manualshive.com logo in svg

NetApp CN1610, Cli Command Reference

Share
Download
NetApp CN1610 Cli Command Reference Download Page 569

566

Denial of Service Commands

 

Denial of Service Commands

This section describes the commands you use to configure Denial of Service 
(DoS) Control. FASTPATH software provides support for classifying and 
blocking specific types of Denial of Service attacks. You can configure your 
system to monitor and block these types of attacks:

SIP = DIP: 

Source IP address = Destination IP address.

First Fragment:

TCP Header size smaller then configured value.

TCP Fragment:

 Allows the device to drop packets that have a TCP payload 

where the IP payload length minus the IP header size is less than the 
minimum allowed TCP header size.

TCP Flag: 

TCP Flag SYN set and Source Port < 1024 or TCP Control Flags 

= 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set 
and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.

L4 Port: 

Source TCP/UDP Port = Destination TCP/UDP Port.

ICMP:

 Limiting the size of ICMP Ping packets.

SMAC = DMAC: 

Source MAC address = Destination MAC address

TCP Port:

 Source TCP Port = Destination TCP Port

UDP Port

: Source UDP Port = Destination UDP Port

TCP Flag & Sequence: 

TCP Flag SYN set and Source Port < 1024 or TCP 

Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, 
and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.

TCP Offset:

 Allows the device to drop packets that have a TCP header 

Offset set to 1.

TCP SYN:

 TCP Flag SYN set.

TCP SYN & FIN: 

TCP Flags SYN and FIN set.

TCP FIN & URG & PSH: 

TCP Flags FIN and URG and PSH set and TCP 

Sequence Number = 0.

ICMP V6

: Limiting the size of ICMPv6 Ping packets.

ICMP Fragment

: Checks for fragmented ICMP packets.

dos-control all

This command enables Denial of Service protection checks globally.

Default

disabled

Format

dos-control all

Summary of Contents for CN1610

Page 1: ...ce NetApp Inc 495 East Java Drive Sunnyvale CA 94089 U S A Telephone 1 408 822 6000 Fax 1 408 822 4501 Support telephone 1 888 463 8277 Documentation comments doccomments netapp com Information Web www netapp com Part number 215 06286_C0 August 2017 ...

Page 2: ...tApp The use or purchase of this product does not convey a license under any patent rights trademark rights or any other intellectual property rights of NetApp Trademark information Active IQ AltaVault Arch Design ASUP AutoSupport Campaign Express Clustered Data ONTAP Customer Fitness Data ONTAP DataMotion Element Fitness Flash Accel Flash Cache FlashPool FlexArray FlexCache FlexClone FlexPod Flex...

Page 3: ......

Page 4: ...dules 14 Command Modes 15 Command Completion and Abbreviation 21 CLI Error Messages 22 CLI Line Editing Conventions 23 Using CLI Help 25 Accessing the CLI 27 Chapter 3 Management Commands 29 Network Interface Commands 30 Console Port Access Commands 38 Telnet Commands 41 Secure Shell Commands 47 Management Security Commands 50 Access Commands 51 User Account Commands 53 SNMP Commands 89 RADIUS Com...

Page 5: ...ility and Clear Commands 210 Simple Network Time Protocol Commands 225 Time Zone Commands 231 DNS Client Commands 237 IP Address Conflict Commands 243 Serviceability Packet Tracing Commands 244 Support Mode Commands 272 BCM Shell Command 274 sFlow Commands 275 Remote Monitoring Commands 284 Chapter 5 Switching Commands 307 Port Configuration Commands 309 Spanning Tree Protocol Commands 318 VLAN Co...

Page 6: ...mands 466 Static MAC Filtering Commands 471 DHCP L2 Relay Agent Commands 476 DHCP Client Commands 485 DHCP Snooping Configuration Commands 487 Dynamic ARP Inspection Commands 499 IGMP Snooping Configuration Commands 508 IGMP Snooping Querier Commands 519 MLD Snooping Commands 524 MLD Snooping Querier Commands 535 Port Security Commands 540 LLDP 802 1AB Commands 546 LLDP MED Commands 557 Denial of ...

Page 7: ...Services Commands 616 DiffServ Class Commands 618 DiffServ Policy Commands 628 DiffServ Service Commands 636 DiffServ Show Commands 638 MAC Access Control List Commands 648 IP Access Control List Commands 655 IPv6 Access Control List Commands 676 Time Range Commands for Time Based ACLs 687 Command Index 691 ...

Page 8: ...oftware engineers who integrate FASTPATH software into their hardware platform can also benefit from a description of the configuration options This document assumes that you have an understanding of the FASTPATH software base and have read the appropriate specification for the relevant networking device platform It also assumes that you have a basic knowledge of Ethernet and networking concepts R...

Page 9: ... to decline while performance and feature sets continue to improve Devices that are capable of switching Layers 2 3 and 4 are increasingly in demand FASTPATH software provides a flexible solution to these ever increasing needs The exact functionality provided by each networking device on which the FASTPATH software base runs varies depending upon the platform and requirements of the FASTPATH softw...

Page 10: ... this chapter This chapter describes the CLI syntax conventions and modes It contains the following sections Command Syntax on page 8 Command Conventions on page 9 Common Parameter Values on page 10 Interface Naming Convention on page 12 Using the no Form of a Command on page 13 CN1610 Software Modules on page 14 Command Modes on page 15 Command Completion and Abbreviation on page 21 CLI Error Mes...

Page 11: ... command name ipaddr and netmask are parameters and represent required values that you must enter after you type the command keywords gateway is an optional parameter so you are not required to enter a value in place of the parameter The NetApp CN1610 Network Switch CLI Command Reference lists each command by the command name and provides a brief description of the command Each command reference a...

Page 12: ...ymbol Example Description square brackets value Indicates an optional parameter italic font in a parameter value or value Indicates a variable value You must replace the italicized text and brackets with an appropriate value which might be a name or number curly braces choice1 choice2 Indicates that you must select a parameter from the list of choices Vertical bars choice1 choice2 Separates the mu...

Page 13: ... 8 In addition to these formats the CLI accepts decimal hexadecimal and octal formats through the following input formats where n is any valid hexadecimal octal or decimal number 0xn CLI assumes hexadecimal format 0n CLI assumes octal format with leading zeros n CLI assumes decimal format ipv6 address FE80 0000 0000 0000 020F 24FF FEBF DBCB or FE80 0 0 0 20F 24FF FEBF DBCB or FE80 20F24FF FEBF DBC...

Page 14: ...pter 2 Using the Command Line Interface 11 Character strings Use double quotation marks to identify character strings for example System Name with Spaces An empty string is not valid Parameter Description ...

Page 15: ...al or LAG interfaces to configure at the same time with the same settings To specify a range of interfaces the slot port is separated by a dash for example 0 1 0 4 indicates that the same settings will apply to ports 1 2 3 and 4 The slot number has two uses In the case of physical ports it identifies the card containing the ports In the case of logical and CPU ports it also identifies the type of ...

Page 16: ...iguration command has a no form In general use the no form to reverse the action of a command or reset a value back to the default For example the no shutdown configuration command reverses the shutdown of an interface Use the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Only the configuration commands are available in the no for...

Page 17: ...w commands the output fields might change based on the modules included in the CN1610 software The CN1610 software suite includes the following modules Switching Layer 2 Quality of Service Management CLI and SNMP IPv6 Management Allows management of the CN1610 switch through an IPv6 address without requiring any IPv6 Routing features in the system The management address can be associated with the ...

Page 18: ...de The command changes in each command mode to help you identify the current mode The following CLI Command Modes table describes the command modes and the prompts visible in that mode Command Mode Prompt Mode Description User EXEC CN1610 Contains a limited set of commands to view basic system information Privileged EXEC CN1610 Allows you to enter any EXEC command enter the VLAN mode or enter the ...

Page 19: ...lay as follows CN1610 Interface 0 1 0 4 Line Console CN1610 config line Contains commands to configure outbound Telnet settings and console interface settings as well as to configure console login enable authentication Line SSH CN1610 config ssh Contains commands to configure SSH login enable authentication Line Telnet CN1610 config telnet Contains commands to configure Telnet login enable authent...

Page 20: ...ify Layer 2 Layer 3 and general match criteria Class Map Config CN1610 Config class map Contains the QoS class map configuration commands for IPv4 MAC Access list Config CN1610 Config mac access list Allows you to create a MAC Access List and to enter the mode containing MAC Access List configuration commands TACACS Config CN1610 Tacacs Contains commands to configure properties for the TACACS serv...

Page 21: ...e Privileged EXEC mode enter vlan database To exit to the Privileged EXEC mode enter exit or press Ctrl Z Interface Config From the Global Config mode enter interface slot port or interface slot port startrange slot port endrange To exit to the Global Config mode enter exit To return to the Privileged EXEC mode enter Ctrl Z Line Console From the Global Config mode enter line console To exit to the...

Page 22: ... enter Ctrl Z Class Map Config From the Global Config mode enter class map and specify the optional keyword ipv4 to specify the Layer 3 protocol for this class To exit to the Global Config mode enter exit To return to the Privileged EXEC mode enter Ctrl Z MAC Access list Config From the Global Config mode enter mac access list extended name To exit to the Global Config mode enter exit To return to...

Page 23: ...ss List Config Mode From the Global Config mode enter the arp access list command To exit to the Global Config mode enter the exit command To return to the Privileged EXEC mode enter Ctrl Z Command Mode Prompt Mode Description ...

Page 24: ...ters of a command to uniquely identify the command keyword Once you have entered enough letters press the SPACEBAR or TAB key to complete the word Command abbreviation allows you to execute a command when you have entered enough letters to uniquely identify the command You must enter all of the required keywords and parameters before you enter the command ...

Page 25: ...detected at marker Indicates that you entered an incorrect or unavailable command The carat shows where the invalid text is detected This message also appears if any of the parameters or values are not recognized Command not found Incomplete command Use to list commands Indicates that you did not enter the required keywords or values Ambiguous command Indicates that you did not enter enough letter...

Page 26: ...o beginning of line Ctrl E Go to end of line Ctrl F Go forward one character Ctrl B Go backward one character Ctrl D Delete current character Ctrl U X Delete to beginning of line Ctrl K Delete to end of line Ctrl W Delete previous word Ctrl T Transpose previous character Ctrl P Go to previous line in history buffer Ctrl R Rewrites or pastes the line Ctrl N Go to next line in history buffer Ctrl Y ...

Page 27: ...24 CLI Line Editing Conventions List available commands keywords or parameters Key Sequence Description ...

Page 28: ...k after each word you enter to display available command keywords or parameters CN1610 network ipv6 Configure IPv6 parameters for system network mac address Configure MAC Address mac type Select the locally administered or burnedin MAC address mgmt_vlan Configure the Management VLAN ID of the switch parms Configure Network Parameters of the device protocol Select DHCP BootP or None as the network ...

Page 29: ...rk after typing one or more characters of a word to list the available command or parameters that begin with the letters as shown in the following example CN1610 show m mac mac addr table mac address table mail server mbuf mldsnooping monitor msg queue ...

Page 30: ... the initial connection you must use a direct connection to the console port You cannot access the system remotely until the system has an IP address subnet mask and default gateway You can set the network configuration information manually or you can configure the system to accept these settings from a BOOTP server on your network For more information see Console Port Access Commands on page 38 ...

Page 31: ...28 Accessing the CLI ...

Page 32: ... 51 User Account Commands on page 53 SNMP Commands on page 89 RADIUS Commands on page 107 TACACS Commands on page 125 Configuration Scripting Commands on page 130 Prelogin Banner System Prompt and Host Name Commands on page 133 The commands in this chapter are in one of three functional groups Show commands display switch settings statistics and other information Configuration commands configure f...

Page 33: ... the network interface do Privileged EXEC commands This command executes Privileged EXEC mode commands from any of the configuration modes The following is an example of the do command that executes the Privileged EXEC command script list in Global Config Mode CN1610 configure CN1610 config do script list Configuration Script Name Size Bytes backup config 2105 running config 4483 startup config 44...

Page 34: ...to a DHCP server until a response is received If you use the none parameter you must configure the network information for the switch manually serviceport protocol dhcp This command enables the DHCPv4 client on a Service port The following shows an example of the command CN1610 serviceport protocol dhcp network parms This command sets the IP address subnet mask and gateway of the device The IP add...

Page 35: ...work port The following shows an example of the command CN1610 network protocol dhcp network mac address This command sets locally administered MAC addresses The following rules apply Bit 6 of byte 0 called the U L bit indicates whether the address is universally administered b 0 or locally administered b 1 Bit 7 of byte 0 called the I G bit indicates whether the destination address is an individu...

Page 36: ... switch s network interface do not affect the configuration of the front panel ports through which traffic is switched or routed The network interface is always considered to be up whether or not any member ports are up therefore the show network command will always show Interface Status as Up Default burnedin Format network mac type local burnedin Mode Privileged EXEC Format no network mac type M...

Page 37: ...et to a 1 and bit 0 to a 0 i e byte 0 should have the following mask xxxx xx10 The MAC address used by this bridge when it must be referred to in a unique fashion It is recommended that this be the numerically smallest MAC address of all ports that belong to this bridge However it is only required to be unique When concatenated with dot1dStpPriority a unique Bridge Identifier is formed which is us...

Page 38: ...nfigured IPv6 Protocol None IPv6 AutoConfig Mode Disabled Management VLAN ID 1 show serviceport This command displays service port configuration information DHCPv6 Client DUID The DHCPv6 client s unique client identifier This row is displayed only when the configured IPv6 protocol is dhcp IPv6 Autoconfig Mode Whether IPv6 Stateless address autoconfiguration is enabled or disabled Management VLAN T...

Page 39: ... Gateway The default gateway for this IP interface The factory default value is 0 0 0 0 IPv6 Administrative Mode Whether enabled or disabled Default value is enabled IPv6 Prefix is The IPv6 address and length Default is Link Local format Configured IPv4 Protocol The IPv4 network protocol being used The options are bootp dhcp none Configured IPv6 Protocol The IPv6 network protocol being used The op...

Page 40: ...hapter 3 Management Commands 37 IPv6 Prefix is fe80 2a0 98ff feea 2e7b 64 Configured IPv4 Protocol DHCP Configured IPv6 Protocol None IPv6 AutoConfig Mode Disabled Burned In MAC Address 00 A0 98 EA 2E 7B ...

Page 41: ... Config mode you can enter other command modes including Line Config mode line This command gives you access to the Line Console mode which allows you to configure various Telnet settings and the console port as well as to configure console login enable authentication The following shows an example of the CLI command CN1610 config line telnet CN1610 config telnet Format configure Mode Privileged E...

Page 42: ...without console activity A value of 0 indicates that a console can be connected indefinitely The time range is 0 to 160 no serial timeout This command sets the maximum connect time in minutes without console activity show serial This command displays serial communication settings for the switch Default 9600 Format serial baudrate 1200 2400 4800 9600 19200 38400 57600 115200 Mode Line Config Format...

Page 43: ...he timeout Baud Rate bps The default baud rate at which the serial port will try to connect Character Size bits The number of bits in a character The number of bits is always 8 Flow Control Whether Hardware Flow Control is enabled or disabled Hardware Flow Control is always disabled Stop Bits The number of Stop bits per character The number of Stop bits is always 1 Parity The parity method used on...

Page 44: ...and disconnects all open Telnet sessions telnet This command establishes a new outbound Telnet connection to a remote host The host value must be a valid IP address or host name Valid values for port should be a valid decimal integer in the range of 0 to 65535 where the default value is 23 If debug is used the current Telnet options enabled is displayed The optional line parameter sets the outboun...

Page 45: ... Telnet sessions from being established transport output telnet This command regulates new outbound Telnet connections If enabled new outbound Telnet sessions can be established until the system reaches the maximum number of simultaneous outbound Telnet sessions allowed An established session remains active until the session is ended or an abnormal network error ends it no transport output telnet ...

Page 46: ...t value The timeout value unit of time is minutes no session timeout This command sets the Telnet session timeout value to the default The timeout value unit of time is minutes telnetcon maxsessions This command specifies the maximum number of Telnet connection sessions that can be established A value of 0 indicates that no Telnet connection can be established The range is 0 5 Default 5 Format ses...

Page 47: ...ed to all active and inactive sessions immediately Any sessions that have been idle longer than the new timeout value are disconnected immediately no telnetcon timeout This command sets the Telnet connection session timeout value to the default Note Changing the timeout value for active sessions does not become effective until the session is accessed again Also any keystroke activates the new time...

Page 48: ...t session is allowed to remain inactive before being logged off Maximum Number of Outbound Telnet Sessions The number of simultaneous outbound Telnet connections allowed Allow New Outbound Telnet Sessions Indicates whether outbound Telnet sessions will be allowed Format show telnetcon Modes Privileged EXEC User EXEC Term Definition Remote Connection Login Timeout minutes This object indicates the ...

Page 49: ...ons 5 Allow New Telnet Sessions Yes Telnet Server Admin Mode Enable Telnet Server Port 23 Allow New Telnet Sessions New Telnet sessions will not be allowed when this field is set to no The factory default value is yes Telnet Server Admin Mode The administrative mode of the telnet server Telnet Server Port The TCP port number where the telnet server is listening Term Definition ...

Page 50: ...m of the ip ssh server enable command ip ssh protocol This command is used to set or remove protocol levels or versions for SSH Either SSH1 1 SSH2 2 or both SSH 1 and SSH 2 1 and 2 can be set ip ssh server enable This command enables the IP secure shell server No new SSH connections are allowed but the existing SSH connections continue to work until timed out or logged out Default disabled Format ...

Page 51: ...SSH connection session timeout value in minutes A session is active as long as the session has been idle for the value set The time is a decimal value from 1 to 160 Changing the timeout value for active sessions does not become effective until the session is re accessed Also any keystroke activates the new timeout duration no sshcon timeout This command sets the SSH connection session timeout valu...

Page 52: ... the administrative mode of SSH is enabled or disabled SSH port The TCP port where the SSH server is listening Protocol Level The protocol level may have the values of version 1 version 2 or both versions 1 and version 2 SSH Sessions Currently Active The number of SSH sessions currently active Max SSH Sessions Allowed The maximum number of SSH sessions allowed SSH Timeout The SSH timeout value in ...

Page 53: ...files no crypto key generate rsa Use this command to delete the RSA key files from the device crypto key generate dsa Use this command to generate a DSA key pair for SSH The new key files will overwrite any existing generated or downloaded DSA key files no crypto key generate dsa Use this command to delete the DSA key files from the device Format crypto key generate rsa Mode Global Config Format n...

Page 54: ... to the CN1610 CLI The shell session will timeout after five minutes of inactivity The inactivity timeout value can be changed using the command session timeout on page 43 in Line Console mode show loginsession This command displays current Telnet SSH and serial port connections to the switch This command displays truncated user names Use the show loginsession long command to display the complete ...

Page 55: ...1111test1111test1111test1111 Mode Privileged EXEC Term Definition ID Login Session ID User Name The name the user entered to log on to the system Connection From IP address of the remote client machine or EIA 232 for the serial port connection Idle Time Time this session has been idle Session Time Total time this session has been connected Session Type Shows the type of session which can be telnet...

Page 56: ...character string used to name this list The method argument identifies the list of methods that the authentication algorithm tries in the given sequence The additional methods of authentication are used only if the previous method returns an error not if there is an authentication failure To ensure that the authentication succeeds even if all methods return an error specify none as the fInal metho...

Page 57: ...ault for Telnet and SSH and contains enable followed by deny methods In CN1610 by default the enable password is not configured That means that by default Telnet and SSH users list name Character string of up to 15 characters used to name the list of authentication methods activated when a user logs in method1 method2 At least one from the following enable Uses the enable password for authenticati...

Page 58: ...ntication methods do not require passwords 1 none 2 deny 3 enable if no enable password is configured 4 line if no line password is configured See the examples below aaa authentication enable default enable none aaa authentication enable default line none aaa authentication enable default enable radius none aaa authentication enable default line tacacs none The first two examples do not prompt for...

Page 59: ...efault default Format aaa authentication enable default list name method1 method2 Mode Global Config Parameter Description default Uses the listed authentication methods that follow this argument as the default list of methods when using higher privilege levels list name Character string used to name the list of authentication methods activated when using access higher privilege levels Range 1 15 ...

Page 60: ...es that the user has sufficient privilege levels for Privileged EXEC mode then the user bypasses User EXEC mode entirely The exec authorization usage scenario is this 1 Configure Authorization Method List aaa authorization exec listname method1 method2 2 Apply AML to an Access Line Mode console telnet SSH authorization exec listname 3 When the user logs in in addition to authentication authorizati...

Page 61: ... usage scenarios on exec authorization see the command aaa authorization on page 57 no authorization exec This command removes command authorization from a line config mode list name Alphanumeric character string used to name the list of authorization methods method TACACS RADIUS Local and none are supported Parameter Description Format no aaa authorization commands default list name Mode Global C...

Page 62: ...igured authorization method lists The following shows example CLI display output for the command CN1610 show authorization methods Exec Authorization Method Lists dfltExecAuthList none Line Exec Method List Console dfltExecAuthList Telnet dfltExecAuthList SSH dfltExecAuthList enable authentication Use this command to specify the authentication method list when accessing a higher privilege level fr...

Page 63: ...s used along with encrypted parameter the password must be exactly 128 hexadecimal characters in length If the password strength feature is enabled this command checks for password strength and returns an appropriate error if it fails to meet the password strength criteria Giving the optional parameter override complexity check disables the validation of the password strength Mode Line Config Para...

Page 64: ...dba1b1b7ab91be842278e5e970dbfc62d16dcd13c0b864 level 1 encrypted override complexity check Parameter Description name The name of the user Range 1 64 characters password The authentication password for the user Range 8 64 characters This value can be zero if the no passwords min length command has been executed The special characters allowed in the password include _ level The user level Level 0 c...

Page 65: ... remove a user name username nopassword Use this command to remove an existing user s password NULL password Format no username name Mode Global Config Format username name nopassword level level Mode Global Config Parameter Description name The name of the user Range 1 32 characters password The authentication password for the user Range 8 64 characters level The user level Level 0 can be assigne...

Page 66: ...ified user as readwrite for the admin user and readonly for all other users The username value is the user name for which the specified access mode will apply username snmpv3 authentication This command specifies the authentication protocol to be used for the specified user The valid authentication protocols are none md5 or sha If you specify md5 or sha the login password is also used as the snmpv...

Page 67: ... do not provide a key the user is prompted for the key When you use the des protocol the login password is also used as the snmpv3 encryption password so it must be a minimum of eight characters If you select none you do not need to provide a key The username value is the login user name associated with the specified encryption You must enter the username in the same case you used when you added t...

Page 68: ...Use the show users long command to display the complete usernames The show users command is only available for users with Level 15 privileges The SNMPv3 fields will only be displayed if SNMP is available on the system Format no username snmpv3 encryption username Mode Global Config Default no encryption Format username snmpv3 encryption encrypted username des key Mode Global Config Format show use...

Page 69: ...g command to display the complete usernames SNMPv3 Access Mode The SNMPv3 Access Mode If the value is set to ReadWrite the SNMPv3 user is able to set and retrieve parameters on the system If the value is set to ReadOnly the SNMPv3 user is only able to retrieve parameter information The SNMPv3 access mode may be different than the CLI access mode SNMPv3 Authentication The authentication protocol to...

Page 70: ... s user name Access Level The user s access level 1 for non privilege switch prompt or 15 for highest privilege switch prompt Password Aging Number of days since the password was configured until the password expires Password Expiry Date The current password expiration date in date format Lockout Indicates whether the user account is locked out true or false Term Definition Password Override Compl...

Page 71: ...owing example shows user login history outputs Console show users login history Login Time Username Protocol Location Jan 19 2005 08 23 48 Bob Serial Jan 19 2005 08 42 31 John SSH 172 16 0 1 Jan 19 2005 08 49 52 Betty Telnet 172 16 1 7 login authentication Use this command to specify the login authentication method list for a line console telnet or SSH The default configuration uses the default se...

Page 72: ...ving Level 15 privileges The following is an example of the command console password Enter old password Enter new password Confirm new password password Line Configuration Use the password command in Line Configuration mode to specify a password on a line The default configuration is no password is specified Format login authentication default list name Mode Line Configuration Parameter Descriptio...

Page 73: ...fc62d16dcd13c0b864 encrypted Switching Config line password Enter new password Confirm new password no password Line Configuration Use this command to remove the password on a line Format password password encrypted Mode Line Config Parameter Definition password Password for this level Range 8 64 characters encrypted Encrypted password to be entered copied from another switch configuration The enc...

Page 74: ...to configure a password for a user An optional parameter encrypted is provided to indicate that the password given to the command is already preencrypted no password aaa IAS User Config This command is used to clear the password of a user The following shows an example of the command CN1610 CN1610 configure CN1610 Config aaa ias user username client 1 CN1610 Config aaa ias User password client123 ...

Page 75: ... testtest Switching enable password e8d63677741431114f9e39a853a15e8fd35ad059e2e1b49816c243d7e08152b052 eafbf23b528d348cdba1b1b7ab91be842278e5e970dbfc62d16dcd13c0b864 encrypted Switching enable password Enter old password Enter new password Confirm new password Format enable password password encrypted Mode Privileged EXEC Parameter Description password Password string Range 8 64 characters encrypt...

Page 76: ... set the number of previous passwords that shall be stored for each user account When a local user changes his or her password the user will not be able to reuse any password stored in password history This ensures that users don t reuse their passwords often The valid range is 0 10 no passwords history Use this command to set the password history to the default value Format no enable password Mod...

Page 77: ... When a lockout count is configured a user that is logged in must enter the correct password within that count Otherwise the user will be locked out from further switch access Only a user with Level 15 access can reactivate a locked user account Password lockout does not apply to logins from the serial console The valid range is 1 5 The default is 0 or no lockout count enforced no passwords lock o...

Page 78: ...valid range is 0 15 The default is 0 Minimum of 0 means no restriction on that set of characters passwords strength maximum repeated characters Use this command to set the maximum number of repeated characters to be used in password strength The valid range is 0 15 The default is 0 Minimum of 0 means no restriction on that set of characters Default Disable Format passwords strength check Mode Glob...

Page 79: ...wercase letters Use this command to enforce a minimum number of lowercase letters that a password should contain The valid range is 0 16 The default is 2 Minimum of 0 means no restriction on that set of characters no passwords strength minimum lowercase letters Use this command to reset the minimum lower letters required in a password to the default value Default 2 Format passwords strength minimu...

Page 80: ...cial characters Use this command to enforce a minimum number of special characters that a password should contain The valid range is 0 16 The default is 2 Minimum of 0 means no restriction on that set of characters no passwords strength minimum special characters Use this command to reset the minimum special characters required in a password to the default value Default 2 Format passwords strength...

Page 81: ... while configuring the password The password does not accept the keyword in any form in between the string case in sensitive and reverse as a substring User can configure up to a maximum of 3 keywords no passwords strength exclude keyword Use this command to reset the restriction for the specified keyword or all the keywords configured show passwords configuration Use this command to display the c...

Page 82: ...Letters Minimum number of lowercase characters required when configuring passwords Minimum Password Numeric Characters Minimum number of numeric characters required when configuring passwords Maximum Password Consecutive Characters Maximum number of consecutive characters required that the password should contain when configuring passwords Maximum Password Repeated Characters Maximum number of rep...

Page 83: ...user database The following shows an example of the command CN1610 CN1610 configure CN1610 Config aaa ias user username client 1 CN1610 Config aaa ias User exit CN1610 Config no aaa ias user username client 1 CN1610 Config Mode Privileged EXEC Term Definition Last User Whose Password Is Set Shows the name of the user with the most recently set password Password Strength Check Shows whether passwor...

Page 84: ...ginning and at the end start stop or only at the end stop only If none is specified then accounting is disabled for the specified list If tacacs is specified as the accounting method accounting records are notified to a TACACS server If radius is the specified accounting method accounting records are notified to a RADIUS server Note Note the following A maximum of five Accounting Method lists can ...

Page 85: ...nfig Parameter Description exec Provides accounting for a user EXEC terminal sessions commands Provides accounting for all user executed commands dot1x Provides accounting for DOT1X user commands default The default list of methods for accounting services list name Character string used to name the list of accounting methods start stop Sends a start accounting notice at the beginning of a process ...

Page 86: ... aaa command creates a method list for exec sessions with the name ExecList with record type as stop only and the method as TACACS The second command changes the record type to start stop from stop only for the same method list The third command for the same list changes the methods list to tacacs radius from tacacs no aaa accounting This command deletes the accounting method list The following sh...

Page 87: ...ternal user database CN1610 CN1610 configure CN1610 Config aaa ias user username 1f3ccb1157 CN1610 Config aaa ias User password 1f3ccb1157 CN1610 Config aaa ias User exit CN1610 Config clear aaa ias users Use this command to remove all users from the IAS database Format password password encrypted Mode AAA IAS User Config Parameter Definition password Password for this level Range 8 64 characters ...

Page 88: ... configuration commands shown in the output of show running config command Passwords shown in the command output are always encrypted aaa ias user username client 1 password a45c74fdf50a558a2b5cf05573cd633bac2c6c598d54497ad4c46104918f2c encrypted exit accounting Use this command in Line Configuration mode to apply the accounting method list to a line config console telnet ssh Parameter Definition ...

