SignaMax SC30010 Cli Reference Manual Download Page 337

Page: 337 / 671

Chapter 10

| Access Control Lists

ARP ACLs

– 337 –

Command Usage

◆

When you create a new ACL or enter configuration mode for an existing
ACL, use the

permit

deny

command to add new rules to the bottom of

the list. To create an ACL, you must add at least one rule to the list.

◆

To remove a rule, use the

no permit

no deny

command followed by the

exact text of a previously configured rule.

◆

An ACL can contain up to 128 rules.

Example

Console(config)#access-list arp factory
Console(config-arp-acl)#

Related Commands

permit, deny (337)
show access-list arp (338)

permit, deny

(ARP ACL

)

This command adds a rule to an ARP ACL. The rule filters packets matching a
specified source or destination address in ARP messages. Use the

form to

remove a rule.

Syntax

[

] {

permit

deny

}

{

any

host

source-ip

source-ip ip-address-bitmask

}

{

any

host

destination-ip | destination-ip ip-address-bitmask

}

mac

{

any

host

source-mac

source-mac mac-address-bitmask

}

[

any

host

destination-mac

destination-mac mac-address-bitmask

]

[

log

]

This form indicates either request or response packets.

[

] {

permit

deny

}

request

{

any

host

source-ip

source-ip ip-address-bitmask

}

{

any

host

destination-ip | destination-ip ip-address-bitmask

}

mac

{

any

host

source-mac

source-mac mac-address-bitmask

}

[

any

host

destination-mac

destination-mac mac-address-bitmask

]

[

log

]

[

] {

permit

deny

}

response

{

any

host

source-ip

source-ip ip-address-bitmask

}

{

any

host

destination-ip | destination-ip ip-address-bitmask

}

mac

{

any

host

source-mac

source-mac mac-address-bitmask

}

[

any

host

destination-mac

destination-mac mac-address-bitmask

]

[

log

]

source-ip

– Source IP address.

destination-ip

– Destination IP address with bitmask.

Summary of Contents for SC30010

Page 1: ...C 300 Series Gigabit Managed Switch CLI Reference Guide SOFTWARE RELEASE V1 1 10 171 www signamax com ...

Page 2: ...CLI Reference Guide SC30010 C 300 48 Port Gigabit Managed Switch E122017 KS R01 ...

Page 3: ...ribes the switch s command line interface CLI For more detailed information on the switch s key features or information about the web browser management interface refer to the Web Management Guide The guide includes these sections Section I Getting Started Includes information on initial configuration Section II Command Line Interface Includes all management options available through the CLI Secti...

Page 4: ...ation Note Emphasizes important information or calls your attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Revision History This section summarizes the changes in each revision of this guide Revision Date Change Description v1 1 10 171 12 2017 Initial release ...

Page 5: ...nagement 39 Using the Network Interface 39 Setting an IP Address 39 Enabling SNMP Management Access 45 Managing System Files 47 Upgrading the Operation Code 48 Saving or Restoring Configuration Settings 48 Automatic Installation of Operation Code and Configuration Settings 50 Downloading Operation Code from a File Server 50 Specifying a DHCP Client Identifier 53 Downloading Configuration Files Oth...

Page 6: ... Commands 64 Partial Keyword Lookup 66 Negating the Effect of Commands 66 Using Command History 66 Understanding Command Modes 66 Exec Commands 67 Configuration Commands 68 Command Line Processing 69 Showing Status Information 70 CLI Command Groups 71 3 General Commands 73 prompt 73 reload Global Configuration 74 enable 75 quit 76 show history 76 configure 77 disable 78 reload Privileged Exec 78 s...

Page 7: ...g 90 show system 90 show tech support 92 show users 93 show version 93 show watchdog 94 watchdog software 94 Fan Control 95 fan speed force full 95 Frame Size 95 jumbo frame 95 File Management 96 General Commands 97 boot system 97 copy 98 delete 102 dir 103 whichboot 104 Automatic Code Upgrade Commands 105 upgrade opcode auto 105 upgrade opcode path 106 upgrade opcode reload 107 show upgrade 108 T...

Page 8: ...18 disconnect 118 terminal 119 show line 120 Event Logging 121 logging command 121 logging facility 122 logging history 122 logging host 123 logging on 124 logging trap 125 clear log 125 show log 126 show logging 127 SMTP Alerts 128 logging sendmail 129 logging sendmail destination email 129 logging sendmail host 129 logging sendmail level 130 logging sendmail source email 131 show logging sendmai...

Page 9: ...ds 139 clock summer time date 139 clock summer time predefined 141 clock summer time recurring 142 clock timezone 143 calendar set 144 show calendar 145 Time Range 145 time range 146 absolute 146 periodic 147 show time range 148 Switch Clustering 149 cluster 150 cluster commander 150 cluster ip pool 151 cluster member 152 rcommand 152 show cluster 153 show cluster members 153 show cluster candidat...

Page 10: ... show snmp server enable port traps 164 SNMPv3 Commands 165 snmp server engine id 165 snmp server group 166 snmp server user 167 snmp server view 169 show snmp engine id 170 show snmp group 170 show snmp user 171 show snmp view 172 Notification Log Commands 173 nlm 173 snmp server notify filter 174 show nlm oper status 175 show snmp notify filter 175 Additional Trap Commands 176 memory 176 process...

Page 11: ...192 enable password 192 username 193 privilege 195 show privilege 195 Authentication Sequence 196 authentication enable 196 authentication login 197 RADIUS Client 198 radius server acct port 199 radius server auth port 199 radius server host 199 radius server key 200 radius server retransmit 201 radius server timeout 201 show radius server 202 TACACS Client 202 tacacs server host 203 tacacs server...

Page 12: ...ands 215 authorization exec 216 show accounting 216 show authorization 217 Web Server 218 ip http authentication 219 ip http port 219 ip http server 220 ip http secure port 220 ip http secure server 221 Telnet Server 222 ip telnet max sessions 223 ip telnet port 223 ip telnet server 224 telnet client 224 show ip telnet 225 Secure Shell 225 ip ssh authentication retries 228 ip ssh server 228 ip ssh...

Page 13: ...operation mode 239 dot1x port control 240 dot1x re authentication 240 dot1x timeout quiet period 241 dot1x timeout re authperiod 241 dot1x timeout supp timeout 242 dot1x timeout tx period 242 dot1x re authenticate 243 Supplicant Commands 243 dot1x timeout auth period 243 dot1x timeout held period 244 Information Display Commands 244 show dot1x 244 Management IP Filter 247 management 247 show manag...

Page 14: ...network access mac address table 266 show network access mac filter 267 Web Authentication 267 web auth login attempts 268 web auth quiet period 269 web auth session timeout 269 web auth system auth control 270 web auth 270 web auth re authenticate Port 271 web auth re authenticate IP 271 show web auth 272 show web auth interface 272 show web auth summary 273 DHCPv4 Snooping 273 ip dhcp snooping 2...

Page 15: ...3 ip source guard mode 294 clear ip source guard binding blocked 295 show ip source guard 296 show ip source guard binding 296 ARP Inspection 297 ip arp inspection 298 ip arp inspection filter 299 ip arp inspection log buffer logs 300 ip arp inspection validate 301 ip arp inspection vlan 301 ip arp inspection limit 302 ip arp inspection trust 303 show ip arp inspection configuration 304 show ip ar...

Page 16: ...k to uplink 315 show traffic segmentation 315 10 Access Control Lists 317 IPv4 ACLs 317 access list ip 318 permit deny Standard IP ACL 319 permit deny Extended IPv4 ACL 320 ip access group 322 show ip access group 323 show ip access list 323 IPv6 ACLs 324 access list ipv6 324 permit deny Standard IPv6 ACL 325 permit deny Extended IPv6 ACL 326 ipv6 access group 329 show ipv6 access group 330 show i...

Page 17: ...n 348 shutdown 349 speed duplex 349 clear counters 350 show interfaces brief 351 show interfaces counters 352 show interfaces history 355 show interfaces status 357 show interfaces switchport 358 Transceiver Threshold Configuration 359 transceiver monitor 359 transceiver threshold auto 360 transceiver threshold current 360 transceiver threshold rx power 361 transceiver threshold temperature 362 tr...

Page 18: ... key Ethernet Interface 377 lacp port priority 378 lacp system priority 379 lacp admin key Port Channel 380 lacp timeout 380 Trunk Status Display Commands 381 show lacp 381 show port channel load balance 385 13 Port Mirroring Commands 386 Local Port Mirroring Commands 386 port monitor 386 show port monitor 387 RSPAN Mirroring Commands 388 rspan source 390 rspan destination 391 rspan remote vlan 39...

Page 19: ...lear collision mac address table 406 clear mac address table dynamic 406 show collision mac address table 406 show mac address table 407 show mac address table aging time 408 show mac address table count 408 17 Spanning Tree Commands 410 spanning tree 411 spanning tree cisco prestandard 412 spanning tree forward time 413 spanning tree hello time 413 spanning tree max age 414 spanning tree mode 415...

Page 20: ...0 spanning tree mst port priority 431 spanning tree port bpdu flooding 432 spanning tree port priority 433 spanning tree root guard 433 spanning tree spanning disabled 434 spanning tree tc prop stop 435 spanning tree loopback detection release 435 spanning tree protocol migration 436 show spanning tree 437 show spanning tree mst configuration 439 show spanning tree tc prop 439 18 VLAN Commands 441...

Page 21: ...group Configuring Groups 458 protocol vlan protocol group Configuring Interfaces 459 show protocol vlan protocol group 460 show interfaces protocol vlan protocol group 461 Configuring MAC Based VLANs 461 mac vlan 462 show mac vlan 463 Configuring Voice VLANs 463 voice vlan 464 voice vlan aging 465 voice vlan mac address 466 switchport voice vlan 467 switchport voice vlan priority 468 switchport vo...

Page 22: ... cos 490 service policy 491 show class map 491 show policy map 492 show policy map interface 493 21 Multicast Filtering Commands 494 IGMP Snooping 494 ip igmp snooping 496 ip igmp snooping priority 496 ip igmp snooping proxy reporting 497 ip igmp snooping querier 498 ip igmp snooping router alert option check 498 ip igmp snooping router port expire time 499 ip igmp snooping tcn flood 499 ip igmp s...

Page 23: ...r ip igmp snooping statistics 512 show ip igmp snooping 512 show ip igmp snooping group 513 show ip igmp snooping mrouter 514 show ip igmp snooping statistics 515 Static Multicast Routing 518 ip igmp snooping vlan mrouter 518 IGMP Filtering and Throttling 519 ip igmp filter Global Configuration 520 ip igmp profile 520 permit deny 521 range 521 ip igmp filter Interface Configuration 522 ip igmp max...

Page 24: ...lan static 536 clear ipv6 mld snooping groups dynamic 537 clear ipv6 mld snooping statistics 537 show ipv6 mld snooping 538 show ipv6 mld snooping group 539 show ipv6 mld snooping group source list 539 show ipv6 mld snooping mrouter 540 show ipv6 mld snooping statistics 541 MLD Filtering and Throttling 545 ipv6 mld filter Global Configuration 546 ipv6 mld profile 546 permit deny 547 range 547 ipv6...

Page 25: ...ot1 tlv proto ident 563 lldp dot1 tlv proto vid 564 lldp dot1 tlv pvid 564 lldp dot1 tlv vlan name 565 lldp dot3 tlv link agg 565 lldp dot3 tlv mac phy 566 lldp dot3 tlv max frame 566 lldp med location civic addr 567 lldp med notification 568 lldp med tlv inventory 569 lldp med tlv location 570 lldp med tlv med cap 570 lldp med tlv network policy 571 lldp notification 571 show lldp config 572 show...

Page 26: ...ynamic provision 589 ip dhcp client class id 590 ip dhcp restart client 592 show ip dhcp dynamic provision 592 DHCP for IPv6 593 ipv6 dhcp client rapid commit vlan 593 ipv6 dhcp restart client vlan 594 show ipv6 dhcp duid 595 show ipv6 dhcp vlan 595 DHCP Relay 596 ip dhcp relay server 596 ip dhcp restart relay 597 25 IP Interface Commands 599 IPv4 Interface 599 Basic IPv4 Configuration 600 ip addr...

Page 27: ...ig 613 ipv6 address eui 64 615 ipv6 address link local 617 ipv6 enable 618 ipv6 mtu 619 show ipv6 default gateway 620 show ipv6 interface 620 show ipv6 mtu 623 show ipv6 traffic 623 clear ipv6 traffic 628 ping6 628 traceroute6 629 Neighbor Discovery 631 ipv6 nd dad attempts 631 ipv6 nd ns interval 632 ipv6 nd reachable time 634 clear ipv6 neighbors 635 show ipv6 neighbors 635 26 IP Routing Command...

Page 28: ...ute 638 SECTION III APPENDICES 641 A Troubleshooting 642 Problems Accessing the Management Interface 642 Using System Logs 643 B License Information 644 The GNU General Public License 644 Glossary 648 Commands 656 Index 662 ...

Page 29: ...guard display description 86 Table 11 show system display description 91 Table 12 show version display description 94 Table 13 Fan Control Commands 95 Table 14 Frame Size Commands 95 Table 15 Flash File Commands 97 Table 16 File Directory Information 104 Table 17 Line Commands 110 Table 18 Event Logging Commands 121 Table 19 Logging Levels 123 Table 20 show logging flash ram display description 12...

Page 30: ...lnet Server Commands 222 Table 44 Secure Shell Commands 225 Table 45 show ssh display description 234 Table 46 802 1X Port Authentication Commands 235 Table 47 Management IP Filter Commands 247 Table 48 General Security Commands 250 Table 49 Management IP Filter Commands 251 Table 50 show port security display description 255 Table 51 Network Access Commands 256 Table 52 Dynamic QoS Profiles 259 T...

Page 31: ...r Port Commands 386 Table 78 RSPAN Commands 388 Table 79 Congestion Control Commands 395 Table 80 Rate Limit Commands Interface 395 Table 81 Rate Limit Commands Storm Control 396 Table 82 Loopback Detection Commands 398 Table 83 Address Table Commands 404 Table 84 Spanning Tree Commands 410 Table 85 Recommended STA Path Cost Range 425 Table 86 Default STA Path Costs 425 Table 87 VLAN Commands 441 ...

Page 32: ...oping statistics query display description 543 Table 112 show ipv6 MLD snooping statistics summary display description 544 Table 113 MLD Filtering and Throttling Commands 545 Table 114 LLDP Commands 554 Table 115 LLDP MED Location CA Types 567 Table 116 Address Table Commands 578 Table 117 show dns cache display description 585 Table 118 show hosts display description 586 Table 119 DHCP Commands 5...

Page 33: ...Contents 33 Table 160 IP Routing Commands 637 Table 161 Global Routing Configuration Commands 637 Table 162 Troubleshooting Chart 642 ...

Page 34: ...ction I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP This section includes these chapters Initial Switch Configuration on page 35 ...

Page 35: ...sing a standard web browser such as Internet Explorer 9 Mozilla Firefox 39 or Google Chrome 44 or more recent versions The switch s web management interface can be accessed from any computer attached to the network The CLI program can be accessed by a direct connection to the RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent ...

Page 36: ...ch provides an RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible terminal or a PC running a terminal emulation program to the switch You can use the console cable provided with this package or use a null modem cable that complies with the wiring assignments show...

Page 37: ...level using the default user name and password perform these steps 1 To initiate your console connection press Enter The User Access Verification procedure starts 2 At the User Name prompt enter admin 3 At the Password prompt also enter admin The password characters are not displayed on the console screen 4 The session is opened and the CLI displays the Console prompt indicating you have access at...

Page 38: ... gateway use the ip default gateway command An IPv4 address for the switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignment via DHCP see Setting an IP Address on page 39 After configuring the switch s IP parameters you can access the onboard configuration program from anywhere within the attached network The onboard configuration program can b...

Page 39: ...he ip default gateway command Dynamic The switch can send IPv4 configuration requests to BOOTP or DHCP address allocation servers on the network or automatically generate a unique IPv6 host address based on the local subnet address prefix received in router advertisement messages An IPv6 link local address for use in a local network can also be dynamically generated as described in Obtaining an IP...

Page 40: ...nsole config if exit Console config ip default gateway 192 168 1 254 Assigning an IPv6 Address This section describes how to configure a link local address for connectivity within the local subnet only and also how to configure a global unicast address including a network prefix for use on a multi segment network and the host portion of the address An IPv6 prefix or address must be formatted accor...

Page 41: ...number of DAD attempts 3 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console Address for Multi segment Network Before you can assign an IPv6 address to the switch that will be used to connect to a multi segment netw...

Page 42: ...ch belongs type ipv6 default gateway gateway where gateway is the IPv6 address of the default gateway Press Enter Console config interface vlan 1 Console config if ipv6 address 2001 DB8 2222 7272 64 Console config if exit Console config ipv6 default gateway 2001 DB8 2222 7272 254 Console config end Console show ipv6 interface VLAN 1 is Administrative Up Link Up Address is 00 E0 0C 00 00 FD Index 1...

Page 43: ...necessary to use this command when DHCP is configured on a VLAN and the member ports which were previously shut down are now enabled If the bootp or dhcp option is saved to the startup config file step 6 then the switch will start broadcasting service requests as soon as it is powered on To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the net...

Page 44: ...80 FEBF This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet To generate an IPv6 link local address for the switch complete the following steps 1 From the Global Configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 Type ipv6 enable and press Enter Console config interface vlan 1 Console config ...

Page 45: ... the entire MIB tree However you may assign new views to version 1 or 2c community strings that suit your specific security requirements see snmp server view command Community Strings for SNMP version 1 and 2c clients Community strings are used to control management access to SNMP version 1 and 2c stations as well as to authorize SNMP stations to receive trap messages from the switch You therefore...

Page 46: ...e the snmp server host command The following example creates a trap host for each type of SNMP client Console config snmp server host 10 1 19 23 batman Console config snmp server host 10 1 19 98 robin version 2c Console config snmp server host 10 1 19 34 barbie version 3 auth Console config Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients you need to ...

Page 47: ...iguration settings from the factory defaults configuration file are copied to this file which is then used to boot the switch See Saving or Restoring Configuration Settings on page 48 for more information Operation Code System software that is executed after boot up also known as run time code This code runs the switch operations and provides the CLI and web management interfaces Diagnostic Code S...

Page 48: ...ogramming Write to FLASH finish Success Console config Console config boot system opcode m360 bix Console config exit Console dir File Name Type Startup Modified Time Size bytes Unit 1 SC3 52T_V1 1 10 171 bix OpCode Y 2017 11 01 05 35 52 8622340 Factory_Default_Config cfg Config N 2017 11 01 05 26 32 477 startup1 cfg Config Y 2017 11 01 05 26 35 2076 startup2 cfg Config N 2017 11 01 05 57 52 1700 ...

Page 49: ... config startup config and press Enter 2 Enter the name of the start up file Press Enter Console copy running config startup config Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console To restore configuration settings from a backup server enter the following command 1 From the Privileged Exec mode prompt type copy tftp startup config and press E...

Page 50: ...P TFTP service then use the to indicate this e g ftp 192 168 0 1 The file name must not be included in the upgrade file location URL The file name of the code stored on the remote server must be C 300 series bix using lower case letters as indicated The FTP connection is made with PASV mode enabled PASV mode is needed to traverse some fire walls even if FTP traffic is not blocked PASV mode cannot ...

Page 51: ...current file management operations are possible The upgrade operation code image is set as the startup image after it has been successfully written to the file system The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image To enab...

Page 52: ...d the switch will follow these steps when it boots up a It will search for a new version of the image at the location specified by upgrade opcode path command The name for the new image stored on the FTP SFTP TFTP server must be C 300 series bix If the switch detects a code version newer than the one currently in use it will download the new image If two code images are already stored in the switc...

Page 53: ... start session Automatic Upgrade is looking for a new image No new image detected User Access Verification Username admin Password CLI session with the SC30010 is opened To end the CLI session enter Exit Console dir File Name Type Startup Modified Time Size bytes Unit 1 SC3 52T_V1 1 10 171 bix OpCode Y 2017 11 01 05 35 52 8622340 SC3 52T_V1 1 9 4 bix OpCode N 2017 07 15 07 21 11 8572590 Factory_De...

Page 54: ...face vlan 2 Console config if ip dhcp client class id hex 0000e8666572 Console config if Downloading Configuration Files Other Parameters from a DHCP Server Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed as well as other parameters If the Factory Default Configuration file is used to...

Page 55: ...y with option 66 67 information the DHCP client request sent by this switch includes a parameter request list asking for this information Besides these items the client request also includes a vendor class identifier that allows the DHCP server to identify the device and select the appropriate configuration file for download This information is included in Option 55 and 124 The following configura...

Page 56: ...e name test Note Use sc30010 cfg for the vendor class identifier in the dhcpd conf file Setting the System Clock Simple Network Time Protocol SNTP or Network Time Protocol NTP can be used to set the switch s internal clock based on periodic updates from a time server Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries You can als...

Page 57: ... 2013 0 0 Console config To display the clock configuration settings enter the following command Console show calendar Current Time Jul 28 00 54 20 2015 Time Zone Japan 08 00 Summer Time SUMMER offset 60 minutes Apr 2 2013 00 00 to Jun 30 2015 00 00 Summer Time in Effect Yes Console Configuring SNTP Setting the clock based on an SNTP server can provide more accurate clock synchronization across ne...

Page 58: ...ation key 45 md5 thisiskey45 Console config ntp authenticate Console config ntp server 192 168 3 20 Console config ntp server 192 168 3 21 Console config ntp server 192 168 5 23 key 19 Console config exit Console show ntp Current Time Apr 29 13 57 32 2011 Polling 1024 seconds Current Mode unicast NTP Status Enabled NTP Authenticate Status Enabled Last Update NTP Server 192 168 0 88 Port 123 Last U...

Page 59: ...ommands on page 81 SNMP Commands on page 155 Remote Monitoring Commands on page 179 Flow Sampling Commands on page 186 Authentication Commands on page 191 General Security Measures on page 250 Access Control Lists on page 317 Interface Commands on page 342 Link Aggregation Commands on page 372 Power over Ethernet Commands on page 386 Port Mirroring Commands on page 386 Congestion Control Commands ...

Page 60: ...n page 441 Class of Service Commands on page 471 Quality of Service Commands on page 483 Multicast Filtering Commands on page 494 LLDP Commands on page 554 Domain Name Service Commands on page 578 DHCP Commands on page 588 IP Interface Commands on page 599 IP Routing Commands on page 637 ...

Page 61: ...the console port perform these steps 1 At the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI display...

Page 62: ...4 255 255 255 0 Console config if exit Console config ip default gateway 10 1 0 254 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isolated network then you can use any IP address that matches the network segment to which you are attached After you config...

Page 63: ...pe and 1 5 specifies the unit port You can enter commands as follows To enter a simple command enter the command keyword To enter multiple commands enter each command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter the following commands The default password super is used to change from Normal Exec to Privileged Exec mode Console...

Page 64: ...ts accounting Uses the specified accounting list arp Information of ARP cache authorization Enables EXEC accounting bridge ext Bridge extension information cable diagnostics Shows the information of cable diagnostics calendar Date and time information class map Displays class maps debug State of each debugging option dns DNS information dos protection Shows the system dos protection summary inform...

Page 65: ...Time range traffic segmentation Traffic segmentation information upgrade Shows upgrade information users Information about users logged in version System hardware and software versions vlan Shows virtual LAN settings voice Shows the voice VLAN information watchdog Displays watchdog status web auth Shows web authentication configuration Console show The command show interfaces will display the foll...

Page 66: ...ct for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or first modified and then executed Using the show history command displays a longer list of recently executed commands Understanding Comma...

Page 67: ...xec mode by entering the enable command followed by the privileged level password super To enter Privileged Exec mode enter the following user names and passwords Username admin Password admin login password CLI session with the SC30010 is opened To end the CLI session enter Exit Console Username guest Password guest login password CLI session with the SC30010 is opened To end the CLI session ente...

