manualshive.com logo in svg

Motorola EX-3524, Cli Reference Manual

The Motorola EX-3524 is a high-performance Ethernet switch designed to meet your networking needs. This versatile device offers seamless connectivity and advanced features. To get started, simply visit manualshive.com to download the free installation manual, providing comprehensive instructions for easy setup and operation.

Share
Download
background image

Chapter 8

  |  General Security Measures

Web Authentication

–  236  –

Web Authentication

Web authentication allows stations to authenticate and access the network in 
situations where 802.1X or Network Access authentication are infeasible or 
impractical. The web authentication feature allows unauthenticated hosts to 
request and receive a DHCP assigned IP address and perform DNS queries. All other 
traffic, except for HTTP protocol traffic, is blocked. The switch intercepts HTTP 
protocol traffic and redirects it to a switch-generated web page that facilitates user 
name and password authentication via RADIUS. Once authentication is successful, 
the web browser is forwarded on to the originally requested web page. Successful 
authentication is valid for all hosts connected to the port.

Note:

 RADIUS authentication must be activated and configured for the web 

authentication feature to work properly (see 

“Authentication Sequence” on 

page 168

).

Note:

 Web authentication cannot be configured on trunk ports.

Table 49: Web Authentication  

Command

Function

Mode

web-auth login-attempts

Defines the limit for failed web authentication login 
attempts

GC

web-auth quiet-period

Defines the amount of time to wait after the limit for 
failed login attempts is exceeded.

GC

web-auth session-timeout

Defines the amount of time a session remains valid

GC

web-auth system-auth-control

Enables web authentication globally for the switch

GC

web-auth

Enables web authentication for an interface

IC

web-auth re-authenticate (Port)

Ends all web authentication sessions on the port and 
forces the users to re-authenticate

PE

web-auth re-authenticate (IP)

Ends the web authentication session associated with the 
designated IP address and forces the user to re-
authenticate

PE

show web-auth

Displays global web authentication parameters

PE

show web-auth interface

Displays interface-specific web authentication 
parameters and statistics

PE

show web-auth summary

Displays a summary of web authentication port 
parameters and statistics

PE

Summary of Contents for EX-3524

Page 1: ...www edge core com Motorola Solutions EX 3524 EX 3548 Layer 2 Gigabit Ethernet PoE PoE Switch CLI Reference Guide ...

Page 2: ......

Page 3: ...cribes the switch s command line interface CLI For more detailed information on the switch s key features refer to the System Reference Guide The guide includes these sections Section I Getting Started Includes information on initial configuration Section II Command Line Interface Includes all management options available through the CLI Section III Appendices Includes information on troubleshooti...

Page 4: ...o show information Note Emphasizes important information or calls your attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that could cause personal injury ...

Page 5: ...ing the Switch for Remote Management 39 Setting an IP Address 39 Enabling SNMP Management Access 44 Managing System Files 47 Upgrading the Operation Code 48 Saving or Restoring Configuration Settings 48 Configuring Automatic Installation of Operation Code and Configuration Settings 50 Downloading Operation Code from a File Server 50 Specifying a DHCP Client Identifier 52 Downloading a Configuratio...

Page 6: ... Completion 63 Getting Help on Commands 64 Partial Keyword Lookup 65 Negating the Effect of Commands 66 Using Command History 66 Understanding Command Modes 66 Exec Commands 66 Configuration Commands 67 Command Line Processing 69 Output Modifiers 69 CLI Command Groups 70 3 General Commands 73 prompt 73 reload Global Configuration 74 enable 75 quit 76 show history 76 configure 77 disable 78 reload ...

Page 7: ...p config 85 show system 86 show users 87 show version 88 Frame Size 89 jumbo frame 89 File Management 90 General Commands 91 boot system 91 copy 92 delete 95 dir 96 whichboot 97 Automatic Code Upgrade Commands 97 upgrade opcode auto 97 upgrade opcode path 98 show upgrade 99 Line 100 line 101 databits 101 exec timeout 102 login 103 parity 104 password 104 password thresh 105 silent time 106 speed 1...

Page 8: ...116 logging sendmail 117 logging sendmail host 117 logging sendmail level 118 logging sendmail destination email 119 logging sendmail source email 119 show logging sendmail 120 Time 120 SNTP Commands 121 sntp client 121 sntp poll 122 sntp server 122 show sntp 123 Manual Configuration Commands 124 clock summer time 124 clock timezone 125 clock timezone predefined 126 calendar set 126 show calendar ...

Page 9: ...snmp server 138 snmp server community 139 snmp server contact 139 snmp server location 140 show snmp 140 SNMP Target Host Commands 141 snmp server enable traps 141 snmp server host 142 SNMPv3 Commands 145 snmp server engine id 145 snmp server group 146 snmp server user 147 snmp server view 148 show snmp engine id 149 show snmp group 150 show snmp user 151 show snmp view 152 Notification Log Comman...

Page 10: ...able password 166 username 167 Authentication Sequence 168 authentication enable 168 authentication login 169 RADIUS Client 170 radius server acct port 170 radius server auth port 171 radius server host 171 radius server key 172 radius server retransmit 173 radius server timeout 173 show radius server 174 TACACS Client 174 tacacs server host 175 tacacs server key 175 tacacs server port 176 show ta...

Page 11: ...net max sessions 188 ip telnet port 189 ip telnet server 189 show ip telnet 190 Secure Shell 190 ip ssh authentication retries 193 ip ssh server 193 ip ssh server key size 194 ip ssh timeout 195 delete public key 195 ip ssh crypto host key generate 196 ip ssh crypto zeroize 197 ip ssh save host key 197 show ip ssh 198 show public key 198 show ssh 199 802 1X Port Authentication 200 General Commands...

Page 12: ...ax start 209 dot1x pae supplicant 210 dot1x timeout auth period 211 dot1x timeout held period 211 dot1x timeout start period 212 Information Display Commands 212 show dot1x 212 Management IP Filter 215 management 215 show management 216 8 General Security Measures 219 Port Security 220 port security 220 Network Access MAC Address Authentication 222 network access aging 223 network access mac filte...

Page 13: ...filter 235 Web Authentication 236 web auth login attempts 237 web auth quiet period 237 web auth session timeout 238 web auth system auth control 238 web auth 239 web auth re authenticate Port 239 web auth re authenticate IP 240 show web auth 240 show web auth interface 241 show web auth summary 241 DHCP Snooping 242 ip dhcp snooping 242 ip dhcp snooping information option 244 ip dhcp snooping inf...

Page 14: ...ction trust 261 show ip arp inspection configuration 262 show ip arp inspection interface 262 show ip arp inspection log 263 show ip arp inspection statistics 263 show ip arp inspection vlan 263 Denial of Service Protection 264 flow tcp udp port zero 264 show flow 265 Port based Traffic Segmentation 265 traffic segmentation 266 show traffic segmentation 267 9 Access Control Lists 269 IPv4 ACLs 269...

Page 15: ... to MAC ACL 284 mac access group 286 show mac access group 287 show mac access list 287 ARP ACLs 288 access list arp 288 permit deny ARP ACL 289 show arp access list 290 ACL Information 290 show access group 290 show access list 291 10 Interface Commands 293 Interface Configuration 294 interface 294 alias 295 capabilities 295 description 296 flowcontrol 297 giga phy mode 298 negotiation 299 shutdo...

Page 16: ...4 Dynamic Configuration Commands 315 lacp 315 lacp admin key Ethernet Interface 316 lacp port priority 317 lacp system priority 318 lacp admin key Port Channel 319 Trunk Status Display Commands 320 show lacp 320 12 Power over Ethernet Commands 325 power inline compatible 325 power inline 326 power inline maximum allocation 327 power inline priority 328 power inline time range 329 show power inline...

Page 17: ... traffic control alarm fire threshold 353 auto traffic control auto control release 354 auto traffic control control release 355 SNMP Trap Commands 355 snmp server enable port traps atc broadcast alarm clear 355 snmp server enable port traps atc broadcast alarm fire 356 snmp server enable port traps atc broadcast control apply 356 snmp server enable port traps atc broadcast control release 357 snm...

Page 18: ...ge 371 spanning tree mode 371 spanning tree pathcost method 373 spanning tree priority 373 spanning tree mst configuration 374 spanning tree transmission limit 374 max hops 375 mst priority 376 mst vlan 376 name 377 revision 378 spanning tree bpdu filter 378 spanning tree bpdu guard 379 spanning tree cost 380 spanning tree edge port 381 spanning tree link type 382 spanning tree loopback detection ...

Page 19: ...dden vlan 396 switchport gvrp 397 show bridge ext 397 show garp timer 398 show gvrp configuration 399 Editing VLAN Groups 399 vlan database 400 vlan 400 Configuring VLAN Interfaces 401 interface vlan 402 switchport acceptable frame types 403 switchport allowed vlan 403 switchport ingress filtering 404 switchport mode 405 switchport native vlan 406 vlan trunking 407 Displaying VLAN Information 408 ...

Page 20: ...ring Voice VLANs 421 voice vlan 421 voice vlan aging 422 voice vlan mac address 423 switchport voice vlan 424 switchport voice vlan priority 424 switchport voice vlan rule 425 switchport voice vlan security 426 show voice vlan 426 18 Class of Service Commands 429 Priority Commands Layer 2 429 queue mode 430 queue weight 431 switchport priority default 432 show queue mode 433 show queue weight 433 ...

Page 21: ...e 458 20 Multicast Filtering Commands 459 IGMP Snooping 459 ip igmp snooping 461 ip igmp snooping proxy reporting 461 ip igmp snooping querier 462 ip igmp snooping router alert option check 462 ip igmp snooping router port expire time 463 ip igmp snooping tcn flood 464 ip igmp snooping tcn query solicit 465 ip igmp snooping unregistered data flood 466 ip igmp snooping unsolicited report interval 4...

Page 22: ...atic Multicast Routing 478 ip igmp snooping vlan mrouter 478 IGMP Filtering and Throttling 479 ip igmp filter Global Configuration 479 ip igmp profile 480 permit deny 481 range 481 ip igmp filter Interface Configuration 482 ip igmp max groups 482 ip igmp max groups action 483 show ip igmp filter 484 show ip igmp profile 484 show ip igmp throttle interface 485 Multicast VLAN Registration 486 mvr 48...

Page 23: ...dot1 tlv vlan name 503 lldp dot3 tlv link agg 504 lldp dot3 tlv max frame 504 lldp dot3 tlv poe 505 lldp med location civic addr 506 lldp med notification 507 lldp med tlv ext poe 508 lldp med tlv inventory 509 lldp med tlv location 509 lldp med tlv med cap 510 lldp med tlv network policy 510 lldp notification 511 show lldp config 512 show lldp info local device 513 show lldp info remote device 51...

Page 24: ...show dns 529 show dns cache 529 show hosts 530 24 DHCP Commands 531 DHCP Client 531 DHCP for IPv4 532 ip dhcp client class id 532 ip dhcp restart client 532 show ip dhcp client identifier 533 DHCP for IPv6 534 ipv6 dhcp client rapid commit vlan 534 ipv6 dhcp restart client vlan 534 show ipv6 dhcp duid 536 show ipv6 dhcp vlan 536 25 IP Interface Commands 537 IPv4 Interface 537 Basic IPv4 Configurat...

Page 25: ...g 551 ipv6 address eui 64 552 ipv6 address link local 554 ipv6 enable 555 ipv6 mtu 556 show ipv6 default gateway 557 show ipv6 interface 558 show ipv6 mtu 559 show ipv6 traffic 560 clear ipv6 traffic 564 ping6 565 Neighbor Discovery 566 ipv6 hop limit 566 ipv6 nd dad attempts 566 ipv6 nd ns interval 568 ipv6 nd reachable time 569 clear ipv6 neighbors 570 show ipv6 neighbors 570 26 IP Routing Comma...

Page 26: ... 579 Using System Logs 580 B License Information 581 The GNU General Public License 581 GNU Lesser General Public License version 3 0 584 The BSD License 586 Open Source Software Used 587 ISC License 587 C Customer Support 593 Motorola Solutions Enterprise Mobility Support Center 593 Customer Support Web Site 593 Manuals 593 Glossary 595 Index of CLI Commands 603 Index 609 ...

Page 27: ... 27 Figures Figure 1 Storm Control by Limiting the Traffic Rate 348 Figure 2 Storm Control by Shutting Down a Port 349 Figure 3 Configuring VLAN Trunking 407 ...

Page 28: ...Figures 28 ...

Page 29: ...Table 13 Frame Size Commands 89 Table 14 Flash File Commands 90 Table 15 File Directory Information 96 Table 16 Line Commands 100 Table 17 Event Logging Commands 110 Table 18 Logging Levels 111 Table 19 show logging flash ram display description 116 Table 20 show logging trap display description 116 Table 21 Event Logging Commands 116 Table 22 Time Commands 120 Table 23 Time Range Commands 128 Tab...

Page 30: ...5 General Security Commands 219 Table 46 Management IP Filter Commands 220 Table 47 Network Access Commands 222 Table 48 Dynamic QoS Profiles 225 Table 49 Web Authentication 236 Table 50 DHCP Snooping Commands 242 Table 51 IP Source Guard Commands 250 Table 52 ARP Inspection Commands 255 Table 53 DoS Protection Commands 264 Table 54 Commands for Configuring Traffic Segmentation 265 Table 55 Access...

Page 31: ...1 Default STA Path Costs 380 Table 82 VLAN Commands 393 Table 83 GVRP and Bridge Extension Commands 394 Table 84 show bridge ext display description 398 Table 85 Commands for Editing VLAN Groups 399 Table 86 Commands for Configuring VLAN Interfaces 401 Table 87 Commands for Displaying VLAN Information 408 Table 88 802 1Q Tunneling Commands 409 Table 89 Protocol based VLAN Commands 413 Table 90 IP ...

Page 32: ...22 Table 112 Address Table Commands 523 Table 113 show dns cache display description 529 Table 114 show hosts display description 530 Table 115 DHCP Commands 531 Table 116 DHCP Client Commands 531 Table 117 IP Interface Commands 537 Table 118 IPv4 Interface Commands 537 Table 119 Basic IP Configuration Commands 538 Table 120 Address Resolution Protocol Commands 545 Table 121 IPv6 Configuration Com...

Page 33: ...ction I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP This section includes these chapters Initial Switch Configuration on page 35 ...

Page 34: ...Section I Getting Started 34 ...

Page 35: ...et Explorer 6 Mozilla Firefox 4 or Google Chrome 29 or more recent versions The switch s web management interface can be accessed from any computer attached to the network The CLI program can be accessed by a direct connection to the RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Managemen...

Page 36: ...oring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible terminal or a PC running a terminal emulation program to the switch You can use the console cable provided with this package or use a null modem cable that complies with the wiring assignments shown in the Installation Guide To connect a terminal to the console port complete the follow...

Page 37: ... password perform these steps 1 To initiate your console connection press Enter The User Access Verification procedure starts 2 At the Username prompt enter motorola 3 At the Password prompt also enter admin The password characters are not displayed on the console screen 4 The session is opened and the CLI displays the Console prompt indicating you have access at the Privileged Exec level Setting ...

Page 38: ...ch includes ports 1 28 52 When configuring the network interface the IP address subnet mask and default gateway may all be set using a console connection or DHCP protocol as described in the following sections An IPv4 address for this switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignment via DHCP see Setting an IP Address on page 39 After co...

Page 39: ... address for use in a network containing more than one subnet can obtained through the DHCPv6 server or manually configured as described in Assigning an IPv6 Address on page 40 Manual Configuration You can manually assign an IP address to the switch You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment Valid IP...

Page 40: ...on on the other ways to assign IPv6 addresses see IPv6 Interface on page 548 Link Local Address All link local addresses must be configured with a prefix in the range of FE80 FEBF Remember that this address type makes the switch accessible over IPv6 for all devices attached to the same local subnet only Also if the switch detects that the address you configured conflicts with that in use by anothe...

Page 41: ...6 addresses that start with the first byte of 73 hexadecimal could be expressed as 73 0 0 0 0 0 0 0 8 or 73 8 To generate an IPv6 global unicast address for the switch complete the following steps 1 From the global configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 From the interface prompt type ipv6 address ipv6 address or ipv6 address ipv6 ad...

Page 42: ... gateway If the DHCP BOOTP server is slow to respond you may need to use the ip dhcp restart client command to re start broadcasting service requests Note that the ip dhcp restart client command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP It may be necessary to use this command when DHCP is configured on a VLA...

Page 43: ...n IPv6 Address Link Local Address There are several ways to configure IPv6 addresses The simplest method is to automatically generate a link local address identified by an address prefix in the range of FE80 FEBF This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet To generate an IPv6 link local address for the switch complete the following step...

Page 44: ...onfig if ipv6 enable Console config if end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local address FE80 212 CFFF FE0B 4600 64 Global unicast address es 2001 DB8 2222 7272 2E0 CFF FE00 FD 64 subnet is 2001 DB8 2222 7272 64 AUTOCONFIG valid lifetime 2591978 preferred lifetime 604778 Joined group address es FF02 1 FF00 FD FF02 1 FF11 6700 FF02 1 MTU is 1500 bytes ND DAD is enabled...

Page 45: ...fault strings are public with read only access Authorized management stations are only able to retrieve MIB objects private with read write access Authorized management stations are able to both retrieve and modify MIB objects To prevent unauthorized access to the switch from SNMP version 1 or 2c clients it is recommended that you change the default community strings To configure a community strin...

Page 46: ...g Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients you need to first create a view that defines the portions of MIB that the client can read or write assign the view to a group and then assign the user to a group The following example creates one view called mib 2 that includes the entire MIB 2 tree branch and then another view that includes the IEEE 802 1d bridg...

Page 47: ...toring Configuration Settings on page 48 for more information Operation Code System software that is executed after boot up also known as run time code This code runs the switch operations and provides the CLI and web management interfaces Diagnostic Code Software that is run during system boot up also known as POST Power On Self Test Note The Boot ROM and Loader cannot be uploaded or downloaded f...

Page 48: ... Time Size bytes Unit 1 m360 bix OpCode Y 2013 02 25 15 41 04 25812529 m355 bix OpCode N 2012 12 04 13 23 59 25783857 Factory_Default_Config cfg Config N 2012 12 04 13 18 37 455 startup1 cfg Config Y 2013 03 21 05 39 15 3463 Free space for compressed user config files 1593241600 Console Saving or Restoring Configuration Settings Configuration commands only modify the running configuration file and...

Page 49: ...p config Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console To restore configuration settings from a backup server enter the following command 1 From the Privileged Exec mode prompt type copy tftp startup config and press Enter 2 Enter the address of the TFTP server Press Enter 3 Enter the name of the startup file stored on the server Press Ent...

Page 50: ...s e g ftp 192 168 0 1 The file name must not be included in the upgrade file location URL The file name of the code stored on the remote server must be ECS4620 28T bix using lower case letters as indicated The FTP connection is made with PASV mode enabled PASV mode is needed to traverse some fire walls even if FTP traffic is not blocked PASV mode cannot be disabled The switch based search function...

Page 51: ...to the file system The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image To enable automatic upgrade enter the following commands 1 Specify the TFTP or FTP server to check for new operation code When specifying a TFTP server the...

Page 52: ...itten by the new version b After the image has been downloaded the switch will send a trap message to log whether or not the upgrade operation was successful c It sets the new version as the startup image d It then restarts the system to start using the new image Console config upgrade opcode auto Console config 4 Display the automatic upgrade settings Console show upgrade Auto Image Upgrade Globa...

Page 53: ...and the TFTP servers where that file can be accessed If the Factory Default Configuration file is used to provision the switch at startup in addition to requesting IP configuration settings from the DHCP server it will also ask for the name of a bootup configuration file and TFTP servers where that file is stored If the switch receives information that allows it to download the remote bootup file ...

Page 54: ... following configuration example is provided for a Linux based DHCP daemon dhcpd conf file In the Vendor class section the server will always send Option 66 and 67 to tell the switch to download the test configuration file from server 192 168 255 101 ddns update style ad hoc default lease time 600 max lease time 7200 log facility local7 server name Server1 Server identifier 192 168 255 250 option ...

Page 55: ... You can also manually set the clock If the clock is not set manually or via SNTP or NTP the switch will only record the time from the factory default set at the last bootup When the SNTP client is enabled the switch periodically sends a request for a time update to a configured time server You can configure up to three time server IP addresses The switch will attempt to poll each server in the co...

Page 56: ...l 60 Console config sntp server 10 1 0 19 Console config exit Console show sntp Current Time Apr 2 16 06 07 2013 Poll Interval 60 seconds Current Mode Unicast SNTP Status Enabled SNTP Server 10 1 0 19 Current Server 10 1 0 19 Console Configuring NTP Requesting the time from a an NTP server is the most secure method You can enable NTP authentication to ensure that reliable updates are received from...