Page 89: ... display output for the command CN1610 show accounting Format accounting exec commands default listname Mode Line Configuration Parameter Description exec Causes accounting for an EXEC session commands This causes accounting for each command execution attempt If a user is enabling accounting for exec mode for the current line configuration type the user will be logged out default The default Accou...

Page 90: ...d execution 0 Errors when sending Accounting Notifications at end of a command execution 0 show accounting methods Use this command to display configured accounting method lists The following shows example CLI display output for the command CN1610 CN1610 show accounting methods Acct Type Method Name Record Type Method Type Exec dfltExecList start stop TACACS Commands dfltCmdsList stop only TACACS ...

Page 91: ...splays the configured domain name The following shows example CLI display output for the command CN1610 CN1610 show domain name Domain Enable Domain name abc Format clear accounting statistics Mode Privileged EXEC Format show domain name Mode Privileged EXEC ...

Page 92: ...me snmp server community This command adds and names a new SNMP community and optionally sets the access mode allowed IP address and create a view for the community Note Community names in the SNMP Community Table must be unique When making multiple entries using the same community name the first entry is kept and processed and all duplicate entries are ignored Default none Format snmp server sysn...

Page 93: ...racters ro rw su The access mode of the SNMP community which can be public Read Only RO private Read Write RW or Super User SU ip address The associated community SNMP packet sending address and is used along with the client IP mask value to denote a range of IP addresses from which SNMP clients may use that community to access the device A value of 0 0 0 0 allows access from any IP address Otherw...

Page 94: ...iolation This command disables the sending of new violation traps snmp server enable traps This command enables the Authentication Flag Parameter Description community string The community which is created and then associated with the group The range is 1 to 20 characters group name The name of the group that the community is associated with The range is 1 to 30 characters ipaddress Optionally the...

Page 95: ...and disables link status traps by interface Note This command is valid only when the Link Up Down Flag is enabled snmp trap link status all This command enables link status traps for all interfaces Note This command is valid only when the Link Up Down Flag is enabled See snmp trap link status on page 92 Mode Global Config Format no snmp server enable traps Mode Global Config Format snmp trap link ...

Page 96: ...link status on page 92 no snmp server enable traps linkmode This command disables Link Up Down traps for the entire switch snmp server enable traps multiusers This command enables Multiple User traps When the traps are enabled a Multiple User Trap is sent when a user logs in to the terminal interface EIA 232 or Telnet and there is an existing terminal interface session Format no snmp trap link sta...

Page 97: ...s the SNMP engine ID on the local device Format no snmp server enable traps multiusers Mode Global Config Default enabled Format snmp server enable traps stpmode Mode Global Config Format no snmp server enable traps stpmode Mode Global Config Default The engineID is configured automatically based on the device MAC address Format snmp server engineID local engineid string default Mode Global Config...

Page 98: ...address Parameter Description Default The engineID is configured automatically based on the device MAC address Format no snmp server engineID local Mode Global Config Default No filters are created by default Format snmp server filter filtername oid tree included excluded Mode Global Config Parameter Description filtername The label for the filter being created The range is 1 to 30 characters oid ...

Page 99: ...reated for all versions and privileges using the default views Format snmp server group group name v1 v2c v3 noauth auth priv context context name read read view write write view notify notify view Mode Global Config Parameter Description group name The group name to be used when configuring communities or users The range is 1 to 30 characters v1 This group can only access via SNMPv1 v2 This group...

Page 100: ...ring access Applicable only if SNMPv3 is selected read view The view this group will use during GET requests The range is 1 to 30 characters write view The view this group will use during SET requests The range is 1 to 30 characters notify view The view this group will use when sending out traps The range is 1 to 30 characters Parameter Description Format no snmp server group group name v1 v2c 3 n...

Page 101: ... option is selected by default informs Send SNMPv2 informs to the host seconds The number of seconds to wait for an acknowledgement before resending the Inform The default is 15 seconds The range is 1 to 300 seconds retries The number of times to resend an Inform The default is 3 attempts The range is 0 to 255 retries community string Community string sent as part of the notification The range is ...

Page 102: ...group name The name of the group the user belongs to The range is 1 to 30 characters engineid string The engine id of the remote management station that this user will be connecting from The range is 5 to 32 characters password The password the user will use for the authentication or encryption mechanism The range is 1 to 32 characters md5 key A pregenerated MD5 authentication key The length is 32...

Page 103: ...Mode Global Config Parameter Description viewname The label for the view being created The range is 1 to 30 characters oid tree The OID subtree to include or exclude from the view Subtrees may be specified by numerical 1 3 6 2 4 or keywords system and asterisks may be used to specify a subtree family 1 3 4 included The tree is included in the view excluded The tree is excluded from the view Format...

Page 104: ...o the host seconds Number of seconds to wait for an acknowledgement before resending the Inform The default is 15 seconds The range is 1 to 300 seconds retries Number of times to resend an Inform The default is 3 attempts The range is 0 to 255 retries auth Enables authentication but not encryption noauth No authentication or encryption This is the default priv Enables authentication and encryption...

Page 105: ...munity Access The type of access the community has Read only Read write su View Name The view this community has access to IP Address Access to this community is limited to this IP address Community Group Table Community String The community this mapping configures Group Name The group this community is assigned to IP Address The IP address this community is limited to ...

Page 106: ...nforms Community The community traps will be sent to Version The version of SNMP the trap will be sent as UDP Port The UDP port the trap or inform will be sent to Filter name The filter the traps will be limited by for this host TO Sec The number of seconds before informs will time out when sending to this host Retries The number of times informs will be sent after timing out Term Definition Forma...

Page 107: ...D Tree The OID tree this entry will include or exclude Type Indicates if this entry includes or excludes the OID Tree Format show snmp group groupname Mode Privileged EXEC Parameter Description Name The name of the group Security Model Indicates which protocol can access the system via this group Security Level Indicates the security level allowed for this group Read View The view this group provi...

Page 108: ...configured views Mode Privileged EXEC Format show snmp user username Mode Privileged EXEC Term Definition Name The name of the user Group Name The group that defines the SNMPv3 access parameters Auth Method The authentication algorithm configured for this user Privilege Method The encryption algorithm configured for this user Remote Engine ID The engineID for the user defined on the client machine...

Page 109: ...OID tree Parameter Description Format show trapflags Mode Privileged EXEC Term Definition Authentication Flag Can be enabled or disabled The factory default is enabled Indicates whether authentication failure traps will be sent Link Up Down Flag Can be enabled or disabled The factory default is enabled Indicates whether link status traps will be sent Multiple Users Flag Can be enabled or disabled ...

Page 110: ...adius Use this command to disable the switch to accept VLAN assignment by the radius server radius accounting mode This command is used to enable the RADIUS accounting function no radius accounting mode This command is used to set the RADIUS accounting function to the default value i e the RADIUS accounting function is disabled Default disable Format authorization network radius Mode Global Config...

Page 111: ...r host This command configures the IP address or DNS name to use for communicating with the RADIUS server of a selected server type While configuring the IP address or DNS name for the authenticating or accounting servers you can also configure the port number and server name If the authenticating and accounting servers are configured without a name the command uses the Default_RADIUS_Auth_Server ...

Page 112: ... the RADIUS accounting server You can only configure one accounting server If an accounting server is currently configured use the no form of the command to remove it from the configuration The IP address or hostname you specify must match that of a previously configured accounting server If you use the optional port parameter the command configures the UDP port to use when connecting to the RADIU...

Page 113: ...192 168 37 60 name Network1_RS port 1813 CN1610 Config radius server host acct 192 168 37 60 name Network2_RS CN1610 Config no radius server host acct 192 168 37 60 radius server key This command configures the key to be used in RADIUS client communication with the specified server Depending on whether the auth or acct token is used the shared secret is configured for the RADIUS authentication or ...

Page 114: ...auth The no version of this command disables the message authenticator attribute to be used for the specified RADIUS Authenticating server Format radius server key auth acct ipaddr dnsname encrypted password Mode Global Config Field Description ipaddr The IP address of the server dnsname The DNS name of the server password The password in encrypted format Format radius server msgauth ipaddr dnsnam...

Page 115: ...ervers are identified as the Secondary type radius server retransmit This command configures the global parameter for the RADIUS client that specifies the number of transmissions of the messages to be made before attempting the fall back server upon unsuccessful communication with the current RADIUS authenticating server When the maximum number of retries are exhausted for the RADIUS accounting se...

Page 116: ...timeout value is an integer in the range of 1 to 30 no radius server timeout The no version of this command sets the timeout global parameter to the default value show radius servers Use this command to display the authentication parameters Format no radius server retransmit Mode Global Config Default 5 Format radius server timeout seconds Mode Global Config Field Description retries Maximum numbe...

Page 117: ...37 Number of Coa Requests Ignored 55 Number of CoA Missing Unsupported Attribute Requests 18 Number of CoA Session Context Not Found Requests 5 Number of CoA Invalid Attribute Value Requests 11 Number of Administratively Prohibited Requests 3 show radius This command displays the values configured for the global parameters of the RADIUS client Format show radius Mode Privileged EXEC Output Descrip...

Page 118: ... Named Authentication Server Groups The number of configured named RADIUS server groups Number of Named Accounting Server Groups The number of configured named RADIUS server groups Number of Retransmits The configured value of the maximum number of times a request packet is retransmitted Time Duration The configured timeout value in seconds for request retransmissions RADIUS Accounting Mode A glob...

Page 119: ...authenticating server Type Specifies whether this server is a primary or secondary type Current Host Address The IP address of the currently active authenticating server Secret Configured Yes or No Boolean value that indicates whether this server is configured with a secret Number of Retransmits The configured value of the maximum number of times a request packet is retransmitted Message Authentic...

Page 120: ...work1_RADIUS_Server Secondary 192 168 37 201 Network2_RADIUS_Server Primary 192 168 37 202 Network3_RADIUS_Server Secondary 192 168 37 203 Network4_RADIUS_Server Primary CN1610 show radius servers name Default_RADIUS_Server Server Name Default_RADIUS_Server Host Address 192 168 37 58 Secret Configured No Message Authenticator Enable Number of Retransmits 4 Time Duration 10 RADIUS Attribute 4 Mode ...

Page 121: ...us accounting This command displays a summary of configured RADIUS accounting servers If you do not specify any parameters then only the accounting mode and the RADIUS accounting server details are displayed Format show radius accounting name servername Mode Privileged EXEC Field Description servername An alias name to identify the server RADIUS Accounting Mode A global parameter to indicate wheth...

Page 122: ...CN1610 show radius accounting name Default_RADIUS_Server Server Name Default_RADIUS_Server Host Address 192 168 37 200 RADIUS Accounting Mode Disable Port 1813 Secret Configured Yes show radius accounting statistics This command displays a summary of statistics for the configured RADIUS accounting servers Secret Configured Yes or No Boolean value indicating whether this server is configured with a...

Page 123: ...quest packets retransmitted to this RADIUS accounting server Responses The number of RADIUS packets received on the accounting port from this server Malformed Responses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators or signature attributes or unknown types are not included as malformed...

Page 124: ...s Dropped 0 CN1610 show radius accounting statistics name Default_RADIUS_Server RADIUS Accounting Server Name Default_RADIUS_Server Host Address 192 168 37 200 Round Trip Time 0 00 Requests 0 Retransmissions 0 Responses 0 Malformed Responses 0 Bad Authenticators 0 Pending Requests 0 Timeouts 0 Unknown Types 0 Packets Dropped 0 Unknown Types The number of RADIUS packets of unknown types which were ...

Page 125: ... Access Requests The number of RADIUS Access Request packets sent to this server This number does not include retransmissions Access Retransmissions The number of RADIUS Access Request packets retransmitted to this RADIUS authentication server Access Accepts The number of RADIUS Access Accept packets including both valid and invalid packets that were received from this server Access Rejects The nu...

Page 126: ...s include packets with an invalid length Bad authenticators or signature attributes or unknown types are not included as malformed access responses Bad Authenticators The number of RADIUS Access Response packets containing invalid authenticators or signature attributes received from this server Pending Requests The number of RADIUS Access Request packets destined for this server that have not yet ...

Page 127: ...S Server Name Default_RADIUS_Server Server Host Address 192 168 37 200 Access Requests 0 00 Access Retransmissions 0 Access Accepts 0 Access Rejects 0 Access Challenges 0 Malformed Access Responses 0 Bad Authenticators 0 Pending Requests 0 Timeouts 0 Unknown Types 0 Packets Dropped 0 ...

Page 128: ...re a TACACS server This command enters into the TACACS configuration mode The ip address hostname parameter is the IP address or hostname of the TACACS server To specify multiple hosts multiple tacacs server host commands can be used no tacacs server host Use the no tacacs server host command to delete the specified hostname or IP address The ip address hostname parameter is the IP address of the ...

Page 129: ...used on the TACACS daemon tacacs server keystring Use the tacacs server keystring command to set the global authentication encryption key used for all TACACS communications between the TACACS server and the client The following shows an example of the CLI command Switching Config tacacs server keystring Enter tacacs key Re enter tacacs key tacacs server timeout Use the tacacs server timeout comman...

Page 130: ...mat When you save the configuration these secret keys are stored in encrypted format only If you want to enter the key in encrypted format enter the key along with the encrypted keyword In the show running config on page 177 command s display these secret keys are displayed in encrypted format You cannot show these keys in plain text format keystring Use the keystring command in TACACS Server Conf...

Page 131: ... specify the order in which servers are used where 0 zero is the highest priority The priority parameter specifies the priority for servers The highest priority is 0 zero and the range is 0 65535 timeout Use the timeout command in TACACS Configuration mode to specify the timeout value in seconds If no timeout value is specified the global value is used The timeout parameter has a range of 1 30 and...

Page 132: ...ress hostname client server Mode Privileged EXEC Term Definition Host address The IP address or hostname of the configured TACACS server Port The configured TACACS server port number TimeOut The timeout in seconds for establishing a TCP connection Priority The preference order in which TACACS servers are contacted If a server connection fails the next highest priority server is contacted ...

Page 133: ...th default configuration however you are not prevented from applying scripts on systems with non default configurations Scripts must conform to the following rules The file extension must be scr A maximum of ten scripts are allowed on the switch The combined size of all script files on the switch shall not exceed 2048 KB The maximum number of configuration file command lines is 2000 You can type s...

Page 134: ...e scriptname parameter is the name of the script to apply script delete This command deletes a specified script where the scriptname parameter is the name of the script to delete The all option deletes all the scripts present on the switch script list This command lists all scripts present on the switch as well as the remaining available space Format script apply scriptname Mode Privileged EXEC Fo...

Page 135: ...t file where scriptname is the name of the script to validate The validate option is intended to be used as a tool for script development Validation identifies potential problems It might not identify all problems with a given script on any given device Format script show scriptname Mode Privileged EXEC Term Definition Output Format line number line contents Format script validate scriptname Mode ...

Page 136: ...TP TFTP SFTP SCP or Xmodem Note The parameter ip6address is also a valid parameter for routing packages that support IPv6 set prompt This command changes the name of the prompt The length of name may be up to 64 alphanumeric characters hostname This command sets the system hostname It also changes the prompt The length of name may be up to 64 alphanumeric case sensitive characters Default none For...

Page 137: ...nfigured TEST set clibanner Use this command to configure the prelogin CLI banner before displaying the login prompt no set clibanner Use this command to unconfigure the prelogin CLI banner Default No contents to display before displaying the login prompt Format show clibanner Mode Privileged EXEC Format set clibanner line Mode Global Config Parameter Description line Banner text where double quot...

Page 138: ...me Protocol Commands on page 225 Time Zone Commands on page 231 DNS Client Commands on page 237 IP Address Conflict Commands on page 243 Serviceability Packet Tracing Commands on page 244 sFlow Commands on page 275 sFlow Commands on page 275 Remote Monitoring Commands on page 284 The commands in this chapter are in one of four functional groups Show commands display switch settings statistics and ...

Page 139: ...d no configuration file is found it attempts to obtain an IP address from a network DHCP server The response from the DHCP server includes the IP address of the TFTP server where the image and configuration flies are located After acquiring an IP address and the additional relevant information from the DHCP server the switch downloads the image file or configuration file from the TFTP server A dow...

Page 140: ... enable AutoInstall on the switch for the next reboot cycle The command does not change the current behavior of AutoInstall and saves the command to NVRAM no boot host dhcp Use this command to disable AutoInstall for the next reboot cycle Format boot autoinstall start stop Mode Privileged EXEC Default 3 Format boot host retrycount 1 3 Mode Privileged EXEC Format no boot host retrycount Mode Privil...

Page 141: ...this command to disable automatically saving the downloaded configuration on the switch boot host autoreboot Use this command to allow the switch to automatically reboot after successfully downloading an image When auto reboot is enabled no administrative action is required to activate the image and reload the switch no boot host autoreboot Use this command to prevent the switch from automatically...

Page 142: ...ry defaults file stored in non volatile memory show autoinstall This command displays the current status of the AutoInstall process The following shows example CLI display output for the command CN1610 show autoinstall AutoInstall Mode Stopped AutoInstall Persistent Mode Disabled AutoSave Mode Disabled AutoReboot Mode Enabled AutoInstall Retry Count 3 Format erase startup config Mode Privileged EX...

Page 143: ... containing the string2 match All other non matching lines in the output are suppressed If a line of output contains both the include and exclude strings then the line is not displayed The following shows example of the CLI command CN1610 show running config include spanning tree exclude configuration spanning tree bpduguard spanning tree bpdufilter default spanning tree forceversion 802 1w show x...

Page 144: ...r lines are suppressed The following shows an example of the CLI command CN1610 show port all begin 1 1 1 1 Enable Down Disable N A N A 1 2 Enable Down Disable N A N A 1 3 Enable Down Disable N A N A 1 4 Enable Down Disable N A N A 1 5 Enable Down Disable N A N A 1 6 Enable Down Disable N A N A CN1610 show xxx section string The command xxx is executed and the output is filtered to show only lines...

Page 145: ...fied string match criteria are part of the base output then all instances are displayed show xxx section string include string2 The command xxx is executed and the output is filtered to only show lines included within the section s identified by lines containing the string match and ending with the first line containing the default end of section identifier i e exit and that include the string2 ma...

Page 146: ... be loaded by the boot loader The current active image is marked as the backup image for subsequent reboots If the specified image doesn t exist on the system this command returns an error message show bootvar This command displays the version information and the activation status for the current active and backup images The command also displays any text description associated with an image This ...

Page 147: ... Commands update bootcode This command updates the bootcode boot loader on the switch The bootcode is read from the active image for subsequent reboots Mode Privileged EXEC Format update bootcode Mode Privileged EXEC ...

Page 148: ... not listed show eventlog This command displays the event log which contains error messages from the system The event log is not cleared on a system reset Format show arp switch Mode Privileged EXEC Term Definition IP Address IP address of the management interface or another device on the management network MAC Address Hardware MAC address of that device Interface For a service port the output is ...

Page 149: ... product name of this switch Machine Type The machine model as defined by the Vital Product Data Machine Model The machine model as defined by the Vital Product Data Serial Number The unique box serial number for this switch Part Number Manufacturing part number Burned in MAC Address Universally assigned network address Software Version The release version revision number of the code currently run...

Page 150: ...on number for the hardware Date Code The date when the switch was manufactured which is in YYYYMMDD format Operating System The operating system currently running on the switch Network Processing Device The type of the processor microcode Additional Packages The additional packages incorporated into this system Term Definition Format show platform vpd Mode User Privileged Term Definition Operation...

Page 151: ... the broadcast address Note that this does not include multicast packets Receive Packets Discarded The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for discarding such a packet could be to free up buffered space Packets Transmitted Without Error The total number ...

Page 152: ... Broadcast Packets Received The total number of packets received that were directed to the broadcast address Note that this does not include multicast packets Packets Received With Error The number of inbound packets that contained errors preventing them from being deliverable to a higher layer protocol Packets Transmitted Without Error The total number of packets transmitted out of the interface ...

Page 153: ...al CPU port channel Format show interfaces status slot port Mode Privileged EXEC Field Description Port The interface associated with the rest of the data in the row Name The descriptive user configured name for the interface Link State Indicates whether the link is up or down Physical Mode The speed and duplex settings on the interface Physical Status Indicates the port speed and duplex mode for ...

Page 154: ...er of octets received on the interface InUcastPkts The total number of unicast packets received on the interface InMcastPkts The total number of multicast packets received on the interface InBcastPkts The total number of broadcast packets received on the interface OutOctects The total number of octets transmitted by the interface OutUcastPkts The total number of unicast packets transmitted by the ...

Page 155: ...0 2 00 00 0 3 131369 0 1189 0 4 000 0 0 5 0000 ch1 0000 ch2 0000 ch64 0000 CPU 40252930 32910120 show interface ethernet This command displays detailed statistics for a specific interface or for all CPU traffic based upon the argument When you specify a value for slot port the command displays the following information Format show interface ethernet slot port switchport all Mode Privileged EXEC ...

Page 156: ...s equation is the value Utilization which is the percent utilization of the Ethernet segment on a scale of 0 to 100 percent Packets Received 64 Octets The total number of packets including bad packets received that were 64 octets in length excluding framing bits but including FCS octets Packets Received 65 127 Octets The total number of packets including bad packets received that were between 65 a...

Page 157: ... packets received that were between 512 and 1023 octets in length inclusive excluding framing bits but including FCS octets Packets Received 1024 1518 Octets The total number of packets including bad packets received that were between 1024 and 1518 octets in length inclusive excluding framing bits but including FCS octets Packets Received 1518 Octets The total number of packets received that were ...

Page 158: ...tween 65 and 127 octets in length inclusive excluding framing bits but including FCS octets Packets RX and TX 128 255 Octets The total number of packets including bad packets received and transmitted that were between 128 and 255 octets in length inclusive excluding framing bits but including FCS octets Packets RX and TX 256 511 Octets The total number of packets including bad packets received and...

Page 159: ... were between 1519 and 2047 octets in length inclusive excluding framing bits but including FCS octets and were otherwise well formed Packets RX and TX 1523 2047 Octets The total number of packets received and transmitted that were between 1523 and 2047 octets in length inclusive excluding framing bits but including FCS octets and were otherwise well formed Packets RX and TX 2048 4095 Octets The t...

Page 160: ... a multicast address Note that this number does not include packets directed to the broadcast address Broadcast Packets Received The total number of good packets received that were directed to the broadcast address Note that this does not include multicast packets Receive Packets Discarded The number of inbound packets which were chosen to be discarded even though no errors had been detected to pr...

Page 161: ...efine jabber as the condition where any packet exceeds 20 ms The allowed range to detect jabber is between 20 ms and 150 ms Fragments Undersize Received The total number of packets received that were less than 64 octets in length excluding framing bits but including FCS octets Alignment Errors The total number of packets received that had a length excluding framing bits but including FCS octets of...

Page 162: ...tered by the forwarding process 802 3x Pause Frames Received A count of MAC Control frames received on this interface with an opcode indicating the PAUSE operation This counter does not increment when the interface is operating in half duplex mode Unacceptable Frame Type The number of frames discarded from this port due to being an unacceptable frame type Term Definition ...

Page 163: ...al number of packets including bad packets received that were between 128 and 255 octets in length inclusive excluding framing bits but including FCS octets Packets Transmitted 256 511 Octets The total number of packets including bad packets received that were between 256 and 511 octets in length inclusive excluding framing bits but including FCS octets Packets Transmitted 512 1023 Octets The tota...

Page 164: ...cols requested be transmitted to the Broadcast address including those that were discarded or not sent Transmit Packets Discarded The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol A possible reason for discarding a packet could be to free up buffer space Transmit Errors Total Transm...

Page 165: ...ular interface for which transmission is inhibited by exactly one collision Multiple Collision Frames A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions Port Membership Discards The n...

Page 166: ...The count of GMRP PDUs received in the GARP layer GMRP PDUs Transmitted The count of GMRP PDUs transmitted from the GARP layer GMRP Failed Registrations The number of times attempted GMRP registrations could not be completed STP BPDUs Transmitted Spanning Tree Protocol Bridge Protocol Data Units sent STP BPDUs Received Spanning Tree Protocol Bridge Protocol Data Units received RST BPDUs Transmitte...

Page 167: ...ssor Broadcast Packets Received The total number of packets received that were directed to the broadcast address Note that this does not include multicast packets Packets Received With Error The total number of packets with errors including broadcast packets and multicast packets received by the processor Packets Transmitted without Errors The total number of packets transmitted out of the interfa...

Page 168: ...er of bytes transmitted by the interface Bytes Rx The total number of bytes transmitted by the interface Packets Tx The total number of packets transmitted by the interface Packets Rx The total number of packets transmitted by the interface Format show interface ethernet interface id switchport Mode Privileged EXEC Parameter Description interface id The slot port of the switch Term Definition Priv...

Page 169: ...include multicast packets Receive Packets Discarded The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for discarding such a packet could be to free up buffer space Packets Transmitted Without Error The total number of packets transmitted out of the LAG Transmit Pa...

Page 170: ...Bm Fault 0 49 39 3 3 256 5 0 2 234 2 465 No No 0 50 33 9 3 260 5 3 2 374 40 000 No Yes 0 51 32 2 3 256 5 6 2 300 2 897 No No Time Since Counters Last Cleared The elapsed time in days hours minutes and seconds since the statistics for this LAG were last cleared Parameters Definition Format show fiber ports optical transceiver all slot port Mode Privileged EXEC Field Description Temp Internally meas...

Page 171: ...ion the SCSI company code for the corporation or the stock exchange code for the corporation Length 50um OM2 This value specifies link length that is supported by the transceiver while operating in compliance with applicable standards using 50 micron multimode OM2 500MHz km at 850nm fiber A value of zero means that the transceiver does not support 50 micron multimode fiber or that the length infor...

Page 172: ...rt number or product name A value of all zero in the 16 byte field indicates that the vendor PN is unspecified BR nominal The nominal bit signaling rate BR nominal is specified in units of 100 MBd rounded off to the nearest 100 MBd The bit rate includes those bits necessary to encode and delimit the signal as well as those bits carrying data information A value of 0 indicates that the bit rate is ...

Page 173: ... the specified VLAN Enter the count parameter to view summary information about the forwarding database table Use the interface slot port parameter to view MAC addresses on a specific interface Instead of slot port lag lag intf num can be used as an alternate way to specify the LAG interface lag lag intf num can also be used to specify the LAG interface where lag intf num is the LAG port number Us...

Page 174: ...tatus of this entry The meanings of the values are Static The value of the corresponding instance was added by the system or a user when a static MAC filter was defined It cannot be relearned Learned The value of the corresponding instance was learned by observing the source MAC addresses of incoming traffic and is currently in use Management The value of the corresponding instance system MAC addr...

Page 175: ... Number of MAC addresses in the forwarding database that were automatically learned Static Address User defined count Number of MAC addresses in the forwarding database that were manually entered by a user Total MAC Addresses in use Number of MAC addresses currently in the forwarding database Total MAC Addresses available Number of MAC addresses the forwarding database can handle Format process cp...

Page 176: ...sly done The falling utilization threshold must always be equal or less than the rising threshold value The CLI does not allow setting the falling threshold to be greater than the rising threshold falling interval The duration of the CPU falling threshold in seconds that must be met to trigger a notification The range is 5 to 86400 The default is 0 disabled Parameter Description Format show proces...

Page 177: ...abled Stopped show process app resource list This command displays the configured and in use resources of each application Running Status Indicates whether the process is currently running or stopped Parameter Description Format show process app resource list Mode Privileged EXEC Parameter Description ID The application identifier Name The name that identifies the process PID The number the softwa...

Page 178: ...mited Unlimited 0 MB 0 MB show process cpu This command provides the percentage utilization of the CPU by different tasks Note It is not necessarily the traffic to the CPU but different tasks that keep the CPU busy Max Mem Usage The maximum amount of memory the process has used at any given time since it started Parameter Description Format show process cpu 1 n all Mode Privileged EXEC Keyword Des...

Page 179: ...23 0 23 834 dot1s_task 0 00 0 01 0 01 810 hapiRxTask 0 00 0 01 0 01 805 dtlTask 0 00 0 02 0 02 863 spmTask 0 00 0 01 0 00 894 ip6MapLocalDataTask 0 00 0 01 0 01 908 RMONTask 0 00 0 11 0 12 Total CPU Utilization 1 55 1 58 1 50 show process proc list This application displays the processes started by applications created by the Process Manager 60Secs CPU utilization sampling in 60Secs interval 300Se...

Page 180: ...s commands with settings and configurations that differ from the default value To display or capture the commands with settings and configurations that are equal to the default value include the all option Note Show running config does not display the User Password even if you set one different from the default Parameter Description PID The number the software uses to identify the process Process ...

Page 181: ...guration mode that contains nothing but default configuration That is the command to enter a particular config mode followed immediately by its exit command are both omitted from the show running config command output and hence from the startup config file when the system configuration is saved Use the following keys to navigate the command output Note that More or q uit is displayed at the bottom...

Page 182: ...uration interface 0 1 addport 3 1 exit CN1610 Mode Privileged EXEC Format show running config interface interface lag lag intf num vlan vlan id Mode Privileged EXEC Parameter Description interface Running configuration for the specified interface lag intf num Running configuration for the LAG interface vlan id Running configuration for the VLAN routing interface Parameter Description unit slot Ent...

