this command disables proxy ARP Table 16 2 show ip arp Output Details Output What It Displays Protocol ARP entry s type of network address Address...

Page 464: ...ault Example This example shows how to enable proxy ARP on VLAN 1 C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip proxy arp arp timeout Use this command to set the duration in seconds for dynamically learned entries to remain in the ARP table before expiring The no form of this command restores the default value of 14 400 seconds arp timeout seconds no arp timeout Parameters ...

Page 465: ...dcast Settings Purpose To configure IP broadcast settings By default interfaces on the SecureStack C2 do not forward broadcast packets Commands ip directed broadcast Use this command to enable or disable IP directed broadcasts on an interface By default interfaces on the SecureStack C2 do not forward directed broadcasts The no form of this command disables IP directed broadcast on the interface Sy...

Page 466: ...dcasts only on the one interface that will be transmitting the datagrams For example if a SecureStack C2 has five routed interfaces for the 10 20 30 40 and 50 networks enabling directed broadcast only on the 30 network interface will allow anyone from any other networks 10 20 40 50 to send directed broadcast to the 30 network Example This example shows how to enable IP directed broadcasts on VLAN ...

Page 467: ...g the Relay Agent IP address from 0 0 0 0 to the address of the local routed interface The last change to the BootP packet tells the DHCP server that it needs to assign an IP address that is in the same subnet as the Relay Agent IP When the response comes from the server the DHCP BOOTP relay agent sends it to the host Example This example show how to have all client DHCP requests for users in VLAN...

Page 468: ...nal type 2 E1 OSPF external type 1 E2 OSPF external type 2 candidate default U per user static route C 192 168 27 0 24 0 0001 directly connected vlan 1 C 192 168 32 0 24 0 0001 directly connected vlan 2 S 2 0 0 0 8 65 0001 via 192 168 72 1 vlan 1 S 3 0 0 0 8 0 0001 directly connected vlan 1 R 1 0 0 0 8 70 0002 via 192 168 72 22 vlan 1 ip route Use this command to add or remove a static IP route Th...

Page 469: ...ter Usage This command is also available in switch mode Examples This example shows output from a successful ping to IP address 182 127 63 23 C2 su router ping 182 127 63 23 182 127 63 23 is alive This example shows output from an unsuccessful ping to IP address 182 127 63 24 C2 su router ping 182 127 63 24 no answer from 182 127 63 24 prefix Specifies a destination IP address prefix mask Specifie...

Page 470: ...ailable in switch mode Example This example shows how to use traceroute to display a round trip path to host 192 141 90 183 C2 su router traceroute 192 141 90 183 Traceroute to 192 141 90 183 30 hops max 40 byte packets 1 10 1 56 1 0 000 ms 0 000 ms 0 000 ms 2 10 1 48 254 10 000 ms 0 000 ms 0 000 ms 3 10 1 0 2 0 000 ms 0 000 ms 0 000 ms 4 192 141 89 17 0 000 ms 0 000 ms 10 000 ms 5 192 141 100 13 ...

Page 471: ...routing license contact Enterasys Networks Sales Configuring RIP Purpose To enable and configure the Routing Information Protocol RIP Router The commands covered in this chapter can be executed only when the device is in router mode For details on how to enable router configuration modes refer to Enabling Router Configuration Modes on page 15 2 For information about Refer to page Activating Advanc...

Page 472: ...7 1 RIP Configuration Task List and Commands To do this Use these commands Enable RIP configuration mode router rip on page 17 2 Enable RIP on an interface ip rip enable on page 17 3 Configure an administrative distance distance on page 17 3 Allow reception of a RIP version ip rip send version on page 17 4 Allow transmission of a RIP version ip rip receive version on page 17 5 Configure RIP simple...

Page 473: ... Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to enable RIP on the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip rip enable distance Use this command to configure the administrative distance for RIP routes The no form of this command resets RIP administrative distance to the default value of 120 Syn...

Page 474: ...he RIP version s for update packets transmitted on an interface The no form of this command restores the version of update packets that was transmitted by the RIP router Syntax ip rip send version 1 2 r1compatible no ip rip send version Parameters Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to set the RIP send version to 2 for packets tra...

Page 475: ... packets received on the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip rip receive version 2 ip rip authentication key Use this command to enable or disable a RIP authentication key password for use on an interface The no form of this command prevents RIP from using authentication Syntax ip rip authentication key name no ip rip authentication key Parameters...

Page 476: ...t key keyid md5 key no ip rip message digest key keyid Parameters Mode Interface configuration C2 su router Config if Vlan 1 Defaults None Examples This example shows how to set the MD5 authentication ID to 5 for the RIP authentication key set on the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip rip message digest key 5 md5 password no auto summary Use this...

Page 477: ... rip C2 su router Config router no auto summary split horizon poison Use this command to enable or disable split horizon poison reverse mode for RIP packets The no form of this command disables split horizon poison reverse Syntax split horizon poison no split horizon poison Parameters None Defaults None Mode Router configuration C2 su router Config router Usage Split horizon prevents packets from ...

Page 478: ...AN 2 C2 su router Config router rip C2 su router Config router passive interface vlan 2 receive interface Use this command to allow RIP to receive update packets on an interface The no form of this command denies the reception of RIP updates By default receiving is enabled on all routing interfaces Syntax receive interface vlan vlan id no receive interface vlan vlan id Parameters Defaults None vla...

Page 479: ...ults If metric value is not specified 1 will be applied If subnets is not specified only non subnetted routes will be redistributed connected Specifies that non RIP routing information discovered via directly connected interfaces will be redistributed ospf Specifies that OSPF routing information will be redistributed in RIP process id Specifies the process ID an internally used identification numb...

Page 480: ...s on page 15 3 in order to enable the OSPF command set If you wish to purchase an advanced routing license contact Enterasys Networks Sales Table 17 2 OSPF Configuration Task List and Commands To do this Use these commands If necessary activate your advanced routing license See Activating Licensed Features on page 15 3 Enable OSPF configuration mode router id on page 17 11 router ospf on page 17 1...

Page 481: ... be used by Area Boundary Routers ABRs area range on page 17 20 Define an area as a stub area area stub on page 17 21 Set the cost value for the default route that is sent into a stub area area default cost on page 17 22 Define an area as an NSSA area nssa on page 17 22 Create virtual links area virtual link on page 17 23 Enable redistribution from non OSPF routes redistribute on page 17 24 Monito...