Page 68: ...ied traffic type IGMP Profile Sets a profile group and enters IGMP filter profile configuration mode Interface Configuration These commands modify the port configuration such as speed duplex and negotiation Line Configuration These commands modify the console port and Telnet configuration and include command such as parity and databits Multiple Spanning Tree Configuration These commands configure ...

Page 69: ...ng Table 2 Configuration Command Modes Mode Command Prompt Page Access Control List access list arp access list ip standard access list ip extended access list ipv6 standard access list ipv6 extended access list mac Console config arp acl Console config std acl Console config ext acl Console config std ipv6 acl Console config ext ipv6 acl Console config mac acl 336 318 318 324 324 331 Class Map cl...

Page 70: ...g end Console show ip igmp snooping mrouter VLAN M cast Router Ports Type Console configure Console config ip igmp snooping Console config end Console show ip igmp snooping mrouter VLAN M cast Router Ports Type 1 Eth 1 11 Static Console Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the h...

Page 71: ...revents unauthorized access by configuring valid static or dynamic addresses MAC address authentication filtering DHCP requests and replies and discarding invalid ARP responses 250 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code IPv6 frames based on address DSCP traffic class or next header or non IP frames based on MAC addre...

Page 72: ...eue also sets priority for DSCP 471 Quality of Service Configures Differentiated Services 483 Multicast Filtering Configures IGMP multicast filtering query profile and proxy parameters specifies ports attached to a multicast router also configures multicast VLAN registration and IPv6 MLD snooping 494 Link Layer Discovery Protocol Configures LLDP settings to enable information discovery about neigh...

Page 73: ...s the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffer NE PE configure Activates global configuration mode PE disable Returns to normal mode from privileged mode PE reload Restarts the system immediately PE show reload Displays the current reload settings ...

Page 74: ...od daily weekly day of week monthly day of month cancel at in regulary reload at A specified time at which to reload the switch hour The hour at which to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at which to reload Range 1970 2037 reload in An interval af...

Page 75: ...inutes Console config reload in minute 30 Rebooting at January 1 02 10 43 2016 Are you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additional information See Understanding Command Modes on page 66 Syntax enable level level Privilege level to log into the devi...

Page 76: ...ault Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Example This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username show history This command shows the contents of the command history buffer Default Setting None Command Mode Normal Exec Privileged...

Page 77: ...story buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the other c...

Page 78: ...ed to the end of the prompt to indicate that the system is in normal access mode Example Console disable Console Related Commands enable 75 reload Privileged Exec This command restarts the system Note When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config comman...

Page 79: ...ays 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode Default Setting None Command Mode Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console config if end Console exit ...

Page 80: ... Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username ...

Page 81: ...eed Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud rate and console time out Event Logging Controls logging of error messages SMTP Alerts Configures SMTP email alerts Time System Clock Sets the system clock automatically via NTP SNTP server or manually Time Range Sets...

Page 82: ...ommand line prompt Example Console config hostname RD 1 Console config System Status This section describes commands used to display system information Table 8 System Status Commands Command Function Mode show access list tcam utilization Shows utilization parameters for TCAM PE show license file Shows information on the installed license file required for the network ports PE show memory Shows me...

Page 83: ...s IPv4 ACL AE6S Egress IPv6 standard ACL AE6E Egress IPv6 extended ACL DEM Egress MAC diffServ DE4 Egress IPv4 diffServ DE6S Egress IPv6 standard diffServ DE6E Egress IPv6 extended diffServ W Web authentication I IP source guard C CPU interface L Link local MV Mac based VLAN PV Protocol based VLAN VV Voice VLAN R Routing QINQ QinQ Reserved Reserved ALL All supported function Unit Device Pool Total...

Page 84: ...00 00 00 2018 License Access List s 7N2DPboNoVfpYtNd5VASzli8yVdxD136 BV1 wfMkCdKjUZxUEypJYDi CrYkqqjupTX13XZnOykPj JI8rSCExCB6weC2LsvoKl3 MMxA4tY2hFhY7eEZsGeMXg 6ttHTlVGte3JAhKd38TWrb1GwgmVWubpaxiYI5Y6S TScnZ6VMiB2bSha349ejlk6BXgZx7Jsv G aoHnNYo HZwcjZrUIvjAPmzNfd94oM1ko5H4EgIGDOwbEhwIy bhSzLIhTKYgKXtC3nshvl1o l9Gw9Uv7qRVTROXasdfdfdfbvxbvsergerwert3453ferLwNwK3B75iyO5ZQMR33Vjzor3AveHue Table 9 sho...

Page 85: ...ers and alarm thresholds Command Mode Normal Exec Privileged Exec Command Usage This command shows the amount of memory currently free for use the amount of memory allocated to active processes the total amount of system memory and the alarm thresholds Example Console show memory Status Bytes Free 111706112 41 Used 156729344 59 Total 268435456 Alarm Configuration Rising Threshold 95 Falling Thresh...

Page 86: ...ent Threshold 500 packets per second Console Table 10 show process cpu guard display description Field Description CPU Guard Configuration Status Shows if CPU Guard has been enabled High Watermark If the percentage of CPU usage time is higher than the high watermark the switch stops packet flow to the CPU allowing it to catch up with packets already in the buffer until usage time falls below the l...

Page 87: ... 00 0 00 HTTP_TD 0 00 0 00 5 00 HW_WTDOG_TD 0 00 0 00 0 00 IML_TX 0 00 0 00 0 00 IP_SERVICE_GROU 0 00 0 00 0 00 KEYGEN_TD 0 00 0 00 0 00 L2_L4_PROCESS 0 00 0 00 4 00 L2MCAST_GROUP 0 00 0 00 0 00 L2MUX_GROUP 0 00 0 00 0 00 L4_GROUP 0 00 0 00 0 00 LACP_GROUP 0 00 0 00 0 00 MSL_TD 0 00 0 00 0 00 NETACCESS_GROUP 0 00 0 00 0 00 NETACCESS_NMTR 0 00 0 25 2 00 NETCFG_GROUP 0 00 0 00 0 00 NETCFG_PROC 0 00 ...

Page 88: ...0 0 00 SWCTRL_TD 0 00 0 00 0 00 SWDRV_MONITOR 21 00 19 25 21 00 SYS_MGMT_PROC 0 00 0 00 0 00 SYSDRV 0 00 0 00 0 00 SYSLOG_TD 0 00 0 00 0 00 SYSMGMT_GROUP 0 00 0 00 0 00 SYSTEM 0 00 0 00 0 00 UDLD_GROUP 0 00 0 00 0 00 WTDOG_PROC 0 00 0 00 0 00 XFER_GROUP 0 00 0 00 0 00 XFER_TD 0 00 0 00 0 00 Console show running config This command displays the configuration information currently in use Syntax show...

Page 89: ...iguration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for VLANs Spanning tree settings Interface settings Any configured settings for the console port and Telnet For security reasons user passwords are only displayed in encrypted format Example Console show running config stackingDB 00 stackingDB stackingMac 01_00 e0 0c 00 00 fd_03 stackin...

Page 90: ...figuration mode command and corresponding commands This command displays the following information MAC address for SNMP community strings SNMP trap authentication Users names and access levels VLAN database VLAN ID name and state Multiple spanning tree instances name and interfaces Interface settings and VLAN configuration settings for each interface IP address for VLANs Any configured settings fo...

Page 91: ...system System Up Time Length of time the management agent has been up System Name Name assigned to the switch system System Location Specifies the system location System Contact Administrator responsible for the system MAC Address MAC address assigned to this switch Web Server Port Shows administrative status of web server and UDP port number Web Secure Server Port Shows administrative status of s...

Page 92: ...opened To end the CLI session enter Exit Vty 2 show tech support dir File Name Type Startup Modified Time Size bytes Unit 1 SC3 52T_V1 1 10 171 bix OpCode Y 2017 11 01 05 35 52 8622340 Factory_Default_Config cfg Config N 2017 11 01 05 26 32 477 startup1 cfg Config Y 2017 11 01 05 26 35 2076 startup2 cfg Config N 2017 11 01 05 57 52 1700 Total space 32 MB show arp ARP Cache Timeout 1200 seconds IP ...

Page 93: ...Name Accounts User Name Privilege Public Key admin 15 None guest 0 None Online Users Line Session ID User Name Idle Time h m s Remote IP Addr Console 0 admin 0 00 01 Web Online Users Line User Name Idle Time h m s Remote IP Addr Console show version This command displays hardware and software version information for the system Command Mode Normal Exec Privileged Exec Example Console show version U...

Page 94: ...og software disable enable Default Setting Disabled Command Mode Privileged Exec Example Console watchdog software disable Console Table 12 show version display description Parameter Description Serial Number The serial number of the switch Hardware Version Hardware version of the main board Number of Ports Number of built in ports Main Power Status Displays the status of the internal power supply...

Page 95: ... Configuration Example Console config fan speed force full Console config Frame Size This section describes commands used to configure the Ethernet frame size on the switch jumbo frame This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports Use the no form to disable it Syntax no jumbo frame Table 13 Fan Control Commands Command Function Mode fan speed force...

Page 96: ...end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames The current setting for jumbo frames can be displayed with the show system command Example Console config jumbo frame Console config Related Commands show system 90 show ipv6 mtu 623 File Management Managing Firmware Firmware can be uploade...

Page 97: ...s boot system Specifies the file or image used to start up the system GC copy Copies a code image or a switch configuration to or from flash memory or an FTP SFTP TFTP server PE delete Deletes a file or code image PE dir Displays a list of files in flash memory PE whichboot Displays the files booted PE Automatic Code Upgrade Commands upgrade opcode auto Automatically upgrades the current image whe...

Page 98: ...le can later be downloaded to the switch to restore system operation The success of the file transfer depends on the accessibility of the FTP SFTP TFTP server and the quality of the network connection Syntax copy file file ftp running config sftp startup config tftp copy ftp add to running config file https certificate public key running config sftp startup config copy running config file startup ...

Page 99: ...ation code files but the maximum number of user defined configuration files is 16 You can use Factory_Default_Config cfg as the source to copy from the factory default configuration file but you cannot use it as the destination To replace the startup configuration you must use startup config as the destination The Boot ROM and Loader cannot be uploaded or downloaded from the FTP SFTP TFTP server Y...

Page 100: ...TP connection setup includes verification of the DSS signature creation of session keys creation of client server and server client ciphers SSH key exchange and user authentication An SFTP channel is then opened the SFTP protocol version compatibility verified and SFTP finally initialized The reload command will not be accepted during copy operations to flash memory Example The following example s...

Page 101: ...s example shows how to copy a secure site certificate from an TFTP server It then reboots the switch to activate the certificate Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public ke...

Page 102: ...code 1 Source file name startup2 cfg Destination file name startup2 cfg Login User Name admin Login User Password Press y to allow connect to new sftp server and N to deny connect to new sftp server y Success Console delete This command deletes a file or image Syntax delete file name filename https certificate public key username dsa rsa file Keyword that allows you to delete a file name Keyword i...

Page 103: ... test2 cfg configuration file from flash memory Console delete test2 cfg Console Related Commands dir 103 delete public key 230 dir This command displays a list of files in flash memory Syntax dir config opcode filename config Switch configuration file opcode Run time operation code image file filename Name of configuration file or code image If this file exists but contains errors information on ...

Page 104: ...5 2076 startup2 cfg Config N 2017 11 01 05 57 52 1700 Free space for user config files 2617187 Total space 32 MB Total space 32 MB Console whichboot This command displays which files were booted when the system powered up Syntax whichboot Default Setting None Command Mode Privileged Exec Table 16 File Directory Information Column Heading Description File Name The name of the file File Type File ty...

Page 105: ...etting Disabled Command Mode Global Configuration Command Usage This command is used to enable or disable automatic upgrade of the operational code When the switch starts up and automatic image upgrade is enabled by this command the switch will follow these steps when it boots up 1 It will search for a new version of the image at the location specified by upgrade opcode path command The name for t...

Page 106: ...succeeds Downloading new image Flash programming started Flash programming completed The switch will now restart upgrade opcode path This command specifies an TFTP server and directory in which the new opcode is stored Use the no form of this command to clear the current setting Syntax upgrade opcode path opcode dir url no upgrade opcode path opcode dir url The location of the new code Default Set...

Page 107: ...a null string will be used for the connection Example This shows how to specify a TFTP server where new code is stored Console config upgrade opcode path tftp 192 168 0 1 sm24 Console config This shows how to specify an FTP server where new code is stored Console config upgrade opcode path ftp admin billy 192 168 0 1 sm24 Console config upgrade opcode reload This command reloads the switch automat...

Page 108: ... Commands ip tftp retry This command specifies the number of times the switch can retry transmitting a request to a TFTP server after waiting for the configured timeout period and receiving no response Use the no form to restore the default setting Syntax ip tftp retry retries no ip tftp retry retries The number of times the switch can resend a request to a TFTP server before it aborts the connect...

Page 109: ...no ip tftp timeout seconds The the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out Range 1 65535 seconds Default Setting 5 seconds Command Mode Global Configuration Example Console config ip tftp timeout 10 Console config show ip tftp This command displays information about the TFTP settings configured on this switch Syntax show ip tftp Comm...

Page 110: ...umber of data bits per character that are interpreted and generated by hardware LC exec timeout Sets the interval that the command interpreter waits until user input is detected LC login Enables password checking at login LC parity Defines the generation of a parity bit LC password Specifies a password on a line LC password thresh Sets the password intrusion threshold which limits the number of fa...

Page 111: ...hown as VTY in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Console config line console Console config line Related Commands show line 120 show users 93 databits This command sets the number of data bits per character that are interpreted and generated by t...

Page 112: ... exec timeout This command sets the interval that the system waits until user input is detected Use the no form to restore the default Syntax exec timeout seconds no exec timeout seconds Integer that specifies the timeout interval Range 60 65535 seconds 0 no timeout Default Setting 10 minutes Command Mode Line Configuration Command Usage If user input is detected within the timeout interval the se...

Page 113: ...on by a single global password as specified by the password line configuration command When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When using this method the management interface starts in Normal Exec NE or Privileged Exec PE mode depending on th...

Page 114: ...e Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting Example To specify no parity enter this command Console config line console parity none Console config line console password This command specifies the password for a line Use the no form to remove the password Syntax password 0 7 password no password 0 7 0 means plain password 7 ...

Page 115: ...n FTP SFTP server during system bootup There is no need for you to manually configure encrypted passwords Example Console config line console password 0 secret Console config line console Related Commands login 113 password thresh 115 password thresh This command sets the password intrusion threshold which limits the number of failed logon attempts Use the no form to remove the threshold value Syn...

Page 116: ...ent console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command Use the no form to remove the silent time value Syntax silent time seconds no silent time seconds The number of seconds to disable console response Range 0 65535 where 0 means disabled Default Setting Disabled Command Mode Line Configuration Example To set the silent...

Page 117: ...nd Usage Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported Example To specify 57600 bps enter this command Console config line console speed 57600 Console config line console stopbits This command sets the number of the stop...

Page 118: ...nterval Range 10 300 seconds Default Setting 300 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout interval the connection is terminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting E...

Page 119: ...istory Use the no form with the appropriate keyword to restore the default setting Syntax terminal escape character ascii number character history size size length length terminal type ansi bbs vt 100 vt 102 width width escape character The keyboard character used to escape from current line input ascii number ASCII decimal equivalent Range 0 255 character Any valid keyboard character history The ...

Page 120: ...he terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec Example To show all lines enter this command Console show line Terminal Configuration for this session Length 24 Width 80 History Size 10 Escape Character ASCII number 27 Terminal ...

Page 121: ...de Global Configuration Table 18 Event Logging Commands Command Function Mode logging command Stores CLI command execution records in syslog RAM and flash GC logging facility Sets the facility type for remote logging of syslog messages GC logging history Limits syslog messages saved to switch memory based on severity GC logging host Adds a syslog server host IP address that will receive logging me...

Page 122: ...o logging facility type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the s...

Page 123: ...Console config logging host This command adds a syslog server host IP address that will receive logging messages Use the no form to remove a syslog server host Syntax logging host host ip address port udp port no logging host host ip address host ip address The IPv4 or IPv6 address of a syslog server Table 19 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informati...

Page 124: ...or messages sending debug or error messages to a logging process The no form disables the logging process Syntax no logging on Default Setting None Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers You can use the logging history command to control the type of error messages that are stored in memory ...

Page 125: ...evel through level 0 Default Setting Disabled Level 7 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example Console config logging trap level 4 Console confi...

Page 126: ...d Mode Privileged Exec Command Usage All log messages are retained in RAM and Flash after a warm restart i e power is reset through the command interface All log messages are retained in Flash and purged from RAM after a cold restart i e power is turned off and then on through the power source Example The following example shows the event message stored in RAM Console show log ram 1 00 01 30 2001 ...

Page 127: ... None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugging i e default level 7 0 Console show logging flash Global Configuration Syslog Logging Enabled Flash Logging Configuration History Logging in Flash Level Errors 3 Console show logging ram Gl...

Page 128: ...a the logging on command Remote Logging Configuration Status Shows if remote logging has been enabled via the logging trap command Facility Type The facility type for remote logging of syslog messages as specified in the logging facility command Level Type The severity threshold for syslog messages sent to a remote server as specified in the logging trap command Table 22 Event Logging Commands Com...

Page 129: ...a recipient Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Example Console config logging sendmail destination...

Page 130: ...g the last connection or the first server configured by this command If it fails to send mail the switch selects the next server in the list and tries to send mail again If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example Console config logging sendmail host 192 168 1 19 Console config logg...

Page 131: ...ield in alert messages Use the no form to restore the default value Syntax logging sendmail source email email address no logging sendmail source email email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configuration Command Usage You may use an symbolic email address that identifies the switch or the address of an administr...

Page 132: ...GC show sntp Shows current SNTP configuration settings NE PE sntp server Specifies one or more time servers GC NTP Commands ntp authenticate Enables authentication for NTP traffic GC ntp authentication key Configures authentication keys GC ntp client Enables the NTP client for time updates from specified servers GC ntp server Specifies NTP servers to poll for time updates GC show ntp Shows current...

Page 133: ...itch only records the time starting from the factory default set at the last bootup e g Dec 31 07 32 04 2014 This command enables client time requests to time servers specified via the sntp server command It issues time synchronization requests based on the interval set via the sntp poll command Example Console config sntp server 10 1 0 19 Console config sntp poll 60 Console config sntp client Con...

Page 134: ...h SNTP time requests are issued Use the this command with no arguments to clear all time servers from the current list Use the no form to clear all time servers from the current list or to clear a specific server Syntax sntp server ip1 ip2 ip3 no sntp server ip1 ip2 ip3 ip IPv4 or IPv6 address of a time server NTP or SNTP Range 1 3 addresses Default Setting None Command Mode Global Configuration C...

Page 135: ...s command displays the current time the poll interval used for sending time synchronization requests and the current SNTP mode i e unicast Example Console show sntp Current Time Nov 5 18 51 22 2015 Poll Interval 16 seconds Current Mode Unicast SNTP Status Enabled SNTP Server 137 92 140 80 137 92 140 90 137 92 140 99 Current Server 137 92 140 80 Console NTP Commands ntp authenticate This command en...

Page 136: ...n key or all keys from the current list Syntax ntp authentication key number md5 key no ntp authentication key number number The NTP authentication key ID number Range 1 65535 md5 Specifies that authentication is provided by using the message digest algorithm 5 key An MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces Default Setting No...

Page 137: ...ing Disabled Command Mode Global Configuration Command Usage The SNTP and NTP clients cannot be enabled at the same time First disable the SNTP client before using this command The time acquired from time servers is used to record accurate dates and times for log events Without NTP the switch only records the time starting from the factory default set at the last bootup e g Dec 10 16 04 43 2014 Th...

Page 138: ...ient mode It issues time synchronization requests based on the interval set with the ntp poll command The client will poll all the time servers configured the responses received are filtered and compared to determine the most reliable and accurate time update for the switch You can configure up to 50 NTP servers on the switch Re enter this command for each server you want to configure NTP authenti...

Page 139: ...rver 192 168 4 22 version 3 key 19 NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885 Console Manual Configuration Commands clock summer time date This command sets the start end and offset times of summer time daylight savings time for the switch on a one time basis Use the no form to disable summer time Syntax clock summer time name date b date b month b year b hour b minute e date e mo...

Page 140: ...ugh the summer months so that afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn This command sets the summer time time zone relative to the currently configured time zone To specify a time corresponding to your local time when summe...

Page 141: ... forward one hour at the start of spring and then adjusted backward in autumn This command sets the summer time time relative to the configured time zone To specify the time corresponding to your local time when summer time is in effect select the predefined summer time time zone appropriate for your location or manually configure summer time if these predefined configurations do not apply to your...

Page 142: ... 1 30 characters b week The week of the month when summer time will begin Range 1 5 b day The day of the week when summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b month The month when summer time will begin Options january february march april may june july august september october november december b hour The hour when summer time will begin Range 0 23 ho...

Page 143: ...te the number of minutes your summer time time zone deviates from your regular time zone that is the offset Example The following example sets a recurring 60 minute offset summer time to begin on the Friday of the 1st week of March at 01 59 hours and summer time to end on the Saturday of the 2nd week of November at 01 59 hours Console config clock summer time MESZ recurring 1 friday march 01 59 3 ...

Page 144: ...ore or west after of UTC Example Console config clock timezone Japan hours 8 minute 0 after UTC Console config Related Commands show sntp 135 calendar set This command sets the system clock It may be used if there is no time server on your network or if you have not configured the switch to receive signals from a time server Syntax calendar set hour min sec day month year month day year hour Hour ...

Page 145: ...mple Console show calendar Current Time May 13 14 08 18 2014 Time Zone UTC 08 00 Summer Time Not configured Summer Time in Effect No Console Time Range This section describes the commands used to sets a time range for use by other functions such as Access Control Lists Table 25 Time Range Commands Command Function Mode time range Specifies the name of a time range and enters time range configurati...

Page 146: ...ximum of eight rules can be configured for a time range Example Console config time range r d Console config time range Related Commands Access Control Lists 317 absolute This command sets the absolute time range for the execution of a command Use the no form to remove a previously specified time Syntax absolute start hour minute day month year end hour minutes day month year absolute end hour min...

Page 147: ...res the time for the single occurrence of an event Console config time range r d Console config time range absolute start 1 1 1 april 2009 end 2 1 1 april 2009 Console config time range periodic This command sets the time range for the periodic execution of a command Use the no form to remove a previously specified time range Syntax no periodic daily friday monday saturday sunday thursday tuesday ...

Page 148: ... current time is within the absolute time range and one of the periodic time ranges Example This example configures a time range for the periodic occurrence of an event Console config time range sales Console config time range periodic daily 1 1 to 2 1 Console config time range show time range This command shows configured time ranges Syntax show time range name name Name of the time range Range 1...

Page 149: ...N 4093 Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate switches only become cluster Members when manually selected by the administrator through the management station The cluster VLAN 4093 is not configured by default Before using clustering take the following actions to set up this VLAN 1 Create V...

Page 150: ...is enabled on the switch the default is disabled then set the switch as a Cluster Commander Set a Cluster IP Pool that does not conflict with any other IP subnets in the network Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander Switch clusters are limited to the same Ethernet broadcast domain There can be...

Page 151: ... prompt use the rcommand id command to connect to the Member switch Example Console config cluster commander Console config cluster ip pool This command sets the cluster IP address pool Use the no form to reset to the default address Syntax cluster ip pool ip address no cluster ip pool ip address The base IP address for IP addresses assigned to cluster Members The IP address must start 10 x x x De...

Page 152: ...didate switch as a cluster Member Use the no form to remove a Member switch from the cluster Syntax cluster member mac address mac address id member id no cluster member id member id mac address The MAC address of the Candidate switch member id The ID number to assign to the Member switch Range 1 36 Default Setting No Members Command Mode Global Configuration Command Usage The maximum number of cl...