Page 57: ... Mar 12 02 41 01 2013 UTC NTP Server 192 168 0 88 version 3 NTP Server 192 168 3 21 version 3 NTP Server 192 168 4 22 version 3 key 19 NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885 Current Time Apr 2 16 28 34 2013 Polling 1024 seconds Current Mode unicast NTP Status Enabled NTP Authenticate Status Enabled Last Update NTP Server 192 168 5 23 Port 0 Last Update Time Apr 2 16 00 00 2013...

Page 58: ...Chapter 1 Initial Switch Configuration Setting the System Clock 58 ...

Page 59: ...n page 137 Remote Monitoring Commands on page 157 Authentication Commands on page 165 General Security Measures on page 219 Access Control Lists on page 269 Interface Commands on page 293 Link Aggregation Commands on page 313 Power over Ethernet Commands on page 325 Port Mirroring Commands on page 333 Congestion Control Commands on page 343 Address Table Commands on page 361 Spanning Tree Commands...

Page 60: ...rvice Commands on page 441 Multicast Filtering Commands on page 459 LLDP Commands on page 493 CDP Commands on page 517 Domain Name Service Commands on page 523 DHCP Commands on page 531 IP Interface Commands on page 537 IP Routing Commands on page 573 ...

Page 61: ...sole prompt enter the user name and password The default user names are motorola and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal access ...

Page 62: ...254 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing th...

Page 63: ...ach command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username motorola password 0 smith Minimum Abbreviation T...

Page 64: ...maps cluster Display cluster dns DNS information dot1q tunnel dot1q tunnel dot1x 802 1X content flow Shows packet flow information garp GARP properties gvrp GVRP interface information history Shows history information hosts Host information interfaces Shows interface information ip IP information ipv6 IPv6 information lacp LACP statistics line TTY line information lldp LLDP log Log records logging...

Page 65: ...show The command show interfaces will display the following information Console show interfaces brief Shows brief interface description counters Interface counters information protocol vlan Protocol VLAN information status Shows interface status switchport Shows interface switchport information transceiver Interface of transceiver information Console Show commands which display more than one page ...

Page 66: ...ameters or enable certain switching functions These classes are further divided into different modes Available commands depend on the selected mode You can always enter a question mark at the prompt to display a list of the commands available for the current mode The command classes and associated modes are displayed in the following table Exec Commands When you open a new console session on the s...

Page 67: ...e not saved when the switch is rebooted To store the running configuration in non volatile storage use the copy running config startup config command The configuration commands are organized into different modes Global Configuration These commands modify the system level configuration and include commands such as hostname and snmp server community Access Control List Configuration These commands a...

Page 68: ...ivileged Exec mode For example you can use the following commands to enter interface configuration mode and then return to Privileged Exec mode Console config interface ethernet 1 5 Console config if exit Console config Table 4 Configuration Command Modes Mode Command Prompt Page Line line console vty Console config line 101 Access Control List access list ip standard access list ip extended acces...

Page 69: ...re to be excluded or in lines that are to be included Console show running config begin Begin with line that matches exclude Exclude lines that match include Include lines that match Table 5 Keystroke Commands Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shif...

Page 70: ...y Measures Segregates traffic for clients attached to common data ports and prevents unauthorized access by configuring valid static or dynamic addresses web authentication MAC address authentication filtering DHCP requests and replies and discarding invalid ARP responses 219 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code IP...

Page 71: ...ound robin relative weightfor each priority queue also sets priority for DSCP 429 Quality of Service Configures Differentiated Services 441 Multicast Filtering Configures IGMP multicast filtering query profile and proxy parameters specifies portsattachedtoamulticastrouter also configures multicast VLAN registration 459 Link Layer Discovery Protocol Configures LLDP settings to enable information di...

Page 72: ...Chapter 2 Using the Command Line Interface CLI Command Groups 72 ...

Page 73: ...m at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffer NE PE configure Activates global configuration mode PE disable Returns to normal mode from privileged mode PE reload Restarts the system immediately PE show reload Displays the current reload settings and the tim...

Page 74: ...ute period daily weekly day of week monthly day cancel at in regularity reload at A specified time at which to reload the switch hour The hour at which to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at which to reload Range 1970 2037 reload in An interval a...

Page 75: ...inutes Console config reload in minute 30 Rebooting at January 1 02 10 43 2007 Are you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additional information See Understanding Command Modes on page 66 Syntax enable level level Privilege level to log into the devi...

Page 76: ...ault Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Example This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username show history This command shows the contents of the command history buffer Default Setting None Command Mode Normal Exec Privileged...

Page 77: ...story buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the other c...

Page 78: ...ed to the end of the prompt to indicate that the system is in normal access mode Example Console disable Console Related Commands enable 75 reload Privileged Exec This command restarts the system Note When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config comman...

Page 79: ...ays 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode Default Setting None Command Mode Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console config if end Console exit ...

Page 80: ... Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username ...

Page 81: ...les support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud rate and console time out Event Logging Controls logging of error messages SMTP Alerts Configures SMTP email alerts Time System Clock Sets the system clock automatically via NTP SNTP server or manually Time Range Sets a time range for u...

Page 82: ... as shown in the example below Using the no form of either command will restore the default command line prompt Example Console config hostname RD 1 RD 1 config System Status This section describes commands used to display system information Table 10 System Status Commands Command Function Mode show access list tcam utilization Shows utilization parameters for TCAM PE show memory Shows memory util...

Page 83: ...ard filter rule for a port the system will also use two PCEs Example Console show access list tcam utilization Total Policy Control Entries 512 Free Policy Control Entries 352 Entries Used by System 160 Entries Used by User 0 TCAM Utilization 31 25 Console show memory This command shows memory utilization parameters Command Mode Normal Exec Privileged Exec Command Usage This command shows the amou...

Page 84: ...key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information MAC address for the switch SNTP server settings SNMP community strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning ...

Page 85: ...face vlan 1 ip address 192 168 1 10 255 255 255 0 queue mode strict wrr 0 0 0 1 line console line vty end Console Related Commands show startup config 85 show startup config This command displays the configuration file stored in non volatile memory that is used to start up the system Command Mode Privileged Exec Command Usage Use this command in conjunction with the show running config command to ...

Page 86: ...ne Command Mode Normal Exec Privileged Exec Command Usage The POST results should all display PASS If any POST test indicates FAIL contact your distributor for assistance The number of fans provided EX 3524 2 EX 3548 3 Example Console show system System Description EX 3524 Managed POE POE Switch System OID String 1 3 6 1 4 1 388 19 101 System Information System Up Time 0 days 5 hours 45 minutes an...

Page 87: ...em Description Brief description of device type System OID String MIB II object ID for switch s network management subsystem System Up Time Length of time the management agent has been up System Name Name assigned to the switch system System Location Specifies the system location System Contact Administrator responsible for the system MAC Address MAC address assigned to this switch Web Server Port...

Page 88: ...us Up Role Master Loader Version 4 0 0 0 01R Linux Kernel Version 2 6 22 18 Operation Code Version 4 0 0 0 03R Console Table 12 show version display description Parameter Description Serial Number The serial number of the switch Hardware Version Hardware version of the main board CPLD Version Version number of Complex Programmable Logic Device Number of Ports Number of built in ports Main Power St...

Page 89: ...Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to ac...

Page 90: ... The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be copied to the FTP TFTP server but cannot be used as the destination on the switch Table 14 Flash File Commands Command Function Mode General Com...

Page 91: ...ROM config Configuration file opcode Run time operation code filename Name of configuration file or code image The colon is required Default Setting None Command Mode Global Configuration Command Usage A colon is required after the specified file type If the file contains an error it cannot be set as the default file Example Console config boot system config startup Console config Related Commands...

Page 92: ... an FTP server https certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell on page 190 running config Keyword that allows you to copy to from the current running configuration startup config The configuration used for system initialization tftp Keyword that allows you to copy to from a ...

Page 93: ...e server command When logging into an FTP server the interface prompts for a user name and password configured on the remote server Note that anonymous is set as the default user name Example The following example shows how to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 2 Source file name m360 bix Destination f...

Page 94: ...his example shows how to copy a secure site certificate from an TFTP server It then reboots the switch to activate the certificate Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public ...

Page 95: ...LANC BIX Console delete This command deletes a file or image Syntax delete filename filename Name of configuration file or code image Default Setting None Command Mode Privileged Exec Command Usage If the file type is used for system startup then this file cannot be deleted Factory_Default_Config cfg cannot be deleted Example This example shows how to delete the test2 cfg configuration file from f...

Page 96: ... files File information is shown below Example The following example shows how to display all file information Console dir File Name Type Startup Modify Time Size bytes Unit 1 EX3524_Op_V0 0 0 2 bix OpCode Y 2013 10 18 05 21 23 7499044 Factory_Default_Config cfg Config N 2013 10 18 01 43 38 517 startup1 cfg Config Y 2013 10 16 10 46 12 3559 Free space for compressed user config files 573440 Used s...

Page 97: ...ode Upgrade Commands upgrade opcode auto This command automatically upgrades the current operational code when a new version is detected on the server indicated by the upgrade opcode path command Use the no form of this command to restore the default setting Syntax no upgrade opcode auto Default Setting Disabled Command Mode Global Configuration Command Usage This command is used to enable or disa...

Page 98: ...sole config upgrade opcode auto Console config upgrade opcode path tftp 192 168 0 1 sm24 Console config If a new image is found at the specified location the following type of messages will be displayed during bootup Automatic Upgrade is looking for a new image New image detected current version 1 0 1 5 new version 1 1 2 0 Image upgrade in progress The switch will restart after upgrade succeeds Do...

Page 99: ...g syntax must be used where filedir indicates the path to the directory containing the new image ftp username password 192 168 0 1 filedir If the user name is omitted anonymous will be used for the connection If the password is omitted a null string will be used for the connection Example This shows how to specify a TFTP server where new code is stored Console config upgrade opcode path tftp 192 1...

Page 100: ... generated by hardware LC exec timeout Sets the interval that the command interpreter waits until user input is detected LC login Enables password checking at login LC parity Defines the generation of a parity bit LC password Specifies a password on a line LC password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC silent time These commands only ap...

Page 101: ...hown as VTY in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Console config line console Console config line Related Commands show line 109 show users 87 databits This command sets the number of data bits per character that are interpreted and generated by t...

Page 102: ...input is detected Use the no form to restore the default Syntax exec timeout seconds no exec timeout seconds Integer that specifies the timeout interval Range 0 65535 seconds 0 no timeout Default Setting CLI No timeout Telnet 10 minutes Command Mode Line Configuration Command Usage If user input is detected within the timeout interval the session is kept open otherwise the session is terminated Th...

Page 103: ...mmand When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When using this method the management interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 or 15 respectively no login selects no authentication ...

Page 104: ... as terminals and modems often require a specific parity bit setting Example To specify no parity enter this command Console config line parity none Console config line password This command specifies the password for a line Use the no form to remove the password Syntax password 0 7 password no password 0 7 0 means plain password 7 means encrypted password password Character string that specifies ...

Page 105: ... There is no need for you to manually configure encrypted passwords Example Console config line password 0 secret Console config line Related Commands login 103 password thresh 105 password thresh This command sets the password intrusion threshold which limits the number of failed logon attempts Use the no form to remove the threshold value Syntax password thresh threshold no password thresh thres...

Page 106: ...ter the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command Use the no form to remove the silent time value Syntax silent time seconds no silent time seconds The number of seconds to disable console response Range 0 65535 where 0 means disabled Default Setting 30 seconds Command Mode Line Configuration Example To set the silent time to 60 seconds enter th...

Page 107: ...ort might not be supported The system indicates if the speed you selected is not supported If you select the auto option the switch will automatically detect the baud rate configured on the attached terminal and adjust the speed accordingly Note Auto detection of baud rate is only performed at user log in Note Due to a hardware limitation the terminal program connected to the console port must be ...

Page 108: ...onds Integer that specifies the timeout interval Range 0 300 seconds for CLI 1 300 seconds for Telnet Default Setting CLI Disabled 0 seconds Telnet 300 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout interval the connection is terminated for the session This command applies to both the local console and Telnet connections The timeout for ...

Page 109: ...for an active session will disconnect an SSH or Telnet connection Example Console disconnect 1 Console Related Commands show ssh 199 show users 87 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec ...

Page 110: ...indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Table 17 Event Logging Commands Command Function Mode logging facility Setsthe facility type forremote loggingof syslogmessages GC logging history Limits syslog messages saved to switch memory based on severity GC logging host Adds a s...

Page 111: ...ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset level One of the levels listed below Messages sent include the selected level down to level 0 Range 0 7 Default Setting Flash errors level 3 0 RAM debugging level 7 0 Command Mode Global Configuration Table 18 Logging Levels Level Severity Name Description...

Page 112: ... host Syntax no logging host host ip address host ip address The IPv4 or IPv6 address of a syslog server Default Setting None Command Mode Global Configuration Command Usage Use this command more than once to build up a list of host IP addresses The maximum number of host IP addresses allowed is five Example Console config logging host 10 1 0 3 Console config logging on This command controls loggi...

Page 113: ...ssages to a remote server or limits the syslog messages saved to a remote server based on severity Use this command without a specified level to enable remote logging Use the no form to disable remote logging Syntax logging trap level level no logging trap level level One of the syslog severity levels listed in the table on page 111 Messages sent include the selected level through level 0 Default ...

Page 114: ...d Commands show log 114 show log This command displays the log messages stored in local memory Syntax show log flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset Default Setting None Command Mode Privileged Exec Command Usage All log messages are retained in RAM and Flash after a warm restart i e pow...

Page 115: ...ndmail trap flash Displays settings for storing event messages in flash memory i e permanent memory ram Displays settings for storing event messages in temporary RAM i e memory flushed on power reset sendmail Displays settings for the SMTP event handler page 120 trap Displays settings for the trap function Default Setting None Command Mode Privileged Exec Example The following example shows that s...

Page 116: ...f system logging has been enabled via the logging on command History logging in FLASH The message level s reported based on the logging history command History logging in RAM The message level s reported based on the logging history command Table 20 show logging trap display description Field Description Remote Log Status Shows if remote logging has been enabled via the logging trap command Remote...

Page 117: ...sername password password auth basic host IP address of an SMTP server that will be sent alert messages for event handling username Name of SMTP server user Range 1 64 characters password Password of SMTP server user Range 1 64 characters auth basic Indicates that Base 64 encoding is used Default Setting None logging sendmail level Severity threshold used to trigger alert messages GC logging sendm...

Page 118: ...in If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example Console config logging sendmail host 192 168 1 19 Console config logging sendmail level This command sets the severity threshold used to trigger alert messages Use the no form to restore the default setting Syntax logging sendmail level...

Page 119: ...ters Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Example Console config logging sendmail destination email ted this company com Console config logging sendmail source email This command sets the email address used for the From field in alert messages...

Page 120: ...dresses ted this company com SMTP Source Email Address bill this company com SMTP Status Enabled Console Time The system clock can be dynamically set by polling a set of specified time servers NTP or SNTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries If the clock is not set the switch will only record the time from the fact...

Page 121: ...ver command It issues time synchronization requests based on the interval set via the sntp poll command Example Console config sntp server 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Current Mode unicast SNTP Status Enabled SNTP Server 137 92 140 80 0 0 0 0 0 0 0 0 Manual Configuration Comm...

Page 122: ...nge 16 16384 seconds Default Setting 16 seconds Command Mode Global Configuration Example Console config sntp poll 60 Console Related Commands sntp client 121 sntp server This command sets the IP address of the servers to which SNTP time requests are issued Use the this command with no arguments to clear all time servers from the current list Use the no form to clear all time servers from the curr...

Page 123: ... Console Related Commands sntp client 121 sntp poll 122 show sntp 123 show sntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronization requests and t...

Page 124: ...minute summer time will begin Range 0 59 minutes e date Day of the month when summer time will end Range 1 31 e month The month when summer time will end Options january february march april may june july august september october november december e year The year summer time will end e hour The hour summer time will end Range 0 23 hours e minute The minute summer time will end Range 0 59 minutes o...

Page 125: ... after UTC Range 0 12 hours before UTC 0 13 hours after UTC minutes Number of minutes before after UTC Range 0 59 minutes before utc Sets the local time zone before east of UTC after utc Sets the local time zone after west of UTC Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time UTC formerly Greenwi...

Page 126: ... Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Console config clock tim...

Page 127: ... clock cannot be manually configured Example This example shows how to set the system clock to 15 12 34 February 1st 2012 Console calendar set 15 12 34 1 February 2012 Console show calendar This command displays the system clock Default Setting None Command Mode Normal Exec Privileged Exec Example Console show calendar Current Time Nov 20 13 05 50 2012 Time Zone GMT Greenwich Mean Time Dublin Edin...

Page 128: ...ng None Command Mode Global Configuration Command Usage This command sets a time range for use by other functions such as Access Control Lists A maximum of seven rules can be configured for a time range Example Console config time range r d Console config time range Related Commands Access Control Lists 269 Table 23 Time Range Commands Command Function Mode time range Specifies the name of a time ...

Page 129: ...year Year 4 digit Range 2009 2037 Default Setting None Command Mode Time Range Configuration Command Usage If a time range is already configured you must use the no form of this command to remove the current entry prior to configuring a new time range If both an absolute rule and one or more periodic rules are configured for the same time range i e named entry that entry will only take effect if t...

Page 130: ...Weekdays weekend Weekends hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 Default Setting None Command Mode Time Range Configuration Command Usage If a time range is already configured you must use the no form of this command to remove the current entry prior to configuring a new time range If both an absolute rule and one or more periodic rules are configured for the same time ran...

Page 131: ...pe as long as they are connected to the same local network Using Switch Clustering A switch cluster has a primary unit called the Commander which is used to manage all other Member switches in the cluster The management station can use either Telnet or the web interface to communicate directly with the Table 24 Switch Cluster Commands Command Function Mode cluster Configures clustering on the swit...

Page 132: ...99 2 Add the participating ports to this VLAN see Configuring VLAN Interfaces on page 401 and set them to hybrid mode tagged members PVID 1 and acceptable frame type all Note Cluster Member switches can be managed either through a Telnet connection to the Commander or through a web management connection to the Commander When using a console connection from the Commander CLI prompt use the rcommand...

Page 133: ...h as cluster Commander Syntax no cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate switches only become cluster Members when manually selected by the administrator through the management station Cluster Member ...

Page 134: ...Member IDs can only be between 1 and 36 Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander You cannot change the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled Example ...

Page 135: ...a cluster Member CLI for configuration Syntax rcommand id member id member id The ID number of the Member switch Range 1 36 Command Mode Privileged Exec Command Usage This command only operates through a Telnet connection to the Commander switch Managing cluster Members using the local console CLI on the Commander is not supported There is no need to enter the username and password for access to t...

Page 136: ...cluster members Command Mode Privileged Exec Example Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 E0 0C 00 00 FE Description EX 3524 Managed POE POE Switch Console show cluster candidates This command shows the discovered Candidate switches in the network Command Mode Privileged Exec Example Console show cluster candidates Cluster Cand...

Page 137: ...ommands Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string GC show snmp Displays the status of SNMP communications NE PE SNMP Target Host Commands snmp server enable t...

Page 138: ... port traps atc broadcast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snmp server enable port traps atc broadcast control release Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port snmp server en...

Page 139: ...thorized management stations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Command...

Page 140: ...se the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Console config snmp server location WC 19 Console config Related Commands snmp server contact 139 show snmp This command can be used to check the status of SN...

Page 141: ... for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get request PDUs 0 Get next PDUs 0 Set request PDUs 0 SNMP packets output 0 Too big errors 0 No such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging Disabled Console SNMP Target Host Commands snmp server enable traps This command enables this devi...

Page 142: ...on 3 hosts they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp server group command Example Console config snmp server enable traps link up down Console config Related Commands snmp server host 142 snmp server host This command specifies the recipient of a Simple Network Management Protocol notification operation Use the no form to remove the ...

Page 143: ... you must enter at least one snmp server host command In order to enable multiple hosts you must issue a separate snmp server host command for each host The snmp server host command is used in conjunction with the snmp server enable traps command Use the snmp server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally For a host t...

Page 144: ...view page 146 5 Allow the switch to send SNMP traps i e notifications page 141 6 Specify the target host that will receive inform messages with the snmp server host command as described in this section The switch can send SNMP Version 1 2c or 3 notifications to a host IP address depending on the SNMP version that the management station supports If the snmp server host command does not specify the ...

Page 145: ...gine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See the snmp server host command The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host SNMP passwords...

Page 146: ...hentication and privacy See Simple Network Management Protocol in the System Reference Guide for further information about these authentication and encryption options readview Defines the view for read access 1 32 characters writeview Defines the view for write access 1 32 characters notifyview Defines the view for notifications 1 32 characters Default Setting Default groups public1 read only priv...