Page 482: ...uration tasks For details on enabling configuration modes refer to Table 15 2 in Enabling Router Configuration Modes on page 15 2 Only one OSPF process process id is allowed per SecureStack C2 router Example This example shows how to enable routing for OSPF process 1 C2 su router conf terminal C2 su router Config router ospf 1 C2 su router Config router 1583compatibility Use this command to enable...

Page 483: ...None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to enable OSPF on the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip ospf enable ip ospf areaid Use this command to configure area IDs for OSPF interfaces If OSPF is enabled on an interface as described in ip ospf enable on page 17 13 the OSPF area will default to ...

Page 484: ...ost no ip ospf cost Parameters Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Usage Each router interface that participates in OSPF routing is assigned a default cost This command overwrites the default of 10 Example This example shows how to set the OSPF cost to 20 for the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip ospf cost 20...

Page 485: ...s 5 seconds for delay and 10 seconds for holdtime Syntax timers spf spf delay spf hold no timers spf Parameters Defaults None Mode Router configuration C2 su router Config router Example This example shows how to set SPF delay time to 7 seconds and hold time to 3 C2 su router Config router ospf 1 C2 su router Config router timers spf 7 3 number Specifies the router s OSPF priority in a range from ...

Page 486: ...xample shows how to set the OSPF retransmit interval for the VLAN 1 interface to 20 C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip ospf retransmit interval 20 ip ospf transmit delay Use this command to set the amount of time required to transmit a link state update packet on an interface The no form of this command resets the retransmit interval value to the default 1 second...

Page 487: ...aults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to set the hello interval to 5 for the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip ospf hello interval 5 ip ospf dead interval Use this command to set the number of seconds a router must wait to receive a hello packet from its neighbor before determining t...

Page 488: ...Mode Interface configuration C2 su router Config if Vlan 1 Usage This password is used as a key that is inserted directly into the OSPF header in routing protocol packets A separate password can be assigned to each OSPF network on a per interface basis All neighboring routers on the same network must have the same password configured to be able to exchange OSPF information seconds Specifies the nu...

Page 489: ...e Interface configuration C2 su router Config if Vlan 1 Example This example shows how to enable OSPF MD5 authentication on the VLAN 1 interface set the key identifier to 20 and set the password to passone C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip ospf message digest key 20 md5 passone distance ospf Use this command to configure the administrative distance for OSPF rout...

Page 490: ...uter Config router ospf 1 C2 su router Config router distance ospf external 100 area range Use this command to define the range of addresses to be used by Area Border Routers ABRs when they communicate routes to other areas Each SecureStack C2 stackcan support up to 4 OSPF areas The no form of this command stops the routes from being summarized Syntax area area id range ip address ip mask advertis...

Page 491: ...ummary no area area id stub no summary Parameters Mode Router configuration C2 su router Config router Defaults If no summary is not specified the stub area will be able to receive LSAs area id Specifies the area from which routes are to be summarized This is a decimal value from 0 to 429496295 ip address Specifies the IP address associated with the area ID ip mask Specifies the mask for the IP ad...

Page 492: ...er Usage The use of this command is restricted to ABRs attached to stub and NSSA areas Example This example shows how to set the cost value for stub area 10 to 99 C2 su router Config router ospf 1 C2 su router Config router area 10 default cost 99 area nssa Use this command to configure an area as a Not So Stubby Area NSSA The no form of this command changes the NSSA back to a plain area Syntax ar...

Page 493: ...ents a logical connection between the backbone and a non backbone OSPF area The no form of this command removes the virtual link and or its associated settings Syntax area area id virtual link router id no area area id virtual link router id In addition to the syntax above the options for using this command are area area id virtual link router id authentication key key no area area id virtual link...

Page 494: ...rd to be used by the virtual link Valid values are alphanumeric strings of up to 8 characters Neighbor virtual link routers on a network must have the same password dead interval seconds Specifies the number of seconds that a router must wait to receive a hello packet before declaring the neighbor as dead and removing it from the OSPF neighbor list This value must be the same for all virtual links...

Page 495: ...ies that non OSPF information discovered via directly connected interfaces will be redistributed rip Specifies that RIP routing information will be redistributed in OSPF static Specifies that non OSPF information discovered via static routes will be redistributed Static routes are those created using the ip route command detailed in ip route on page 16 14 metric metric value Optional Specifies a m...

Page 496: ...f database Parameters None Defaults None Mode Any router mode Example This example shows how to display all OSPF link state database information This is a portion of the command output C2 su router show ip ospf database OSPF Router with ID 155 155 155 155 Displaying Ipnet Sum Link States Area 0 0 0 0 LinkID ADV Router Age Seq Checksum 192 168 16 0 155 155 155 155 1751 0x80000036 0x18a Displaying A...

Page 497: ...display OSPF interface related information including network type priority cost hello interval and dead interval Syntax show ip ospf interface vlan vlan id Parameters Table 17 3 show ip ospf database Output Details Output What It Displays Link ID Link ID which varies as a function of the link state record type as follows Net Link States Shows the interface IP address of the designated router to th...

Page 498: ...nterface cost which is either default or assigned with the ip ospf cost command For details refer to ip ospf cost on page 17 14 Transmit Delay The number in seconds added to the LSA Link State Advertisement age field State The interface state versus the state between neighbors Valid values include Backup Designated Router Designated Router and Err for error Priority The interface priority value wh...

Page 499: ...ink represents a logical connection between the backbone and a non backbone OSPF area detail Optional Displays detailed information about the neighbors including the area in which they are neighbors who the designated router backup designated router is on the subnet if applicable and the decimal equivalent of the E bit value from the hello packet options field ip address Optional Displays OSPF nei...

Page 500: ...clear ip ospf process process id Parameters Table 17 6 show ip ospf virtual links Output Details Output What It Displays Neighbor ID ID of the virtual link neighbor and the virtual link status which is up or down Transit area ID of the transit area through which the virtual link is configured Transmit delay Amount of time required to transmit a link state update packet on an interface State Whethe...