Page 183: ...Description Quanta LB6M 8 1 14 41 Linux 2 6 27 47 U Boot 2009 06 Apr 19 2011 15 57 06 System Software Version 8 1 14 41 System Up Time 0 days 0 hrs 48 mins 19 secs Additional Packages BGP 4 QOS IPv6 IPv6 Management Routing Data Center Current SNTP Synchronized Time Not Synchronized vlan database vlan 10 exit configure ipv6 router ospf exit line console exit line telnet exit line ssh exit Format sh...

Page 184: ...5 57 06 System Software Version 8 1 14 41 System Up Time 0 days 0 hrs 48 mins 19 secs Additional Packages BGP 4 QOS IPv6 IPv6 Management Routing Data Center Current SNTP Synchronized Time Not Synchronized vlan database vlan 10 exit configure ipv6 router ospf exit line console exit line telnet exit line ssh exit More or q uit interface 0 1 description intf1 exit router ospf exit exit The following ...

Page 185: ... exit configure ipv6 router ospf exit line console exit line telnet exit line ssh exit More or q uit interface 0 1 description intf1 exit router ospf exit exit dir Use this command to list the files in the directory mnt fastpath in flash from the CLI CN1610 dir 0 drwx 2048 May 09 2002 16 47 30 0 drwx 2048 May 09 2002 16 45 28 0 rwx 592 May 09 2002 14 50 24 slog2 txt 0 rwx 72 May 09 2002 16 45 28 b...

Page 186: ...2 pem 0 rwx 245 Apr 26 2001 13 57 46 dh1024 pem 0 rwx 0 May 09 2002 16 45 30 slog0 txt show sysinfo This command displays switch information Format show sysinfo Mode Privileged EXEC Term Definition Switch Description Text used to identify this switch System Name Name used to identify the switch The factory default is blank To configure the system name see snmp server on page 89 System Location Tex...

Page 187: ...net switchport show port all show process cpu show mbuf total show platform vpd show mac addr table show debugging show vlan brief show vlan port all show port channel all show spanning tree show logging show logging buffered show logging persistent show logging persistent previous show running config debug crash kernel logs System Up Time The time in days hours and minutes since the last switch r...

Page 188: ... lines terminal length Use this command to set the pagination length to value number of lines for the current session This command configuration takes an immediate effect on the current session and is nonpersistent no terminal length Use this command to set the value to the length value configured on Line Config mode depending on the type of session Mode Privileged EXEC Default 24 Format length va...

Page 189: ...notification is generated once the available free memory rises to 10 percent above the specified threshold To prevent generation of excessive notifications when the CPU free memory fluctuates around the configured threshold only one Rising or Falling memory notification is generated over a period of 60 seconds The threshold is specified in kilobytes The CPU free memory threshold configuration is s...

Page 190: ...rted on PowerPC platforms that use the u boot loader environment trap Use this command to configure environment status traps show environment Use this command to view information about the switch environment Format environment trap fan powersupply temperature Mode Global Config Parameter Definition fan Enables or disables the sending of traps for fan status events The default is enable powersupply...

Page 191: ...sor on the unit Description A description of the temperature sensor Temp The current temperature of the sensor State The current state of the sensor Max_Temp The maximum temperature reached by this sensor Fans Shows information for each fan on the switch Unit The unit number for the switch Fan The number of the fan on the unit Description A description of the fan Type The type of fan Speed The cur...

Page 192: ... Duty level State 1 1 Fan 1 Removable 12840 100 Operational 1 2 Fan 2 Removable 12600 100 Operational 1 3 Fan 3 Removable 12660 100 Operational 1 4 Fan 4 Removable 12660 100 Operational Power Modules Unit Power supply Description Type State 1 1 Internal AC 1 Removable Operational 1 2 Internal AC 2 Removable Not powered show hardware This command displays inventory information for the switch Power ...

Page 193: ...gned network address Software Version The release version revision number of the code currently running on the switch CPLD Version The complex programmable logic device CPLD version Manufacturer Name The name of the company who manufactured the switch Revision The revision number for the hardware Date Code The date when the switch was manufactured which is in YYYYMMDD format Operating System The o...

Page 194: ... Serial Number The serial number of the power supply Date Code The date when the power supply was manufactured which is in YYYYMMDD format Fan Tray Hardware Detail Unit The switch unit number in which the fan tray is installed which is always 1 Fan Tray The fan tray identifier State Indicates whether the fan tray is installed Part Number and Rev The fan tray part number and revision SFP Module Har...

Page 195: ...4ce360e8 Network Processing Device BCM56820_B0 Additional Packages FASTPATH QOS FASTPATH IPv6 Management Power Supply Hardware Data Power Part Number Mfg Part Number Date Unit supply State Revision Revision Serial Number Code 1 1 Present 114 00098 A0 DPSN 300DB H 00 DHUD1432008017 20140809 1 2 Present 114 00098 A0 DPSN 300DB H 00 DHUD1432008021 20140809 Fan Tray Hardware Data Unit Fan Tray State P...

Page 196: ...enables wrapping of in memory logging when the log file reaches full capacity Otherwise when the log file reaches full capacity logging stops no logging buffered wrap This command disables wrapping of in memory logging and configures logging to stop when the log file capacity is full Default disabled critical when enabled Format logging buffered Mode Global Config Format no logging buffered Mode G...

Page 197: ...ing to the console You can specify the severitylevel value as either an integer from 0 to 7 or symbolically through one of the following keywords emergency 0 alert 1 critical 2 error 3 warning 4 notice 5 info 6 or debug 7 no logging console This command disables logging to the console logging host This command configures the logging host parameters You can configure up to eight hosts Default enabl...

Page 198: ...e port severitylevel Mode Global Config Parameter Description hostaddress hostname The IP address of the logging host address type Indicates the type of address ipv4 or ipv6 or dns being passed port A port number from 1 to 65535 severitylevel Specify this value as either an integer from 0 to 7 or symbolically through one of the following keywords emergency 0 alert 1 critical 2 error 3 warning 4 no...

Page 199: ...mmand enables syslog logging The portid parameter is an integer with a range of 1 65535 no logging syslog port This command disables syslog logging show logging This command displays logging configuration information Format logging host remove hostindex Mode Global Config Format logging syslog Mode Global Config Format no logging syslog Mode Global Config Default disabled Format logging syslog por...

Page 200: ...ng is enabled Console Logging Severity Filter The minimum severity to log to the console log Messages with an equal or lower numerical severity are logged Buffered Logging Shows whether buffered logging is enabled Persistent Logging Shows whether persistent logging is enabled Persistent Logging Severity Filter The minimum severity at which the logging entries are retained after a system reboot Sys...

Page 201: ...buffered logging system startup and system operation logs show logging hosts This command displays all configured logging hosts Use the character to display the output filter options Format show logging buffered Mode Privileged EXEC Term Definition Buffered In Memory Logging Shows whether the In Memory log is enabled or disabled Buffered Logging Wrapping Behavior The behavior of the In Memory log ...

Page 202: ...tent log files are displayed Term Definition Host Index Used for deleting hosts IP Address Hostname IP address or hostname of the logging host Severity Level The minimum severity to log to the specified address The possible values are emergency 0 alert 1 critical 2 error 3 warning 4 notice 5 info 6 or debug 7 Port The server port number which is the port on the local host from which syslog message...

Page 203: ...aplogs This command displays SNMP trap events and statistics Persistent Log Count The number of persistent log entries Persistent Log Files The list of persistent log files in the system Only displayed if log files is specified Parameter Description Format show logging traplogs Mode Privileged EXEC Term Definition Number of Traps Since Last Reset The number of traps since the last boot Trap Log Ca...

Page 204: ... clears buffered logging system startup and system operation logs Log The log number System Time Up How long the system had been running at the time the trap was sent Trap The text of the trap message Term Definition Format clear logging buffered Mode Privileged EXEC ...

Page 205: ...g 7 no logging email This command disables email alerting logging email urgent This command sets the lowest severity level at which log messages are emailed immediately in a single email message Specify the severitylevel value as either an integer from 0 to 7 or symbolically through one of the following keywords emergency 0 alert 1 critical 2 error 3 warning 4 notice 5 info 6 or debug 7 Specify no...

Page 206: ...l message type to addr This command removes the configured to addr field of email logging email from addr This command configures the email address of the sender the switch no logging email from addr This command removes the configured email source address Format no logging email urgent Mode Global Config Format logging email message type urgent non urgent both to addr to email addr Mode Global Co...

Page 207: ...Non urgent messages are collected and sent in a batch email at the specified interval The valid range is every 30 1440 minutes no logging email logtime This command resets the non urgent log time to the default value Default For urgent messages Urgent Log Messages For non urgent messages Non Urgent Log Messages Format logging email message type urgent non urgent both subject subject Mode Global Co...

Page 208: ...lue logging email test message type This command sends an email to the SMTP server to test the email alerting function show logging email config This command displays information about the email alert configuration Default Info 6 messages and higher are logged Format logging traps severitylevel Mode Global Config Format no logging traps Mode Global Config Format logging email test message type urg...

Page 209: ... in a batch email Log messages that are less severe are not sent in an email message at all Email Alert Trap Severity Level The lowest severity level at which traps are logged Email Alert Notification Period The amount of time to wait between non urgent messages Email Alert To Address Table The configured email recipients Email Alert Subject Table The subject lines included in urgent Type 1 and no...

Page 210: ...rm Definition Email Alert Operation Status The operational status of the email alerting feature No of Email Failures The number of email messages that have attempted to be sent but were unsuccessful No of Email Sent The number of email messages that were sent from the switch since the counter was cleared Time Since Last Email Sent The amount of time that has passed since the last email was sent fr...

Page 211: ...ended port for TLSv1 is 465 and for no security i e none it is 25 However any nonstandard port in the range 1 to 65535 is also allowed username Mail Server Config This command configures the login ID the switch uses to authenticate with the SMTP server password This command configures the password the switch uses to authenticate with the SMTP server Default none Format security tlsv1 none Mode Mai...

Page 212: ...he switch Email Alert Mail Server Address The IPv4 IPv6 address or DNS hostname of the configured SMTP server Email Alert Mail Server Port The TCP port the switch uses to send email to the SMTP server Email Alert Security Protocol The security protocol TLS or none the switch uses to authenticate with the SMTP server Email Alert Username The username the switch uses to authenticate with the SMTP se...

Page 213: ... within the network back to hosts attached to the edge router In the CLI the user may specify the source as an IPv4 address IPv6 address a virtual router or as a routing interface When the source is specified as a routing interface the traceroute is sent using the primary IPv4 address on the source interface With SNMP the source must be specified as an address CN1610 will not accept an incoming pa...

Page 214: ...ce ip address ipv6 address unit slot port Mode Privileged EXEC Parameter Description vrf name The name of the VRF instance from which to initiate traceroute Only hosts reachable from within the VRF instance can be tracerouted If a source parameter is specified in conjunction with a vrf parameter it must be a member of the VRF The ipv6 parameter cannot be used in conjunction with the vrf parameter ...

Page 215: ...obes in seconds If a response is not received within this interval then traceroute considers that probe a failure printing and sends the next probe If traceroute does receive a response to a probe within this interval then it sends the next probe immediately Range is 1 to 60 seconds count Use the optional count parameter to specify the number of probes to send for each TTL value Range is 1 to 10 p...

Page 216: ...ure CN1610 traceroute 10 40 1 1 initTtl 1 maxFail 0 interval 1 count 3 port 33434 size 43 Traceroute to 10 40 1 1 30 hops max 43 byte packets 1 10 240 4 1 19 msec 18 msec 9 msec 2 10 240 1 252 0 msec 0 msec 1 msec 3 172 31 0 9 277 msec 276 msec 277 msec 4 10 254 1 1 289 msec 327 msec 282 msec 5 10 254 21 2 287 msec 293 msec 296 msec 6 192 168 76 2 290 msec 291 msec 289 msec 7 0 0 0 0 0 msec Hop Co...

Page 217: ... statistics for the ports on the virtual router are cleared If no router is specified the information for the default router will be displayed clear igmpsnooping This command clears the tables managed by the IGMP Snooping function and attempts to delete these entries from the Multicast Forwarding Database clear pass This command resets all user passwords to the factory defaults without powering of...

Page 218: ...ctory default as a result of handling the VLAN RESTORE NOTIFY event Since MVRP is enabled by default this means that any VLANs already created by MVRP are unaffected However for customer platforms where MVRP is disabled by default then the MVRP behavior should match GVRP That is MVRP is disabled and the MVRP VLANs are deleted logout This command closes the current telnet connection or resets the c...

Page 219: ...6 address unit slot port vlan 1 4093 serviceport network Modes Privileged EXEC User EXEC Parameter Description vrf name The name of the virtual router in which to initiate the ping If no virtual router is specified the ping is initiated in the default router instance address IPv4 or IPv6 addresses to ping count Use the count parameter to specify the number of ping packets ICMP Echo requests that a...

Page 220: ... 1 Average round trip time 3 00 ms source Use the source parameter to specify the source IP IPv6 address or interface to use when sending the Echo requests packets hostname Use the hostname parameter to resolve to an IPv4 or IPv6 address The ipv6 keyword is specified to resolve the hostname to IPv6 address The IPv4 address is resolved if no keyword is specified ipv6 The optional keyword ipv6 can b...

Page 221: ... transmitted 0 packets received 100 packet loss round trip msec min avg max 0 0 0 IPv6 ping failure CN1610 ping ipv6 2001 4 Pinging 2001 4 with 64 bytes of data Send count 3 Receive count 0 from 2001 4 Average round trip time 0 00 ms quit This command closes the current telnet connection or resets the current serial connection The system asks you whether to save configuration changes before quitti...

Page 222: ... verify noverify is only available if the image configuration verify options feature is enabled see write memory on page 224 verify specifies that digital signature verification will be performed for the specified downloaded image or configuration file noverify specifies that no verification will be performed The keyword ias users supports the downloading of the IAS user database file When the IAS...

Page 223: ...w SSL certificates to the switch using TFTP or XMODEM using only the following options pertinent to the OpenFlow SSL certificates CAUTION Remember to upload the existing fastpath cfg file off the switch prior to loading a new release image in order to make a backup Format copy mode file nvram openflow ssl ca cert openflow ssl cert openflow ssl priv key Mode Privileged EXEC Source Destination Descr...

Page 224: ...log to a server nvram errorlog url Copies the error log file to a server nvram factory defaults url Uploads factory defaults file nvram fastpath cfg url Uploads the binary config file to a server nvram log url Copies the log file to a server nvram operation al log url Copies the operational log file to a server nvram script scriptname url Copies a specified configuration script file to a server nv...

Page 225: ...em url nvram fastpat h cfg Downloads the binary config file to the system url nvram publick ey config Downloads the Public Key for Configuration Script validation url nvram publick ey image Downloads Public Key for Image validation url nvram script destfilename Downloads a configuration script file to the system During the download of a configuration script the copy command validates the script In...

Page 226: ...loads an SSH key file url nvram sshkey rsa2 Downloads an SSH key file url nvram startup config Downloads the startup configuration file to the system url ias users Downloads an IAS users database file to the system When the IAS users file is downloaded the switch IAS user s database is replaced with the users and their attributes available in the downloaded file url active backup Download an image...

Page 227: ... IAS users database Updated IAS users database successfully CN1610 write memory Use this command to save running configuration changes to NVRAM so that the changes you make will persist across a reboot This command is the same as copy system running config nvram startup config Use the confirm keyword to directly save the configuration to NVRAM without prompting for a confirmation Format write memo...

Page 228: ...ent poll interval This command resets the poll interval for SNTP broadcast client back to the default value sntp client mode This command enables Simple Network Time Protocol SNTP client mode and may set the mode to either broadcast or unicast no sntp client mode This command disables Simple Network Time Protocol SNTP client mode Default 6 Format sntp broadcast client poll interval poll interval M...

Page 229: ...val This command sets the poll interval for SNTP unicast clients in seconds as a power of two where poll interval can be a value from 6 to 10 no sntp unicast client poll interval This command resets the poll interval for SNTP unicast clients to its default value sntp unicast client poll timeout This command sets the poll timeout for SNTP unicast clients in seconds to a value from 1 30 Default 0 Fo...

Page 230: ...ver This command configures an SNTP server a maximum of three The server address can be either an IPv4 address or an IPv6 address The optional priority can be a value of 1 3 the version a value of 1 4 and the port id a value of 1 65535 Format sntp unicast client poll timeout poll timeout Mode Global Config Format no sntp unicast client poll timeout Mode Global Config Default 1 Format sntp unicast ...

Page 231: ...ileged EXEC Term Definition Last Update Time Time of last clock update Last Attempt Time Time of last transmit query in unicast mode Last Attempt Status Status of the last SNTP request in unicast mode or unsolicited message in broadcast mode Broadcast Count Current number of unsolicited broadcast messages that have been received and processed by the SNTP client since last reboot Format show sntp c...

Page 232: ...d SNTP Client Mode Term Definition Format show sntp server Mode Privileged EXEC Term Definition Server Host Address IP address or hostname of configured SNTP Server Server Type Address type of server IPv4 IPv6 or DNS Server Stratum Claimed stratum of the server for the last received valid packet Server Reference ID Reference clock identifier of the server for the last received valid packet Server ...

Page 233: ...Version number of the server The protocol version used to query the server in unicast mode Port Server Port Number Last Attempt Time Last server attempt time for the specified server Last Update Status Last server attempt status for the server Total Unicast Requests Number of requests to the server Failed Unicast Requests Number of failed requests from server Term Definition ...

Page 234: ...offset to Coordinated Universal Time UTC If the optional parameters are not specified they are read as either 0 or 0 as appropriate Format clock set hh mm ss clock set mm dd yyyy Mode Global Config Parameter Description hh mm ss Enter the current system time in 24 hour format in hours minutes and seconds The range is hours 0 to 23 minutes 0 to 59 seconds 0 to 59 mm dd yyyy Enter the current system...

Page 235: ...y name jan for example year Year The range is 2000 to 2097 hh mm Time in 24 hour format in hours and minutes The range is hours 0 to 23 minutes 0 to 59 offset The number of minutes to add during the summertime The range is 1 to 1440 acronym The acronym for the summer time to be displayed when summertime is in effect The range is up to four characters are allowed Format clock summer time recurring ...

Page 236: ...curring daylight saving time settings used in the United States week Week of the month The range is 1 to 5 first last day Day of the week The range is the first three letters by name sun for example month Month The range is the first three letters by name jan for example hh mm Time in 24 hour format in hours and minutes The range is hours 0 to 23 minutes 0 to 59 offset The number of minutes to add...

Page 237: ...ws an example of the command CN1610 Config no clock timezone show clock Use this command to display the time and date from the system clock The following shows example CLI display output for the command CN1610 show clock Format clock timezone hours minutes minutes zone acronym Mode Global Config Parameter Description hours Hours difference from UTC The range is 12 to 13 minutes Minutes difference ...

Page 238: ...e time zone and the summertime configuration The following shows example CLI display output for the command CN1610 show clock detail 15 05 24 UTC 0 00 Nov 1 2011 No time source Time zone Acronym not configured Offset is UTC 0 00 Summertime Summer time is disabled The following shows example CLI display output for the command With the above configuration the output appears as below CN1610 show cloc...

Page 239: ...236 Time Zone Commands Summertime Acronym is INDA Recurring every year Begins on second Sunday of Nov at 03 18 Ends on second Monday of Nov at 03 18 Offset is 120 minutes Summer time is in effect ...

Page 240: ...ware uses to complete unqualified host names names with a domain name By default no default domain name is configured in the system name may not be longer than 255 characters and should not include an initial period This name should be used only when the default domain name list configured using the ip domain list command is empty The CLI command ip domain name yahoo com will configure yahoo com a...

Page 241: ...mes can be entered in to this list no ip domain list Use this command to delete a name from a list ip name server Use this command to configure the available name servers Up to eight servers can be defined in one command or by using multiple commands The parameter server address is a valid IPv4 or IPv6 address of the server The preference of the servers is determined by the order they were entered...

Page 242: ...o remove the name to address mapping ipv6 host Use this command to define static host name to IPv6 address mapping in the host cache The parameter name is host name and v6 address is the IPv6 address of the host The hostname can include 1 255 alphanumeric characters periods hyphens and spaces Hostnames that include one or more space must be enclosed in quotation marks for example lab pc 45 Format ...

Page 243: ...is command to return to the default ip domain timeout Use this command to specify the amount of time to wait for a response to a DNS query The parameter seconds specifies the time in seconds to wait for a response to a DNS query The parameter seconds ranges from 0 to 3600 no ip domain timeout Use this command to return to the default setting Format no ipv6 host name Mode Global Config Default 2 Fo...

Page 244: ...ched list of host names and addresses The parameter name ranges from 1 255 characters This command displays both IPv4 and IPv6 entries Mode Global Config Format clear host name all Mode Privileged EXEC Field Description name A particular host entry to remove The parameter name ranges from 1 255 characters all Removes all entries Format show hosts name Mode Privileged EXEC User EXEC Field Descripti...

Page 245: ...onfigured Configured host name to address mapping Host Addresses accounting gm com 176 16 8 8 Host Total ElapsedTypeAddresses www stanford edu 72 3 IP 171 64 14 203 Number of Retries Number of time to retry sending Domain Name System DNS queries Retry Timeout Period Amount of time to wait for a response to a DNS query Name Servers Configured name servers DNS Client Source Interface Shows the confi...

Page 246: ...tual router If no router is specified the command is executed for the default router Format ip address conflict detect run Mode Global Config Virtual Router Config Format show ip address conflict Modes Privileged EXEC Term Definition Address Conflict Detection Status Identifies whether the switch has detected an address conflict on any IP address Last Conflicting IP Address The IP Address that was...

Page 247: ...e start to manually start capturing CPU packets for packet trace The packet capture operates in three modes capture file remote capture capture line The command is not persistent across a reboot cycle capture stop Use the command capture stop to manually stop capturing CPU packets for packet trace Format capture start all receive transmit Mode Privileged EXEC Parameter Description all Capture all ...

Page 248: ...defaults to 524288 bytes The switch can transfer the file to a TFTP server via TFTP SFTP SCP via CLI and SNMP The file is formatted in pcap format is named cpuPktCapture pcap and can be examined using network analyzer tools such as Wireshark or Ethereal Starting a file capture automatically terminates any remote capture sessions and line capturing After the packet capture is activated the capture ...

Page 249: ... 2002 If a firewall is installed between the Wireshark PC and the switch then these ports must be allowed to pass through the firewall You must configure the firewall to allow the Wireshark PC to initiate TCP connections to the switch If the client successfully connects to the switch the CPU packets are sent to the client PC then Wireshark receives the packets and displays them This continues unti...

Page 250: ...mand disables wrapping of captured packets and configures capture packet to stop when the captured packet capacity is full show capture packets Use this command to display packets captured and saved to RAM It is possible to capture and save into RAM packets that are received or transmitted through the CPU A maximum 128 packets can be saved into RAM per capturing session A maximum 128 bytes per pac...

Page 251: ...nality debug aaa authorization Use this command to enable the tracing for AAA in User Manager This is useful to debug authorization configuration and functionality in the User Manager Each of the parameters are used to configure authorization debug flags no debug aaa authorization Use this command to turn off debugging of the User Manager authorization functionality Format show capture packets Mod...

Page 252: ...This command disables all previously enabled debug traces debug console This command enables the display of debug trace output on the login session in which it is executed Debug console display must be enabled in order to view any trace output The output of debug trace commands will appear on all login sessions for which debug console has been enabled The configuration of this command remains in e...

Page 253: ...n Log Status Buffered logging Event logging Persistent logging System Information output of sysapiMbufDump Message Queue Debug Information Memory Debug Information Memory Debug Status OS Information output of osapiShowTasks proc information meminfo cpuinfo interrupts version and net sockstat Format debug console Mode Privileged EXEC Format no debug console Mode Privileged EXEC Default disabled For...

Page 254: ...er use the upload keyword and specify the required TFTP server information proc View the application process crashlog verbose Enable the verbose crashlog deleteall Delete all crash log files on the system data Crash log data recorder crashdump number Specifies the crash dump number to view The valid range is 0 2 download url To download a crash dump to the switch use the download keyword and speci...

Page 255: ...d to enable dot1x packet debug trace no debug dot1x packet Use this command to disable dot1x packet debug trace debug igmpsnooping packet This command enables tracing of IGMP Snooping packets received and transmitted by the switch Default disabled Format debug dhcp packet transmit receive Mode Privileged EXEC Format no debug dhcp packet transmit receive Mode Privileged EXEC Default disabled Format...

Page 256: ...d 1 Src_Mac 00 03 0e 00 00 00 Dest_Mac 01 00 5e 00 00 01 Src_IP 9 1 1 1 Dest_IP 225 0 0 1 Type V2_Membership_Report Group 225 0 0 1 The following parameters are displayed in the trace message Mode Privileged EXEC Format no debug igmpsnooping packet Mode Privileged EXEC Default disabled Format debug igmpsnooping packet transmit Mode Privileged EXEC Parameter Definition TX A packet transmitted by th...

Page 257: ...nooping_debug c 116 908 Pkt RX Intf 1 0 20 20 Vlan_Id 1 Src_Mac 00 03 0e 00 00 10 Dest_Mac 01 00 5e 00 00 05 Dest_IP The destination multicast IP address in the packet Type The type of IGMP packet Type can be one of the following Membership Query IGMP Membership Query V1_Membership_Report IGMP Version 1 Membership Report V2_Membership_Report IGMP Version 2 Membership Report V3_Membership_Report IG...

Page 258: ...for interfaces Src_Mac Source MAC address of the packet Dest_Mac Destination multicast MAC address of the packet Src_IP The source IP address in the ip header in the packet Dest_IP The destination multicast ip address in the packet Type The type of IGMP packet Type can be one of the following Membership_Query IGMP Membership Query V1_Membership_Report IGMP Version 1 Membership Report V2_Membership...

Page 259: ...g of LACP packets received and transmitted by the switch A sample output of the trace message is shown below 15 JAN 01 14 04 51 10 254 24 31 1 DOT3AD 183697744 dot3ad_debug c 385 58 Pkt TX Intf 1 0 1 1 Type LACP Sys 00 11 88 14 62 e1 State 0x47 Key 0x36 no debug lacp packet This command disables tracing of LACP packets Default disabled Format debug ipv6 dhcp Mode Privileged EXEC Format no debug ip...

Page 260: ...ug ping packet This command enables tracing of ICMP echo requests and responses The command traces pings on the network port service port for switching packages For routing packages pings are traced on the routing ports as well If specified pings can be traced on the virtual router A sample output of the trace message is shown below 15 JAN 01 00 21 22 192 168 17 29 1 SIM 181040176 sim_debug c 128 ...

Page 261: ...RX refers to packets received by the device Intf The interface that the packet came in or went out on Format used is unit slot port internal interface number Unit is always shown as 1 SRC_IP The source IP address in the IP header in the packet DEST_IP The destination IP address in the IP header in the packet Type Type determines whether or not the ICMP message is a REQUEST or a RESPONSE Format no ...

Page 262: ... is shown below 15 JAN 01 01 02 04 192 168 17 29 1 DOT1S 191096896 dot1s_debug c 1249 101 Pkt RX Intf 1 0 9 9 Source_Mac 00 11 88 4e c2 10 Version 3 Root Mac 00 11 88 4e c2 00 Root Priority 0x8000 Path Cost 0 The following parameters are displayed in the trace message Default disabled Format debug spanning tree bpdu Mode Privileged EXEC Format no debug spanning tree bpdu Mode Privileged EXEC Defau...

Page 263: ...49 101 Pkt TX Intf 1 0 7 7 Source_Mac 00 11 88 4e c2 00 Version 3 Root_Mac 00 11 88 4e c2 00 Root_Priority 0x8000 Path_Cost 0 The following parameters are displayed in the trace message Source_Mac Source MAC address of the packet Version Spanning tree protocol version 0 3 0 refers to STP 2 RSTP and 3 MSTP Root_Mac MAC address of the CIST root bridge Root_Priority Priority of the CIST root bridge T...

Page 264: ...erfaces on a non stacking device Source_Mac Source MAC address of the packet Version Spanning tree protocol version 0 3 0 refers to STP 2 RSTP and 3 MSTP Root_Mac MAC address of the CIST root bridge Root_Priority Priority of the CIST root bridge The value is between 0 and 61440 It is displayed in hex in multiples of 4096 Path_Cost External root path cost component of the BPDU Format no debug spann...

Page 265: ...mmand console debug arp Arp packet tracing enabled console show debugging Arp packet tracing enabled no show debugging Use the no show debugging command to disable packet tracing configurations packet transmit Turn on TACACS transmit packet debugs accounting Turn on TACACS authentication debugging authentication Turn on TACACS authorization debugging Parameter Description Format debug transfer Mod...

Page 266: ... remote TFTP server in order to dump core files to an external server no exception dump tftp server Use this command to reset the exception dump remote server configuration to its factory default value Mode Privileged EXEC Default None Format exception protocol nfs tftp ftp local usb none Mode Global Config Default None Format no exception protocol Mode Global Config Default None Format exception ...

Page 267: ... TFTP server NFS mount or USB device subdirectory no exception dump filepath Use this command to reset the exception dump filepath configuration to its factory default value exception core file Use this command to configure a prefix for a core file name The core file name is generated with the prefix as follows Default None Format exception dump nfs ip address dir Mode Global Config Default None F...