Page 147: ...ypted auth md5 sha auth password priv des56 priv password no snmp server user username v1 v2c v3 remote username Name of user connecting to the SNMP agent Range 1 32 characters groupname Name of an SNMP group to which the user is assigned Range 1 32 characters remote Specifies an SNMP engine on a remote device ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or ...

Page 148: ... The remote agent s SNMP engine ID is used to compute authentication privacy digests from the user s password If the remote engine ID is not first configured the snmp server user command specifying a remote user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remot...

Page 149: ...ded Console config This view includes the MIB 2 interfaces table ifDescr The wild card is used to select all the index values in this table Console config snmp server view ifEntry 2 1 3 6 1 2 1 2 2 1 2 included Console config This view includes the MIB 2 interfaces table and the mask selects all index entries Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config sho...

Page 150: ... volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Group Name private Security Model v2c Table 26 show snmp engine id display description Field Descript...

Page 151: ...er EngineId 80000000030004e2b316c54321 User Name mark Authentication Protocol mdt Privacy Protocol des56 Storage Type nonvolatile Row Status active Console Table 27 show snmp group display description Field Description Group Name Name of an SNMP group Security Model The SNMP version Read View The associated read view Write View The associated write view Notify View The associated notify view Stora...

Page 152: ...he authentication protocol used with SNMPv3 Privacy Protocol The privacy protocol used with SNMPv3 Storage Type The storage type for this entry Row Status The row status of this entry SNMP remote user A user associated with an SNMP engine on a remote device Table 28 show snmp user display description Continued Field Description Table 29 show snmp view display description Field Description View Nam...

Page 153: ...t delete the entries stored in the notification log Example This example enables the notification logs A1 and A2 Console config nlm A1 Console config nlm A2 Console config snmp server notify filter This command creates an SNMP notification log Use the no form to remove this log Syntax no snmp server notify filter profile name remote ip address profile name Notification log profile name Range 1 32 ...

Page 154: ...mmand and nlm command and these commands stored in the startup configuration file Then when the switch reboots SNMP traps such as warm start can now be logged When this command is executed a notification log is created with the default parameters defined in RFC 3014 Notification logging is enabled by default see the nlm command but will not start recording information until a logging profile speci...

Page 155: ... Name A2 Oper Status Operational Console show snmp notify filter This command displays the configured notification logs Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts Note that the last entry is a default filter created when a trap host is initially created Console show snmp notify filter Filter profile name IP address A1 10 ...

Page 156: ...Chapter 5 SNMP Commands Notification Log Commands 156 ...

Page 157: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent then periodically communicates with the switch using the SNMP protocol However if the switch encounters a critical event it can automatically send a trap message to the management agent which can then re...

Page 158: ...the sampling period delta The last sample is subtracted from the current value and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 0 2147483647 event index The index of the event to use if an alarm is triggered If there is no corresponding entry in the event control table then no event will be generated Range 0 65535 name Name of the pe...

Page 159: ...t for an alarm Use the no form to remove an event Syntax rmon event index log trap community description string owner name no rmon event index index Index to this entry Range 1 65535 log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see Event Logging on page 110 trap Sends a trap message to all confi...

Page 160: ...ets number interval seconds interval seconds owner name buckets number interval seconds no rmon collection history controlEntry index index Index to this entry Range 1 65535 number The number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name of the person who created this entry Range 1 127 characters Default Setting 1 3 6 1 2 1 16 1 1 1 6...

Page 161: ...g if rmon collection history controlEntry 15 Console config if end Console show running config interface ethernet 1 5 rmon collection history controlEntry 15 buckets 50 interval 1800 interface ethernet 1 8 no rmon collection history controlEntry 15 Example Console config interface ethernet 1 1 Console config if rmon collection history controlentry 21 buckets 24 interval 60 owner mike Console confi...

Page 162: ...how rmon alarms This command shows the settings for all configured alarms Command Mode Privileged Exec Example Console show rmon alarms Alarm 1 is valid owned by Monitors 1 3 6 1 2 1 16 1 1 1 6 1 every 30 seconds Taking delta samples last value was 0 Rising threshold is 892800 assigned to event 0 Falling threshold is 446400 assigned to event 0 show rmon events This command shows the settings for a...

Page 163: ...ns of dropped packet events is 0 Network utilization is estimated at 0 show rmon statistics This command shows the information collected for all configured entries in the statistics group Command Mode Privileged Exec Example Console show rmon statistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Received 164289 octets 2372 packets 120 broadcast and 2211 multicast pa...

Page 164: ...Chapter 6 Remote Monitoring Commands 164 ...

Page 165: ... and passwords for management access Authentication Sequence Defines logon authentication method and precedence RADIUS Client Configures settings for authentication via a RADIUS server TACACS Client Configures settings for authentication via a TACACS server AAA Configures authentication authorization and accounting for network access Web Server Enables management access via a web browser Telnet Se...

Page 166: ...l Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You cannot set a null password You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command The encrypted password is required for compatibility with leg...

Page 167: ...rypted password password password The authentication password for the user Maximum length 32 characters plain text or encrypted case sensitive Default Setting The default access level is Normal Exec The factory defaults for the user names and passwords are Command Mode Global Configuration Command Usage The encrypted password is required for compatibility with legacy password settings i e plain te...

Page 168: ... uses TCP UDP only offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privil...

Page 169: ...DIUS uses UDP while TACACS uses TCP UDP only offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The use...

Page 170: ...t port This command sets the RADIUS server network port for accounting messages Use the no form to restore the default Syntax radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accounting messages Range 1 65535 Default Setting 1813 Command Mode Global Configuration Table 35 RADIUS Client Commands Command Function Mode radius server acct port ...

Page 171: ...ers and authentication and accounting parameters that apply to each server Use the no form to remove a specified server or to restore the default values Syntax no radius server index host host ip address acct port acct port auth port auth port key key retransmit retransmit timeout timeout index Allows you to specify up to five servers These servers are queried in sequence until a server responds o...

Page 172: ...uration Example Console config radius server 1 host 192 168 1 20 acct port 181 timeout 10 retransmit 5 key green Console config radius server key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key string no radius server key key string Encryption key used to authenticate logon access for client Enclose any string containing blank spaces ...

Page 173: ...Setting 2 Command Mode Global Configuration Example Console config radius server retransmit 5 Console config radius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a re...

Page 174: ...up Group Name Member Index radius 1 Console TACACS Client Terminal Access Controller Access Control System TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user or group that requ...

Page 175: ...Maximum length 48 characters port number TACACS server TCP port used for authentication messages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 540 Default Setting authentication port 49 timeout 5 seconds Command Mode Global Configuration Example Console config tacacs server 1 host 192 168 1 25 port 181 timeout 10 key green Console config ta...

Page 176: ... tacacs server port port number TACACS server TCP port used for authentication messages Range 1 65535 Default Setting 49 Command Mode Global Configuration Example Console config tacacs server port 181 Console config show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Exec Example Console show tacacs server Remote TACACS S...

Page 177: ...unting method for service requests Range 1 255 characters start stop Records accounting from starting point and stopping point Table 37 AAA Commands Command Function Mode aaa accounting dot1x Enables accounting of 802 1X services GC aaa accounting exec Enables accounting of Exec services GC aaa accounting update Enables periodoc updates to be sent to the accounting server GC aaa authorization exec...

Page 178: ... Console config aaa accounting dot1x default start stop group radius Console config aaa accounting exec This command enables the accounting of requested Exec services for network access Use the no form to disable the accounting service Syntax aaa accounting exec default method name start stop group radius tacacs server group no aaa accounting exec default method name default Specifies the default ...

Page 179: ...counting exec default start stop group tacacs Console config aaa accounting update This command enables the sending of periodic updates to the accounting server Use the no form to restore the default setting Syntax aaa accounting update periodic interval no aaa accounting update interval Sends an interim accounting record to the server at this interval Range 0 2147483647 minutes where 0 means disa...

Page 180: ... Specifies all TACACS hosts configured with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 255 characters Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage This command performs authorization to determine if a user is allowed to run an Exec shel...

Page 181: ...xample Console config aaa group server radius tps Console config sg radius server This command adds a security server to an AAA server group Use the no form to remove the associated server from the group Syntax no server index ip address index Specifies the server index Range RADIUS 1 5 TACACS 1 ip address Specifies the host IP address of a server Default Setting None Command Mode Server Group Con...

Page 182: ...ng dot1x command list name Specifies a method list created with the aaa accounting dot1x command Default Setting None Command Mode Interface Configuration Example Console config interface ethernet 1 2 Console config if accounting dot1x tps Console config if accounting exec This command applies an accounting method to local console Telnet or SSH connections Use the no form to disable accounting on ...

Page 183: ...ult method list created with the aaa authorization exec command list name Specifies a method list created with the aaa authorization exec command Default Setting None Command Mode Line Configuration Example Console config line console Console config line authorization exec tps Console config line exit Console config line vty Console config line authorization exec default Console config line show a...

Page 184: ...ist radius Interface Eth 1 1 Method List tps Group List radius Interface Eth 1 2 Accounting Type EXEC Method List default Group List tacacs Interface vty Console Web Server This section describes commands used to configure web browser management access to the switch Table 38 Web Server Commands Command Function Mode ip http port Specifies the port to be used by the web browser interface GC ip http...

Page 185: ...mber no ip http port port number The TCP port to be used by the browser interface Range 1 65535 Default Setting 80 Command Mode Global Configuration Example Console config ip http port 769 Console config Related Commands ip http server 185 show system 86 ip http server This command allows this device to be monitored or configured from a browser Use the no form to disable this function Syntax no ip...

Page 186: ...ommand Usage If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this format https device port_number Example Console config ip http secure port 1000 Console config Related Commands ip http secure server 186 show system 86 ip http secure server This command enables the secure hypertext transfer protocol HTTPS over the Sec...

Page 187: ... the status bar for Internet Explorer 6 Mozilla Firefox 4 or Google Chrome 29 or more recent versions The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate in the System Reference Guide Also refer to the copy tftp https certificate command Connection to the web interface is not supported for H...

Page 188: ...o ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 4 Default Setting 4 sessions Command Mode Global Configuration Command Usage A maximum of four sessions can be concurrently opened for Telnet and Secure Shell i e both Telnet and SSH share a maximum number or four sessions Example Console config ip telnet max sessions 1 Console config Table 40 Telnet Server...

Page 189: ...CP port number to be used by the browser interface Range 1 65535 Default Setting 23 Command Mode Global Configuration Example Console config ip telnet port 123 Console config ip telnet server This command allows this device to be monitored or configured from Telnet Use the no form to disable this function Syntax no ip telnet server Default Setting Enabled Command Mode Global Configuration Example ...

Page 190: ...h authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables the SSH server on the switch GC ip ssh server key size Sets the SSH server key size GC ip ssh timeout Specifies the authentication timeout for the SSH server GC copy tftp public key Copies the user s public key from a TFTP server to the switch PE delete public key Deletes the public key for the sp...

Page 191: ...sts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 108259132128902337654680172627257141342876294130119619556678259566410486957427 888146206519417467729848654686157177393901647793559423035774130980227370877945 4524083971752646358058176716709574804776117 3 Import Clien...

Page 192: ...ing to the public keys stored on the switch can access it The following exchanges take place during this process Authenticating SSH v1 5 Clients a The client sends its RSA public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses its secret key to generate a random 256 bit string as a challenge encrypts this string with t...

Page 193: ...face address on the switch ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting Syntax ip ssh authentication retries count no ip ssh authentication retries count The number of authentication attempts permitted after which the interface is reset Range 1 5 Default Setting 3 Command Mo...

Page 194: ...ling the SSH server Example Console ip ssh crypto host key generate dsa Console configure Console config ip ssh server Console config Related Commands ip ssh crypto host key generate 196 show ssh 199 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting Syntax ip ssh server key size key size no ip ssh server key size key size The size of se...

Page 195: ...e switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Console config ip ssh timeout 60 Console config Related Commands exec timeout 102 show ip ssh 198 delete public key This command deletes the specified user s public key Syntax delete...

Page 196: ...SHv1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The S...

Page 197: ...emory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Console ip ssh crypto zeroize dsa Console Related Commands ip ssh crypto host key generate 196 ip ssh save host key 197 no ip ssh server 193 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ssh s...

Page 198: ...leged Exec Command Usage If no parameters are entered all keys are displayed If the user keyword is entered but no user name is specified then the public keys for all users are displayed When an RSA key is displayed the first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 35 and the last string is the encoded modulus When a DSA key is displaye...

Page 199: ...6TLdtny1wRq ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF DjKGWtPNIQqabKgYCw2 o dVzX4Gg yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 w0W Console show ssh This command displays the current SSH server connections Command Mode Privileged Exec Example Console show ssh Connection Version State Username Encryption 0 2 0 Session Started mo...

Page 200: ...e hosts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeout quiet period Sets thetime thata switch port waitsafterthe Max Request Count has been exceeded before attempting to acquire a new client IC dot1x timeout re authperiod Sets the time period after which a connected client must be re au...

Page 201: ...rt control dot1x port control multi host max count dot1x operation mode dot1x max req dot1x timeout quiet period dot1x timeout tx period dot1x timeout re authperiod dot1x timeout sup timeout dot1x re authentication dot1x intrusion action Example Console config dot1x default Console config dot1x timeout start period Sets the time that a supplicant port waits before resending an EAPOL start frame to...

Page 202: ...to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network When this device is functioning as an edge switch but does not require any attached clients to be authenticated the no dot1x eapol pass through command can be used to discard unnecessary EAPOL traffic Example This example instructs the switch to pass all ...

Page 203: ...ce Configuration Command Usage For guest VLAN assignment to be successful the VLAN must be configured and set as active see the vlan database command and assigned as the guest VLAN for the port see the network access guest vlan command Example Console config interface eth 1 2 Console config if dot1x intrusion action guest vlan Console config if dot1x max req This command sets the maximum number of...

Page 204: ...of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 mac based Allows multiple hosts to connect to this port with each host needing to be authenticated Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command In...

Page 205: ...e authorized Configures the port to grant access to all clients either dot1x aware or otherwise force unauthorized Configures the port to deny access to all clients either dot1x aware or otherwise Default force authorized Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x port control auto Console config if dot1x re authentication This command ena...

Page 206: ... the time that a switch port waits after the maximum request count see page 203 has been exceeded before attempting to acquire a new client Use the no form to reset the default Syntax dot1x timeout quiet period seconds no dot1x timeout quiet period seconds The number of seconds Range 1 65535 Default 60 seconds Command Mode Interface Configuration Example Console config interface eth 1 2 Console co...

Page 207: ...out supp timeout seconds The number of seconds Range 1 65535 Default 30 seconds Command Mode Interface Configuration Command Usage This command sets the timeout for EAP request frames other than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to the client t...

Page 208: ... 1 2 Console config if dot1x timeout tx period 300 Console config if dot1x re authenticate This command forces re authentication on all ports or a specific interface Syntax dot1x re authenticate interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 Command Mode Privileged Exec Command Usage The re authentication process verifies the connected client s u...

Page 209: ...and password are used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator These parameters must be set when this switch passes client authentication requests to another authenticator on the network see the dot1x pae supplicant command on page 210 Example Console config dot1x identity profile username steve Console config dot1x identity profile passwor...

Page 210: ... command on page 209 which identify this switch as a supplicant and enable dot1x supplicant mode for those ports which must authenticate clients through a remote authenticator using this command In this mode the port will not respond to dot1x messages meant for an authenticator This switch can be configured to serve as the authenticator on selected ports by setting the control mode to auto see the...

Page 211: ...upplicant waits for a response from the authenticator for packets other than EAPOL Start Example Console config interface eth 1 2 Console config if dot1x timeout auth period 60 Console config if dot1x timeout held period This command sets the time that a supplicant port waits before resending its credentials to find a new an authenticator Use the no form to reset the default Syntax dot1x timeout h...

Page 212: ...e Console config interface eth 1 2 Console config if dot1x timeout start period 60 Console config if Information Display Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface Syntax show dot1x statistics interface interface statistics Displays dot1x status for each port interface ethernet unit port unit Unit identifier Range 1 por...

Page 213: ...cquire a new client page 206 TX Period Time a port waits during authentication session before re transmitting EAP packet page 208 Supplicant Timeout Supplicant timeout Server Timeout Server timeout A RADIUS server must be set before the correct operational value of 10 seconds will be displayed in this field Reauth Max Retries Maximum number of reauthentication attempts Max Request Maximum number o...

Page 214: ... Authenticator Parameters EAPOL Pass Through Disabled Supplicant Parameters Identity Profile Username steve 802 1X Port Summary Port Type Operation Mode Control Mode Authorized Eth 1 1 Disabled Single Host Force Authorized Yes Eth 1 2 Disabled Single Host Force Authorized Yes Eth 1 27 Disabled Single Host Force Authorized Yes Eth 1 28 Enabled Single Host Auto Yes Console show dot1x interface ether...

Page 215: ...e default setting Syntax no management all client http client snmp client telnet client start address end address all client Adds IP address es to all groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group start address A single IP address or the starting address of a range end address The end add...

Page 216: ...ust delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by specifying both the start address and end address Example This example restricts management access to the indicated addresses Console config management all client 192 168 1 19 Console config management all client 192 168 1 25 192 168 1 30 Console show management This com...

Page 217: ... Filter 217 2 192 168 1 25 192 168 1 30 SNMP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 TELNET Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 Console ...

Page 218: ...Chapter 7 Authentication Commands Management IP Filter 218 ...

Page 219: ...b Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure addresses for a port 802 1X Port Authentication Configures host authentication on specific ports using 802 1X Network Access Configures MAC authentication and dynamic VLAN assignment Web Authentication Configures Web authentication Access Control Lists Provides filtering for IP frames based on address pr...

Page 220: ...onfigures port security Use the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to a security violation or for the maximum number of allowed addresses Syntax port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take w...

Page 221: ... allowed The switch will learn up to the maximum number of allowed address pairs source MAC address VLAN for frames received on the port The specified maximum address count is effective when port security is enabled or disabled Note that you can manually add additional secure addresses to a port using the mac address table static command When the port has reached the maximum number of MAC addresse...

Page 222: ...unction Mode network access aging Enables MAC address aging GC network access mac filter Adds a MAC address to a filter table GC mac authentication reauth time Sets the time period after which a connected MAC address must be re authenticated GC network access dynamic qos Enables the dynamic quality of service feature IC network access dynamic vlan Enables dynamic VLAN assignment from a RADIUS serv...

Page 223: ... authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host or MAC Based authentication as described on page 204 The maximum number of secure MAC addresses supported for the switch system is 1024 Example Console config if network access aging Console config if mac authentication intrusion action Determines the port response when a connected host fails MAC authentication...

Page 224: ...is command is different from configuring static addresses with the mac address table static command in that it allows you configure a range of addresses when using a mask and then to assign these addresses to one or more ports with the network access port mac filter command Up to 64 filter tables can be defined There is no limitation on the number of entries that can entered in a filter table Exam...

Page 225: ...c qos Default Setting Disabled Command Mode Interface Configuration Command Usage The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user The Filter ID attribute attribute 11 can be configured on the RADIUS server to pass the following QoS information Table 48 Dynamic QoS Profiles Profile Attribute Syntax Example DiffServ service pol...

Page 226: ...k access dynamic qos Console config if network access dynamic vlan Use this command to enable dynamic VLAN assignment for an authenticated port Use the no form to disable dynamic VLAN assignment Syntax no network access dynamic vlan Default Setting Enabled Command Mode Interface Configuration Command Usage When enabled the VLAN identifiers returned by the RADIUS server through the 802 1X authentic...

Page 227: ...on a port to a guest VLAN when 802 1x authentication is rejected Use the no form of this command to disable guest VLAN assignment Syntax network access guest vlan vlan id no network access guest vlan vlan id VLAN ID Range 1 4093 Default Setting Disabled Command Mode Interface Configuration Command Usage The VLAN to be used as the guest VLAN must be defined and set as active See the vlan database c...

Page 228: ...link down Use this command to detect link down events When detected the switch can shut down the port send an SNMP trap or both Use the no form of this command to disable this feature Syntax network access link detection link down action shutdown trap trap and shutdown no network access link detection action Response to take when port security is violated shutdown Disable port only trap Issue SNMP...

Page 229: ...t Setting Disabled Command Mode Interface Configuration Example Console config interface ethernet 1 1 Console config if network access link detection link up action trap Console config if network access link detection link up down Use this command to detect link up and link down events When either event is detected the switch can shut down the port send an SNMP trap or both Use the no form of this...

Page 230: ...mber of authenticated IEEE 802 1X and MAC addresses allowed Range 1 1024 Default Setting 1024 Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024 and the maximum number of secure MAC addresses supported for the switch system is 1024 When the limit is reached all new MAC addresses are treated as authentication failures Example Console config if ne...