Page 153: ...LI session with the SC30010 is opened To end the CLI session enter Exit Vty 0 show cluster This command shows the switch clustering configuration Command Mode Privileged Exec Example Console show cluster Role commander Interval Heartbeat 30 Heartbeat Loss Count 3 seconds Number of Members 1 Number of Candidates 2 Console show cluster members This command shows the current switch cluster members Co...

Page 154: ...didates This command shows the discovered Candidate switches in the network Command Mode Privileged Exec Example Console show cluster candidates Cluster Candidates Role MAC Address Description Candidate join 00 E0 0C 00 00 FE SC30010 Candidate 00 12 CF 0B 47 A0 SC30010 Console ...

Page 155: ...ty Sets up the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string GC show snmp Displays the status of SNMP communications NE PE SNMP Target Host Commands snmp server enable traps Enables the device to send SNMP traps i e SNMP notifications GC snmp server host Specifies the recipient...

Page 156: ...falls outside the specified thresholds IC Port transceiver threshold temperature Sends a trap when the transceiver temperature falls outside the specified thresholds IC Port transceiver threshold tx power Sends a trap when the power level of the transmitted signal power outside the specified thresholds IC Port transceiver threshold voltage Sends a trap when the transceiver voltage falls outside th...

Page 157: ...mmunity string Syntax snmp server community string ro rw no snmp server community string string Community string that acts like a password and permits access to the SNMP protocol Maximum length 32 characters case sensitive Maximum number of strings 5 ro Specifies read only access Authorized management stations are only able to retrieve MIB objects rw Specifies read write access Authorized manageme...

Page 158: ...em contact information Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Console config snmp server contact Paul Console config Related Commands snmp server location 158 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that d...

Page 159: ... the snmp server enable traps command Example Console show snmp SNMP Agent Enabled SNMP Traps Authentication Enabled MAC notification Disabled MAC notification interval 1 second s SNMP Communities 1 public and the access level is read only 2 private and the access level is read write 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supp...

Page 160: ...d Usage If you do not enter an snmp server enable traps command no notifications controlled by this command are sent In order to configure this device to send SNMP notifications you must enter at least one snmp server enable traps command If you enter the command with no keywords both authentication notifications are enabled If you enter the command with a keyword only the notification type relate...

Page 161: ...e recipient does not acknowledge receipt Range 0 255 Default 3 seconds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by its...

Page 162: ...rap message does not send a response to the switch Traps are therefore not as reliable as inform messages which include a request for acknowledgement of receipt Informs can be used to ensure that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic Yo...

Page 163: ... an SNMPv3 group will be automatically created by the snmp server host command using the name of the specified community string and default settings for the read write and notify view Example Console config snmp server host 10 1 19 23 batman Console config Related Commands snmp server enable traps 160 snmp server enable port traps link up down This command enables the device to send SNMP traps i e...

Page 164: ...on traps on the current interface only if they are also enabled at the global level with the snmp server enable traps mac authentication command Example Console config interface ethernet 1 1 Console config if snmp server enable port traps mac notification Console config show snmp server enable port traps This command shows if SNMP traps are enabled or disabled for the specified interfaces Syntax s...

Page 165: ...esides either on this switch or on a remote device This engine protects against message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See the snmp server host command The remote engine ID is used to compute the security...

Page 166: ...yview no snmp server group groupname groupname Name of an SNMP group Range 1 32 characters v1 v2c v3 Use SNMP version 1 2c or 3 auth noauth priv This group uses SNMPv3 with authentication no authentication or with authentication and privacy See Simple Network Management Protocol in the Web Management Guide for further information about these authentication and encryption options readview Defines t...

Page 167: ...ve a user from an SNMP group Syntax snmp server user username groupname v1 v2c v3 encrypted auth md5 sha auth password priv 3des aes128 aes192 aes256 des56 priv password snmp server user username groupname remote ip address v3 encrypted auth md5 sha auth password priv 3des aes128 aes192 aes256 des56 priv password no snmp server user username v1 v2c v3 remote ip address v3 username Name of user con...

Page 168: ... i e the command specifies a remote engine identifier must be configured to identify the source of SNMPv3 inform messages sent from the local switch The SNMP engine ID is used to compute the authentication privacy digests from the password You should therefore configure the engine ID with the snmp server engine id command before using this configuration command Before you configure a remote user u...

Page 169: ... a branch within the MIB tree Wild cards can be used to mask a specific portion of the OID string Refer to the examples included Defines an included view excluded Defines an excluded view Default Setting defaultview includes access to the entire MIB tree Command Mode Global Configuration Command Usage Views are used in the snmp server group command to restrict user access to specified portions of ...

Page 170: ...ups are provided SNMPv1 read only access and read write access and SNMPv2c read only access and read write access Command Mode Privileged Exec Example Console show snmp group Group Name r d Security Model v3 Security Level Authentication and privacy Read View No readview specified Write View No writeview specified Notify View No notifyview specified Table 28 show snmp engine id display description...

Page 171: ...Volatile Row Status Active Group Name private Security Model v2c Read View defaultview Write View defaultview Notify View No notifyview specified Storage Type Volatile Row Status Active Console show snmp user This command shows information on SNMP users Command Mode Privileged Exec Table 29 show snmp group display description Field Description Group Name Name of an SNMP group Security Model The SN...

Page 172: ...ation on the SNMP views Command Mode Privileged Exec Example Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type permanent Table 30 show snmp user display description Field Description Engine ID String identifying the engine ID User Name Name of user connecting to the SNMP agent Group Name Name of an SNMP group Security Model The user security model SNM...

Page 173: ...enabled by default but will not start recording information until a logging profile specified by the snmp server notify filter command is enabled by the nlm command Disabling logging with this command does not delete the entries stored in the notification log Example This example enables the notification log A1 Console config nlm A1 Console config Table 31 show snmp view display description Field ...

Page 174: ... or Informs that may exceed retransmission limits The Notification Log MIB NLM RFC 3014 provides an infrastructure in which information from other MIBs may be logged Given the service provided by the NLM individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost and applications can poll th...

Page 175: ...he show snmp notify filter command Example This example first creates an entry for a remote host and then instructs the switch to record this device as the remote host for the specified notification log Console config snmp server host 10 1 19 23 batman Console config snmp server notify filter A1 remote 10 1 19 23 Console show nlm oper status This command shows the operational status of configured ...

Page 176: ...larm expressed in percentage Range 1 100 falling threshold Falling threshold for memory utilization alarm expressed in percentage Range 1 100 Default Setting Rising Threshold 90 Falling Threshold 70 Command Mode Global Configuration Command Usage Once the rising alarm threshold is exceeded utilization must drop beneath the falling threshold before the alarm is terminated and then exceed the rising...

Page 177: ...ld again before another alarm is triggered Example Console config process cpu rising 80 Console config process cpu falling 60 Console Related Commands show process cpu 85 process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second Use the no form of this co...

Page 178: ...e if CPU utilization exceeds the high watermark in percentage of CPU usage time or exceeds the maximum threshold in the number of packets being processed by the CPU Default Setting Guard Status Disabled High Watermark 90 Low Watermark 70 Maximum Threshold 500 packets per second Minimum Threshold 50 packets per second Trap Status Disabled Command Mode Global Configuration Command Usage Once the hig...

Page 179: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent then periodically communicates with the switch using the SNMP protocol However if the switch encounters a critical event it can automatically send a trap message to the management agent which can then re...

Page 180: ...acted from the current value and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 0 2147483647 event index The index of the event to use if an alarm is triggered If there is no corresponding entry in the event control table then no event will be generated Range 1 65535 name Name of the person who created this entry Range 1 127 characters...

Page 181: ...orm to remove an event Syntax rmon event index log trap community description string owner name no rmon event index index Index to this entry Range 1 65535 log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see Event Logging on page 121 trap Sends a trap message to all configured trap managers see the...

Page 182: ...econds interval seconds owner name buckets number interval seconds no rmon collection history controlEntry index index Index to this entry Range 1 65535 number The number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name of the person who created this entry Range 1 32 characters Default Setting 1 3 6 1 4 1 259 10 1 43 104 1 1 3 6 1 4 1 25...

Page 183: ...le for port 8 Console config interface ethernet 1 5 Console config if rmon collection history controlEntry 15 Console config if end Console show running config interface ethernet 1 5 rmon collection history controlEntry 15 buckets 50 interval 1800 interface ethernet 1 8 no rmon collection history controlEntry 15 Example Console config interface ethernet 1 1 Console config if rmon collection histor...

Page 184: ...s Example Console config interface ethernet 1 1 Console config if rmon collection rmon1 controlentry 1 owner mike Console config if show rmon alarms This command shows the settings for all configured alarms Command Mode Privileged Exec Example Console show rmon alarms Alarm 1 is valid owned by Monitors 1 3 6 1 2 1 16 1 1 1 6 1 every 30 seconds Taking delta samples last value was 0 Rising threshold...

Page 185: ...ragments and 0 jabbers packets 0 CRC alignment errors and 0 collisions of dropped packet events is 0 Network utilization is estimated at 0 show rmon statistics This command shows the information collected for all configured entries in the statistics group Command Mode Privileged Exec Example Console show rmon statistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Rec...

Page 186: ... the sFlow datagrams generated by the sFlow agent of the switch sflow owner This command creates an sFlow collector on the switch Use the no form to remove the sFlow receiver Syntax sflow owner owner name timeout timeout value destination ipv4 address ipv6 address port destination udp port max datagram size max datagram size version v4 v5 no sflow owner owner name owner name Name of the collector ...

Page 187: ...er Default Setting No owner is configured UDP Port 6343 Version v4 Maximum Datagram Size 1400 bytes Command Mode Privileged Exec Command Usage Use the sflow owner command to create an owner instance of an sFlow collector If the socket port maximum datagram size and datagram version are not specified then the default values are used Once an owner is created the sflow owner command can again be used...

Page 188: ...ples will be taken at specified intervals and sent to a collector ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 instance id An instance ID used to identify the sampling source Range 1 owner name The associated receiver to which the samples will be sent Range 1 30 alphanumeric characters polling interval The time interval at which the sFlow process adds counter ...

Page 189: ...ort Port number Range 1 52 instance id An instance ID used to identify the sampling source Range 1 owner name The associated receiver to which the samples will be sent Range 1 30 alphanumeric characters sample rate The packet sampling rate or the number of packets out of which one sample will be taken Range 256 16777215 packets max header size The maximum size of the sFlow datagram header Range 64...

Page 190: ...r name The associated receiver to which the samples are sent Range 1 30 alphanumeric characters interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 Command Mode Privileged Exec Example Console show sflow interface ethernet 1 2 Receiver Owner Name stat1 Receiver Timeout 99633 sec Receiver Destination 192 168 32 32 Receiver Socket Port 6343 Maximum Datagram S...

Page 191: ...s and passwords for management access and assigns a privilege level to specified command groups or individual commands Authentication Sequence Defines logon authentication method and precedence RADIUS Client Configures settings for authentication via a RADIUS server TACACS Client Configures settings for authentication via a TACACS server AAA Configures authentication authorization and accounting f...

Page 192: ... designed for users guest managers network maintenance and administrators top level access The other levels can be used to configured specialized access profiles Level 0 7 provide the same default access privileges all within Normal Exec mode under the Console command prompt Level 8 14 provide the same default access privileges including additional commands in Normal Exec mode and a subset of comm...

Page 193: ...ally configure encrypted passwords Example Console config enable password level 15 0 admin Console config Related Commands enable 75 authentication enable 196 username This command adds named users requires authentication at login specifies or changes a user s password or specify that no password is required or specifies or changes a user s access level Use the no form to remove a user name Syntax...

Page 194: ...privilege level 8 can access all commands assigned to privilege levels 7 0 according to default settings and to any other commands assigned to levels 7 0 using the privilege command nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 32 characters plain text or enc...

Page 195: ... the default settings described for the access level parameter under the username command Range 0 15 command Specifies any command contained within the specified mode Default Setting Privilege level 0 provides access to a limited number of the commands which display the current status of the switch as well as several database clear and reset functions Level 8 provides access to all display status ...

Page 196: ...n can be used to define the authentication method and sequence authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command Use the no form to restore the default Syntax authentication enable local radius tacacs no authentication enable local Use local password only radius Use...

Page 197: ...le radius tacacs local the user name and password on the RADIUS server is verified first If the RADIUS server is not available then authentication is attempted on the TACACS server If the TACACS server is not available the local user name and password is checked Example Console config authentication enable radius Console config Related Commands enable password sets the password for changing comman...

Page 198: ...cked Example Console config authentication login radius Console config Related Commands username for setting the local user names and passwords 193 RADIUS Client Remote Authentication Dial in User Service RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS aware devices on the network An authentication server contains a database of m...

Page 199: ... port 181 Console config radius server auth port This command sets the RADIUS server network port Use the no form to restore the default Syntax radius server auth port port number no radius server auth port port number RADIUS server UDP port used for authentication messages Range 1 65535 Default Setting 1812 Command Mode Global Configuration Example Console config radius server auth port 181 Conso...

Page 200: ...ining blank spaces in double quotes Maximum length 48 characters retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting auth port 1812 acct port 1813 timeout 5 seconds retransmit 2 Command Mode Global Configuration Example Console con...

Page 201: ... Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example Console config radius server retransmit 5 Console config radius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeo...

Page 202: ...ation Port Number 1812 Accounting Port Number 1813 Retransmit Times 2 Request Timeout 5 Server 1 Server IP Address 192 168 1 1 Authentication Port Number 1812 Accounting Port Number 1813 Retransmit Times 2 Request Timeout 5 RADIUS Server Group Group Name Member Index radius 1 Console TACACS Client Terminal Access Controller Access Control System TACACS is a logon authentication protocol that uses ...

Page 203: ...imum length 48 characters port number TACACS server TCP port used for authentication messages Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 timeout Number of seconds the switch waits for a reply before resending a request Range 1 540 Default Setting authentication port 49 timeout 5 seconds retransmit 2 Command Mode Global...

Page 204: ...enticate logon access for the client Enclose any string containing blank spaces in double quotes Maximum length 48 characters Default Setting None Command Mode Global Configuration Example Console config tacacs server key green Console config tacacs server port This command specifies the TACACS server network port Use the no form to restore the default Syntax tacacs server port port number no taca...

Page 205: ...S server Range 1 30 Default Setting 2 Command Mode Global Configuration Example Console config tacacs server retransmit 5 Console config tacacs server timeout This command sets the interval between transmitting authentication requests to the TACACS server Use the no form to restore the default Syntax tacacs server timeout number of seconds no tacacs server timeout number of seconds Number of secon...

Page 206: ...d Accounting AAA feature provides the main framework for configuring access control on the switch The AAA functions require the use of configured RADIUS or TACACS servers in the network Table 40 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands GC aaa accounting dot1x Enables accounting of 802 1X services GC aaa accounting exec Enables accounting o...

Page 207: ...mand server group Specifies the name of a server group configured with the aaa group server command Range 1 64 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration server Configures the IP address of a server in a group list SG accounting dot1x Applies an accounting method to an interface for 802 1X service requests IC accounting commands ...

Page 208: ...adius tacacs server group no aaa accounting dot1x default method name default Specifies the default accounting method for service requests method name Specifies an accounting method for service requests Range 1 64 characters start stop Records accounting from starting point and stopping point group Specifies the server group to use radius Specifies all RADIUS hosts configure with the radius server...

Page 209: ...e 1 64 characters start stop Records accounting from starting point and stopping point group Specifies the server group to use radius Specifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 64 charact...

Page 210: ...ues periodic interim accounting records for all users on the system Using the command without specifying an interim interval enables updates but does not change the current interval setting Example Console config aaa accounting update periodic 30 Console config aaa authorization commands This command enables the authorization of Exec mode commands Use the no form to disable the authorization servi...

Page 211: ...ACS servers Note that the default and method name fields are only used to describe the authorization method s configured on the specified TACACS server and do not actually send any information to the server about the methods to use Example Console config aaa authorization commands 15 default start stop group tacacs Console config aaa authorization exec This command enables the authorization for Ex...

Page 212: ...enabled before authorization is enabled If this command is issued without a specified named method the default method list is applied to all interfaces or lines where this authorization type applies except those that have a named method explicitly defined Example Console config aaa authorization exec default group tacacs Console config aaa group server Use this command to name a group of security ...

Page 213: ...rver that server index must already be defined by the radius server host command When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command Example Console config aaa group server radius tps Console config sg radius server 10 2 68 120 Console config sg radius accounting dot1x This command applies an accounting method for 802 1X service...

Page 214: ... executing commands Range 0 15 default Specifies the default method list created with the aaa accounting commands command list name Specifies a method list created with the aaa accounting commands command Default Setting None Command Mode Line Configuration Example Console config line console Console config line accounting commands 15 default Console config line accounting exec This command applie...

Page 215: ...es an authorization method to entered CLI commands Use the no form to disable authorization for entered CLI commands Syntax authorization commands level default list name no authorization commands level level The privilege level for executing commands Range 0 15 default Specifies the default method list created with the aaa authorization commands command list name Specifies a method list created w...

Page 216: ... config line console Console config line authorization exec tps Console config line exit Console config line vty Console config line authorization exec default Console config line show accounting This command displays the current accounting settings per function and per port Syntax show accounting commands level dot1x statistics username user name interface interface exec statistics statistics com...

Page 217: ...counting Type EXEC Method List default Group List tacacs Interface vty Accounting Type Commands 0 Method List default Group List tacacs Interface Accounting Type Commands 15 Method List default Group List tacacs Interface Console show authorization This command displays the current authorization settings per function and per port Syntax show authorization commands level exec commands Displays comm...

Page 218: ... the switch Note Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 300 seconds Table 41 Web Server Commands Command Function Mode ip http authentication Sets the method list for EXEC authorization of an EXEC session GC ip http port Specifies the port to be used by the web browser interface GC ip http server Allows the switch to be monitored or config...

Page 219: ...uests list name Specifies a method list created with the aaa authorization commands command Default Setting None Command Mode Global Configuration Example Console config ip http authentication aaa exec authorization default Console config Related Commands aaa authorization commands 210 ip http server 220 show system 90 ip http port This command specifies the TCP port number used by the web browser...

Page 220: ...erver Default Setting Enabled Command Mode Global Configuration Example Console config ip http server Console config Related Commands ip http authentication 219 show system 90 ip http secure port This command specifies the TCP port number used for HTTPS connection to the switch s web interface Use the no form to restore the default port Syntax ip http secure port port_number no ip http secure port...

Page 221: ...e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Command Usage Both HTTP and HTTPS service can be enabled independently on the switch However you cannot configure the HTTP and HTTPS servers to use the same UDP port If you enable HTTPS you must indicate this in t...

Page 222: ...ated Commands ip http secure port 220 copy tftp https certificate 98 show system 90 Telnet Server This section describes commands used to configure Telnet management access to the switch Table 42 HTTPS System Support Web Browser Operating System Internet Explorer 11 or later Windows 7 8 10 Mozilla Firefox 40 or later Windows 7 8 10 Linux Google Chrome 45 or later Windows 7 8 10 Table 43 Telnet Ser...

Page 223: ...n count no ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 8 Default Setting 8 sessions Command Mode Global Configuration Command Usage A maximum of eight sessions can be concurrently opened for Telnet and Secure Shell i e both Telnet and SSH share a maximum number of eight sessions Example Console config ip telnet max sessions 1 Console config ip telnet p...

Page 224: ...function Syntax no ip telnet server Default Setting Enabled Command Mode Global Configuration Example Console config ip telnet server Console config telnet client This command accesses a remote device using a Telnet connection Syntax telnet host host IP address or alias of a remote device Command Mode Privileged Exec Example Console telnet 192 168 2 254 Connect To 192 168 2 254 WARNING MONITORED A...

Page 225: ...h authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables the SSH server on the switch GC ip ssh server key size Sets the SSH server key size GC ip ssh timeout Specifies the authentication timeout for the SSH server GC copy tftp public key Copies the user s public key from a TFTP server to the switch PE delete public key Deletes the public key for the sp...

Page 226: ...sts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 108259132128902337654680172627257141342876294130119619556678259566410486957427 888146206519417467729848654686157177393901647793559423035774130980227370877945 4524083971752646358058176716709574804776117 3 Import Clien...

Page 227: ...ding to the public keys stored on the switch can access it The following exchanges take place during this process Authenticating SSH v1 5 Clients a The client sends its RSA public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses its secret key to generate a random 256 bit string as a challenge encrypts this string with ...

Page 228: ...rface address on the switch ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting Syntax ip ssh authentication retries count no ip ssh authentication retries count The number of authentication attempts permitted after which the interface is reset Range 1 5 Default Setting 3 Command M...

Page 229: ...DSA and RSA host keys before enabling the SSH server Example Console ip ssh crypto host key generate dsa Console configure Console config ip ssh server Console config Related Commands ip ssh crypto host key generate 231 show ssh 234 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting Syntax ip ssh server key size key size no ip ssh server...

Page 230: ...Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Console config ip ssh timeout 60 Console config Related Commands exec timeout 112 show ip ssh 233 delete publi...

Page 231: ... switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and ...

Page 232: ...emory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Console ip ssh crypto zeroize dsa Console Related Commands ip ssh crypto host key generate 231 ip ssh save host key 232 no ip ssh server 228 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ssh s...

Page 233: ...hows all public keys Command Mode Privileged Exec Command Usage If no parameters are entered all keys are displayed If the user keyword is entered but no user name is specified then the public keys for all users are displayed When an RSA key is displayed the first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 35 and the last string is the enc...

Page 234: ...fdrKX7YKBw Kjw6Bm iFq7O jAhf1Dg45loAc27s6TLdtny1wRq ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF DjKGWtPNIQqabKgYCw2 o dVzX4Gg yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 w0W Console show ssh This command displays the current SSH server connections Command Mode Privileged Exec Example Console show ssh Connection Version State User...

Page 235: ...packet to the client before it times out the authentication session IC dot1x operation mode Allows single or multiple hosts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeout quiet period Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting ...

Page 236: ...apol pass through dot1x port control dot1x port control multi host max count dot1x operation mode dot1x max req dot1x timeout quiet period dot1x timeout tx period dot1x timeout re authperiod dot1x timeout sup timeout dot1x re authentication dot1x intrusion action Example Console config dot1x default Console config dot1x system auth control This command enables IEEE 802 1X port authentication globa...

Page 237: ...o dot1x intrusion action block traffic Blocks traffic on this port guest vlan Assigns the user to the Guest VLAN Default block traffic Command Mode Interface Configuration Command Usage For guest VLAN assignment to be successful the VLAN must be configured and set as active see the vlan database command and assigned as the guest VLAN for the port see the network access guest vlan command A port ca...

Page 238: ...t 2 Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x max reauth req 2 Console config if dot1x max req This command sets the maximum number of times the switch port will retransmit an EAP request identity packet to the client before it times out the authentication session Use the no form to restore the default Syntax dot1x max req count no dot1x ...

Page 239: ...ws multiple hosts to connect to this port with each host needing to be authenticated Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command In multi host mode only one host connected to a port needs to pass authentication for all other hosts to be g...

Page 240: ...t force authorized Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x port control auto Console config if dot1x re authentication This command enables periodic re authentication for a specified port Use the no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Command Usage The re authenticatio...

Page 241: ...fault Syntax dot1x timeout quiet period seconds no dot1x timeout quiet period seconds The number of seconds Range 1 65535 Default 60 seconds Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x timeout quiet period 350 Console config if dot1x timeout re authperiod This command sets the time period after which a connected client must be re authentica...

Page 242: ...er than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to the client to request its identity followed by one or more requests for authentication information It may also send other EAP request frames to the client during an active connection as required for ...

Page 243: ... Privileged Exec Command Usage The re authentication process verifies the connected client s user ID and password on the RADIUS server During re authentication the client remains connected the network and the process is handled transparently by the dot1x client software Only if re authentication fails is the port blocked Example Console dot1x re authenticate Console Supplicant Commands dot1x timeo...