Page 501: ...o stop subsequent packets from traveling where there are no members DVMRP will periodically reflood in order to reach any new hosts that want to receive from a particular group Commands ip dvmrp Use this command to enable the DVMRP process The no form of this command disables the DVMRP process Advanced License Required DVMRP is an advanced routing feature that must be enabled with a license key If...

Page 502: ...n an interface The no form of this command disables DVMRP on an interface Syntax ip dvmrp enable no ip dvmrp enable Parameters None Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to enable DVMRP on the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip dvmrp enable ip dvmrp metric Use this command to confi...

Page 503: ... show ip dvmrp route neighbor status Parameters Defaults If no optional parameters are specified status information will be displayed Mode Any router mode Example This example shows how to display DVMRP status information C2 su router show ip dvmrp Vlan Id Metric Admin Status Oper Status 10 Enabled Enabled 18 Enabled Enabled 20 Enabled Enabled 25 Enabled Enabled 32 Enabled Enabled 500 Enabled Disa...

Page 504: ...rface The no form of this command disables IRDP on an interface Syntax ip irdp enable no ip irdp enable Parameters None Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to enable IRDP on the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip irdp enable For information about Refer to page ip irdp enable 17 3...

Page 505: ...ce C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip irdp maxadvertinterval 1000 ip irdp minadvertinterval Use this command to set the minimum interval in seconds between IRDP advertisements The no form of this command deletes the custom holdtime setting and resets the minimum advertisement interval to the default value of three fourths of the maxadvertinterval value which is e...

Page 506: ...This example shows how to set the IRDP hold time to 4000 seconds on the VLAN 1 interface C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip irdp holdtime 4000 ip irdp preference Use this command to set the IRDP preference value for an interface This value is used by IRDP to determine the interface s selection as a default gateway address The no form of this command resets the in...

Page 507: ...ip irdp broadcast Use this command to configure IRDP to use the limited broadcast address of 255 255 255 255 The default is multicast with address 224 0 0 1 The no form of this command resets IRDP to use multicast on IP address 224 0 0 1 Syntax ip irdp broadcast no ip irdp broadcast Parameters None Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows ...

Page 508: ...nherent in the static default routed environment by transferring the responsibility from one router to another if the original router goes down VRRP enabled routers decide who will become master and who will become backup in the event the master fails Commands vlan vlan id Optional Displays IRDP information for a specific VLAN This VLAN must be configured for IP routing as described in Pre Routing...

Page 509: ...leting other VRRP specific configuration tasks For details on enabling configuration modes refer to Table 15 2 in Enabling Router Configuration Modes on page 15 2 Example This example shows how enable VRRP configuration mode C2 su router configure C2 su router Config router vrrp C2 su router Config router create Use this command to create a VRRP session Each SecureStack C2 system supports up to 20...

Page 510: ...wner Parameters Defaults None vlan vlan id Specifies the number of the VLAN on which to create a VRRP session This VLAN must be configured for IP routing as described in Pre Routing Configuration Tasks on page 15 1 vrid Specifies a unique Virtual Router ID VRID to associate with the routing interface vlan vlan id Specifies the number of the VLAN on which to configure a virtual router address This ...

Page 511: ...via this interface as the master C2 su router Config router vrrp C2 su router Config router address vlan 1 1 182 127 62 1 1 priority Use this command to set a priority value for a VRRP router The no form of this command clears the VRRP priority configuration Syntax priority vlan vlan id vrid priority value no priority vlan vlan id vrid priority value Parameters Defaults None Mode Router configurat...

Page 512: ...ents are sent every advertising interval to let other VRRP routers in this VLAN VRID know the router is still acting as master of the VLAN VRID All routers with the same VRID should be configured with the same advertisement interval Example This example shows how set an advertise interval of 3 seconds on the VLAN 1 interface VRID 1 C2 su router Config router vrrp C2 su router Config router adverti...

Page 513: ...lan 1 1 enable Use this command to enable VRRP on an interface The no form of this command disables VRRP on an interface Syntax enable vlan vlan id vrid no enable vlan vlan id vrid Parameters Defaults None vlan vlan id Specifies the number of the VLAN on which to set preempt mode This VLAN must be configured for IP routing as described in Pre Routing Configuration Tasks on page 15 1 vrid Specifies...

Page 514: ...ose To enable and configure Protocol Independent Multicast in Sparse Mode PIM SM This protocol provides the means of dynamically learning how to forward multicast traffic in an environment where group members are sparsely located throughout the network and bandwidth is limited In situations where members are densely located and bandwidth is plentiful DVMRP would suffice see Configuring DVMRP on pa...

Page 515: ...cable Syntax ip pimsm no ip pimsm Parameters None Defaults None Mode Global router configuration C2 su router Config Note IGMP must be enabled on all VLANs running PIM SM and must also be globally enabled on the SecureStack C2 For details on enabling IGMP refer to Chapter 11 For information about Refer to page Global configuration commands ip pimsm 17 45 ip pimsm staticrp 17 46 Interface configura...

Page 516: ... Defaults None Mode Global Router configuration C2 su router Config Example This example shows how to set an RP for a specific multicast group C2 su router Config ip pimsm staticrp 192 15 18 3 224 0 0 0 240 0 0 0 ip pimsm enable This command sets the administrative mode of PIM SM multicast routing on a routing interface to enabled By default PIM is disabled on all IP interfaces The no form of this...

Page 517: ...ghbors The no form of this command resets the hello interval to the default 30 seconds Syntax ip pimsm query interval seconds no ip pimsm query interval Parameters Defaults None Mode Interface configuration C2 su router Config if Vlan 1 Example This example shows how to set the hello interval rate to 100 seconds C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip pimsm query inte...

Page 518: ...isplays the table containing objects specific to a PIM domain One row exists for each domain to which the router is connected Syntax show ip pimsm componenttable Parameters None Defaults None Table 17 7 show ip pimsm Output Detail Output What it displays Admin Mode This field indicates whether PIM SM is enabled or disabled This is a configured value Join Prune Interval secs This field shows the in...

Page 519: ...ow ip pimsm interface vlan vlan id stats vlan id all Parameters Defaults None Mode Any router mode Table 17 8 show ip pimsm componenettable Output Detail Output What it displays Component Index This field displays a number which uniquely identifies the component Component BSR Address This field displays the IP address of the bootstrap router BSR for the local PIM region Component BSR Expiry Time T...