Page 268: ... exception switch chip register This command enables or disables the switch chip register dump in case of an exception The switch chip register dump is taken only for a master unit and not for member units exception dump ftp server This command configures the IP address of remote FTP server to dump core files to an external server If the username and password are not configured the switch uses ano...

Page 269: ... compression mode write core Use the write core command to generate a core dump file on demand The write core test command is helpful when testing the core dump setup For example if the TFTP protocol is configured write core test communicates Default None Format exception dump ftp server ip address username user name password password Mode Global Config Default None Format no exception dump ftp se...

Page 270: ...ionally you can specify the destination file name when the protocol is configured as TFTP debug exception The command displays core dump features support show exception Use this command to display the configuration parameters for generating a core dump file The following shows an example of this command CN1610 show exception Coredump file name core Coredump filename uses hostname False Coredump fi...

Page 271: ...rity level Possible values for severity level are emergency 0 alert 1 critical 2 error 3 warning 4 notice 5 info 6 debug 7 no logging persistent Use this command to disable the persistent logging in the switch mbuf Use this command to configure memory buffer MBUF threshold limits and generate notifications when MBUF limits have been reached Default None Format show exception log previous Mode Priv...

Page 272: ...d interval triggers a notification The range is 1 to 100 The default is 0 disabled Severity The severity level at which Mbuf logs messages The range is 1 to 7 The default is 5 L7_LOG_SEVERITY_NOTICE Format show mbuf Mode Privileged EXEC Field Description Rising Threshold The percentage of the memory buffer resources that when exceeded for the configured rising interval triggers a notification The ...

Page 273: ...ried to allocate a message buffer allocation of class RX Mid1 Total Rx Mid0 Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class RX Mid0 Total Rx High Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class RX High Total Tx Alloc Attempts Number of times the system tried to allocate a message buffer allocation of ...

Page 274: ...es Total Rx High Alloc Failures Number of message buffer allocation failures for RX High class of message buffer Total Tx Alloc Failures Number of message buffer allocation failures for TX class of message buffer Field Description Default None Format show msg queue Mode Privileged EXEC mode ...

Page 275: ...aded or downloaded techsupport enable Use this command to allow access to Support mode console Use this command to enable the display of support debug for this session save Use this command to save the trace configuration to non volatile storage snapshot routing Use this command in Support mode to dump a set of routing debug information to capture the current state of routing on the switch The out...

Page 276: ... can be extensive snapshot system Use this command in Support mode to dump a set of system debug information to capture the current state of the device The output is written to the console and can be extensive telnetd Use this command in Support mode to start or stop the Telnet daemon on the switch Mode Support Format snapshot multicast Mode Support Format snapshot multicast Mode Support Format te...

Page 277: ...hell to directly execute any of the BCM commands on the shell using the bcmsh command bcmsh The bcmsh command is used to enter into the BCM shells from Privileged EXEC mode Only users with Level 15 permissions can execute this command Management is blocked during this mode the user is notified and asked whether to continue This command is only supported on the serial console and not via telnet ssh...

Page 278: ...Table entry The range is 127 characters The default is a null string The empty string indicates that the entry is currently unclaimed and the receiver configuration is reset to the default values An entity wishing to claim an sFlowRcvrTable entry must ensure that the entry is unclaimed before trying to claim it The entry is claimed by setting the owner string to a non null value The entry must be ...

Page 279: ... config Receiver Max Datagram Size The maximum number of data bytes that can be sent in a single sample datagram The management entity should set this value to avoid fragmentation of the sFlow datagrams The allowed range is 200 to 9116 The default is 1400 Receiver IP The sFlow receiver IP address If set to 0 0 0 0 no sFlow datagrams will be sent The default is 0 0 0 0 Receiver Port The destination...

Page 280: ...will also not be shown in running config Receiver Owner The owner name corresponds to the receiver name The identity string for the receiver the entity making use of this sFlowRcvrTable entry The range is 127 characters The default is a null string The empty string indicates that the entry is currently unclaimed and the receiver configuration is reset to the default values An entity wishing to cla...

Page 281: ...set to the default values An entity wishing to claim an sFlowRcvrTable entry must ensure that the entry is unclaimed before trying to claim it The entry is claimed by setting the owner string to a non null value The entry must be claimed before assigning a receiver to a sampler or poller Field Description Format sflow sampler rcvr indx rate sampling rate maxheadersize size Mode Interface Config Fi...

Page 282: ...er parameters are set to their corresponding default value Sampling Rate The statistical sampling rate for packet sampling from this source A sampling rate of 1 counts all packets A value of zero 0 disables sampling A value of N means that out of N incoming packets 1 packet will be sampled The range is 1024 65536 and 0 The default is 0 Field Description Format no sflow sampler rcvr indx rate sampl...

Page 283: ...nterval of zero 0 disables counter sampling When set to zero 0 all the poller parameters are set to their corresponding default value The range is 0 86400 The default is 0 A value of N means once in N seconds a counter sample is generated Field Description Format no sflow poller interval Mode Interface Config Format show sflow agent Mode Privileged EXEC Field Description sFlow Version Uniquely ide...

Page 284: ...d Description Poller Data Source The sFlowDataSource slot port for this sFlow sampler This agent will support Physical ports only Receiver Index The sFlowReceiver associated with this sFlow counter poller Poller Interval The number of seconds between successive samples of the counters associated with this data source Format show sflow receivers index Mode Privileged EXEC Parameter Description Rece...

Page 285: ...ndx String Size Time Out The time in seconds remaining before the receiver is released and stops sending samples to sFlow receiver The no timeout value of this parameter means that the sFlow receiver is configured as a non timeout entry Max Datagram Size The maximum number of bytes that can be sent in a single sFlow datagram Port The destination Layer4 UDP port for sFlow datagrams IP Address The s...

Page 286: ...343 Datagram Version 5 Maximum Datagram Size 1400 show sflow samplers Use this command to display the sFlow sampling instances created on the switch Format show sflow samplers Mode Privileged EXEC Field Description Sampler Data Source The sFlowDataSource slot port for this sFlow sampler This agent will support Physical ports only Receiver Index The sFlowReceiver configured for this sFlow sampler P...

Page 287: ...variable sample interval absolute delta rising threshold value rising event index falling threshold value falling event index startup rising falling rising falling owner string Mode Global Config Parameter Description Alarm Index An index that uniquely identifies an entry in the alarm table Each entry defines a diagnostic sample at a particular interval for an object on the device The range is 1 t...

Page 288: ...7483648 to 2147483647 The default is 1 Alarm Rising Event Index The index of the eventEntry that is used when a rising threshold is crossed The range is 1 to 65535 The default is 1 Alarm Falling Threshold The falling threshold for the sample statistics The range is 2147483648 to 2147483647 The default is 1 Alarm Falling Event Index The index of the eventEntry that is used when a falling threshold ...

Page 289: ...he object identifier of the particular variable to be sampled Only variables that resolve to an ASN 1 primitive type of integer High Capacity Alarm Interval The interval in seconds over which the data is sampled and compared with the rising and falling thresholds The range is 1 to 2147483647 The default is 1 High Capacity Alarm Sample Type The method of sampling the selected variable and calculati...

Page 290: ...5 The default is 0 High Capacity Alarm Rising Threshold Value Status This object indicates the sign of the data for the rising threshold as defined by the objects hcAlarmRisingThresAbsValueLow and hcAlarmRisingThresAbsValueHigh Possible values are valueNotAvailable valuePositive or valueNegative The default is valuePositive High Capacity Alarm Falling Threshold Absolute Value Low The lower 32 bits...

Page 291: ... crossed The range is 1 to 65535 The default is 1 High Capacity Alarm Falling Event Index The index of the eventEntry that is used when a falling threshold is crossed The range is 1 to 65535 The default is 2 High Capacity Alarm Failed Attempts The number of times the associated hcAlarmVariable instance was polled on behalf of the hcAlarmEntry while in the active state and the value was not availab...

Page 292: ... entry in the event table Each such entry defines one event that is to be generated when the appropriate conditions occur The range is 1 to 65535 Event Description A comment describing the event entry The default is alarmEvent Event Type The type of notification that the probe makes about the event Possible values are None Log SNMP Trap Log and SNMP Trap The default is None Event Owner Owner strin...

Page 293: ...rol Index An index that uniquely identifies an entry in the historyControl table Each such entry defines a set of samples at a particular interval for an interface on the device The range is 1 to 65535 History Control Data Source The source interface for which historical data is collected History Control Buckets Requested The requested number of discrete time intervals over which data is to be sav...

Page 294: ...s the entries in the RMON alarm table Format no rmon collection history index number Mode Interface Config Format show rmon alarms alarm alarm index Mode Privileged EXEC Parameter Description Alarm Index An index that uniquely identifies an entry in the alarm table Each entry defines a diagnostic sample at a particular interval for an object on the device The range is 1 to 65535 Alarm Variable The...

Page 295: ... range is 2147483648 to 2147483647 The default is 1 Alarm Rising Event Index The index of the eventEntry that is used when a rising threshold is crossed The range is 1 to 65535 The default is 1 Alarm Falling Threshold The falling threshold for the sample statistics The range is 2147483648 to 2147483647 The default is 1 Alarm Falling Event Index The index of the eventEntry that is used when a falli...

Page 296: ... Each such entry defines a set of samples at a particular interval for an interface on the device The range is 1 to 65535 History Control Data Source The source interface for which historical data is collected History Control Buckets Requested The requested number of discrete time intervals over which data is to be saved The range is 1 to 65535 The default is 50 History Control Buckets Granted The...

Page 297: ...rHistoryControl 8 1 0 4 1800 50 10 monitorHistoryControl 9 1 0 5 30 50 10 monitorHistoryControl 10 1 0 5 1800 50 10 monitorHistoryControl 11 1 0 6 30 50 10 monitorHistoryControl 12 1 0 6 1800 50 10 monitorHistoryControl 13 1 0 7 30 50 10 monitorHistoryControl 14 1 0 7 1800 50 10 monitorHistoryControl 15 1 0 8 30 50 10 monitorHistoryControl 16 1 0 8 1800 50 10 monitorHistoryControl 17 1 0 9 30 50 1...

Page 298: ...nt that is to be generated when the appropriate conditions occur The range is 1 to 65535 Event Description A comment describing the event entry The default is alarmEvent Event Type The type of notification that the probe makes about the event Possible values are None Log SNMP Trap Log and SNMP Trap The default is None Event Owner Owner string associated with the entry The default is monitorEvent E...

Page 299: ...h entry defines a set of samples at a particular interval for an interface on the device The range is 1 to 65535 History Control Data Source The source interface for which historical data is collected History Control Buckets Requested The requested number of discrete time intervals over which data is to be saved The range is 1 to 65535 The default is 50 History Control Buckets Granted The number o...

Page 300: ...h or had a bad Frame Check Sequence FCS and are less than 64 octets in length excluding framing bits including FCS octets Jabbers Total number of jabber packets Packets are longer than 1518 octets excluding framing bits including FCS octets and are not an integral number of octets in length or had a bad Frame Check Sequence FCS Octets Total number of octets received on the interface Packets Total ...

Page 301: ... 0 0 0 0 Jan 01 1970 21 45 15 0 0 0 0 0 Jan 01 1970 21 45 45 0 0 0 0 0 Jan 01 1970 21 46 15 0 0 0 0 0 The following shows example CLI display output for the command CN1610 show rmon history 1 throughput Sample set 1 Owner myowner Interface 1 0 1 Interval 30 Requested Samples 10 Granted Samples 10 Maximum table size 1758 Time Octets Packets Broadcast Multicast Util Jan 01 1970 21 41 43 0 0 0 0 1 Ja...

Page 302: ...0 21 45 15 0 0 Jan 01 1970 21 45 45 0 0 Jan 01 1970 21 46 15 0 0 show rmon log This command displays the entries in the RMON log table The following shows example CLI display output for the command CN1610 show rmon log Event Description Time Format show rmon log event index Mode Privileged EXEC Parameter Description Maximum table size Maximum number of entries that the log table can hold Event Eve...

Page 303: ...ce Octets Total number of octets received on the interface Packets Total number of packets received including error packets on the interface Broadcast Total number of good broadcast packets received on the interface Multicast Total number of good multicast packets received on the interface CRC Align Errors Total number of packets received have a length excluding framing bits including FCS octets o...

Page 304: ... packets which are 64 octets in length excluding framing bits including FCS octets 65 127 Octets Total number of packets which are between 65 and 127 octets in length excluding framing bits including FCS octets 128 255 Octets Total number of packets which are between 128 and 255 octets in length excluding framing bits including FCS octets 256 511 Octets Total number of packets which are between 25...

Page 305: ... 0 HC Overflow Pkts 512 1023 Octets 0 HC Pkts 512 1023 Octets 0 HC Overflow Pkts 1024 1518 Octets 0 HC Pkts 1024 1518 Octets 0 HC Overflow Octets Total number of HC overflow octets HC Overflow Pkts 64 Octets Total number of HC overflow packets which are 64 octets in length HC Overflow Pkts 65 127 Octets Total number of HC overflow packets which are between 65 and 127 octets in length HC Overflow P...

Page 306: ...method of sampling the selected variable and calculating the value to be compared against the thresholds Possible types are Absolute Value or Delta Value The default is Absolute Value High Capacity Alarm Absolute Value The absolute value that is the unsigned value of the hcAlarmVariable statistic during the last sampling period The value during the current sampling period is not made available unt...

Page 307: ...ow The lower 32 bits of the absolute value for threshold for the sampled statistic The range is 0 to 4294967295 The default is 1 High Capacity Alarm Falling Threshold Absolute Value High The upper 32 bits of the absolute value for threshold for the sampled statistic The range is 0 to 4294967295 The default is 0 High Capacity Alarm Falling Threshold Value Status This object indicates the sign of th...

Page 308: ...hreshold Low 1 Falling Threshold Status Positive Rising Event 1 Falling Event 2 Startup Alarm Rising Falling Owner MibBrowser High Capacity Alarm Failed Attempts The number of times the associated hcAlarmVariable instance was polled on behalf of thie hcAlarmEntry while in the active state and the value was not available This object is a 32 bit counter value that is read only High Capacity Alarm Ow...

Page 309: ...306 Remote Monitoring Commands ...

Page 310: ...on page 391 GVRP Commands on page 394 GMRP Commands on page 397 Port Based Network Access Control Commands on page 401 802 1X Supplicant Commands on page 428 Storm Control Commands on page 433 Link Local Protocol Filtering Commands on page 442 Port Channel LAG 802 3ad Commands on page 444 Port Channel LAG 802 3ad Commands on page 444 Port Mirroring Commands on page 466 Static MAC Filtering Command...

Page 311: ...e 583 Note The commands in this chapter are in one of three functional groups Show commands display switch settings statistics and other information Configuration commands configure features and options of the switch For every configuration command there is a show command that displays the configuration setting Clear commands clear some or all of the settings to factory defaults ...

Page 312: ...enters Interface Config mode for port 1 0 1 CN1610 configure CN1610 config interface 1 0 1 CN1610 interface 1 0 1 The following example enters Interface Config mode for ports 1 0 1 through 1 0 4 CN1610 configure CN1610 config interface 1 0 1 1 0 4 CN1610 interface 1 0 1 1 0 4 auto negotiate This command enables automatic negotiation on a port or range of ports no auto negotiate This command disabl...

Page 313: ...it MTU size in bytes for frames that ingress or egress the interface You can use the mtu command to configure jumbo frame support for physical and port channel LAG interfaces For the standard FASTPATH implementation the MTU size is a valid integer between 1522 9216 for tagged packets and a valid integer between 1518 9216 for untagged packets Format no auto negotiate Mode Interface Config Default e...

Page 314: ...size in bytes for the interface shutdown This command disables a port or range of ports Note You can use the shutdown command on physical and port channel LAG interfaces but not on VLAN routing interfaces no shutdown This command enables a port shutdown all This command disables all ports Default 1518 untagged Format mtu 1518 12288 Mode Interface Config Format no mtu Mode Interface Config Default ...

Page 315: ...tiation on the port Use the command without the auto keyword to ensure auto negotiation is disabled and to set the port speed and mode according to the command values If auto negotiation is disabled the speed and duplex mode must be set speed all This command sets the speed and duplex setting for all interfaces Default enabled Format shutdown all Mode Global Config Format no shutdown all Mode Glob...

Page 316: ... must be enabled in order for it to be allowed into the network May be enabled or disabled The factory default is enabled Physical Mode The desired port speed and duplex mode If auto negotiation support is selected then the duplex mode and speed is set from the auto negotiation process Note that the maximum capability of the port full duplex 100M is advertised Otherwise this object determines the ...

Page 317: ...Enable long 0 5 Enable Auto 100 Full Up Enable Enable long 0 6 Enable Auto 100 Full Up Enable Enable long 0 7 Enable Auto 100 Full Up Enable Enable long 0 8 Enable Auto 100 Full Up Enable Enable long 1 1 Enable Down Disable N A N A 1 2 Enable Down Disable N A N A 1 3 Enable Down Disable N A N A 1 4 Enable Down Disable N A N A 1 5 Enable Down Disable N A N A 1 6 Enable Down Disable N A N A The foll...

Page 318: ...ble N A N A 1 6 Enable Down Disable N A N A show port advertise Use this command to display the local administrative link advertisement configuration local operational link advertisement and the link partner advertisement for an interface It also displays priority Resolution for speed and duplex as per 802 3 Annex 28B 3 It displays the Auto negotiation state Phy Master Slave Clock configuration an...

Page 319: ...iation Enabled Clock Auto 1000f 1000h 100f 100h 10f 10h Admin Local Link Advertisement no no yes no yes no Oper Local Link Advertisement no no yes no yes no Oper Peer Advertisement no no yes yes yes yes Priority Resolution yes Broadcom FASTPATH Switching show port advertise Port Type Neg Operational Link Advertisement 0 1 Gigabit Level Enabled 1000f 100f 100h 10f 10h 0 2 Gigabit Level Enabled 1000...

Page 320: ...at show port description slot port Mode Privileged EXEC Term Definition Interface slot port ifIndex The interface index number associated with the port Description The alpha numeric description of the interface created by the command description on page 310 MAC address The MAC address of the port The format is 6 two digit hexadecimal numbers that are separated by colons for example 01 23 45 67 89 ...

Page 321: ...ing tree This command sets the spanning tree operational mode to enabled no spanning tree This command sets the spanning tree operational mode to disabled While disabled the spanning tree configuration is retained and can be changed but is not activated spanning tree auto edge Use this command to allow the interface to become an edge port if it does not receive any BPDUs within a given amount of t...

Page 322: ...nated bridge backbonefast enabled switches send a Root Link Query RLQ request to all non designated ports except the port from which it received the inferior BPDU This check validates that the switch can receive packets from the root on ports where it expects to receive BPDUs The port from which the original inferior BPDU was received is excluded because it has already encountered a failure Design...

Page 323: ... for FastBackbone and FastUplink Even if FastUplink and FastBackbone are configured they are effective only in PVSTP mode spanning tree bpdufilter Use this command to enable BPDU Filter on an interface or range of interfaces no spanning tree bpdufilter Use this command to disable BPDU Filter on the interface or range of interfaces Default NA Format spanning tree backbonefast Mode Global Config For...

Page 324: ...nterfaces no spanning tree bpduflood Use this command to disable BPDU Flood on the interface or range of interfaces spanning tree bpduguard Use this command to enable BPDU Guard on the switch Default disabled Format spanning tree bpdufilter default Mode Global Config Default disabled Format no spanning tree bpdufilter default Mode Global Config Default disabled Format spanning tree bpduflood Mode ...

Page 325: ...e the system configuration or have a no version spanning tree configuration name This command sets the Configuration Identifier Name for use in identifying the configuration that this switch is currently using The name is a string of up to 32 characters no spanning tree configuration name This command resets the Configuration Identifier Name to its default Mode Global Config Default disabled Forma...

Page 326: ...ault value spanning tree cost Use this command to configure the external path cost for port used by a MST instance When the auto keyword is used the path cost from the port to the root bridge is automatically determined by the speed of the interface To configure the cost manually specify a cost value from 1 200000000 no spanning tree cost This command resets the auto edge status of the port to the...

Page 327: ...Use 802 1d to specify that the switch transmits ST BPDUs rather than MST BPDUs IEEE 802 1d functionality supported Use 802 1s to specify that the switch transmits MST BPDUs IEEE 802 1s functionality supported Use 802 1w to specify that the switch transmits RST BPDUs rather than MST BPDUs IEEE 802 1w functionality supported no spanning tree forceversion This command sets the Force Protocol Version ...

Page 328: ...ernal spanning tree to the default value spanning tree guard This command selects whether loop guard or root guard is enabled on an interface or range of interfaces If neither is enabled then the port operates in accordance with the multiple spanning tree protocol no spanning tree guard This command disables loop guard or root guard on the interface Default 15 Format spanning tree forward time 4 3...

Page 329: ...command sets the Bridge Max Hops parameter to a new value for the common and internal spanning tree The max hops value is a range from 6 to 40 no spanning tree max hops This command sets the Bridge Max Hops parameter for the common and internal spanning tree to the default value spanning tree mode This command configures global spanning tree mode per VLAN spanning tree On a switch only one mode ca...

Page 330: ...ing BPDUs and supports the discarding learning and forwarding states When the mode is changed to PVRSTP version 0 STP BPDUs are no longer transmitted and version 2 PVRSTP BPDUs that carry per VLAN information are transmitted on the VLANs enabled for spanning tree If a version 0 BPDU is seen PVRSTP reverts to sending version 0 BPDUs Per VLAN Rapid Spanning Tree Protocol PVRSTP embeds support for PV...

Page 331: ...the Path Cost or Port Priority for this port within the multiple spanning tree instance or in the common and internal spanning tree to the respective default values If you specify an mstid parameter that corresponds to an existing multiple spanning tree instance you are configuring that multiple spanning tree instance If you specify 0 defined as the default CIST ID as the mstid you are configuring...

Page 332: ...y This command sets the bridge priority for a specific multiple spanning tree instance The parameter mstid is a number that corresponds to the desired existing multiple spanning tree instance The priority value is a number within a range of 0 to 4094 If you specify 0 defined as the default CIST ID as the mstid this command sets the Bridge Priority parameter to a new value for the common and intern...

Page 333: ...rresponds to the desired existing multiple spanning tree instance The vlanid can be specified as a single VLAN a list or a range of values To specify a list of VLANs enter a list of VLAN IDs in the range 1 to 4093 each separated by a comma with no spaces in between To specify a range of VLANs separate the beginning and ending VLAN ID with a dash Spaces and zeros are not permitted The VLAN IDs may ...

Page 334: ...e port to allow the operator to select the relative importance of the port in the forwarding process Set this value to a lower number to prefer a port for forwarding of frames All LAN ports have 128 as priority value by default PVSTP PVRSTP puts the LAN port with the lowest LAN port number in the forwarding state and blocks other LAN ports The application uses the port priority value when the LAN ...

Page 335: ...status of the port to the default value spanning tree transmit This command sets the Bridge Transmit Hold Count parameter Default enabled Format spanning tree port priority 0 240 Mode Interface Config Default Enabled Format spanning tree tcnguard Mode Interface Config Format no spanning tree tcnguard Mode Interface Config Default 6 Format spanning tree transmit hold count Mode Global Config Parame...

Page 336: ...cting a root port failure and changes the new root port directly to the fowarding state A TCN is sent for this event After a switchover to an alternate port new root port uplinkfast multicasts a gratuitous frame on the new root port on behalf of each attached machine so that the rest of the network knows to use the secondary link to reach that machine PVRSTP embeds support for backbonefast and upl...

Page 337: ... in Progress Boolean value of the Topology Change parameter for the switch indicating if a topology change is in progress on any port assigned to the common and internal spanning tree Designated Root The bridge identifier of the root bridge It is made up from the bridge priority and the base MAC address of the bridge Root Path Cost Value of the Root Path Cost parameter for the common and internal ...

Page 338: ...idge Forwarding Delay 15 Hello Time 2 Bridge Hold Time 6 CST Regional Root 80 00 00 10 18 48 FC 07 Regional Root Path Cost 0 Associated FIDs Associated VLANs Bridge Hold Time Minimum time between transmission of Configuration Bridge Protocol Data Units BPDUs CST Regional Root Bridge Identifier of the CST Regional Root It is made up using the bridge priority and the base MAC address of the bridge R...

Page 339: ...Ns 0 RLQ response PDUs sent all VLANs 0 Format show spanning tree backbonefast Mode Privileged EXEC User EXEC Term Definition Transitions via Backbonefast The number of backbonefast transitions Inferior BPDUs received all VLANs The number of inferior BPDUs received on all VLANs RLQ request PDUs received all VLANs The number of root link query RLQ requests PDUs received on all VLANs RLQ response PD...

Page 340: ...Bridge Forward Delay 15 Bridge Hold Time 6 CN1610 Format show spanning tree brief Mode Privileged EXEC User EXEC Term Definition Bridge Priority Configured value Bridge Identifier The bridge identifier for the selected MST instance It is made up using the bridge priority and the base MAC address of the bridge Bridge Max Age Configured value Bridge Max Hops Bridge max hops count for the device Brid...

Page 341: ...e Privileged EXEC User EXEC Term Definition Hello Time Admin hello time for this port Port Mode Enabled or disabled BPDU Guard Effect Enabled or disabled Root Guard Enabled or disabled Loop Guard Enabled or disabled TCN Guard Enable or disable the propagation of received topology change notifications and topology changes to other ports BPDU Filter Mode Enabled or disabled BPDU Flood Mode Enabled o...

Page 342: ...itted 0 RSTP BPDUs Received 0 MSTP BPDUs Transmitted 0 MSTP BPDUs Received 0 CN1610 The following shows example CLI display output for the command CN1610 show spanning tree interface lag 1 Hello Time Not Configured STP BPDUs Received Spanning Tree Protocol Bridge Protocol Data Units received RSTP BPDUs Transmitted Rapid Spanning Tree Protocol Bridge Protocol Data Units sent RSTP BPDUs Received Rap...

Page 343: ...Us Received 0 CN1610 show spanning tree mst detailed This command displays the detailed settings for an MST instance The following shows example CLI display output for the command CN1610 show spanning tree mst detailed 0 MST Instance ID 0 MST Bridge Priority 32768 MST Bridge Identifier 80 00 00 10 18 48 FC 07 Time Since Topology Change 8 day 3 hr 47 min 7 sec Topology Change Count 0 Topology Chang...

Page 344: ...lternate way to specify the LAG interface lag lag intf num can also be used to specify the LAG interface where lag intf num is the LAG port number Format show spanning tree mst port detailed mstid slot port lag lag intf num Mode Privileged EXEC User EXEC Term Definition MST Instance ID The ID of the existing multiple spanning tree MST instance identifier The value is 0 4094 Port Identifier The por...

Page 345: ...designated root for this port Root Path Cost The path cost to get to the root bridge for this instance The root path cost is zero if the bridge is the root bridge for that instance Designated Bridge Bridge Identifier of the bridge with the Designated Port Designated Port Identifier Port on the Designated Bridge that offers the lowest cost to the LAN Loop Inconsistent State The current loop inconsi...

Page 346: ...ridge of the CIST across the boundary of the region This means that if the port is a boundary port for an MSTP region then the external path cost is used Designated Root Identifier of the designated root for this port within the CST Root Path Cost The root path cost to the LAN by the port Designated Bridge The bridge containing the designated port Designated Port Identifier Port on the Designated ...

Page 347: ...ed value indicating if this port is part of a point to point link CST Regional Root The regional root identifier in use for this port CST Internal Root Path Cost The internal root path cost to the LAN by the designated external port Loop Inconsistent State The current loop inconsistent state of this port in this MST instance When in loop inconsistent state the port has failed to receive BPDUs whil...

Page 348: ...42 Port Priority 96 Port Forwarding State Disabled Port Role Disabled Auto calculate Port Path Cost Enabled Port Path Cost 0 Auto Calculate External Port Path Cost Enabled External Port Path Cost 0 Designated Root 80 00 00 10 18 48 FC 07 Root Path Cost 0 Designated Bridge 80 00 00 10 18 48 FC 07 Designated Port Identifier 00 00 Topology Change Acknowledge FALSE Hello Time 2 Edge Port FALSE Edge Po...

Page 349: ... for one or all ports within the common and internal spanning tree The following shows example CLI display output for the command in slot port format CN1610 show spanning tree mst port summary 0 0 1 MST Instance ID CST Format show spanning tree mst port summary mstid slot port lag lag intf num all Mode Privileged EXEC User EXEC Term Definition MST Instance ID The MST instance associated with this ...

Page 350: ...Disabled Disabled show spanning tree mst port summary active This command displays settings for the ports within the specified multiple spanning tree instance that are active links Format show spanning tree mst port summary mstid active Mode Privileged EXEC User EXEC Term Definition MST Instance ID The ID of the existing MST instance Interface slot port STP Mode Indicates whether spanning tree is ...

Page 351: ...settings and parameters for the switch The following details are displayed on execution of the command Port Role The role of the specified port within the spanning tree Desc Indicates whether the port is in loop inconsistent state or not This field is blank if the loop guard feature is not available Term Definition Format show spanning tree mst summary Mode Privileged EXEC User EXEC Term Definitio...