Page 244: ...licant port waits before resending its credentials to find a new an authenticator Use the no form to reset the default Syntax dot1x timeout held period seconds no dot1x timeout held period seconds The number of seconds Range 1 65535 Default 60 seconds Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x timeout held period 120 Console config if Info...

Page 245: ...ion Periodic re authentication page 240 Reauth Period Time after which a connected client must be re authenticated page 241 Quiet Period Time a port waits after Max Request Count is exceeded before attempting to acquire a new client page 241 TX Period Time a port waits during authentication session before re transmitting EAP packet page 242 Supplicant Timeout Supplicant timeout Server Timeout Serv...

Page 246: ...t received from the Authentication Server Reauthentication State Machine State Current state including initialize reauthenticate Example Console show dot1x Global 802 1X Parameters System Auth Control Enabled Authenticator Parameters EAPOL Pass Through Disabled 802 1X Port Summary Port Type Operation Mode Control Mode Authorized Eth 1 1 Disabled Single Host Force Authorized Yes Eth 1 2 Disabled Si...

Page 247: ...d Use the no form to restore the default setting Syntax no management all client http client snmp client telnet client start address end address all client Adds IP address es to all groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group start address A single IP address or the starting address of ...

Page 248: ...ing addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and re enter the addresses You can delete an address range just by specifying the start address or by specifying both the start address and end address Example This example restricts management access to the indicated a...

Page 249: ... Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 SNMP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 TELNET Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 Console ...

Page 250: ...hentication Access Control Lists DHCP Snooping and then IPv4 Source Guard Configures secure addresses for a port 802 1X Port Authentication Configures host authentication on specific ports using 802 1X Network Access Configures MAC authentication and dynamic VLAN assignment Web Authentication Configures Web authentication Access Control Lists Provides filtering for IP frames based on address proto...

Page 251: ...ll be detected and the switch can automatically take action by disabling the port and sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning Syntax no mac learning Default Setting Enabled Command Mode Interface Configuration Ethernet or Port Channel Command Usage The no mac learning command immediately...

Page 252: ...address learning for port 2 Console config interface ethernet 1 2 Console config if no mac learning Console config if Related Commands show interfaces status 357 port security This command enables or configures port security Use the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation...

Page 253: ...will learn up to the maximum number of allowed address pairs source MAC address VLAN for frames received on the port The specified maximum address count is effective when port security is enabled or disabled Note that you can manually add additional secure addresses to a port using the mac address table static command When the port has reached the maximum number of MAC addresses the port will stop...

Page 254: ...w port security interface interface interface Specifies a port interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 Command Mode Privileged Exec Example This example shows the port security settings and number of secure addresses for all ports Console show port security Global Port Security Parameters Secure MAC Aging Mode Disabled Port Security Port Summary...

Page 255: ... 2 Port Security Enabled Port Status Secure Up Intrusion Action None Max MAC Count 0 Current MAC Count 0 MAC Filter Disabled Last Intrusion MAC NA Last Time Detected Intrusion MAC NA Console This example shows information about a detected intrusion Console show port security interface ethernet 1 2 Global Port Security Parameters Secure MAC Aging Mode Disabled Port Security Details Port 1 2 Port Se...

Page 256: ...od after which a connected MAC address must be re authenticated GC network access dynamic qos Enables the dynamic quality of service feature IC network access dynamic vlan Enables dynamic VLAN assignment from a RADIUS server IC network access guest vlan Specifies the guest VLAN IC network access max mac count Sets the maximum number of MAC addresses that can be authenticated on a port via all form...

Page 257: ...nfigured by the MAC Address Authentication process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host or MAC Based authentication as described on page 239 The maximum number of secure MAC addresses supported for the switch system is 1024 Example Console config network access aging Console config ne...

Page 258: ...filter table Example Console config network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authenticated Use the no form of this command to restore the default value Syntax mac authentication reauth time seconds no mac authentication reauth time seconds The reauth...

Page 259: ...nment the switch restores the original QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port has an assigned dynamic QoS profile any manual QoS configuration changes only take effect after all users have logged off of the port Table 52 Dyn...

Page 260: ...rface Configuration Command Usage When enabled the VLAN identifiers returned by the RADIUS server through the 802 1X authentication process will be applied to the port providing the VLANs have already been created on the switch The VLAN settings specified by the first authenticated MAC address are implemented for a port Other authenticated MAC addresses on the port must have same VLAN configuratio...

Page 261: ...isabled Command Mode Interface Configuration Command Usage The VLAN to be used as the guest VLAN must be defined and set as active See the vlan database command When used with 802 1X authentication the intrusion action must be set for guest vlan to be effective see the dot1x intrusion action command A port can only be assigned to the guest VLAN in case of failed authentication if switchport mode i...

Page 262: ...on Use this command to enable network access authentication on a port Use the no form of this command to disable network access authentication Syntax no network access mode mac authentication Default Setting Disabled Command Mode Interface Configuration Command Usage When enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server...

Page 263: ...ifier list is carried in the Tunnel Private Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t where u indicates untagged VLAN and t tagged VLAN The Tunnel Type attribute should be set to VLAN and the Tunnel Medium Type attribute set to 802 Example Console config if network access mode mac authentication Console config if network access port mac filter Use t...

Page 264: ... action Default Setting Block Traffic Command Mode Interface Configuration Example Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication Use the no form of this command to restore the default Syntax mac authenticatio...

Page 265: ...x xx xx interface Specifies a port interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 Default Setting None Command Mode Privileged Exec Example Console clear network access mac address table interface ethernet 1 1 Console show network access Use this command to display the MAC authentication settings for port interfaces Syntax show network access interface...

Page 266: ...namic address mac address mask interface interface sort address interface static Specifies static address entries dynamic Specifies dynamic address entries mac address Specifies a MAC address entry Format xx xx xx xx xx xx mask Specifies a MAC address bit mask for filtering displayed addresses interface Specifies a port interface ethernet unit port unit Unit identifier Range Always 1 port Port num...

Page 267: ...and Mode Privileged Exec Example Console show network access mac filter Filter ID MAC Address MAC Mask 1 00 00 01 02 03 08 FF FF FF FF FF FF Console Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802 1X or Network Access authentication are infeasible or impractical The web authentication feature allows unauthenticated hosts to reque...

Page 268: ...eb auth login attempts Defines the limit for failed web authentication login attempts GC web auth quiet period Defines the amount of time to wait after the limit for failed login attempts is exceeded GC web auth session timeout Defines the amount of time a session remains valid GC web auth system auth control Enables web authentication globally for the switch GC web auth Enables web authentication...

Page 269: ...cation again Range 1 180 seconds Default Setting 60 seconds Command Mode Global Configuration Example Console config web auth quiet period 120 Console config web auth session timeout This command defines the amount of time a web authentication session remains valid When the session timeout has been reached the host is logged off and must re authenticate itself the next time data transmission takes...

Page 270: ... system auth control for the switch and web auth for an interface must be enabled for the web authentication feature to be active Example Console config web auth system auth control Console config web auth This command enables web authentication for an interface Use the no form to restore the default Syntax no web auth Default Setting Disabled Command Mode Interface Configuration Command Usage Bot...

Page 271: ...Command Mode Privileged Exec Example Console web auth re authenticate interface ethernet 1 2 Console web auth re authenticate IP This command ends the web authentication session associated with the designated IP address and forces the user to re authenticate Syntax web auth re authenticate interface interface ip interface Specifies a port interface ethernet unit port unit Unit identifier Range Alw...

Page 272: ...Console show web auth interface This command displays interface specific web authentication parameters and statistics Syntax show web auth interface interface interface Specifies a port interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 Command Mode Privileged Exec Example Console show web auth interface ethernet 1 2 Web Auth Status Enabled Host Summary IP...

Page 273: ...ping globally GC ip dhcp snooping information option Enables or disables the use of DHCP Option 82 information and specifies frame format for the remote id GC ip dhcp snooping information option encode no subtype Disables use of sub type and sub length for the CID RID in Option 82 information GC ip dhcp snooping information option remote id Sets the remote ID to the switch s IP address MAC address...

Page 274: ...amic entries learned via DHCP snooping ip dhcp snooping information option circuit id Enables or disables the use of DHCP Option 82 information circuit id suboption IC ip dhcp snooping trust Configures the specified interface as trusted IC ip dhcp snooping max number configures the maximum number of DHCP clients which can be supported per interface IC ip dhcp snooping information option circuit id...

Page 275: ...client such as a DECLINE or RELEASE message the switch forwards the packet only if the corresponding entry is found in the binding table If the DHCP packet is from client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address verification is disabled as specified by the ip dhcp snooping verify mac address command However if MAC address verification is e...

Page 276: ...no form with the encode no subtype keyword to enable use of sub type and sub length in CID RID fields or the no form with the remote id keyword to set the remote ID to the switch s MAC address encoded in hexadecimal Syntax ip dhcp snooping information option encode no subtype remote id ip address encode ascii hex mac address encode ascii hex string string no ip dhcp snooping information option enc...

Page 277: ...ed rather than just their MAC address DHCP client server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets When enabled the switch will only add remove option 82 information in incoming DHCP packets but not relay them Packets are pro...

Page 278: ... node identifier ASCII string Default is the MAC address of the switch s CPU This field is set by the ip dhcp snooping information option command eth The second field is the fixed string eth slot The slot represents the stack unit for this system port The port which received the DHCP request If the packet arrives over a trunk the value is the ifIndex of the trunk vlan Tag of the VLAN which receive...

Page 279: ...nooping information option remote id ip address encode mac address encode tr101 no vlan field mac address Inserts a MAC address in the remote ID sub option for the DHCP snooping agent that is the MAC address of the switch s CPU ip address Inserts an IP address in the remote ID sub option for the DHCP snooping agent that is the IP address of the management interface encode Indicates encoding in ASC...

Page 280: ...n remote id tr101 node identifier ip Console config ip dhcp snooping information option tr101 board id This command sets the board identifier used in Option 82 information based on TR 101 syntax Use the no form to remove the board identifier Syntax ip dhcp snooping information option tr101 board id board id no ip dhcp snooping information option tr101 board id board id TR101 Board ID Range 0 9 Def...

Page 281: ...switch can be configured to set the action policy for these packets The switch can either drop the DHCP packets keep the existing information or replace it with the switch s relay information Example Console config ip dhcp snooping information policy drop Console config ip dhcp snooping verify mac address This command verifies the client s hardware address stored in the DHCP packet against the sou...

Page 282: ...de Global Configuration Command Usage When DHCP snooping is enabled globally using the ip dhcp snooping command and enabled on a VLAN with this command DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command When the DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes w...

Page 283: ...system name as the node identifier tr101 no vlan field Do not add VLAN in TR101 field for untagged packets Default Setting VLAN Unit Port Command Mode Interface Configuration Ethernet Port Channel Command Usage DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server DHCP Option 82 allows compatible DHCP servers to use the information when as...

Page 284: ...fault settings described above The format for TR101 option 82 is IP eth SID PORT VLAN Note that the SID Switch ID is always 0 By default the PVID is added to the end of the TR101 field for untagged packets For tagged packets the VLAN ID is always added Use the ip dhcp snooping information option remote id tr101 no vlan field command to remove the VLAN ID from the end of the TR101 field for untagge...

Page 285: ...according to the default status or as specifically configured for an interface with the no ip dhcp snooping trust command When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Additional considerations when the switch itself is a DHCP client The port s through which it submits a client request to the DHCP server must be con...

Page 286: ...e is an interface that is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall Set all ports connected to DHCP servers within the local network or fire wall to trusted and all other ports outside the local network or fire wall to untrusted When DHCP snooping is enabled globall...

Page 287: ...ding This command clears DHCP snooping binding table entries from RAM Use this command without any optional keywords to clear all entries from the binding table Syntax clear ip dhcp snooping binding mac address ip address mac address Specifies a MAC address entry Format xx xx xx xx xx xx ip address Specifies the IP address bound to this entry Command Mode Privileged Exec Example Console clear ip d...

Page 288: ...guration settings Command Mode Privileged Exec Example Console show ip dhcp snooping Global DHCP Snooping Status disabled DHCP Snooping Information Option Status disabled DHCP Snooping Information Option Sub option Format extra subtype included DHCP Snooping Information Option Remote ID MAC Address hex encoded DHCP Snooping Information Option Remote ID TR101 VLAN Field enabled DHCP Snooping Inform...

Page 289: ...ies to use the IPv4 address of a neighbor to access the network This section describes commands used to configure IPv4 Source Guard Table 57 IPv4 Source Guard Commands Command Function Mode ip source guard binding Adds a static address to the source guard binding table GC ip source guard Configures the switch to filter inbound traffic based on source IP address or source IP address and correspondi...

Page 290: ...s Range 1 4094 ip address A valid unicast IP address including classful types A B or C unit Unit identifier Range Always 1 port list Physical port number or list of port numbers Separate nonconsecutive port numbers with a comma and no spaces or use a hyphen to designate a range of port numbers Range 1 52 Default Setting No configured entries Command Mode Global Configuration Command Usage If the b...

Page 291: ...g binding then the new entry will replace the old one and the entry type will be changed to static IP source guard binding A valid static IP source guard entry will be added to the binding table in MAC mode if one of the following conditions are true If there is no binding entry with the same IP address and MAC address a new entry will be added to the binding table using the type of static IP sour...

Page 292: ...selected port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC address Use the no ip source guard command to disable this function on the selected port When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses co...

Page 293: ... learned via DHCP snooping or manually configured are not yet configured the switch will drop all IP traffic on that port except for DHCP packets allowed by DHCP snooping Only unicast addresses are accepted for static bindings Example This example enables IP source guard on port 5 Console config interface ethernet 1 5 Console config if ip source guard sip Console config if Related Commands ip sour...

Page 294: ...be created but will not be active The maximum binding for MAC mode restricts the number of MAC addresses learned per port Authenticated IP traffic with different source MAC addresses cannot be learned if it would exceed this maximum number Example This example sets the maximum number of allowed entries in the binding table for port 5 to one entry The mode is not specified and therefore defaults to...

Page 295: ...5 Console config if ip source guard mode mac Console config if clear ip source guard binding blocked This command clears source guard binding table entries from RAM Syntax clear ip source guard binding blocked Command Mode Privileged Exec Command Usage When IP Source Guard detects an invalid packet it creates a blocked record These records can be viewed using the show ip source guard binding block...

Page 296: ...ax show ip source guard binding dhcp snooping static acl mac blocked vlan vlan id interface interface dhcp snooping Shows dynamic entries configured with DHCP Snooping commands see page 273 static Shows static entries configured with the ip source guard binding command acl Shows static entries in the ACL binding table mac Shows static entries in the MAC address binding table blocked Shows MAC addr...

Page 297: ...globally on the switch GC ip arp inspection filter Specifies an ARP ACL to apply to one or more VLANs GC ip arp inspection log buffer logs Sets the maximum number of entries saved in a log message and the rate at these messages are sent GC ip arp inspection validate Specifies additional validation of address components in an ARP packet GC ip arp inspection vlan Enables ARP Inspection for a specifi...

Page 298: ...s are redirected to the CPU and their switching is handled by the ARP Inspection engine When ARP Inspection is disabled globally it becomes inactive for all VLANs including those where ARP Inspection is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then re enab...

Page 299: ...L address bindings in the DHCP snooping database is not checked Default Setting ARP ACLs are not bound to any VLAN Static mode is not enabled Command Mode Global Configuration Command Usage ARP ACLs are configured with the commands described on page 10 336 If static mode is enabled the switch compares ARP packets to the specified ARP ACLs Packets matching an IP to MAC address binding in a permit o...

Page 300: ... By default logging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the same VLAN then the ...

Page 301: ...ses are checked in all ARP requests and responses while target IP addresses are checked only in ARP responses allow zeros Allows sender IP address to be 0 0 0 0 src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as inva...

Page 302: ...s enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs ...

Page 303: ...fig if ip arp inspection limit rate 150 Console config if ip arp inspection trust This command sets a port as trusted and thus exempted from ARP Inspection Use the no form to restore the default setting Syntax no ip arp inspection trust Default Setting Untrusted Command Mode Interface Configuration Port Static Aggregation Command Usage Packets arriving on untrusted ports are subject to any configu...

Page 304: ... Interval 1 s Log Message Number 5 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspection interface This command shows the trust status and ARP Inspection rate limit for ports Syntax show ip arp inspection interface interface interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 Command Mode Privileg...

Page 305: ...istics ARP packets received 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP address 0 ARP packets dropped by ARP ACLs 0 ARP packets dropped by DHCP snooping 0 Console sho...

Page 306: ... intended users and the target so that they can no longer communicate adequately This section describes commands used to protect against DoS attacks Table 59 DoS Protection Commands Command Function Mode dos protection echo chargen Protects against DoS echo chargen attacks GC dos protection smurf Protects against DoS smurf attacks GC dos protection tcp flooding Protects against DoS TCP flooding at...

Page 307: ... Maximum allowed rate Range 64 2000 kbits second Default Setting Disabled 1000 kbits second Command Mode Global Configuration Example Console config dos protection echo chargen bit rate in kilo 65 Console config dos protection smurf This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP ad...

Page 308: ...mum allowed rate Range 64 2000 kbits second Default Setting Disabled 1000 kbits second Command Mode Global Configuration Example Console config dos protection tcp flooding bit rate in kilo 65 Console config dos protection tcp null scan This command protects against DoS TCP null scan attacks in which a TCP NULL scan message is used to identify listening TCP ports The scan uses a series of strangely...

Page 309: ...n fin scan Default Setting Disabled Command Mode Global Configuration Example Console config dos protection syn fin scan Console config dos protection tcp xmas scan This command protects against DoS TCP xmas scan in which a so called TCP XMAS scan message is used to identify listening TCP ports This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the...

Page 310: ...ion Example Console config dos protection udp flooding bit rate in kilo 65 Console config dos protection win nuke This command protects against DoS WinNuke attacks in which affected the Microsoft Windows 3 1x 95 NT operating systems In this type of attack the perpetrator sends the string of OOB out of band OOB packets contained a TCP URG flag to the target computer on TCP port 139 NetBIOS casing i...

Page 311: ...for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider port based traffic segmentation can be used to isolate traffic for individual clients Traffic belonging to each client is isolated to the allocated downlink ports But the switch can be configured to either isolate traffic passing across a client s allocated uplink po...

Page 312: ...n traffic segmentation is enabled the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below traffic segmentation uplink to uplink Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions GC show traffic segmentation Displays the configured traffic segments PE Table 60 Commands for Configuring Traf...

Page 313: ...nables traffic segmentation globally on the switch Console config traffic segmentation Console config traffic segmentation session This command creates a traffic segmentation client session Use the no form to remove a client session Syntax no traffic segmentation session session id session id Traffic segmentation session Range 1 4 Default Setting None Command Mode Global Configuration Command Usag...

Page 314: ... 52 port channel channel id Range 1 26 Default Setting Session 1 if not defined No segmented port groups are defined Command Mode Global Configuration Command Usage A port cannot be configured in both an uplink and downlink list A port can only be assigned to one traffic segmentation session When specifying an uplink or downlink a list of ports may be entered by using a hyphen or comma in the port...

Page 315: ... no traffic segmentation uplink to uplink blocking forwarding blocking Blocks traffic between uplink ports assigned to different sessions forwarding Forwards traffic between uplink ports assigned to different sessions Default Setting Blocking Command Mode Global Configuration Example This example enables forwarding of traffic between uplink ports assigned to different client sessions Console confi...

Page 316: ...Chapter 9 General Security Measures Port based Traffic Segmentation 316 Uplink to Uplink Mode Forwarding Session Uplink Ports Downlink Ports 1 Ethernet 1 1 Ethernet 1 2 Ethernet 1 3 Ethernet 1 4 Console ...

Page 317: ...s Control List Commands Command Group Function IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses DSCP traffic class or next header type MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type ARP ACLs Configures ACLs based on ARP messages addresses ACL Information D...

Page 318: ... length 32 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 1K rules Example Consol...

Page 319: ...ing None Command Mode Standard IPv4 ACL Command Usage New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each I...

Page 320: ...port port bitmask permit deny tcp any source address bitmask host source any destination address bitmask host destination dscp dscp precedence precedence source port sport bitmask destination port dport port bitmask control flag control flags flag bitmask time range time range name no permit deny tcp any source address bitmask host source any destination address bitmask host destination dscp dscp ...

Page 321: ...s bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned The control code bitmask is a decimal number representing an equivalent bit mask that is applied to the control code Enter a decimal number where the equivalent binary bit 1 means to match a bit and 0 means to ignore a bit The following ...

Page 322: ... 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any control flag 2 2 Console config ext acl Related Commands access list ip 318 Time Range 145 ip access group This command binds an IPv4 ACL to a port Use the no form to remove...

Page 323: ...elated Commands show ip access list 323 Time Range 145 show ip access group This command shows the ports assigned to IP ACLs Command Mode Privileged Exec Example Console show ip access group Interface ethernet 1 2 IP access list david in Console show ip access list This command displays the rules for configured IPv4 ACLs Syntax show ip access list standard extended acl name standard Specifies a st...

Page 324: ...d extended acl name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the destination IP address and other more specific criteria acl name Name of the ACL Maximum length 32 characters Table 64 IPv6 ACL Commands Command Function Mode access list ipv6 Creates an IPv6 ACL and enters configuration mode for standard or ...

Page 325: ...v6 ACL This command adds a rule to a Standard IPv6 ACL The rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule Syntax permit deny any host source ipv6 address source ipv6 address prefix length time range time range name no permit deny any host source ipv6 address source ipv6 address prefix length any Any source IP address host Keyword follo...

Page 326: ...y Extended IPv6 ACL This command adds a rule to an Extended IPv6 ACL The rule sets a filter condition for packets with specific source or destination IP addresses or next header type Use the no form to remove a rule Syntax permit deny any host source ipv6 address source ipv6 address prefix length any destination ipv6 address prefix length dscp dscp next header next header source port sport bitmask...

Page 327: ...ork portion of the address Range 0 128 for source prefix 0 128 for destination prefix dscp DSCP traffic class Range 0 63 next header Identifies the type of header immediately following the IPv6 header Range 0 255 sport Protocol source port number Range 0 65535 dport Protocol destination port number Range 0 65535 port bitmask Decimal number representing the port bits to match Range 0 65535 time ran...

Page 328: ... ipv6 acl Here is a more detailed example for setting the CPU rate limit for SNMP packets Set ACL Console config access list ip extended snmp acl Console config ext acl permit any any destination port 161 Console config ext acl permit any any destination port 162 Console config ext acl exit Set class map Console config class map snmp class Console config cmap match access list snmp acl Console con...

Page 329: ...ters in Indicates that this list applies to ingress packets time range name Name of the time range Range 1 32 characters counter Enables counter for ACL statistics Default Setting None Command Mode Interface Configuration Ethernet Command Usage If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Console config int...

Page 330: ...s command displays the rules for configured IPv6 ACLs Syntax show ipv6 access list standard extended acl name standard Specifies a standard IPv6 ACL extended Specifies an extended IPv6 ACL acl name Name of the ACL Maximum length 32 characters Command Mode Privileged Exec Example Console show ipv6 access list standard IPv6 standard access list david permit host 2009 DB9 2229 79 permit 2009 DB9 2229...

Page 331: ...yntax no access list mac acl name acl name Name of the ACL Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no deny command followed by the exact text of a previousl...

Page 332: ...pe ethertype ethertype bitmask time range time range name no permit deny any host source source address bitmask any host destination destination address bitmask cos cos cos bitmask vid vid vid bitmask ethertype ethertype ethertype bitmask Note The default is for Ethernet II packets permit deny tagged eth2 any host source source address bitmask any host destination destination address bitmask cos c...