Page 520: ...s The IP address of the specified interface Subnet Mask The Subnet Mask for the IP address of the PIM interface Mode Indicates whether PIM SM is enabled or disabled on the specified interface This is a configured value By default it is disabled Hello Interval Indicates the frequency at which PIM hello messages are transmitted on this interface This is a configured value By default the value is 30 ...

Page 521: ...le 17 11 provides an explanation of the command output show ip pimsm rp This command displays the PIM information for candidate Rendezvous Points RPs for all IP multicast groups or for a specific group address The information in the table is displayed for each IP multicast group Syntax show ip pimsm rp group address group mask all candidate vlan id Optional Display all neighbors discovered on a sp...

Page 522: ...TE RP TABLE Group Address Group Mask Address 224 0 0 0 240 0 0 0 192 168 30 2 group address The multicast group IP address group mask The multicast group address subnet mask all For all known group addresses candidate Display PIM SM candidate RP table information Table 17 12 show ip pimsm rp Output Detail Output What it displays Group Address The address of the group for which the RP set is displa...

Page 523: ...his example shows how to display RP that will be selected for group address 224 0 0 0 C2 su router show ip pimsm rphash 224 0 0 0 192 168 129 223 show ip pimsm staticrp Display the PIM SM static Rendezvous Point information Syntax show ip pimsm staticrp Parameters None Mode Any router mode Defaults None Example This example shows how to display PIM information C2 su router show ip pimsm staticrp S...

Page 524: ... Table 17 13 provides an explanation of the command output Table 17 13 show ip pimsm staticrp Output Details Output What it displays Address The IP address of the RP Group Address The group address supported by the RP Group Mask The group mask for the group address ...

Page 525: ...lidated against the configured RADIUS server Only in the case of a RADIUS timeout will those credentials be compared against credentials locally configured on the switch For details refer to Configuring RADIUS on page 18 3 SNMP user or community names allows access to the SecureStack C2 switch via a network SNMP management application To access the switch you must enter an SNMP user or community n...

Page 526: ...t Refer to Configuring VLAN Authorization RFC 3580 on page 18 41 MAC Locking locks a port to one or more MAC addresses preventing the use of unauthorized devices and MAC spoofing on the port For details refer to Configuring MAC Locking on page 18 46 Port Web Authentication PWA locks down a port a user is attached to until after the user logs in using a web browser to access the switch The switch w...

Page 527: ...e sensitive To specify a management level management access authentication Enterasys version 1 mgmt level where level indicates the management level either ro rw or su To specify both management level and policy profile Enterasys version 1 mgmt level policy string The undecorated format is simply a string that specifies a policy profile name The undecorated format cannot be used for management acc...

Page 528: ...xplanation of the command output set radius 18 5 clear radius 18 7 show radius accounting 18 7 set radius accounting 18 8 clear radius accounting 18 9 For information about Refer to page status Optional Displays the RADIUS server s enable status retries Optional Displays the number of retry attempts before the RADIUS server times out timeout Optional Displays the maximum amount of time in seconds ...

Page 529: ...ugh the RADIUS server for authentication Management access This means that anyone trying to access the switch Telnet SSH Local Management has to authenticate through the RADIUS server Network access This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network Any access Means that both Management access and Network access have been enabled Tab...

Page 530: ...ement access to the switch Telnet web SSH to authenticate through a RADIUS server The all parameter at the end of the command means that any of the defined RADIUS servers can be used for this Authentication C2 rw set radius realm management access all realm management access any network access Realm allows you to define who has to go through the RADIUS server for authentication management access T...

Page 531: ...r counter ip address retries timeout Parameters retries Resets the maximum number of attempts a user can contact the RADIUS server before timing out to 3 timeout Resets the maximum amount of time to establish contact with the RADIUS server before timing out to 20 seconds server Deletes server settings index all For use with the server parameter to clear the server configuration for all servers or ...

Page 532: ...ccounting Use this command to configure RADIUS accounting Syntax set radius accounting enable disable retries retries timeout timeout server ip_address port server secret Parameters Mode Switch command read write Defaults None enable disable Enables or disables the RADIUS accounting client retries retries Sets the maximum number of attempts to contact a specified RADIUS accounting server before ti...

Page 533: ...etries 10 clear radius accounting Use this command to clear RADIUS accounting configuration settings Syntax clear radius accounting server ip address retries timeout counter Parameters Mode Switch command read write Defaults None Example This example shows how to reset the RADIUS accounting timeout to 5 seconds C2 su clear radius accounting timeout Configuring 802 1X Authentication Purpose To revi...

Page 534: ...d through the switch to an upstream device 802 1X authentication must be globally disabled with the set dot1x command set dot1x on page 18 13 For information about Refer to page show dot1x 18 10 show dot1x auth config 18 11 set dot1x 18 13 set dot1x auth config 18 13 clear dot1x auth config 18 15 show eapol 18 15 set eapol 18 17 clear eapol 18 18 auth diag Optional Displays authentication diagnost...

Page 535: ...authentication statistics for ge 1 1 C2 su show dot1x auth stats ge 1 1 Port 1 Auth Stats EAPOL Frames Rx 0 EAPOL Frames Tx 0 EAPOL Start Frames Rx 0 EAPOL Logoff Frames Rx 0 EAPOL RespId Frames Rx 0 EAPOL Resp Frames Rx 0 EAPOL Req Frames Tx 0 EAP Length Error Frames Rx 0 Last EAPOL Frame Version 0 Last EAPOL Frame Source 00 00 00 00 00 00 This example shows how to display the status of port reau...

Page 536: ...rtcontrol Optional Displays the current value of the controlled Port control parameter for the port maxreq Optional Displays the value set for maximum requests currently in use by the backend authentication state machine quietperiod Optional Displays the value set for quiet period currently in use by the authenticator PAE state machine reauthenabled Optional Displays the state of reauthentication ...

Page 537: ...ough feature EAP pass through allows client authentication packets to be forwarded unmodified through the switch to an upstream device Examples This example shows how to enable 802 1X C2 su set dot1x enable This example shows how to reinitialize ge 1 2 C2 rw set dot1x port init true ge 1 2 set dot1x auth config Use this command to configure 802 1X authentication Syntax set dot1x auth config authco...