Page 231: ...802 1X and port security cannot be configured together on the same port Only one security mechanism can be applied MAC authentication cannot be configured on trunk ports When port status changes to down all MAC addresses are cleared from the secure MAC address table Static VLAN assignments are not restored The RADIUS server may optionally return a VLAN identifier list VLAN identifier list is carri...

Page 232: ... Use the no form of this command to restore the default Syntax mac authentication intrusion action block traffic pass traffic no mac authentication intrusion action Default Setting Block Traffic Command Mode Interface Con figuration Example Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum numb...

Page 233: ...s entries dynamic Specifies dynamic address entries mac address Specifies a MAC address entry Format xx xx xx xx xx xx interface Specifies a port interface ethernet unit port unit Range 1 port Port number Range Range 1 28 52 Default Setting None Command Mode Privileged Exec Example Console clear network access mac address table interface ethernet 1 1 Console show network access Use this command to...

Page 234: ...t VLAN Disabled Link Detection Disabled Detection Mode Link down Detection Action Trap Console show network access mac address table Use this command to display secure MAC address table entries Syntax show network access mac address table static dynamic address mac address mask interface interface sort address interface static Specifies static address entries dynamic Specifies dynamic address entr...

Page 235: ...C Address RADIUS Server Attribute Time 1 1 00 00 01 02 03 04 172 155 120 17 Static 00d06h32m50s 1 1 00 00 01 02 03 05 172 155 120 17 Dynamic 00d06h33m20s 1 1 00 00 01 02 03 06 172 155 120 17 Static 00d06h35m10s 1 3 00 00 01 02 03 07 172 155 120 17 Dynamic 00d06h34m20s Console show network access mac filter Use this command to display information for entries in the MAC filter tables Syntax show net...

Page 236: ...ntication Sequence on page 168 Note Web authentication cannot be configured on trunk ports Table 49 Web Authentication Command Function Mode web auth login attempts Defines the limit for failed web authentication login attempts GC web auth quiet period Defines the amount of time to wait after the limit for failed login attempts is exceeded GC web auth session timeout Defines the amount of time a s...

Page 237: ...t Setting 3 login attempts Command Mode Global Configuration Example Console config web auth login attempts 2 Console config web auth quiet period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts before it may attempt web authentication again Use the no form to restore the default Syntax web auth quiet period time no web auth quiet period...

Page 238: ...nticated session remains valid Range 300 3600 seconds or 0 for disabled Default Setting 3600 seconds Command Mode Global Configuration Example Console config web auth session timeout 1800 Console config web auth system auth control This command globally enables web authentication for the switch Use the no form to restore the default Syntax no web auth system auth control Default Setting Disabled C...

Page 239: ...t be enabled for the web authentication feature to be active Example Console config if web auth Console config if web auth re authenticate Port This command ends all web authentication sessions connected to the port and forces the users to re authenticate Syntax web auth re authenticate interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number...

Page 240: ...rt interface ethernet unit port unit This is unit 1 port Port number Range 1 28 52 ip IPv4 formatted IP address Default Setting None Command Mode Privileged Exec Example Console web auth re authenticate interface ethernet 1 2 192 168 1 5 Console show web auth This command displays global web authentication parameters Command Mode Privileged Exec Example Console show web auth Global Web Auth Parame...

Page 241: ...Exec Example Console show web auth interface ethernet 1 2 Web Auth Status Enabled Host Summary IP address Web Auth State Remaining Session Time 1 1 1 1 Authenticated 295 1 1 1 2 Authenticated 111 Console show web auth summary This command displays a summary of web authentication port parameters and statistics Command Mode Privileged Exec Example Console show web auth summary Global Web Auth Parame...

Page 242: ...LAN interface by the ip dhcp snooping vlan command DHCP messages received on Table 50 DHCP Snooping Commands Command Function Mode ip dhcp snooping Enables DHCP snooping globally GC ipdhcpsnoopinginformation option Enables or disables DHCP Option 82 information relay GC ipdhcpsnoopinginformation policy Sets the information option policy for DHCP client packets that include Option 82 information GC...

Page 243: ... trusted it is processed as follows If the DHCP packet is a reply packet from a DHCP server including OFFER ACK or NAK messages the packet is dropped If the DHCP packet is from a client such as a DECLINE or RELEASE message the switch forwards the packet only if the corresponding entry is found in the binding table If the DHCP packet is from client such as a DISCOVER REQUEST INFORM DECLINE or RELEA...

Page 244: ...rmation relay for the switch Use the no form to disable this function Syntax no ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known as DHCP Option 82 it allows compatible DHCP servers to use the information when assigning IP...

Page 245: ... the client s request packet instead of relaying it keep Retains the Option 82 information in the client request and forwards the packets to trusted ports replace Replaces the Option 82 information circuit id and remote id fields in the client s request with information about the relay agent itself inserts the relay agent s address when DHCP snooping is enabled and forwards the packets to trusted ...

Page 246: ...the client s hardware address in the DHCP packet the packet is dropped Example This example enables MAC address verification Console config ip dhcp snooping verify mac address Console config Related Commands ip dhcp snooping 242 ip dhcp snooping vlan 246 ip dhcp snooping trust 247 ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN Use the no form to restore the default ...

Page 247: ...pecified interface as trusted Use the no form to restore the default setting Syntax no ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration Ethernet Port Channel Command Usage A trusted interface is an interface that is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive...

Page 248: ...cp snooping vlan 246 clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory Command Mode Privileged Exec Example Console clear ip dhcp snooping database flash Console ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory Command Mode Privileged Exec Command Usage This command can b...

Page 249: ...le DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5 Yes show ip dhcp snooping binding This command shows the DHCP snooping binding table entries Command Mode Privileged Exec Example Console show ip dhcp snooping binding MacAddress IpAddress Lease sec T...

Page 250: ...s interface ethernet unit port no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4093 ip address A valid unicast IP address including classful types A B or C unit Unit identifier Range 1 port Port number Range 1 28 52 Default Setting No configured entries Command Mode Global Configuration Table 51 IP Source Guard Com...

Page 251: ...there is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding If there is an entry with same VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one If there is an entry with same VLAN ID and MAC address and the type of the entry is dynamic DHCP snooping ...

Page 252: ... entries in the binding table Use the sip mac option to check these same parameters plus the source MAC address Use the no ip source guard command to disable this function on the selected port When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table Table entries include a MAC address IP address lease tim...

Page 253: ...oping or manually configured are not yet configured the switch will drop all IP traffic on that port except for DHCP packets Only unicast addresses are accepted for static bindings Example This example enables IP source guard on port 5 Console config interface ethernet 1 5 Console config if ip source guard sip Console config if Related Commands ip source guard binding 250 ip dhcp snooping 242 ip d...

Page 254: ...inding 1 Console config if show ip source guard This command shows whether source guard is enabled or disabled on each interface Command Mode Privileged Exec Example Console show ip source guard Interface Filter type Max binding Eth 1 1 DISABLED 5 Eth 1 2 DISABLED 5 Eth 1 3 DISABLED 5 Eth 1 4 DISABLED 5 Eth 1 5 SIP 1 Eth 1 6 DISABLED 5 show ip source guard binding This command shows the source gua...

Page 255: ... hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 52 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Inspection globally on the switch GC ip arp inspection filter Specifies an ARP ACL to apply to one or more VLANs GC ip arp inspection log buffer logs Sets the maximum number of entries saved in a log mes...

Page 256: ...cluding those where ARP Inspection is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ...

Page 257: ...ed ACL address bindings in the DHCP snooping database is not checked Default Setting ARP ACLs are not bound to any VLAN Static mode is not enabled Command Mode Global Configuration Command Usage ARP ACL configuration commands are described under ARP ACLs on page 288 If static mode is enabled the switch compares ARP packets to the specified ARP ACLs Packets matching an IP to MAC address binding in ...

Page 258: ...y default logging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the same VLAN then the lo...

Page 259: ...e target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped Default Setting No additional validation is performed Command Mode Global Configurati...

Page 260: ...nd their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become active after ARP Inspection is globally enabled again Example Con...

Page 261: ...sole config if ip arp inspection trust This command sets a port as trusted and thus exempted from ARP Inspection Use the no form to restore the default setting Syntax no ip arp inspection trust Default Setting Untrusted Command Mode Interface Configuration Port Command Usage Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks Packets ar...

Page 262: ...e Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspection interface This command shows the trust status and ARP Inspection rate limit for ports Syntax show ip arp inspection interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 Command Mode Privileged...

Page 263: ...ics ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP address 0 ARP packets dropped by ARP ACLs 0 ARP packets dropped by DHCP snoopin...

Page 264: ...communicate adequately This section describes commands used to protect against DoS attacks flow tcp udp port zero This command protects against DoS attacks in which the UDP or TCP source port or destination port is set to zero This technique may be used as a form of DoS attack or it may just indicate a problem with the source device Use the no form to restore the default setting Syntax flow tcp ud...

Page 265: ...ro Command Mode Privileged Exec Example Console show flow TCP UDP port zero action drop Console Port based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider port based traffic segmentation can be used to isolate traffic for individual clients Table 54 Commands for...

Page 266: ...he downlink ports can only be forwarded to and from the designated uplink port s Data cannot pass between downlink ports in the same segmented group nor to ports which do not belong to the same group Any port can be defined as an uplink port or downlink port but cannot be configured to serve both roles Traffic segmentation and normal VLANs can exist simultaneously within the same switch Traffic ma...

Page 267: ... traffic segmentation This command displays the configured traffic segments Command Mode Privileged Exec Example Console show traffic segmentation Private VLAN status Disabled Up link Port Ethernet 1 12 Down link Port Ethernet 1 5 Ethernet 1 6 Ethernet 1 7 Ethernet 1 8 Console ...

Page 268: ...Chapter 8 General Security Measures Port based Traffic Segmentation 268 ...

Page 269: ...igures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses DSCP traffic class or next header type MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type ARP ACLs Configures ACLs based on ARP messages addresses ACL Information Displays ACLs and associated rules shows ACLs assigned to each...

Page 270: ...ddress and other more specific criteria acl name Name of the ACL Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no deny command followed by the exact text of a pre...

Page 271: ...y a specific IP address time range name Name of the time range Range 1 30 characters Default Setting None Command Mode Standard IPv4 ACL Command Usage New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is...

Page 272: ...any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmask permit deny redirect to interface tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port d...

Page 273: ...nd Mode Extended IPv4 ACL Command Usage All new rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bit mask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet ...

Page 274: ... packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP Console config ext acl permit 192 168 1 0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any control flag 2 ...

Page 275: ...d in Console config if Related Commands show ip access list 275 Time Range 128 show ip access group This command shows the ports assigned to IP ACLs Command Mode Privileged Exec Example Console show ip access group Interface ethernet 1 2 IP access list david in Console Related Commands ip access group 274 show ip access list This command displays the rules for configured IPv4 ACLs Syntax show ip a...

Page 276: ...ACLs 276 Command Mode Privileged Exec Example Console show ip access list standard IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 Console Related Commands permit deny redirect to 271 ip access group 274 ...

Page 277: ...Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule Table 57 I...

Page 278: ...ange name no permit deny any host source ipv6 address source ipv6 address prefix length interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 any Any source IP address host Keyword followed by a specific IP address source ipv6 address An IPv6 source address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 c...

Page 279: ... ipv6 address source ipv6 address prefix length any destination ipv6 address prefix length dscp dscp next header next header time range time range name no permit deny any host source ipv6 address source ipv6 address prefix length any destination ipv6 address prefix length dscp dscp next header next header interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 any ...

Page 280: ...rs Default Setting None Command Mode Extended IPv6 ACL Command Usage All new rules are appended to the end of the list Optional internet layer information is encoded in separate headers that may be placed between the IPv6 header and the upper layer header in a packet There are a small number of such extension headers each identified by a distinct Next Header value IPv6 supports the values defined ...

Page 281: ...ccess list ipv6 277 Time Range 128 show ipv6 access list This command displays the rules for configured IPv6 ACLs Syntax show ipv6 access list standard extended acl name standard Specifies a standard IPv6 ACL extended Specifies an extended IPv6 ACL acl name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Example Console show ipv6 access list standard IPv6 standard access ...

Page 282: ...nterface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one IPv6 ACLs can only be applied to ingress packets Example Console config interface ethernet 1 2 Console config if ipv6 access group standard david in Console config if Related Commands show ...

Page 283: ...Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 128 rules Table 58 MAC ACL Commands Command Function ...

Page 284: ...y host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask Note The default is for Ethernet II packets permit deny redirect to interface tagged eth2 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask time range time range name no permit deny redirect to interface...

Page 285: ...destination destination address bitmask interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagged 802 3 Tagged Ethernet 802 3 packets untagged 802 3 Untagged Ethernet 802 3 packets any Any MAC source or destination address host A specific MAC address source Source MAC address des...

Page 286: ...permit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl Related Commands access list mac 283 Time Range 128 mac access group This command binds a MAC ACL to a port Use the no form to remove the port Syntax mac access group acl name in time range time range name acl name Name of the ACL Maximum length 32 characters in Indicates that this list applies to ingress packets time range na...

Page 287: ...Exec Example Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console Related Commands mac access group 286 show mac access list This command displays the rules for configured MAC ACLs Syntax show mac access list acl name acl name Name of the ACL Maximum length 32 characters Command Mode Privileged Exec Example Console show mac access list MAC access list jerry permit any...

Page 288: ...ommand Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 128 rul...

Page 289: ...p destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac destination mac mac address bitmask source ip Source IP address destination ip Destination IP address with bitmask ip address bitmask6 IPv4 number representing the address bits to match source mac Source MAC address destination mac Destination MAC address range with bitmask mac addre...

Page 290: ...it response ip any 192 168 0 0 255 255 0 0 mac any any Console Related Commands permit deny 289 ACL Information This section describes commands used to display ACL information show access group This command shows the port assignments of ACLs Command Mode Privileged Executive Example Console show access group Interface ethernet 1 2 IP access list david MAC access list jerry Console Table 60 ACL Inf...

Page 291: ...es for Standard IPv6 ACLs mac Shows ingress rules for MAC ACLs tcam utilization Shows the percentage of user configured ACL rules as a percentage of total ACL rules acl name Name of the ACL Maximum length 32 characters Command Mode Privileged Exec Example Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 1...

Page 292: ...Chapter 9 Access Control Lists ACL Information 292 ...

Page 293: ...ation Enables autonegotiation of a given interface IC shutdown Disables an interface IC speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC clear counters Clears statistics on an interface PE show interfaces brief Displays a summary of key information including operational status native VLAN ID default priority speed duplex mode and port ...

Page 294: ...ween non consecutive ports ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 vlan vlan id Range 1 4093 Default Setting None Command Mode Global Configuration Example To specify several different ports enter the following command Console config interface ethernet 1 17 20 23 Console config if shutdown Power Savings power save Enables po...

Page 295: ...e The following example adds an alias to port 4 Console config interface ethernet 1 4 Console config if alias finance Console config if capabilities This command advertises the port capabilities of a given interface during auto negotiation Use the no form with parameters to remove an advertised capability or the no form without parameters to restore the default values Syntax no capabilities 1000fu...

Page 296: ...mmand When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands Example The following example configures Ethernet port 5 capabilities to include 100half and 100full Console config interface ethernet 1 5 Console config if capabilities 100half Console config if capabilities 100full Console config if capabilities flowcontrol Console...

Page 297: ...ace Configuration Ethernet Port Channel Command Usage 1000BASE T does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and...

Page 298: ...rt as slave Default Setting master Command Mode Interface Configuration Ethernet Ports 1 24 Command Usage The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the success of the link process cannot be guaranteed when connecting to other types of switches However this switch does provide a...

Page 299: ...tax no negotiation Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage 1000BASE T does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk When auto negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command When auto negotiation i...

Page 300: ...y also want to disable a port for security reasons Example The following example disables port 5 Console config interface ethernet 1 5 Console config if shutdown Console config if speed duplex This command configures the speed and duplex mode of a given interface when auto negotiation is disabled Use the no form to restore the default Syntax speed duplex 1000full 100full 100half 10full 10half no s...

Page 301: ...ex mode specified in a speed duplex command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To set the speed duplex mode under auto negotiation the required mode must be specified in the capabilities list for an interface Example The...

Page 302: ...t 1 5 Console show interfaces brief This command displays a summary of key information including operational status native VLAN ID default priority speed duplex mode and port type for all ports Command Mode Privileged Exec Example Console show interfaces brief Interface Name Status PVID Pri Speed Duplex Type Trunk Eth 1 1 Up 1 0 Auto 100full 1000T None Eth 1 2 Down 1 0 Auto 1000T None Eth 1 3 Down...

Page 303: ...ut 19806 Unicast Output 0 Discard Input 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protocols Input 0 QLen Output Extended Iftable Stats 23 Multi cast Input 5525 Multi cast Output 170 Broadcast Input 11 Broadcast Output Ether like Stats 0 Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Ex...

Page 304: ...x show interfaces status interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 vlan vlan id Range 1 4093 Default Setting Shows the status for all interfaces Command Mode Normal Exec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed Example Console show interfaces stat...

Page 305: ...ll interfaces Command Mode Normal Exec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed Example This example shows the configuration setting for port 21 Console show interfaces switchport ethernet 1 21 Information of Eth 1 21 Broadcast Threshold Enabled 500 packets second Multicast Threshold Disabled Unknown Unicast Threshold Disabled LACP Statu...

Page 306: ...765 VLAN Membership Mode Indicates membership mode as Trunk or Hybrid page 405 Ingress Rule Shows if ingress filtering is enabled or disabled page 404 Acceptable Frame Type Shows if acceptable VLAN frames include all types or tagged frames only page 403 Native VLAN Indicates the default Port VLAN ID page 406 Priority for Untagged Traffic Indicates the default priority for untagged frames page 432 ...

Page 307: ...r Diagnostic Monitoring Interface for Optical Transceivers This information allows administrators to remotely diagnose problems with optical devices Example Console show interfaces transceiver ethernet 1 25 SFP Information of Ethernet 1 25 Identifier Unknown or unspecified Connector LC Transceiver Gigabit Ethernet Compliance Codes 1000BASE SX Fibre Channel link length intermediate distance I Fibre...

Page 308: ...est is only accurate for Gigabit Ethernet cables 0 250 meters long The test takes approximately 5 seconds The switch displays the results of the test immediately upon completion including common cable failures as well as the status and approximate length of each cable pair Potential conditions which may be listed by the diagnostics include OK Correctly terminated pair Open Open pair no link partne...

Page 309: ...ort Port number Range 1 24 48 Command Mode Privileged Exec Command Usage The results include common cable failures as well as the status and approximate distance to a fault or the approximate cable length if no fault is found To ensure more accurate measurement of the length to a fault first disable power saving mode on the link partner before running cable diagnostics For link down ports the repo...

Page 310: ...AC interface powered up even if no link connection exists When using power savings mode the switch checks for energy on the circuit to determine if there is a link partner If none is detected the switch automatically turns off the transmitter and most of the receive circuitry entering Sleep Mode In this mode the low power energy detection circuit continuously checks for energy on the cable If none...

Page 311: ...an 60 meters Example Console config interface ethernet 1 1 Console config if power save Console config if show power save This command shows the configuration settings for power savings Syntax show power save interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 24 48 Command Mode Privileged Exec Example Console show power save interface ethernet 1 ...

Page 312: ...Chapter 10 Interface Commands Power Savings 312 ...

Page 313: ... trunk can have up to 8 ports The ports at both ends of a connection must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e speed and duplex mode VLAN assignments and CoS settings Table 63 Link Aggregation Commands Command Function Mode Manual Configuration Commands interface port channel Configures a trunk and enters inter...

Page 314: ...e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key is set then the port admin key must be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port priority is used to select the backup link Manual Configur...

Page 315: ...o negotiation A trunk formed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be enabled if one of t...

Page 316: ...port s LACP administration key Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 Default Setting Actor 1 Partner 0 Comm...

Page 317: ...riority is used to select a backup link Range 0 65535 Default Setting 32768 Command Mode Interface Configuration Ethernet Command Usage Setting a lower value indicates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest phy...

Page 318: ...ring LAG negotiations Range 0 65535 Default Setting 32768 Command Mode Interface Configuration Ethernet Command Usage Port must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a l...

Page 319: ... LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Note that when the LAG is no longer used the port c...

Page 320: ...PDUs Sent 12 LACPDUs Received 6 Marker Sent 0 Marker Received 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Table 64 show lacp counters display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Mar...

Page 321: ...r s state parameters Expired The actor s receive machine is in the expired state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative c...

Page 322: ... F1 D4 73 A0 12 32768 00 30 F1 D4 73 A0 Table 66 show lacp neighbors display description Field Description Partner Admin System ID LAG partner s system ID assigned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number...