Page 333: ...hernet II packets untagged eth2 Untagged Ethernet II packets tagged 802 3 Tagged Ethernet 802 3 packets untagged 802 3 Untagged Ethernet 802 3 packets any Any MAC IPv4 or IPv6 source or destination address host A specific MAC IPv4 or IPv6 address source Source MAC IPv4 or IPv6 address destination Destination MAC IPv4 or IPv6 address address bitmask Bitmask for MAC address in hexadecimal format net...

Page 334: ...me packet and these rules specify a permit entry and deny entry the deny action takes precedence Example This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Console config mac acl permit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl Related Commands access list mac 331 Time Range 145 mac access group ...

Page 335: ...xample Console config interface ethernet 1 2 Console config if mac access group jerry in Console config if Related Commands show mac access list 335 Time Range 145 show mac access group This command shows the ports assigned to MAC ACLs Command Mode Privileged Exec Example Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console Related Commands mac access group 334 show m...

Page 336: ...and then bind the access list to one or more VLANs using the ip arp inspection vlan command access list arp This command adds an ARP access list and enters ARP ACL configuration mode Use the no form to remove the specified ACL Syntax no access list arp acl name acl name Name of the ACL Maximum length 32 characters Default Setting None Command Mode Global Configuration Table 66 ARP ACL Commands Com...

Page 337: ...m to remove a rule Syntax no permit deny ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac destination mac mac address bitmask log This form indicates either request or response packets no permit deny request ip any host source ip source ip ip address bitmask a...

Page 338: ...e This rule permits packets from any source IP and MAC address to the destination subnet address 192 168 0 0 Console config arp acl permit response ip any 192 168 0 0 255 255 0 0 mac any any Console config mac acl Related Commands access list arp 336 show access list arp This command displays the rules for configured ARP ACLs Syntax show access list arp acl name acl name Name of the ACL Maximum le...

Page 339: ...interface interface name acl name in Clears counter for ingress rules interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 acl name Name of the ACL Maximum length 32 characters Command Mode Privileged Exec Example Console clear access list hardware counters Console Table 67 ACL Information Commands Command Function Mode clear access list hardware counters Cl...

Page 340: ...rs Shows statistics for all ACLs ip extended Shows ingress or egress rules for Extended IPv4 ACLs ip standard Shows ingress or egress rules for Standard IPv4 ACLs ipv6 extended Shows ingress or egress rules for Extended IPv6 ACLs ipv6 standard Shows ingress or egress rules for Standard IPv6 ACLs mac Shows ingress or egress rules for MAC ACLs tcam utilization Shows the percentage of user configured...

Page 341: ...y permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 MAC access list jerry permit any host 00 30 29 94 34 de ethertype 800 800 IP extended access list A6 deny tcp any any control flag 2 2 permit any any Console ...

Page 342: ... given interface when autonegotiation is disabled IC clear counters Clears statistics on an interface PE show interfaces brief Displays a summary of key information including operational status native VLAN ID default priority speed duplex mode and port type PE show interfaces counters Displays statistics for the specified interfaces NE PE show interfaces history Displays periodic sampling of stati...

Page 343: ...r threshold temperature Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message IC transceiver threshold tx power Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message IC transceiver threshold voltage Sets thresholds for the transceiver voltage which can be used to trigger ...

Page 344: ...bps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control Default Setting 1000BASE T 10half 10full 100half 100full 1000full 1000BASE SX LX LHX ZX SFP 1000full Command Mode Interface Configuration Ethernet Port Channel Command Usage The 1000BASE T standard do...

Page 345: ...to remove the description Syntax description string no description string Comment or a description to help you remember what is attached to this interface Range 1 64 characters Default Setting None Command Mode Interface Configuration Ethernet Port Channel Command Usage The description is displayed by the show interfaces status command and in the running configuration file An example of the value ...

Page 346: ...essure is used for half duplex operation and IEEE 802 3 2002 formally IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities comman...

Page 347: ...fault Setting 15min 15 minute interval 96 buckets 1day 1 day interval 7 buckets Command Mode Interface Configuration Ethernet Port Channel Example This example sets a interval of 15 minutes for sampling standard statistical values on port 1 Console config interface ethernet 1 1 Console config if history 15min 15 10 Console config if media type This command forces the transceiver mode to use for SF...

Page 348: ...n Ethernet Port Channel Command Usage 1000BASE T does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk When auto negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex...

Page 349: ... resolved You may also want to disable a port for security reasons Example The following example disables port 5 Console config interface ethernet 1 5 Console config if shutdown Console config if speed duplex This command configures the speed and duplex mode of a given interface when auto negotiation is disabled Use the no form to restore the default Syntax speed duplex 100full 100half 10full 10ha...

Page 350: ...egotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To set the speed duplex mode under auto negotiation the required mode must be specified in the capabilities list for an interface Example The following example configures port 5 to 100 Mbps half duplex operation Console config interf...

Page 351: ...d Mode Privileged Exec Command Usage If an SFP transceiver is inserted in a port the Type field will show the SFP type as interpreted from Ethernet Compliance Codes Data Byte 6 in Address A0h The Ethernet Compliance Code is a bitmap value of which one bit is supposedly turned on However if the read out is not recognizable e g 2 or more bits on or all 0s the Type field just displays the raw data he...

Page 352: ...show interfaces counters ethernet 1 1 Ethernet 1 1 IF table Stats 2166458 Octets Input 14734059 Octets Output 14707 Unicast Input 19806 Unicast Output 0 Discard Input 0 Discard Output 0 Error Input Extended Iftable Stats 23 Multi cast Input 5525 Multi cast Output 170 Broadcast Input 11 Broadcast Output Ether like Stats 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 Deferred T...

Page 353: ...s including those that were discarded or not sent Discard Input The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for discarding such a packet could be to free up buffer space Discard Output The number of outbound packets which were chosen to be discarded even tho...

Page 354: ...rames received on a particular interface that exceed the maximum permitted frame size Symbol Errors For an interface operating at 100 Mb s the number of times there was an invalid data symbol when a valid carrier was present For an interface operating in half duplex mode at 1000 Mb s the number of times the receiving media is non idle a carrier event for a period of time equal to or greater than s...

Page 355: ...rror CRC Align Errors Collisions The best estimate of the total number of collisions on this Ethernet segment 64 Octets The total number of packets including bad packets received and transmitted that were less than 64 octets in length excluding framing bits but including FCS octets 65 127 Octets 128 255 Octets 256 511 Octets 512 1023 Octets 1024 1518 Octets The total number of packets including ba...

Page 356: ...faces Command Mode Normal Exec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed Example Console show interfaces history ethernet 1 1 15min Interface Eth 1 1 Name 15min Interval 900 second s Buckets Requested 96 Buckets Granted 1 Status Active Current Entries Start Time Octets Input Unicast Multicast Broadcast 00d 00 15 04 0 00 72675 524 35 41 Di...

Page 357: ...interfaces Command Mode Normal Exec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed Example Console show interfaces status ethernet 1 1 Information of Eth 1 1 Basic Information Port Type 1000BASE T MAC Address 00 E0 0C 00 00 FE Configuration Name Port Admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast Storm...

Page 358: ...l id Range 1 24 Default Setting Shows all interfaces Command Mode Normal Exec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed Example This example shows the configuration setting for port 1 Console show interfaces switchport ethernet 1 1 Information of Eth 1 1 Broadcast Threshold Enabled 500 packets second Multicast Threshold Disabled Unknown U...

Page 359: ... it also shows the threshold level page 397 LACP Status Shows if Link Aggregation Control Protocol has been enabled or disabled page 375 Ingress Egress Rate Limit Shows if rate limiting is enabled and the current rate limit page 1023 VLANMembership Mode Indicates membership mode as Trunk or Hybrid page 447 Ingress Rule Shows if ingress filtering is enabled or disabled page 446 Acceptable Frame Typ...

Page 360: ...e config if transceiver threshold auto Console transceiver threshold current This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message Syntax transceiver threshold current high alarm high warning low alarm low warning threshold value high alarm Sets the high current threshold for an alarm message high warning Sets the high current threshold for a...

Page 361: ...en above the low threshold and reaches the high threshold Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold Trap messages enabled by the transceiver monitor command are sent to any management station configured by the ...

Page 362: ...n configuring transceiver thresholds Trap messages enabled by the transceiver monitor command are sent to any management station configured by the snmp server host command Example The following example sets alarm thresholds for the signal power received at port 1 Console config interface ethernet 1 1 Console config if transceiver threshold rx power low alarm 21 Console config if transceiver thresh...

Page 363: ...ment station configured by the snmp server host command Example The following example sets alarm thresholds for the transceiver temperature at port 1 Console config interface ethernet 1 1 Console config if transceiver threshold temperature low alarm 97 Console config if transceiver threshold temperature high alarm 83 Console transceiver threshold tx power This command sets thresholds for the trans...

Page 364: ...ement station configured by the snmp server host command Example The following example sets alarm thresholds for the signal power transmitted at port 1 Console config interface ethernet 1 1 Console config if transceiver threshold tx power low alarm 8 Console config if transceiver threshold tx power high alarm 3 Console transceiver threshold voltage This command sets thresholds for the transceiver ...

Page 365: ... the snmp server host command Example The following example sets alarm thresholds for the transceiver voltage at port 1 Console config interface ethernet 1 1 Console config if transceiver threshold voltage low alarm 4 Console config if transceiver threshold voltage high alarm 2 Console show interfaces transceiver This command displays identifying information for the specified transceiver including...

Page 366: ...nce Codes 1000BASE ZX Baud Rate 1300 MBd Vendor OUI 00 00 5F Vendor Name SumitomoElectric Vendor PN SCP6G94 FN BWH Vendor Rev Z Vendor SN SE08T712Z00006 Date Code 10 09 14 DDM Info Temperature 35 64 degree C Vcc 3 25 V Bias Current 12 13 mA TX Power 2 36 dBm RX Power 24 20 dBm DDM Thresholds Low Alarm Low Warning High Warning High Alarm Temperature Celsius 45 00 40 00 85 00 90 00 Voltage Volts 2 9...

Page 367: ...d only apply to ports which have a DDM compliant transceiver inserted Example Console show interfaces transceiver threshold ethernet 1 25 Information of Eth 1 25 DDM Thresholds Transceiver monitor Disabled Transceiver threshold auto Enabled Low Alarm Low Warning High Warning High Alarm Temperature Celsius 123 00 0 00 70 00 75 00 Voltage Volts 3 10 3 15 3 45 3 50 Current mA 6 00 7 00 90 00 100 00 T...

Page 368: ...ncluding common cable failures as well as the status and approximate length of each cable pair Ports are linked down while running cable diagnostics To ensure more accurate measurement of the length to a fault first disable power saving mode using the no power save command on the link partner before running cable diagnostics Example Console test cable diagnostics interface ethernet 1 24 Console sh...

Page 369: ...eters Pair B Open length 2 meters Pair C Short length 0 meters Pair D Short length 0 meters Last Update 0n 2011 02 16 02 32 56 Console Power Savings power save This command enables power savings mode on the specified port Use the no form to disable this feature Syntax no power save Default Setting Enabled Command Mode Interface Configuration Ethernet ports 1 22 48 Command Usage IEEE 802 3 defines ...

Page 370: ... up the MAC interface Power saving when there is a link partner Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter When cable length is shorter power consumption can be reduced since signal attenuation is proportional to cable length When power savings mode is enabled the switch analyzes c...

Page 371: ...Chapter 11 Interface Commands 371 Command Mode Privileged Exec Example Console show power save interface ethernet 1 24 Power Saving Status Ethernet 1 24 Enabled Console ...

Page 372: ...to 8 ports Table 71 Link Aggregation Commands Command Function Mode Manual Configuration Commands interface port channel Configures a trunk and enters interface configuration mode for the trunk GC port channel load balance Sets the load distribution method among ports in aggregated links GC channel group Adds a port to a trunk IC Ethernet Dynamic Configuration Commands lacp Configures LACP for the...

Page 373: ...t Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key is set then the port admin key must be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port prio...

Page 374: ...destined for many different hosts Do not use this mode for switch to router trunk links where the destination MAC address is the same for all traffic src dst ip All traffic with the same source and destination IP address is output on the same link in a trunk This mode works best for switch to router trunk links where traffic through the switch is received from and destined for many different hosts...

Page 375: ...o EtherChannel standard Use no channel group to remove a port group from a trunk Use no interface port channel to remove a trunk from the switch Example The following example creates trunk 1 and then adds port 10 Console config interface port channel 1 Console config if exit Console config interface ethernet 1 10 Console config if channel group 1 Console config if Dynamic Configuration Commands la...

Page 376: ...fig if lacp Console config if interface ethernet 1 2 Console config if lacp Console config if interface ethernet 1 3 Console config if lacp Console config if end Console show interfaces status port channel 1 Information of Trunk 1 Basic Information Port Type 1000BASE T MAC Address 12 34 12 34 12 3F Configuration Name Port Admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000fu...

Page 377: ...l key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Once the remote side of a link has been established LACP operational settings are already in use on that s...

Page 378: ...eplace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port If an LAG already exists with the maximum number of allowed port members and LACP is subsequently enabled on another port using a higher priority than an existing member the newly configured port will replace an existing port member ...

Page 379: ...and Mode Interface Configuration Ethernet Command Usage Port must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already...

Page 380: ...when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 If the port channel admin key is set to a non default value the operational key is based upon LACP PDUs received from the...

Page 381: ...ACP group When a dynamic port channel member leaves a port channel the default timeout value will be restored on that port When a dynamic port channel is torn down the configured timeout value will be retained When the dynamic port channel is constructed again that timeout value will be used Example Console config interface port channel 1 Console config if lacp timeout short Console config if Trun...

Page 382: ...ay description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group MarkerResponsePD U Sent Number of valid MarkerResponse PDUs transmitted...

Page 383: ...f the actor s state parameters Expired The actor s receive machine is in the expired state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of admini...

Page 384: ...l Partner Partner Oper Port ID Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operationa...

Page 385: ...385 show port channel load balance This command shows the load distribution method used on aggregated links Command Mode Privileged Exec Example Console show port channel load balance Trunk Load Balance Mode Destination IP address Console ...

Page 386: ...x tx both no port monitor interface interface ethernet unit port source port unit Unit identifier Range Always 1 port Port number Range 1 52 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets vlan id VLAN ID Range 1 4094 Table 76 Port Mirroring Commands Command Function Local Port Mirroring Mirrors data to another port for analysis without af...

Page 387: ...to specify the source of the traffic to mirror Note that the destination port cannot be a trunk or trunk member port When mirroring traffic from a port the mirror port and monitor port speeds should match otherwise traffic may be dropped from the monitor port Spanning Tree BPDU packets are not mirrored to the target port You can create multiple mirror sessions but all sessions must share the same ...

Page 388: ...ing Commands Remote Switched Port Analyzer RSPAN allows you to mirror traffic from remote switches for analysis on a local destination port Configuration Guidelines Take the following steps to configure an RSPAN session 1 Use the rspan source command to specify the interfaces and the traffic type RX TX or both to be monitored Table 78 RSPAN Commands Command Function Mode rspan source Specifies the...

Page 389: ...ror The destination of a local mirror session created with the port monitor command cannot be used as the destination for RSPAN traffic Spanning Tree If the spanning tree is disabled BPDUs will not be flooded onto the RSPAN VLAN MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch Therefore even if spanning tree is enabled after RSPAN has been configured ...

Page 390: ...to indicate a consecutive list of ports or a comma between non consecutive ports ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets Default Setting Both TX and RX traffic is mirrored Command Mode Global Configuration Command Usage One or more source ports can b...

Page 391: ...1 3 Three sessions are allowed including both local and remote mirroring using different VLANs for RSPAN sessions interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 tagged Traffic exiting the destination port carries the RSPAN VLAN tag untagged Traffic exiting the destination port is untagged Default Setting Traffic exiting the destination port is untagged...

Page 392: ...on uplink interface session id A number identifying this RSPAN session Range 1 3 Three sessions are allowed including both local and remote mirroring using different VLANs for RSPAN sessions vlan id ID of configured RSPAN VLAN Range 1 4094 Use the vlan rspan command to reserve a VLAN for RSPAN mirroring before enabling RSPAN with this command source Specifies this device as the source of remotely ...

Page 393: ...ot display any members for an RSPAN VLAN but will only show configured RSPAN VLAN identifiers Example The following example enables RSPAN on VLAN 2 specifies this device as an RSPAN destination switch and the uplink interface as port 3 Console config rspan session 1 remote vlan 2 destination uplink ethernet 1 3 Console config no rspan session Use this command to delete a configured RSPAN session S...

Page 394: ...sion Range 1 Three sessions are allowed including both local and remote mirroring using different VLANs for RSPAN sessions Command Mode Privileged Exec Example Console show rspan session RSPAN Session ID 1 Source Ports mirrored ports None RX Only None TX Only None BOTH None Destination Port monitor port Eth 1 2 Destination Tagged Mode Untagged Switch Role Destination RSPAN VLAN 2 RSPAN Uplink Port...

Page 395: ...eptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped rate limit This command defines the rate limit for a specific interface Use this command without specifying a rate to enable rate limiting Use the ...

Page 396: ...Related Command show interfaces switchport 358 Storm Control Commands Storm control commands can be used to configure broadcast multicast and unknown unicast storm control thresholds Traffic storms may occur when a device on your network is malfunctioning or if application programs are not well designed or properly configured If there is too much traffic on your network performance can be severely...

Page 397: ... e Range 1 262142 pps Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back down beneath the threshold Using both rate limiting and storm control on the same interface may lead to unexpe...

Page 398: ... interface or when a interface is released from a shutdown state caused by a loopback event a trap message is sent and the event recorded in the system log Loopback detection must be enabled both globally and on an interface for loopback detection to take effect Table 82 Loopback Detection Commands Command Function Mode loopback detection Enables loopback detection globally on the switch or on a s...

Page 399: ...general loopback detection on the switch disables loopback detection provided for the spanning tree protocol on port 1 and then enables general loopback detection for that port Console config loopback detection Console config interface ethernet 1 1 Console config if no spanning tree loopback detection Console config if loopback detection Console config loopback detection action This command specif...

Page 400: ... config loopback detection action shutdown Console config loopback detection recover time This command specifies the interval to wait before the switch automatically releases an interface from shutdown state Use the no form to restore the default setting Syntax loopback detection recover time seconds no loopback detection recover time seconds Recovery time from shutdown state Range 60 1 000 000 se...

Page 401: ...onfiguration Example Console config loopback detection transmit interval 60 Console config loopback detection trap This command sends a trap when a loopback condition is detected or when the switch recovers from a loopback condition Use the no form to restore the default state Syntax loopback detection trap both detect none recover no loopback detection trap both Sends an SNMP trap message when a ...

Page 402: ...back detection feature Syntax loopback detection release Command Mode Privileged Exec Example Console loopback detection release Console config show loopback detection This command shows loopback detection configuration settings for the switch or for a specified interface Syntax show loopback detection interface interface ethernet unit port unit Unit identifier Range Always 1 port Port number Rang...

Page 403: ...Detection Port Information Port Admin State Oper State Eth 1 1 Enabled Normal Eth 1 2 Disabled Disabled Eth 1 3 Disabled Disabled Console show loopback detection ethernet 1 1 Loopback Detection Information of Eth 1 1 Admin State Enabled Oper State Normal Looped VLAN None Console ...

Page 404: ...warding information Table 83 Address Table Commands Command Function Mode mac address table aging time Sets the aging time of the address table GC mac address table static Maps a static address to a port in a VLAN GC clear collision mac address table Removes all entries from the collision MAC address table PE clear mac address table dynamic Removes any learned entries from the forwarding database ...

Page 405: ...l the switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Stati...

Page 406: ...nsole clear mac address table dynamic This command removes any learned entries from the forwarding database Default Setting None Command Mode Privileged Exec Command Usage Even if a hash collision for a MAC address is resolved entries in collision MAC address table are not removed until this command is issued to reset the table or the system is reset Example Console clear mac address table dynamic...

Page 407: ...52 port channel channel id Range 1 24 vlan id VLAN ID Range 1 4094 sort Sort by address vlan or interface Default Setting None Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learn Dynamic address entries Config Static entry Security Port Security The mask should be h...

Page 408: ...time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console show mac address table aging time Aging Status Enabled Aging Time 300 sec Console show mac address table count This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface Syntax show mac address table count interface in...

Page 409: ...Address Count 0 Console show mac address table count Compute the number of MAC Address Maximum number of MAC Address which can be created in the system Total Number of MAC Address 16384 Number of Static MAC Address 1024 Current number of entries which have been created in the system Total Number of MAC Address 3 Number of Static MAC Address 1 Number of Dynamic MAC Address 2 Console ...

Page 410: ...iority Configures the spanning tree bridge priority GC spanning tree system bpdu flooding Floods BPDUs to all other ports or just to all other ports in the same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST mst prior...

Page 411: ...rity of an instance in the MST IC spanning tree port bpdu flooding Floods BPDUs to other ports when global spanning tree is disabled IC spanning tree port priority Configures the spanning tree priority of an interface IC spanning tree root guard Prevents a designated port from passing superior BPDUs IC spanning tree spanning disabled Disables spanning tree for an interface IC spanning tree tc prop...

Page 412: ...nable the Spanning Tree Algorithm for the switch Console config spanning tree Console config spanning tree cisco prestandard This command configures spanning tree operation to be compatible with Cisco prestandard versions Use the no form to restore the default setting no spanning tree cisco prestandard Default Setting Disabled Command Mode Global Configuration Command Usage Cisco prestandard versi...

Page 413: ...ing to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops might result Example Console config spanning tree forward time 20 Console config spanning tree hello ti...

Page 414: ...gher of 6 or 2 x hello time 1 The maximum value is the lower of 40 or 2 x forward time 1 Default Setting 20 seconds Command Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconverge All device ports except for designated ports should receive configuration messages at regular inte...

Page 415: ...operating multiple VLANs we recommend selecting the MSTP option Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BPDU after a port s migration delay timer expires the switch assume...

Page 416: ...t the switch s MAC address Command Mode Global Configuration Example Console config spanning tree mst configuration Console config mstp Related Commands mst vlan 421 mst priority 420 name 422 revision 422 max hops 420 spanning tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default Syntax spann...

Page 417: ...ong Console config spanning tree priority This command configures the spanning tree priority globally for this switch Use the no form to restore the default Syntax spanning tree priority priority no spanning tree priority priority Priority of the bridge Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 Default Setting 3...

Page 418: ...ll other ports in the same VLAN Command Mode Global Configuration Command Usage The spanning tree system bpdu flooding command has no effect if BPDU flooding is disabled on a port see the spanning tree port bpdu flooding command Example Console config spanning tree system bpdu flooding Console config spanning tree tc prop This command configures a topology change propagation domain Use the no form...

Page 419: ... topology change Example Console config spanning tree tc prop group 1 ethernet 1 1 5 Console config spanning tree transmission limit This command configures the minimum interval between the transmission of consecutive RSTP MSTP BPDUs Use the no form to restore the default Syntax spanning tree transmission limit count no spanning tree transmission limit count The transmission limit in seconds Range...

Page 420: ...connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the hop count by one before passing on the BPDU When the hop count reaches zero the message is dropped Example Console config mstp max hops 30 Console config mstp mst priority This command configures the priority of a spanning tree instance Use the no form to restore ...

Page 421: ...tance id vlan vlan range instance id Instance identifier of the spanning tree Range 0 4094 vlan range Range of VLANs Range 1 4094 Default Setting none Command Mode MST Configuration Command Usage Use this command to group VLANs into spanning tree instances MSTP generates a unique spanning tree for each instance This provides multiple pathways across the network thereby balancing the traffic load p...

Page 422: ...ting Switch s MAC address Command Mode MST Configuration Command Usage The MST region name and revision number page 422 are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Console config mstp name R D Console config mstp R...

Page 423: ...tax no spanning tree bpdu filter Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command stops all Bridge Protocol Data Units BPDUs from being transmitted on configured edge ports to save CPU processing time This function is designed to work in conjunction with edge ports which should only connect end stations to the switch and therefore do no...