Page 538: ...fies the time in seconds following a failed authentication before another attempt can be made by the authenticator PAE state machine Valid values are 0 65535 Default value is 60 seconds reauthenabled false true Enables true or disables false reauthentication control of the reauthentication timer state machine Default value is false reauthperiod value Specifies the time lapse in seconds between att...

Page 539: ...authenabled ge 1 1 3 This example shows how to reset the 802 1X quiet period to 60 seconds on ports ge 1 1 3 C2 su clear dot1x auth config quietperiod ge 1 1 3 show eapol Use this command to display EAPOL status or settings for one or more ports authcontrolled portcontrol Optional Resets the 802 1X port control mode to auto maxreq Optional Resets the maximum requests value to 2 quietperiod Optiona...

Page 540: ...lize Auto ge 1 3 Initialize Auto Table 18 2 provides an explanation of the command output For details on using the set eapol command to enable the protocol and assign an authentication mode refer to set eapol on page 18 17 port string Optional Displays EAPOL status for specific port s For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 ...

Page 541: ...ated The port enters this state from authenticating state after the exchange completes with a favorable result It remains in this state until linkdown logoff or until a reauthentication begins aborting The port enters this state from authenticating when any event occurs that interrupts the login exchange held After any login failure the port remains in this state for the number of seconds equal to...

Page 542: ... auth mode auto forced auth forced unauth Specifies the authentication mode as auto Auto authorization mode This is the default mode and will forward frames according to the authentication state of the port For details on this mode refer to Table 18 2 forced auth Forced authorized mode which disables authentication on the port forced unauth Forced unauthorized mode which filters and discards all f...

Page 543: ... applies the associated policy rules You can specify a mask to apply to MAC addresses when authenticating users through a RADIUS server see set macauthentication significant bits on page 18 29 The most common use of significant bit masks is for authentication of all MAC addresses for a specific vendor Commands For information about Refer to page show macauthentication 18 20 show macauthentication ...

Page 544: ...e 2 4 disabled 3600 1 1 disabled ge 2 5 disabled 3600 1 1 disabled ge 2 6 disabled 3600 1 1 disabled ge 2 7 disabled 3600 1 1 disabled ge 2 8 disabled 3600 1 1 disabled Table 18 3 provides an explanation of the command output clear macauthentication significant bits 18 29 For information about Refer to page port string Optional Displays MAC authentication information for specific port s For a deta...

Page 545: ...o authenticate the full address i e authentication server timeout causes the next attempt to start once again with a full MAC authentication Default value of 48 can be changed with the set macauthentication significant bits command Port Port designation For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 Port State Whether or not MAC au...

Page 546: ...cation password Use this command to set a MAC authentication password Table 18 4 show macauthentication session Output Details Output What It Displays Port Port designation For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 MAC Address MAC address associated with the session Duration Time this session has been active Reauth Period Reau...

Page 547: ...entication password Use this command to clear the MAC authentication password Syntax clear macauthentication password Parameters None Defaults None Mode Switch command read write Example This example shows how to clear the MAC authentication password C2 su clear macauthentication password set macauthentication port Use this command to enable or disable one or more ports for MAC authentication Synt...

Page 548: ... to force one or more MAC authentication ports to re initialize and remove any currently active sessions on those ports Syntax set macauthentication portinitialize port string Parameters Defaults None Mode Switch command read write Example This example shows how to force ge 2 1 through 5 to initialize C2 su set macauthentication portinitialize ge 2 1 5 enable disable Enables or disables MAC authen...

Page 549: ...back to the default value Syntax clear macauthentication portquietperiod port string Parameters Defaults If a port string is not specified then all ports will be set to the default port quiet period Mode Switch command read write Example This example resets the default quit period on port 1 C2 su clear macauthentication portquietperiod ge 1 1 time Period in seconds to wait after a failed authentic...

Page 550: ...entication Use this command to enable or disable reauthentication of all currently authenticated MAC addresses on one or more ports Syntax set macauthentication reauthentication enable disable port string Parameters Defaults None Mode Switch command read write Example This example shows how to enable MAC reauthentication on ge 4 1 though 5 C2 su set macauthentication reauthentication enable ge 4 1...

Page 551: ...hentication ge 2 1 5 set macauthentication macreauthenticate Use this command to force an immediate reauthentication of a MAC address Syntax set macauthentication macreauthenticate mac addr Parameters Defaults None Mode Switch command read write Example This example shows how to force the MAC authentication session for address 00 60 97 b5 4c 07 to reauthenticate C2 su set macauthentication macreau...

Page 552: ... 5 C2 su set macauthentication reauthperiod 7200 ge 2 1 5 clear macauthentication reauthperiod Use this command to clear the MAC reauthentication period on one or more ports Syntax clear macauthentication reauthperiod port string Parameters Defaults If port string is not specified the reauthentication period will be cleared on all ports Mode Switch command read write time Specifies the number of s...

Page 553: ...s the user name If access is denied and if a significant bit mask has been configured other than 48 with this command the switch will apply the mask and resend the masked address to the RADIUS server For example if a user with MAC address of 00 16 CF 12 34 56 is denied access and a 32 bit mask has been configured the switch will apply the mask and resend a MAC address of 00 16 CF 12 00 00 to the R...

Page 554: ...Authentication on the SecureStack C2 is implemented by assigning an ingressed packet received on a port to a policy role based on the VLAN the packet was assigned to and not the packetʹs source MAC address Therefore on a port configured for User IP Phone Authentication there exists two different VLAN to policy role mappings The policy role for the IP phone is statically mapped using the VLAN to po...

Page 555: ...auth Use this command to display multiple authentication system configuration Syntax show multiauth Parameters None Defaults None Mode Switch command read only For information about Refer to page show multiauth 18 31 set multiauth mode 18 32 clear multiauth mode 18 32 set multiauth precedence 18 33 clear multiauth precedence 18 34 show multiauth port 18 34 set multiauth port 18 35 clear multiauth ...

Page 556: ...e Switch command read write Usage Multiauth multi mode requires that MAC PWA and 802 1X authentication be enabled globally and configured appropriately on the desired ports according to their corresponding command sets described in this chapter Refer to Configuring 802 1X Authentication on page 18 9 and Configuring MAC Authentication on page 18 19 and Configuring Port Web Authentication PWA on pag...