Page 323: ...id display description Field Description Channel group A link aggregation group configured on this switch System Priority The LACP system priority and system MAC address are concatenated to form the LAG system ID LACP system priority for this channel group System MAC Address System MAC address ...

Page 324: ...Chapter 11 Link Aggregation Commands Trunk Status Display Commands 324 ...

Page 325: ...tect and provide power to powered devices that were designed prior to the IEEE 802 3af PoE standard Use the no form to disable this feature Syntax no power inline compatible Default Setting Enabled Command Mode Global Configuration Table 68 PoE Commands Command Function Mode power inline compatible Provides power to pre standard PoE devices GC power inline Turns power on and off for specific ports...

Page 326: ...nsoleP config end ConsoleP show power inline status Unit 1 Compatible mode Enabled Time Max Used Interface Admin Range Oper Power Power Priority Eth 1 1 Enabled Off 34200 mW 0 mW Low Eth 1 2 Enabled Off 34200 mW 0 mW Low Eth 1 3 Enabled Off 34200 mW 0 mW Low Eth 1 4 Enabled Off 34200 mW 0 mW Low Eth 1 5 Enabled Off 34200 mW 0 mW Low Eth 1 6 Enabled Off 34200 mW 0 mW Low Eth 1 7 Enabled Off 34200 m...

Page 327: ...e Console config if Related Commands time range 128 power inline maximum allocation This command limits the power allocated to specific ports Use the no form to restore the default setting Syntax power inline maximum allocation milliwatts no power inline maximum allocation milliwatts The maximum power budget for the port Range 3000 34200 milliwatts Default Setting 34200 milliwatts Command Mode Int...

Page 328: ... to the switch exceeds the power budget setting as determined during bootup the switch uses port power priority settings to control the supplied power For example A device connected to a low priority port that causes the switch to exceed its budget is not supplied power If a device is connected to a critical or high priority port and causes the switch to exceed its budget port power is still be tu...

Page 329: ...E 3 PSE 4 24 27 26 29 28 31 30 33 32 35 34 37 36 39 38 41 40 43 42 45 44 47 46 Note For more information on using the PoE provided by this switch refer to the Installation Guide Example Console config interface ethernet 1 1 Console config if power inline priority 2 Console config if power inline time range This command binds a time range to a port during which PoE is supplied to the attached devic...

Page 330: ...th 1 4 Enabled Off 34200 mW 0 mW Low Eth 1 5 Enabled Off 34200 mW 0 mW Low Eth 1 6 Enabled Off 34200 mW 0 mW Low Eth 1 7 Enabled Off 15400 mW 8597 mW Low Eth 1 8 Enabled Off 15400 mW 0 mW Low Eth 1 9 Enabled Off 15400 mW 0 mW Low Eth 1 10 Enabled Off 15400 mW 0 mW Low Eth 1 11 Enabled Off 15400 mW 0 mW Low Eth 1 12 Enabled Off 15400 mW 0 mW Low Table 69 show power inline status display description...

Page 331: ...er Range 1 port Port number Range 1 24 48 Command Mode Privileged Exec Example Console show power inline time range ethernet 1 5 Interface Time Range Name Status Eth 1 5 r d Inactive Console Related Commands power inline 326 show power poe Use this command to display the current power status for the switch Command Mode Privileged Exec Example Console show power poe Unit 1 PoE Status PoE Maximum Av...

Page 332: ...E Maximum Available Power The available power budget for the switch System Operation Status The current operating power status displays on or off PoE Power Consumption The current power consumption on the switch in watts Software Version The version of software running on the PoE controller subsystem in the switch ...

Page 333: ...th vlan vlan id mac address mac address no port monitor interface vlan vlan id mac address mac address interface ethernet unit port source port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 rx Mirror received packets tx Mirror transmitted packets Table 71 Port Mirroring Commands Command Function Local Port Mirroring Mirrorsdatatoanotherportforanalys...

Page 334: ...r command to specify the source of the traffic to mirror Note that the destination port cannot be a trunk or trunk member port When mirroring traffic from a port or trunk the mirror port trunk and monitor port speeds should match otherwise traffic may be dropped from the monitor port When mirroring traffic from a VLAN traffic may also be dropped under heavy loads When VLAN mirroring and port or tr...

Page 335: ...ll packets from port 6 to 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 both Console config if show port monitor This command displays mirror information Syntax show port monitor interface vlan vlan id mac address mac address interface ethernet unit port source port unit Unit identifier Range 1 port Port number Range 1 28 52 vlan id VLAN ID Range 1 4093 mac ...

Page 336: ...he rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session 4 Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session to specify the switch s role as a source intermediate relay or destination of the mirrored traffic and to configure the uplink ports designated to carry this traffic Table 73 RSPAN Commands Command Function...

Page 337: ...d which is limited to a single session Spanning Tree If the spanning tree is disabled BPDUs will not be flooded onto the RSPAN VLAN MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch Therefore even if spanning tree is enabled after RSPAN has been configured MAC address learning will still not be re started on the RSPAN uplink ports IEEE 802 1X RSPAN and...

Page 338: ...ndicate a consecutive list of ports or a comma between non consecutive ports ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets Default Setting Both TX and RX traffic is mirrored Command Mode Global Configuration Command Usage One or more source ports can be assign...

Page 339: ...AN VLAN tag untagged Traffic exiting the destination port is untagged Default Setting Traffic exiting the destination port is untagged Command Mode Global Configuration Command Usage Only one destination port can be configured on the same switch per session but a destination port can be configured on more than one switch for the same session Only 802 1Q trunk or hybrid i e general use ports can be...

Page 340: ...iate switch transparently passing mirrored traffic from one or more sources to one or more destinations destination Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session uplink A port configured to receive or transmit remotely mirrored traffic interface ethernet unit port ethernet unit port unit Unit identifier Range 1 port Port ...

Page 341: ...cluding both local and remote mirroring If local mirroring is enabled with the port monitor command then there is only one session available for RSPAN Command Mode Global Configuration Command Usage The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database see the vlan command Example Console config no rspan session 1 Console config show rsp...

Page 342: ...nsole show rspan session RSPAN Session ID 1 Source Ports mirrored ports None RX Only None TX Only None BOTH None Destination Port monitor port Eth 1 2 Destination Tagged Mode Untagged Switch Role Destination RSPAN VLAN 2 RSPAN Uplink Ports Eth 1 3 Operation Status Up Console ...

Page 343: ...to limit traffic into or out of the network Packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped Table 74 Congestion Control Commands Command Group Function Rate Limiting Se...

Page 344: ...alue in Kbps Range 64 1000000 Kbps Default Setting Disabled Command Mode Interface Configuration Ethernet Command Usage Using both rate limiting and storm control on the same interface may lead to unexpected results It is therefore not advisable to use both of these commands on the same interface Note Due to a chip limitation the switch supports only one limit for both ingress rate limiting and st...

Page 345: ...t setting Syntax switchport broadcast multicast unknown unicast packet rate rate no switchport broadcast multicast unknown unicast broadcast Specifies storm control for broadcast traffic multicast Specifies storm control for multicast traffic unknown unicast Specifies storm control for unknown unicast traffic rate Threshold level as a rate i e kilobits per second Range 64 1000000 kbps Default Sett...

Page 346: ...ace Example The following shows how to configure broadcast storm control at 600 kbits per second Console config interface ethernet 1 5 Console config if switchport broadcast packet rate 600 Console config if Automatic Traffic Control Commands Automatic Traffic Control ATC configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shu...

Page 347: ...threshold after a storm control response has been triggered and the release timer expires IC Port snmp server enable port traps atc multicast alarm clear Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered IC Port snmp server enable port traps atc multicast alarm fire Sends a trap when multicast traffic exceeds the upper threshold...

Page 348: ...reshold after the release timer expires traffic control for rate limiting will be stopped and a Traffic Control Release Trap sent and logged Note that if the control action has shut down a port it can only be manually re enabled using the auto traffic control control release command The traffic control response of rate limiting can be released automatically or manually The control response of shut...

Page 349: ...n be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port Threshold Commands auto traffic control apply timer This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold Use the no form to restore the default setting Syntax auto traffic control broadcast multicast apply timer...

Page 350: ...ast multicast release timer seconds no auto traffic control broadcast multicast release timer broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm control for multicast traffic seconds The time at which to release the control response after ingress traffic has fallen beneath the lower threshold Range 1 900 seconds Default Setting 900 seconds Command...

Page 351: ... packet rate command However only one of these control types can be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port Example This example enables automatic storm control for broadcast traffic on port 1 Console config interface ethernet 1 1 Console config if auto traffic control broadcast Console config if auto traffic control actio...

Page 352: ...re enabled by automatic traffic control It can only be manually re enabled using the auto traffic control control release command Example This example sets the control response for broadcast traffic on port 1 Console config interface ethernet 1 1 Console config if auto traffic control broadcast action shutdown Console config if auto traffic control alarm clear threshold This command sets the lower...

Page 353: ...nd Example This example sets the clear threshold for automatic storm control for broadcast traffic on port 1 Console config interface ethernet 1 1 Console config if auto traffic control broadcast alarm clear threshold 155 Console config if auto traffic control alarm fire threshold This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the...

Page 354: ...sole config if auto traffic control auto control release This command automatically releases a control response of rate limiting after the time specified in the auto traffic control release timer command has expired Syntax auto traffic control broadcast multicast auto control release broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm control for m...

Page 355: ...een triggered Example Console config interface ethernet 1 1 Console config if auto traffic control broadcast control release Console config if SNMP Trap Commands snmp server enable port traps atc broadcast alarm clear This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered Use the no form to disable this trap Syntax no sn...

Page 356: ... broadcast alarm fire Console config if Related Commands auto traffic control alarm fire threshold 353 snmp server enable port traps atc broadcast control apply This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires Use the no form to disable this trap Syntax no snmp server enable port traps atc broadcast control apply D...

Page 357: ...c broadcast control release Console config if Related Commands auto traffic control alarm clear threshold 352 auto traffic control action 351 auto traffic control release timer 350 snmp server enable port traps atc multicast alarm clear This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered Use the no form to disable thi...

Page 358: ... multicast alarm fire Console config if Related Commands auto traffic control alarm fire threshold 353 snmp server enable port traps atc multicast control apply This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires Use the no form to disable this trap Syntax no snmp server enable port traps atc multicast control apply D...

Page 359: ...e Interface Configuration Ethernet Example Console config interface ethernet 1 1 Console config if snmp server enable port traps atc multicast control release Console config if Related Commands auto traffic control alarm clear threshold 352 auto traffic control action 351 auto traffic control release timer 350 ATC Display Commands show auto traffic control This command shows global configuration s...

Page 360: ...tifier Range 1 port Port number Range 1 28 52 Command Mode Privileged Exec Example Console show auto traffic control interface ethernet 1 1 Eth 1 1 Information Storm Control Broadcast Multicast State Disabled Disabled Action rate control rate control Auto Release Control Disabled Disabled Alarm Fire Threshold Kpps 128 128 Alarm Clear Threshold Kpps 128 128 Trap Storm Fire Disabled Disabled Trap St...

Page 361: ...nd Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Table 78 Address Table Commands Command Function Mode mac address table aging time Sets the aging time of the address table GC mac address table static Maps a static address to a port in a VLAN GC clear mac address table dynamic Removes any learned entries from the forwarding dat...

Page 362: ...the switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Static ...

Page 363: ...dress table dynamic Console show mac address table This command shows classes of entries in the bridge forwarding database Syntax show mac address table address mac address bit mask interface interface vlan vlan id sort address vlan interface mac address MAC address bit mask Bits to match in the address interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port c...

Page 364: ...bit 0 means to match a bit and 1 means to ignore a bit For example a mask of 00 00 00 00 00 00 means an exact match and a mask of FF FF FF FF FF FF means any The maximum number of address entries is 8K Example Console show mac address table Interface MAC Address VLAN Type Life Time Eth 1 1 00 E0 29 94 34 DE 1 Config Delete on Reset Eth 1 21 00 01 EC F8 D8 D9 1 Learn Delete on Timeout Console show ...

Page 365: ...x show mac address table count interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 Default Setting None Command Mode Privileged Exec Example Console show mac address table count interface ethernet 1 1 MAC Entries for Port ID 1 Dynamic Address Count 2 Total MAC Addresses 2 Total MAC Address Space Available 8...

Page 366: ...Chapter 15 Address Table Commands 366 ...

Page 367: ...tree mst configuration Changes to MSTP configuration mode GC spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST mst priority Configures the priority of a spanning tree instance MST mst vlan Adds VLANs to a spanning tree instance MST name Configures the name for the m...

Page 368: ...k detection trap Enables BPDU loopback SNMP trap notification for a port IC spanning tree mst cost Configures the path cost of an interface in the MST instance IC spanning tree mst port priority Configures the priority of an interface in the MST instance IC spanning tree port priority Configures the spanning tree priority of an interface IC spanning tree root guard Prevents a designated port from ...

Page 369: ...co IOS Release 12 2 25 SEC do not fully follow the IEEE standard causing some state machine procedures to function incorrectly The command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions Example Console config spanning tree cisco prestandard Console config spanning tree forward time This command configures the spanning tree bridge forward time g...

Page 370: ...le Console config spanning tree forward time 20 Console config spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hello time time no spanning tree hello time time Time in seconds Range 1 10 seconds The maximum value is the lower of 10 or max age 2 1 Default Setting 2 seconds Comma...

Page 371: ...pting to reconverge All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network Example Console config spanning tree max age...

Page 372: ...ves an 802 1D BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spann...

Page 373: ...path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Note that path cost page 380 takes precedence over port priority page 387 The path cost methods apply to all spanning tree modes STP RSTP and MSTP Specifically the long method can be applied to STP since this mode is supported by a backward compatib...

Page 374: ...ommand changes to Multiple Spanning Tree MST configuration mode Default Setting No VLANs are mapped to any MST instance The region name is set the switch s MAC address Command Mode Global Configuration Example Console config spanning tree mst configuration Console config mstp Related Commands mst vlan 376 mst priority 376 name 377 revision 378 max hops 375 spanning tree transmission limit This com...

Page 375: ...ple spanning tree Range 1 40 Default Setting 20 Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols Therefore the message age for BPDUs inside an MSTI region is never changed However each spanning tree instance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum num...

Page 376: ...ridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by specifying a priority of 16384 Exampl...

Page 377: ...nfigure all bridges within the same MSTI Region page 377 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree Example Console config mstp mst 1 vlan 2 5 Console config mstp name This command configures the name for the multiple spanning tree regi...

Page 378: ...dge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Console config mstp revision 1 Console config mstp Related Commands name 377 spanning tree bpdu filter This command filters all BPDUs received on an edge port Use the no form to disable this feature Syntax no spanning...

Page 379: ...port 381 spanning tree bpdu guard This command shuts down an edge port i e an interface set for fast forwarding if it receives a BPDU Use the no form to disable this feature Syntax no spanning tree bpdu guard Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage An edge port should only be connected to end nodes which do not generate BPDUs If a BPDU is r...

Page 380: ... cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 Table 80 Recommended STA Path Cost Range Port Type Short Path Cost IEEE 802 1D 1998 Long Path Cost 802 1D 2004 Ethernet 50 600 200 000 20 000 000 Fas...

Page 381: ...e port auto no spanning tree edge port auto Automatically determines if an interface is an edge port Default Setting Auto Command Mode Interface Configuration Ethernet Port Channel Command Usage You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to...

Page 382: ...Ethernet Port Channel Command Usage Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interface is assumed to be on a s...

Page 383: ...c or shut down the interface Use the no form to restore the default Syntax spanning tree loopback detection action shutdown duration no spanning tree loopback detection action shutdown Shuts down the interface duration The duration to shut down the interface Range 30 86400 seconds Default Setting block Command Mode Interface Configuration Ethernet Port Channel Command Usage If an interface is shut...

Page 384: ...uto Command Mode Interface Configuration Ethernet Port Channel Command Usage If the port is configured for automatic loopback release then the port will only be returned to the forwarding state if one of the following conditions is satisfied The port receives any other BPDU except for it s own or The port s link status changes to link down and then link up again or The port ceases to receive it s ...

Page 385: ...tore the default auto configuration mode Syntax spanning tree mst instance id cost cost no spanning tree mst instance id cost instance id Instance identifier of the spanning tree Range 0 4094 cost Path cost for an interface Range 0 for auto configuration 1 65535 for short path cost method10 1 200 000 000 for long path cost method The recommended path cost range is listed in Table 80 on page 380 De...

Page 386: ...cost 50 Console config if Related Commands spanning tree mst port priority 386 spanning tree mst port priority This command configures the priority of an interface in the Multiple Spanning Tree instance Use the no form to restore the default Syntax spanning tree mst instance id port priority priority no spanning tree mst instance id port priority instance id Instance identifier of the spanning tre...

Page 387: ...iority no spanning tree port priority priority The priority for a port Range 0 240 in steps of 16 Default Setting 128 Command Mode Interface Configuration Ethernet Port Channel Command Usage This command defines the priority for the use of a port in the Spanning Tree Algorithm If the path cost for all ports on a switch are the same the port with the highest priority that is lowest value will be co...

Page 388: ...or BPDUs for a fixed recovery period While in the discarding state no traffic is forwarded across the port Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location Root Guard should be enabled on any designated port connected to low speed bridges which could potentially overload a slower link by taking over as the root port and forming a new spanning tree topolo...

Page 389: ...f spanning tree spanning disabled Console config if spanning tree loopback detection release This command manually releases a port placed in discarding state by loopback detection Syntax spanning tree loopback detection release interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 Command Mode Privileged Exec Command U...

Page 390: ... However you can also use the spanning tree protocol migration command at any time to manually re check the appropriate BPDU format to send on the selected interfaces i e RSTP or STP compatible Example Console spanning tree protocol migration eth 1 5 Console show spanning tree This command shows the configuration for the common spanning tree CST for all instances within the multiple spanning tree ...

Page 391: ...tiple Spanning Tree MST including global settings and settings for all interfaces Example Console show spanning tree Spanning Tree Information Spanning Tree Mode MSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configured 1 4093 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Ma...

Page 392: ...ection Release Mode Auto Loopback Detection Trap Disabled Loopback Detection Action Shutdown 300 seconds Root Guard Status Disabled BPDU Guard Status Disabled BPDU Filter Status Disabled Tx BPDUs 11320 Rx BPDUs 0 show spanning tree mst configuration This command shows the configuration of the multiple spanning tree Command Mode Privileged Exec Example Console show spanning tree mst configuration M...

Page 393: ...rfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays VLAN groups status port members and MAC addresses Configuring IEEE 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling ConfiguringProtocol based VLANs If a packet matches the rules defined by more than one of these functions only one of ...

Page 394: ...nd Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch Example Console config bridge ext gvrp Console config Table 83 GVRP and Bridge Extension Commands Command Function Mode bridge ext gvrp Enab...

Page 395: ...t Channel Command Usage Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values ...

Page 396: ...hyphen to designate a range of IDs Range 1 4093 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs ...

Page 397: ...le Console config interface ethernet 1 1 Console config if switchport gvrp Console config if show bridge ext This command shows the configuration for bridge extension commands Default Setting None Command Mode Privileged Exec Example Console show bridge ext Maximum Supported VLAN Numbers 256 Maximum Supported VLAN ID 4093 Extended Multicast Filtering Services No Static Entry Individual Port Yes VL...

Page 398: ...y Individual Port This switch allows static filtering for unicast and multicast addresses Refer to the mac address table static command VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering database Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagge...

Page 399: ...ace interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 Default Setting Shows both global and interface specific configuration Command Mode Normal Exec Privileged Exec Example Console show gvrp configuration ethernet 1 7 Eth 1 7 GVRP Configuration Disabled Console Editing VLAN Groups Table 85 Commands for Editing VLAN Groups C...

Page 400: ...d you can display this file by entering the show running config command Example Console config vlan database Console config vlan Related Commands show vlan 408 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN Syntax vlan vlan id name vlan name media ethernet state active suspend rspan no vlan vlan id name state vlan id VLAN ID Range 1 4093 name K...

Page 401: ...ou can configure up to 256 VLANs on the switch Note The switch allows 256 user manageable VLANs Example The following example adds a VLAN using VLAN ID 105 and name RD5 The VLAN is activated by default Console config vlan database Console config vlan vlan 105 name RD5 media ethernet Console config vlan Related Commands show vlan 408 Configuring VLAN Interfaces Table 86 Commands for Configuring VLA...

Page 402: ...commands and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command Example The following example shows how to set the interface configuration mode to VLAN 1 and then assign an IP address to the VLAN Console config interface vlan 1 Console config if ip address 192 168 1 254 255 255 255 0 Console config if Related Commands shutdown 300 in...