Page 424: ...terface Range 30 86400 seconds Default Setting BPDU Guard Disabled Auto Recovery Disabled Auto Recovery Interval 300 seconds Command Mode Interface Configuration Ethernet Port Channel Command Usage An edge port should only be connected to end nodes which do not generate BPDUs If a BPDU is received on an edge port this indicates an invalid network configuration or that the switch may be under attac...

Page 425: ... is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 Command Mode Interface Configuration Ethernet Port Channel Table 85 Recommended STA Path Cost Range Port Type Short Path Cost IEEE 802 1D 1998 Long Path Cost IEEE 802 1D 2004 Ethernet 50 600 200 000 20 000 000 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10 2 000 200...

Page 426: ...dge port auto Automatically determines if an interface is an edge port Default Setting Auto Command Mode Interface Configuration Ethernet Port Channel Command Usage You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding ...

Page 427: ...o Automatically derived from the duplex mode setting point to point Point to point link shared Shared medium Default Setting auto Command Mode Interface Configuration Ethernet Port Channel Command Usage Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection is selected ...

Page 428: ...Spanning Tree is disabled on the switch Example Console config interface ethernet 1 5 Console config if spanning tree loopback detection spanning tree loopback detection action This command configures the response for loopback detection to shut down the interface Use the no form to restore the default Syntax spanning tree loopback detection action block shutdown duration no spanning tree loopback ...

Page 429: ...spanning tree loopback detection release mode auto Allows a port to automatically be released from the discarding state when the loopback state ends manual The port can only be released from the discarding state manually Default Setting auto Command Mode Interface Configuration Ethernet Port Channel Command Usage If the port is configured for automatic loopback release then the port will only be r...

Page 430: ...fault Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console config interface ethernet 1 5 Console config if spanning tree loopback detection trap spanning tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree Use the no form to restore the default auto configuration mode Syntax spanning tree mst instance id co...

Page 431: ...ine the best path between devices Therefore lower values should be assigned to interfaces attached to faster media and higher values assigned to interfaces with slower media Use the no spanning tree mst cost command to specify auto configuration mode Path cost takes precedence over interface priority Example Console config interface Ethernet 1 5 Console config if spanning tree mst 1 cost 50 Consol...

Page 432: ...Related Commands spanning tree mst cost 430 spanning tree port bpdu flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port Use the no form to restore the default setting Syntax no spanning tree port bpdu flooding Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage When enabled BPDUs are f...

Page 433: ... lowest value will be configured as an active link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled The criteria used for determining the port role is based on root bridge ID root path cost designated bridge designated port port priority and port number in that order and as applicable to the role under question E...

Page 434: ... and forming a new spanning tree topology It could also be used to form a border around part of the network where the root bridge is allowed When spanning tree is initialized globally on the switch or on an interface the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard Example Console config interface ethernet 1 5 Console config if spanning ...

Page 435: ...et Port Channel Command Usage When this command is enabled on an interface topology change information originating from the interface will still be propagated This command should not be used on an interface which is purposely configured in a ring topology Example Console config interface ethernet 1 1 Console config if spanning tree tc prop stop Console config if spanning tree loopback detection re...

Page 436: ...nterface Syntax spanning tree protocol migration interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 port channel channel id Range 1 24 Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatib...

Page 437: ...for interfaces for which STP is enabled Default Setting None Command Mode Privileged Exec Command Usage Use the show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the...

Page 438: ...sabled Eth 1 1 Information Admin Status Enabled Role Disabled State Discarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 100000 Designated Port 128 1 Designated Root 32768 0 0001ECF8D8C6 Designated Bridge 32768 0 123412341234 Forward Transitions 4 Admin Edge Port Disabled Oper Edge Port Disabled ...

Page 439: ...10000 EN DISB BLK No Eth 1 3 128 32768 0000E89382A0 128 3 10000 EN DISB BLK No Eth 1 4 128 32768 0000E89382A0 128 4 10000 EN DISB BLK No Eth 1 5 128 32768 0000E89382A0 128 5 10000 EN DISB BLK No show spanning tree mst configuration This command shows the configuration of the multiple spanning tree Command Mode Privileged Exec Example Console show spanning tree mst configuration Mstp Configuration ...

Page 440: ...Chapter 17 Spanning Tree Commands 440 Example Console show spanning tree tc prop group 1 Group 1 Eth 1 1 Eth 1 2 Eth 1 3 Eth 1 4 Eth 1 5 Console ...

Page 441: ...aying VLAN Information Displays VLAN groups status port members and MAC addresses Configuring IEEE 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling Configuring Protocol based VLANs If a packet matches the rules defined by more than one of these functions only one of them is applied with the precedence being MAC based protocol based and then native port based see the switchport priority ...

Page 442: ...ults of these commands are written to the running configuration file and you can display this file by entering the show running config command Example Console config vlan database Console config vlan Related Commands show vlan 449 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN Syntax vlan vlan id name vlan name media ethernet state active suspe...

Page 443: ... Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration Command Usage no vlan vlan id deletes the VLAN no vlan vlan id name removes the VLAN name no vlan vlan id state returns the VLAN to the default state i e active You can configure up to 4094 VLANs on the switch Example The following example adds a VLAN using VLAN ID 105 and name RD5 The VLAN is activated b...

Page 444: ...and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command Example The following example shows how to set the interface configuration mode to VLAN 1 and then assign an IP address to the VLAN Console config interface vlan 1 Console config if ip address 192 168 1 254 255 255 255 0 Console config if Related Commands shutdown 349 interface 3...

Page 445: ...eived on port 1 to tagged frames Console config interface ethernet 1 1 Console config if switchport acceptable frame types tagged Console config if Related Commands switchport mode 447 switchport allowed vlan This command configures VLAN groups on the selected interface Use the no form to restore the default Syntax switchport allowed vlan vlan list add vlan list tagged untagged remove vlan list no...

Page 446: ... to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection supports VLANs the interface should be added to these VLANs as an untagged member Othe...

Page 447: ...ent BPDU frames such as GMRP Example The following example shows how to set the interface to port 1 and then enable ingress filtering Console config interface ethernet 1 1 Console config if switchport ingress filtering Console config if switchport mode This command configures the VLAN membership mode for a port Use the no form to restore the default Syntax switchport mode access hybrid trunk no sw...

Page 448: ... a port Use the no form to restore the default Syntax switchport native vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4094 Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage When using Access mode and an interface is assigned to a new VLAN its PVID is automatically set to the identifier for that VLAN When using Hybrid...

Page 449: ...Ns Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1 19 S Eth1 ...

Page 450: ... Configure the QinQ tunnel access port to dot1Q tunnel access mode switchport dot1q tunnel mode 4 Set the Tag Protocol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 See switchport dot1q tunnel tpid Table 91 802 1Q Tunneling Commands Command ...

Page 451: ...rvice VLANs can be set on both tunnel port types IGMP Snooping should not be enabled on a tunnel access port If the spanning tree protocol is enabled be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree It is therefore advisable to disable spanning tree on these ports dot1q tunnel system tun...

Page 452: ...ing the dot1q tunnel system tunnel control command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are one or more tag layers is retained in the inner tag and the service provider s tag added to the outer tag When a tunnel uplink port receives a packet from the service...

Page 453: ...rnet 1 1 Console config if switchport dot1q tunnel priority map Console config if switchport dot1q tunnel service match cvid This command creates a CVLAN to SPVLAN mapping entry Use the no form to delete a VLAN mapping entry Syntax switchport dot1q tunnel service svid match cvid cvid svid VLAN ID for the outer VLAN tag Service Provider VID Range 1 4094 cvid VLAN ID for the inner VLAN tag Customer ...

Page 454: ...q tunnel mode uplink command to set an interface to access or uplink mode Example This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet s CVID is 2 Console config interface ethernet 1 1 Console config if switchport dot1q tunnel service 99 match cvid 2 Console config if The following example maps C VLAN 10 to S VLAN 100 C VLAN 20 to S VLAN 200 and C VLA...

Page 455: ...with VID 10 20 or 30 on port 1 Console config interface ethernet 1 1 Console config if switchport allowed vlan add 10 20 30 7 Verify configuration settings Console show dot1q tunnel service 802 1Q Tunnel Service Subscriptions Port Match C VID S VID Eth 1 1 10 100 Eth 1 1 20 200 Eth 1 1 30 300 Step 2 Configure Switch C 1 Create VLAN 100 200 and 300 Console config vlan database Console config vlan v...

Page 456: ...ng any other ethertype are looked upon as untagged frames and assigned to the native VLAN of that port The specified ethertype only applies to ports configured in Uplink mode using the switchport dot1q tunnel mode command If the port is in normal mode i e unspecified the TPID is always 8100 If the port is in Access mode received packets are processes as untagged packets Example Console config inte...

Page 457: ...l Service Subscriptions Port Match C VID S VID Eth 1 5 1 100 Eth 1 6 1 100 Console Related Commands switchport dot1q tunnel mode 452 Configuring Protocol based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN This may require non standard devices to pass traffic between different VLANs in order to encompass all the devices participating i...

Page 458: ...ax protocol vlan protocol group group id add remove frame type frame protocol type protocol no protocol vlan protocol group group id group id Group identifier of this protocol group Range 1 2147483647 frame Frame type used by this protocol Options ethernet rfc_1042 llc_other protocol Protocol type The only option for the llc_other frame type is ipx_raw The options for all other frames types includ...

Page 459: ... vlan group id Group identifier of this protocol group Range 1 2147483647 vlan id VLAN to which matching protocol traffic is forwarded Range 1 4094 priority The priority assigned to untagged ingress traffic Range 0 7 where 7 is the highest priority Default Setting No protocol groups are mapped for any interface Priority 0 Command Mode Interface Configuration Ethernet Port Channel Command Usage Whe...

Page 460: ... the protocol type specified in protocol group 1 to VLAN 2 Console config interface ethernet 1 1 Console config if protocol vlan protocol group 1 vlan 2 priority 0 Console config if show protocol vlan protocol group This command shows the frame and protocol type associated with protocol groups Syntax show protocol vlan protocol group group id group id Group identifier for a protocol group Range 1 ...

Page 461: ...fications for protocol group 1 will be mapped to VLAN 2 Console show interfaces protocol vlan protocol group Port Protocol Group ID VLAN ID Priority Eth 1 1 1 vlan2 0 Console Configuring MAC Based VLANs When using IEEE 802 1Q port based VLAN classification all untagged frames received by a port are classified as belonging to the VLAN whose VID PVID is associated with that port When MAC based VLAN ...

Page 462: ...re vlan id VLAN to which the matching source MAC address traffic is forwarded Range 1 4094 priority The priority assigned to untagged ingress traffic Range 0 7 where 7 is the highest priority Default Setting None Command Mode Global Configuration Command Usage The MAC to VLAN mapping applies to all ports on the switch Source MAC addresses can be mapped to only one VLAN ID Configured MAC addresses ...

Page 463: ...an This command displays MAC address to VLAN assignments Command Mode Privileged Exec Command Usage Use this command to display MAC address to VLAN mappings Example The following example displays all configured MAC address based VLANs Console show mac vlan MAC Address VLAN ID Priority 00 00 00 11 22 33 10 0 Console Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the netwo...

Page 464: ... ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member of the Voice VLAN Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN Table 94 Voice VLAN Commands Com...

Page 465: ...ed from the Voice VLAN when VoIP traffic is no longer received on the port The VoIP aging time starts to count down when the OUI s MAC address expires from the MAC address table Therefore the MAC address aging time should be added to the overall aging time For example if you configure the MAC address table aging time to 30 seconds and voice VLAN aging time to 5 minutes then after 5 5 minutes a por...

Page 466: ...resses Range 80 00 00 00 00 00 to FF FF FF FF FF FF description User defined text that identifies the VoIP devices Range 1 32 characters Default Setting None Command Mode Global Configuration Command Usage VoIP devices attached to the switch can be identified by the manufacturer s Organizational Unique Identifier OUI in the source MAC address of received packets OUI numbers are assigned to manufac...

Page 467: ...d on the port Default Setting Disabled Command Mode Interface Configuration Command Usage When auto is selected you must select the method to use for detecting VoIP traffic either OUI or 802 1AB LLDP using the switchport voice vlan rule command When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac address command All ports are set to VL...

Page 468: ...s active for the port Example The following example sets the CoS priority to 5 on port 1 Console config interface ethernet 1 1 Console config if switchport voice vlan priority 5 Console config if switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port Use the no form to disable the detection method on the port Syntax no switchport voice vlan rule oui lldp oui ...

Page 469: ...tering on a port Syntax no switchport voice vlan security Default Setting Disabled Command Mode Interface Configuration Command Usage Security filtering discards any non VoIP packets received on the port that are tagged with the voice VLAN ID VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list or through LLDP that discovers VoIP devices attached to the switch Pa...

Page 470: ...ow voice vlan status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Remaining Age minutes Eth 1 1 Auto Enabled OUI 6 100 Eth 1 2 Disabled Disabled OUI 6 NA Eth 1 3 Manual Enabled OUI 5 100 Eth 1 4 Auto Disabled OUI 6 Not Start Eth 1 5 Disabled Disabled OUI 6 NA Eth 1 6 Disabled Disabl...

Page 471: ...Layer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Sets the default priority processing method CoS or DSCP maps priority tags for internal processing maps values from internal priority table to CoS values used in tagged egress packets for Layer 2 interfaces maps internal per hop behavior to hardware queues Table 96 Priority Comm...

Page 472: ...rmal or strict type Options 0 indicates a normal queue 1 indicates a strict queue Default Setting WRR Command Mode Interface Configuration Ethernet Port Channel Command Usage The switch can be set to service the port queues based on strict priority WRR or a combination of strict and weighted queueing Strict priority requires all traffic in a higher priority queue to be processed before lower prior...

Page 473: ...Commands queue weight 473 show queue mode 475 queue weight This command assigns weights to the eight class of service CoS priority queues when using weighted queuing or one of the queuing modes that use a combination of strict and weighted queuing Use the no form to restore the default weights Syntax queue weight weight0 weight7 no queue weight weight0 weight7 The ratio of weights for queues 0 7 d...

Page 474: ... Interface Configuration Ethernet Port Channel Command Usage The precedence for priority mapping is IP DSCP and then default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN ta...

Page 475: ...et 1 3 Console config if switchport priority default 5 Console config if Related Commands show interfaces switchport 358 show queue mode This command shows the current queue mode Command Mode Privileged Exec Example Console show queue mode Unit Port queue mode 1 1 Weighted Round Robin show queue weight This command displays the weights used for the weighted queues Command Mode Privileged Exec Exam...

Page 476: ...e frame is in canonical format Range 0 1 Table 97 Priority Commands Layer 3 and 4 Command Function Mode qos map cos queue Maps CoS CFI values in incoming packets to per hop behavior or the queue used for this router hop IC qos map dscp queue Maps DSCP values in incoming packets to per hop behavior or the queue used for this router hop IC qos map trust mode Sets QoS mapping to DSCP or CoS IC show q...

Page 477: ...e keyword from and then up to eight CoS CFI paired values separated by spaces If a packet arrives with a 802 1Q header but it is not an IP packet then the CoS CFI to Queue mapping table is used to generate priority for processing Note that priority tags in the original packet are not modified by this command Example Console config interface ethernet 1 2 Console config if qos map cos dscp 0 0 from ...

Page 478: ...and and the ingress packet type is IPv4 Two QoS domains can have different DSCP definitions so the DSCP to Queue map can be used to modify one set of DSCP values to match the definition of another domain This map should be applied at the receiving port at the boundary of a QoS administrative domain Table 99 Default Mapping of DSCP CFI Values to Queue ingress dscp10 ingress dscp1 0 1 2 3 4 5 6 7 8 ...

Page 479: ... Interface Configuration Ethernet Port Channel Command Usage If the QoS mapping mode is set to DSCP with this command and the ingress packet type is IPv4 then priority processing will be based on the DSCP value in the ingress packet If the QoS mapping mode is set to DSCP and a non IP packet is received the packet s CoS and CFI Canonical Format Indicator values are used for priority processing if t...

Page 480: ...ap Syntax show qos map cos queue interface interface interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 Command Mode Privileged Exec Example Console show qos map cos queue interface ethernet 1 1 CoS Information of Eth 1 1 CoS Queue map CoS CFI 0 1 0 2 2 1 0 0 2 1 1 3 3 3 4 4 4 5 5 5 6 6 6 7 7 7 Console show qos map dscp queue This command shows the ingress...

Page 481: ...ntersecting cell in the table Console show qos map dscp queue interface ethernet 1 1 Information of Eth 1 1 DSCP to queue map d1 d2 0 1 2 3 4 5 6 7 8 9 0 2 2 2 2 2 2 2 2 0 0 1 0 0 0 0 0 0 1 1 1 1 2 1 1 1 1 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 6 6 5 6 6 6 6 6 6 7 7 7 7 6 7 7 7 7 Console show qos map trust mode This command shows the QoS mapping mode Syntax show qos map trust mode int...

Page 482: ...Chapter 19 Class of Service Commands Priority Commands Layer 3 and 4 482 ...

Page 483: ... Specifies the description of a class map CM match Defines the criteria used to classify traffic CM rename Redefines the name of a class map CM policy map Creates a policy map for multiple interfaces GC description Specifies the description of a policy map PM class Defines a traffic classification for the policy to act on PM rename Redefines the name of a policy map PM police rate Defines an enfor...

Page 484: ...a policy map to a specific interface Note Create a Class Map before creating a Policy Map class map This command creates a class map used for matching packets to the specified class and enters Class Map configuration mode Use the no form to delete a class map Syntax no class map class map name class map name Name of the class map Range 1 32 characters Default Setting match any Command Mode Global ...

Page 485: ...p Configuration Example Console config class map rd class 1 Console config cmap description matches packets marked for DSCP service value 3 Console config cmap match This command defines the criteria used to classify traffic Use the no form to delete the matching criteria Syntax no match access list acl name cos cos ip dscp dscp ip precedence ip precedence ipv6 dscp dscp vlan vlan acl name Name of...

Page 486: ...n neither an IP ACL nor IP priority rule can be included in the same class map Up to 16 match entries can be included in a class map Example This example creates a class map called rd class 1 and sets it to match packets marked for DSCP service value 3 Console config class map rd class 1 Console config cmap match ip dscp 3 Console config cmap This example creates a class map call rd class 2 and se...

Page 487: ...cy map Range 1 32 characters Default Setting None Command Mode Global Configuration Command Usage Use the policy map command to specify the name of the policy map and then use the class command to configure policies for traffic that matches the criteria defined in a class map A policy map can contain multiple class statements that can be applied to the same interface with the service policy comman...

Page 488: ...ter Policy Map Class configuration mode And finally use the set command and one of the police commands to specify the match criteria where the set cos command sets the class of service value in matching packets This modifies packet priority in the VLAN tag police commands define parameters such as the maximum throughput burst rate and response to non conforming traffic Up to 16 classes can be incl...

Page 489: ...rst before the bucket overflows and the average rate tokens that are added to the bucket is by specified by the committed rate option Note that the token bucket functions similar to that described in RFC 2697 and RFC 2698 The behavior of the meter is specified in terms of one token bucket C the rate at which the tokens are incremented CIR Committed Information Rate and the maximum size of the toke...

Page 490: ...lue for a matching packet as specified by the match command in the packet s VLAN tag Use the no form to remove this setting Syntax no set cos cos value cos value Class of Service value Range 0 7 Default Setting None Command Mode Policy Map Class Configuration Command Usage The set cos command is used to set the CoS value in the VLAN tag for matching packets Example This example creates a policy ca...

Page 491: ...Channel Command Usage First define a class map then define a policy map and finally use the service policy command to bind the policy map to the required interface Example This example applies a service policy to an ingress interface Console config interface ethernet 1 1 Console config if service policy input rd policy Console config if show class map This command displays the QoS class maps which...

Page 492: ...or egress traffic and may include policers for bandwidth limitations Syntax show policy map policy map name class class map name policy map name Name of the policy map Range 1 32 characters class map name Name of the class map Range 1 32 characters Default Setting Displays all policy maps and all classes Command Mode Privileged Exec Example Console show policy map Policy Map rd policy Description ...

Page 493: ...it identifier Range Always 1 port Port number Range 1 52 Command Mode Privileged Exec Example Console show policy map interface 1 5 input Service policy rd policy Console show policy map interface Interface ethernet 1 2 service policy input policy map Interface ethernet 1 3 service policy input policy map Interface ethernet 1 4 service policy input policy map Interface ethernet 1 5 service policy ...

Page 494: ...ping settings and displays the multicast service and group members Static Multicast Routing Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling MLD Snooping Configures multicast snooping for IPv6 MLD Filtering and Throttling Configures MLD filtering and throttling for IPv6 ...

Page 495: ...emb query count Configures the number of IGMP proxy query messages that are sent out before the system assumes there are no local members GC ip igmp snooping vlan last memb query intvl Configures the last member query interval GC ip igmp snooping vlan mrd Sends multicast router solicitation messages GC ip igmp snooping vlan proxy address Configures a static address for proxy IGMP query and reporti...

Page 496: ...en IGMP snooping is disabled globally snooping can still be configured per VLAN interface but the interface settings will not take effect until snooping is re enabled globally Example The following example enables IGMP snooping globally Console config ip igmp snooping Console config ip igmp snooping priority This command assigns a priority to all multicast traffic Use the no form to restore the de...

Page 497: ...lan vlan id proxy reporting vlan id VLAN ID Range 1 4094 enable Enable on the specified VLAN disable Disable on the specified VLAN Default Setting Global Disabled VLAN Based on global setting Command Mode Global Configuration Command Usage When proxy reporting is enabled with this command the switch performs IGMP Snooping with Proxy Reporting as defined in DSL Forum TR 101 April 2006 including las...

Page 498: ...ards any IGMPv2 v3 packets that do not include the Router Alert option Use the no form to ignore the Router Alert Option when receiving IGMP messages Syntax no ip igmp snooping router alert option check Default Setting Disabled Command Mode Global Configuration Command Usage As described in Section 9 1 of RFC 3376 for IGMP Version 3 the Router Alert Option can be used to protect against DOS attack...

Page 499: ...ire time seconds no ip igmp snooping router port expire time seconds The time the switch waits after the previous querier stops before it considers it to have expired Range 1 65535 Recommended Range 300 500 Default Setting 300 seconds Command Mode Global Configuration Example The following shows how to configure the timeout to 400 seconds Console config ip igmp snooping router port expire time 400...

Page 500: ...nds unsolicited reports for all current learned channels out through the new uplink port By default the switch immediately enters into multicast flooding mode when a spanning tree topology change occurs In this mode multicast traffic will be flooded to all VLAN ports If many ports have subscribed to different multicast groups flooding may cause excessive loading on the link between the switch and ...

Page 501: ...he VLAN where the spanning tree change occurred When an upstream multicast router receives this solicitation it will also immediately issues an IGMP general query The ip igmp snooping tcn query solicit command can be used to send a query solicitation whenever it notices a topology change even if the switch is not the root bridge in the spanning tree Example The following example instructs the swit...

Page 502: ... often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled Use the no form to restore the default value Syntax ip igmp snooping unsolicited report interval seconds no ip igmp snooping unsolicited report interval seconds The interval at which to issue unsolicited reports Range 1 65535 seconds Default Setting 400 seconds Command Mode Global Configuration C...

Page 503: ...and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed If the IGMP snooping version is configured on a VLAN this setting takes precedence over the global configuration Example The following configures the global setting for IGMP snooping to version 1 Console config ip igmp snooping version 1 Console config ip igmp snoop...

Page 504: ...ooping vlan general query suppression This command suppresses general queries except for ports attached to downstream multicast hosts Use the no form to flood general queries to all ports except for the multicast router port Syntax no ip igmp snooping vlan vlan id general query suppression vlan id VLAN ID Range 1 4094 Default Setting Disabled Command Mode Global Configuration Command Usage By defa...