Page 557: ...uth precedence dot1x mac pwa Parameters Defaults None Mode Switch command read write Usage When a user is successfully authenticated by more than one method at the same time the precedence of the authentication methods will determine which RADIUS returned filter ID will be processed and result in an applied traffic policy profile Example This example shows how to set precedence for MAC authenticat...

Page 558: ...and to display multiple authentication properties for one or more ports Syntax show multiauth port port string Parameters Defaults If port string is not specified multiple authentication information will be displayed for all ports Mode Switch command read only Example This example shows how to display multiple authentication information for ports ge 3 1 4 C2 rw show multiauth port ge 3 1 4 Port Mo...

Page 559: ...qd force auth force unauth Specifies the port s multiple authentication mode as auth opt Authentication optional non strict behavior If a user does not attempt to authenticate using 802 1x or if 802 1x authentication fails the port will allow traffic to be forwarded according to the defined default VLAN auth reqd Authentication is required force auth Authentication considered force unauth Authenti...

Page 560: ...ly Defaults If no options are specified multiple authentication station entries will be displayed for all MAC addresses and ports Example This example shows how to display multiple authentication station entries In this case two end user MAC addresses are shown C2 rw show multiauth station Port Address type Address ge 1 20 mac 00 10 a4 9e 24 87 ge 2 16 mac 00 b0 d0 e5 0c d0 show multiauth session ...

Page 561: ...adius VLAN Tunnel Attr none Policy index 0 Policy name Administrator Session timeout 0 Session duration 0 00 00 25 Idle timeout 5 Idle time 0 00 00 00 Termination time Not Terminated show multiauth idle timeout Use this command to display the timeout value in seconds for an idle session for all authentication methods Syntax show multiauth idle timeout Parameters None Defaults None Mode Switch comm...

Page 562: ...ddress for the specified idle timeout period A value of zero indicates that no idle timeout will be applied unless an idle timeout value is provided by the authenticating server For example if a session is authenticated by a RADIUS server that server may encode a Idle Timeout Attribute in its authentication response Example This example sets the idle timeout value for all authentication methods to...

Page 563: ...resets the idle timeout value for all authentication methods to 0 seconds C2 su clear multiauth idle timeout show multiauth session timeout Use this command to display the session timeout value in seconds for all authentication methods Syntax show multiauth session timeout Parameters None Defaults None Mode Switch mode read only dot1x Optional Specifies the IEEE 802 1X port based network access co...

Page 564: ...henticating server For example if a session is authenticated by a RADIUS server that server may encode a Session Timeout Attribute in its authentication response Example This example sets the session timeout value for the IEEE 802 1X authentication method to 300 seconds C2 su set multiauth session timeout dot1x 300 dot1x Optional Specifies the IEEE 802 1X port based network access control authenti...

Page 565: ... of RFC 3580 for details on configuring a RADIUS server to return the desired tunnel attributes As stated in RFC 3580 it may be desirable to allow a port to be placed into a particular Virtual LAN VLAN defined in IEEE8021Q based on the result of the authentication The RADIUS server typically indicates the desired VLAN by including tunnel attributes within its Access Accept parameters However the I...

Page 566: ...nnel you can use the set multiauth port on page 18 35 command to set the number of RFC 3580 users numusers allowed per Gigabit port Up to six users can be configured per Gigabit port Syntax show policy maptable response Parameters None Defaults None Mode Switch command read only Example This example shows how to display the current policy maptable response setting C2 rw show policy maptable respon...

Page 567: ...o enable VLAN authentication for all Gigabit Ethernet ports C2 rw set vlanauthorization enable ge This example shows how to disable VLAN authentication for all Gigabit Ethernet ports on switch unit module 3 policy Sets the maptable response to policy This is the default setting which allows authentication of up to 2 multiauth users per port tunnel Sets the maptable response to tunnel which allows ...

Page 568: ...command to return port s to the default configuration of VLAN authorization disabled egress untagged Syntax clear vlanauthorization port string Parameters none Specifies that no egress manipulation will be made tagged Specifies that the authenticating port will be added to the current tagged egress for the VLAN ID returned untagged Specifies that the authenticating port will be added to the curren...

Page 569: ...xample This command shows how to display VLAN authorization status for ge 1 1 C2 rw show vlanauthorization ge 1 1 port status administrative egress operational egress vlan id ge 1 1 enabled untagged none 0 Table 18 5 provides an explanation of command output For details on enabling and assigning protocol and egress attributes refer to set vlanauthorization on page 18 43 and set vlanauthorization e...

Page 570: ...nt from any of the currently locked MAC addresses for that port MACs are unlocked as a result of A link down event When MAC locking is disabled on a port When a MAC is aged out of the forwarding database when FirstArrival aging is enabled When properly configured MAC locking is an excellent security tool as it prevents MAC spoofing on configured ports Also if a MAC were to be secured by something ...

Page 571: ...led disabled enabled 20 1 00 a0 c9 39 5c b4 Table 18 6 provides an explanation of the command output clear maclock 18 51 set maclock static 18 52 clear maclock static 18 52 set maclock firstarrival 18 53 clear maclock firstarrival 18 53 set maclock agefirstarrival 18 54 clear maclock agefirstarrival 18 55 set maclock move 18 55 set maclock trap 18 56 For information about Refer to page port string...

Page 572: ...es is enabled or disabled on the port Refer to set maclock agefirstarrival on page 18 54 Max Static Allocated The maximum static MAC addresses allowed locked to the port For details on setting this value refer to set maclock static on page 18 52 Max FirstArrival Allocated The maximum end station MAC addresses allowed locked to the port For details on setting this value refer to set maclock firstar...

Page 573: ...C locking defines which MAC addresses as well as how many MAC addresses are permitted to use specific port s Table 18 7 show maclock stations Output Details Output What It Displays Port Number Port designation For a detailed description of possible port string values refer to Port String Syntax Used in the CLI on page 5 2 MAC address MAC address of the end station s locked to the port Status Wheth...

Page 574: ...te Example This example shows how to disable MAC locking on ge 2 3 C2 su set maclock disable ge 2 3 set maclock Use this command to create a static MAC address to port locking and to enable or disable MAC locking for the specified MAC address and port Syntax set maclock mac address port string create enable disable Parameters port string Optional Disables MAC locking on specific port s For a detai...