Page 352: ...urrently supported IEEE 802 1s IEEE 802 1w or IEEE 802 1d based upon the Force Protocol Version parameter BPDU Guard Mode Enabled or disabled BPDU Filter Mode Enabled or disabled Configuration Name Identifier used to identify the configuration currently being used Configuration Revision Level Identifier used to identify the configuration currently being used Configuration Digest Key A generated Ke...

Page 353: ...0 show spanning tree uplinkfast Uplinkfast is enabled BPDU update rate 150 packets sec Uplinkfast Statistics Uplinkfast transitions all VLANs 0 Proxy multicast addresses transmitted all VLANs 0 Format show spanning tree uplinkfast Mode Privileged EXEC User EXEC Term Definition Uplinkfast transitions all VLANs The number of uplinkfast transitions on all VLANs Proxy multicast addresses transmitted a...

Page 354: ...and configures the Management VLAN ID no network mgmt_vlan This command sets the Management VLAN ID to the default vlan This command creates a new VLAN and assigns it an ID The ID is a valid VLAN identification number ID 1 is reserved for the default VLAN VLAN range is 2 4093 Format vlan database Mode Privileged EXEC Default 1 Format network mgmt_vlan 1 4093 Mode Privileged EXEC Format no network ...

Page 355: ...rface tagged frames are discarded With any option VLAN tagged frames are forwarded in accordance with the IEEE 802 1Q VLAN Specification no vlan acceptframe This command resets the frame acceptance mode for the interface or range of interfaces to the default value vlan ingressfilter This command enables ingress filtering on an interface or range of interfaces If ingress filtering is disabled frame...

Page 356: ... 4093 vlan name This command changes the name of a VLAN The name is an alphanumeric string of up to 32 characters and the ID is a valid VLAN identification number ID range is 1 4093 no vlan name This command sets the name of a VLAN to a blank string vlan participation This command configures the degree of participation for a specific interface or range of interfaces in a VLAN The ID is a valid VLA...

Page 357: ...gistration fixed exclude The interface is never a member of this VLAN This is equivalent to registration forbidden auto The interface is dynamically registered in this VLAN by GVRP and will not participate in this VLAN unless a join request is received on this interface This is equivalent to registration normal Format vlan participation all exclude include auto 1 4093 Mode Global Config Participat...

Page 358: ... forwarded in accordance with the IEEE 802 1Q VLAN Specification auto The interface is dynamically registered in this VLAN by GVRP The interface will not participate in this VLAN unless a join request is received on this interface This is equivalent to registration normal Participation Options Definition Default all Format vlan port acceptframe all vlanonly admituntaggedonly all Mode Global Config...

Page 359: ...ing is disabled frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN vlan port pvid all This command changes the VLAN ID for all interface no vlan port pvid all This command sets the VLAN ID for all interfaces to 1 Format no vlan port acceptframe all Mode Global Config Default disabled Forma...

Page 360: ...transmitted as untagged frames The ID is a valid VLAN identification number vlan protocol group This command adds protocol based VLAN groups to the system The groupid is a unique number from 1 128 that is used to identify the group in subsequent commands vlan protocol group name This command assigns a name to a protocol based VLAN groups The groupname variable can be a character string of 0 to 16 ...

Page 361: ...arp and ipx and hexadecimal or decimal values ranging from 0x0600 1536 to 0xFFFF 65535 The protocol list can accept up to 16 protocols separated by a comma no vlan protocol group add protocol This command removes the protocols specified in the protocol list from this protocol based VLAN group that is identified by this groupid protocol group This command attaches a vlanid to the protocol based VLA...

Page 362: ...ded to the group no protocol vlan group This command removes the interface from this protocol based VLAN group that is identified by this groupid protocol vlan group all This command adds all physical interfaces to the protocol based VLAN identified by groupid You can associate multiple interfaces with a group but you can only associate each interface and protocol combination with one group If add...

Page 363: ...ce or range of interfaces Default none Format protocol vlan group all groupid Mode Global Config Format no protocol vlan group all groupid Mode Global Config Format show port protocol groupid all Mode Privileged EXEC Term Definition Group Name The group name of an entry in the Protocol based VLAN table Group ID The group identifier of the protocol group VLAN The VLAN associated with this Protocol ...

Page 364: ...mber no vlan tagging This command configures the tagging behavior for a specific interface or range of interfaces in a VLAN to disabled If tagging is disabled traffic is transmitted as untagged frames The ID is a valid VLAN identification number vlan association subnet This command associates a VLAN to a specific IP subnet Default 1 Format vlan pvid 1 4093 Mode Interface Config Interface Range Con...

Page 365: ...SPAN VLAN show vlan This command displays information about the configured private VLANs including primary and secondary VLAN IDs type community isolated or primary and the ports which belong to a private VLAN Format no vlan association subnet ipaddr netmask Mode VLAN Config Format vlan association mac macaddr vlanid Mode VLAN database Format no vlan association mac macaddr Mode VLAN database Defa...

Page 366: ... associated with this VLAN as a convenience It can be up to 32 alphanumeric characters long including blanks The default is blank VLAN ID 1 always has a name of Default This field is optional VLAN Type Type of VLAN which can be Default VLAN ID 1 or static one that is configured and permanently defined or Dynamic A dynamic VLAN can be created by GVRP registration or during the 802 1X authentication...

Page 367: ...istration normal in the IEEE 802 1Q standard Configured The configured degree of participation of this port in this VLAN The permissible values are Include This port is always a member of this VLAN This is equivalent to registration fixed in the IEEE 802 1Q standard Exclude This port is never a member of this VLAN This is equivalent to registration forbidden in the IEEE 802 1Q standard Autodetect ...

Page 368: ...k VLAN ID 1 always has a name of Default This field is optional VLAN Type Type of VLAN which can be Default VLAN ID 1 or static one that is configured and permanently defined or a Dynamic one that is created by GVRP registration Format show vlan port slot port all Mode Privileged EXEC User EXEC Term Definition Interface slot port It is possible to set the parameters for all ports by using the sele...

Page 369: ... or disabled When enabled the frame is discarded if this port is not a member of the VLAN with which this frame is associated In a tagged frame the VLAN is identified by the VLAN ID in the tag In an untagged frame the VLAN is the Port VLAN ID specified for the port that received this frame When disabled all frames are forwarded in accordance with the 802 1Q VLAN bridge specification The factory de...

Page 370: ...dress is specified the VLAN associations of all the configured MAC addresses are displayed Static configuration The static configuration for the port including the VLAN name and egress rule Forbidden VLANs The forbidden VLAN configuration for the port including the VLAN and name Term Definition Format show vlan association subnet ipaddr netmask Mode Privileged EXEC Term Definition IP Address The I...

Page 371: ... has forwarding and or filtering information The format is 6 or 8 two digit hexadecimal numbers that are separated by colons for example 01 23 45 67 89 AB In an IVL system the MAC address will be displayed as 8 bytes VLAN ID There is a VLAN Identifier VID associated with each VLAN ...

Page 372: ...s the ethertype for the switch The two byte hex ethertype is used as the first 16 bits of the DVLAN tag The ethertype may have the values of 802 1Q vman or custom If the ethertype has an optional value of custom then it is a custom tunnel value and ethertype must be set to a value in the range of 1 to 65535 no dvlan tunnel ethertype This command removes the ethertype value for the switch Default v...

Page 373: ...interface Note When you use the mode dvlan tunnel command on an interface it becomes a service provider port Ports that do not have double VLAN tunneling enabled are customer ports no mode dvlan tunnel This command is used to disable Double VLAN Tunneling on the specified interface By default Double VLAN Tunneling is disabled Default disabled Format mode dot1q tunnel Mode Interface Config Format n...

Page 374: ...rfaces Format show dot1q tunnel interface slot port all Mode Privileged EXEC User EXEC Term Definition Interface slot port Mode The administrative mode through which Double VLAN Tunneling can be enabled or disabled The default value for this field is disabled EtherType A 2 byte hex EtherType to be used as the first 16 bits of the DVLAN tunnel There are three different EtherType tags The first is 8...

Page 375: ... lag lag intf num can also be used to specify the LAG interface where lag intf num is the LAG port number Mode The administrative mode through which Double VLAN Tunneling can be enabled or disabled The default value for this field is disabled EtherType A 2 byte hex EtherType to be used as the first 16 bits of the DVLAN tunnel There are three different EtherType tags The first is 802 1Q which repre...

Page 376: ...or community port or a mapping for a promiscuous port Format switchport private vlan host association primary vlan id secondary vlan id mapping primary vlan id add remove secondary vlan list Mode Interface Config Parameter Description host association Defines the VLAN association for community or host ports mapping Defines the private VLAN mapping for promiscuous ports primary vlan id Primary VLAN...

Page 377: ...mapping from the port private vlan This command configures the private VLANs and configures the association between the primary private VLAN and secondary VLANs Format no switchport private vlan host association mapping Mode Interface Config Default general Format switchport mode private vlan host promiscuous Mode Interface Config Parameter Description host Configures an interface as a private VLA...

Page 378: ...ated primary Mode VLAN Config Parameter Description association Associates the primary and secondary VLAN secondary vlan list A list of secondary VLANs to be mapped to a primary VLAN community Designates a VLAN as a community VLAN isolated Designates a VLAN as the isolated VLAN primary Designates a VLAN as the primary VLAN Format no private vlan association Mode VLAN Config ...

Page 379: ...eived with a VLAN ID of which the port is not a member are discarded and MAC learning is not performed The Trunk ports always transmit packets untagged on native VLAN In Access mode the port becomes a member of only one VLAN The port sends and receives untagged traffic It can also receive tagged traffic The ingress filtering is enabled on port It means that when the VLAN ID of received packet is n...

Page 380: ...d and MAC learning is not performed If a VLAN is added to the system after a port is set to the Trunk mode and it is in the allowed VLAN list this VLAN is assigned to this port automatically Default All Format switchport trunk allowed vlan vlan list all add vlan list remove vlan list except vlan list Mode Interface Config Parameter Description all Specifies all VLANs from 1 to 4093 This keyword is...

Page 381: ...chport trunk native vlan Use this command to reset the switch port trunk mode native VLAN to its default value switchport access vlan Use this command to configure the VLAN on the Access port Only one VLAN can be assigned to the Access port Access ports are members of VLAN 1 by default Access ports may be assigned to a VLAN other than VLAN 1 Removing vlan list Either a single VLAN number from 1 to...

Page 382: ...ow interfaces switchport 1 0 1 Port 1 0 1 VLAN Membership Mode General Access Mode VLAN 1 default General Mode PVID 1 default General Mode Ingress Filtering Disabled General Mode Acceptable Frame Type Admit all General Mode Dynamically Added VLANs General Mode Untagged VLANs 1 General Mode Tagged VLANs General Mode Forbidden VLANs Trunking Mode Native VLAN 1 default Trunking Mode Native VLAN taggi...

Page 383: ...g Disable Trunking Mode VLANs Enabled All Protected Port False show interfaces switchport Use this command to display the Switchport configuration for a selected mode per interface If the interface is not specified the configuration for all interfaces is displayed Switching show interfaces switchport access 1 0 1 Intf PVID 1 0 1 1 Switching show interfaces switchport trunk 1 0 6 Intf PVID Allowed ...

Page 384: ... Admit All 7 10 50 55 9 100 200 88 96 Switching show interfaces switchport general Intf PVID Ingress Acceptable Untagged Tagged Forbidden Dynamic Filtering Frame Type Vlans Vlans Vlans Vlans 1 0 1 1 Enabled Admit All 1 4 7 30 40 55 3 100 200 88 96 1 0 2 1 Disabled Admit All 1 30 40 55 none none ...

Page 385: ...ect attack on voice components QoS based on IEEE 802 1P class of service CoS uses classification and scheduling to sent network traffic from the switch in a predictable manner The system uses the source MAC of the traffic traveling through the port to identify the IP phone data flow voice vlan Global Config Use this command to enable the Voice VLAN capability on the switch no voice vlan Global Con...

Page 386: ...rward all voice traffic through the specified VLAN Valid VLAN ID s are from 1 to 4093 the max supported by the platform dot1p Configure the IP phone to use 802 1p priority tagging for voice traffic and to use the default native VLAN VLAN 0 to carry all traffic Valid priority range is 0 to 7 none Allow the IP phone to use its own configuration to send untagged voice traffic untagged Configure the p...

Page 387: ...AN mode Term Definition Voice VLAN Mode The admin mode of the Voice VLAN on the interface Voice VLAN ID The Voice VLAN ID Voice VLAN Priority The do1p priority for the Voice VLAN on the port Voice VLAN Untagged The tagging option for the Voice VLAN traffic Voice VLAN CoS Override The Override option for the voice traffic arriving on the port Voice VLAN Status The operational status of Voice VLAN o...

Page 388: ...for untagged packets for all ports presently plugged into the device The range for the priority is 0 7 Any subsequent per port configuration will override this configuration setting vlan priority This command configures the default 802 1p port priority assigned for untagged packets for a specific interface The range for the priority is 0 7 Format vlan port priority all priority Mode Global Config ...

Page 389: ...ntrol symmetric asymm etric Use this command to enable or disable the symmetric or asymmetric flow control on the switch Asymmetric here means that Tx Pause can never be enabled Only Rx Pause can be enabled no flowcontrol symmetric asymm etric Use the no form of this command to disable symmetric or asymmetric flow control flowcontrol Use this command to enable or disable the symmetric flow control...

Page 390: ...rol operational flow control status is displayed as Inactive The following shows example CLI display output for the command CN1610 show flowcontrol Admin Flow Control Symmetric Port Flow Control RxPause TxPause Oper 0 1 Active 310 611 0 2 Inactive 0 0 The following shows example CLI display output for the command CN1610 show flowcontrol interface 0 1 Admin Flow Control Symmetric Port Flow Control ...

Page 391: ...ace is no longer a member of a LAG the current configuration for that interface automatically becomes effective switchport protected Global Config Use this command to create a protected port group The groupid parameter identifies the set of protected ports Use the name name pair to assign a name to the protected port group The name can be up to 32 alphanumeric characters long including blanks The ...

Page 392: ... Interface Config Use this command to configure a port as unprotected The groupid parameter identifies the set of protected ports to which this interface is assigned show switchport protected This command displays the status of all the interfaces including protected and unprotected interfaces Default unprotected Format switchport protected groupid Mode Interface Config Format no switchport protect...

Page 393: ...s protected for this group this field is blank Term Definition Format show interfaces switchport slot port groupid Mode Privileged EXEC User EXEC Term Definition Name A string associated with this group as a convenience It can be up to 32 alphanumeric characters long including blanks The default is blank This field is optional Protected Indicates whether the interface is protected or not It shows ...

Page 394: ...istering membership for a VLAN or multicast group This command has an effect only when GVRP is enabled The time is from 10 to 100 centiseconds The value 20 centiseconds is 0 2 seconds no set garp timer join This command sets the GVRP join time to the default and only has an effect when GVRP is enabled set garp timer leave This command sets the GVRP leave time for one interface a range of interface...

Page 395: ...ll be unregistered Participants would need to rejoin in order to maintain registration The value applies per port and per GARP participation The time may range from 200 to 6000 centiseconds The value 1000 centiseconds is 10 seconds You can use this command on all ports Global Config mode or on a single port or a range of ports Interface Config mode and it only has an effect only when GVRP is enabl...

Page 396: ... show garp This command displays GARP information Format no set garp timer leaveall Mode Interface Config Global Config Format show garp Mode Privileged EXEC User EXEC Term Definition GMRP Admin Mode The administrative mode of GARP Multicast Registration Protocol GMRP for the system GVRP Admin Mode The administrative mode of GARP VLAN Registration Protocol GVRP for the system ...

Page 397: ...led the system does not forward GVRP messages set gvrp adminmode This command enables GVRP on the system no set gvrp adminmode This command disables GVRP set gvrp interfacemode This command enables GVRP on a single port Interface Config mode a range of ports Interface Range mode or all ports Global Config mode Default disabled Format set gvrp adminmode Mode Privileged EXEC Format no set gvrp admin...

Page 398: ...facemode Mode Interface Config Global Config Format show gvrp configuration slot port all Mode Privileged EXEC User EXEC Term Definition Interface slot port Join Timer The interval between the transmission of GARP PDUs registering or reregistering membership for an attribute Current attributes are a VLAN or multicast group There is an instance of this timer on a per Port per GARP participant basis...

Page 399: ...conds LeaveAll Timer This Leave All Time controls how frequently LeaveAll PDUs are generated A LeaveAll PDU indicates that all registrations will shortly be deregistered Participants will need to rejoin in order to maintain registration There is an instance of this timer on a per Port per GARP participant basis The Leave All Period Timer is set to a random value in the range of LeaveAllTime to 1 5...

Page 400: ...set gmrp adminmode This command enables GARP Multicast Registration Protocol GMRP on the system no set gmrp adminmode This command disables GARP Multicast Registration Protocol GMRP on the system set gmrp interfacemode This command enables GARP Multicast Registration Protocol on a single interface Interface Config mode a range of interfaces or all interfaces Global Config mode If an interface whic...

Page 401: ...s disabled and port channel LAG membership is removed from an interface that has GARP enabled show gmrp configuration This command displays Generic Attributes Registration Protocol GARP information for one or all interfaces Default disabled Format set gmrp interfacemode Mode Interface Config Global Config Format no set gmrp interfacemode Mode Interface Config Global Config Format show gmrp configu...

Page 402: ...order to maintain uninterrupted service There is an instance of this timer on a per Port per GARP participant basis Permissible values are 20 to 600 centiseconds 0 2 to 6 0 seconds The factory default is 60 centiseconds 0 6 seconds LeaveAll Timer This Leave All Time controls how frequently LeaveAll PDUs are generated A LeaveAll PDU indicates that all registrations will shortly be deregistered Part...

Page 403: ...or which the switch has forwarding and or filtering information The format is 6 two digit hexadecimal numbers that are separated by colons for example 01 23 45 67 89 AB Type The type of the entry Static entries are those that are configured by the end user Dynamic entries are added to the table as a result of a learning process or protocol Description The text description of this multicast table e...

Page 404: ...re as follows ias Uses the internal authentication server users database for authentication This method can be used in conjunction with any one of the existing methods like local radius etc local Uses the local username database for authentication none Uses no authentication radius Uses the list of all RADIUS servers for authentication The following is an example of the command Broadcom FASTPATH R...

Page 405: ...le EAPOL flood support on the switch no dot1x eapolflood This command disables EAPOL flooding on the switch dot1x dynamic vlan enable Use this command to enable the switch to create VLANs dynamically when a RADIUS assigned VLAN does not exist in the switch Format clear dot1x authentication history slot port Mode Privileged EXEC Format clear radius statistics Mode Privileged EXEC Default disabled F...

Page 406: ...ported by the platform no dot1x guest vlan This command disables Guest VLAN on the interface dot1x initialize This command begins the initialization sequence on the specified port This command is only valid if the control mode for the specified port is auto or mac based If the control mode is not auto or mac based an error will be returned Format no dot1x dynamic vlan enable Mode Global Config Def...

Page 407: ...dentity frame before timing out the supplicant dot1x max users Use this command to set the maximum number of clients supported on an interface or range of interfaces when MAC based dot1x authentication is enabled on the port The maximum users supported per port is dependent on the product The count value is in the range 1 48 no dot1x max users This command resets the maximum number of clients allo...

Page 408: ... 802 1X port control mode on the specified port to the default value dot1x port control all This command sets the authentication mode to use on all ports Select force unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized Select force authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized Select a...

Page 409: ...dot1x mac auth bypass This command sets the MAB mode on the ports to the default value dot1x re authenticate This command begins the reauthentication sequence on the specified port This command is only valid if the control mode for the specified port is auto or mac based If the control mode is not auto or mac based an error will be returned dot1x re authentication This command enables reauthentica...

Page 410: ...nd to enable the 802 1X monitor mode on the switch The purpose of Monitor mode is to help troubleshoot port based authentication configuration issues without disrupting network access for hosts connected to the switch In Monitor mode a host is granted network access to an 802 1X enabled port even if it fails the authentication process The results of the process are logged for diagnostic purposes F...

Page 411: ... period The time in seconds for which the authenticator waits to see if any EAPOL packets are received on a port before authorizing the port and placing the port in the guest vlan if configured The guest vlan timer is only relevant when guest vlan has been configured on that specific port reauth period The value in seconds of the timer used by the authenticator state machine on this port to determ...

Page 412: ...te machine on this port to timeout the supplicant The supp timeout must be a value in the range 1 65535 server timeout The value in seconds of the timer used by the authenticator state machine on this port to timeout the authentication server The supp timeout must be a value in the range 1 65535 Default guest vlan period 90 seconds reauth period 3600 seconds quiet period 60 seconds tx period 30 se...

Page 413: ...o dot1x unauthenticated vlan This command resets the unauthenticated vlan associated with the port to its default value dot1x user This command adds the specified user to the list of users with access to the specified port or all ports The user parameter must be a configured user no dot1x user This command removes the user from the list of users with access to the specified port or all ports Mode ...

Page 414: ...rying to authenticate a new device connected to a port If one method is unsuccessful or timed out the next method is attempted Each method can only be entered once Ordering is only possible between 802 1x and MAB Captive portal can be configured either as a stand alone method or as the last method in the order no authentication order This command returns the port to the default authentication orde...

Page 415: ...restart This command sets the time in seconds after which reauthentication starts The default time is 300 seconds The timer restarts the authentication only after all the authentication methods fail At the expiration of this timer authentication is reinitiated for the port no authentication restart This command sets the reauthentication value to the default value of 3600 seconds Default authentica...

Page 416: ...or all interfaces or a specified port The following information is displayed for each interface Format show authentication authentication history slot port Mode Privileged EXEC Term Definition Time Stamp The time of the authentication Interface The interface MAC Address The MAC address for the interface Auth Status Method The authentication method and status for the interface Format show authentic...

Page 417: ...ured method order dot1x mab captive portal Enabled method order dot1x mab undefined Configured method order The order of authentication methods used on a port Enabled method order The order of authentication methods used on a port Configured method priority The priority for the authentication methods used on a port Enabled method priority The priority for the authentication methods used on a port ...

Page 418: ...erface 1 0 4 Authentication Restart timer 300 Configured method order dot1x mab captive portal Enabled method order dot1x mab undefined Configured method priority undefined undefined undefined Enabled method priority undefined undefined undefined Number of authenticated clients 0 show authentication methods Use this command to display information about the authentication methods Format show authen...

Page 419: ...efaultList enableList Telnet networkList enableList SSH networkList enableList DOT1X show authentication statistics Use this command to display the authentication statistics for an interface The following information is displayed for each interface Method 3 The third method in the specified authentication login list if any Term Definition Format show authentication statistics slot port Mode Privil...

Page 420: ...ce 802 1X failed attempts The number of failed Dot1x authentication attempts for the port Mab attempts The number of MAB MAC authentication bypass authentication attempts for the port Mab failed attempts The number of failed MAB authentication attempts for the port Captive portal attempts The number of captive portal authentication attempts for the port Captive portal failed attempts The number of...

Page 421: ...rts are displayed Format show dot1x summary slot port all detail slot port statistics slot port Mode Privileged EXEC Term Definition Administrative Mode Indicates whether authentication control on the switch is enabled or disabled VLAN Assignment Mode Indicates whether assignment of an authorized port to a RADIUS assigned VLAN is allowed enabled or not disabled Dynamic VLAN Creation Mode Indicates...

Page 422: ...abled Indicates whether reauthentication is enabled on this port Port Status Indicates whether the port is authorized or unauthorized Possible values are authorized unauthorized Term Definition Port The interface whose configuration is displayed Protocol Version The protocol version associated with this port The only possible value is 1 corresponding to the first version of the dot1x specification...

Page 423: ...rt this parameter is deprecated Quiet Period The timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant The value is expressed in seconds and will be in the range 0 and 65535 Transmit Period The timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request Identit...

Page 424: ...al MAB Mode The operational mode of the MAC authentication bypass feature on the switch MAB might be administratively enabled but not operational if the control mode is not MAC based Vlan ID The VLAN assigned to the port by the radius server This is only valid when the port control mode is not Mac based VLAN Assigned Reason The reason the VLAN identified in the VLAN assigned field has been assigne...

Page 425: ...tication mode This value is used only when the port control mode is not MAC based Unauthenticated VLAN ID Indicates the unauthenticated VLAN configured for this port This value is valid for the port only when the port control mode is not MAC based Session Timeout Indicates the time for which the given session is valid The time period in seconds is returned by the RADIUS server on authentication of...

Page 426: ...LSE Control Direction both Maximum Users 16 Unauthenticated VLAN ID 0 Session Timeout 0 Session Termination Action Default For each client authenticated on the port the show dot1x detail slot port command will display the following MAC based dot1x parameters if the port control mode for that specific port is MAC based Term Definition Supplicant MAC Address The MAC address of the supplicant Authent...

Page 427: ...mes Received The number of EAPOL start frames that have been received by this authenticator EAPOL Logoff Frames Received The number of EAPOL logoff frames that have been received by this authenticator Last EAPOL Frame Version The protocol version number carried in the most recently received EAPOL frame Last EAPOL Frame Source The source MAC address carried in the most recently received EAPOL frame...

Page 428: ...ticator in which the frame type is not recognized EAP Length Error Frames Received The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized Term Definition Format show dot1x authentication history slot port all failed auth only detail Mode Privileged EXEC Term Definition Time Stamp The exact time at which the event occurs Interface Physical...

Page 429: ... port number associated with a client Interface The physical port to which the supplicant is associated User Name The user name used by the client to authenticate to the server Supplicant MAC Address The supplicant device MAC address Session Time The time since the supplicant is logged on Filter ID Identifies the Filter ID returned by the RADIUS server when the client was authenticated This is a c...

Page 430: ...d for the port only when the port control mode is not MAC based Session Termination Action This value indicates the action to be taken once the session timeout expires Possible values are Default and Radius Request If the value is Default the session is terminated and client details are cleared If the value is Radius Request then a reauthentication of the client is performed Term Definition Format...

Page 431: ... the ports are authenticators If the port s attribute needs to be moved from authenticator to supplicant or supplicant to authenticator use this command Format dot1x pae supplicant authenticator Mode Interface Config Format dot1x supplicant port control auto force authorized force_unauthorized Mode Interface Config Parameter Description auto The port is in the Unauthorized state until it presents ...

Page 432: ...t timeout start period This command configures the start period timer interval to wait for the EAP identity request from the authenticator no dot1x supplicant timeout start period This command sets the start period value to the default Default auto Format no dot1x supplicant port control Mode Interface Config Default 3 Format dot1x supplicant max start 1 10 Mode Interface Config Format no dot1x su...

Page 433: ...ext EAP request challenge from the authenticator no dot1x supplicant timeout auth period This command sets the auth period value to the default value dot1x supplicant user Use this command to map the given user to the port Default 60 seconds Format dot1x supplicant timeout held period 1 65535 seconds Mode Interface Config Format no dot1x supplicant timeout held period Mode Interface Config Default...

Page 434: ... the number of EAP Respond ID frames that have been received on the port EAP Response Frames Received Displays the number of valid EAP Respond frames received on the port EAP Req ID Frames Transmitted Displays the number of EAP Requested ID frames transmitted via the port EAP Req Frames Transmitted Displays the number of EAP Request frames transmitted via the port Invalid EAPOL Frames Received Dis...

Page 435: ...d 0 EAPOL Frames Transmitted 0 EAPOL Start Frames Transmitted 3 EAPOL Logoff Frames Received 0 EAP Resp Id frames transmitted 0 EAP Response frames transmitted 0 EAP Req Id frames transmitted 0 EAP Req frames transmitted 0 Invalid EAPOL frames received 0 EAP length error frames received 0 Last EAPOL Frame Version 0 Last EAPOL Frame Source 00 00 00 00 02 01 ...

Page 436: ...of packets through the switch on a per port per type basis Configuring a storm control level also enables that form of storm control Disabling a storm control level using the no version of the command sets the storm control level back to the default value and disables that form of storm control Using the no version of the storm control command not stating a level disables that form of storm contro...

Page 437: ...e of link speed and enable broadcast storm recovery If the mode is enabled broadcast storm recovery is active and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold the traffic is dropped Therefore the rate of broadcast traffic is limited to the configured threshold no storm control broadcast level This command sets the broadcast storm recovery...

Page 438: ...r all interfaces Global Config mode or one or more interfaces Interface Config mode and disables broadcast storm recovery storm control multicast This command enables multicast storm recovery mode for all interfaces Global Config mode or one or more interfaces Interface Config mode If the mode is enabled multicast storm recovery is active and if the rate of L2 multicast traffic ingressing on an in...

Page 439: ...t traffic ingressing on an interface increases beyond the configured threshold the traffic will be dropped Therefore the rate of multicast traffic will be limited to the configured threshold no storm control multicast level This command sets the multicast storm recovery threshold to the default value for all interfaces Global Config mode or one or more interfaces Interface Config mode and disables...

Page 440: ...faces Global Config mode or one or more interfaces Interface Config mode and disables multicast storm recovery storm control unicast This command enables unicast storm recovery mode for all interfaces Global Config mode or one or more interfaces Interface Config mode If the mode is enabled unicast storm recovery is active and if the rate of unknown L2 unicast destination lookup failure traffic ing...