Page 505: ...traffic for that group only if no host replies to the query within the timeout period The timeout for this release is defined by Last Member Query Interval fixed at one second Robustness Variable fixed at 2 as defined in RFC 2236 If immediate leave is used the switch assumes that only one host is connected to the interface Therefore immediate leave should only be enabled on an interface if it is c...

Page 506: ...here are no more group members Range 1 255 Default Setting 2 Command Mode Global Configuration Command Usage This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled page 497 Example Console config ip igmp snooping vlan 1 last memb query count 7 Console config ip igmp snooping vlan last memb query intvl This command configures the last member query interval Us...

Page 507: ...on messages Use the no form to disable these messages Syntax no ip igmp snooping vlan vlan id mrd vlan id VLAN ID Range 1 4094 Default Setting Disabled Command Mode Global Configuration Command Usage Multicast Router Discovery MRD uses multicast router advertisement multicast router solicitation and multicast router termination messages to discover multicast routers Devices send solicitation messa...

Page 508: ...static source address for locally generated query and report messages used by IGMP proxy reporting Use the no form to restore the default source address Syntax no ip igmp snooping vlan vlan id proxy address source address vlan id VLAN ID Range 1 4094 source address The source address used for proxied IGMP query and report and leave messages Any valid IP unicast address Default Setting 0 0 0 0 Comm...

Page 509: ... multicast router port If a proxy query address is not configured the switch will use the VLAN s IP address as the IP source address in general and group specific query messages sent downstream and use the source address of the last IGMP message received from a downstream host in report and leave messages sent upstream from the multicast router port Example The following example sets the source ad...

Page 510: ...gmp snooping vlan query resp intvl This command configures the maximum time the system waits for a response to general queries Use the no form to restore the default Syntax ip igmp snooping vlan vlan id query resp intvl interval no ip igmp snooping vlan vlan id query resp intvl vlan id VLAN ID Range 1 4094 interval The maximum time the system waits for a response to general queries Range 10 31740 ...

Page 511: ...d Usage Static multicast entries are never aged out When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Example The following shows how to statically configure a multicast group on a port Console config ip igmp snooping vlan 1 static 224 0 0 12 ethernet 1 5 Console config clear ip igmp snooping groups dynam...

Page 512: ... id Range 1 24 vlan vlan id VLAN identifier Range 1 4094 Command Mode Privileged Exec Example Console clear ip igmp snooping statistics Console show ip igmp snooping This command shows the IGMP snooping proxy and query configuration settings Syntax show ip igmp snooping vlan vlan id vlan id VLAN ID 1 4094 Command Mode Privileged Exec Command Usage This command displays global and VLAN specific IGM...

Page 513: ... 1 10s Proxy Query Address 0 0 0 0 Proxy Reporting Using global status Disabled Multicast Router Discovery Disabled VLAN Static Group Port 1 224 1 1 1 Eth 1 1 show ip igmp snooping group This command shows known multicast group source and host port mappings for the specified VLAN interface or for all interfaces if none is specified Syntax show ip igmp snooping group host ip addr ip address interfa...

Page 514: ...apsed time d h m s Expire Group remaining time m s VLAN Group Port Up time Expire Count 1 224 1 1 1 00 00 00 37 2 P Eth 1 1 R Eth 1 2 M 0 H Console show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports Syntax show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID Range 1 4094 Default Setting Displays multicast ro...

Page 515: ...AN ID Range 1 4094 query Displays IGMP snooping related statistics Default Setting None Command Mode Privileged Exec Example The following shows IGMP protocol statistics input Console show ip igmp snooping statistics input interface ethernet 1 1 Input Statistics Interface Report Leave G Query G S S Query Drop Join Succ Group Eth 1 1 23 11 4 10 5 14 5 Console Table 103 show ip igmp snooping statist...

Page 516: ...cessfully joined Group The number of multicast groups active on this interface Table 104 show ip igmp snooping statistics output display description Field Description Interface Shows interface Report The number of IGMP membership reports sent from this interface Leave The number of leave messages sent from this interface G Query The number of general query messages sent from this interface G S S Q...

Page 517: ...ace Self Querier Expire Time after which local querier is assumed to have expired Self Querier Uptime Time local querier has been up General Query Received The number of general queries received on this interface General Query Sent The number of general queries sent from this interface Specific Query Received The number of specific queries received on this interface Specific Query Sent The number ...

Page 518: ...Default Setting No static multicast router ports are configured Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router or switch connected over the network to an interface port or trunk on this switch that interface can be manually configured to j...

Page 519: ...and throttling on the switch GC ip igmp profile Sets a profile number and enters IGMP filter profile configuration mode GC permit deny Sets a profile access mode to permit or deny IPC range Specifies one or a range of multicast addresses for a profile IPC ip igmp filter Assigns an IGMP filter profile to an interface IC ip igmp max groups Specifies an IGMP throttling number for an interface IC ip i...

Page 520: ...ainst the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups Example Console config ip igmp filter Console config ip igmp profile This command...

Page 521: ...er permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when a multicast group is not in the controlled range Example Console config ip igmp profile 19 Console config igmp profile permit Console config igmp profile range This command spec...

Page 522: ...o an interface on the switch Use the no form to remove a profile from an interface Syntax no ip igmp filter profile number profile number An IGMP filter profile number Range 1 4294967295 Default Setting None Command Mode Interface Configuration Command Usage The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface Only one pro...

Page 523: ...y or replace see the ip igmp max groups action command If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group IGMP throttling can also be set on a trunk interface When ports are configured as trunk members the trunk uses the throttling settings of the first por...

Page 524: ... ip igmp query drop This command drops any received IGMP query packets Use the no form to restore the default setting Syntax no ip igmp query drop Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command can be used to drop any query packets received on the specified interface If this switch is acting as a Querier this prevents it from being af...

Page 525: ... multicast data drop Console config if show ip igmp filter This command displays the global and interface settings for IGMP filtering Syntax show ip igmp filter interface interface interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 port channel channel id Range 1 24 Default Setting None Command Mode Privileged Exec Example Console show ip igmp filter IGMP ...

Page 526: ...P Profile 19 IGMP Profile 50 Console show ip igmp profile 19 IGMP Profile 19 Deny Range 239 1 1 1 239 1 1 1 Range 239 2 3 1 239 2 3 100 Console show ip igmp query drop This command shows if the specified interface is configured to drop IGMP query packets Syntax show ip igmp throttle interface interface interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 por...

Page 527: ...mp throttle interface interface interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 port channel channel id Range 1 24 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces Example Console show ip igmp throttle interface ethernet 1 1 Eth 1 1 Information Stat...

Page 528: ...ping Multicast Listener Discovery MLD snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4 That is MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it This reduces the flooding of IPv6 multicast packets in the specified VLANs There are two versions of the MLD...

Page 529: ...d report interval Specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled GC ipv6 mld snooping version Configures the MLD Snooping version GC ipv6 mld snooping vlan immediate leave Removes a member port of an IPv6 multicast service if a leave packet is received at that port and MLD immediate leave is enabled for the parent VLAN GC ipv6 ml...

Page 530: ...hen proxy reporting is enabled with this command reports received from downstream hosts are summarized and used to build internal membership states Proxy reporting devices may use the all zeros IP source address when forwarding any summarized reports upstream For this reason IGMP membership reports received by the snooping switch must not be rejected because the source IP address is set to 0 0 0 0...

Page 531: ...ig ipv6 mld snooping querier Console config ipv6 mld snooping query interval This command configures the interval between sending MLD general queries Use the no form to restore the default Syntax ipv6 mld snooping query interval interval no ipv6 mld snooping query interval interval The interval between sending MLD general queries Range 60 125 seconds Default Setting 125 seconds Command Mode Global...

Page 532: ...d to an MLD Query message before the switch deletes the group if it is the last member Example Console config ipv6 mld snooping query max response time seconds 15 Console config ipv6 mld snooping robustness This command configures the MLD Snooping robustness variable Use the no form to restore the default value Syntax ipv6 mld snooping robustness value no ipv6 mld snooping robustness value The num...

Page 533: ... The router port expire time is the time the switch waits after the previous querier stops before it considers the router port i e the interface that had been receiving query packets to have expired Example Console config ipv6 mld snooping router port expire time 300 Console config ipv6 mld snooping unknown multicast mode This command sets the action for dealing with unknown multicast packets Use ...

Page 534: ...ies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled Use the no form to restore the default value Syntax ipv6 mld snooping unsolicited report interval seconds no ipv6 mld snooping unsolicited report interval seconds The interval at which to issue unsolicited reports Range 1 65535 seconds Default Setting 400 seconds Command Mode Global Config...

Page 535: ...e default Syntax no ipv6 mld snooping vlan vlan id immediate leave vlan id A VLAN identification number Range 1 4094 Default Setting Disabled Command Mode Global Configuration Command Usage If MLD immediate leave is not used a multicast router or querier will send a group specific query message when an MLD group leave message is received The router querier stops forwarding traffic for that group o...

Page 536: ...mand Mode Global Configuration Command Usage Depending on your network connections MLD snooping may not always be able to locate the MLD querier Therefore if the MLD querier is a known multicast router switch connected over the network to an interface port or trunk on the switch you can manually configure that interface to join all the current multicast groups Example The following shows how to co...

Page 537: ... 3 4 5 6 ethernet 1 6 Console config clear ipv6 mld snooping groups dynamic This command clears multicast group information dynamically learned through MLD snooping Syntax clear ipv6 mld snooping groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned though MLD snooping Statically configured multicast address are not cleared Example Console clear ipv6 ml...

Page 538: ...AN ID 1 4094 Command Mode Privileged Exec Command Usage This command displays global and VLAN specific MLD snooping configuration settings Example The following shows MLD Snooping configuration information Console show ipv6 mld snooping Service Status Disabled Proxy Reporting Disabled Querier Status Disabled Robustness 2 Query Interval 125 sec Query Max Response Time 10 sec Router Port Expiry Time...

Page 539: ...figuration information Console show ipv6 mld snooping group Total Entries 3 limit 255 VLAN Multicast IPv6 Address Member Port Type 1 FF02 01 01 01 01 Eth 1 1 MLD Snooping 1 FF02 01 01 01 02 Eth 1 1 Multicast Data 1 FF02 01 01 01 02 Eth 1 1 User Console show ipv6 mld snooping group source list This command shows known multicast groups member ports the means by which each group was learned and the c...

Page 540: ...4 01 02 03 05 01 02 03 06 01 02 03 07 Exclude List 02 02 03 04 02 02 03 05 02 02 03 06 02 02 03 07 if include filter mode Include List 02 02 03 04 02 02 03 05 02 02 03 06 02 02 03 06 Option Filter Mode Include Exclude Console show ipv6 mld snooping mrouter This command shows MLD Snooping multicast router information Syntax show ipv6 mld snooping mrouter vlan vlan id vlan id A VLAN identification n...

Page 541: ...ated message statistics Console show ipv6 mld snooping statistics input interface ethernet 1 1 Input Statistics Interface Report Leave G Query G S S Query Drop Join Succ Group Eth 1 1 4 0 0 0 0 0 2 Console Table 109 show ipv6 MLD snooping statistics input display description Field Description Interface The unit port or VLAN interface Report The number of MLD membership reports received on this int...

Page 542: ...up was successfully joined Group The number of MLD groups active on this interface Table 110 show ipv6 MLD snooping statistics output display description Field Description Interface The unit port or VLAN interface Report The number of MLD membership reports transmitted from this interface Leave The number of leave messages transmitted from this interface G Query The number of general query message...

Page 543: ... Recieved Recieved General 0 Report 4 Group Specific 0 Leave 0 join Success 0 Filter Drop 0 Source Port Drop 0 Others Drop 0 Console Table 111 show ipv6 MLD snooping statistics query display description Field Description Other Querier Address IP address of remote querier on this interface Other Querier Expire Time after which remote querier is assumed to have expired Other Querier Uptime Time remo...

Page 544: ...is interface Recieved Report The number of MLD membership reports received on this interface Leave The number of leave messages received on this interface join Success The number of times a multicast group was successfully joined Filter Drop The number of messages dropped by an MLD filtering profile Source Port Drop The number of dropped messages that are received on MVR source port or mrouter por...

Page 545: ... Description Table 113 MLD Filtering and Throttling Commands Command Function Mode ipv6 mld filter Enables MLD filtering and throttling on the switch GC ipv6 mld profile Sets a profile number and enters MLD filter profile configuration mode GC permit deny Sets a profile access mode to permit or deny IPC range Specifies one or a range of multicast addresses for a profile IPC iipv6 mld filter Interf...

Page 546: ...ved on the port are checked against the filter profile If a requested multicast group is permitted the MLD join report is forwarded as normal If a requested multicast group is denied the MLD join report is dropped MLD filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The MLD filtering feature operates in the same manner ...

Page 547: ... the access mode for an MLD filter profile Use the no form to delete a profile number Syntax permit deny Default Setting deny Command Mode MLD Profile Configuration Command Usage Each profile has only one access mode either permit or deny When the access mode is set to permit MLD join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny...

Page 548: ... ff01 0202 Console config mld profile ipv6 mld filter Interface Configuration This command assigns an MLD filtering profile to an interface on the switch Use the no form to remove a profile from an interface Syntax no ipv6 mld filter profile number profile number An MLD filter profile number Range 1 4294967295 Default Setting None Command Mode Interface Configuration Command Usage The MLD filterin...

Page 549: ...ame time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new MLD join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group MLD throttling can also be set on a trunk interface When ports are configured as ...

Page 550: ... is set to deny any new MLD join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Example Console config interface ethernet 1 1 Console config if ipv6 mld max groups action replace Console config if ipv6 mld query drop This command drops any received MLD query packets Use the no form to restore the de...

Page 551: ... Range Always 1 port Port number Range 1 52 port channel channel id Range 1 24 Default Setting None Command Mode Privileged Exec Example Console show ipv6 mld filter MLD filter Enabled Console show ipv6 mld filter interface ethernet 1 3 Ethernet 1 3 information MLD Profile 19 Deny Range ff01 101 ff01 faa Console show ipv6 mld profile This command displays MLD filtering profiles created on the swit...

Page 552: ...w ipv6 mld query drop interface interface interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 port channel channel id Range 1 24 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces Example Console show ipv6 mld query drop interface ethernet 1 1 Ethernet 1 1 Enabled Consol...

Page 553: ...1 52 port channel channel id Range 1 24 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces Example Console show ipv6 mld throttle interface ethernet 1 3 Eth 1 3 Information Status TRUE Action Replace Max Multicast Groups 10 Current Multicast Groups 0 Console ...

Page 554: ...ooting enhance network management and maintain an accurate network topology Table 114 LLDP Commands Command Function Mode lldp Enables LLDP globally on the switch GC lldp holdtime multiplier Configures the time to live TTL value sent in LLDP advertisements GC lldp med fast start count Configures how many medFastStart packets are transmitted GC lldp notification interval Configures the allowed inte...

Page 555: ...civic addr Configures an LLDP MED enabled port to advertise its location identification details IC lldp med notification Enables the transmission of SNMP trap notifications about LLDP MED changes IC lldp med tlv inventory Configures an LLDP MED enabled port to advertise its inventory identification details IC lldp med tlv location Configures an LLDP MED enabled port to advertise its location ident...

Page 556: ...he default setting Syntax lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on the following rule minimum of Transmission Interval Holdtime Multiplier or 65536 Range 2 10 Default Setting Holdtime multiplier 4 TTL 4 30 120 seconds Command Mode Global Configuration Command Usage The time to live tells the receiving LLDP agent how long to retain all ...

Page 557: ...the port LLDP MED Fast Start is critical to the timely startup of LLDP and therefore integral to the rapid availability of Emergency Call Service Example Console config lldp med fast start count 6 Console config lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use the no form to restore the default setting Syntax lldp not...

Page 558: ...e periodic transmit interval for LLDP advertisements Use the no form to restore the default setting Syntax lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval at which LLDP advertisements are sent Range 5 32768 seconds Default Setting 30 seconds Command Mode Global Configuration Example Console config lldp refresh interval 60 Console config lldp reinit delay...

Page 559: ...Use the no form to restore the default setting Syntax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds Default Setting 2 seconds Command Mode Global Configuration Command Usage The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probabilit...

Page 560: ...anagement address for this device Use the no form to disable this feature Syntax no lldp basic tlv management ip address Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The management address protocol packet includes the IPv4 address of the switch If no management address is available the address should be the MAC address for the CPU or for the port...

Page 561: ...config interface ethernet 1 1 Console config if lldp basic tlv management ip address Console config if lldp basic tlv port description This command configures an LLDP enabled port to advertise its port description Use the no form to disable this feature Syntax no lldp basic tlv port description Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The por...

Page 562: ...ple Console config interface ethernet 1 1 Console config if lldp basic tlv system capabilities Console config if lldp basic tlv system description This command configures an LLDP enabled port to advertise the system description Use the no form to disable this feature Syntax no lldp basic tlv system description Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Comma...

Page 563: ...and is in turn based on the hostname command Example Console config interface ethernet 1 1 Console config if lldp basic tlv system name Console config if lldp dot1 tlv proto ident This command configures an LLDP enabled port to advertise the supported protocols Use the no form to disable this feature Syntax no lldp dot1 tlv proto ident Default Setting Enabled Command Mode Interface Configuration E...

Page 564: ...page 457 Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto vid Console config if lldp dot1 tlv pvid This command configures an LLDP enabled port to advertise its default VLAN ID Use the no form to disable this feature Syntax no lldp dot1 tlv pvid Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The port s default ...

Page 565: ...ge 459 Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv vlan name Console config if lldp dot3 tlv link agg This command configures an LLDP enabled port to advertise link aggregation capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv link agg Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage Thi...

Page 566: ...s and operational Multistation Access Unit MAU type Example Console config interface ethernet 1 1 Console config if no lldp dot3 tlv mac phy Console config if lldp dot3 tlv max frame This command configures an LLDP enabled port to advertise its maximum frame size Use the no form to disable this feature Syntax no lldp dot3 tlv max frame Default Setting Enabled Command Mode Interface Configuration E...

Page 567: ... value Range 0 255 ca value Description of a location Range 1 32 characters Default Setting Not advertised No description Command Mode Interface Configuration Ethernet Port Channel Command Usage Use this command without any keywords to advertise location identification details Use the ca type to advertise the physical location of the device that is the city street number building and room informat...

Page 568: ...sole config if lldp med location civic addr 4 West Irvine Console config if lldp med location civic addr 6 Exchange Console config if lldp med location civic addr 18 Avenue Console config if lldp med location civic addr 19 320 Console config if lldp med location civic addr 27 5 Console config if lldp med location civic addr 28 509B Console config if lldp med location civic addr country US Console ...

Page 569: ...re included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss Example Console config interface ethernet 1 1 Console config if lldp med notification Console config if lldp med tlv inventory This command configures an LLDP MED enabled po...

Page 570: ...ole config if lldp med tlv location Console config if lldp med tlv med cap This command configures an LLDP MED enabled port to advertise its Media Endpoint Device capabilities Use the no form to disable this feature Syntax no lldp med tlv med cap Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises LLDP MED TLV capabilities allowin...

Page 571: ...te service disruption Example Console config interface ethernet 1 1 Console config if lldp med tlv network policy Console config if lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes Use the no form to disable LLDP notifications Syntax no lldp notification Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command U...

Page 572: ... configuration settings for all ports Syntax show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Unit identifier Range Always 1 port Port number Range 1 52 port channel channel id Range 1 24 Command Mode Privileged Exec Example The following example shows all basic LLDP parameters are enabled on Port 1 Console show lldp config LLDP Global Configua...

Page 573: ...us Enabled MED Enabled TLVs Advertised med cap network policy location inventory MED Location Identification Location Data Format Civic Address LCI Civic Address Status Enabled Country Name US What 2 CA Type 1 CA Value Alabama CA Type 2 CA Value Tuscaloosa Console show lldp info local device This command shows LLDP global and interface specific configuration settings for this device Syntax show ll...

Page 574: ...rt 3 Eth 1 4 MAC Address 00 12 CF DA FC EC Ethernet Port on unit 0 port 4 Console show lldp info local device detail ethernet 1 1 LLDP Local Port Information Detail Port Eth 1 1 Port ID Type MAC Address Port ID 00 12 CF DA FC E9 Port Description Ethernet Port on unit 1 port 1 MED Capability LLDP MED Capabilities Network Policy Location Identification Inventory Console show lldp info remote device ...

Page 575: ...e MAC Address Port ID 70 72 CF 91 1C B4 Time To Live 120 seconds Port Description Ethernet Port on unit 1 port 2 System Description SC30010 System Capabilities Bridge Enabled Capabilities Bridge Management Address 192 168 0 4 IPv4 Port VLAN ID 1 Port and Protocol VLAN ID supported disabled VLAN Name VLAN 1 DefaultVlan Protocol Identity Hex 88 CC MAC PHY Configuration Status Port Auto neg Supported...

Page 576: ...dress LCI Country Name TW What 2 Extended Power via MDI Power Type PSE Power Source Unknown Power Priority Unknown Power Value 0 Watts Inventory Hardware Revision R0A Firmware Revision 1 2 6 0 Software Revision 1 2 6 0 Serial Number S123456 Manufacture Name Prye Model Name VP101 Asset ID 340937 Console show lldp info statistics This command shows statistics based on traffic received through all at...

Page 577: ...ped Count 0 Neighbor Entries Ageout Count 1 LLDP Port Statistics Port NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 12 12 0 Eth 1 2 17 17 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 Console show lldp info statistics detail ethernet 1 1 LLDP Port Statistics Detail Port Name Eth 1 1 Frames Discarded 0 Frames Invalid 0 Frames Received 12 Frames Sent 12 TLVs Unrecognized 0 TLVs Discarded 0 N...

Page 578: ...mands Command Function Mode DNS ip domain list Defines a list of default domain names for incomplete host names GC ip domain lookup Enables DNS based host name to address translation GC ip domain name Defines a default domain name for incomplete host names GC ip host Creates a static IPv4 host name to address mapping GC ip name server Specifies the address of one or more name servers to use for ho...

Page 579: ...tch it will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match If there is no domain list the domain name specified with the ip domain name command is used If there is a domain list the default domain name is not used Example This example adds two domain names to the current list and then displays the list C...

Page 580: ...t enabled and the switch receives a DHCP packet containing a DNS field with a list of DNS servers then the switch will automatically enabled DNS host name to address translation If all name servers are deleted DNS will automatically be disabled Example This example enables DNS and then displays the configuration Console config ip domain lookup Console config end Console show dns Domain Lookup Stat...

Page 581: ...Range 1 127 characters Default Setting None Command Mode Global Configuration Example Console config ip domain name sample com Console config end Console show dns Domain Lookup Status DNS Disabled Default Domain Name sample com Domain Name List Name Server List Console Related Commands ip domain list 578 ip name server 582 ip domain lookup 580 ip host This command creates a static entry in the DNS...

Page 582: ...o address resolution Use the no form to remove a name server from this list Syntax no ip name server server address1 server address2 server address6 server address1 IPv4 or IPv6 address of domain name server server address2 server address6 IPv4 or IPv6 address of additional domain name servers Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried ...

Page 583: ...v6 host Range 1 127 characters ipv6 address Corresponding IPv6 address This address must be entered according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields Default Setting No static entries Command Mode Global Configuration Examp...

Page 584: ...TTL Host Console clear host This command deletes dynamic entries from the DNS table Syntax clear host name name Name of the host Range 1 127 characters Removes all entries Default Setting None Command Mode Privileged Exec Command Usage Use the clear host command to clear dynamic entries or the no ip host command to clear static entries Example This example clears all dynamic entries from the DNS t...

Page 585: ...L Host 3 4 Host 209 131 36 158 115 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 115 www yahoo com 5 4 CNAME POINTER TO 3 115 www wa1 b yahoo com Console Table 117 show dns cache display description Field Description No The entry number for each resource record Flag The flag is always 4 indicating a cache entry and therefore unreliable Type This field includes Host which specifies the primary na...