Page 575: ... be able to communicate on the port unless the first arrival limit has been set to a value greater than 0 and this limit has not yet been met For example if user B s MAC is removed from the static MAC address list and the first arrival limit has been set to 0 then user B will not be able to communicate on the port If user A s MAC is create Establishes a MAC locking association between the specifie...

Page 576: ...read write Example This example shows how to set the maximum number of allowable static MACs to 2 on ge 3 1 C2 rw set maclock static ge 3 1 2 clear maclock static Use this command to reset the number of static MAC addresses allowed per port to the default value of 20 Syntax clear maclock static port string Parameters port string Specifies the port on which to set the maximum number of static MACs ...

Page 577: ...t will be reset every time a user moves to another port but will still protect against connecting multiple devices on a single port and will protect against MAC address spoofing If you wish to have only statically set MACs set a port s first arrival limit to 0 Example This example shows how to restrict MAC locking to 6 MAC addresses on ge 2 3 C2 su set maclock firstarrival ge 2 3 6 clear maclock f...

Page 578: ...ck Syntax set maclock agefirstarrival port string enable disable Parameters Defaults None Mode Switch mode read write Example This example enables first arrival aging on port ge 1 1 C2 su set maclock agefirstarrival ge 1 1 enable port string Specifies the port on which to reset the first arrival value For a detailed description of possible port string values refer to Port String Syntax Used in the...

Page 579: ...re are more first arrival MACs than the allowed maximum static MACs then only the latest first arrival MACs will be moved to static entries For example if you set the maximum number of static MACs to 2 with the set maclock static command and then executed the set maclock move command even though there were five MACs in the first arrival table only the two most recent MAC entries would be moved to ...

Page 580: ...o send an SNMP trap message if an end station is connected that exceeds the maximum values configured using the set maclock firstarrival and set maclock static commands Violating MAC addresses are dropped from the device s or stack s filtering database Example This example shows how to enable MAC lock trap messaging on ge 2 3 C2 su set maclock trap ge 2 3 enable port string Specifies the port on w...

Page 581: ...PWA the user makes a request via a web browser for the PWA web page or is automatically redirected to this login page after requesting a URL in a browser Depending upon the authenticated state of the user a login page or a logout page will display When a user submits username and password the switch then authenticates the user via a preconfigured RADIUS server If the login is successful then the u...

Page 582: ...bled PWA Guest Networking Status disabled PWA Guest Name guest PWA Redirect Time N A Port Mode AuthStatus QuietPeriod MaxReq ge 2 1 disabled disconnected 60 16 Table 18 8 provides an explanation of the command output set pwa quietperiod 18 65 set pwa maxrequest 18 66 set pwa portcontrol 18 66 show pwa session 18 67 set pwa enhancedmode 18 68 For information about Refer to page port string Optional...

Page 583: ...a gueststatus command as described in set pwa gueststatus on page 18 64 PWA Guest Name Guest user name for PWA enhanced mode networking Default value of guest can be changed using the set pwa guestname command as described in set pwa guestname on page 18 63 PWA Guest Password Guest user s password Default value of an empty string can be changed using the set pwa guestpassword command as described ...

Page 584: ...ort web authentication login banner string Syntax show pwa banner Parameters None Defaults None Mode Switch command read only Example This example shows how to display the PWA login banner C2 su show pwa banner Welcome to Enterasys Networks set pwa banner Use this command to configure a string to be displayed as the PWA login banner Syntax set pwa banner string Parameters Defaults None string Spec...

Page 585: ...anner to a blank string Syntax clear pwa banner Parameters None Defaults None Mode Switch command read write Example This example shows how to reset the PWA login banner to a blank string C2 su clear pwa banner set pwa displaylogo Use this command to set the display options for the Enterasys Networks logo Syntax set pwa displaylogo display hide Parameters Defaults None Mode Switch command read wri...

Page 586: ... shows how to set a PWA IP address of 1 2 3 4 C2 su set pwa ipaddress 1 2 3 4 set pwa protocol Use this command to set the port web authentication protocol Syntax set pwa protocol chap pap Parameters Defaults None Mode Switch command read write ip address Specifies a globally unique IP address This same value must be configured into every authenticating switch in the domain chap pap Sets the PWA p...

Page 587: ...hed login names and passwords Syntax set pwa guestname name Parameters Defaults None Mode Switch command read write Example This example shows how to set the PWA guest user name to guestuser C2 su set pwa guestname guestuser clear pwa guestname Use this command to clear the PWA guest user name Syntax clear pwa guestname Parameters None Defaults None Mode Switch command read write Example This exam...

Page 588: ...ws how to set the PWA guest user password name C2 su set pwa guestpassword Guest Password Retype Guest Password set pwa gueststatus Use this command to enable or disable guest networking for port web authentication Syntax set pwa gueststatus authnone authradius disable Parameters Defaults None Mode Switch command read write authnone Enables guest networking with no authentication method authradius...

Page 589: ...ll ports will be initialized Mode Switch command read write Example This example shows how to initialize ports ge 1 5 7 C2 su set pwa initialize ge 1 5 7 set pwa quietperiod Use this command to set the amount of time a port will remain in the held state after a user unsuccessfully attempts to log on to the network Syntax set pwa quietperiod time port string Parameters port string Optional Initiali...

Page 590: ...requests requests port string Parameters Defaults If port string is not specified maximum requests will be set for all ports Mode Switch command read write Example This example shows how to set the PWA maximum requests to 3 for all ports C2 su set pwa maxrequests 3 set pwa portcontrol This command enables or disables PWA authentication on select ports Syntax set pwa portcontrol enable disable port...

Page 591: ...This example shows how to display PWA session information C2 su show pwa session Port MAC IP User Duration Status ge 2 19 00 c0 4f 20 05 4b 172 50 15 121 pwachap10 0 14 46 55 active ge 2 19 00 c0 4f 24 51 70 172 50 15 120 pwachap1 0 15 43 30 active ge 2 19 00 00 f8 78 9c a7 172 50 15 61 pwachap11 0 14 47 58 active enable disable Enables or disables PWA on specified ports port string Optional Sets ...

Page 592: ... None Mode Switch command read write Example This example shows how to enable PWA enhancedmode C2 su set pwa enhancedmode enable Configuring Secure Shell SSH Purpose To review enable disable and configure the Secure Shell SSH protocol which provides secure Telnet Commands show ssh status Use this command to display the current status of SSH on the switch Syntax show ssh status enable disable Enabl...