Page 441: ...re the rate of unknown unicast traffic will be limited to the configured threshold This command also enables unicast storm recovery mode for an interface no storm control unicast level This command sets the unicast storm recovery threshold to the default value for all interfaces Global Config mode or one or more interfaces Interface Config mode and disables unicast storm recovery storm control uni...

Page 442: ...lays switch configuration information If you do not use any of the optional parameters this command displays global storm control configuration parameters Broadcast Storm Recovery Mode may be enabled or disabled The factory default is disabled 802 3x Flow Control Mode may be enabled or disabled The factory default is disabled Use the all keyword to display the per port configuration parameters for...

Page 443: ...Mode Level Mode Level 0 1 Disable 5 Disable 5 Disable 5 The following shows an example of part of the CLI display output for the command CN1610 show storm control all Bcast Bcast Mcast Mcast Ucast Ucast Parameter Definition Bcast Mode Shows whether the broadcast storm control mode is enabled or disabled The factory default is disabled Bcast Level The broadcast storm control level Mcast Mode Shows ...

Page 444: ... Commands 441 Intf Mode Level Mode Level Mode Level 0 1 Disable 5 Disable 5 Disable 5 0 2 Disable 5 Disable 5 Disable 5 0 3 Disable 5 Disable 5 Disable 5 0 4 Disable 5 Disable 5 Disable 5 0 5 Disable 5 Disable 5 Disable 5 ...

Page 445: ...to block LLPF protocol s on a port no llpf Use this command to unblock LLPF protocol s on a port show llpf interface Use this command to display the status of LLPF rules configured on a particular port or on all ports Default Enabled for the blockudld parameter disabled for all others Format llpf blockisdp blockvtp blockdtp blockudld blockpagp blocksstp blockall Mode Interface Config Format nollpf...

Page 446: ...ks DTP PDUs Block UDLD Shows whether the port blocks UDLD PDUs Block PAGP Shows whether the port blocks PAgP PDUs Block SSTP Shows whether the port blocks SSTP PDUs Block All Shows whether the port blocks all proprietary PDUs available for the LLDP feature Term Definition ...

Page 447: ...atic or dynamic but not both All members of a port channel must participate in the same protocols A static port channel interface does not require a partner system to be able to aggregate its member ports Note If you configure the maximum number of supported dynamic port channels LAGs additional port channels that you configure are automatically static port channel This command configures a new po...

Page 448: ...ange of ports from the port channel LAG The interface is a logical slot port number of a configured port channel or range of port channels Instead of slot port lag lag intf num can be used as an alternate way to specify the LAG interface lag lag intf num can also be used to specify the LAG interface where lag intf num is the LAG port number deleteport Global Config This command deletes all configu...

Page 449: ...t channel lacp collector max delay Use this command to configure the port channel collector max delay This command can be used to configure a single interface or a range of interfaces The valid range of delay is 0 65535 Note This command is applicable only to port channel interfaces no lacp collector max delay Use this command to configure the default port channel collector max delay Default 0x800...

Page 450: ...ACP actor admin state to individual Note This command is applicable only to physical interfaces no lacp actor admin state individual Use this command to set the LACP actor admin state to aggregation lacp actor admin state longtimeout Use this command to set LACP actor admin state to longtimeout Default Internal Interface Number of this Physical Port Format lacp actor admin key key Mode Interface C...

Page 451: ...ommand is applicable only to physical interfaces no lacp actor admin state passive Use this command to set the LACP actor admin state to active lacp actor admin state Use this command to configure the administrative value of actor state as transmitted by the Actor in LACPDUs This command can be used to configure a single interfaces or a range of interfaces Mode Interface Config Format no lacp acto...

Page 452: ...igure the ports Consequently both commands will display in show running config lacp actor port priority Use this command to configure the priority value assigned to the Aggregation Port for an interface or range of interfaces The valid range for priority is 0 to 65535 Note This command is applicable only to physical interfaces Default 0x07 Format lacp actor admin state individual longtimeout passi...

Page 453: ... Note This command is applicable only to physical interfaces no lacp partner admin key Use this command to set the administrative value of the Key for the protocol partner to the default lacp partner admin state individual Use this command to set LACP partner admin state to individual Note This command is applicable only to physical interfaces Format no lacp actor port priority Mode Interface Conf...

Page 454: ...this command to set the LACP partner admin state to short timeout Note This command is applicable only to physical interfaces lacp partner admin state passive Use this command to set the LACP partner admin state to passive Note This command is applicable only to physical interfaces Format no lacp partner admin state individual Mode Interface Config Format lacp partner admin state longtimeout Mode ...

Page 455: ...r port id Use this command to set the LACP partner port id to the default lacp partner port priority Use this command to configure the LACP partner port priority This command can be used to configure a single interface or a range of interfaces The valid range for priority is 0 to 65535 Note This command is applicable only to physical interfaces Format no lacp partner admin state passive Mode Inter...

Page 456: ...es no lacp partner system id Use this command to configure the default value representing the administrative value of the Aggregation Port s protocol Partner s System ID lacp partner system priority Use this command to configure the administrative value of the priority associated with the Partner s System ID This command can be used to configure a single interface or a range of interfaces The vali...

Page 457: ...which means the port channel is static If the maximum number of allowable dynamic port channels are already present in the system the static mode for a new port channel is enabled which means the port channel is static You can only use this command on port channel interfaces no port channel static This command sets the static mode on a particular port channel LAG interface to the default value Thi...

Page 458: ...is command disables Link Aggregation Control Protocol LACP on all ports port lacptimeout Interface Config This command sets the timeout on a physical interface or range of interfaces of a particular device type actor or partner to either long or short timeout Default enabled Format port lacpmode Mode Interface Config Format no port lacpmode Mode Interface Config Format port lacpmode enable all Mod...

Page 459: ...g or short timeout no port lacptimeout This command sets the timeout for all physical interfaces of a particular device type actor or partner back to their default values Note Both the no portlacptimeout and the no lacp actor admin state commands set the values back to default regardless of the command used to configure the ports Consequently both commands will display in show running config port ...

Page 460: ...ll sets every configured port channel with the same administrative mode setting port channel load balance This command selects the load balancing option used on a port channel LAG Traffic is balanced on a port channel LAG by selecting one of the links in the channel over which to transmit specific packets The link is selected by creating a binary pattern from selected fields in a packet and associ...

Page 461: ...fig Global Config Term Definition 1 Source MAC VLAN EtherType and incoming port associated with the packet 2 Destination MAC VLAN EtherType and incoming port associated with the packet 3 Source Destination MAC VLAN EtherType and incoming port associated with the packet 4 Source IP and Source TCP UDP fields of the packet 5 Destination IP and Destination TCP UDP Port fields of the packet 6 Source De...

Page 462: ...priority Use this command to configure port channel system priority The valid range of priority is 0 65535 Mode Interface Config Global Config Term Definition slot port all Global Config Mode only The interface is a logical slot port number of a configured port channel All applies the command to all currently configured port channels Default 1 Format port channel min links 1 8 Mode Interface Confi...

Page 463: ...tner Use this command to display LACP partner attributes The following output parameters are displayed Format no port channel system priority Mode Global Config Format show lacp actor slot port all Mode Global Config Parameter Description System Priority The administrative value of the Key Actor Admin Key The administrative value of the Key Port Priority The priority value assigned to the Aggregat...

Page 464: ...the Key for protocol Partner Port ID The administrative value of the port number for the protocol Partner Admin State The administrative values of the actor state for the protocol Partner Parameter Description Format show port channel brief Mode User EXEC Term Definition Logical Interface The slot port of the logical interface Port channel Name The name of port channel LAG interface Link State Sho...

Page 465: ...es whether the Link is up or down Admin Mode May be enabled or disabled The factory default is enabled Type The status designating whether a particular port channel LAG is statically or dynamically maintained Static The port channel is statically maintained Dynamic The port channel is dynamically maintained Load Balance Option The load balance option associated with this LAG See port channel load ...

Page 466: ...ner long 1 0 2 actor long Auto True partner long 1 0 3 actor long Auto False partner long 1 0 4 actor long Auto False partner long show port channel system priority Use this command to display the port channel system priority show port channel counters Use this command to display port channel counters for the specified port Port Speed Speed of the port channel port Active Ports This field lists po...

Page 467: ... 7 0 0 8 0 Mode Privileged EXEC Term Definition Local Interface The valid slot port number Channel Name The name of this port channel LAG Link State Indicates whether the Link is up or down Admin Mode May be enabled or disabled The factory default is enabled Port Channel Flap Count The number of times the port channel was inactive Mbr Ports The slot port for the port member Mbr Flap Counters The n...

Page 468: ...member flap counters for the specified interface clear port channel all counters Use this command to clear and reset all port channel and member flap counters for the specified interface Format clear port channel lag intf num slot port counters Mode Privileged EXEC Format clear port channel all counters Mode Privileged EXEC ...

Page 469: ... mirroring is configured by adding the RSPAN VLAN ID At the source switch the destination is configured as the RSPAN VLAN and at the destination switch the source is configured as the RSPAN VLAN Note The source and destination cannot be configured as remote on the same device The reflector port is configured at the source switch The reflector port forwards the mirrored traffic towards the destinat...

Page 470: ...anually add the port to any desired VLANs Use the source interface slot port parameter or destination interface to remove the specified interface from the port monitoring session Use the mode parameter to disable the administrative mode of the session Note Since the current version of FASTPATH software only supports one session if you do not supply optional parameters the behavior of this command ...

Page 471: ...to identify the session and ranges from 1 4 Default enabled Format no monitor Mode Global Config Format show monitor session session id Mode Privileged EXEC Term Definition Session ID An integer value used to identify the session Its value can be anything between 1 and the maximum number of mirroring sessions allowed on the platform Monitor Session Mode Indicates whether the Port Mirroring feature...

Page 472: ...s and rx for receiving packets Src VLAN All member ports of this VLAN are mirrored If the source VLAN is not configured this field is blank Ref Port This port carries all the mirrored traffic at the source switch Src Remote VLAN The source VLAN is configured at the destination switch If the remote VLAN is not configured this field is blank Dst Remote VLAN The destination VLAN is configured at the ...

Page 473: ...470 Port Mirroring Commands 100 ...

Page 474: ...ent for MAC filters where source ports are configured and MAC filters where destination ports are configured For unicast MAC address filters and multicast MAC address filters with source port lists the maximum number of static MAC filters supported is 20 For multicast MAC address filters with destination ports configured the maximum number of static filters supported is 256 i e For current Broadco...

Page 475: ...ter with the given macaddr and VLAN of vlanid The macaddr parameter must be specified as a 6 byte hexadecimal number in the format of b1 b2 b3 b4 b5 b6 The vlanid parameter must identify a valid VLAN macfilter adddest all This command adds all interfaces to the destination filter set for the MAC filter with the given macaddr and VLAN of vlanid The macaddr parameter must be specified as a 6 byte he...

Page 476: ...alid VLAN no macfilter addsrc This command removes a port from the source filter set for the MAC filter with the MAC address of macaddr and VLAN of vlanid The macaddr parameter must be specified as a 6 byte hexadecimal number in the format of b1 b2 b3 b4 b5 b6 The vlanid parameter must identify a valid VLAN macfilter addsrc all This command adds all interfaces to the source filter set for the MAC ...

Page 477: ...ters If you specify all all the Static MAC Filters in the system are displayed If you supply a value for macaddr you must also enter a value for vlanid and the system displays Static MAC Filter information only for that MAC address and VLAN Note Only multicast address filters will have destination port lists Mode Global Config Format no macfilter addsrc all macaddr vlanid Mode Global Config Format...

Page 478: ...witch has forwarding and or filtering information As the data is gleaned from the MFDB the address will be a multicast address The format is 6 two digit hexadecimal numbers that are separated by colons for example 01 23 45 67 89 AB Type The type of the entry Static entries are those that are configured by the end user Dynamic entries are added to the table as a result of a learning process or prot...

Page 479: ...lay is enabled no dhcp l2relay This command disables DHCP Layer 2 relay agent for an interface or range of interfaces dhcp l2relay circuit id subscription This command sets the Option 82 Circuit ID for a given service subscription identified by subscription string on a given interface The subscription string is a character string which needs to be matched with a configured DOT1AD subscription stri...

Page 480: ...2 circuit id dhcp l2relay circuit id vlan This parameter sets the DHCP Option 82 Circuit ID for a VLAN When enabled the interface number is added as the Circuit ID in DHCP option 82 no dhcp l2relay circuit id vlan This parameter clears the DHCP Option 82 Circuit ID for a VLAN Mode Interface Config Format no dhcp l2relay circuit id subscription subscription string Mode Interface Config Format dhcp ...

Page 481: ...tion 82 Remote ID string for a given service subscription identified by subscription string on a given interface The subscription string is a character string which needs to be matched with a configured DOT1AD subscription string for correct operation When remote id string is reset using this command the Client DHCP requests that fall under this service subscription are not added with Option 82 Re...

Page 482: ...for Option 82 reception dhcp l2relay vlan Use this command to enable the DHCP L2 Relay agent for a set of VLANs All DHCP packets which arrive on interfaces in the configured VLAN are subject to L2 Relay processing Parameter Description vlan list The VLAN ID The range is 1 4093 Separate nonconsecutive IDs with a comma no spaces and no zeros in between the range Use a dash for the range Format no dh...

Page 483: ...led Interface L2RelayMode TrustMode 0 2 Enabled untrusted 0 4 Disabled trusted VLAN Id L2 Relay CircuitId RemoteId 3 Disabled Enabled NULL 5 Enabled Enabled NULL 6 Enabled Enabled broadcom 7 Enabled Disabled NULL Format dhcp l2relay vlan vlan list Mode Global Config Parameter Description vlan list The VLAN ID The range is 1 4093 Separate nonconsecutive IDs with a comma no spaces and no zeros in be...

Page 484: ...l2relay interface all DHCP L2 Relay is Enabled Interface L2RelayMode TrustMode 0 2 Enabled untrusted 0 4 Disabled trusted show dhcp l2relay remote id vlan This command displays DHCP Remote id vlan configuration Format show dhcp l2relay circuit id vlan vlan list Mode Privileged EXEC Parameter Description vlan list Enter VLAN IDs in the range 1 4093 Use a dash to specify a range or a comma to separa...

Page 485: ...r TrustedClient MsgsWithOpt82 MsgsWithOpt82 MsgsWithoutOpt82 MsgsWithoutOpt82 0 1 0 0 0 0 0 2 0 0 3 7 0 3 0 0 0 0 0 4 0 12 0 0 0 5 0 0 0 0 0 6 3 0 0 0 0 7 0 0 0 0 0 8 0 0 0 0 0 9 0 0 0 0 show dhcp l2relay agent option vlan This command displays the DHCP L2 Relay Option 82 configuration specific to VLAN Parameter Description vlan list Enter VLAN IDs in the range 1 4093 Use a dash to specify a range...

Page 486: ...d displays DHCP vlan configuration clear dhcp l2relay statistics interface Use this command to reset the DHCP L2 relay counters to zero Specify the port with the counters to clear or use the all keyword to clear the counters on all ports Format show dhcp l2relay agent option vlan vlan range Mode Privileged EXEC Format show dhcp l2relay vlan vlan list Mode Privileged EXEC Parameter Description vlan...

Page 487: ...484 DHCP L2 Relay Agent Commands Mode Privileged EXEC ...

Page 488: ...mmand disables the inclusion of DHCP Option 60 Vendor Class Identifier included in the requests transmitted to the DHCP server by the DHCP client operating in the FASTPATH switch dhcp client vendor id option string This parameter sets the DHCP Vendor Option 60 string to be included in the requests transmitted to the DHCP server by the DHCP client operating in the FASTPATH switch no dhcp client ven...

Page 489: ...or id string to be included in Option 43 in DHCP requests The following shows example CLI display output for the command Broadcom FASTPATH Switching show dhcp client vendor id option DHCP Client Vendor Identifier Option is Enabled DHCP Client Vendor Identifier Option string is FastpathClient Format show dhcp client vendor id option Mode Privileged EXEC ...

Page 490: ...Snooping on a list of comma separated VLAN ranges no ip dhcp snooping vlan Use this command to disable DHCP Snooping on VLANs ip dhcp snooping verify mac address Use this command to enable verification of the source MAC address with the client hardware address in the received DCHP message Default disabled Format ip dhcp snooping Mode Global Config Format no ip dhcp snooping Mode Global Config Defa...

Page 491: ... the interval in seconds at which the DHCP Snooping database will be persisted The interval value ranges from 15 to 86400 seconds no ip dhcp snooping database write delay Use this command to set the write delay value to the default value Default enabled Format ip dhcp snooping verify mac address Mode Global Config Format no ip dhcp snooping verify mac address Mode Global Config Default local Forma...

Page 492: ...o control the rate at which the DHCP Snooping messages come on an interface or range of interfaces By default rate limiting is disabled When enabled the rate can range from 0 to 300 packets per second The burst level range is 1 to 15 seconds Mode Global Config Format ip dhcp snooping binding mac address vlan vlan id ip address interface interface id Mode Global Config Format no ip dhcp snooping bi...

Page 493: ...aces no ip dhcp snooping log invalid Use this command to disable the logging DHCP messages filtration by the DHCP Snooping application ip dhcp snooping trust Use this command to configure an interface or range of interfaces as trusted Default disabled no limit Format ip dhcp snooping limit rate pps burst interval seconds Mode Interface Config Format no ip dhcp snooping limit Mode Interface Config ...

Page 494: ...MAC addresses This command can be used to configure a single interface or a range of interfaces no ip verify source Use this command to disable the IPSG configuration in the hardware You cannot disable port security alone if it is configured show ip dhcp snooping Use this command to display the DHCP Snooping global configurations and per port configurations Mode Interface Config Format no ip dhcp ...

Page 495: ...ries To restrict the output use the following options Dynamic Restrict the output based on DCHP snooping Interface Restrict the output based on a specific interface Static Restrict the output based on static entries VLAN Restrict the output based on VLAN Term Definition Interface The interface for which data is displayed Trusted If it is enabled DHCP snooping considers the port as trusted The fact...

Page 496: ...n related to the database persistency Term Definition MAC Address Displays the MAC address for the binding that was added The MAC address is the key to the binding database IP Address Displays the valid IP address for the binding rule VLAN The VLAN for the binding rule Interface The interface to add a binding into the DHCP snooping interface Type Binding type statically configured from the CLI or ...

Page 497: ...ow ip dhcp snooping interfaces Interface Trust State Rate LimitBurst Interval pps seconds 1 g1No151 1 g2No151 1 g3No151 CN1610 show ip dhcp snooping interfaces ethernet 1 g15 Interface Trust State Rate LimitBurst Interval pps seconds 1 g15Yes151 show ip dhcp snooping statistics Use this command to list statistics for DHCP Snooping security violations on untrusted ports Write Delay The maximum writ...

Page 498: ...15 0 0 0 1 0 16 0 0 0 1 0 17 0 0 0 1 0 18 0 0 0 1 0 19 0 0 0 1 0 20 0 0 0 Mode Privileged EXEC User EXEC Term Definition Interface The IP address of the interface in slot port format MAC Verify Failures Represents the number of DHCP messages that were filtered on an untrusted interface because of source MAC address and client HW address mismatch Client Ifc Mismatch Represents the number of DHCP re...

Page 499: ...ode Privileged EXEC User EXEC Format clear ip dhcp snooping statistics Mode Privileged EXEC User EXEC Format show ip verify source Mode Privileged EXEC User EXEC Term Definition Interface Interface address in slot port format Filter Type Is one of two values ip mac User has configured MAC address filtering on this interface ip Only IP address filtering on this interface IP Address IP address of th...

Page 500: ...r a specific interface show ip source binding Use this command to display the IPSG bindings VLAN The VLAN for the binding rule Term Definition Format show ip verify interface slot port Mode Privileged EXEC User EXEC Term Definition Interface Interface address in slot port format Filter Type Is one of two values ip mac User has configured MAC address filtering on this interface ip Only IP address f...

Page 501: ... snooping 2 1 0 1 00 00 00 00 00 09 1 2 3 4 dhcp snooping 3 1 0 1 00 00 00 00 00 0A 1 2 3 4 dhcp snooping 4 1 0 1 Term Definition MAC Address The MAC address for the entry that is added IP Address The IP address of the entry that is added Type Entry type statically configured from CLI or dynamically learned from DHCP Snooping VLAN VLAN for the entry Interface IP address of the interface in slot po...

Page 502: ... in the DHCP snooping bindings database You can optionally configure additional ARP packet validation ip arp inspection vlan Use this command to enable Dynamic ARP Inspection on a list of comma separated VLAN ranges no ip arp inspection vlan Use this command to disable Dynamic ARP Inspection on a list of comma separated VLAN ranges ip arp inspection validate Use this command to enable additional v...

Page 503: ... of invalid ARP packets on a list of comma separated VLAN ranges ip arp inspection trust Use this command to configure an interface or range of interfaces as trusted for Dynamic ARP Inspection Default disabled Format ip arp inspection validate src mac dst mac ip Mode Global Config Format no ip arp inspection validate src mac dst mac ip Mode Global Config Default enabled Format ip arp inspection vl...

Page 504: ...you need to understand the switch performance and configure the maximum rate pps accordingly Note The user interface will accept a rate limit for a trusted interface but the limit will not be enforced unless the interface is configured to be untrusted no ip arp inspection limit Use this command to set the rate limit and burst interval values for an interface to the default values of 15 pps and 1 s...

Page 505: ...ated VLAN ranges arp access list Use this command to create an ARP ACL no arp access list Use this command to delete a configured ARP ACL permit ip host mac host Use this command to configure a rule for a valid IP address and MAC address combination used in ARP packet validation Default No ARP ACL is configured on a VLAN Format ip arp inspection filter acl name vlan vlan list static Mode Global Co...

Page 506: ...ion and invalid IP validation information Mode ARP Access list Config Format no permit ip host sender ip mac host sender mac Mode ARP Access list Config Format show ip arp inspection vlan vlan list Mode Privileged EXEC User EXEC Term Definition Source MAC Validation Displays whether Source MAC Validation of ARP frame is enabled or disabled Destination MAC Validation Displays whether Destination MA...

Page 507: ...ve the vlan list argument and the command displays the statistics on all DAI enabled VLANs in that list Give the single vlan argument and the command displays the statistics on that VLAN If no argument is included the command lists a summary of the forwarded and dropped ARP packets ACL Name The ARP ACL Name if configured on the VLAN Static Flag If the ARP ACL is configured static on the VLAN Term ...

Page 508: ...mits Permits MAC MAC IP 10 11 1 65 25 1 1 0 20 1 0 8 2 0 1 1 DHCP Drops The number of packets dropped due to DHCP snooping binding database match failure ACL Drops The number of packets dropped due to ARP ACL rule match failure DHCP Permits The number of packets permitted due to DHCP snooping binding database match ACL Permits The number of packets permitted due to ARP ACL rule match Bad Src MAC T...

Page 509: ...hat interface whether the interface is enabled for DAI or not The following shows example CLI display output for the command CN1610 show ip arp inspection interfaces Interface Trust State Rate Limit Burst Interval pps seconds 0 1 Untrusted 15 1 0 2 Untrusted 10 10 Default none Format clear ip arp inspection statistics Mode Privileged EXEC Format show ip arp inspection interfaces slot port Mode Pri...

Page 510: ...les in that ARP ACL The following shows example CLI display output for the command CN1610 show arp access list ARP access list H2 permit ip host 1 1 1 1 mac host 00 01 02 03 04 05 permit ip host 1 1 1 2 mac host 00 03 04 05 06 07 ARP access list H3 ARP access list H4 permit ip host 2 1 1 2 mac host 00 03 04 05 06 08 Format show arp access list acl name Mode Privileged EXEC User EXEC ...

Page 511: ...ables IGMP Snooping on the system Global Config Mode an interface or a range of interfaces This command also enables IGMP snooping on a particular VLAN VLAN Config Mode and can enable IGMP snooping on all interfaces participating in a VLAN If an interface has IGMP Snooping enabled and you enable this interface for routing or enlist it as a member of a port channel LAG IGMP Snooping functionality i...

Page 512: ...ps packets that do not include this option The presence of the router alert option 9404 and ToS Byte 0xC0 Internet Control in the IP packet header of IGMPv3 message and drops packets that do not include these options no set igmp header validation This command disables header validation for IGMP messages set igmp interfacemode This command enables IGMP Snooping on all interfaces If an interface has...

Page 513: ...ing table entry upon receiving an IGMP leave message for that multicast group without first sending out MAC based general queries to the interface You should enable fast leave admin mode only on VLANs where only one host is connected to each layer 2 LAN port This prevents the inadvertent dropping of the other hosts that were connected to the same layer 2 LAN port but were still interested in recei...

Page 514: ...MPv3 Maximum Response time value The range is 2 to 3600 seconds no set igmp groupmembership interval This command sets the IGMPv3 Group Membership Interval time to the default value set igmp maxresponse This command sets the IGMP Maximum Response time for the system on a particular interface or VLAN or on a range of interfaces The Maximum Response time is the amount of time in seconds that a switc...

Page 515: ...r the system on a particular interface or VLAN or on a range of interfaces This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached The range is 0 to 3600 seconds A value of 0 indicates an infinite time out i e no expiration Default 10 seconds Format set igmp maxr...

Page 516: ...N ID vlan_id set igmp mrouter interface This command configures the interface or range of interfaces as a multicast router interface When configured as a multicast router interface the interface is treated as a multicast router interface in all VLANs Format no set igmp mcrtrexpiretime vlan_id Mode Global Config Interface Config VLAN Config Format no set igmp mcrtrexpiretime vlan_id Mode VLAN Confi...

Page 517: ... within the max response time only the first response is forwarded to the query and others are suppressed at the switch The following shows an example of the command Broadcom FASTPATH Switching vlan database Broadcom FASTPATH Switching Vlan set igmp report suppression 1 4093 Enter VLAN ID Broadcom FASTPATH Switching Vlan set igmp report suppression 1 no set igmp report suppression Use this command...

Page 518: ...nooping is active on the switch Multicast Control Frame Count The number of multicast control frames that are processed by the CPU Interface Enabled for IGMP Snooping The list of interfaces on which IGMP Snooping is enabled VLANS Enabled for IGMP Snooping The list of VLANS on which IGMP Snooping is enabled Term Definition IGMP Snooping Admin Mode Indicates whether IGMP Snooping is active on the in...

Page 519: ...AN Fast Leave Mode Indicates whether IGMP Snooping Fast leave is active on the VLAN Group Membership Interval secs The amount of time in seconds that a switch will wait for a report from a particular group on a particular interface which is participating in the VLAN before deleting the interface from the entry This value may be configured Maximum Response Time secs The amount of time the switch wa...

Page 520: ... command displays information about Source Specific Multicasting SSM by entry group or statistics SSM delivers multicast packets to receivers that originated from a source address specified by the receiver SSM is only available with IGMPv3 and MLDv2 Report Suppression Mode Indicates whether IGMP reports set by the command set igmp report suppression on page 514 in enabled or not Term Definition Fo...

Page 521: ...MAC Address A multicast MAC address for which the switch has forwarding or filtering information The format is 6 two digit hexadecimal numbers that are separated by colons for example 01 23 45 67 89 AB Type The type of the entry which is either static added by the user or dynamic added to the table as a result of a learning process or protocol Description The text description of this multicast tab...

Page 522: ...ailable both in the Interface and VLAN modes Operationally the system chooses or prefers the VLAN configured values over the Interface configured values for most configurations when the interface participates in the VLAN set igmp querier Use this command to enable IGMP Snooping Querier on the system using Global Config mode or on a VLAN Using this command you can specify the IP Address that the Sn...

Page 523: ...mmand to set the IGMP Querier Query Interval time to its default value set igmp querier timer expiry Use this command to set the IGMP Querier timer expiration period It is the time period that the switch remains in Non Querier mode once it has discovered that there is a Multicast Querier in the network Mode Global Config VLAN Mode Format no set igmp querier vlan id address Mode Global Config VLAN ...

Page 524: ... Snooping Querier to participate in the Querier Election process when it discovers the presence of another Querier in the VLAN When this mode is enabled if the Snooping Querier finds that the other Querier s source address is better less than the Snooping Querier s address it stops sending periodic queries If the Snooping Querier wins the election then it will continue sending periodic queries For...

Page 525: ...information Format no set igmp querier election participate Mode VLAN Config Format show igmpsnooping querier detail vlan vlanid Mode Privileged EXEC Field Description Admin Mode Indicates whether or not IGMP Snooping Querier is active on the switch Admin Version The version of IGMP that will be used while sending out the queries Querier Address The IP Address which will be used in the IPv4 header...

Page 526: ...it before removing a Leave from a host upon receiving a Leave request This value is calculated dynamically from the Queries received from the network If the Snooping Switch is in Querier state then it is equal to the configured value Querier Election Participation Indicates whether the IGMP Snooping Querier participates in querier election if it discovers the presence of a querier in the VLAN Quer...

Page 527: ...gured values over the Interface configured values for most configurations when the interface participates in the VLAN set mld This command enables MLD Snooping on the system Global Config Mode or an Interface Interface Config Mode This command also enables MLD Snooping on a particular VLAN and enables MLD Snooping on all interfaces participating in a VLAN If an interface has MLD Snooping enabled a...