Page 403: ...agged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Console config interface ethernet 1 1 Console config if switchport acceptable frame types tagged Console config if Related Commands switchport mode 405 switchport allowed vlan This command configures VLAN groups on the selected interface Use the no form to rest...

Page 404: ...ace tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection supports VLANs the interface should be added to these VLANs as an untagged member Otherwise it is only necessary to add at most one VLAN as untagged and this should correspond to the native VLAN for the interface If a VLAN on the ...

Page 405: ... to port 1 and then enable ingress filtering Console config interface ethernet 1 1 Console config if switchport ingress filtering Console config if switchport mode This command configures the VLAN membership mode for a port Use the no form to restore the default Syntax switchport mode access hybrid trunk no switchport mode access Specifies an access VLAN interface The port transmits and receives u...

Page 406: ...ort Use the no form to restore the default Syntax switchport native vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4093 Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage When using Access mode and an interface is assigned to a new VLAN its PVID is automatically set to the identifier for that VLAN When using Hybrid mod...

Page 407: ... and E otherwise these switches would drop any frames with unknown VLAN group tags However by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2 you only need to create these VLAN groups in switches A and B Switches C D and E automatically allow frames with VLAN group tags 1 and 2 groups that are unknown to those switches to pass through their VLAN trun...

Page 408: ...Information This section describes commands used to display VLAN information show vlan This command shows VLAN information Syntax show vlan id vlan id name vlan name id Keyword to be followed by the VLAN ID vlan id ID of the configured VLAN Range 1 4093 name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters Default Setting Shows all VLANs Command Mode Normal Ex...

Page 409: ...even when they use the same customer specific VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging This section describes commands used to configure QinQ tunneling General Configuration Guidelines for QinQ 1 Configure the switch to QinQ mode dot1q tunnel system ...

Page 410: ...ed member switchport allowed vlan Limitations for QinQ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same However the same service VLANs can be set on both tunnel port types IGMP Snooping should not be enabled on a tunnel access port If the spanning tree protocol is enabled be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree ...

Page 411: ...t do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trunk Frames arriving on the port containing any other ethertype are looked upon as untagged ...

Page 412: ...ed on the switch using the dot1q tunnel system tunnel control command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are one or more tag layers is retained in the inner tag and the service provider s tag added to the outer tag When a tunnel uplink port receives a pack...

Page 413: ...to support multiple protocols cannot be easily grouped into a common VLAN This may require non standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with...

Page 414: ...ols to a group Use the no form to remove a protocol group Syntax protocol vlan protocol group group id add remove frame type frame protocol type protocol no protocol vlan protocol group group id group id Group identifier of this protocol group Range 1 2147483647 frame11 Frame type used by this protocol Options ethernet rfc_1042 llc_other protocol Protocol type The only option for the llc_other fra...

Page 415: ...er VLAN commands such as the vlan command these interfaces will admit traffic of any protocol type into the associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed according to the standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame i...

Page 416: ... This shows protocol group 1 configured for IP over Ethernet Console show protocol vlan protocol group Protocol Group ID Frame Type Protocol Type 1 ethernet 08 00 Console show interfaces protocol vlan protocol group This command shows the mapping from protocol groups to VLANs for the selected interfaces Syntax show interfaces protocol vlan protocol group interface interface ethernet unit port unit...

Page 417: ...ned to the VLAN indicated in the entry If no IP subnet is matched the untagged frames are classified as belonging to the receiving port s VLAN ID PVID subnet vlan This command configures IP Subnet VLAN assignments Use the no form to remove an IP subnet to VLAN assignment Syntax subnet vlan subnet ip address mask vlan vlan id priority priority no subnet vlan subnet ip address mask all ip address Th...

Page 418: ...ddress When MAC based IP subnet based or protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last Example The following example assigns traffic for the subnet 192 168 12 192 mask 255 255 255 224 to VLAN 4 Console config subnet vlan subnet 192 168 12 192 255 255 255 224 vlan 4 Console config show subnet vlan This command displays IP Subnet ...

Page 419: ... the VLAN indicated in the entry If no MAC address is matched the untagged frames are classified as belonging to the receiving port s VLAN ID PVID mac vlan This command configures MAC address to VLAN mapping Use the no form to remove an assignment Syntax mac vlan mac address mac address vlan vlan id priority priority no mac vlan mac address mac address all mac address The source MAC address to be ...

Page 420: ...priority is applied in this sequence and then port based VLANs last Example The following example assigns traffic from source MAC address 00 00 00 11 22 33 to VLAN 10 Console config mac vlan mac address 00 00 00 11 22 33 vlan 10 Console config show mac vlan This command displays MAC address to VLAN assignments Command Mode Privileged Exec Command Usage Use this command to display MAC address to VL...

Page 421: ...isabled Command Mode Global Configuration Command Usage When IP telephony is deployed in an enterprise network it is recommended to isolate the Voice over IP VoIP network traffic from other data traffic Traffic isolation helps prevent excessive packet delays packet loss and jitter which results in higher voice quality This is best achieved by assigning all VoIP traffic to a single VLAN Table 92 Vo...

Page 422: ...d sets the Voice VLAN ID time out Use the no form to restore the default Syntax voice vlan aging minutes no voice vlan minutes Specifies the port Voice VLAN membership time out Range 5 43200 minutes Default Setting 1440 minutes Command Mode Global Configuration Command Usage The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer recei...

Page 423: ... text that identifies the VoIP devices Range 1 32 characters Default Setting None Command Mode Global Configuration Command Usage VoIP devices attached to the switch can be identified by the manufacturer s Organizational Unique Identifier OUI in the source MAC address of received packets OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses The MAC OUI n...

Page 424: ...g the switchport voice vlan rule command When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac address command All ports are set to VLAN hybrid mode by default Prior to enabling VoIP for a port by setting the VoIP mode to Auto or Manual as described below ensure that VLAN membership is not set to access mode using the switchport mode co...

Page 425: ...on a port Use the no form to disable the detection method on the port Syntax no switchport voice vlan rule oui lldp oui Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address lldp Uses LLDP to discover VoIP devices attached to the port Default Setting OUI Enabled LLDP Disabled Command Mode Interface Configuration Command Usage When OUI is sele...

Page 426: ... port that are tagged with the voice VLAN ID VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list or through LLDP that discovers VoIP devices attached to the switch Packets received from non VoIP sources are dropped When enabled be sure the MAC address ranges for VoIP devices are configured in the Telephony OUI list voice vlan mac address Example The following ex...

Page 427: ...to Enabled OUI 6 100 Eth 1 2 Disabled Disabled OUI 6 NA Eth 1 3 Manual Enabled OUI 5 100 Eth 1 4 Auto Enabled OUI 6 100 Eth 1 5 Disabled Disabled OUI 6 NA Eth 1 6 Disabled Disabled OUI 6 NA Eth 1 7 Disabled Disabled OUI 6 NA Eth 1 8 Disabled Disabled OUI 6 NA Eth 1 9 Disabled Disabled OUI 6 NA Eth 1 10 Disabled Disabled OUI 6 NA Console show voice vlan oui OUI Address Mask Description 00 12 34 56 ...

Page 428: ...Chapter 17 VLAN Commands Configuring Voice VLANs 428 ...

Page 429: ...Layer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Sets the default priority processing method CoS or DSCP maps priority tags for internal processing maps values from internal priority table to CoS values used in tagged egress packets for Layer 2 interfaces maps internal per hop behavior to hardware queues Table 94 Priority Comm...

Page 430: ... type Options 0 indicates a normal queue 1 indicates a strict queue Default Setting Strict and WRR with Queue 3 using strict mode Command Mode Global Configuration Command Usage The switch can be set to service the port queues based on strict priority WRR or a combination of strict and weighted queueing Strict priority requires all traffic in a higher priority queue to be processed before lower pr...

Page 431: ...Commands queue weight 431 show queue mode 433 queue weight This command assigns weights to the four class of service CoS priority queues when using weighted queuing or one of the queuing modes that use a combination of strict and weighted queuing Use the no form to restore the default weights Syntax queue weight weight0 weight3 no queue weight weight0 weight3 The ratio of weights for queues 0 3 de...

Page 432: ...y mapping is IP DSCP and then default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used The switch provides four pri...

Page 433: ... default 5 Console config if Related Commands show interfaces switchport 305 show queue mode This command shows the current queue mode Command Mode Privileged Exec Example Console show queue mode Queue Mode Weighted Round Robin Mode Console show queue weight This command displays the weights used for the weighted queues Command Mode Privileged Exec Example Console show queue weight Queue ID Weight...

Page 434: ...cal format Range 0 1 Table 95 Priority Commands Layer 3 and 4 Command Function Mode qos map cos dscp Maps CoS CFI values in incoming packets to per hop behavior and drop precedence values for internal priority processing GC qos map dscp mutation Maps DSCP values in incoming packets to per hop behavior and drop precedence values for internal priority processing GC qos map phb queue Maps internal pe...

Page 435: ... is not an IP packet then the CoS CFI to PHB Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing Note that priority tags in the original packet are not modified by this command The internal DSCP consists of three bits for per hop behavior PHB which determines the queue to which a packet is sent and two bits for drop precedence namely color ...

Page 436: ...CP values separated by spaces This map is only used when the QoS mapping mode is set to DSCP by the qos map trust mode command and the ingress packet type is IPv4 Table 97 Default Mapping of DSCP Values to Internal PHB Drop Values ingress dscp1 ingress dscp10 0 1 2 3 4 5 6 7 8 9 0 0 0 0 1 0 0 0 3 0 0 0 1 0 0 0 3 1 0 1 1 1 1 0 1 3 1 0 1 1 1 0 1 3 2 0 2 1 2 0 2 3 2 2 0 2 1 2 0 2 3 3 0 3 1 3 0 3 3 3 ...

Page 437: ...e DSCP value for these packets is now set to 25 3x23 1 and passed on to the egress interface Console config qos map dscp mutation 3 1 from 1 Console config qos map phb queue This command determines the hardware output queues to use based on the internal per hop behavior value Use the no form to restore the default settings Syntax qos map phb queue queue id from phb0 phb7 no map phb queue phb0 phb7...

Page 438: ... on the DSCP value in the ingress packet If the QoS mapping mode is set to DSCP and a non IP packet is received the packet s CoS and CFI Canonical Format Indicator values are used for priority processing if the packet is tagged For an untagged packet the default port priority see page 432 is used for priority processing If the QoS mapping mode is set to CoS with this command and the ingress packet...

Page 439: ... Command Usage This map is only used when the QoS mapping mode is set to DSCP by the qos map trust mode command and the ingress packet type is IPv4 Example The ingress DSCP is composed of d1 most significant digit in the left column and d2 least significant digit in the top row in other words ingress DSCP d1 10 d2 and the corresponding Internal DSCP and drop precedence is shown at the intersecting...

Page 440: ... map phb queue phb queue map phb 0 1 2 3 4 5 6 7 Queue 1 0 0 1 2 2 3 3 Console show qos map trust mode This command shows the QoS mapping mode Syntax show qos map trust mode interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 Command Mode Privileged Exec Example The following shows that the trust mode is se...

Page 441: ...classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three color meter PM C police trtcm color Defines an enforcer for classified traffic based on a two rate three color meter PM C set cos Services IP traffic by setting a class of service value for matching packets for internal processing PM C set ip dscp Services...

Page 442: ...ity bits in the IP header IP DSCP value for the matching traffic class and use one of the police commands to monitor parameters such as the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP service level for traffic exceeding the specified rate 6 Use the service policy command to assign a policy map to a specific interface Note Create a Class ...

Page 443: ...commands Example This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd class match any Console config cmap match ip dscp 3 Console config cmap Related Commands show class map 457 description This command specifies the description of a class map or policy map Syntax description string string Description of the class m...

Page 444: ... command to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to qualify for this class map If an ingress packet matches an ACL specified by this command any deny rules included in the ACL will be ignored If match criteria includes an IP ACL or IP priority rule then a VLAN rule cannot be included in...

Page 445: ...config cmap rename This command redefines the name of a class map or policy map Syntax rename map name map name Name of the class map or policy map Range 1 32 characters Command Mode Class Map Configuration Policy Map Configuration Example Console config class map rd class 1 Console config cmap rename rd class 9 Console config cmap policy map This command creates a policy map that can be attached ...

Page 446: ...to drop any violating packets Console config policy map rd policy Console config pmap class rd class Console config pmap c set ip dscp 3 Console config pmap c police flow 100000 4000 conform action transmit violate action drop Console config pmap c class This command defines a traffic classification upon which a policy can act and enters Policy Map Class configuration mode Use the no form to delet...

Page 447: ...ass Console config pmap c set phb 3 Console config pmap c police flow 100000 4000 conform action transmit violate action drop Console config pmap c police flow This command defines an enforcer for classified traffic based on the metered flow rate Use the no form to remove a policer Syntax no police flow committed rate committed burst conform action transmit violate action drop new dscp committed r...

Page 448: ...ed Burst Size The token bucket C is initially full that is the token count Tc 0 BC Thereafter the token count Tc is updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else Tc is not incremented When a packet of size B bytes arrives at time t the following happens If Tc t B 0 the packet is green and Tc is decremented by B down to the minimum value of 0 else else ...

Page 449: ...ion to take when rate is within the CIR and BC There are enough tokens in bucket BC to service the packet packet is set green exceed action Action to take when rate exceeds the CIR or BC but is within the BE There are enough tokens in bucket BE to service the packet the packet is set yellow violate action Action to take when rate exceeds the BE There are not enough tokens in bucket BE to service t...

Page 450: ...ne else neither Tc nor Te is incremented When a packet of size B bytes arrives at time t the following happens if srTCM is configured to operate in color blind mode If Tc t B 0 the packet is green and Tc is decremented by B down to the minimum value of 0 else if Te t B 0 the packets is yellow and Te is decremented by B down to the minimum value of 0 else the packet is red and neither Tc nor Te is ...

Page 451: ...o rate three color meter in color aware mode committed rate Committed information rate CIR in kilobits per second Range 64 1000000 kbps at a granularity of 64 kbps or maximum port speed whichever is lower committed burst Committed burst size BC in bytes Range 4000 16000000 at a granularity of 4k bytes peak rate Peak information rate PIR in kilobits per second Range 64 1000000 kbps at a granularity...

Page 452: ...ately from a committed rate The meter operates in one of two modes In the color blind mode the meter assumes that the packet stream is uncolored In color aware mode the meter assumes that some preceding entity has pre colored the incoming packet stream so that each packet is either green yellow or red The marker re colors an IP packet according to the results of the meter The color is coded in the...

Page 453: ...vice that incoming packets will receive and then uses the police trtcm color blind command to limit the average bandwidth to 100 000 Kbps the committed burst rate to 4000 bytes the peak information rate to 1 000 000 kbps the peak burst size to 6000 to remark any packets exceeding the committed burst size and to drop any packets exceeding the peak information rate Console config policy map rd polic...

Page 454: ...o 4000 bytes and configure the response to drop any violating packets Console config policy map rd policy Console config pmap class rd class Console config pmap c set cos 3 Console config pmap c police flow 100000 4000 conform action transmit violate action drop Console config pmap c set ip dscp This command modifies the IP DSCP value in a matching packet as specified by the match command Use the ...

Page 455: ...rvices IP traffic by setting a per hop behavior value for a matching packet as specified by the match command for internal processing Use the no form to remove this setting Syntax no set phb phb value phb value Per hop behavior value Range 0 7 Default Setting None Command Mode Policy Map Class Configuration Command Usage The set phb command is used to set an internal QoS value in hardware for matc...

Page 456: ...ies a policy map defined by the policy map command to the ingress side of a particular interface Use the no form to remove this mapping Syntax no service policy input policy map name input Apply to the input traffic policy map name Name of the policy map for this interface Range 1 32 characters Default Setting No policy map is attached to an interface Command Mode Interface Configuration Ethernet ...

Page 457: ... Match ip dscp 10 Match access list rd access Match ip dscp 0 Class Map match any rd class 2 Match ip precedence 5 Class Map match any rd class 3 Match vlan 1 Console show policy map This command displays the QoS policy maps which define classification criteria for incoming traffic and may include policers for bandwidth limitations Syntax show policy map policy map name class class map name policy...

Page 458: ...ap rd policy class rd class set phb 3 Console show policy map interface This command displays the service policy assigned to the specified interface Syntax show policy map interface interface input interface unit port unit Unit identifier Range 1 port Port number Range 1 28 52 Command Mode Privileged Exec Example Console show policy map interface 1 5 input Service policy rd policy Console ...

Page 459: ...tic multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data isolation for normal traffic Table 101 IGMP Snooping Commands Com...

Page 460: ... are no local members GC ip igmp snooping vlan last memb query intvl Configures the last member query interval GC ip igmp snooping vlan mrd Sends multicast router solicitation messages GC ip igmp snooping vlan proxy address Configures a static address for proxy IGMP query and reporting GC ip igmp snooping vlan query interval Configures the interval between sending IGMP proxy general queries GC ip ...

Page 461: ...ng can still be configured per VLAN interface but the interface settings will not take effect until snooping is re enabled globally Example The following example enables IGMP snooping globally Console config ip igmp snooping Console config ip igmp snooping proxy reporting This command enables IGMP Snooping with Proxy Reporting Use the no form to restore the default setting Syntax ip igmp snooping ...

Page 462: ...akes precedence over the global configuration Example Console config ip igmp snooping proxy reporting Console config ip igmp snooping querier This command enables the switch as an IGMP querier Use the no form to disable it Syntax no ip igmp snooping querier Default Setting Disabled Command Mode Global Configuration If enabled the switch will serve as querier if elected The querier is responsible f...

Page 463: ...option 2 Also when the switch is acting in the role of a multicast host such as when using proxy routing it should ignore version 2 or 3 queries that do not contain the Router Alert option Example Console config ip igmp snooping router alert option check Console config ip igmp snooping router port expire time This command configures the querier time out Use the no form to restore the default Synta...

Page 464: ...eived and all the uplink ports are subsequently deleted a time out mechanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolicited reports for all current learned channels out through the new uplink port By default the switch immediately enters into multicast flooding mode when a spanning tree topology change occurs In this ...

Page 465: ...ogy change notification for a VLAN where IGMP snooping is enabled it issues a global IGMP leave message query solicitation When a switch receives this solicitation it floods it to all ports in the VLAN where the spanning tree change occurred When an upstream multicast router receives this solicitation it will also immediately issues an IGMP general query The ip igmp snooping tcn query solicit comm...

Page 466: ...ise it is flooded throughout the VLAN Example Console config ip igmp snooping unregistered data flood Console config ip igmp snooping unsolicited report interval This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled Use the no form to restore the default value Syntax ip igmp snooping unsolicited report interval seconds no i...

Page 467: ...ault Setting Global IGMP Version 2 VLAN Not configured based on global setting Command Mode Global Configuration Command Usage This command configures the IGMP report query version used by IGMP snooping Versions 1 3 are all supported and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed If the IGMP snooping version is ...

Page 468: ...lusive is disabled on a VLAN then this setting is based on the global setting If it is enabled on a VLAN then this setting takes precedence over the global setting When this function is disabled the currently selected version is backward compatible see the ip igmp snooping version command Example Console config ip igmp snooping version exclusive Console config ip igmp snooping vlan general query s...

Page 469: ...te leave vlan id VLAN ID Range 1 4093 Default Setting Disabled Command Mode Global Configuration Command Usage If immediate leave is not used a multicast router or querier will send a group specific query message when an IGMPv2 v3 group leave message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the time out period The time out f...

Page 470: ...roxy group specific or group and source specific query messages to issue before assuming that there are no more group members Range 1 255 Default Setting 2 Command Mode Global Configuration Command Usage This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled page 461 Example Console config ip igmp snooping vlan 1 last memb query count 7 Console config ip igm...

Page 471: ...sole config ip igmp snooping vlan 1 last memb query intvl 700 Console config ip igmp snooping vlan mrd This command enables sending of multicast router solicitation messages Use the no form to disable these messages Syntax no ip igmp snooping vlan vlan id mrd vlan id VLAN ID Range 1 4093 Default Setting Enabled Command Mode Global Configuration Command Usage Multicast Router Discovery MRD uses mul...

Page 472: ...on messages on VLAN 1 Console config no ip igmp snooping vlan 1 mrd Console config ip igmp snooping vlan proxy address This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting Use the no form to restore the default source address Syntax no ip igmp snooping vlan vlan id proxy address source address vlan id VLAN ID Range 1 4093 sour...

Page 473: ... multicast router port If a proxy query address is not configured the switch will use the VLAN s IP address as the IP source address in general and group specific query messages sent downstream and use the source address of the last IGMP message received from a downstream host in report and leave messages sent upstream from the multicast router port Example The following example sets the source ad...