Page 593: ...fault the SSH server is disabled Syntax set ssh enable disable reinitialize Parameters Defaults None Mode Switch command read write Example This example shows how to disable SSH C2 su set ssh disable set ssh hostkey Use this command to set or reinitialize new SSH authentication keys Syntax set ssh hostkey reinitialize Parameters enable disable Enables or disables SSH or reinitializes the SSH serve...

Page 594: ...cess lists number Parameters Router These commands can be executed when the device is in router mode only For details on how to enable router configuration modes refer to Enabling Router Configuration Modes on page 15 2 Note Access Control Lists are limited to 100 per stack and 9 per interface on C2 stack configurations or mixed configurations of C2 and C3 switches in a stack On C3 only configurat...

Page 595: ...ess lists 101 Extended IP access list 101 1 permit icmp host 18 2 32 130 any 2 permit udp host 198 92 32 130 host 171 68 225 126 3 deny ip 150 136 0 0 0 0 255 255 224 0 0 0 15 255 255 255 4 deny ip 11 6 0 0 0 1 255 255 224 0 0 0 15 255 255 255 5 deny ip 172 24 24 0 0 0 1 255 224 0 0 0 15 255 255 255 access list standard Use this command to define a standard IP access list by number when operating ...

Page 596: ...ss list 1 permit 36 0 0 0 0 255 255 255 This example moves entry 16 to the beginning of ACL 22 C2 su router Config access list 22 move 1 16 access list number Specifies a standard access list number Valid values are from 1 to 99 deny permit Denies or permits access if specified conditions are met source Specifies the network or host from which the packet will be sent Valid options for expressing s...

Page 597: ... are met protocol Specifies an IP protocol for which to deny or permit access Valid values and their corresponding protocols are ip Any Internet protocol udp User Datagram Protocol tcp Transmission Control Protocol icmp Internet Control Message Protocol source Specifies the network or host from which the packet will be sent Valid options for expressing source are IP address or range of addresses A...

Page 598: ...is command to apply access restrictions to inbound frames on an interface when operating in router mode The no form of this command removes the specified access list Syntax ip access group access list number in no ip access group access list number in Parameters Defaults None insert replace entry Optional Inserts this new entry before a specified entry in an existing ACL or replaces a specified en...

Page 599: ... Config interface vlan 1 C2 su router Config if Vlan 1 ip access group 1 in Configuring Access Lists Purpose To review and configure security access control lists ACLs which permit or deny access to routing interfaces based on protocol and IP address restrictions Commands The commands used to review and configure security access lists are listed below show access lists Use this command to display ...

Page 600: ... 0 0 255 255 224 0 0 0 15 255 255 255 4 deny ip 11 6 0 0 0 1 255 255 224 0 0 0 15 255 255 255 5 deny ip 172 24 24 0 0 0 1 255 224 0 0 0 15 255 255 255 access list standard Use this command to define a standard IP access list by number when operating in router mode The no form of this command removes the defined access list or entry Syntax To create an ACL entry access list access list number deny ...

Page 601: ...rmit 36 0 0 0 0 255 255 255 This example moves entry 16 to the beginning of ACL 22 C2 su router Config access list 22 move 1 16 access list extended Use this command to define an extended IP access list by number when operating in router mode The no form of this command removes the defined access list or entry source Specifies the network or host from which the packet will be sent Valid options fo...

Page 602: ... Protocol tcp Transmission Control Protocol icmp Internet Control Message Protocol source Specifies the network or host from which the packet will be sent Valid options for expressing source are IP address or range of addresses A B C D any Any source host host source IP address of a single source host source wildcard Optional Specifies the bits to ignore in the source address operator port Optiona...

Page 603: ...st 101 deny ICMP any any ip access group Use this command to apply access restrictions to inbound frames on an interface when operating in router mode The no form of this command removes the specified access list Syntax ip access group access list number in no ip access group access list number in Parameters Defaults None Mode Interface configuration C2 su router Config if Vlan vlan_id move destin...

Page 604: ...for all inbound frames on the VLAN 1 interface Through the definition of access list 1 only frames with a source address on the 192 5 34 0 24 network will be routed All the frames with other source addresses received on the VLAN 1 interface are dropped C2 su router Config access list 1 permit 192 5 34 0 0 0 0 255 C2 su router Config interface vlan 1 C2 su router Config if Vlan 1 ip access group 1 ...

Page 605: ...37 D Defaults CLI behavior described 1 8 factory installed 1 2 DHCP server configuring 14 1 DHCP BOOTP Relay 14 1 DVMRP 17 31 Dynamic policy profile assignment 18 2 E EAP pass through 18 2 18 13 EAPOL 18 17 F Flow Control 5 17 Forbidden VLAN port 8 13 G Getting Help xxx GVRP enabling and disabling 8 22 purpose of 8 19 timer 8 23 H Hardware show system 3 12 3 21 Hello Packets 17 17 Help keyword loo...

Page 606: ... reviewing 5 3 Power over Ethernet PoE configuring 3 27 Priority OSPF 17 14 VRRP 17 41 Priority to Transmit Queue Mapping 10 4 Prompt in router mode 15 2 set 3 19 Protocol Independant Multicast 17 44 PWA 18 57 R RADIUS 18 3 realm 18 6 RADIUS Filter ID 18 2 attribute formats 18 3 RADIUS server 18 5 18 8 Rapid Spanning Tree Protocol RSTP 7 1 Rate Limiting 10 9 Redistribute 17 9 17 24 Related Manuals...

Page 607: ...uring 2 4 VLANs assigning ingress filtering 8 9 assigning port VLAN IDs 8 6 authentication 18 41 18 45 classifying to 9 6 9 11 creating static 8 4 dynamic egress 8 16 egress lists 8 12 18 44 enabling GVRP 8 18 forbidden ports 8 13 host setting 8 16 ingress filtering 8 6 naming 8 5 RADIUS 18 41 secure management creating 8 1 VRRP configuration mode enabling 17 39 creating a session 17 39 enabling o...

Search results

Summary of Contents for SecureStack C2

Reviews:

Brands by name

Popular brands

Enterasys SecureStack C2, Configuration Manual

Search results

Summary of Contents for SecureStack C2

Reviews:

Brands by name

Popular brands