Page 528: ...nooping functionality is disabled on that interface MLD Snooping functionality is re enabled if you disable routing or remove port channel LAG membership from an interface that has MLD Snooping enabled no set mld interfacemode Use this command to disable MLD Snooping on all interfaces Mode Global Config Interface Config VLAN Mode Format set mld vlanid Mode Global Config Interface Config VLAN Mode ...

Page 529: ... in receiving multicast traffic directed to that group Note Fast leave processing is supported only with MLD version 1 hosts no set mld fast leave Use this command to disable MLD Snooping fast leave admin mode on a selected interface set mld groupmembership interval Use this command to set the MLD Group Membership Interval time on a VLAN one interface or all interfaces The Group Membership Interva...

Page 530: ...ecause it did not receive a report for a particular group in that interface This value must be less than the MLD Query Interval time value The range is 1 to 65 seconds no set mld maxresponse Use this command to set the max response time on the interface or VLAN to the default value Format set mld groupmembership interval vlanid 2 3600 Mode Interface Config Global Config VLAN Mode Format no set mld...

Page 531: ... no set mld mcrtexpiretime Use this command to set the Multicast Router Present Expiration time to 0 The time is set for the system on a particular interface or a VLAN set mld mrouter Use this command to configure the VLAN ID for the VLAN that has the multicast router attached mode enabled no set mld mrouter Use this command to disable multicast router attached mode for a VLAN with a particular VL...

Page 532: ... interface show mldsnooping Use this command to display MLD Snooping information Configured information is displayed whether or not MLD Snooping is enabled When the optional arguments unit slot port or vlanid are not used the command displays the following information Format no set mld mrouter vlanid Mode Interface Config Default disabled Format set mld mrouter interface Mode Interface Config Form...

Page 533: ... VLAN Group Membership Interval Shows the amount of time in seconds that a switch will wait for a report from a particular group on a particular interface which is participating in the VLAN before deleting the interface from the entry This value may be configured Max Response Time Displays the amount of time the switch waits after it sends a query on an interface participating in the VLAN because ...

Page 534: ...LD Snooping is active on the VLAN Format show mldsnooping mrouter interface unit slot port Mode Privileged EXEC Term Definition Interface Shows the interface on which multicast router information is being displayed Multicast Router Attached Indicates whether multicast router is statically enabled on the interface Format show mldsnooping mrouter vlan unit slot port Mode Privileged EXEC Term Definit...

Page 535: ...ned Group The IPv6 multicast group address Source The IPv6 source address Source Filter Mode The source filter mode Include Exclude for the specified group Interfaces 1 If Source Filter Mode is Include specifies the list of interfaces on which a incoming packet is forwarded If it s source IP address is equal to the current entry s Source the destination IP address is equal to the current entry s G...

Page 536: ...D snooping s SSMFDB Current Entries The current number of entries in the MLD snooping s SSMFDB Format show mldsnooping ssm groups Mode Privileged EXEC Term Definition VLAN VLAN on which the MLD v2 report is received Group The IPv6 multicast group address Interface The interface on which the MLD v2 report is received Reporter The IPv6 address of the host that sent the MLDv2 report Source Filter Mod...

Page 537: ...AC address is learned MAC Address A multicast MAC address for which the switch has forwarding or filtering information The format is 6 two digit hexadecimal numbers that are separated by colons for example 01 23 45 67 89 AB Type The type of entry which is either static added by the user or dynamic added to the table as a result of a learning process or protocol Description The text description of ...

Page 538: ...ng Configurations Many of the IGMP MLD Snooping commands are available both in the Interface and VLAN modes Operationally the system chooses or prefers the VLAN configured values over the Interface configured values for most configurations when the interface participates in the VLAN set mld querier Use this command to enable MLD Snooping Querier on the system Global Config Mode or on a VLAN Using ...

Page 539: ...o its default value set mld querier timer expiry Use this command to set the MLD Querier timer expiration period It is the time period that the switch remains in Non Querier mode once it has discovered that there is a Multicast Querier in the network no set mld querier timer expiry Use this command to set the MLD Querier timer expiration period to its default value Format no set mld querier vlan i...

Page 540: ...cipate Use this command to set the snooping querier not to participate in querier election but go into a non querier mode as soon as it discovers the presence of another querier in the same VLAN show mldsnooping querier Use this command to display MLD Snooping Querier information Configured information is displayed whether or not MLD Snooping Querier is enabled When the optional arguments vlandid ...

Page 541: ...periodic general query Querier Timeout Displays the amount of time to wait in the Non Querier operational state before moving to a Querier state Field Description VLAN Admin Mode Indicates whether MLD Snooping Querier is active on the VLAN VLAN Operational State Indicates whether MLD Snooping Querier is in Querier or Non Querier state When the switch is in Querier state it will send out periodic g...

Page 542: ... in the VLAN Querier VLAN Address The IP address will be used in the IPv6 header while sending out MLD queries on this VLAN It can be configured using the appropriate command Operational Version This version of IPv6 will be used while sending out MLD queriers on this VLAN Last Querier Address Indicates the IP address of the most recent Querier from which a Query was received Last Querier Version I...

Page 543: ...lation on page 91 port security This command enables port locking on an interface a range of interfaces or at the system level no port security This command disables port locking for one Interface Config or all Global Config ports port security max dynamic This command sets the maximum number of dynamically locked MAC addresses allowed on a specific port The valid range is 0 600 Default disabled F...

Page 544: ...ocked MAC addresses to the default value port security mac address This command adds a MAC address to the list of statically locked MAC addresses for an interface or range of interfaces The vid is the VLAN ID no port security mac address This command removes a MAC address from the list of statically locked MAC addresses Mode Interface Config Format no port security max dynamic Mode Interface Confi...

Page 545: ... LAG There is no global sticky mode as such Sticky addresses that are dynamically learned will appear in show running config on page 177 as port security mac address sticky mac vid entries This distinguishes them from static entries The following shows an example of the command CN1610 Config port security mac address sticky CN1610 Interface port security mac address sticky CN1610 Interface port se...

Page 546: ...e you specify the following information appears The following shows example CLI display output for the command CN1610 show port security 0 1 Format no port security mac address sticky mac address vid Mode Global Config Interface Config Format show port security slot port all Mode Privileged EXEC Term Definition Admin Mode Port Locking mode for the entire system This field displays if you do not su...

Page 547: ...cally locked MAC addresses for port Instead of slot port lag lag intf num can be used as an alternate way to specify the LAG interface lag lag intf num can also be used to specify the LAG interface where lag intf num is the LAG port number Format show port security dynamic slot port Mode Privileged EXEC Term Definition MAC Address MAC Address of dynamically locked MAC Format show port security sta...

Page 548: ...f the last packet discarded on a locked port Instead of slot port lag lag intf num can be used as an alternate way to specify the LAG interface lag lag intf num can also be used to specify the LAG interface where lag intf num is the LAG port number Format show port security violation slot port lag lag id Mode Privileged EXEC Term Definition MAC Address The source MAC address of the last frame that...

Page 549: ...ansmit Use this command to enable the LLDP advertise capability on an interface or a range of interfaces no lldp transmit Use this command to return the local data transmission capability to the default lldp receive Use this command to enable the LLDP receive capability on an interface or a range of interfaces no lldp receive Use this command to return the reception of LLDPDUs to the default value...

Page 550: ...v Use this command to specify which optional type length values TLVs in the 802 1AB basic management set are transmitted in the LLDPDUs from an interface or range of interfaces Use sys name to transmit the system name TLV To configure the system name see snmp server on page 89 Use sys desc to transmit the system description TLV Use sys cap to transmit the system capabilities TLV Use port desc to t...

Page 551: ...s command to include transmission of the local system management address information in the LLDPDUs Use this command to cancel inclusion of the management information in LLDPDUs lldp notification Use this command to enable remote data change notifications on an interface or a range of interfaces no lldp notification Use this command to disable notifications Format no lldp transmit tlv sys desc sys...

Page 552: ...ification interval to the default value clear lldp statistics Use this command to reset all LLDP statistics including MED related information clear lldp remote data Use this command to delete all information from the LLDP remote data table including MED related information Format no lldp notification Mode Interface Config Default 5 Format lldp notification interval interval Mode Global Config Form...

Page 553: ...ltiplier The multiplier on the transmit interval that sets the TTL in local data LLDPDUs Re initialization Delay The delay before reinitialization in seconds Notification Interval How frequently the system sends remote data change notifications in seconds Format show lldp interface slot port all Mode Privileged EXEC Term Definition Interface The interface in a slot port format Link Shows whether t...

Page 554: ... address information in the LLDPDUs Term Definition Format show lldp statistics slot port all Mode Privileged EXEC Term Definition Last Update The amount of time since the last update to the remote table in days hours minutes and seconds Total Inserts Total number of inserts to the remote data table Total Deletes Total number of deletes from the remote data table Total Drops Total number of times ...

Page 555: ...er of invalid LLDP frames received on the port Ageouts Total number of times a complete remote data entry was deleted for the port because the Time to Live interval expired TVL Discards The number of TLVs discarded TVL Unknowns Total number of LLDP TLVs received on the port where the type value is in the reserved range and not recognized TLV MED The total number of LLDP MED TLVs received on the in...

Page 556: ... 01 13 0 7 5 00 FC E3 90 01 0F 00 FC E3 90 01 14 0 7 1 00 FC E3 90 01 0F 00 FC E3 90 03 11 0 7 6 00 FC E3 90 01 0F 00 FC E3 90 04 11 0 8 0 9 0 10 0 11 0 12 More or q uit Term Definition Local Interface The interface that received the LLDPDU from the remote device RemID An internal identifier to the switch to mark each remote device to the system Chassis ID The ID that is sent by a remote device as...

Page 557: ...pe The type of port on the remote device Port ID The port number that transmitted the LLDPDU System Name The system name of the remote device System Description Describes the remote system by identifying the system name and versions of hardware operating system and networking software supported in the device Port Description Describes the port in an alpha numeric format The port description is con...

Page 558: ...bilities Enabled Time to Live 24 seconds show lldp local device Use this command to display summary information about the advertised LLDP local data This command can display summary information or detail for each interface Time To Live The amount of time in seconds the remote device s information received in the LLDPDU should be treated as valid information Term Definition Format show lldp local d...

Page 559: ... on the local device Port ID The port number that transmitted the LLDPDU System Name The system name of the local device System Description Describes the local system by identifying the system name and versions of hardware operating system and networking software supported in the device Port Description Describes the port in an alpha numeric format System Capabilities Supported Indicates the prima...

Page 560: ...nge of interfaces By enabling MED you will be effectively enabling the transmit and receive function of LLDP no lldp med Use this command to disable MED lldp med confignotification Use this command to configure an interface or a range of interfaces to send the topology change notification no ldp med confignotification Use this command to disable notifications Default disabled Format lldp med Mode ...

Page 561: ... the capabilities and network policy TLVs are included Format lldp med transmit tlv capabilities ex pd ex pse inventory location network policy Mode Interface Config Term Definition capabilities Transmit the LLDP capabilities TLV ex pd Transmit the LLDP extended PD TLV ex pse Transmit the LLDP extended PSE TLV inventory Transmit the LLDP inventory TLV location Transmit the LLDP location TLV networ...

Page 562: ...ansmit tlv all Use this command to specify which optional Type Length Values TLVs in the LLDP MED set will be transmitted in the Link Layer Discovery Protocol Data Units LLDPDUs Format lldp med confignotification all Mode Global Config Default 3 Format lldp med faststartrepeatcount count Mode Global Config Format no lldp med faststartrepeatcount Mode Global Config Default By default the capabiliti...

Page 563: ...s command to display a summary of the current LLDP MED configuration for a specific interface unit slot port indicates a specific physical interface all indicates all valid LLDP interfaces ex pse Transmit the LLDP extended PSE TLV inventory Transmit the LLDP inventory TLV location Transmit the LLDP location TLV network policy Transmit the LLDP network policy TLV Term Definition Format no lldp med ...

Page 564: ...d Disabled 0 1 1 0 11 Down Disabled Disabled Disabled 0 1 1 0 12 Down Disabled Disabled Disabled 0 1 1 0 13 Down Disabled Disabled Disabled 0 1 1 0 14 Down Disabled Disabled Disabled 0 1 TLV Codes 0 Capabilities 1 Network Policy 2 Location 3 Extended PSE 4 Extended Pd 5 Inventory More or q uit CN1610 show lldp med interface 1 0 2 Interface Link configMED operMED ConfigNotify TLVsTx 1 0 2 Up Disabl...

Page 565: ...alse Tagged True Media Policy Application Type streamingvideo Vlan ID 20 Priority 1 DSCP 2 Unknown False Tagged True Inventory Hardware Rev xxx xxx xxx Firmware Rev xxx xxx xxx Software Rev xxx xxx xxx Serial Num xxx xxx xxx Mfg Name xxx xxx xxx Model Name xxx xxx xxx Asset ID xxx xxx xxx Location Subtype elin Info xxx xxx xxx Extended POE Device Type pseDevice Extended POE PSE Available 0 3 Watts...

Page 566: ...llowing shows example CLI display output for the command CN1610 show lldp med remote device all LLDP MED Remote Device Summary Local Interface Remote ID Device Class 1 0 8 1Class I 1 0 9 2Not Defined 1 0 10 3Class II 1 0 11 4Class III 1 0 12 5 Network Con Format show lldp med remote device slot port all Mode Privileged EXEC Term Definition Local Interface The interface that received the LLDPDU fro...

Page 567: ...es Supported capabilities networkpolicy location extendedpse MED Capabilities Enabled capabilities networkpolicy Device Class Endpoint Class I Network Policies Media Policy Application Type voice Vlan ID 10 Priority 5 DSCP 1 Unknown False Tagged True Media Policy Application Type streamingvideo Vlan ID 20 Priority 1 DSCP 2 Unknown False Tagged True Inventory Hardware Rev xxx xxx xxx Firmware Rev x...

Page 568: ...tching Commands 565 Subtype elin Info xxx xxx xxx Extended POE Device Type pseDevice Extended POE PSE Available 0 3 Watts Source primary Priority critical Extended POE PD Required 0 2 Watts Source local Priority low ...

Page 569: ...set and TCP Sequence Number 0 or TCP Flags SYN and FIN set L4 Port Source TCP UDP Port Destination TCP UDP Port ICMP Limiting the size of ICMP Ping packets SMAC DMAC Source MAC address Destination MAC address TCP Port Source TCP Port Destination TCP Port UDP Port Source UDP Port Destination UDP Port TCP Flag Sequence TCP Flag SYN set and Source Port 1024 or TCP Control Flags 0 and TCP Sequence Num...

Page 570: ...ial of Service prevention dos control firstfrag This command enables Minimum TCP Header Size Denial of Service protection If the mode is enabled Denial of Service prevention is active for this type of attack If packets ingress having a TCP Header Size smaller then the configured value the packets will be dropped if the mode is enabled The default is disabled If you enable dos control firstfrag but...

Page 571: ...ment Denial of Service protection dos control tcpflag This command enables TCP Flag Denial of Service protections If the mode is enabled Denial of Service prevention is active for this type of attacks If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN URG and PSH set and TCP Seque...

Page 572: ...520 for both If you enable dos control l4port applications such as RIP may experience packet loss which would render the application inoperable no dos control l4port This command disables L4 Port Denial of Service protections dos control smacdmac This command enables Source MAC address Destination MAC address SMAC DMAC Denial of Service protection If the mode is enabled Denial of Service preventio...

Page 573: ...d no dos control tcpport This command disables TCP L4 source destination port number Source TCP Port Destination TCP Port Denial of Service protection dos control udpport This command enables UDP L4 source destination port number Source UDP Port Destination UDP Port DoS protection If the mode is enabled Denial of Service prevention is active for this type of attack If packets ingress with Source U...

Page 574: ...set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN URG and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set the packets will be dropped if the mode is enabled no dos control tcpflagseq This command sets disables TCP Flag and Sequence Denial of Service protection Default disabled Format ...

Page 575: ...command enables TCP SYN and L4 source 0 1023 Denial of Service protection If the mode is enabled Denial of Service prevention is active for this type of attack If packets ingress having TCP flag SYN set and an L4 source port from 0 to 1023 the packets will be dropped if the mode is enabled no dos control tcpsyn This command sets disables TCP SYN and L4 source 0 1023 Denial of Service protection De...

Page 576: ...N and URG and PSH and SEQ 0 checking Denial of Service protections If the mode is enabled Denial of Service prevention is active for this type of attack If packets ingress having TCP FIN URG and PSH all set and TCP Sequence Number set to 0 the packets will be dropped if the mode is enabled no dos control tcpfinurgpsh This command sets disables TCP FIN and URG and PSH and SEQ 0 checking Denial of S...

Page 577: ...ontrol icmpv6 This command enables Maximum ICMPv6 Packet Size Denial of Service protections If the mode is enabled Denial of Service prevention is active for this type of attack If ICMPv6 Echo Request PING packets ingress having a size greater than the configured value the packets will be dropped if the mode is enabled no dos control icmpv6 This command disables Maximum ICMP Packet Size Denial of ...

Page 578: ...sabled Format dos control icmpfrag Mode Global Config Format no dos control icmpfrag Mode Global Config Format show dos control Mode Privileged EXEC Term Definition First Fragment Mode The administrative mode of First Fragment DoS prevention When enabled this causes the switch to drop packets that have a TCP header smaller then the configured Min TCP Hdr Size Min TCP Hdr Size The minimum TCP heade...

Page 579: ...this causes the switch to drop packets that have the TCP source port equal to the TCP destination port UDP Port Mode The administrative mode of UDP Port DoS prevention When enabled this causes the switch to drop packets that have the UDP source port equal to the UDP destination port SIPDIP Mode The administrative mode of SIP DIP DoS prevention Enabling this causes the switch to drop packets that h...

Page 580: ... this causes the switch to drop packets that have the TCP source port equal to the TCP destination port UDP Port Mode The administrative mode of UDP Port DoS prevention When enabled this causes the switch to drop packets that have the UDP source port equal to the UDP destination port SIPDIP Mode The administrative mode of SIP DIP DoS prevention Enabling this causes the switch to drop packets that ...

Page 581: ... FIN Mode The administrative mode of TCP SYN FIN DoS prevention Enabling this causes the switch to drop packets that have TCP Flags SYN and FIN set TCP Fragment Mode The administrative mode of TCP Fragment DoS prevention Enabling this causes the switch to drop packets that have a TCP payload in which the IP payload length minus the IP header size is less than the minimum allowed TCP header size TC...

Page 582: ... not used and will be ignored if entered In an SVL system the fdbid all parameter is not used and will be ignored if entered no bridge aging time This command sets the forwarding database address aging timeout to the default value In an SVL system the fdbid all parameter is not used and will be ignored if entered show forwardingdb agetime This command displays the timeout for address aging Default...

Page 583: ...in which the MAC address is learned MAC Address A multicast MAC address for which the switch has forwarding or filtering information The format is 6 two digit hexadecimal numbers that are separated by colons for example 01 23 45 67 89 AB Source The component that is responsible for this entry in the Multicast Forwarding Database The source can be IGMP Snooping GMRP and Static Filtering Type The ty...

Page 584: ...ilter Static Mgmt Config Fwd Fwd 1 0 1 1 0 1 1 0 2 1 0 2 1 0 3 1 0 3 1 0 4 1 0 4 1 0 5 1 0 5 1 0 6 1 0 6 1 0 7 1 0 7 1 0 8 1 0 8 1 0 9 1 0 9 1 0 10 1 0 10 More or q uit show mac address table stats This command displays the Multicast Forwarding Database MFDB statistics Fwd Interface The resultant forwarding list is derived from combining all the component s forwarding interfaces and removing the i...

Page 585: ...tal number of entries that can possibly be in the Multicast Forwarding Database table Most MFDB Entries Ever Used The largest number of entries that have been present in the Multicast Forwarding Database table This value is also known as the MFDB high water mark Current Entries The current number of entries in the MFDB ...

Page 586: ...packets that the switch transmits The hold time specifies how long a receiving device should store information sent in the ISDP packet before discarding it The range is given in seconds isdp timer This command sets the period of time between sending new ISDP packets The range is given in seconds Default Enabled Format isdp run Mode Global Config Format no isdp run Mode Global Config Default 180 se...

Page 587: ...smit ISDP packets If ISDP is globally disabled on the switch the interface will not transmit ISDP packets regardless of the ISDP status on the interface To enable ISDP globally use the command isdp run on page 583 no isdp enable This command disables ISDP on the interface clear isdp counters This command clears ISDP counters Default Enabled Format isdp advertise v2 Mode Global Config Format no isd...

Page 588: ...ting for sending ISDPv2 packets If disabled version 1 packets are transmitted Neighbors table time since last change The amount of time that has passed since the ISPD neighbor table changed Device ID The Device ID advertised by this device The format of this Device ID is characterized by the value of the Device ID Format object Device ID Format Capability Indicates the Device ID format capability ...

Page 589: ...Device ID format of the device serialNumber indicates that the value is in the form of an ASCII string containing the device serial number macAddress indicates that the value is in the form of a Layer 2 MAC address other indicates that the value is in the form of a platform specific ASCII string containing info that identifies the device For example ASCII string contains serialNumber appended prep...

Page 590: ...nterface Mode 0 1 Enabled 0 2 Enabled 0 3 Enabled 0 4 Enabled 0 5 Enabled 0 6 Enabled 0 7 Enabled 0 8 Enabled show isdp entry This command displays ISDP entries If the device id is specified then only entries for that device are shown Format show isdp entry all deviceid Mode Privileged EXEC Term Definition Device ID The device ID associated with the neighbor which advertised the information IP Add...

Page 591: ...y ISDP Functional Capabilities advertised by the neighbor Platform The hardware platform advertised by the neighbor Interface The interface slot port on which the neighbor s advertisement was received Port ID The port ID of the interface from which the neighbor sent the advertisement Hold Time The hold time advertised by the neighbor Version The software version that the neighbor is running Advert...

Page 592: ...with the neighbor which advertised the information IP Addresses The IP addresses associated with the neighbor Capability ISDP functional capabilities advertised by the neighbor Platform The hardware platform advertised by the neighbor Interface The interface slot port on which the neighbor s advertisement was received Port ID The port ID of the interface from which the neighbor sent the advertisem...

Page 593: ...y last changed time 0 days 00 01 59 Version 05 00 56 show isdp traffic This command displays ISDP statistics Format show isdp traffic Mode Privileged EXEC Term Definition ISDP Packets Received Total number of ISDP packets received ISDP Packets Transmitted Total number of ISDP packets transmitted ISDPv1 Packets Received Total number of ISDPv1 packets received ISDPv1 Packets Transmitted Total number...

Page 594: ...ckets processed by the switch ISDP must be enabled on both the device and the interface in order to monitor packets for a particular interface ISDP Bad Header Number of packets received with a bad header ISDP Checksum Error Number of packets received with a checksum error ISDP Transmission Failure Number of packets which failed to transmit ISDP Invalid Format Number of invalid packets received ISD...

Page 595: ...92 ISDP Commands no debug isdp packet This command disables tracing of ISDP packets on the receive or the transmit sides or on both sides Format no debug isdp packet receive transmit Mode Privileged EXEC ...

Page 596: ...mmands in this chapter are in one of three functional groups Show commands display switch settings statistics and other information Configuration commands configure features and options of the switch For every configuration command there is a show command that displays the configuration setting Clear commands clear some or all of the settings to factory defaults ...

Page 597: ...an send SNMP traps and queries via the service network port The user can manage a device via the network port in addition to a Routing Interface or the Service port serviceport ipv6 enable Use this command to enable IPv6 operation on the service port By default IPv6 operation is enabled on the service port no serviceport ipv6 enable Use this command to disable IPv6 operation on the service port ne...

Page 598: ...figured IPv6 prefixes on the service port interface Use the command with the address option to remove the manually configured IPv6 global address on the network port interface Use the command with the autoconfig option to disable the stateless global address autoconfiguration on the service port Format no network ipv6 enable Mode Privileged EXEC Format serviceport ipv6 address address prefix lengt...

Page 599: ...ice port interface no serviceport ipv6 gateway Use this command to remove IPv6 gateways on the service port interface serviceport ipv6 neighbor Use this command to manually add IPv6 neighbors to the IPv6 neighbor table for the service port If an IPv6 neighbor already exists in the neighbor table the entry is automatically converted to a static entry Static entries are not modified by the Format no...

Page 600: ...stateless global address autoconfiguration and to enable disable dhcpv6 client protocol information for the network port Multiple IPv6 addresses can be configured on the network port Format serviceport ipv6 neighbor ipv6 address macaddr Mode Privileged EXEC Parameter Description ipv6 address The IPv6 address of the neighbor or interface macaddr The link layer address Format no serviceport ipv6 nei...

Page 601: ...nt protocol on the network port network ipv6 gateway Use this command to configure IPv6 gateway i e default routers information for the network port no network ipv6 gateway Use this command to remove IPv6 gateways on the network port interface autoconfig Configure stateless global address autoconfiguration capability dhcp Configure dhcpv6 client protocol Parameter Description Format no network ipv...

Page 602: ...ding interface is operationally active no network ipv6 neighbor Use this command to remove IPv6 neighbors from the neighbor table show network ipv6 neighbors Use this command to display the information about the IPv6 neighbor entries cached on the network port The information is updated to show the type of the entry Format no network ipv6 gateway Mode Privileged EXEC Format network ipv6 neighbor i...

Page 603: ... IPv6 address of the neighbor MAC Address The MAC Address of the neighbor isRtr Shows if the neighbor is a router If TRUE the neighbor is a router FALSE it is not a router Neighbor State The state of the neighbor cache entry Possible values are Incomplete Reachable Stale Delay Probe and Unknown Age The time in seconds that has elapsed since an entry was added to the cache Last Updated The time in ...

Page 604: ...rough the default VLAN VLAN 1 as long as there is a physical path between the switch and the workstation The terminal interface sends three pings to the target station Use the ipv6 address hostname parameter to ping an interface by using the global IPv6 address of the interface The argument slot port corresponds to a physical routing Field Description IPv6 Address The IPv6 address of the neighbor ...

Page 605: ...network in band connection The source and target devices must have the ping utility enabled and running on top of TCP IP The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN VLAN 1 as long as there is a physical path between the switch and the workstation The terminal interface sends three pings to the target station You can use a network por...

Page 606: ...ce Use the interface keyword to ping an interface by using the link local address or the global IPv6 address of the interface size Use the optional size keyword to specify the size of the ping packet ipv6 address The link local IPv6 address of the device you want to query ...

Page 607: ...604 IPv6 Management Commands ...

Page 608: ... Policy Commands on page 628 DiffServ Service Commands on page 636 DiffServ Show Commands on page 638 MAC Access Control List Commands on page 648 IP Access Control List Commands on page 655 Time Range Commands for Time Based ACLs on page 687 Note The commands in this chapter are in one of two functional groups Show commands display switch settings statistics and other information Configuration co...

Page 609: ...can range from 0 7 The trafficclass values range from 0 7 no classofservice dot1p mapping This command maps each 802 1p priority to its default internal traffic class value classofservice ip dscp mapping This command maps an IP DSCP value to an internal traffic class The ipdscp value is specified as either an integer from 0 to 63 or symbolically through one of the following keywords af11 af12 af13...

Page 610: ...upported in future releases of the software because Dot1p is the default value Use the no classofservice trust command to set the mode to the default value no classofservice trust This command sets the interface mode to the default value cos queue min bandwidth This command specifies the minimum transmission bandwidth guarantee for each interface queue on an interface a range of interfaces or all ...

Page 611: ...o more than n queue id values are specified with this command Duplicate queue id values are ignored Each queue id value ranges from 0 to n 1 where n is the total number of queues supported per interface The number n 7 and corresponds to the number of supported queues traffic classes no cos queue random detect Use this command to disable WRED thereby restoring the default tail drop operation for th...

Page 612: ...per queue WRED activation control is not supported by the device Specific WRED parameters are configured using the random detect queue parms and the random detect exponential weighting constant commands When specified in Interface Config mode this command affects a single interface only whereas in Global Config mode it applies to all interfaces Modes Global Config Interface Config Format cos queue...

Page 613: ...d to configure WRED parameters for each drop precedence level supported by a queue It is used only when per COS queue configuration is enabled using the cos queue random detect command Format no random detect Modes Global Config Interface Config Format random detect exponential weighting constant 0 15 Modes Global Config Interface Config Format no random detect exponential weighting constant Modes...

Page 614: ...interfaces Also known as rate shaping traffic shaping has the effect of smoothing temporary traffic bursts over time so that the transmitted traffic rate is bounded Term Definition min thresh The minimum threshold the queue depth as a percentage where WRED starts marking and dropping traffic max thresh The maximum threshold is the queue depth as a percentage above which WRED marks drops all traffi...

Page 615: ...ce VLAN Commands on page 382 The following information is repeated for each user priority show classofservice ip dscp mapping This command displays the current IP DSCP mapping to internal traffic classes for the global configuration settings Modes Global Config Interface Config Format no traffic shape Modes Global Config Interface Config Format show classofservice dot1p mapping slot port Mode Priv...

Page 616: ...erface If specified the class of service queue configuration of the interface is displayed If omitted the most recent global configuration settings are displayed Term Definition IP DSCP The IP DSCP value Traffic Class The traffic class internal queue identifier to which the IP DSCP value is mapped Format show classofservice trust slot port Mode Privileged EXEC Term Definition Class of Service Trus...