Page 586: ...oo com Console Multicast DNS Commands ip mdns This command enables multicast DNS Use the no form to disable this feature Syntax no ip mdns Default Setting Disabled Table 118 show hosts display description Field Description No The entry number for each resource record Flag The field displays 2 for a static entry or 4 for a dynamic entry stored in the cache Type This field includes Address which spe...

Page 587: ...ddress mapping on the local network without the need for a dedicated DNS server For more information on this command refer to the Web Management Guide Example Console config ip mdns Console config show ip mdns This command displays the configuration state multicast DNS service Command Mode Privileged Exec Example Console show ip mdns Multicast DNS Status Enabled Console ...

Page 588: ...e IP address information DHCP Relay Relays DHCP requests from local hosts to a remote DHCP server Table 120 DHCP Client Commands Command Function Mode DHCP for IPv4 ip dhcp dynamic provision Enables dynamic provision via DHCP GC ip dhcp client class id Specifies the DHCP client identifier for an interface IC ip dhcp restart client Submits a BOOTP or DHCP client request PE show ip dhcp dynamic prov...

Page 589: ...sioning process By default the parameters for DHCP option 66 67 are not carried by the reply sent from the DHCP server To ask for a DHCP reply with option 66 67 the client can inform the server that it is interested in option 66 67 by sending a DHCP request that includes a parameter request list option Besides this the client can also send a DHCP request that includes a vendor class identifier opt...

Page 590: ...following example enables dhcp dynamic provisioning Console config ip dhcp dynamic provisioning Console config ip dhcp client class id This command specifies the DCHP client vendor class identifier for the current interface Use the no form to remove the class identifier from the DHCP packet Syntax ip dhcp client class id text text hex hex no ip dhcp client class id text A text string Range 1 32 ch...

Page 591: ...class identifier set by the ip dhcp client class id command that allows the DHCP server to identify the device and select the appropriate configuration file for download This information is included in Option 55 and 124 The server should reply with Option 66 attributes including the TFTP server name and boot file name Note that the vendor class identifier can be formatted in either text or hexadec...

Page 592: ...ed to a different domain the network portion of the address provided to the client will be based on this new domain Example In the following example the device is reassigned the same address Console config interface vlan 1 Console config if ip address dhcp Console config if exit Console ip dhcp restart client Console show ip interface VLAN 1 is Administrative Up Link Up Address is 00 E0 00 00 00 0...

Page 593: ...mand Mode Global Configuration Command Usage DHCPv6 clients can obtain configuration parameters from a server through a normal four message exchange solicit advertise request reply or through a rapid two message exchange solicit reply The rapid commit option must be enabled on both client and server for the two message exchange to be used This command allows two message exchange method for prefix ...

Page 594: ...a client request to a DHCPv6 server the switch should be configured with a link local address using the ipv6 address autoconfig command The state of the Managed Address Configuration flag M flag and Other Stateful Configuration flag O flag received in Router Advertisement messages will determine the information this switch should attempt to acquire from the DHCPv6 server as described below Both M ...

Page 595: ... autoconfig 613 show ipv6 dhcp duid This command shows the DHCP Unique Identifier for this switch Command Mode Privileged Exec Command Usage DHCPv6 clients and servers are identified by a DHCP Unique Identifier DUID included in the client identifier and server identifier options Static or dynamic address prefixes may be assigned by a DHCPv6 server based on the client s DUID Example Console show ip...

Page 596: ...ID 0001 0001 38CF5AB0 F48F2A003917 Console RELATED COMMANDS ipv6 address 612 DHCP Relay This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server ip dhcp relay server This command specifies the DHCP server or relay server addresses to use Use the no form to clear all addresses Syntax ip dhcp relay server address1 address2 address3 ...

Page 597: ... This switch then passes the DHCP response received from the server to the client You must specify the IP address for at least one active DHCP server Otherwise the switch s DHCP relay agent will not be able to forward client requests to a DHCP server Up to five DHCP servers can be specified in order of preference If any of the specified DHCP server addresses are not located in the same network seg...

Page 598: ...allocates a free IP address for the DHCP client from its defined scope for the DHCP client s subnet and sends a DHCP response back to the DHCP relay agent i e this switch This switch then broadcasts the DHCP response received from the server to the client Example In the following example the device is reassigned the same address Console ip dhcp restart relay Console show ip interface VLAN 1 is Adm...

Page 599: ... Interface There are no IP addresses assigned to this switch by default You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway between this device and management stations or other devices that exist on another network segment if routing is not enabled This section includes c...

Page 600: ...the subnet 255 255 224 0 would be 19 secondary Specifies a secondary IP address default gateway The default gateway Refer to the ip default gateway command which provides the same function bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP Default Setting 192 168 2 10 24 Command Mode Interface Configuration VLAN Table 126 Basic IP Configuration Commands Command Function Mode ip ...

Page 601: ...itches in that segment must also use a secondary address from the same network or subnet address space If bootp or dhcp options are selected the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP IP is enabled but will not function until a BOOTP or DHCP reply has been received Requests are broadcast periodically ...

Page 602: ...ddress Static routes can also be defined using the ip route command to ensure that traffic to the designated address or subnet passes through a preferred gateway A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the router The same link local address may be used by different interfaces nodes in different zones RFC 4...

Page 603: ... Console Related Commands ip default gateway 602 show ipv6 default gateway 620 show ip interface This command displays the settings of an IPv4 interface Command Mode Privileged Exec Example Console show ip interface VLAN 1 is Administrative Up Link Up Address is 00 E0 00 00 00 01 Index 1001 MTU 1500 Address Mode is DHCP IP Address 192 168 0 2 Mask 255 255 255 0 DHCP Client Vendor Class ID text SC3...

Page 604: ... ICMP Statistics ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages ICMP sent output errors destination unreachable messages time exceeded messages p...

Page 605: ... This causes the first router to discard the datagram and return an error message The trace function then sends several probe messages at each subsequent TTL level and displays the round trip time for each message Not all devices respond correctly to probes by returning an ICMP port unreachable message If the timer goes off before a response is returned the trace function prints a series of asteri...

Page 606: ...2 512 The actual packet size will be eight bytes larger than the size specified because the switch adds header information Default Setting count 5 size 32 bytes Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached The following are some results of the ping command Normal response The normal response occurs in one to ten se...

Page 607: ...erage 8 ms Console Related Commands interface 343 ARP Configuration This section describes commands used to configure the Address Resolution Protocol ARP on the switch arp This command adds a static entry in the Address Resolution Protocol ARP cache Use the no form to remove an entry from the cache Syntax arp ip address hardware address no arp ip address ip address IP address to map to a specified...

Page 608: ... to time out Static entries will not be aged out nor deleted when power is reset A static entry can only be removed through the configuration interface Example Console config arp 10 1 0 19 01 02 03 04 05 06 Console config Related Commands clear arp cache 609 show arp 609 ip proxy arp This command enables proxy Address Resolution Protocol ARP Use the no form to disable proxy ARP Syntax no ip proxy ...

Page 609: ...ache This operation will delete all the dynamic entries in ARP Cache Do you want to continue this operation y n Console show arp This command displays entries in the Address Resolution Protocol ARP cache Command Mode Normal Exec Privileged Exec Command Usage This command displays information about the ARP cache The first line shows the cache timeout It also shows each cache entry including the IP ...

Page 610: ...n of IPv6 addresses on an interface and enables IPv6 on the interface IC ipv6 address eui 64 Configures an IPv6 global unicast address for an interface using an EUI 64 interface ID in the low order 64 bits and enables IPv6 on the interface IC ipv6 address link local Configures an IPv6 link local address for an interface and enables IPv6 on the interface IC ipv6 enable Enables IPv6 on an interface ...

Page 611: ...address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies VLAN 1 as the interface traceroute6 Shows the route packets take to the specified host PE Neighbor Discovery ipv6 nd dad attempts Configures the number of consec...

Page 612: ...no form with a specific IPv6 address to remove that address from the interface Syntax no ipv6 address ipv6 address prefix length ipv6 address A full IPv6 address including the network prefix and host address bits prefix length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address Default Setting No IPv6 addresses...

Page 613: ...s 2001 db8 2222 7272 72 96 subnet is 2001 db8 2222 7272 96 Joined group address es ff02 1 ff00 72 ff02 1 ff83 3466 ff02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lif...

Page 614: ...nts have the other stateful configuration flag set the switch may also attempt to acquire other non address configuration information such as a default gateway from a DHCPv6 server when DHCPv6 is restarted Example This example assigns a dynamic global unicast address of to the switch Console config if ipv6 address autoconfig Console config if end Console show ipv6 interface VLAN 1 is up IPv6 is st...

Page 615: ...mand Usage The prefix must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields If a link local address has not yet been assigned to this interface this command will dynamically generate a global unicast address a...

Page 616: ... be used on multiple IP interfaces of a single device as long as those interfaces are attached to different subnets Example This example uses the network prefix of 2001 0DB8 0 1 64 and specifies that the EUI 64 interface identifier be used in the lower 64 bits of the address Console config interface vlan 1 Console config if ipv6 address 2001 0DB8 0 1 64 eui 64 Console config if end Console show ip...

Page 617: ...fined fields And the address prefix must be in the range of FE80 FEBF The address specified with this command replaces a link local address that was automatically generated for the interface You can configure multiple IPv6 global unicast addresses per interface but only one link local address per interface If a duplicate address is detected a warning message is sent to the console Example This exa...

Page 618: ...terface that has not been configured with an explicit IPv6 address Syntax no ipv6 enable Default Setting IPv6 is disabled Command Mode Interface Configuration VLAN Command Usage This command enables IPv6 on the current VLAN interface and automatically generates a link local unicast address The address prefix uses FE80 and the host portion of the address is generated by converting the switch s MAC ...

Page 619: ...Pv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console Related Commands ipv6 address link local 617 show ipv6 interface 620 ipv6 mtu This command se...

Page 620: ...r VLAN 1 to 1280 bytes Console config interface vlan 1 Console config if ipv6 mtu 1280 Console config if Related Commands show ipv6 mtu 623 jumbo frame 95 show ipv6 default gateway This command displays the current IPv6 default gateway Command Mode Normal Exec Privileged Exec Example The following shows the default gateway configured for this device Console show ipv6 default gateway IPv6 default g...

Page 621: ...s 2001 db8 2222 7272 96 Joined group address es ff02 1 ff19 6779 ff02 1 ff00 72 ff02 1 ff83 3466 ff02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seco...

Page 622: ... the high order bits e g due to multiple high order prefixes associated with different aggregations will map to the same solicited node address thereby reducing the number of multicast addresses a node must join In this example FF02 1 FF90 0 104 is the solicited node multicast address which is formed by taking the low order 24 bits of the address and appending those bits to the prefix ND DAD Indic...

Page 623: ...d Mode Privileged Exec Example The following example shows statistics for all IPv6 unicast and multicast traffic as well as ICMP UDP and TCP statistics Console show ipv6 traffic IPv6 Statistics IPv6 received 3 total received header errors too big errors no routes address errors unknown protocols truncated packets discards delivers Table 130 show ipv6 mtu display description No information is displ...

Page 624: ...tisement messages neighbor solicit messages neighbor advertisement messages redirect messages group membership query messages group membership response messages group membership reduction messages ICMPv6 sent 6 output destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages 3 router solicit messages router a...

Page 625: ... truncated packets The number of input datagrams discarded because datagram frame didn t carry enough data discards The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing but which were discarded e g for lack of buffer space Note that this counter does not include any datagrams discarded while awaiting re assembly delivers The total number o...

Page 626: ...is output interface fragment succeeded The number of IPv6 datagrams that have been successfully fragmented at this output interface fragment failed The number of IPv6 datagrams that have been discarded because they needed to be fragmented at this output interface but could not be ICMPv6 Statistics ICMPv6 received input The total number of ICMP messages received by the interface which includes all ...

Page 627: ...interface packet too big messages The number of ICMP Packet Too Big messages sent by the interface time exceeded messages The number of ICMP Time Exceeded messages sent by the interface parameter problem message The number of ICMP Parameter Problem messages sent by the interface echo request messages The number of ICMP Echo request messages sent by the interface echo reply messages The number of I...

Page 628: ...One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields host name A host name string which can be resolved into an IPv6 address through a domain name server count Number of packets to send Range 1 16 multicast listener discovery version 2 reports The number of MLDv2 reports sent by the interface UDP Statistics input The total nu...

Page 629: ...see page 580 If necessary local devices can also be specified in the DNS static host table see page 581 When using ping6 with a host name the switch first attempts to resolve the alias into an IPv6 address before trying to resolve it into an IPv4 address Example Console ping6 FE80 2E0 CFF FE00 FC 1 Press ESC to abort PING to FE80 2E0 CFF FE00 FC 1 64 by 5 32 byte payload ICMP packets timeout is 3 ...

Page 630: ...r after the delimiter For example FE80 7272 1 identifies VLAN 1 as the interface from which the ping is sent A trace terminates when the destination responds when the maximum timeout TTL is exceeded or the maximum number of hops is exceeded The traceroute command first sends probe datagrams with the TTL value set at one This causes the first router to discard the datagram and return an error messa...

Page 631: ...licate address detection is stopped on any interface that has been suspended see the vlan command While an interface is suspended all unicast IPv6 addresses assigned to that interface are placed in a pending state Duplicate address detection is automatically restarted when the interface is administratively re activated An interface that is re activated restarts duplicate address detection for all ...

Page 632: ...6 is enabled Link local address fe80 200 e8ff fe90 0 64 Global unicast address es 2009 db9 2229 79 subnet is 2009 db9 2229 0 64 Joined group address es ff01 1 16 ff02 1 16 ff02 1 ff00 79 104 ff02 1 ff90 0 104 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 5 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 300...

Page 633: ...t the configured time is unspecified by this router Example The following sets the interval between sending neighbor solicitation messages to 30000 milliseconds Console config interface vlan 1 Console config ipv6 nd ns interval 30000 Console config end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local address fe80 200 e8ff FE90 0 64 Global unicast address es 2009 db9 2229 79 subn...

Page 634: ...y this parameter allows the router to detect unavailable neighbors During the neighbor discover process an IPv6 node will multicast neighbor solicitation messages to search for neighbor nodes For a neighbor node to be considered reachable it must respond to the neighbor soliciting node with a neighbor advertisement message to become a confirmed neighbor after which the reachable timer will be cons...

Page 635: ...ighbor device You can specify either a link local or global unicast address formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields Default Setting All IPv6 neighbor discovery cache entries are displayed Command Mode Pr...

Page 636: ...pecial action when sending packets S Stale More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning While in STALE state the device takes no action until a packet is sent D Delay More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning A pa...

Page 637: ...sk next hop distance no ip route destination ip netmask next hop destination ip IP address of the destination network subnetwork or host netmask Network mask for the associated IP subnet This mask identifies the host address bits used for routing to specific subnets next hop IP address of the next hop router used for this route distance An administrative distance indicating that this route can be ...

Page 638: ...54 using the default metric of 1 Console config ip route 192 168 1 0 255 255 255 0 192 168 5 254 Console config show ip route This command displays information in the Forwarding Information Base FIB Syntax show ip route connected database static summary connected Displays all currently connected entries database All known routes including inactive routes static Displays all static entries summary ...

Page 639: ... type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate default C 127 0 0 0 8 is directly connected lo C 192 168 1 0 24 is directly connected VLAN1 Console The RIB contains all available routes learned through directly attached networks and any additionally configured routes such as static routes T...

Page 640: ...Chapter 26 IP Routing Commands Global Routing Configuration 640 IP routing table maximum paths is 1 Connected 2 Total 2 Console ...

Page 641: ... 641 Section III Appendices This section provides additional information and includes these items Troubleshooting on page 642 License Information on page 644 ...

Page 642: ...ting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured on the management station Be sure you hav...

Page 643: ...6 Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set up your terminal emulation software so that it can capture all console output to a file Then enter the show tech support command to record all system settings in this file 9 Contact your distributor ...

Page 644: ... of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to ce...

Page 645: ...t you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it when started running for such interactive use in the most ordinary way to print or display an announceme...

Page 646: ...s These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and all its terms and conditions for copying distributing or modifying the Program or works based on it 7 Each time you redistribute the Program or any work based on the Program the recipien...

Page 647: ...sk for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 1 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE THE...

Page 648: ...hability among autonomous systems AS BGP makes routing decisions based on path network policies and or rule sets CoS Class of Service is supported by prioritizing packets based on the required level of service and then placing them in the appropriate output queue Data is transmitted from the queues using weighted round robin service to enforce priority service and prevent blockage of lower level q...

Page 649: ...fferent kinds of traffic can be marked for different kinds of forwarding The DSCP bits are mapped to the Class of Service categories and then into the output queues EAPOL Extensible Authentication Protocol over LAN EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch A user name and password is requested by...

Page 650: ...otocol is a network layer protocol that reports errors in processing IP packets ICMP is also used by routers to feed back information about better routing choices IEEE 802 1D Specifies a general method for the operation of MAC bridges including the Spanning Tree Protocol IEEE 802 1Q VLAN Tagging Defines Ethernet frame tags which carry VLAN information It allows switches to assign endstations to di...

Page 651: ...ls in an simple tree that uses IGMP Proxy IGMP Query On each subnetwork one IGMP capable device will act as the querier that is the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong The elected querier will be the device with the lowest IP address in the subnetwork IGMP Snooping Listening to IGMP Query and IGMP Report packets transfer...

Page 652: ...han the MD4 algorithm which has been broken MD5 is a one way hash function meaning that it takes a message and converts it into a fixed string of digits also called a message digest MIB Management Information Base An acronym for Management Information Base It is a set of database objects that contains information about a specific device MRD Multicast Router Discovery is a A protocol used by IGMP s...

Page 653: ...nd Variable Length Subnet Masks VLSM Out of Band Management Management of the network from a station not attached to the network Port Authentication See IEEE 802 1X Port Mirroring A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe This allows data on the target port to be studied unobstructively Port Trunk Defines a network ...

Page 654: ...host to host mail transport protocol that operates over TCP port 25 SNMP Simple Network Management Protocol The application protocol in the Internet suite of protocols which offers network management services SNTP Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP serv...

Page 655: ...le that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not have daylight saving time VLAN Virtual LAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allow...

Page 656: ... table dynamic 406 clear network access 265 clock summer time date 139 clock summer time predefined 141 clock summer time recurring 142 clock timezone 143 cluster 150 cluster commander 150 cluster ip pool 151 cluster member 152 configure 77 copy 98 databits 111 delete 102 delete public key 230 description 485 description 345 dir 103 disable 78 disconnect 118 dos protection echo chargen 307 dos pro...

Page 657: ...igmp snooping vlan general query suppression 504 ip igmp snooping vlan immediate leave 505 ip igmp snooping vlan last memb query count 506 ip igmp snooping vlan last memb query intvl 506 ip igmp snooping vlan mrd 507 ip igmp snooping vlan mrouter 518 ip igmp snooping vlan proxy address 508 ip igmp snooping vlan query interval 509 ip igmp snooping vlan query resp intvl 510 ip igmp snooping vlan sta...

Page 658: ...ion action 399 loopback detection recover time 400 loopback detection release 402 loopback detection transmit interval 401 mac access group 334 mac address table aging time 404 mac address table static 405 mac authentication intrusion action 264 mac authentication max mac count 264 mac authentication reauth time 258 mac learning 251 mac vlan 462 management 247 match 485 max hops 420 media type 347...

Page 659: ...ration 304 show ip arp inspection interface 304 show ip arp inspection log 305 show ip arp inspection statistics 305 show ip arp inspection vlan 305 show ip default gateway 603 show ip dhcp dynamic provision 592 show ip dhcp snooping 288 show ip dhcp snooping binding 289 show ip igmp filter 525 show ip igmp profile 526 show ip igmp query drop 526 show ip igmp snooping 512 show ip igmp snooping gro...

Page 660: ...interface 272 show web auth summary 273 shutdown 349 silent time 116 snmp server 157 snmp server community 157 snmp server contact 158 snmp server enable port traps link up down 163 snmp server enable port traps mac notification 164 snmp server enable traps 160 snmp server engine id 165 snmp server group 166 snmp server host 161 snmp server location 158 snmp server notify filter 174 snmp server us...

Page 661: ...e 605 traceroute6 629 traffic segmentation 312 traffic segmentation session 313 traffic segmentation uplink downlink 314 traffic segmentation uplink to uplink 315 transceiver monitor 359 transceiver threshold current 360 transceiver threshold rx power 361 transceiver threshold temperature 362 transceiver threshold tx power 363 transceiver threshold voltage 364 transceiver threshold auto 360 upgrad...

Page 662: ... IPv6 Extended 324 326 IPv6 Standard 324 325 MAC 331 time range 145 address table 404 aging time 404 aging time displaying 408 aging time setting 404 administrative users displaying 93 ARP proxy 608 ARP ACL 299 ARP configuration 607 ARP inspection 297 ACL filter 299 additional validation criteria 301 ARP ACL 336 enabling globally 298 enabling per VLAN 301 trusted ports 303 ARP statistics 604 ATC 1...

Page 663: ...ing 274 global configuration 274 information option 276 279 information option policy 280 information option enabling 276 279 information option remote ID 276 policy selection 280 remote ID 279 specifying trusted interfaces 284 286 sub length field 278 sub option format 278 sub type and sub length disabling 278 subtype field 278 verifying MAC addresses 281 VLAN configuration 282 DiffServ 483 bindi...

Page 664: ...21 filtering interface settings 522 523 groups displaying 513 Layer 2 494 query 498 query enabling 498 snooping 494 snooping query parameters 494 snooping configuring 494 snooping enabling 496 snooping immediate leave 505 IGMP snooping configuring 494 enabling per interface 496 forwarding entries 513 immediate leave status 505 interface attached to multicast router 514 518 last member query count ...

Page 665: ...P link type STA 427 LLDP 554 device statistics details displaying 576 device statistics displaying 576 display device information 574 displaying remote information 574 interface attributes configuring 560 571 local device information displaying 573 message attributes 554 message statistics 576 remote information displaying 574 remote port information displaying 574 timing attributes configuring 55...

Page 666: ...4 interface settings displaying 437 path cost 430 MTU for IPv6 619 Multicast Domain Name Service See mDNS multicast filtering 494 enabling IGMP snooping 496 enabling IGMP snooping per interface 496 enabling MLD snooping 529 router configuration 518 multicast groups 513 static 511 513 Multicast Listener Discovery See MLD snooping multicast router discovery 507 multicast router port displaying 514 m...

Page 667: ...QoS policy committed information rate 489 queue weight assigning to CoS 473 R RADIUS logon authentication 198 settings 198 rate limit port 395 setting 395 remote engine ID 165 remote logging 125 Remote Monitoring See RMON rename DiffServ 486 restarting the system 74 78 at scheduled times 74 showing restart time 79 RMON 179 alarm displaying settings 184 alarm setting thresholds 180 commands 179 eve...

Page 668: ...uring 423 434 interface settings displaying 437 link type 427 loopback detection 428 MSTP interface settings configuring 420 422 MSTP path cost 430 path cost 416 425 path cost method 416 port priority 433 port trunk loopback detection 428 protocol migration 436 transmission limit 419 startup files creating 98 displaying 90 104 setting 97 static addresses setting 405 static routes configuring 637 s...

Page 669: ... displaying port members 449 dynamic assignment 260 egress mode 447 ingress filtering 446 interface configuration 445 448 MAC based 461 mirroring 386 port members displaying 449 protocol 457 protocol configuring 458 459 protocol configuring groups 458 protocol interface configuration 459 protocol system configuration 458 PVID 448 voice 463 voice VLANs 463 detecting VoIP devices 464 enabling for po...

Page 670: ......

Page 671: ...E122017 KS R01 ...

Search results

Summary of Contents for SC30010

Reviews:

Related manuals for SC30010

Brands by name

Popular brands

SignaMax SC30010, Cli Reference Manual

Search results

Summary of Contents for SC30010

Reviews:

Related manuals for SC30010

Brands by name

Popular brands