Page 474: ...igmp snooping vlan query resp intvl This command configures the maximum time the system waits for a response to general queries Use the no form to restore the default Syntax ip igmp snooping vlan vlan id query resp intvl interval no ip igmp snooping vlan vlan id query resp intvl vlan id VLAN ID Range 1 4093 interval The maximum time the system waits for a response to general queries Range 10 31740...

Page 475: ...ult Setting None Command Mode Global Configuration Command Usage Static multicast entries are never aged out When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Example The following shows how to statically configure a multicast group on a port Console config ip igmp snooping vlan 1 static 224 0 0 12 ethern...

Page 476: ...mber query interval 10 unit 1 10 s Last member query count 2 General query suppression Disabled Query interval 125 Query response interval 100 unit 1 10 s Proxy query address 0 0 0 0 Proxy reporting Using global status Disabled Multicast Router Discovery Enabled show ip igmp snooping group This command shows known multicast group source and host port mappings for the specified VLAN interface or fo...

Page 477: ...is command displays information on statically configured and dynamically learned multicast router ports Syntax show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID Range 1 4093 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static or Dynamic Example The following shows the ports...

Page 478: ...fault Setting No static multicast router ports are configured Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router or switch connected over the network to an interface port or trunk on this switch that interface can be manually configured to joi...

Page 479: ...filtering and throttling on the switch Use the no form to disable the feature Syntax no ip igmp filter Default Setting Disabled Command Mode Global Configuration Table 103 IGMP Filtering and Throttling Commands Command Function Mode ip igmp filter Enables IGMP filtering and throttling on the switch GC ip igmp profile Sets a profile number and enters IGMP filter profile configuration mode GC permit...

Page 480: ...ulticast groups it does not apply to statically configured groups The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic Example Console config ip igmp filter Console config ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode Use the no form to delete a profile number Syntax no ip igmp profile p...

Page 481: ...eny IGMP join reports are only processed when a multicast group is not in the controlled range Example Console config ip igmp profile 19 Console config igmp profile permit Console config igmp profile range This command specifies multicast group addresses for a profile Use the no form to delete addresses from a profile Syntax no range low ip address high ip address low ip address A valid IP address...

Page 482: ...ration Command Usage The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface Only one profile can be assigned to an interface A profile can also be assigned to a trunk interface When ports are configured as trunk members the trunk uses the filtering profile assigned to the first port member in the trunk Example Console config...

Page 483: ...trunk members the trunk uses the throttling settings of the first port member in the trunk Example Console config interface ethernet 1 1 Console config if ip igmp max groups 10 Console config if ip igmp max groups action This command sets the IGMP throttling action for an interface on the switch Syntax ip igmp max groups action deny replace deny The new multicast group join report is dropped repla...

Page 484: ...dentifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 Default Setting None Command Mode Privileged Exec Example Console show ip igmp filter IGMP filter enabled Console show ip igmp filter interface ethernet 1 1 Ethernet 1 1 information IGMP Profile 19 Deny Range 239 1 1 1 239 1 1 1 Range 239 2 3 1 239 2 3 100 Console show ip igmp profile This command displays IGMP fil...

Page 485: ...ays the interface settings for IGMP throttling Syntax show ip igmp throttle interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces Example Console show ip i...

Page 486: ... without any keywords to globally disable MVR Use the no form with the group keyword to remove a specific address or range of addresses Or use the no form with the vlan keyword to restore the default MVR VLAN Syntax no mvr group ip address count vlan vlan id group Defines a multicast service sent to all attached subscribers ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 2...

Page 487: ... be configured for an IGMP version 1 host the multicast groups must be statically assigned using the mvr vlan group command IGMP snooping and MVR share a maximum number of 255 groups Any multicast streams received in excess of this limitation will be flooded to all ports in the associated VLAN MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command a...

Page 488: ...tached to the same interface Immediate leave does not apply to multicast groups which have been statically assigned to a port with the mvr vlan group command Example The following enables immediate leave on a receiver port Console config interface ethernet 1 5 Console config if mvr immediate Console config if mvr type This command configures an interface as an MVR receiver or source port Use the n...

Page 489: ...ommand Example The following configures one source port and several receiver ports on the switch Console config interface ethernet 1 5 Console config if mvr type source Console config if exit Console config interface ethernet 1 6 Console config if mvr type receiver Console config if exit Console config interface ethernet 1 7 Console config if mvr type receiver Console config if mvr vlan group This...

Page 490: ...r type receiver Console config if mvr vlan 3 group 225 0 0 5 Console config if show mvr This command shows information about the global MVR configuration settings when entered without any keywords the interfaces attached to the MVR VLAN using the interface keyword or the multicast groups assigned to the MVR VLAN using the members keyword Syntax show mvr interface interface members ip address inter...

Page 491: ...d Description MVR Config Status Shows if MVR is globally enabled on the switch MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR Multicast VLAN Shows the VLAN used to transport all MVR multicast traffic MVR Group Address A multicast service sent to a...

Page 492: ...cription Field Description MVR Forwarding Entry Count The number of multicast services currently being forwarded from the MVR VLAN Group Address Multicast groups assigned to the MVR VLAN Source Address Indicates the source address of the multicast service or displays an asterisk if the group address has been statically assigned VLAN Indicates the MVR VLAN receiving the multicast service Forwarding...

Page 493: ...urate network topology Table 108 LLDP Commands Command Function Mode lldp Enables LLDP globally on the switch GC lldp holdtime multiplier Configures the time to live TTL value sent in LLDP advertisements GC lldp med fast start count Configures how many medFastStart packets are transmitted GC lldp notification interval Configures the allowed interval for sending SNMP notifications about LLDP change...

Page 494: ...nsmission of SNMP trap notifications about LLDP MED changes IC lldp med tlv ext poe Configures an LLDP MED enabled port to advertise its extended Power over Ethernet configuration and usage information IC lldp med tlv inventory Configures an LLDP MED enabled port to advertise its inventory identification details IC lldp med tlv location Configures an LLDP MED enabled port to advertise its location...

Page 495: ...he default setting Syntax lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on the following rule minimum of Transmission Interval Holdtime Multiplier or 65536 Range 2 10 Default Setting Holdtime multiplier 4 TTL 4 30 120 seconds Command Mode Global Configuration Command Usage The time to live tells the receiving LLDP agent how long to retain all ...

Page 496: ...the port LLDP MED Fast Start is critical to the timely startup of LLDP and therefore integral to the rapid availability of Emergency Call Service Example Console config lldp med fast start count 6 Console config lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use the no form to restore the default setting Syntax lldp not...

Page 497: ...e periodic transmit interval for LLDP advertisements Use the no form to restore the default setting Syntax lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval at which LLDP advertisements are sent Range 5 32768 seconds Default Setting 30 seconds Command Mode Global Configuration Example Console config lldp refresh interval 60 Console config lldp reinit delay...

Page 498: ...Use the no form to restore the default setting Syntax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds Default Setting 2 seconds Command Mode Global Configuration Command Usage The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probabilit...

Page 499: ...anagement address for this device Use the no form to disable this feature Syntax no lldp basic tlv management ip address Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The management address protocol packet includes the IPv4 address of the switch If no management address is available the address should be the MAC address for the CPU or for the port...

Page 500: ... tlv port description This command configures an LLDP enabled port to advertise its port description Use the no form to disable this feature Syntax no lldp basic tlv port description Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The port description is taken from the ifDescr object in RFC 2863 which includes information about the manufacturer the ...

Page 501: ...m description Use the no form to disable this feature Syntax no lldp basic tlv system description Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system description is taken from the sysDescr object in RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software ...

Page 502: ...e supported protocols Use the no form to disable this feature Syntax no lldp dot1 tlv proto ident Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises the protocols that are accessible through this interface Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto ident Console config if lldp dot1 tlv...

Page 503: ...ldp dot1 tlv pvid Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The port s default VLAN identifier PVID indicates the VLAN with which untagged or priority tagged frames are associated see the switchport native vlan command Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv pvid Console config if lldp dot1 tlv vlan na...

Page 504: ... feature Syntax no lldp dot3 tlv link agg Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises link aggregation capabilities aggregation status of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member Example Console config interface ethernet 1 1 Console config if no lldp dot3 tl...

Page 505: ...Power over Ethernet PoE capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv poe Default Setting Enabled Command Mode Interface Configuration Ethernet Command Usage This option advertises Power over Ethernet capabilities including whether or not PoE is supported currently enabled if the port pins through which power is delivered can be controlled the port pins selected to d...

Page 506: ... value Range 0 255 ca value Description of a location Range 1 32 characters Default Setting Not advertised No description Command Mode Interface Configuration Ethernet Port Channel Command Usage Use this command without any keywords to advertise location identification details Use the ca type to advertise the physical location of the device that is the city street number building and room informat...

Page 507: ...nsole config if lldp med location civic addr 4 West Irvine Console config if lldp med location civic addr 6 Exchange Console config if lldp med location civic addr 18 Avenue Console config if lldp med location civic addr 19 320 Console config if lldp med location civic addr 27 5 Console config if lldp med location civic addr 28 509B Console config if lldp med location civic addr country US Console...

Page 508: ...eriodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss Example Console config interface ethernet 1 1 Console config if lldp med notification Console config if lldp med tlv ext poe This command configures an LLDP MED enabled port to advertise and accept Extended Power over Ethernet configurat...

Page 509: ...l Command Usage This option advertises device details useful for inventory management such as manufacturer model software version and other pertinent information Example Console config interface ethernet 1 1 Console config if no lldp med tlv inventory Console config if lldp med tlv location This command configures an LLDP MED enabled port to advertise its location identification details Use the no...

Page 510: ...ntly discover which LLDP MED related TLVs are supported on the switch Example Console config interface ethernet 1 1 Console config if lldp med tlv med cap Console config if lldp med tlv network policy This command configures an LLDP MED enabled port to advertise its network policy configuration Use the no form to disable this feature Syntax no lldp med tlv network policy Default Setting Enabled Co...

Page 511: ...interval command Trap notifications include information about state changes in the LLDP MIB IEEE 802 1AB or organization specific LLDP EXT DOT1 and LLDP EXT DOT3 MIBs SNMP trap destinations are defined using the snmp server host command Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a trap...

Page 512: ...figuration LLDP Enabled Yes LLDP Transmit Interval 30 sec LLDP Hold Time Multiplier 4 LLDP Delay Interval 2 sec LLDP Re initialization Delay 2 sec LLDP Notification Interval 5 sec LLDP MED Fast Start Count 4 LLDP Port Configuration Port Admin Status Notification Enabled Eth 1 1 Tx Rx True Eth 1 2 Tx Rx True Eth 1 3 Tx Rx True Eth 1 4 Tx Rx True Eth 1 5 Tx Rx True Console show lldp config detail et...

Page 513: ...l device This command shows LLDP global and interface specific configuration settings for this device Syntax show lldp info local device detail interface detail Shows configuration summary interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 12 Command Mode Privileged Exec Example Console show lldp info local device LLDP Local Sys...

Page 514: ...Port Eth 1 1 Port Type MAC Address Port ID 00 1A 7E AC 2B 13 Port Description Ethernet Port on unit 1 port 1 MED Capability LLDP MED Capabilities Network Policy Location Identification Extended Power via MDI PSE Extended Power via MDI PD Inventory Console show lldp info remote device This command shows LLDP global and interface specific configuration settings for remote devices attached to an LLDP...

Page 515: ...Port ID 70 72 CF 95 DC 48 System Name System Description EX 3524 Managed POE POE Switch Port Description Ethernet Port on unit 1 port 2 System Capabilities Supported Bridge System Capabilities Enabled Bridge Remote Management Address 192 168 0 2 IPv4 Remote Port VID 1 Remote Port Protocol VLAN VLAN 2 supported enabled Remote VLAN Name VLAN 1 DefaultVlan VLAN 2 RARP vlan Remote Protocol Identity He...

Page 516: ...switch show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Port NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 0 870 0 Eth 1 2 866 867 0 Eth 1 3 867 868 0 Eth 1 4 0 869 0 Eth 1 5 849 862 0 switch show lldp info stati...

Page 517: ... for that entry is reinitialized The information contained in CDP announcements may include the CDP version host name IP address and port identifier from which the announcement was sent device type and other device specific information Table 110 CDP Commands Command Function Mode cdp Enables CDP globally on the switch GC cdp hold time Specifies the amount of time the receiving device should hold a...

Page 518: ...ig cdp Console config cdp hold time This command specifies the amount of time the receiving device should hold a CDP packet sent from this switch Use the no form to restore the default setting Syntax cdp hold time seconds no cdp hold time seconds The hold time sent in CDP update packets Range 10 255 seconds Default Setting 180 seconds Command Mode Global Configuration Example Console config cdp ho...

Page 519: ... send CDP updates Range 5 254 seconds Default Setting 60 seconds Command Mode Global Configuration Example Console config cdp transmit interval 120 Console config cdp version This command specifies the CDP version to use for transmitting advertisements Use the no form to restore the default setting Syntax cdp version 1 2 no cdp version 1 CDP version 1 2 CDP version 2 Default Setting Version 2 Comm...

Page 520: ...sole config if cdp Console config if clear cdp table This command clears the CDP neighbor table Command Mode Privileged Exec Command Usage When a port link goes down CDP will also clear the peer information for this port Example Console clear cdp table Console show cdp This command shows the global CDP configuration settings Command Mode Privileged Exec Example Console show cdp CDP Global Configur...

Page 521: ...nge 1 28 52 Command Mode Privileged Exec Example Console show cdp interface Interface Status Eth 1 1 Disabled Eth 1 2 Disabled Eth 1 3 Disabled show cdp neighbors This command shows information about neighbors obtained by monitoring CDP advertisements Syntax show cdp neighbors detail interface detail detail interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 Co...

Page 522: ... 0 SW Version Version 12 1 2 Hold Time 160 seconds Remain Time 40 seconds Table 111 show cdp neighbors display description Field Description Capability Codes The capabilities that define the primary function s of the system Interface The local port to which a remote CDP capable device is attached Version The software version running on the neighbor Device ID The name of the neighbor device its MAC...

Page 523: ...ame Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 127 characters Default Setting None Table 112 Address Table Commands Command Function Mode ip domain list Defines a list of default domain names for incomplete host names GC ip domain lookup Enables DNS based host name to address translation GC ip domain name Defines a default domain name ...

Page 524: ...sed Example This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list sample com uk Console config end Console show dns Domain Lookup Status DNS Disabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List Console Related Commands ip domain name 525 ip domain l...

Page 525: ...mand defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name Syntax ip domain name name no ip domain name name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 127 characters Default Setting None Command...

Page 526: ...d to clear static entries or the clear host command to clear dynamic entries Example This example maps an IPv4 address to a host name Console config ip host rd5 192 168 1 55 Console config end Console show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 Console ip name server This command specifies the address of one or more domain name servers to use for name to address reso...

Page 527: ...ain Name List sample com jp sample com uk Name Server List 192 168 1 55 10 1 0 55 Console Related Commands ip domain name 525 ip domain lookup 524 ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address Use the no form to remove an entry Syntax no ipv6 host name ipv6 address name Name of an IPv6 host Range 1 100 characters ipv6 address Corresponding ...

Page 528: ...ole clear dns cache This command clears all entries in the DNS cache Command Mode Privileged Exec Example Console clear dns cache Console show dns cache No Flag Type IP Address TTL Domain Console clear host This command deletes dynamic entries from the DNS table Syntax clear host name name Name of the host Range 1 100 characters Removes all entries Default Setting None Command Mode Privileged Exec...

Page 529: ... displays entries in the DNS cache Command Mode Privileged Exec Example Console show dns cache No Flag Type IP Address TTL Domain 3 4 Host 209 131 36 158 115 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 115 www yahoo com 5 4 CNAME POINTER TO 3 115 www wa1 b yahoo com Console Table 113 show dns cache display description Field Description No The entry number for each resource record Flag The flag...

Page 530: ...d with this record TTL The time to live reported by the name server Domain The host name associated with this record Table 113 show dns cache display description Continued Field Description Table 114 show hosts display description Field Description No The entry number for each resource record Flag The field displays 2 for a static entry or 4 for a dynamic entry stored in the cache Type This field ...

Page 531: ...Mode DHCP for IPv4 ip dhcp client class id Specifies the DHCP client identifier for an interface IC ip dhcp restart client Submits a BOOTP or DHCP client request PE show ip dhcp client identifier This command is only supported by the EX 3548 Shows the DHCP client identifier for all interfaces PE DHCP for IPv6 ipv6 dhcp client rapid commit vlan Specifies the Rapid Commit option for DHCPv6 message e...

Page 532: ...to identify the vendor class and configuration of the switch to the DHCP server which then uses this information to decide on how to service the client or the type of information to return The general framework for this DHCP option is set out in RFC 2132 Option 60 This information is used to convey configuration settings or other identification information about a client but the specific string to...

Page 533: ...igned the same address Console config interface vlan 1 Console config if ip address dhcp Console config if exit Console ip dhcp restart client Console show ip interface Vlan 1 is Administrative Up Link Up Address is 12 34 12 34 12 34 Index 1001 MTU 1500 Bandwidth 1g Address Mode is DHCP IP Address 192 168 0 9 Mask 255 255 255 0 Proxy ARP is disabled Console Related Commands ip address 538 show ip ...

Page 534: ... server through a normal four message exchange solicit advertise request reply or through a rapid two message exchange solicit reply The rapid commit option must be enabled on both client and server for the two message exchange to be used This command allows two message exchange method for prefix delegation When enabled DCHPv6 client requests submitted from the specified interface will include the...

Page 535: ...CPv6 is used for both address and other configuration settings This combination is known as DHCPv6 stateful in which a DHCPv6 server assigns stateful addresses to IPv6 hosts The M flag is set to 0 and the O flag is set to 1 DHCPv6 is used only for other configuration settings Neighboring routers are configured to advertise non link local address prefixes from which IPv6 hosts derive stateless addr...

Page 536: ...ig command Example Console show ipv6 dhcp duid DHCPv6 Unique Identifier DUID 0001 0001 4A8158B4 00E00C0000FD Console show ipv6 dhcp vlan This command shows DHCPv6 information for the specified interface s Syntax show ipv6 dhcp vlan vlan id vlan id VLAN ID specified as a single number a range of consecutive numbers separated by a hyphen or multiple numbers separated by commas Range 1 4093 Maximum c...

Page 537: ... segment IPv4 Interface There are no IP addresses assigned to this switch by default You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway between this device and management stations or other devices that exist on another network segment This section includes commands for c...

Page 538: ...CP Command Mode Interface Configuration VLAN Command Usage If this router is directly connected to end node devices or connected to end nodes via shared media that will be assigned to a specific subnet then you must create a router interface for each VLAN that will support routing The router interface consists of an IP address and subnet mask This interface address defines both the network number ...

Page 539: ...ubnet can be accessed through this interface Note that a secondary address cannot be configured prior to setting the primary IP address and the primary address cannot be removed if a secondary address is still present Also if any router switch in a network segment uses a secondary address all other routers switches in that segment must also use a secondary address from the same network or subnet a...

Page 540: ...n also be defined using the ip route command to ensure that traffic to the designated address or subnet passes through a preferred gateway A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the router A gateway must be defined if the management station is located in a different IP segment The same link local address ...

Page 541: ...CP IP Address 192 168 0 3 Mask 255 255 255 0 Proxy ARP is disabled Console Related Commands ip address 538 show ipv6 interface 558 show ip traffic This command displays statistics for IP ICMP UDP TCP and ARP protocols Command Mode Privileged Exec Example Console show ip traffic IP Statistics IP received 7845 total received header errors unknown protocols address errors discards 7845 delivers reass...

Page 542: ...ed messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages UDP Statistics input no port errors other errors output TCP Statistics 7841 input input errors 9897 output Console traceroute This command shows the route packets take t...

Page 543: ...f these messages terminating only when the maximum timeout has been reached may indicate this problem with the target device If the target device does not respond or other errors are detected the switch will indicate this by one of the following messages No Response H Host Unreachable N Network Unreachable P Protocol Unreachable O Other Example Console traceroute 192 168 0 1 Press ESC to abort Tra...

Page 544: ...s unreachable Network or host unreachable The gateway found no corresponding entry in the route table When pinging a host name be sure the DNS server has been defined see page 526 and host name to address translation enabled see page 524 If necessary local devices can also be specified in the DNS static host table see page 526 Example Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0 9 by 5 3...

Page 545: ...o 48 bit hardware i e Media Access Control addresses This cache includes entries for hosts and other routers on local network interfaces defined on this router The maximum number of static entries allowed in the ARP cache is 32 You may need to enter a static entry in the cache if there is no response to an ARP broadcast message For example some applications may not respond to ARP requests or the r...

Page 546: ...N Command Usage Proxy ARP allows a non routing device to determine the MAC address of a host on another subnet or network End stations that require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices Extensive use of Proxy ARP can degrade router performance because it may lead...