Page 617: ...is a configured value Scheduler Type Indicates whether this queue is scheduled for transmission using a strict priority or a weighted scheme This is a configured value Queue Management Type The queue depth management technique used for this queue tail drop Term Definition Interface The slot port of the interface If displaying the global configuration this output line is replaced with a Global Conf...

Page 618: ...red 0 to n 1 WRED Minimum Threshold The configured minimum threshold the queue depth as a percentage where WRED starts marking and dropping traffic WRED Maximum Threshold The configured maximum threshold is the queue depth as a percentage above which WRED marks drops all traffic WRED Drop Probability The configured percentage probability that WRED will mark drop a packet when the queue depth is at...

Page 619: ...acket processing begins when the switch tests the match criteria for a packet The switch applies a policy to a packet when it finds a class match within that policy The following rules apply when you create a DiffServ class Each class can contain a maximum of one referenced nested class Class definitions do not support hierarchical service policies A given class definition can contain a maximum of...

Page 620: ... layer 2 packet header diffserv This command sets the DiffServ operational mode to active While disabled the DiffServ configuration is retained and can be changed but it is not activated When enabled DiffServ services are activated no diffserv This command sets the DiffServ operational mode to inactive While disabled the DiffServ configuration is retained and can be changed but it is not activated...

Page 621: ...te and re create the entire class The CLI command root is class map class map This command defines a DiffServ class of type match all When used without any match condition this command enters the class map mode The class map name is a case sensitive alphanumeric string from 1 to 31 characters uniquely identifying an existing DiffServ class Note The class map name default is reserved and must not b...

Page 622: ...erv class The class map name is the name of an existing DiffServ class The new class map name parameter is a case sensitive alphanumeric string from 1 to 31 characters uniquely identifying the class match ethertype This command adds to the specified class definition a match condition based on the value of the ethertype The ethertype value is specified as one of the following keywords appletalk arp...

Page 623: ...Note The match class map command has the following criteria The parameters refclassname and class map name can not be the same Only one other class may be referenced by a class Any attempts to delete the refclassname class while the class is still referenced by any class map name fails The combined match criteria of class map name and refclassname must be an allowed combination based on the class ...

Page 624: ...ing DiffServ class whose match conditions are being referenced by the specified class definition match cos This command adds to the specified class definition a match condition for the Class of Service value the only tag in a single tagged packet or the first or outer 802 1Q tag of a double VLAN tagged packet The value may be from 0 to 7 Use the not option to negate the match condition match secon...

Page 625: ... a packet The ipaddr parameter specifies an IP address The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits Use the not option to negate the match condition match dstl4port This command adds to the specified class definition a match condition based on the destination layer 4 port of a packet using a single keyword or numeric notation To speci...

Page 626: ... af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 be cs0 cs1 cs2 cs3 cs4 cs5 cs6 cs7 ef Use the not option to negate the match condition Note The IP DSCP IP Precedence and IP ToS match conditions are alternative ways to specify a match criterion for the same Service Type field in the IP header but with a slightly different user notation match ip precedence This command adds to the specified class...

Page 627: ... in tosbits that are used for comparison against the IP TOS field in a packet For example to check for an IP TOS value having bits 7 and 5 set and bit 1 clear where bit 7 is most significant use a tosbits value of a0 hex and a tosmask of a2 hex Use the not option to negate the match condition Note The IP DSCP IP Precedence and IP ToS match conditions are alternative ways to specify a match criteri...

Page 628: ...not option to negate the match condition Note This command does not validate the protocol number value against the current list defined by IANA match source address mac This command adds to the specified class definition a match condition based on the source MAC address of a packet The address parameter is any layer 2 MAC address formatted as six two digit hexadecimal numbers separated by colons e...

Page 629: ...ey values are domain echo ftp ftpdata http smtp snmp telnet tftp www Each of these translates into its equivalent port number which is used as both the start and end of a port range To specify the match condition as a numeric value one layer 4 port number is required The port number is an integer from 0 to 65535 Use the not option to negate the match condition match vlan This command adds to the s...

Page 630: ...e value of the layer 2 secondary VLAN Identifier field the inner 802 1Q tag of a double VLAN tagged packet The secondary VLAN ID is an integer from 0 to 4093 Use the not option to negate the match condition Mode Class Map Config Ipv6 Class Map Config Default none Format match not secondary vlan 0 4093 Mode Class Map Config Ipv6 Class Map Config ...

Page 631: ... more than one class preference is based on the order in which you add the classes to the policy The first class you add has the highest precedence This set of commands consists of policy creation deletion class addition removal and individual policy attributes Note The only way to remove an individual policy attribute from a class instance within a policy is to remove the class instance and re ad...

Page 632: ...cific egress interface physical port or port channel conform color Use this command to enable color aware traffic policing and define the conform color class map Used in conjunction with the police command where the fields for the conform level are specified The class map name parameter is the name of an existing DiffServ class map Format drop Mode Policy Class Map Config Incomp atibilitie s Assig...

Page 633: ...and causes the specified policy to create a reference to the class definition Note The CLI mode is changed to Policy Class Map Config when this command is successfully executed no class This command deletes the instance of a particular class and its defined treatment from the specified policy classname is the names of an existing DiffServ class Note This command removes the reference to the class ...

Page 634: ...ssentially means that the inner VLAN tag CoS is copied to the outer VLAN tag CoS The following shows an example of the command CN1610 Config policy classmap mark cos as sec cos mark ip dscp This command marks all packets for the associated traffic stream with the specified IP DSCP value The dscpval value is specified as either an integer from 0 to 63 or symbolically through one of the following ke...

Page 635: ...pecified in kilobits per second Kbps and is an integer from 1 to 4294967295 The conforming burst size is specified in kilobytes KB and is an integer from 1 to 128 For each outcome the only possible actions are drop set cos as sec cos set cos transmit set sec cos transmit set dscp transmit set prec transmit or transmit In this simple form of the police command the conform action defaults to transmi...

Page 636: ...form of the police command and is used to establish the traffic policing style for the specified class For each outcome the only possible actions are drop set cos as sec cost set cos transmit set sec cos transmit set dscp transmit set prec transmit or transmit In this single rate form of the police command the conform action defaults to send the exceed action defaults to drop and the violate actio...

Page 637: ... direction as indicated by the out parameter respectively Format police single rate 1 4294967295 1 128 1 128 conform action drop set cos as sec cos set cos transmit 0 7 set sec cos transmit 0 7 set prec transmit 0 7 set dscp transmit 0 63 transmit exceed action drop set cos as sec cos set cos transmit 0 7 set sec cos transmit 0 7 set prec transmit 0 7 set dscp transmit 0 63 transmit violate action...

Page 638: ...y is currently referenced by one or more interface service attachments this delete attempt fails policy map rename This command changes the name of a DiffServ policy The policyname is the name of an existing DiffServ class The newpolicyname parameter is a case sensitive alphanumeric string from 1 to 31 characters uniquely identifying the policy Format policy map policyname in out Mode Global Confi...

Page 639: ...ed by the in parameter or the outbound direction as indicated by the out parameter respectively The policyname parameter is the name of an existing DiffServ policy This command causes a service to create a reference to the policy Note This command effectively enables DiffServ on an interface in the inbound direction There is no separate interface administrative mode command for DiffServ Note This ...

Page 640: ...pectively The policyname parameter is the name of an existing DiffServ policy Note This command causes a service to remove its reference to the policy This command effectively disables DiffServ on an interface in the inbound direction or an interface in the outbound direction There is no separate interface administrative mode command for DiffServ Format no service policy in out policymapname Modes...

Page 641: ...n Class Name The name of this class Class Type A class type of all means every match criterion defined for the class is evaluated simultaneously and must all be true to indicate a class match Class Layer3 Protocol The Layer 3 protocol for this class Possible values are IPv4 and IPv6 Match Criteria The Match Criteria fields are only displayed if they have been configured Match criteria values are d...

Page 642: ...y the same order in which they were created Class Type A class type of all means every match criterion defined for the class is evaluated simultaneously and must all be true to indicate a class match Ref Class Name The name of an existing DiffServ class whose match conditions are being referenced by the specified class definition Format show diffserv Mode Privileged EXEC Term Definition DiffServ A...

Page 643: ...imum number of entries rows for the Policy Instance Table Policy Attribute Table Max Current Max The current and maximum number of entries rows for the Policy Attribute Table Service Table Size Current Max The current and maximum number of entries rows in the Service Table Term Definition Format show policy map policyname Mode Privileged EXEC Term Definition Policy Name The name of this policy Pol...

Page 644: ...ming packet Color aware mode takes into consideration the current packet marking when determining the policing outcome Conform COS The CoS mark value if the conform action is set cos transmit Conform DSCP Value The DSCP mark value if the conform action is set dscp transmit Conform IP Precedence Value The IP Precedence mark value if the conform action is set prec transmit Drop Drop a packet upon ar...

Page 645: ...P Precedence for traffic matching this class This is not displayed if mark ip precedence is not specified Mirror Copies a classified traffic stream to a specified egress port physical port or LAG This can occur in addition to any marking or policing action It may also be specified along with a QoS queue assignment Non Conform Action The current setting for the action taken on a packet considered t...

Page 646: ...ng transmission stream for an AP traffic class although average rate shaping could also be used Peak Burst Size PBS The network administrator can set the PBS as a means to limit the damage expedited forwarding traffic could inflict on other traffic e g a token bucket rate limiter Traffic that exceeds this limit is discarded Policing Style The style of policing if any used simple Redirect Forces a ...

Page 647: ...ction Mark CoS as Secondary CoS Exceed Action Mark CoS as Secondary CoS Non Conform Action Mark CoS as Secondary CoS Conform Color Mode Blind Exceed Color Mode Blind show diffserv service This command displays policy service information for the specified interface and direction The slot port parameter specifies a valid slot port number for the system Format show diffserv service slot port in Mode ...

Page 648: ...e indicated direction Policy Details Attached policy details whose content is identical to that described for the show policy map policymapname command content not repeated here for brevity Term Definition Format show diffserv service brief in Mode Privileged EXEC Term Definition DiffServ Mode The current setting of the DiffServ administrative mode An attached policy is only active on an interface...

Page 649: ...ed for each class instance within this policy show service policy This command displays a summary of policy oriented statistics information for all interfaces in the specified direction Format show policy map interface slot port in Mode Privileged EXEC Term Definition Interface slot port Direction The traffic direction of this interface service Operational Status The current operational status of ...

Page 650: ...nterface and direction only those interfaces configured with an attached policy are shown Mode Privileged EXEC Term Definition Interface slot port Operational Status The current operational status of this DiffServ service interface Policy Name The name of the policy attached to the interface ...

Page 651: ...command creates a MAC Access Control List ACL identified by name consisting of classification fields defined for the Layer 2 header of an Ethernet frame The name parameter is a case sensitive alphanumeric string from 1 to 31 characters uniquely identifying the MAC access list The rate limit attribute configures the committed rate and the committed burst size If a MAC ACL by this name already exist...

Page 652: ...ield The remaining command parameters are all optional but the most frequently used parameters appear in the same relative order as shown in the command format Note The no form of this command is not supported since the rules within a MAC ACL cannot be deleted individually Rather the entire MAC ACL must be deleted and respecified Note An implicit deny all MAC rule always terminates the access list...

Page 653: ... then the ACL rule is applied when the time range with specified name becomes active The ACL rule is removed when the time range with specified name becomes inactive For information about configuring time ranges see Time Range Commands for Time Based ACLs on page 687 The assign queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule The allow...

Page 654: ...ied to indicate the order of this mac access list relative to other mac access lists already assigned to this interface and direction A lower number indicates higher precedence order If a sequence number is already in use for this interface and direction the specified mac access list replaces the currently attached mac access list using that sequence number If the sequence number is not specified ...

Page 655: ...es that are defined for the MAC ACL Use the name parameter to identify a specific MAC ACL to display The rate limit attribute displays committed rate and committed burst size Note The command output varies based on the match criteria configured within the rules of an ACL Format mac access group name control plane in out vlan vlan id in out Modes Global Config Interface Config Parameter Description...

Page 656: ...ommitted burst size defined by the rate limit attribute Destination MAC Address The destination MAC address for this rule Ethertype The Ethertype keyword or custom value for this rule VLAN ID The VLAN identifier value or range for this rule COS The COS 802 1p value for this rule Log Displays when you enable logging for the rule Assign Queue The queue identifier to which packets matching this rule ...

Page 657: ...and CN1610 show mac access lists mac1 ACL Name mac1 Outbound Interface s control plane Rule Number 1 Action permit Source MAC Address 00 00 00 00 AA BB Source MAC Mask FF FF FF FF 00 00 Committed Rate 32 Committed Burst Size 16 Rule Status Status Active Inactive of the MAC ACL rule Term Definition ...

Page 658: ...rd masking for ACLs operates differently from a subnet mask A wildcard mask is in essence the inverse of a subnet mask With a subnet mask the mask has ones 1 s in the bit positions that are used for the network address and has zeros 0 s for the bit positions that are not used In contrast a wildcard mask has 0 s in a bit position that must be checked A 1 in a bit position of the ACL mask indicates ...

Page 659: ...psh ack ack urg urg established icmp type icmp type icmp code icmp code icmp message icmp message igmp type igmp type fragments precedence precedence tos tos tosmask dscp dscp time range time range name log assign queue queue id mirror redirect slot port rate limit rate burst size Mode Global Config Parameter Description 1 99 or 100 199 Range 1 to 99 is the access list number for an IP standard AC...

Page 660: ...t scrip Specifies a source IP address and source netmask for match condition of the IP ACL rule Specifying any specifies srcip as 0 0 0 0 and srcmask as 255 255 255 255 Specifying host A B C D specifies srcip as A B C D and srcmask as 0 0 0 0 Parameter Description ...

Page 661: ... the port range They have values from 0 to 65535 The ending port must have a value equal or greater than the starting port The starting port ending port and all ports in between will be part of the layer 4 port range When eq is specified the IP ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey When lt is specified IP ACL rule matches if the layer 4 p...

Page 662: ...rs dscp precedence tos tosmask Note tosmask is an optional parameter flag fin fin syn syn rst rst psh psh ack ack urg urg established Note This option is available only if the protocol is tcp Specifies that the IP ACL rule matches on the TCP flags When tcpflagname is specified a match occurs if the specified tcpflagname flag is set in the TCP header When tcpflagname is specified a match occurs if ...

Page 663: ...message implies that both icmp type and icmp code are specified The following icmp messages are supported echo echo reply host redirect mobile redirect net redirect net unreachable redirect packet too big port unreachable source quench router solicitation router advertisement time exceeded ttl exceeded and unreachable igmp type igmp type This option is available only if the protocol is igmp When i...

Page 664: ... this ACL rule is applied to an interface or bound to a VLAN the ACL rule is applied when the time range with specified name becomes active The ACL rule is removed when the time range with specified name becomes inactive For information about configuring time ranges see Time Range Commands for Time Based ACLs on page 687 assign queue queue id Specifies the assign queue which is the queue identifie...

Page 665: ...d deletes the IP ACL identified by name from the system ip access list rename This command changes the name of an IP Access Control List ACL The name parameter is the names of an existing IP ACL The newname parameter is a case sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IP access list This command fails is an IP ACL by the name newname already exists deny permit ...

Page 666: ...e specified time range If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN then the ACL rule is applied immediately If a time range with specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN then the ACL rule is applied when the time range Format deny permit ever...

Page 667: ... queue parameter is valid only for a permit rule The permit command s optional attribute rate limit allows you to permit only the allowed rate of traffic as per the configured rate in kbps and burst size in kbytes Parameter Description deny permit Specifies whether the IP ACL rule permits or denies the matching traffic Every Match every packet eigrp gre icmp igmp ip ipinip ospf pim tcp udp 0 255 S...

Page 668: ... value equal to or greater than the starting port The starting port ending port and all ports in between will be part of the layer 4 port range When eq is specified IP ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey When lt is specified IP ACL rule matches if the layer 4 port number is less than the specified port number or portkey It is equivalent...

Page 669: ...ameters dscp precedence tos tosmask tosmask is an optional parameter flag fin fin syn syn rst rst psh psh ack ack urg urg established Specifies that the IP ACL rule matches on the tcp flags When tcpflagname is specified a match occurs if specified tcpflagname flag is set in the TCP header When tcpflagname is specified a match occurs if specified tcpflagname flag is NOT set in the TCP header When e...

Page 670: ...are specified The following icmp messages are supported echo echo reply host redirect mobile redirect net redirect net unreachable redirect packet too big port unreachable source quench router solicitation router advertisement time exceeded ttl exceeded and unreachable The ICMP message is decoded into corresponding ICMP type and ICMP code within that ICMP type igmp type igmp type Note This option ...

Page 671: ...imitation on the ACL rule as defined by the parameter time range name If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN the ACL rule is applied immediately If a time range with specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN the ACL rule is applied when t...

Page 672: ... of the list To overcome this permit rules must be added to allow the IPv4 control packets Note The keyword control plane is only available in Global Config mode The following shows an example of the command CN1610 Config ip access group ip1 control plane no ip access group This command removes a specified IP ACL from an interface Default none Format ip access group accesslistnumber name control p...

Page 673: ...itch To view more detailed information about a specific access list specify the ACL number or name that is used to identify the IP ACL The rate limit attribute displays committed rate and committed burst size Mode Interface Config Global Config Default disabled Format acl trapflags Mode Global Config Format no acl trapflags Mode Global Config Format show ip access lists accesslistnumber name Mode ...

Page 674: ...L is applied ACL interface bindings VLAN s Identifies the VLANs to which the ACL is applied ACL VLAN bindings Term Definition Rule Number The number identifier for each rule that is defined for the IP ACL Action The action associated with each rule The possible values are Permit or Deny Match All Indicates whether this access list applies to every packet Possible values are True or False Protocol ...

Page 675: ... by the rate limit attribute Source IP Address The source IP address for this rule Source IP Mask The source IP Mask for this rule Source L4 Port Keyword The source port for this rule Destination IP Address The destination IP address for this rule Destination IP Mask The destination IP Mask for this rule Destination L4 Port Keyword The destination port for this rule IP DSCP The value specified for...

Page 676: ...be used as an alternate way to specify the LAG interface lag lag intf num can also be used to specify the LAG interface where lag intf num is the LAG port number Use the control plane keyword to display the ACLs applied on the CPU port Mirror Interface The unit slot port to which packets matching this rule are copied Redirect Interface The unit slot port to which packets matching this rule are for...

Page 677: ... Sequence Number An optional sequence number may be specified to indicate the order of this access list relative to other access lists already assigned to this interface and direction A lower number indicates higher precedence order If a sequence number is already in use for this interface and direction the specified access list replaces the currently attached access list using that sequence numbe...

Page 678: ...te the order of this access list relative to other access lists already assigned to this interface and direction A lower number indicates higher precedence order If a sequence number is already in use for this interface and direction the specified access list replaces the currently attached access list using that sequence number If the sequence number is not specified by the user a sequence number...

Page 679: ... an IPv6 Access Control List ACL identified by name consisting of classification fields defined for the IP header of an IPv6 frame The name parameter is a case sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IPv6 access list The rate limit attribute configures the committed rate and the committed burst size If an IPv6 ACL by this name already exists this command ente...

Page 680: ... on any value in that field The remaining command parameters are all optional but the most frequently used parameters appear in the same relative order as shown in the command format Note The no form of this command is not supported since the rules within an IPv6 ACL cannot be deleted individually Rather the entire IPv6 ACL must be deleted and respecified Format ipv6 access list rename name newnam...

Page 681: ...e for handling traffic that matches this rule The allowed queue id value is 0 n 1 where n is the number of user configurable queues available for the hardware platform The assign queue parameter is valid only for a permit rule The mirror parameter allows the traffic matching this rule to be copied to the specified slot port while the redirect parameter allows the traffic matching this rule to be f...

Page 682: ...and prefix length to match for the IPv6 ACL rule Specifying any implies specifying 0 Specifying host source ipv6 address implies matching the specified IPv6 address This source ipv6 address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16 bit values between colons Parameter Description ...

Page 683: ... ending port must have a value equal or greater than the starting port The starting port ending port and all ports in between are part of the layer 4 port range When eq is specified IPv6 ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey When lt is specified IPv6 ACL rule matches if the layer 4 port number is less than the specified port number or por...

Page 684: ...t values between colons dscp dscp Specifies the dscp value to match for for the IPv6 rule flag fin fin syn syn rst rst psh psh ack ack urg urg established Specifies that the IPv6 ACL rule matches on the tcp flags When tcpflagname is specified a match occurs if specified tcpflagname flag is set in the TCP header When tcpflagname is specified a match occurs if specified tcpflagname flag is NOT set i...

Page 685: ... icmp messages are supported destination unreachable echo reply echo request header hop limit mld query mld reduction mld report nd na nd ns next header no admin no route packet too big port unreachable router solicitation router advertisement router renumbering time exceeded and unreachable The ICMP message is decoded into the corresponding ICMP type and ICMP code within that ICMP type Fragments ...

Page 686: ...s imposing a time limitation on the ACL rule as defined by the parameter time range name If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN the ACL rule is applied immediately If a time range with the specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN the ACL...

Page 687: ...ike IGMPv6 are also dropped because of the implicit deny all rule added at the end of the list To overcome this permit rules must be added to allow the IPv6 control packets Note The keyword control plane is only available in Global Config mode The following shows an example of the command CN1610 Config ipv6 traffic filter ip61 control plane no ipv6 traffic filter This command removes an IPv6 ACL i...

Page 688: ...on Rule Number The ordered rule number identifier defined within the IPv6 ACL Action The action associated with each rule The possible values are Permit or Deny Match All Indicates whether this access list applies to every packet Possible values are True or False Protocol The protocol to filter for this rule Committed Rate The committed rate defined by the rate limit attribute Committed Burst Size...

Page 689: ...e value specified for IPv6 Flow Label Log Displays when you enable logging for the rule Assign Queue The queue identifier to which packets matching this rule are assigned Mirror Interface The slot port to which packets matching this rule are copied Redirect Interface The slot port to which packets matching this rule are forwarded Time Range Name Displays the name of the time range if the IPv6 ACL ...

Page 690: ...r one or more periodic time entries The name parameter is a case sensitive alphanumeric string from 1 to 31 characters that uniquely identifies the time range An alpha numeric string is defined as consisting of only alphabetic numeric dash underscore or space characters If a time range by this name already exists this command enters Time Range config mode to allow updating the time range entries N...

Page 691: ...olute time entry in the time range periodic Use this command to add a periodic time entry to a time range The time parameter is based off of the currently configured time zone The first occurrence of the days of the week argument is the starting day s from which the configuration that referenced the time range starts going into effect The second occurrence is the ending day or days from which the ...

Page 692: ...e periodic time entries that are defined for the time range Use the name parameter to identify a specific time range to display When name is not specified all the time ranges defined in the system are displayed The information in the following table displays when no time range name is specified Format periodic days of the week time to time Mode Time Range Config Format no periodic days of the week...

Page 693: ...me of the time range Status Status of the time range active inactive Periodic Entry count The number of periodic entries configured for the time range Absolute Entry Indicates whether an absolute entry has been configured for the time range Exists Term Definition ...

Page 694: ...e line 245 capture line wrap 247 capture remote port 247 capture start 244 capture stop 244 class 630 class map 618 class map rename 619 classofservice dot1p mapping 606 classofservice ip dscp mapping 606 classofservice ip precedence mapping 607 classofservice trust 607 clear aaa ias users 84 clear accounting statistics 87 clear authentication authentication history 417 clear authentication statis...

Page 695: ...receive 259 debug spanning tree bpdu transmit 260 debug tacacs 261 debug transfer 262 delete 143 deleteport Global Config 445 deleteport Interface Config 445 description 310 dhcp client vendor id option 485 dhcp client vendor id option string 485 dhcp l2relay 476 dhcp l2relay circuit id subscription 476 dhcp l2relay circuit id vlan 477 dhcp l2relay remote id subscription 478 dhcp l2relay remote id...

Page 696: ...y 224 filedescr 143 flowcontrol 386 flowcontrol symmetric asymmetric 386 H hostname 133 I interface 309 interface lag 454 ip access group 668 ip access list 662 ip access list rename 662 ip address conflict detect run 243 ip arp inspection filter 502 ip arp inspection limit 501 ip arp inspection trust 500 ip arp inspection validate 499 ip arp inspection vlan 499 ip arp inspection vlan logging 500 ...

Page 697: ...8 lldp transmit tlv 547 llpf 442 logging buffered 193 logging buffered wrap 193 logging cli command 194 logging console 194 logging email 202 logging email from addr 203 logging email logtime 204 logging email message type subject 204 logging email message type to addr 203 logging email test message type 205 logging email urgent 202 logging host 194 logging host reconfigure 195 logging host remove...

Page 698: ...s 107 no auto negotiate 309 no auto negotiate all 310 no boot host autoreboot 138 no boot host autosave 138 no boot host dhcp 137 no boot host retrycount 137 no bridge aging time 579 no capture line wrap 247 no class 630 no class map 619 no classofservice dot1p mapping 606 no classofservice ip dscp mapping 607 no classofservice trust 607 no clock summer time 233 no clock timezone 234 no cos queue ...

Page 699: ... no dvlan tunnel ethertype Interface Config 369 no enable authentication 60 no enable password Privileged EXEC 73 no exception core file 265 no exception dump compression 266 no exception dump filepath 264 no exception dump ftp server 266 no exception dump nfs 264 no exception dump tftp server 263 no exception protocol 263 no flowcontrol 386 no flowcontrol symmetric asymmetric 386 no ip access gro...

Page 700: ... no login authentication 69 no mac access group 652 no mac access list extended 648 no macfilter 471 no macfilter adddest 472 no macfilter adddest all 473 no macfilter addsrc 473 no macfilter addsrc all 474 no mail server 207 no match class map 621 no mode dot1q tunnel 370 no mode dvlan tunnel 370 no monitor 468 no monitor session 467 no mtu 311 no network ipv6 address 598 no network ipv6 enable 5...

Page 701: ...p groupmembership interval 511 no set igmp header validation 509 no set igmp interfacemode 510 no set igmp maxresponse 512 no set igmp mcrtrexpiretime 513 no set igmp mrouter 513 no set igmp mrouter interface 514 no set igmp querier 520 no set igmp querier election participate 522 no set igmp querier query interval 520 no set igmp querier timer expiry 521 no set igmp querier version 521 no set igm...

Page 702: ...orm control unicast 438 no storm control unicast level 438 no storm control unicast rate 439 no switchport access vlan 379 no switchport mode private vlan 374 no switchport mode 376 no switchport private vlan 374 no switchport protected Global Config 388 no switchport protected Interface Config 389 no switchport trunk allowed vlan 378 no switchport trunk native vlan 378 no tacacs server host 125 n...

Page 703: ... name 459 port channel static 454 port channel system priority 459 port security 540 port security mac address 541 port security mac address move 542 port security mac address sticky 542 port security max dynamic 540 port security max static 541 priority TACACS Config 128 private vlan 374 process cpu threshold 172 protocol group 358 protocol vlan group 359 protocol vlan group all 359 Q quit 218 R ...

Page 704: ...sflow receiver owner notimeout 277 sflow receiver owner timeout 276 sflow sampler 278 show aaa ias users 85 show access lists 673 show access lists vlan 674 show accounting 86 show accounting methods 87 show arp access list 507 show arp switch 145 show authentication authentication history 413 show authentication interface 413 show authentication methods 415 show authentication statistics 416 show...

Page 705: ...rce binding 497 show ip ssh 49 show ip verify interface 497 show ip verify source 496 show ipv6 access lists 685 show isdp 585 show isdp entry 587 show isdp interface 586 show isdp neighbors 589 show isdp traffic 590 show lacp actor 460 show lacp partner 460 show lldp 550 show lldp interface 550 show lldp local device 555 show lldp local device detail 556 show lldp med 560 show lldp med interface ...

Page 706: ...nfig 177 show running config interface 179 show serial 39 show service policy 646 show serviceport 35 show serviceport ipv6 neighbors 600 show sflow agent 280 show sflow pollers 281 show sflow receivers 281 show sflow samplers 283 show snmp 101 show snmp engineID 103 show snmp filters 103 show snmp group 104 show snmp source interface 104 show snmp user 105 show snmp views 105 show sntp 228 show s...

Page 707: ...spanning tree backbonefast 319 spanning tree bpdufilter 320 spanning tree bpdufilter default 321 spanning tree bpduflood 321 spanning tree bpduguard 321 spanning tree bpdumigrationcheck 322 spanning tree configuration name 322 spanning tree configuration revision 323 spanning tree cost 323 spanning tree edgeport 324 spanning tree forceversion 324 spanning tree forward time 325 spanning tree guard ...

Page 708: ...63 username snmpv3 authentication 63 username snmpv3 encryption 64 username snmpv3 encryption encrypted 65 username unlock 63 V vlan 351 vlan acceptframe 352 vlan association mac 362 vlan association subnet 361 vlan database 351 vlan ingressfilter 352 vlan makestatic 353 vlan name 353 vlan participation 353 vlan participation all 354 vlan port acceptframe all 355 vlan port ingressfilter all 356 vl...

Reviews:

No comments

Brands by name

Popular brands

Load more brands