Page 547: ...P cache Command Mode Normal Exec Privileged Exec Command Usage This command displays information about the ARP cache The first line shows the cache timeout It also shows each cache entry including the IP address MAC address type static dynamic other and VLAN interface Note that entry type other indicates local addresses for this router Example This example displays all entries in the ARP cache Con...

Page 548: ...tu Sets the size of the maximum transmission unit MTU for IPv6 packets sent on an interface IC show ipv6 default gateway Displays the current IPv6 default gateway NE PE show ipv6 interface Displays the usability and configured settings for IPv6 interfaces NE PE show ipv6 mtu Displaysmaximumtransmissionunit MTU informationfor IPv6 interfaces NE PE show ipv6 traffic Displays statistics about IPv6 tr...

Page 549: ...ddress to indicate the appropriate number of zeros required to fill the undefined fields The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies VLAN 1 as the interface from which the ping is sent ...

Page 550: ...colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields To connect to a larger network with multiple subnets you must configure a global unicast address This address can be manually configured with this command or it can be automatically configured using the ipv6 address autoconfig command If a link local address has not yet been assigned ...

Page 551: ... address Use the no form to remove the address generated by this command Syntax no ipv6 address autoconfig Default Setting No IPv6 addresses are defined Command Mode Interface Configuration VLAN Command Usage If a link local address has not yet been assigned to this interface this command will dynamically generate a global unicast address if a global prefix is included in received router advertise...

Page 552: ...0 milliseconds Console Related Commands ipv6 address 550 show ipv6 interface 558 ipv6 address eui 64 This command configures an IPv6 address for an interface using an EUI 64 interface ID in the low order 64 bits and enables IPv6 on the interface Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface Use the no form with a specific address to remov...

Page 553: ...MAC address For devices that still use a 6 byte MAC address also known as EUI 48 format it must be converted into EUI 64 format by inverting the universal local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address For example if a device had an EUI 48 address of 28 9F 18 1C 82 35 the global local bit must first be inverted to meet ...

Page 554: ...ddress ipv6 address link local no ipv6 address ipv6 address link local ipv6 address The IPv6 address assigned to the interface Default Setting No IPv6 addresses are defined Command Mode Interface Configuration VLAN Command Usage The specified address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used i...

Page 555: ...2 1 FF00 FD FF02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console Related Commands ipv6 enable 555 show ipv6 interface 558 ipv6 enable This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address Use the no form to disable IPv6 on an interface ...

Page 556: ...ace VLAN 1 is up IPv6 is enabled Link local address FE80 2E0 CFF FE00 FD 64 Global unicast address es 2001 DB8 2222 7273 72 96 subnet is 2001 DB8 2222 7273 96 Joined group address es FF02 1 FF00 72 FF02 1 FF00 FD FF02 1 IPv6 link MTU is 1280 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console Related Commands ...

Page 557: ...must use the same MTU in order to operate correctly IPv6 must be enabled on an interface before the MTU can be set Example The following example sets the MTU for VLAN 1 to 1280 bytes Console config interface vlan 1 Console config if ipv6 mtu 1280 Console config if Related Commands show ipv6 mtu 559 jumbo frame 89 show ipv6 default gateway This command displays the current IPv6 default gateway Comm...

Page 558: ...the address Command Mode Normal Exec Privileged Exec Example This example displays all the IPv6 addresses configured for the switch Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local address FE80 2E0 CFF FE00 FD 64 Global unicast address es 2001 DB8 2222 7273 72 96 subnet is 2001 DB8 2222 7273 96 Joined group address es FF02 1 FF00 72 FF02 1 FF00 FD FF02 1 IPv6 link MTU is 1280 by...

Page 559: ... interface local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as described below A node is also required to compute and join the associated solicited node multicast addresses for every unicast...

Page 560: ...ceived 0 header errors 0 too big errors 0 no routes 0 address errors 0 unknown protocols 0 truncated packets 0 discards 0 delivers 0 reassembly request datagrams 0 reassembled succeeded 0 reassembled failed IPv6 sent 0 forwarded datagrams 22 requests 0 discards 0 no routes 0 generated fragments 0 fragment succeeded 0 fragment failed Table 123 show ipv6 mtu display description No information is dis...

Page 561: ...messages 6 router solicit messages 10 neighbor solicit messages 0 neighbor advertisement messages 0 redirect messages 0 group membership response messages 0 group membership reduction messages UDP Statistics 0 input 0 no port errors 0 other errors 0 output Console Table 124 show ipv6 traffic display description Field Description IPv6 Statistics IPv6 recived total received The total number of input...

Page 562: ...ome of the fragments reassembly succeeded The number of IPv6 datagrams successfully reassembled Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments reassembly failed The number of failures detected by the IPv6 re assembly algorithm for whateverreason timedout errors etc Note that...

Page 563: ...ter problem message The number of ICMP Parameter Problem messages received by the interface echo request messages The number of ICMP Echo request messages received by the interface echo reply messages The number of ICMP Echo Reply messages received by the interface redirect messages The number of Redirect messages received by the interface group membership query messages The number of ICMPv6 Group...

Page 564: ...nterface router solicit messages The number of ICMP Router Solicitation messages sent by the interface neighbor advertisement messages The number of ICMP Router Advertisement messages sent by the interface redirect messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects group membership response messages The number of ICMPv6 Group ...

Page 565: ... Setting count 5 size 100 bytes Command Mode Privileged Exec Command Usage Use the ping6 command to see if another site on the network can be reached or to evaluate delays over the path The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the ...

Page 566: ...fault setting Syntax ipv6 hop limit hops no ipv6 hop limit hops The maximum number of hops in router advertisements and all IPv6 packets Range 1 255 Default Setting 1 Command Mode Interface Configuration VLAN Example The following sets the hop limit for router advertisements to 64 Console config if interface vlan 1 Console config ipv6 hop limit 64 Console config ipv6 nd dad attempts This command c...

Page 567: ...started for the remaining IPv6 addresses If a duplicate address is detected it is set to duplicate state and a warning message is sent to the console If a duplicate link local address is detected IPv6 processes are disabled on the interface If a duplicate global unicast address is detected it is not used All configuration commands associated with a duplicate address remain configured while the add...

Page 568: ...for neighbor discovery operations 0 milliseconds is advertised in router advertisements Command Mode Interface Configuration VLAN Command Usage When a non default value is configured the specified interval is used both for router advertisements and by the router itself This command specifies the interval between transmitting neighbor solicitation messages when resolving an address or when probing ...

Page 569: ...r receiving confirmation of reachability Range 1000 3600000 Default Setting 30000 milliseconds is used for neighbor discovery operations 0 milliseconds is advertised in router advertisements Command Mode Interface Configuration VLAN Command Usage The time limit configured by this parameter allows the router to detect unavailable neighbors During the neighbor discover process an IPv6 node will mult...

Page 570: ...ipv6 neighbors vlan vlan id ipv6 address vlan id VLAN ID Range 1 4093 ipv6 address The IPv6 address of a neighbor device You can specify either a link local or global unicast address formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill t...

Page 571: ...he ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning While in STALE state the device takes no action until a packet is sent DELAY More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning A packet was sent within the last DELAY_FIRST_PROBE_TIME int...

Page 572: ...Chapter 25 IP Interface Commands IPv6 Interface 572 ...

Page 573: ... commands for both static and dynamic routing These commands are used to connect between different local subnetworks or to connect the router to the enterprise network Global Routing Configuration Table 203 IP Routing Commands Command Group Function Global Routing Configuration Configuresglobalparametersforstaticanddynamicrouting displays the routing table and statistics for protocols used to exch...

Page 574: ...her routing information Range 1 255 Default 1 Removes all static routing table entries Default Setting No static routes are configured Command Mode Global Configuration Command Usage Up to 24 static routes can be configured If an administrative distance is defined for a static route and the same destination can be reached through a dynamic route at a lower administration distance then the dynamic ...

Page 575: ...IB is distinct from the routing table or Routing Information Base which holds all routing information received from routing peers The forwarding information base contains unique paths only It does not contain any secondary paths A FIB entry consists of the minimum amount of information necessary to make a forwarding decision on a particular packet The typical components within a forwarding informa...

Page 576: ...abase Codes C connected S static R RIP B BGP O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area selected route FIB route p stale info C 127 0 0 0 8 is directly connected lo0 C 192 168 1 0 24 is directly connected VLAN1 Console show ip route summary This com...

Page 577: ... 577 Section I Appendices This section provides additional information and includes these items Troubleshooting on page 579 License Information on page 581 Customer Support on page 593 ...

Page 578: ...Section I Appendices 578 ...

Page 579: ...permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured on the management sta...

Page 580: ...6 Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set up your terminal emulation software so that it can capture all console output to a file Then enter the show tech support command to record all system settings in this file 9 Contact your distributor ...

Page 581: ... of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to ce...

Page 582: ...t you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it when started running for such interactive use in the most ordinary way to print or display an announceme...

Page 583: ...s These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and all its terms and conditions for copying distributing or modifying the Program or works based on it 7 Each time you redistribute the Program or any work based on the Program the recipien...

Page 584: ...free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 1 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE PROGRAM TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EX...

Page 585: ... than as an argument passed when the facility is invoked then you may convey a copy of the modified version a under this License provided that you make a good faith effort to ensure that in the event an Application does not supply the function or data the facility still operates and performs whatever part of its purpose remains meaningful or b under the GNU GPL with none of the additional permissi...

Page 586: ...under the terms of this License b Give prominent notice with the combined library that part of it is a work based on the Library and explaining where to find the accompanying uncombined form of the same work 6 Revised Versions of the GNU Lesser General Public License The Free Software Foundation may publish revised and or new versions of the GNU Lesser General Public License from time to time Such...

Page 587: ...g developer tools software downloads product manuals support contact information and online repair requests ISC License Permission to use copy modify and or distribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH...

Page 588: ...N AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Part 2 Networks Associates Technology Inc copyright notice BSD Copyright c 2001 2003 Networks Associates Technology Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following co...

Page 589: ...ce BSD Copyright 2003 Sun Microsystems Inc 4150 Network Circle Santa Clara California 95054 U S A All rights reserved Use is subject to license terms below This distribution may include materials developed by third parties Sun Sun Microsystems the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems Inc in the U S and other countries Redistribution and use in source and...

Page 590: ...OFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 6 Cisco BUPTNIC copyright notice BSD Copyright c 2004 Cisco Inc and Information Network Center of Beijing University of Posts and Telecommunications All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source co...

Page 591: ...CT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 8 Apple Inc copyright notice BSD Copyright c 2007 Apple Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistribu...

Page 592: ...this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL ...

Page 593: ...number of the unit Model number or product name Software type and version number Motorola Solutions responds to calls by e mail telephone or fax within the time limits set forth in support agreements If you purchased your product from a Motorola Solutions business partner contact that business partner for support Customer Support Web Site The Support Central Web site located at http supportcentral...

Page 594: ...Appendix C Customer Support Manuals 594 ...

Page 595: ...aintenance points fault verification through loop back messages and fault isolation with link trace messages CoS Class of Service is supported by prioritizing packets based on the required level of service and then placing them in the appropriate output queue Data is transmitted from the queues using weighted round robin service to enforce priority service and prevent blockage of lower level queue...

Page 596: ...tion Switching can be used to increase the availability and robustness of Ethernet rings such as those used in Metropolitan Area Networks MAN ERPS provides Layer 2 loop avoidance and fast re convergence in Layer 2 ring topologies supporting up to 255 nodes in the ring structure It can also function with IEEE 802 1ag to support link monitoring when non participating devices exist within the Etherne...

Page 597: ... allows switches to assign endstations to different virtual LANs and defines a standard way for VLANs to communicate across switched networks IEEE 802 1p An IEEE standard for providing quality of service QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value IEEE 802 1s An IEEE standa...

Page 598: ...ulticast group members In Band Management Management of the network from a station attached directly to the network IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts IP Precedence The Type of Service ToS octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for networ...

Page 599: ...whereby the switch filters incoming multicast frames for services for which no attached host has registered or forwards them to all ports contained within the designated multicast VLAN group MVR Multicast VLAN Registration is a method of using a single network wide multicast VLAN to transmit common services such as such as television channels or video on demand across a service provider s network ...

Page 600: ...to provide better service to selected traffic flows using features such as data prioritization queuing congestion avoidance and traffic shaping These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow RADIUS Remote Authentication Dial in User Service RADIUS is a logon authentication protocol that...

Page 601: ...ternet Protocol Protocol suite that includes TCP as the primary transport protocol and IP as the network layer protocol Telnet Defines a remote communication facility for interfacing to a terminal device over TCP IP TFTP Trivial File Transfer Protocol A TCP IP protocol commonly used for software downloads UDP User Datagram Protocol UDP provides a datagram mode for packet switched communications It...

Page 602: ...Glossary 602 XModem A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 603: ...p 442 clear arp cache 547 clear cdp table 520 clear counters 301 clear dns cache 528 clear host 528 clear ip dhcp snooping database flash 248 clear ipv6 neighbors 570 clear ipv6 traffic 564 clear log 114 clear mac address table dynamic 363 clear network access 233 clock summer time 124 clock timezone 125 clock timezone predefined 126 cluster 132 cluster commander 133 cluster ip pool 134 cluster me...

Page 604: ...g tcn flood 464 ip igmp snooping tcn query solicit 465 ip igmp snooping unregistered data flood 466 ip igmp snooping unsolicited report interval 466 ip igmp snooping version 467 ip igmp snooping version exclusive 468 ip igmp snooping vlan general query suppression 468 ip igmp snooping vlan immediate leave 469 ip igmp snooping vlan last memb query count 470 ip igmp snooping vlan last memb query int...

Page 605: ... authentication max mac count 232 mac authentication reauth time 224 mac vlan 419 management 215 match 444 max hops 375 mst priority 376 mst vlan 376 mvr 486 mvr immediate leave 487 mvr type 488 mvr vlan group 489 N name 377 negotiation 299 network access aging 223 network access dynamic qos 225 network access dynamic vlan 226 network access guest vlan 227 network access link detection 228 network...

Page 606: ...show interfaces counters 302 show interfaces protocol vlan protocol group 416 show interfaces status 304 show interfaces switchport 305 show interfaces transceiver 307 show ip access group 275 show ip access list 275 show ip arp inspection configuration 262 show ip arp inspection interface 262 show ip arp inspection log 263 show ip arp inspection statistics 263 show ip arp inspection vlan 263 show...

Page 607: ...aps atc broadcast alarm clear 355 snmp server enable port traps atc broadcast alarm fire 356 snmp server enable port traps atc broadcast control apply 356 snmp server enable port traps atc broadcast control release 357 snmp server enable port traps atc multicast alarm clear 357 snmp server enable port traps atc multicast alarm fire 358 snmp server enable port traps atc multicast control apply 358 ...

Page 608: ...le 425 switchport voice vlan security 426 T tacacs server host 175 tacacs server key 175 tacacs server port 176 test cable diagnostics 308 timeout login response 108 time range 128 traceroute 542 traffic segmentation 266 U upgrade opcode auto 97 upgrade opcode path 98 username 167 V vlan 400 vlan database 400 vlan trunking 407 voice vlan 421 voice vlan aging 422 voice vlan mac address 423 W web au...

Page 609: ...ded 277 279 IPv6 Standard 277 278 MAC 283 time range 128 address table 361 aging time 361 aging time displaying 364 aging time setting 361 administrative users displaying 87 ARP ACL 257 configuration 545 proxy 546 ARP inspection 255 ACL filter 257 additional validation criteria 259 ARP ACL 288 enabling globally 256 enabling per VLAN 259 trusted ports 261 ARP statistics 541 ATC 346 control response...

Page 610: ...CP snooping 242 enabling 242 global configuration 242 information option 244 information option policy 245 information option enabling 244 policy selection 245 specifying trusted interfaces 247 verifying MAC addresses 246 VLAN configuration 246 DiffServ 441 binding policy to interface 456 class map 442 446 class map description 443 classifying QoS traffic 444 color aware srTCM 449 color aware trTC...

Page 611: ... server 185 HTTPS 186 configuring 186 replacing SSL certificate 92 secure site certificate 92 UDP port configuring 186 HTTPS secure server 186 I IEEE 802 1D 371 IEEE 802 1s 371 IEEE 802 1w 371 IEEE 802 1X 200 202 IGMP filter profiles binding to interface 482 filter profiles configuration 480 filter interface configuration 482 483 filter parameters 479 483 filtering throttling 479 filtering throttl...

Page 612: ...40 550 manual configuration link local 40 554 setting 39 550 J jumbo frame 89 K key private 190 public 190 user public importing 92 key pair host 190 host generating 196 L LACP configuration 313 group attributes configuring 319 group members configuring 315 318 local parameters 320 partner parameters 320 protocol message statistics 320 protocol parameters 313 last member query count IGMP snooping ...

Page 613: ...61 router configuration 478 multicast groups 476 static 475 476 multicast router discovery 471 multicast router port displaying 477 multicast services configuring 475 displaying 476 multicast static router port 478 configuring 478 multicast storm threshold 345 multicast filtering and throttling 479 MVR assigning static multicast groups 489 configuring 486 interface status configuring 487 488 inter...

Page 614: ...P CoS 438 QoS policy committed burst size 447 449 451 excess burst size 449 peak burst size 451 srTCM 449 srTCM police meter 449 trTCM 451 trTCM police meter 451 QoS policy committed information rate 447 449 451 QoS policy peak information rate 451 queue mode setting 430 queue weight assigning to CoS 431 R RADIUS logon authentication 170 settings 170 rate limit port 344 setting 343 remote engine I...

Page 615: ...MSTP interface settings configuring 385 387 MSTP path cost 385 path cost 373 380 path cost method 373 port priority 386 387 port trunk loopback detection 382 protocol migration 390 transmission limit 374 startup files creating 92 displaying 85 97 setting 91 static addresses setting 362 static routes configuring 574 statistics ARP 541 ICMP 541 IP 541 TCP 541 UDP 541 statistics port 302 STP 371 Also...

Page 616: ... 405 ingress filtering 404 interface configuration 403 407 IP subnet based 417 MAC based 419 mirroring 333 port members displaying 408 protocol 413 protocol configuring 413 protocol configuring groups 414 protocol configuring interfaces 415 protocol group configuration 414 protocol interface configuration 415 PVID 406 tunneling unknown groups 407 voice 421 voice VLANs 421 detecting VoIP devices 42...

Page 617: ... MOTOROLA MOTO MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings LLC and are used under license All other trademarks are the property of their respective owners 2014 Motorola Solutions Inc All Rights Reserved MN000337A01 Revision A March 2014 ...

Reviews:

No comments

Related manuals for EX-3524

JCG Q5 Quick Installation Manual preview
Q5
Brand: JCG Pages: 3
Google AC-1304 User Manual preview
AC-1304
Brand: Google Pages: 14
TP-Link L-R480T+ User Manual preview
L-R480T+
Brand: TP-Link Pages: 131
ZyXEL Communications Prestige 100L Quick Start Manual preview
Prestige 100L
Brand: ZyXEL Communications Pages: 170
Federal Signal Corporation AR2000-M Installation And Maintenance Manual preview
AR2000-M
Brand: Federal Signal Corporation Pages: 49
Top RAMS1000 User Manual preview
RAMS1000
Brand: Top Pages: 21
Planet GSW-2416SF User Manual preview
GSW-2416SF
Brand: Planet Pages: 54
FiberHome AN5506-04-B User Manual preview
AN5506-04-B
Brand: FiberHome Pages: 44
Matrix Switch Corporation MSC-CP16X4E Product Manual preview
MSC-CP16X4E
Brand: Matrix Switch Corporation Pages: 48
Multitech ROUTE FINDER RFIPSC-1 Quick Start Manual preview
ROUTE FINDER RFIPSC-1
Brand: Multitech Pages: 54
Gigamon GigaVUE H Series Hardware Installation Manual preview
GigaVUE H Series
Brand: Gigamon Pages: 55
Open House H634 Manual preview
H634
Brand: Open House Pages: 2
NAVI R330g Quick Setup Manual preview
R330g
Brand: NAVI Pages: 18
Allied Telesis AT-24xx Owner'S Manual preview
AT-24xx
Brand: Allied Telesis Pages: 3
Zte MF279T User Manual preview
MF279T
Brand: Zte Pages: 36
Quectel QuecOpen BG952A-GL Hardware Design preview
QuecOpen BG952A-GL
Brand: Quectel Pages: 80
TCAM TMAS TMN-10 User Manual preview
TMAS TMN-10
Brand: TCAM Pages: 8
DivioTec SRA212N-004P4 User Manual preview
SRA212N-004P4
Brand: DivioTec Pages: 128

Brands by name

Popular brands

Load more brands