AT-9000 Series Gigabit Ethernet Switches: AT-9000/12PoE, AT-9000/28, AT-9000/28PoE, AT-9000/28SP, AT-9000/52
Management Software Command Line Interface User’s Guide
AlliedWare Plus Version 2.1.8.0
613-001823 Rev.
Copyright Copyright © 2014, Allied Telesis, Inc. All rights reserved. This product includes software licensed under the BSD License. As such, the following language applies for those portions of the software licensed under the BSD License: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Allied Telesis is committed to meeting the requirements of the open source licenses including the GNU General Public License (GPL) and will make all required source code available. If you would like a copy of the GPL source code contained in this product, please send us a request by registered mail including a check for US$15 to cover production and shipping costs, and a CD with the GPL code will be mailed to you. GPL Code Request Allied Telesis, Inc.
Contents
Preface 9
Document Conventions 10
Where to Find Web-based Guides 11
Contacting Allied Telesis
Saving Your Changes 46
Ending a Management Session 47
Chapter 3: Basic Command Line Management 49
Clearing the Screen
CLOCK SET 112
ERASE STARTUP-CONFIG 113
EXEC-TIMEOUT 114
HELP
NO FLOWCONTROL 182
NO SHUTDOWN 183
NO SNMP TRAP LINK-STATUS 184
NO STORM-CONTROL
SHOW POWER-INLINE COUNTERS INTERFACE 249
SHOW POWER-INLINE INTERFACE 251
SHOW POWER-INLINE INTERFACE DETAIL 252
SNMP-SERVER ENABLE TRAP POWER-INLINE
Adding Static MAC Addresses 318
Deleting MAC Addresses 320
Setting the Aging Timer 322
Displaying the MAC Address Table
Host Node Topology 398
Single-host Per Port 398
Multiple-hosts Per Port 398
Enabling IGMP Snooping
NO BOOT CONFIG-FILE 455
SHOW BOOT 456
SHOW STARTUP-CONFIG 458
WRITE
Guidelines 518
Creating New Static Port Trunks or Adding Ports To Existing Trunks 520
Specifying the Load Distribution Method
Disabling the Spanning Tree Protocol 587
Displaying STP Settings 588
Chapter 42: STP Commands 589
NO SPANNING-TREE STP ENABLE
SPANNING-TREE RSTP ENABLE 640
Chapter 45: Multiple Spanning Tree Protocol 641
Overview
Port VLAN Identifier 697
Guidelines to Creating a Tagged VLAN 697
Tagged VLAN Example 698
Creating VLANs
SHOW GVRP MACHINE 766
SHOW GVRP STATISTICS 767
SHOW GVRP TIMER
Provider Ports 824
EtherType/Length 824
VLAN Stacking Process 825
Example of VLAN Stacking
Configuring Authenticator Ports 882
Designating Authenticator Ports 882
Designating the Authentication Methods 882
Configuring the Operating Modes
Chapter 63: SNMPv1 and SNMPv2c Commands 945
NO SNMP-SERVER 947
NO SNMP-SERVER COMMUNITY 948
NO SNMP-SERVER ENABLE TRAP
Chapter 66: sFlow Agent Commands 1007
NO SFLOW COLLECTOR IP 1008
NO SFLOW ENABLE 1009
SFLOW COLLECTOR IP
NO LLDP TLV-SELECT 1087
NO LLDP TRANSMIT RECEIVE 1088
NO LOCATION 1089
SHOW LLDP
SHOW RMON EVENT 1160
SHOW RMON HISTORY 1162
SHOW RMON STATISTICS
NO MLS QOS ENABLE 1247
NO WRR-QUEUE WEIGHT 1248
SHOW MLS QOS INTERFACE 1249
SHOW MLS QOS MAPS COS-QUEUE
Disabling the SSH Server 1307
Deleting Encryption Keys 1308
Displaying the SSH Server
Removing the Accounting Method List 1368
Deleting Server IP Addresses 1369
Displaying the RADIUS Client 1369
Managing the TACACS+ Client
RADIUS Client 1432
Remote Manager Account Authentication 1433
RMON
Figures
Figure 1: Command Modes 21
Figure 2: ENABLE Command 24
Figure 3: CONFIGURE TERMINAL Command
Figure 50: SHOW INTERFACE Command 194
Figure 51: SHOW INTERFACE BRIEF Command 197
Figure 52: SHOW INTERFACE STATUS Command
Figure 110: Edge Port
Figure 111: Point-to-Point and Edge Port
Figure 112: VLAN Fragmentation
Figure 170: SHOW SNMP-SERVER Command 956
Figure 171: SHOW SNMP-SERVER COMMUNITY Command 957
Figure 172: SHOW SNMP-SERVER VIEW Command 959
Figure 173: SHOW SNMP-SERVER Command
Tables
Table 1. Remote Software Tool Settings 16
Table 2. AlliedWare Plus Modes 22
Table 3. Adding a Management Address: Example 1 45
Table 4.
Table 50. Event Log Commands 487
Table 51. Event Message Severity Levels 489
Table 52. SHOW LOG Command 493
Table 53.
Table 110. Deleting ARP Entries 1114
Table 111. ARP Commands 1117
Table 112. SHOW ARP Command
Preface
This is the command line management guide for the AT-9000/12POE, AT-9000/28, AT-9000/28POE, AT-9000/28SP, and AT-9000/52 Managed Layer 2-4 Gigabit Ethernet EcoSwitches. The instructions in this guide explain how to start a management session and how to use the commands in the AlliedWare Plus command line interface to view and configure the features of the switch. For hardware installation instructions, refer to the AT-9000 Managed Layer 2 Fast Ethernet EcoSwitch Series Installation Guide.
Document Conventions
This document uses the following conventions:
Note: Notes provide additional information.
Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.
Where to Find Web-based Guides
The installation and user guides for all of the Allied Telesis products are available for viewing in portable document format (PDF) from our web site at www.alliedtelesis.com/support/documentation.
Contacting Allied Telesis
If you need assistance with this product, you may contact Allied Telesis technical support by going to the Support & Services section of the Allied Telesis web site at www.alliedtelesis.com/support. You can find links for the following services on this page:
24/7 Online Support: Enter our interactive support center to search for answers to your product questions in our knowledge database, to check support tickets, to learn about RMAs, and to contact Allied Telesis experts.
Section I: Getting Started
This section contains the following chapters:
Chapter 1, “AlliedWare Plus Command Line Interface” on page 15
Chapter 2, “Starting a Management Session” on page 37
Chapter 3, “Basic Command Line Management” on page 49
Chapter 4, “Basic Command Line Management Commands” on page 55
Chapter 5, “Temperature and Fan Control Overview” on page 73
Chapter 6, “Temperature and Fan Control Commands” on page 77

Chapter 1: AlliedWare Plus Command Line Interface
This chapter has the following sections:
“Management Sessions” on page 16
“Management Interfaces” on page 19
“Local Manager Account” on page 20
“AlliedWare Plus Command Modes” on page 21
“Moving Down the Hierarchy” on page 24
“Moving Up the Hierarchy” on page 28
“Port Numbers in Commands” on page 30
“Combo Ports 25 to 28” on page 32
“Command Format” on page 33
“Startup Messages” on page 34
Management Sessions
You can manage the switch locally or remotely. Local management is conducted through the Console port on the switch. Remote management is possible with a variety of management tools from workstations on your network.
Local Management
The switch has a Console port for local management of the unit.
To support remote management, the switch must have a management IP address. For instructions on how to assign a management IP address to the switch, refer to “Adding a Management IP Address” on page 44.
Remote Telnet Management
The switch has a Telnet server that you can use to remotely manage the unit from Telnet clients on your management workstations.
The switch supports the following MIBs for SNMP management:
atistackinfo.mib
atiEdgeSwitch.mib
RFC 1155 MIB
RFC 1213 MIB-II
RFC 1493 Bridge MIB
RFC 1643 Ethernet MIB
RFC 2096 IP Forwarding Table MIB
RFC 2790 Host MIB
RFC 2863 Interface Group MIB
RFC 3176 sFlow MIB
IEEE 802.1x 2010 MIB
The Allied Telesis managed switch MIBs (atistackinfo.mib and atiEdgeSwitch.mib) are available from the Allied Telesis web site.
Management Interfaces
The switch has two management interfaces:
AlliedWare Plus command line
Web browser windows
The AlliedWare Plus command line is available from local management sessions, and remote Telnet and Secure Shell management sessions. The web browser windows are available from remote web browser management sessions.
Local Manager Account
You must log on to manage the switch. This requires a valid user name and password. The switch comes with one local manager account. The user name of the account is “manager” and the default password is “friend.” The user name and password are case sensitive. This account gives you access to all management modes and commands.
AlliedWare Plus Command Modes
The AlliedWare Plus command line interface consists of a series of modes that are arranged in the hierarchy shown in Figure 1.
Figure 1. Command Modes
The modes have different commands and support different management functions. The only exceptions are the User Exec mode and the Privileged Exec mode. The Privileged Exec mode contains all the same commands as the User Exec mode, plus many more.
Note: By default, the mode prompts are prefixed with the “awplus” string. To change this string, use the HOSTNAME command. See “What to Configure First” on page 42.

Table 2. AlliedWare Plus Modes
User Exec mode
  Prompt: awplus>
  Function: Displays the switch settings. Lists the files in the file system. Pings remote systems.
Privileged Exec mode
  Prompt: awplus#
  Function: Displays the switch settings.
Global Configuration mode
  Prompt: awplus(config)#
Console Line mode
  Prompt: awplus(config-line)#
  Function: Sets the session timer for local management sessions. Activates and deactivates remote manager authentication.
Virtual Terminal Line mode
  Prompt: awplus(config-line)#
  Function: Sets the session timers for remote Telnet and SSH management sessions. Activates and deactivates remote manager authentication.
Interface mode
  Prompt: awplus(config-if)#
Moving Down the Hierarchy
To move down the mode hierarchy, you have to step through each mode in sequence. Skipping modes is not permitted. Each mode has a different command. For instance, to move from the User Exec mode to the Privileged Exec mode, you use the ENABLE command. Some commands, like the INTERFACE PORT command, which is used to enter the Port Interface mode, require a value, such as a port number, a VLAN ID or a port trunk ID.
LINE VTY Command
You use this command to move from the Global Configuration mode to the Virtual Terminal Line mode to set the management session timer and to activate or deactivate remote authentication of manager accounts. The format of the command is:
line vty line_id
The range of the LINE_ID parameter is 0 to 9. For information on the VTY lines, refer to “VTY Lines” on page 41.
awplus(config)# interface port1.0.11-port1.0.15,port1.0.22
awplus(config-if)#
Figure 8. INTERFACE PORT Command - Multiple Ports
The INTERFACE PORT command is also located in the Port Interface mode itself, so that you do not have to return to the Global Configuration mode to configure different ports. This example moves from the current Port Interface mode to the Port Interface mode for ports 7 and 10.
awplus(config-if)# interface port1.0.7,port1.0.
Note: A VLAN must be identified in this command by its VID and not by its name.
VLAN DATABASE Command
You use this command to move from the Global Configuration mode to the VLAN Configuration mode, which has the commands for creating VLANs. The format of the command is:
vlan database
awplus(config)# vlan database
awplus(config-vlan)#
Figure 12.
Moving Up the Hierarchy
There are four commands for moving up the mode hierarchy. They are the EXIT, QUIT, END and DISABLE commands.
EXIT and QUIT Commands
These commands, which are functionally identical, are found in nearly all the modes. They move you up one level in the hierarchy, as illustrated in Figure 15.
Figure 15.
Figure 16. Returning to the Privileged Exec Mode with the END Command
DISABLE Command
To return to the User Exec mode from the Privileged Exec mode, use the DISABLE command.
Figure 17.
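The mode hierarchy and the navigation commands described in this chapter (ENABLE, CONFIGURE TERMINAL, HOSTNAME, INTERFACE, LINE CONSOLE and LINE VTY, VLAN DATABASE, EXIT/QUIT, END and DISABLE) behave like a small state machine, which is useful for validating configuration scripts before they are pasted into a session. The Python program below is an added example written for this guide; it is not Allied Telesis code and produces no output from a real switch. The internal mode names, the choice to treat EXIT in User Exec mode as ending the session, and the lack of a range check on the console line id are assumptions; the VTY range 0 to 9 and the prompts come from Table 2 and the text above.

```python
"""Model of the AlliedWare Plus mode hierarchy and navigation commands.

Added example (not Allied Telesis code). It covers only the modes in Table 2
and the navigation commands from this chapter; anything else a real switch
accepts is out of scope.
"""
from dataclasses import dataclass

# Parent of each mode; EXIT and QUIT move exactly one step up this map.
PARENT = {
    "user-exec": None,
    "priv-exec": "user-exec",
    "config": "priv-exec",
    "config-if": "config",
    "config-line": "config",
    "config-vlan": "config",
}

# Prompt suffix appended to the hostname ("awplus" by default).
PROMPT_SUFFIX = {
    "user-exec": ">",
    "priv-exec": "#",
    "config": "(config)#",
    "config-if": "(config-if)#",
    "config-line": "(config-line)#",
    "config-vlan": "(config-vlan)#",
}

CONFIG_MODES = ("config", "config-if", "config-line", "config-vlan")


@dataclass
class Session:
    hostname: str = "awplus"
    mode: str = "user-exec"
    ended: bool = False

    def prompt(self) -> str:
        return self.hostname + PROMPT_SUFFIX[self.mode]

    def _require(self, *modes: str) -> None:
        # Modes cannot be skipped: a command is valid only in the modes that
        # contain it, so "configure terminal" from User Exec is an error.
        if self.mode not in modes:
            raise ValueError(f"not available in {self.mode} mode")

    def run(self, line: str) -> str:
        """Apply one navigation command and return the resulting prompt."""
        words = line.split()
        if not words:
            return self.prompt()
        cmd, args = words[0].lower(), [w.lower() for w in words[1:]]
        if cmd == "enable":
            self._require("user-exec")
            self.mode = "priv-exec"
        elif cmd == "disable":
            self._require("priv-exec")
            self.mode = "user-exec"
        elif cmd == "configure" and args == ["terminal"]:
            self._require("priv-exec")
            self.mode = "config"
        elif cmd == "hostname" and len(args) == 1:
            self._require("config")
            self.hostname = words[1]          # keep the caller's capitalisation
        elif cmd == "interface" and len(args) == 1:
            # INTERFACE is in both Global Configuration and Port Interface
            # mode, so ports can be switched without returning to config.
            self._require("config", "config-if")
            self.mode = "config-if"
        elif cmd == "line" and len(args) == 2 and args[0] in ("console", "vty"):
            self._require("config")
            line_id = int(args[1])
            if args[0] == "vty" and not 0 <= line_id <= 9:   # ten VTY lines, 0 to 9
                raise ValueError(f"vty line id {line_id} out of range 0-9")
            self.mode = "config-line"
        elif cmd == "vlan" and args == ["database"]:
            self._require("config")
            self.mode = "config-vlan"
        elif cmd in ("exit", "quit"):
            parent = PARENT[self.mode]
            if parent is None:
                self.ended = True   # assumption: EXIT in User Exec ends the session
            else:
                self.mode = parent
        elif cmd == "end":
            self._require(*CONFIG_MODES)
            self.mode = "priv-exec"
        else:
            raise ValueError(f"unrecognised navigation command: {line!r}")
        return self.prompt()


def walk(commands, hostname="awplus"):
    """Run commands on a fresh session and return the prompt after each one."""
    session = Session(hostname=hostname)
    return [session.run(c) for c in commands]


if __name__ == "__main__":
    for p in walk(["enable", "configure terminal", "hostname Engineering_sw2",
                   "interface port1.0.5-port1.0.11", "end", "disable"]):
        print(p)
```

Running a planned command sequence through walk() before using it on the switch catches the most common scripting mistake, a command issued one mode too early, because the model raises ValueError exactly where the real CLI would reject the line.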
Port Numbers in Commands
The ports on the switch are identified in the commands with the PORT parameter. The parameter has the format shown in Figure 18.
Figure 18. PORT Parameter in the Command Line Interface
The variables in the parameter are defined here:
Switch ID: This number is used if the switch supports stacking. It is the switch’s ID number in a stack.
You can also combine individual ports and port ranges in the same command, as illustrated in these commands, which enter the Port Interface mode for ports 5 to 11 and ports 16 and 18:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.5-port1.0.11,port1.0.16, port1.0.
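As an added example (not from the guide and not Allied Telesis code), the Python module below parses the PORT parameter notation shown above, expanding ranges and comma-separated lists into individual ports, and formats a list of ports back into the same notation. It goes slightly beyond the text by validating the input: the per-model port limit (max_port) and the rule that a range may not cross a switch or module boundary are assumptions chosen for that validation, since the guide only shows the notation itself.

```python
"""Parser and formatter for the PORT parameter syntax used in AlliedWare Plus
commands: port<switch>.<module>.<port>, ranges joined with '-' and lists
separated by ','.

Added example, not Allied Telesis code. The port-count limit and the rule
that a range stays within one switch and module are validation assumptions.
"""
import re

PORT_RE = re.compile(r"^port(\d+)\.(\d+)\.(\d+)$")


def parse_port_id(token: str) -> tuple:
    """'port1.0.5' -> (switch_id, module_id, port_number)."""
    m = PORT_RE.match(token.strip())
    if not m:
        raise ValueError(f"malformed port identifier: {token!r}")
    return tuple(int(g) for g in m.groups())


def expand_port_list(spec: str, max_port: int = 28) -> list:
    """Expand a PORT parameter such as
    'port1.0.5-port1.0.11,port1.0.16,port1.0.18' into the ordered list of
    (switch, module, port) tuples it names, with duplicates dropped.
    max_port bounds the port number (assumed 28 for the AT-9000/28 family,
    12 or 52 for the other models); anything outside 1..max_port is rejected."""
    result, seen = [], set()
    for item in spec.split(","):
        item = item.strip()            # tolerate "port1.0.16, port1.0.18"
        if not item:
            raise ValueError("empty element in port list")
        if "-" in item:
            lo_tok, hi_tok = item.split("-", 1)
            lo, hi = parse_port_id(lo_tok), parse_port_id(hi_tok)
            if lo[:2] != hi[:2]:
                raise ValueError(f"range {item!r} crosses a switch or module boundary")
            if lo[2] > hi[2]:
                raise ValueError(f"range {item!r} runs downward")
            ids = [(lo[0], lo[1], p) for p in range(lo[2], hi[2] + 1)]
        else:
            ids = [parse_port_id(item)]
        for pid in ids:
            if not 1 <= pid[2] <= max_port:
                raise ValueError(f"port {pid[2]} is outside 1..{max_port}")
            if pid not in seen:
                seen.add(pid)
                result.append(pid)
    return result


def format_port_list(ids) -> str:
    """Inverse of expand_port_list: collapse consecutive ports within the
    same switch and module back into the range notation."""
    ids = sorted(set(ids))
    chunks, i = [], 0
    while i < len(ids):
        j = i
        while (j + 1 < len(ids) and ids[j + 1][:2] == ids[i][:2]
               and ids[j + 1][2] == ids[j][2] + 1):
            j += 1
        first = "port%d.%d.%d" % ids[i]
        chunks.append(first if j == i else first + "-port%d.%d.%d" % ids[j])
        i = j + 1
    return ",".join(chunks)


if __name__ == "__main__":
    ports = expand_port_list("port1.0.5-port1.0.11,port1.0.16, port1.0.18")
    print(ports)
    print(format_port_list(ports))
```

The round trip expand_port_list followed by format_port_list normalises whatever spacing or ordering an operator typed into a canonical string, which makes it easy to compare intended port sets against what appears in a saved configuration file.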
Combo Ports 25 to 28
Ports 25 to 28 on the AT-9000/28, AT-9000/28POE, and AT-9000/28SP Managed Layer 2 EcoSwitches are combo ports. Each combo consists of one 10/100/1000Base-T port and one SFP slot. The twisted pair ports have the letter R for Redundant as part of their port numbers on the front faceplates of the units.
Command Format
The following sections describe the command line interface features and the command syntax conventions:
Command Line Interface Features
Command Formatting Conventions
Command Examples
The command line interface has these features:
Command history: Use the up and down arrow keys.
Keyword abbreviations: Any keyword can be recognized by typing an unambiguous prefix, for example, type “sh” and the software responds with “show.
Startup Messages
The switch generates the following series of status messages whenever it is powered on or reset. The messages can be viewed on the Console port with a terminal or a computer with a terminal emulator program.
CFE-NTSW-5.0.4 for BCM956218 (32bit,SP,BE,MIPS)
Build Date: Thu May 20 12:22:14 PDT 2010 (jwong@tiramisu)
Copyright (C) 2000-2008 Broadcom Corporation.
Initializing Arena.
Initializing Devices.
FTAB ...
FTABV6 ...
ACM ...
Filter ...
L3_MGMT ...
L3APP_MGMT ...
SFLOW ...
NTP ...
Chapter 2: Starting a Management Session
This chapter has the following sections:
“Starting a Local Management Session” on page 38
“Starting a Remote Telnet or SSH Management Session” on page 40
“What to Configure First” on page 42
“Ending a Management Session” on page 47
Note: You must do the initial configuration of the switch from a local management session.
Starting a Local Management Session
To start a local management session on the switch, perform the following procedure:
1. Connect the RJ-45 connector on the management cable that comes with the switch to the Console port, as shown in Figure 22. The Console port is located on the front panels on the AT-9000/12POE, AT-9000/28, AT-9000/28POE, and AT-9000/28SP Switches and on the back panel on the AT-9000/52 Switch.
Figure 22.
5. Enter a user name and password. If this is the initial management session of the switch, enter “manager” as the user name and “friend” as the password. The user name and password are case sensitive. The local management session has started when the AlliedWare Plus command line prompt, shown in Figure 23, is displayed.
awplus>
Figure 23.
Starting a Remote Telnet or SSH Management Session
Here are the requirements for remote management of the switch from a Telnet or SSH client on your network:
You must assign the switch a management IP address. To initially assign the switch an address, use a local management session. For instructions, refer to “What to Configure First” on page 42 or Chapter 13, “IPv4 and IPv6 Management Addresses” on page 257.
VTY Lines
The switch has ten VTY (virtual teletypewriter) lines. Each line supports one remote Telnet or SSH management session. The switch allocates the lines, which are numbered 0 to 9, in ascending order, beginning with line 0, as remote sessions are initiated. The VTY lines cannot be reserved for particular remote workstations because the switch allocates them as needed.
What to Configure First
Here are a few suggestions on what to configure during your initial management session of the switch. The initial management session must be a local management session from the Console port on the switch. For instructions on how to start a local management session, refer to “Starting a Local Management Session” on page 38.
Current software: v2.2.1.1
Current boot image: v2.2.1.1
Default boot config: boot.cfg
Current boot config: switch1.cfg (file exists)
Figure 24. SHOW BOOT Command
The name of your new active boot configuration file is displayed in the “Current boot config” field.
Changing the Login Password
To protect the switch from unauthorized access, you should change the password of the manager account.
This example assigns the name “Engineering_sw2” to the switch:
awplus> enable
awplus# configure terminal
awplus(config)# hostname Engineering_sw2
Engineering_sw2(config)#
Adding a Management IP Address
You must assign the switch a management IP address to use the features in Table 26 on page 258. Here are the requirements:
The switch can have one management IPv4 address and one management IPv6 address.
Table 3. Adding a Management Address: Example 1
awplus> enable
  Move to the Privileged Exec mode.
awplus# configure terminal
  Move to the Global Configuration mode.
awplus(config)# interface vlan1
  Use the INTERFACE VLAN command to move to the VLAN Interface mode of the Default_VLAN.
awplus(config-if)# ip address 149.82.112.72/24
  Assign the management IPv4 address to the switch using the IP ADDRESS command.
Table 4. Adding a Management IP Address: Example 2
awplus(config-if)# switchport access vlan 5
  Add the ports as untagged ports to the VLAN with the SWITCHPORT ACCESS VLAN command.
awplus(config-if)# exit
  Return to the Global Configuration mode.
awplus(config)# interface vlan5
  Use the INTERFACE VLAN command to move to the VLAN Interface mode of VLAN 5.
awplus(config-if)# ip address dhcp
  Activate the DHCP client on the switch with the IP ADDRESS DHCP command.
Ending a Management Session

To end a management session, go to either the Privileged Exec mode or the User Exec mode.
Chapter 3 Basic Command Line Management

This chapter contains the following sections:

“Clearing the Screen” on page 50
“Displaying the On-line Help” on page 51
“Saving Your Configuration Changes” on page 53
“Ending a Management Session” on page 54
Clearing the Screen

If your screen becomes cluttered with commands, you can start fresh by entering the CLEAR SCREEN command in the User Exec or Privileged Exec mode. If you are in a lower mode, you have to move up the mode hierarchy to one of these modes to use the command.
Displaying the On-line Help

The command line interface has an on-line help system to assist you with the commands. The help system is displayed by typing a question mark. Typing a question mark at a command line prompt displays all the keywords in the current mode. This example displays all the keywords in the VLAN Configuration mode.
awplus> enable
awplus# configure terminal
awplus(config)# hostname ?

Figure 27.
Saving Your Configuration Changes

To permanently save your changes to the parameter settings on the switch, you must update the active boot configuration file. This is accomplished with either the WRITE command or the COPY RUNNING-CONFIG STARTUP-CONFIG command, both of which are found in the Privileged Exec mode. When you enter either of these commands, the switch copies its running configuration into the active boot configuration file for permanent storage.
Ending a Management Session

To end a management session, go to either the Privileged Exec mode or the User Exec mode.
Chapter 4 Basic Command Line Management Commands

The basic command line commands are summarized in Table 5.

Table 5. Basic Command Line Commands

Command | Mode | Description
“? (Question Mark Key)” on page 57 | All modes | Displays the on-line help.
“CLEAR SCREEN” on page 59 | User Exec and Privileged Exec | Clears the screen.
“CONFIGURE TERMINAL” on page 60 | Privileged Exec | Moves you from the Privileged Exec mode to the Global Configuration mode.
Table 5. Basic Command Line Commands (Continued)

Command | Mode | Description
“QUIT” on page 70 | All modes except the User Exec and Privileged Exec | Moves you up one mode.
“WRITE” on page 71 | Privileged Exec | Updates the active boot configuration file with the current settings of the switch.
? (Question Mark Key)

Syntax
?

Parameters
None

Modes
All modes

Description
Use the question mark key to display on-line help messages. Typing the key at different points in a command displays different messages:

Typing “?” at a command line prompt displays all the keywords in the current mode.
Typing “?” after a keyword displays the available parameters.

Note
You must type a space between a keyword and the question mark.

This example displays the class of the value for the SPANNING-TREE HELLO-TIME command in the Global Configuration mode:

awplus> enable
awplus# configure terminal
awplus(config)# spanning-tree hello-time ?
CLEAR SCREEN

Syntax
clear screen

Parameters
None

Modes
User Exec and Privileged Exec modes

Description
Use this command to clear the screen.

CONFIGURE TERMINAL

Syntax
configure terminal

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to move from the Privileged Exec mode to the Global Configuration mode.

COPY RUNNING-CONFIG STARTUP-CONFIG

Syntax
copy running-config startup-config

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to update the active boot configuration file with the switch’s current configuration, for permanent storage. When you enter the command, the switch copies its parameter settings into the active boot configuration file. The switch saves only those parameters that are not at their default settings.

DISABLE

Syntax
disable

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to return to the User Exec mode from the Privileged Exec mode.
DO

Syntax
do command

Parameter
command
Specifies the Privileged Exec mode command to perform.

Mode
Global Configuration mode

Description
Use this command to perform Privileged Exec mode commands from the Global Configuration mode. You may use the command to perform some, but not all, of the Privileged Exec mode commands. To view the available commands, type a question mark “?” after the DO command.

ENABLE

Syntax
enable

Parameters
None

Mode
User Exec mode

Description
Use this command to move from the User Exec mode to the Privileged Exec mode.

END

Syntax
end

Parameters
None

Mode
All modes below the Global Configuration mode.

Description
Use this command to return to the Privileged Exec mode.

EXIT

Syntax
exit

Parameters
None

Mode
All modes

Description
Use this command to move down one mode in the mode hierarchy in all modes except the User Exec and Privileged Exec modes. Using the EXIT command in the User Exec and Privileged Exec modes terminates the management session.
LENGTH

Syntax
length value

Parameters
value
Specifies the maximum number of lines that the SHOW commands display at one time on the screen. The range is 0 to 512 lines. Use the value 0 if you do not want the SHOW commands to pause.

Mode
Console Line and Virtual Terminal Line modes

Description
Use this command to specify the maximum number of lines the SHOW commands display at one time on the screen during local or remote management sessions.

This example returns the number of lines to the default setting for local management sessions:

awplus> enable
awplus# configure terminal
awplus(config)# line console 0
awplus(config-line)# no length

LOGOUT

Syntax
logout

Parameters
None

Mode
User Exec and Privileged Exec modes

Description
Use this command to end a management session.

Note
Entering the EXIT command in either the User Exec or Privileged Exec mode also ends a management session.

QUIT

Syntax
quit

Parameters
None

Mode
All modes except the User Exec and Privileged Exec modes.

Description
Use this command to move up one mode in the mode hierarchy. This command is almost identical to the EXIT command. The difference is that unlike the EXIT command, the QUIT command cannot be used to end a management session.
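The mode transitions that the ENABLE, DISABLE, CONFIGURE TERMINAL, EXIT, END, QUIT and LOGOUT entries above describe can be checked in a small model before a scripted management session is run against a switch, for instance to confirm that the session is ended with LOGOUT or EXIT rather than left open, or to catch a QUIT issued in a mode where the reference says it is not available. The following Python script is an added example, not code from the switch or from Allied Telesis; the mode names, the two sub-modes it knows about and the SESSION_ENDED marker are this example's own choices, and it treats any other command as one that leaves the mode unchanged.

```python
"""Model of the command line mode hierarchy described in this chapter.

Added illustration, not code from the switch or from Allied Telesis. It encodes
only the transitions the command reference states for ENABLE, DISABLE,
CONFIGURE TERMINAL, EXIT, END, QUIT and LOGOUT. The mode names, the two
representative sub-modes and the SESSION_ENDED marker are this example's own.
"""

USER_EXEC = "User Exec"
PRIV_EXEC = "Privileged Exec"
GLOBAL_CONFIG = "Global Configuration"
SESSION_ENDED = "session ended"

# Sub-modes reachable from Global Configuration, keyed by the first keyword of
# the command that enters them (INTERFACE VLAN, LINE CONSOLE and LINE VTY).
SUB_MODES = {"interface": "Interface", "line": "Line"}

# The mode one level up, used by EXIT and QUIT below Privileged Exec.
PARENT = {GLOBAL_CONFIG: PRIV_EXEC, "Interface": GLOBAL_CONFIG, "Line": GLOBAL_CONFIG}


def step(mode, command):
    """Apply one command in the given mode and return the resulting mode.

    Raises ValueError for a command the reference does not allow in that mode.
    Commands that do not change mode (parameter settings, SHOW commands) are
    not validated here; they simply leave the mode unchanged.
    """
    if mode == SESSION_ENDED:
        raise ValueError("the session has already ended")
    words = command.split()
    keyword = words[0].lower() if words else ""

    if keyword == "enable":                       # User Exec -> Privileged Exec
        if mode != USER_EXEC:
            raise ValueError("ENABLE is a User Exec mode command")
        return PRIV_EXEC
    if keyword == "disable":                      # Privileged Exec -> User Exec
        if mode != PRIV_EXEC:
            raise ValueError("DISABLE is a Privileged Exec mode command")
        return USER_EXEC
    if keyword == "configure":                    # Privileged Exec -> Global Configuration
        if mode != PRIV_EXEC:
            raise ValueError("CONFIGURE TERMINAL is a Privileged Exec mode command")
        return GLOBAL_CONFIG
    if keyword in SUB_MODES:                      # Global Configuration -> sub-mode
        if mode != GLOBAL_CONFIG:
            raise ValueError(f"{keyword.upper()} is a Global Configuration mode command")
        return SUB_MODES[keyword]
    if keyword == "logout":                       # ends the session
        if mode not in (USER_EXEC, PRIV_EXEC):
            raise ValueError("LOGOUT is only available in User Exec and Privileged Exec")
        return SESSION_ENDED
    if keyword == "exit":
        # EXIT in User Exec or Privileged Exec terminates the management
        # session; in every other mode it moves one level in the hierarchy.
        if mode in (USER_EXEC, PRIV_EXEC):
            return SESSION_ENDED
        return PARENT[mode]
    if keyword == "quit":
        # QUIT is almost identical to EXIT, but it can never end a session.
        if mode in (USER_EXEC, PRIV_EXEC):
            raise ValueError("QUIT is not available in User Exec and Privileged Exec")
        return PARENT[mode]
    if keyword == "end":
        # END returns to Privileged Exec; the reference lists it for the modes
        # below Global Configuration, so it is modelled for those modes only.
        if mode not in SUB_MODES.values():
            raise ValueError("END is only available in the modes below Global Configuration")
        return PRIV_EXEC
    return mode                                   # any other command: mode unchanged


def is_valid(mode, command):
    """True if the reference allows the command in that mode."""
    try:
        step(mode, command)
        return True
    except ValueError:
        return False


def run(commands, start=USER_EXEC):
    """Run a command sequence and return every mode visited, starting with start."""
    trail = [start]
    for command in commands:
        trail.append(step(trail[-1], command))
    return trail


if __name__ == "__main__":
    # The sequence used in this guide's LENGTH example, then EXIT twice and a
    # final EXIT that ends the session from Privileged Exec.
    for mode in run(["enable", "configure terminal", "line console 0",
                     "no length", "exit", "exit", "exit"]):
        print(mode)
```

Replaying a session through run() before pasting it into a terminal shows where each command lands; a sequence that ends anywhere other than SESSION_ENDED has left the management session open.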
WRITE

Syntax
write

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to update the active boot configuration file with the switch’s current configuration, for permanent storage. When you enter the command, the switch copies its parameter settings into the active boot configuration file. The switch saves only those parameters that are not at their default settings.
Chapter 5 Temperature and Fan Control Overview

“Overview” on page 74
“Displaying the System Environmental Status” on page 75
“Controlling Eco-Mode LED” on page 76
Overview

The switch monitors the environmental status, such as temperature and voltage, and the status of fan modules. Checking this information helps you to identify potential hardware issues before they become problems.

Displaying the System Environmental Status

The switch monitors the environmental status of the switch and any attached PSU, XEM, or expansion option. The environmental status covers information about temperatures, fans, and voltage. To display this information, go to User Exec or Privileged Exec mode and enter the command:

awplus# show system environment

Figure 28 shows an example of the information the command displays.

Controlling Eco-Mode LED

AlliedWare Plus products provide an Eco-Mode LED control to conserve additional power on the port LEDs. The Eco-Mode LED is an eco-friendly feature that turns off the port LEDs when they are not necessary.
Chapter 6 Temperature and Fan Control Commands

The temperature and fan control commands are summarized in Table 6.

Table 6. Temperature and Fan Control Commands

Command | Mode | Description
“ECOFRIENDLY LED” on page 78 | Global Configuration | Turns off the port LEDs on the switch to save power.
“NO ECOFRIENDLY LED” on page 79 | Global Configuration | Turns on the port LEDs on the switch.
“SHOW ECOFRIENDLY” on page 80 | Privileged Exec | Displays the power saving status of the port LEDs.
ECOFRIENDLY LED

Syntax
ecofriendly led

Parameters
None

Mode
Global Configuration mode

Description
Use this command to turn off the port LEDs on the switch to save power.

NO ECOFRIENDLY LED

Syntax
no ecofriendly led

Parameters
None

Mode
Global Configuration mode

Description
Use this command to turn on the port LEDs on the switch.

SHOW ECOFRIENDLY

Syntax
show ecofriendly

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the power saving status of the port LEDs. An example of the information the command displays is shown in Figure 29.

Front panel port LEDs: on

Figure 29.

SHOW SYSTEM ENVIRONMENT

Syntax
show system environment

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the environmental information for the switch. Figure 30 shows an example of the information that the command displays.
Table 7. SHOW SYSTEM ENVIRONMENT Command

Parameter | Description
Reading | Indicates the current reading of the item.
Status | Indicates the status of the item.
Section II Basic Operations

This section contains the following chapters:

Chapter 7, “Basic Switch Management” on page 85
Chapter 8, “Basic Switch Management Commands” on page 103
Chapter 9, “Port Parameters” on page 143
Chapter 10, “Port Parameter Commands” on page 163
Chapter 11, “Power Over Ethernet” on page 215
Chapter 12, “Power Over Ethernet Commands” on page 227
Chapter 13, “IPv4 and IPv6 Management Addresses” on page 257
Chapter 14, “IPv4 and IPv6 Management Address
Chapter 7 Basic Switch Management

This chapter contains the following:

“Adding a Name to the Switch” on page 86
“Adding Contact and Location Information” on page 87
“Displaying Parameter Settings” on page 88
“Manually Setting the Date and Time” on page 89
“Pinging Network Devices” on page 90
“Resetting the Switch” on page 91
“Restoring the Default Settings to the Switch” on page 92
“Setting the Baud Rate of the Console Port” on page 94
“Configuring the Management Session
Adding a Name to the Switch

The switch will be easier to identify if you assign it a name. The switch displays its name in the command line prompt, in place of the default prefix “awplus.” To assign the switch a name, use the HOSTNAME command in the Global Configuration mode. A name can consist of up to 39 alphanumeric characters. Spaces, punctuation, special characters, and quotation marks are not permitted.

Adding Contact and Location Information

The commands for assigning the switch contact and location information are the SNMP-SERVER CONTACT and SNMP-SERVER LOCATION commands, both of which are found in the Global Configuration mode. Here are the formats of the commands:

snmp-server contact contact
snmp-server location location

The variables can be from 1 to 255 alphanumeric characters in length. Spaces and special characters are allowed.

Displaying Parameter Settings

To display the current parameter settings on the switch, use the SHOW RUNNING-CONFIG command in the Privileged Exec mode. The settings, which are displayed in their equivalent command line commands, are limited to just those parameters that have been changed from their default values. The information includes new settings that have yet to be saved in the active boot configuration file.
Manually Setting the Date and Time

To manually set the date and time on the switch, use the CLOCK SET command in the Privileged Exec mode. Here is the format of the command:

clock set hh:mm:ss dd mmm yyyy

Here are the variables:

hh:mm:ss: Use this variable to specify the hour, minute, and second for the switch’s time in 24-hour format.
dd: Use this variable to specify the day of the month.
mmm: Use this variable to specify the month.
Pinging Network Devices

If the switch is unable to communicate with a network device, such as a syslog server or a TFTP server, you can test for an active link between the two devices by instructing the switch to send ICMP Echo Requests and to listen for replies sent back from the other device. This is accomplished with the PING command in the Privileged Exec mode.

Resetting the Switch

To reset the switch, use either the REBOOT or RELOAD command in the Privileged Exec mode. You might reset the switch if it is experiencing a problem or if you want to reconfigure its settings after designating a new active boot configuration file. The commands display a confirmation prompt.

Caution
The switch will not forward network traffic while it initializes its management software. Some network traffic may be lost.

Restoring the Default Settings to the Switch

To restore the default settings to the switch, delete or rename the active boot configuration file and then reset the unit. Without an active boot configuration file, the switch will use the default parameter settings after it initializes the management software.

Caution
Restoring the default settings requires that you reset the switch. The unit will not forward network traffic while it initializes the management software.

Another way to delete the file is with the ERASE STARTUP-CONFIG command, also in the Privileged Exec mode. The advantage of this command over the DELETE command is that you do not have to know the name of the active boot configuration file. When you enter the command, a confirmation prompt is displayed. If you enter “Y” for yes, the switch automatically deletes the active boot configuration file from the file system.

Setting the Baud Rate of the Console Port

The Console port is used for local management of the switch. To set its baud rate, use the BAUD-RATE SET command in the Global Configuration mode.

Note
If you change the baud rate of the Console port during a local management session, your session is interrupted. To resume the session you must change the speed of the terminal or the terminal emulator program to match the new speed of the serial terminal port on the switch.

Note
The baud rate is the only adjustable parameter on the Console port.

For reference information, refer to “BAUD-RATE SET” on page 111 and “SHOW BAUD-RATE” on page 128.
Configuring the Management Session Timers

You should always conclude a management session by logging off so that if you leave your workstation unattended, someone cannot use it to change the switch’s configuration. If you forget to log off, the switch has management session timers that detect and log off inactive local and remote management sessions automatically.
Both the first_line_id and the last_line_id parameters have a value of 0 to 9. You can specify one VTY line or a range of VTY lines.
Setting the Maximum Number of Manager Sessions

The switch supports up to three manager sessions simultaneously so that more than one person can manage the unit at a time. You set the maximum number of sessions with the SERVICE MAXMANAGER command in the Global Configuration mode. The default is three manager sessions.
Configuring the Banners

The switch has banner messages you may use to identify the switch or to display other information about the unit. The banners are listed here:

Message-of-the-day banner
Login banner
User Exec and Privileged Exec modes banner

Displayed login banner:

This unit was updated to version 2.1.1 today, May 21, 2010.
The commands for setting the banners are located in the Global Configuration mode with the exception of the SHOW BANNER LOGIN command, which you access in the Privileged Exec mode. After you enter the BANNER EXEC, BANNER LOGIN, or BANNER MOTD command, the “Type CTRL/D to finish” prompt is displayed. When you see this message, enter the banner message.

To remove messages without assigning new messages, use the NO versions of the commands.
Chapter 8 Basic Switch Management Commands

The basic switch management commands are summarized in Table 8.

Table 8. Basic Switch Management Commands

Command | Mode | Description
“BANNER EXEC” on page 105 | Global Configuration | Creates a User Exec and Privileged Exec modes banner.
“BANNER LOGIN” on page 107 | Global Configuration | Creates a login banner.
“BANNER MOTD” on page 109 | Global Configuration | Creates a message-of-the-day banner.

Table 8. Basic Switch Management Commands (Continued)

Command | Mode | Description
“REBOOT” on page 124 | Privileged Exec | Resets the switch.
“RELOAD” on page 125 | Privileged Exec | Resets the switch.
“SERVICE MAXMANAGER” on page 126 | Global Configuration | Sets the maximum number of permitted manager sessions.
“SHOW BANNER LOGIN” on page 127 | Privileged Exec | Displays the banner set with the BANNER LOGIN command.
BANNER EXEC

Syntax
banner exec

Parameters
None

Mode
Global Configuration mode

Description
Use this command to create a banner for the User Exec and Privileged Exec modes. The message is displayed above the command line prompt when you log on or clear the screen with the CLEAR SCREEN command, in local, Telnet, and SSH management sessions. After you enter the command, the “Type CTRL/D to finish” prompt is displayed. Enter a banner message of up to 256 characters.

This example deletes the banner:

awplus> enable
awplus# configure terminal
awplus(config)# no banner exec
BANNER LOGIN

Syntax
banner login

Parameters
None

Mode
Global Configuration mode

Description
Use this command to configure the login banner. The message is displayed prior to the login user name and password prompts for local, Telnet, and SSH management sessions. If the switch also has a message-of-the-day banner, this message is displayed after the login banner. After you enter the command, the “Type CTRL/D to finish” prompt is displayed on your screen.
This example removes the login banner:

awplus> enable
awplus# configure terminal
awplus(config)# no banner login
BANNER MOTD

Syntax
banner motd

Parameters
None

Mode
Global Configuration mode

Description
Use this command to create a message-of-the-day banner. The message is displayed prior to the login user name and password prompts for local, Telnet, and SSH management sessions. If the switch also has a login banner, the login banner is displayed before the message-of-the-day banner. After you enter the command, the “Type CTRL/D to finish” prompt is displayed.
This example removes the message-of-the-day banner:

awplus> enable
awplus# configure terminal
awplus(config)# no banner motd

BAUD-RATE SET

Syntax
baud-rate set 1200|2400|4800|9600|19200|38400|57600|115200

Parameters
None

Mode
Global Configuration mode

Description
Use this command to set the baud rate of the Console port, which is used for local management sessions of the switch.

Note
If you change the baud rate of the serial terminal port during a local management session, your session will be interrupted.
CLOCK SET

Syntax
clock set hh:mm:ss dd mmm yyyy

Parameters
hh:mm:ss
Specifies the hour, minute, and second for the switch’s time in 24-hour format.
dd
Specifies the day of the month.
mmm
Specifies the month. The month is specified by its first three letters. For example, June is Jun. The first letter must be uppercase and the second and third letters lowercase.
yyyy
Specifies the year. The year must be specified in four digits (for example, 2011 or 2012).
ERASE STARTUP-CONFIG

Syntax
erase startup-config

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to delete the active boot configuration file to restore the default settings to all the parameters on the switch. After entering this command, enter the REBOOT command to reset the switch and restore the default settings.

Caution
The switch will not forward network traffic while it initializes its management software.
EXEC-TIMEOUT

Syntax
exec-timeout value

Parameters
value
Specifies the session timer in minutes. The range is 0 to 35,791 minutes. The default value is 10 minutes.

Mode
Line Console and Virtual Terminal Line modes

Description
Use this command to set the management session timers.
This example sets the session timer for the first (vty 0) Telnet or SSH session to 5 minutes:

awplus> enable
awplus# configure terminal
awplus(config)# line vty 0
awplus(config-line)# exec-timeout 5
HELP

Syntax
help

Parameters
None

Mode
All modes

Description
Use this command to learn how to use on-line help. Entering this command at a command line displays how to use the on-line help system. See Figure 34 for the description displayed on the screen.

When you need help at the command line, press “?”.
If nothing matches, the help list will be empty. Delete characters until entering a ‘?’ shows the available options.

HOSTNAME

Syntax
hostname name

Parameters
name
Specifies a name of up to 39 alphanumeric characters for the switch. Spaces, punctuation, special characters, and quotation marks are not permitted.

Mode
Global Configuration mode

Description
Use this command to assign the switch a name. The switch displays the name in the command line prompt, in place of the default prefix “awplus.”
LINE CONSOLE

Syntax
line console 0

Parameters
None

Mode
Global Configuration mode

Description
Use this command to enter the Line Console mode to set the session timer and to activate or deactivate remote authentication for local management sessions.

LINE VTY

Syntax
line vty first_line_id [last_line_id]

Parameters
first_line_id
Specifies the number of a VTY line. The range is 0 to 9.
last_line_id
Specifies the number of a VTY line. The range is 0 to 9. This is an optional parameter.

NO HOSTNAME

Syntax
no hostname

Parameters
None

Mode
Global Configuration mode

Description
Use this command to delete the switch’s name without assigning a new name.

PING

Syntax
ping ipaddress|hostname

Parameters
ipaddress
Specifies the IP address of the network device to receive the ICMP Echo Requests from the switch. You can specify only one IP address.
hostname
Specifies the host name of the network device to receive the ICMP Echo Requests from the switch. You can specify only one host name.

Note
The switch sends the ICMP Echo Requests from the ports of the VLAN assigned the management IP address. The device the switch is pinging must be a member of that VLAN or must be accessible through routers or other Layer 3 devices.

Example
This command instructs the switch to ping a network device with the IP address 149.122.14.15:

awplus> enable
awplus# ping 149.122.14.15

The results of the ping are displayed on the screen.
PING IPv6

Syntax
ping ipv6 ipv6-address repeat <1-99> size <36-18024>

Parameters
ipv6-address
Indicates the destination IPv6 address. The IPv6 address uses the format:

nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn

where n is a hexadecimal digit from 0 to F. The eight groups of digits have to be separated by colons. Groups where all four digits are ‘0’ can be omitted. Leading ‘0’s in groups can also be omitted.
REBOOT

Syntax
reboot

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to reset the switch. You might reset the unit if it is experiencing a problem or if you want to reconfigure its settings after you designate a new active boot configuration file. This command is identical to “RELOAD” on page 125. The command displays a confirmation prompt.

Caution
The switch does not forward network traffic while it initializes its management software.
RELOAD

Syntax
reload

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to reset the switch. You might reset the unit if it is experiencing a problem or if you want to reconfigure its settings after you designate a new active boot configuration file. This command is identical to “REBOOT” on page 124. The command displays a confirmation prompt.

Caution
The switch does not forward network traffic while it initializes its management software.

SERVICE MAXMANAGER

Syntax
service maxmanager value

Parameters
value
Specifies the maximum number of manager sessions the switch will allow at one time. The range is 1 to 3. The default is 3.

Mode
Global Configuration mode

Description
Use this command to set the maximum number of manager sessions that can be open on the switch simultaneously. This feature makes it possible for more than one person to manage the unit at one time.
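The constraints that this chapter documents for HOSTNAME, CLOCK SET, LINE VTY, EXEC-TIMEOUT and SERVICE MAXMANAGER can be enforced before a session-hardening configuration is typed or pasted into the switch, so that an out-of-range timer or a badly formed date is caught on the workstation rather than rejected at the prompt. The following Python script is an added example, not code from the switch or from Allied Telesis: the function names, the two-digit day it writes for dd, and the order in which it emits the commands are this example's own choices; the ranges and formats are the ones stated in this chapter and in “Configuring the Management Session Timers”.

```python
"""Builds a management-session baseline for the switch from the constraints
stated in this chapter (HOSTNAME, CLOCK SET, LINE VTY, EXEC-TIMEOUT and
SERVICE MAXMANAGER).

Added example, not code from the switch or from Allied Telesis. The function
names and the zero-padded two-digit day are this example's own choices.
"""
import re
from datetime import datetime

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]{1,39}$")   # HOSTNAME: up to 39 alphanumerics
EXEC_TIMEOUT_MAX = 35791                            # EXEC-TIMEOUT: 0 to 35,791 minutes
VTY_MAX = 9                                         # LINE VTY: line ids 0 to 9
MAXMANAGER_MIN, MAXMANAGER_MAX = 1, 3               # SERVICE MAXMANAGER: 1 to 3
# Three-letter months, first letter upper case, as CLOCK SET requires.
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def hostname_command(name):
    """HOSTNAME: 1-39 alphanumerics, no spaces, punctuation or quotation marks."""
    if not HOSTNAME_RE.match(name):
        raise ValueError(f"hostname {name!r} is not 1-39 alphanumeric characters")
    return f"hostname {name}"


def clock_set_command(when):
    """CLOCK SET in the form hh:mm:ss dd mmm yyyy (24-hour time, four-digit year).

    The month is taken from MONTHS rather than strftime('%b'), which depends
    on the locale and may not produce the capitalisation the switch expects.
    Writing dd as two digits is this example's assumption.
    """
    month = MONTHS[when.month - 1]
    return f"clock set {when:%H:%M:%S} {when.day:02d} {month} {when.year:04d}"


def exec_timeout_command(minutes):
    """EXEC-TIMEOUT in minutes, 0 to 35,791 (default 10)."""
    if not 0 <= minutes <= EXEC_TIMEOUT_MAX:
        raise ValueError(f"exec-timeout {minutes} is outside 0-{EXEC_TIMEOUT_MAX}")
    return f"exec-timeout {minutes}"


def line_vty_command(first, last=None):
    """LINE VTY with one line id or a range; both ids must be 0 to 9."""
    if not 0 <= first <= VTY_MAX:
        raise ValueError(f"vty line {first} is outside 0-{VTY_MAX}")
    if last is None:
        return f"line vty {first}"
    if not first <= last <= VTY_MAX:
        raise ValueError(f"vty range {first}-{last} is not within 0-{VTY_MAX}")
    return f"line vty {first} {last}"


def service_maxmanager_command(sessions):
    """SERVICE MAXMANAGER: 1 to 3 simultaneous manager sessions (default 3)."""
    if not MAXMANAGER_MIN <= sessions <= MAXMANAGER_MAX:
        raise ValueError(f"maxmanager {sessions} is outside "
                         f"{MAXMANAGER_MIN}-{MAXMANAGER_MAX}")
    return f"service maxmanager {sessions}"


def session_baseline(hostname, console_timeout, vty_timeout,
                     max_sessions=MAXMANAGER_MAX, when=None):
    """Command sequence from User Exec to a saved configuration.

    CLOCK SET is a Privileged Exec command, so it is issued before CONFIGURE
    TERMINAL; EXIT is used to step back out of each line mode; WRITE saves the
    result to the active boot configuration file from Privileged Exec.
    """
    lines = ["enable"]
    if when is not None:
        lines.append(clock_set_command(when))
    lines += [
        "configure terminal",
        hostname_command(hostname),
        "line console 0", exec_timeout_command(console_timeout), "exit",
        line_vty_command(0, VTY_MAX), exec_timeout_command(vty_timeout), "exit",
        service_maxmanager_command(max_sessions),
        "exit",
        "write",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(session_baseline("Core1", console_timeout=10, vty_timeout=5,
                                     max_sessions=1,
                                     when=datetime(2011, 9, 15, 14, 37, 22))))
```

Every value is validated by its own function, so a script that assembles the baseline from an inventory file fails on the offending entry with a message naming the documented range, instead of leaving a half-applied configuration on the switch.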
SHOW BANNER LOGIN

Syntax
show banner login

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the contents of the banner login file configured with the BANNER LOGIN command. A sample of the display is shown below.

This switch is located on the third floor of building 4 in lab 2B.

Figure 35.

SHOW BAUD-RATE

Syntax
show baud-rate

Parameters
None

Mode
User Exec mode and Privileged Exec mode

Description
Use this command to display the settings of the Console port, used for local management sessions of the switch. Here is an example of the information.

Asynchronous Port (Console) Information:
Baud Rate .................... 9600
Parity ....................... User Configured
Data bits .................... 0
Stop bits .................... 1

Figure 36.

SHOW CLOCK

Syntax
show clock

Parameters
None

Modes
User Exec mode

Description
Use this command to display the system’s current date and time.

SHOW RUNNING-CONFIG

Syntax
show running-config

Parameters
None

Modes
Privileged Exec mode

Description
Use this command to display the settings of the switch, in their equivalent command line commands. The command displays only the settings that have been changed from their default values and includes those values that have not yet been saved in the active boot configuration file.

SHOW SWITCH

Syntax
show switch

Parameters
None

Modes
Privileged Exec mode

Description
Use this command to view the information in Figure 37.

Switch Information:
Application Software Version .........
Application Software Build date ......
MAC Address ..........................
Console Disconnect Timer Interval ....
Telnet Server status .................
MAC address aging time ...............
Multicast Mode .......................
Table 9. SHOW SWITCH Command (Continued)

Parameter | Description
Active Spanning Tree version | The active spanning tree protocol on the switch. The protocol can be STP, RSTP, or MSTP. The active spanning tree protocol is set with “SPANNING-TREE MODE STP” on page 598, “SPANNING-TREE MODE RSTP” on page 634, and “SPANNING-TREE MODE MSTP” on page 676.
Console Disconnect Timer Interval | The current setting of the console timer.
SHOW SYSTEM

Syntax
show system

Parameters
None

Modes
User Exec and Privileged Exec modes

Description
Use this command to view general information about the switch. Figure 38 is an example of the information.

SHOW SYSTEM SERIALNUMBER

Syntax
show system serialnumber

Parameters
None

Mode
User Exec and Privileged Exec modes

Description
Use this command to display the serial number of the switch. Figure 39 is an example of the output.

S05525A023600001

Figure 39.

SHOW USERS

Syntax
show users

Parameters
None

Modes
Privileged Exec mode

Description
Use this command to display the managers who are currently managing the switch locally through the Console port and remotely from Telnet and SSH sessions. This command does not display managers who are configuring the device with a web browser application or an SNMP application. Figure 40 displays an example of the information.

Table 10. SHOW USERS Command (Continued)

Parameter | Description
Idle | The number of hours, minutes, and seconds since the manager using the account entered a command on the switch. The value is always zero for your account because you just entered the SHOW USERS command.
Location | The network device from which the manager is accessing the switch.

SHOW VERSION

Syntax
show version

Parameters
None

Mode
User Exec and Privileged Exec modes

Description
Use this command to display the software version number and build date of the management software. Figure 41 displays an example of the information.

AlliedWare Plus (TM) 2.1.3.0 09/15/11 14:37:22
Application Build name : ats-9000-2.1.3.0.img
Application Build date : Sep 15 2011 14:37:22
Application Build type : RELEASE
Bootloader version : 5.0.4

Figure 41.
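A script that collects SHOW BAUD-RATE, SHOW SWITCH or SHOW VERSION output from a number of switches has to turn the dotted “Key ..... value” lines and the “Key : value” lines shown above into named fields before it can compare the units against a baseline, for example to confirm that every switch runs an approved software image. The following Python parser is an added example, not code from the switch or from Allied Telesis; the sample text is copied from Figure 36 and Figure 41 on this page, and the function names and the version thresholds used below are this example's own choices.

```python
"""Parses SHOW BAUD-RATE and SHOW VERSION output into fields so that a script
can compare a switch against an expected baseline.

Added example, not code from the switch or from Allied Telesis. The sample
text below is copied from Figure 36 and Figure 41 of this guide (the figure
shows "Data bits 0" exactly as reproduced here).
"""
import re

SHOW_BAUD_RATE = """\
Asynchronous Port (Console) Information:
Baud Rate .................... 9600
Parity ....................... User Configured
Data bits .................... 0
Stop bits .................... 1
"""

SHOW_VERSION = """\
AlliedWare Plus (TM) 2.1.3.0 09/15/11 14:37:22
Application Build name : ats-9000-2.1.3.0.img
Application Build date : Sep 15 2011 14:37:22
Application Build type : RELEASE
Bootloader version : 5.0.4
"""

# "Key ......... value" lines (SHOW BAUD-RATE and SHOW SWITCH style). An empty
# value is kept so that a missing reading still shows up as a field.
DOTTED = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")
# "Key : value" lines (SHOW VERSION style). The colon must have spaces on both
# sides so that times such as 14:37:22 and section titles ending in ':' are
# not mistaken for fields.
COLON = re.compile(r"^\s*(.+?)\s+:\s+(.+?)\s*$")
# First line of SHOW VERSION, which carries the software version number.
VERSION_LINE = re.compile(r"^AlliedWare Plus \(TM\) (\d+(?:\.\d+)+)")


def parse_fields(text):
    """Return {field name: value} for every dotted or colon-separated line."""
    fields = {}
    for line in text.splitlines():
        match = DOTTED.match(line) or COLON.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def parse_version(version):
    """'2.1.3.0' -> (2, 1, 3, 0), so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def software_version(show_version_text):
    """Version tuple from the first line of SHOW VERSION, or None if absent."""
    for line in show_version_text.splitlines():
        match = VERSION_LINE.match(line.strip())
        if match:
            return parse_version(match.group(1))
    return None


def meets_minimum(show_version_text, minimum):
    """True if the switch runs at least the given software version."""
    found = software_version(show_version_text)
    return found is not None and found >= parse_version(minimum)


def console_speed(show_baud_rate_text):
    """Baud rate of the Console port as an integer."""
    return int(parse_fields(show_baud_rate_text)["Baud Rate"])


if __name__ == "__main__":
    print(parse_fields(SHOW_BAUD_RATE))
    print(parse_fields(SHOW_VERSION))
    # "2.2.1.1" is a constructed threshold for this usage example.
    print("runs at least 2.2.1.1:", meets_minimum(SHOW_VERSION, "2.2.1.1"))
```

Comparing version tuples rather than strings matters once a component reaches two digits, since "2.1.10.0" sorts before "2.1.3.0" as text but after it numerically.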
Chapter 8: Basic Switch Management Commands SNMP-SERVER CONTACT Syntax snmp-server contact contact Parameters contact Specifies the name of the person responsible for managing the switch. The name can be up to 255 alphanumeric characters in length. Spaces and special characters are allowed. Mode Global Configuration mode Description Use this command to add contact information to the switch. The contact information is usually the name of the person who is responsible for managing the unit.
AT-9000 Switch Command Line User’s Guide SNMP-SERVER LOCATION Syntax snmp-server location location Parameters location Specifies the location of the switch. The location can be up to 255 alphanumeric characters. Spaces and special characters are allowed. Mode Global Configuration mode Description Use this command to add location information to the switch. To remove the current location information without adding new information, use the NO form of this command.
Chapter 8: Basic Switch Management Commands SYSTEM TERRITORY Syntax system territory territory Parameters territory Specifies the territory of the switch. The switch can have only one territory. You may choose from the following: australia china europe japan korea nz (New Zealand) usa Mode Global Configuration mode Description Use this command to specify the territory of the switch. The territory setting is not currently used by any of the features on the switch.
AT-9000 Switch Command Line User’s Guide This example removes the current territory information:
awplus> enable
awplus# configure terminal
awplus(config)# no system territory
Chapter 9 Port Parameters This chapter contains the following:
“Adding Descriptions” on page 144
“Setting the Speed and Duplex Mode” on page 145
“Setting the MDI/MDI-X Wiring Configuration” on page 147
“Enabling or Disabling Ports” on page 148
“Enabling or Disabling Backpressure” on page 149
“Enabling or Disabling Flow Control” on page 150
“Resetting Ports” on page 153
“Configuring Threshold Limits for Ingress Packets” on page 154
“Displaying Threshold Limit Settings on
Chapter 9: Port Parameters Adding Descriptions The ports will be easier to identify if you give them descriptions. The descriptions are viewed with the SHOW INTERFACE command in the Privileged Exec mode. The command for adding descriptions is the DESCRIPTION command in the Port Interface mode. Here is the format: description description The DESCRIPTION parameter can be up to 80 alphanumeric characters. Spaces and special characters are allowed. You can assign a description to more than one port at a time.
AT-9000 Switch Command Line User’s Guide Setting the Speed and Duplex Mode The twisted pair ports on the switch can operate at 10, 100, or 1000 Mbps, in either half-duplex or full-duplex mode. You may set the speeds and duplex modes yourself or, since the ports support Auto-Negotiation, you may let the switch configure the ports automatically. The default setting for the ports is Auto-Negotiation for both speed and duplex mode.
Chapter 9: Port Parameters This example sets the speeds of ports 11 and 17 to 100 Mbps:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.11,port1.0.17
awplus(config-if)# speed 100
This example configures port 1 to half-duplex:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.1
awplus(config-if)# duplex half
This example configures ports 2 to 4 to 10 Mbps, full-duplex:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.2-port1.
AT-9000 Switch Command Line User’s Guide Setting the MDI/MDI-X Wiring Configuration The wiring configurations of twisted pair ports that operate at 10 or 100 Mbps are MDI (medium dependent interface) and MDI-X (medium dependent interface crossover). A port on the switch and a port on a link partner must have different settings. For instance, a switch port has to be using the MDI wiring configuration if the port on its link partner is using the MDIX wiring configuration.
Chapter 9: Port Parameters Enabling or Disabling Ports Disabling ports turns off their receivers and transmitters so that they cannot forward traffic. You might disable unused ports on the switch to protect them from unauthorized use, or if there is a problem with a cable or a network device. To disable ports, use the SHUTDOWN command in the Port Interface mode. To enable ports again, use the NO SHUTDOWN command.
AT-9000 Switch Command Line User’s Guide Enabling or Disabling Backpressure Ports use backpressure during periods of packet congestion, to prevent packet overruns. They use it to stop their link partners from sending any further packets to enable them to process the packets already in their buffers. Backpressure applies to ports that are operating in half-duplex mode at 10 or 100 Mbps. A port that is experiencing packet congestion initiates backpressure by transmitting a signal on the shared link.
Chapter 9: Port Parameters Enabling or Disabling Flow Control When a port that is operating in full-duplex mode needs to temporarily stop its local or remote counterpart from sending any further packets, it initiates flow control by sending what are known as pause packets. Pause packets instruct the link partner to stop sending packets to allow the sender of the packets time to process the packets already stored in its buffers. There are two aspects to flow control on the ports on the switch.
AT-9000 Switch Command Line User’s Guide This example configures port 21 not to send pause packets during periods of packet congestion:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.21
awplus(config-if)# speed 100
awplus(config-if)# duplex full
awplus(config-if)# flowcontrol send off
This example enables both the receive and send portions of flow control on port 7:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
Chapter 9: Port Parameters If flow control is not configured on a port, this message is displayed: Flow control is not set on interface port1.0.
AT-9000 Switch Command Line User’s Guide Resetting Ports If a port is experiencing a problem, you may be able to correct it with the RESET command in the Port Interface mode. This command performs a hardware reset. The port parameter settings are retained. The reset takes just a second or two to complete. This example resets ports 16 and 17:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.16,port1.0.
Chapter 9: Port Parameters Configuring Threshold Limits for Ingress Packets You can set threshold limits for the ingress packets on the ports. The threshold limits control the number of packets the ports accept each second. Packets that exceed the limits are discarded by the ports. You can set different limits for broadcast, multicast, and unknown unicast traffic. This feature is useful in preventing bottlenecks from forming in a network.
AT-9000 Switch Command Line User’s Guide To remove threshold limits from the ports, use the NO STORM-CONTROL command, also in the Port Interface mode. This example removes the threshold limit for broadcast packets on port 12:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.12
awplus(config-if)# no storm-control broadcast
This example disables unknown unicast rate limiting on ports 5, 6, and 15:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.5,port1.
Chapter 9: Port Parameters Displaying Threshold Limit Settings on Ports To display the threshold settings for the ingress packets on the ports, use the SHOW STORM-CONTROL command in the Privileged Exec mode. Here is the format:
show storm-control [port]
This example of the command displays the broadcast, multicast and DLF (unknown unicast) levels on port 18:
awplus# show storm-control port1.0.18
Here is an example of the information the command displays.
Port Bcastlevel port1.0.
AT-9000 Switch Command Line User’s Guide Reinitializing Auto-Negotiation If you believe that a port set to Auto-Negotiation is not using the highest possible common speed and duplex mode between itself and a network device, you can instruct it to repeat Auto-Negotiation. This is accomplished with the RENEGOTIATE command in the Port Interface mode. The command does not have any parameters. A port must already be set to Auto-Negotiation before you can use this command.
Chapter 9: Port Parameters Restoring the Default Settings To restore the default settings on a port, use the PURGE command in the Port Interface mode. This example returns ports 12, 13 and 15 to their default settings:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.12,port1.0.13,port1.0.15
awplus(config-if)# purge
For reference information, refer to “PURGE” on page 188.
AT-9000 Switch Command Line User’s Guide Displaying Port Settings There are several ways to display port settings. See the following:
“Displaying Speed and Duplex Settings” on page 159
“Displaying Port Status” on page 159
“Displaying Port Configuration” on page 160
Displaying Speed and Duplex Settings To display the speed and duplex mode settings of the ports, use the SHOW INTERFACE STATUS command in the Privileged Exec mode.
Chapter 9: Port Parameters
Interface port1.0.1
  Link is UP, administrative state is UP
  Address is 0015.77cc.e243
  index 1 mtu 9198
  SNMP link-status traps: Enabled (Suppressed in 0 sec.)
  Bandwidth 1g
    input packets 0, bytes 0, dropped 0, multicast packets 0
    output packets 0, bytes 0, multicast packets 0
    broadcast packets 0
Interface port1.0.2
  Link is UP, administrative state is UP
  Address is 0015.77cc.e244
  index 2 mtu 9198
  SNMP link-status traps: Enabled (Suppressed in 0 sec.
AT-9000 Switch Command Line User’s Guide Displaying or Clearing Port Statistics To view packet statistics for the individual ports, use the SHOW PLATFORM TABLE PORT COUNTERS command in the Privileged Exec mode. Here is the format of the command:
show platform table port [port] counters
This example displays the statistics for ports 23 and 24:
awplus# show platform table port port1.0.23,port1.0.24 counters
The statistics are described in Table 16 on page 201.
Chapter 9: Port Parameters Displaying SFP Information To view information on an SFP module plugged into the switch, use the SHOW SYSTEM PLUGGABLE command in the Privileged Exec mode. Here is the format of the command:
show system pluggable
For more information about this command, see “SHOW SYSTEM PLUGGABLE” on page 207. To view more detailed information on a plugged SFP, use the following command:
awplus# show system pluggable detail
The fields are described in Table 16 on page 201.
Chapter 10 Port Parameter Commands The port parameter commands are summarized in Table 11.
Table 11. Port Parameter Commands
Command | Mode | Description
“BACKPRESSURE” on page 166 | Port Interface | Enables or disables backpressure on ports that are operating in half-duplex mode.
“BPLIMIT” on page 168 | Port Interface | Specifies threshold levels for backpressure on ports.
“CLEAR PORT COUNTER” on page 169 | User Exec and Privileged Exec | Clears the packet counters.
Table 11. Port Parameter Commands (Continued)
“NO STORM-CONTROL” on page 185 | Port Interface | Removes threshold limits for broadcast, multicast, or unknown unicast packets.
“POLARITY” on page 186 | Port Interface | Sets the MDI/MDI-X settings on twisted pair ports.
“PURGE” on page 188 | Port Interface | Restores the default settings.
“STORM-CONTROL” on page 213 | Port Interface | Sets a maximum limit on the number of broadcast, multicast, or unknown unicast packets forwarded by a port.
Chapter 10: Port Parameter Commands BACKPRESSURE Syntax backpressure on|off Parameters on Activates backpressure on the ports. off Deactivates backpressure on the ports. Mode Port Interface mode Description Use this command to enable or disable backpressure on ports that are operating at 10 or 100 Mbps in half-duplex mode. Backpressure is used by ports during periods of packet congestion to temporarily stop their network counterparts from transmitting more packets.
AT-9000 Switch Command Line User’s Guide This example configures ports 8 and 21 to 100 Mbps, half-duplex mode, with backpressure disabled:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.8,port1.0.
Chapter 10: Port Parameter Commands BPLIMIT Syntax bplimit bplimit Parameters bplimit Specifies the number of cells for backpressure. A cell represents 128 bytes. The range is 1 to 7935 cells. The default value is 7935 cells. Mode Port Interface mode Description Use this command to specify a threshold level for backpressure on a port.
AT-9000 Switch Command Line User’s Guide CLEAR PORT COUNTER Syntax clear port counter port Parameters port Specifies the port whose packet counters you want to clear. You can specify more than one port at a time in the command. Mode User Exec mode and Privileged Exec mode Description Use this command to clear the packet counters of the ports. To display the counters, refer to “SHOW PLATFORM TABLE PORT COUNTERS” on page 201.
Chapter 10: Port Parameter Commands DESCRIPTION Syntax description description Parameters description Specifies a description of 1 to 240 alphanumeric characters for a port. Spaces and special characters are allowed. Mode Port Interface mode Description Use this command to add descriptions to the ports on the switch. The ports will be easier to identify if they have descriptions. Use the NO form of this command to remove descriptions from ports without assigning new descriptions.
AT-9000 Switch Command Line User’s Guide This example removes the current description from port 11 without assigning a new one:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
Chapter 10: Port Parameter Commands DUPLEX Syntax duplex auto|half|full Parameters auto Activates Auto-Negotiation for the duplex mode, so that the duplex mode is set automatically. half Specifies half-duplex mode. full Specifies full-duplex mode. Mode Port Interface mode Description Use this command to set the duplex modes of the twisted pair ports.
AT-9000 Switch Command Line User’s Guide Examples This example sets the duplex mode on port 11 to half-duplex:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.11
awplus(config-if)# duplex half
This example configures the duplex mode with Auto-Negotiation on port 15:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
Chapter 10: Port Parameter Commands EGRESS-RATE-LIMIT Syntax egress-rate-limit value Parameters value Specifies the maximum amount of traffic that can be transmitted from the port. The value is kilobits per second. The range is 64 to 1,000,000 kilobits per second. Mode Port Interface mode Description Use this command to set a limit on the amount of traffic that can be transmitted per second from the port.
AT-9000 Switch Command Line User’s Guide FCTRLLIMIT Syntax fctrllimit fctrllimit Parameters fctrllimit Specifies the number of cells for flow control. A cell represents 128 bytes. The range is 1 to 7935 cells. The default value is 7935 cells. Mode Port Interface mode Description Use this command to specify threshold levels for flow control on the ports.
Chapter 10: Port Parameter Commands FLOWCONTROL Syntax flowcontrol send|receive|both on|off Parameters send Controls whether a port sends pause packets during periods of packet congestion, to initiate flow control. receive Controls whether a port, when it receives pause packets from its network counterpart, stops sending packets. both Applies the setting to both the send and receive portions of flow control. on Activates flow control. off Deactivates flow control.
AT-9000 Switch Command Line User’s Guide partner. If it is off, a port does not respond to pause packets and continues to transmit packets. At the default setting, the receive portion of flow control is off. The SEND parameter determines whether a port sends pause packets when it experiences traffic congestion. If send is on, a port sends pause packets to signal its link partner of the condition and to stop the transmission of more packets.
Chapter 10: Port Parameter Commands This example configures ports 1 and 2 to 10 Mbps, full-duplex mode. The send portion of flow control is disabled so that the ports do not send pause packets during periods of traffic congestion. But the receive portion is enabled so that the ports respond to pause packets from their network counterparts by temporarily ceasing transmission:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.1,port1.0.
AT-9000 Switch Command Line User’s Guide HOLBPLIMIT Syntax holbplimit holbplimit Parameter holbplimit Specifies the threshold at which a port signals a head of line blocking event. The threshold is specified in cells. A cell is 128 bytes. The range is 1 to 8,191 cells; the default is 7,168 cells. Mode Port Interface mode Description Use this command to specify a threshold for head of line blocking events on the ports.
Chapter 10: Port Parameter Commands Figure 48. Head of Line Blocking The HOL Limit parameter can help prevent this problem from occurring. It sets a threshold on the utilization of a port’s egress queue. When the threshold for a port is exceeded, the switch signals other ports to discard packets to the oversubscribed port.
AT-9000 Switch Command Line User’s Guide NO EGRESS-RATE-LIMIT Syntax no egress-rate-limit Parameters None Mode Port Interface mode Description Use this command to disable egress rate limiting on the ports. Confirmation Command “SHOW RUNNING-CONFIG” on page 130 Example This example disables egress rate limiting on ports 4 and 5:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.4,port1.0.
Chapter 10: Port Parameter Commands NO FLOWCONTROL Syntax no flowcontrol Parameter None Mode Port Interface mode Description Use this command to disable flow control on ports. Confirmation Command “SHOW FLOWCONTROL INTERFACE” on page 191 Example This example disables flow control on port 16:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
AT-9000 Switch Command Line User’s Guide NO SHUTDOWN Syntax no shutdown Parameters None Mode Port Interface mode Description Use this command to enable ports so that they forward packets again. This is the default setting for a port. Confirmation Command “SHOW RUNNING-CONFIG” on page 130 Example This example enables port 22:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
Chapter 10: Port Parameter Commands NO SNMP TRAP LINK-STATUS Syntax no snmp trap link-status Parameter None Mode Port Interface mode Description Use this command to deactivate SNMP link traps on the ports of the switch. The switch does not send traps when a port on which link traps are disabled experiences a change in its link state (i.e., goes up or down). Note that your trap receiver then gets no notice of link flaps or of devices being connected to or unplugged from that port, so disable link traps only on ports whose link changes you do not need to monitor.
AT-9000 Switch Command Line User’s Guide NO STORM-CONTROL Syntax no storm-control broadcast|multicast|dlf Parameters broadcast Specifies broadcast packets. multicast Specifies multicast packets. dlf Specifies unknown unicast packets. Mode Port Interface mode Description Use this command to remove packet threshold levels that were set on the ports with “STORM-CONTROL” on page 213.
Chapter 10: Port Parameter Commands POLARITY Syntax polarity auto|mdi|mdix Parameters auto Activates auto-MDI/MDIX. mdi Sets a port’s wiring configuration to MDI. mdix Sets a port’s wiring configuration to MDI-X. Mode Port Interface mode Description Use this command to set the wiring configuration of twisted pair ports that are operating at 10 or 100 Mbps, in half- or full-duplex mode.
AT-9000 Switch Command Line User’s Guide This example sets ports 4 and 18 to the MDI-X wiring configuration:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.4,port1.0.18
awplus(config-if)# polarity mdix
This example activates auto-MDI/MDIX on ports 1 to 3:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.1-port1.0.
Chapter 10: Port Parameter Commands PURGE Syntax purge Parameters None Mode Port Interface mode Description Use this command to restore the default settings to these port parameters:
Enabled status (NO SHUTDOWN)
Description
Speed
Duplex mode
MDI/MDI-X
Flow control
Backpressure
Head of line blocking threshold
Backpressure cells
Example This example restores the default settings to ports 5, 6 and 12:
awplus> enable
awplus# configure terminal
awplus(config)# interface po
AT-9000 Switch Command Line User’s Guide RENEGOTIATE Syntax renegotiate Parameters None Mode Port Interface mode Description Use this command to prompt a port that is set to Auto-Negotiation to renegotiate its speed and duplex mode with its network device. You might use this command if you believe that a port and a network device did not establish the highest possible common settings during the Auto-Negotiation process.
Chapter 10: Port Parameter Commands RESET Syntax reset Parameters None Mode Port Interface mode Description Use this command to perform a hardware reset on the ports. The ports retain their parameter settings. The reset takes only a second or two to complete. You might reset a port if it is experiencing a problem. Example This example resets port 14:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
AT-9000 Switch Command Line User’s Guide SHOW FLOWCONTROL INTERFACE Syntax show flowcontrol interface port Parameter port Specifies the port whose flow control setting you want to view. You can specify just one port at a time. Modes Privileged Exec mode Description Use this command to display the current settings for flow control on the ports. An example of the information is shown in Figure 49.
Port    Send admin  Receive admin  RxPause  TxPause
----------------------------------------------------
1.0.13  yes         yes            6520     7823
Figure 49.
Chapter 10: Port Parameter Commands Table 12. SHOW FLOWCONTROL INTERFACE Command (Continued) Parameter Description RxPause The number of received pause packets. TxPause The number of transmitted pause packets. Example This command displays the flow control settings for port 2: awplus# show flowcontrol interface port1.0.
AT-9000 Switch Command Line User’s Guide SHOW INTERFACE Syntax show interface [port] Parameter port Specifies the port whose current status you want to view. You can display more than one port at a time. To display all the ports, do not include this parameter. Modes Privileged Exec mode Description Use this command to display the current operating status of the ports. An example of the information is shown in Figure 50 on page 194.
Chapter 10: Port Parameter Commands
Interface port1.0.1
  Link is UP, administrative state is UP
  Address is 0015.77cc.e243
  Description:
  index 1 mtu 9198
  Unknown Ingress Multicast Blocking: Disabled
  Unknown Egress Multicast Blocking: Disabled
  SNMP link-status traps: Enabled (Suppressed in 0 sec.)
  Bandwidth 1g
    input packets 0, bytes 0, dropped 0, multicast packets 0
    output packets 0, bytes 0, multicast packets 0
    broadcast packets 0
Interface port1.0.2
  Link is UP, administrative state is UP
  Address is 0015.
AT-9000 Switch Command Line User’s Guide Table 13. SHOW INTERFACE Command (Continued) Parameter Description Link is The status of the link on the port. This field is UP when the port has a link with a network device, and DOWN when the port does not have a link. Administrative state The administrative state of the port. The administrative state will be DOWN if the port was disabled with the SHUTDOWN command. Otherwise, the administrative state of the port will be UP.
Chapter 10: Port Parameter Commands Examples This command displays the current operational state of all the ports: awplus# show interface This command displays the current operational state of ports 1 to 4: awplus# show interface port1.0.1-port1.0.
AT-9000 Switch Command Line User’s Guide SHOW INTERFACE BRIEF Syntax show interface brief Parameter None Modes Privileged Exec mode Description Use this command to display the administrative and link statuses of all of the ports on the switch. An example of the information is shown in Figure 51.
Interface   Status    Protocol
port1.0.1   admin up  down
port1.0.2   admin up  down
port1.0.3   admin up  down
port1.0.4   admin up  down
port1.0.5   admin up  down
port1.0.6   admin up  down
Figure 51.
Chapter 10: Port Parameter Commands Table 14. SHOW INTERFACE BRIEF Command (Continued) Field Protocol Description Indicates the status of the link on the port. This field is UP when the port has a link with a network device, and DOWN when the port does not have a link.
AT-9000 Switch Command Line User’s Guide SHOW INTERFACE STATUS Syntax show interface [port] status Parameter port Specifies the port whose parameter settings you want to view. You can display more than one port at a time. To display all the ports, do not include a port number. Modes Privileged Exec mode Description Use this command to display the speed, duplex mode, and VLAN settings of the ports. An example of the information is shown in Figure 52.
Port       Name     Status  Vlan
port1.0.1  Port_01  down    3
port1.0.
Chapter 10: Port Parameter Commands Table 15. SHOW INTERFACE STATUS Command (Continued) Parameter Description Duplex The duplex mode setting of the port. The setting can be half, full or auto for Auto-Negotiation. To set the duplex mode, refer to “DUPLEX” on page 172. Speed The speed of the port. The settings are 10, 100, or 1000 Mbps, or auto for Auto-Negotiation. Type The Ethernet standard of the port.
AT-9000 Switch Command Line User’s Guide SHOW PLATFORM TABLE PORT COUNTERS Syntax show platform table port [port] counters Parameter port Specifies the port whose statistics you want to view. You can specify more than one port at a time in the command. To view all the ports, omit this parameter. Modes Privileged Exec mode Description Use this command to display the packet statistics for the individual ports on the switch. The statistics are described in Table 16.
Chapter 10: Port Parameter Commands Table 16. SHOW PLATFORM TABLE PORT COUNTERS Command Parameter Description MulticastPkts Number of received and transmitted multicast packets. BroadcastPkts Number of received and transmitted broadcast packets PauseMACCtrlFrms Number of received and transmitted flow control pause packets. OversizePkts Number of received packets that exceeded the maximum size as specified by IEEE 802.3 (1518 bytes including the CRC).
AT-9000 Switch Command Line User’s Guide Table 16. SHOW PLATFORM TABLE PORT COUNTERS Command Parameter Description ifOutErrors Number of packets that were discarded prior to transmission because of an error. ipInHdrErrors Number of ingress packets that were discarded because of a hardware error. Miscellaneous Counters MAC TxErr Number of frames not transmitted correctly or dropped due to an internal MAC transmit error. MAC RxErr Number of Receive Error events seen by the receive side of the MAC.
Chapter 10: Port Parameter Commands SHOW RUNNING-CONFIG INTERFACE Syntax show running-config interface port Parameters port Specifies a port, multiple ports, or a range of ports. For a detailed explanation on how to specify ports, see “Port Numbers in Commands” on page 30. Modes Privileged Exec mode Description Use this command to display the configuration settings of the ports.
AT-9000 Switch Command Line User’s Guide SHOW STORM-CONTROL Syntax show storm-control [port] Parameters port Specifies the port whose storm-control threshold limit settings you want to view. You can specify more than one port at a time. To display all the ports, do not include this parameter. Mode Privileged Exec mode Description Use this command to display information about the threshold limit settings on the ports.
Chapter 10: Port Parameter Commands Table 17. SHOW STORM-CONTROL Command (Continued) Column DlfLevel Description Indicates the maximum number of unknown unicast packets, destination lookup failure (DLF) packets per second for the port. DLF packets beyond this number are discarded. Examples This command displays the settings of all the ports: awplus# show storm-control This command displays the settings of ports 15 and 18: awplus# show storm-control port1.0.15,port1.0.
AT-9000 Switch Command Line User’s Guide SHOW SYSTEM PLUGGABLE Syntax show system pluggable Parameters None Mode Privileged Exec mode Description Use this command to display information about the SFP modules in the switch.
System Pluggable Information
Port    Vendor  Device   Serial Number     Datecode  Type
--------------------------------------------------------------
1.0.49  ATI     AT-SPSX  A03240R084200741  20081018  1000BASE-SX
1.0.
Chapter 10: Port Parameter Commands SHOW SYSTEM PLUGGABLE DETAIL Syntax show system pluggable detail Parameters None Mode Privileged Exec mode Description Use this command to display information about the SFP modules in the switch. See Figure 56. The SHOW SYSTEM PLUGGABLE DETAIL command provides more detailed information than the SHOW SYSTEM PLUGGABLE command. See “SHOW SYSTEM PLUGGABLE” on page 207. Port1.0.
AT-9000 Switch Command Line User’s Guide SHUTDOWN Syntax shutdown Parameter None Mode Port Interface mode Description Use this command to disable ports. Ports that are disabled do not forward traffic. You might disable ports that are unused to secure them from unauthorized use or that are having problems with network cables or their link partners. The default setting for the ports is enabled. To reactivate a port, refer to “NO SHUTDOWN” on page 183.
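The guidance above (“Enabling or Disabling Ports” and the SHUTDOWN command) is easy to apply once, but unused ports reappear as devices move. As an added example for this page (illustrative code, not Allied Telesis code), the following Python script takes saved SHOW INTERFACE BRIEF output, lists the ports that are administratively up but have no link, and writes the Port Interface commands that disable them in the CLI's own comma and range syntax. The sample output and the exempt-port set are constructed; the parser assumes the Interface / Status / Protocol columns of Figure 51 separated by whitespace, which is an assumption about the exact layout.

```python
"""Added example for this page (not Allied Telesis code): find ports that are
enabled but have no link in saved SHOW INTERFACE BRIEF output and build the
SHUTDOWN commands that disable them. The sample output below is constructed
to follow the Interface / Status / Protocol columns of Figure 51; the exact
spacing on a real switch is an assumption, so the parser splits on whitespace.
"""
import re

# Constructed sample output: only ports 1 and 2 have a link partner; port 24
# is the uplink, which happens to be down at audit time.
SAMPLE_BRIEF = """\
Interface      Status      Protocol
port1.0.1      admin up    up
port1.0.2      admin up    up
port1.0.3      admin up    down
port1.0.4      admin up    down
port1.0.5      admin up    down
port1.0.6      admin down  down
port1.0.7      admin up    down
port1.0.24     admin up    down
"""

# One data row: port name, administrative state, link (protocol) state.
ROW_RE = re.compile(r"^(port\d+\.\d+\.\d+)\s+admin\s+(up|down)\s+(up|down)$")


def parse_interface_brief(text):
    """Return {port: (admin_state, link_state)} from the command output."""
    ports = {}
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            ports[match.group(1)] = (match.group(2), match.group(3))
    return ports


def unused_ports(ports, exempt=()):
    """Ports that are admin up but have no link: candidates for SHUTDOWN.
    ``exempt`` holds ports that must stay enabled (uplinks, spare trunk members)."""
    return [port for port, (admin, link) in ports.items()
            if admin == "up" and link == "down" and port not in exempt]


def _split(port):
    """'port1.0.12' -> ('port1.0', 12)."""
    prefix, number = port.rsplit(".", 1)
    return prefix, int(number)


def compress_ports(port_list):
    """Render a port list in the CLI's own syntax: consecutive ports collapse to
    'port1.0.3-port1.0.5' and the rest are comma-separated, as in the guide's examples."""
    groups = []
    for port in sorted(port_list, key=_split):
        if groups:
            last_prefix, last_number = _split(groups[-1][-1])
            prefix, number = _split(port)
            if prefix == last_prefix and number == last_number + 1:
                groups[-1].append(port)
                continue
        groups.append([port])
    return ",".join(g[0] if len(g) == 1 else f"{g[0]}-{g[-1]}" for g in groups)


def shutdown_config(port_list):
    """The commands, in the order the guide shows them, that disable the ports."""
    if not port_list:
        return []
    return ["enable", "configure terminal",
            f"interface {compress_ports(port_list)}", "shutdown"]


if __name__ == "__main__":
    state = parse_interface_brief(SAMPLE_BRIEF)
    candidates = unused_ports(state, exempt={"port1.0.24"})
    print("\n".join(shutdown_config(candidates)))
```

Review the candidate list before pasting it into the switch: a port with no link at audit time may belong to a device that is merely powered off, so keep uplinks and known intermittent ports in the exempt set, and confirm the result afterwards with SHOW INTERFACE BRIEF, where the disabled ports show an administrative state of down.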
Chapter 10: Port Parameter Commands SNMP TRAP LINK-STATUS Syntax snmp trap link-status Parameter None Mode Port Interface mode Description Use this command to activate SNMP link traps on the ports. The switch sends an SNMP trap to an SNMP trap receiver on your network whenever a port experiences a change in its link state. To disable link traps on a port, refer to “NO SNMP TRAP LINK-STATUS” on page 184.
AT-9000 Switch Command Line User’s Guide SPEED Syntax speed auto|10|100|1000 Parameters auto Activates Auto-Negotiation so that the speed is configured automatically. 10 Specifies 10 Mbps. 100 Specifies 100 Mbps. 1000 Specifies 1000 Mbps. This setting should not be used on twisted pair ports. For 1000Mbps, full duplex operation, a twisted pair port must be set to Auto-Negotiation.
Chapter 10: Port Parameter Commands This example activates Auto-Negotiation on port 15:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
AT-9000 Switch Command Line User’s Guide STORM-CONTROL Syntax storm-control broadcast|multicast|dlf level value Parameters broadcast Specifies broadcast packets. multicast Specifies multicast packets. dlf Specifies unknown unicast packets. level Specifies the maximum number of ingress packets per second of the designated type the port will forward. The range is 0 to 33,554,431 packets. Mode Port Interface mode Description Use this command to set maximum thresholds for the ingress packets on the ports.
Chapter 10: Port Parameter Commands Examples This example sets the maximum threshold level of 5,000 packets per second for ingress broadcast packets on port 12:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.12
awplus(config-if)# storm-control broadcast level 5000
This example sets the maximum threshold level of 100,000 packets per second for ingress multicast packets on port 4:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
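The STORM-CONTROL level (and the thresholds described in “Configuring Threshold Limits for Ingress Packets”) is a packet count per second, while a traffic budget is usually expressed as a share of link bandwidth. As an added example (not from the guide or from Allied Telesis), the following Python snippet converts such a share into the packets-per-second level using the worst case of minimum-sized 64-byte frames, clamps it to the command's documented range of 0 to 33,554,431, and emits the Port Interface commands. The policy fractions and the interface specifier are constructed inputs; the framing constants are the IEEE 802.3 preamble, start-of-frame delimiter and inter-frame gap.

```python
"""Added example (not Allied Telesis code): turn a storm-control budget given
as a fraction of link bandwidth into the packets-per-second level that the
STORM-CONTROL command takes, and emit the Port Interface commands."""

# Ethernet puts a 7-byte preamble, a 1-byte start-of-frame delimiter and a
# 12-byte inter-frame gap on the wire for every frame, none of which count
# toward the frame length. The worst case for a packets-per-second limit is
# the minimum 64-byte frame, because a given bit rate then carries the most
# packets; sizing the level for it means the limit also holds for larger frames.
PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
MIN_FRAME_BYTES = 64
# Upper bound of the STORM-CONTROL level parameter, as documented on this page.
LEVEL_MAX = 33_554_431


def line_rate_pps(link_mbps, frame_bytes=MIN_FRAME_BYTES):
    """Maximum frames per second a link of ``link_mbps`` carries at ``frame_bytes``."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("Ethernet frames are at least 64 bytes")
    bits_per_frame = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_mbps * 1_000_000 // bits_per_frame


def storm_level(link_mbps, fraction, frame_bytes=MIN_FRAME_BYTES):
    """Level that admits at most ``fraction`` of the link's worst-case packet
    rate, clamped to the range the command accepts."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be between 0 and 1")
    level = int(line_rate_pps(link_mbps, frame_bytes) * fraction)
    return min(level, LEVEL_MAX)


def storm_control_config(interface_spec, link_mbps, budgets):
    """Commands for the Port Interface mode. ``interface_spec`` uses the CLI's
    own port syntax (e.g. 'port1.0.1-port1.0.24'); ``budgets`` maps the traffic
    types the command accepts (broadcast, multicast, dlf) to a fraction."""
    allowed = ("broadcast", "multicast", "dlf")
    lines = ["enable", "configure terminal", f"interface {interface_spec}"]
    for kind, fraction in budgets.items():
        if kind not in allowed:
            raise ValueError(f"unknown traffic type {kind!r}")
        lines.append(f"storm-control {kind} level {storm_level(link_mbps, fraction)}")
    return lines


if __name__ == "__main__":
    # Constructed policy: on 1 Gbps access ports, allow 1% of line rate for
    # broadcast and 5% each for multicast and unknown unicast (DLF).
    policy = {"broadcast": 0.01, "multicast": 0.05, "dlf": 0.05}
    print("\n".join(storm_control_config("port1.0.1-port1.0.24", 1000, policy)))
```

Sizing for 64-byte frames is deliberately conservative: a 1 Gbps link carries at most 1,488,095 such frames per second, so a 1% broadcast budget becomes a level of 14880, and the same fraction on a 100 Mbps port is ten times lower. Check the result with SHOW STORM-CONTROL after applying it.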
Chapter 11 Power Over Ethernet
“Overview” on page 216
“Enabling and Disabling PoE” on page 218
“Adding PD Descriptions to Ports” on page 220
“Prioritizing Ports” on page 221
“Managing the Maximum Power Limit on Ports” on page 222
“Managing Legacy PDs” on page 223
“Monitoring Power Consumption” on page 224
“Displaying PoE Information” on page 225
Chapter 11: Power Over Ethernet Overview The AT-9000/12PoE and AT-9000/28PoE switches feature Power over Ethernet (PoE) on the 10/100Base-Tx ports. PoE is used to supply power to network devices over the same twisted pair cables that carry the network traffic. The main advantage of PoE is that it can make it easier to install a network. The selection of a location for a network device is often limited by whether there is a power source nearby.
AT-9000 Switch Command Line User’s Guide The AT-9000/12PoE switch has a power budget of 125 watts. The AT-9000/28PoE switch has a power budget of 370 watts. These are the maximum amounts of power the switches can provide at one time to the powered devices. The AT-9000/28PoE switch has two power supplies. Each power supply is responsible for providing 185 watts, or half, of the power budget. Both power supplies must be connected to AC power sources for the switch to provide the full 370 watts.
Chapter 11: Power Over Ethernet Enabling and Disabling PoE Enabling PoE on ports allows the switch to supply power to PDs connected to the ports. In order for PDs to receive power, PoE must be enabled on the ports. By default, PoE is enabled on all the ports on the PoE switch. The switch detects whether or not a network device connected to the port is a valid PD. If the device is not a valid PD, the port functions as a regular Ethernet port even when PoE is enabled on the port.
This example disables PoE individually on port 5 to port 8:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.5-port1.0.
Adding PD Descriptions to Ports
PDs connected to the ports are easier to identify if you give them descriptions. To add descriptions to PDs, use the POWER-INLINE DESCRIPTION command in the Port Interface mode. Here is the format:
power-inline description description
The description parameter can consist of up to 256 alphanumeric characters. Spaces and special characters are allowed. You can assign a description to more than one port at a time.
Prioritizing Ports
When the total power requirements of the PDs exceed the total available power of the switch, the switch denies power to one or more ports based on port prioritization. To guarantee power to the most critical PDs before any other PDs, the switch allows you to prioritize the ports for power supply. You can assign one of three priority levels to a port: Critical, High, and Low. See “Port Prioritization” on page 217 for details.
Managing the Maximum Power Limit on Ports
To manage the switch’s power and optimize its power distribution, the switch allows you to adjust the power limit that the switch provides to each port. The switch automatically sets a default power limit on the port where a PD is connected and allows you to change the default setting. The switch detects the power class of a PD when the PD is connected to the port.
Managing Legacy PDs
The PoE switch automatically detects whether or not a device plugged into a PoE-enabled port is a valid PD. The switch supports PDs compliant with the IEEE 802.3af and IEEE 802.3at PoE standards. In addition, the switch supports legacy PDs that were designed before the IEEE standards were finalized. If the switch detects the connected device as an invalid PD, the port functions as a regular Ethernet port.
Monitoring Power Consumption
You can monitor the power consumption of the switch and PDs by configuring the unit to transmit an SNMP power-inline trap if their combined power requirements exceed a defined threshold. The threshold is specified as a percentage of the switch’s nominal power, which is the total available power of the switch. You can view the nominal power with “SHOW POWER-INLINE” on page 246. The threshold has a range of 1 to 99%; the default is 80%.
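The three mechanisms above (port priority, per-port maximum power limit and the usage threshold) interact when PDs ask for more than the budget. The following model, added here as an example and not code from the Allied Telesis guide or the switch, works through that interaction for a constructed set of ports on an AT-9000/12PoE. The budget figures, priority levels, 4000 to 30000 mW limit range and 80% default threshold come from this chapter; the port names, PD descriptions and wattages are invented, and the tie-break rule for ports of equal priority is an assumption.

```python
"""PoE power budget model for the behaviour described in this chapter.

Added example, not code from the Allied Telesis guide or switch. Budget values,
priority levels, the 4000-30000 mW limit range and the 80% default threshold
are as stated in the guide; SAMPLE_PORTS is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class PoePort:
    name: str        # e.g. "port1.0.5"
    priority: str    # "critical" | "high" | "low" (guide default: low)
    max_mw: int      # POWER-INLINE MAX value the port may deliver, 4000..30000 mW
    description: str = ""  # POWER-INLINE DESCRIPTION, used for reporting only


def budget_watts(model: str, psus_powered: int = 2) -> float:
    """Power budget for a switch model; values as stated in the guide."""
    if model == "AT-9000/12PoE":
        return 125.0
    if model == "AT-9000/28PoE":
        # Each PSU supplies 185 W; both must be on AC for the full 370 W.
        return 185.0 * min(max(psus_powered, 0), 2)
    raise ValueError(f"no PoE budget known for {model}")


def port_index(name: str) -> int:
    """port1.0.12 -> 12, so ports sort numerically rather than as strings."""
    return int(name.rsplit(".", 1)[1])


def allocate(ports: list[PoePort], budget_w: float) -> dict[str, str]:
    """Serve ports by priority; a port whose limit no longer fits is Denied.

    Assumption: ports of equal priority are served in ascending port order and
    smaller loads are still tried after a larger one is denied. The guide only
    states that lower-priority ports are denied first.
    """
    remaining_mw = budget_w * 1000.0
    status: dict[str, str] = {}
    for p in sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], port_index(p.name))):
        if not 4000 <= p.max_mw <= 30000:
            raise ValueError(f"{p.name}: {p.max_mw} mW is outside 4000-30000 mW")
        if p.max_mw <= remaining_mw:
            remaining_mw -= p.max_mw
            status[p.name] = "Powered"
        else:
            status[p.name] = "Denied"
    return status


def allocated_watts(ports: list[PoePort], status: dict[str, str]) -> float:
    """Total power reserved for the ports that were granted power."""
    return sum(p.max_mw for p in ports if status[p.name] == "Powered") / 1000.0


def trap_fires(allocated_w: float, nominal_w: float, threshold_pct: int = 80) -> bool:
    """True when the POWER-INLINE USAGE-THRESHOLD (1..99 %) would be exceeded."""
    if not 1 <= threshold_pct <= 99:
        raise ValueError("threshold must be 1-99 %")
    return allocated_w > nominal_w * threshold_pct / 100.0


# Constructed sample: an AT-9000/12PoE (125 W) with more demand than budget.
SAMPLE_PORTS = [
    PoePort("port1.0.1", "critical", 30000, "lobby 802.11ac AP"),
    PoePort("port1.0.2", "low", 15400, "desk phone"),
    PoePort("port1.0.3", "high", 30000, "PTZ camera, entrance"),
    PoePort("port1.0.4", "low", 30000, "PTZ camera, parking"),
    PoePort("port1.0.5", "critical", 15400, "badge reader"),
    PoePort("port1.0.6", "low", 30000, "conference room AP"),
    PoePort("port1.0.7", "low", 4000, "door sensor"),
]

if __name__ == "__main__":
    budget = budget_watts("AT-9000/12PoE")
    result = allocate(SAMPLE_PORTS, budget)
    for p in sorted(SAMPLE_PORTS, key=lambda p: port_index(p.name)):
        print(f"{p.name:10} {p.priority:8} {p.max_mw:6} mW  {result[p.name]:8} {p.description}")
    used = allocated_watts(SAMPLE_PORTS, result)
    print(f"allocated {used} W of {budget} W; trap at 80%: {trap_fires(used, budget)}")
```

Running the model shows the conference room AP on port1.0.6 being denied even though it asked for power before the door sensor on port1.0.7, because Low-priority ports are served last and the 30000 mW limit no longer fits, while the 4000 mW sensor still does. It also shows that the 80% trap fires well before any port is denied, which is the point of setting the threshold: the trap is the early warning, the Denied state is the failure.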
Displaying PoE Information
The switch allows you to display PoE information using three commands. Each command displays a different set of PoE information as described in Table 21.
Table 21. PoE Show Commands
SHOW POWER-INLINE: Displays PoE information about the switch and all the ports on the switch.
SHOW POWER-INLINE COUNTERS: Displays the PoE event counters for the ports.
This example displays the PoE information of port 1 through port 4:
awplus# show power-inline interface port1.0.1-port1.0.4
Figure 58 shows an example of the information the command displays. The columns are described in Table 23 on page 247. Interface port1.0.1 port1.0.2 port1.0.3 port1.0.
Chapter 12 Power Over Ethernet Commands
The Power over Ethernet (PoE) commands are summarized in Table 22. These commands are only supported on the PoE switches.
Table 22. Power over Ethernet Commands
“CLEAR POWER-INLINE COUNTERS INTERFACE” on page 229 (Privileged Exec): Clears the PoE event counters on the ports.
“NO POWER-INLINE ALLOW-LEGACY” on page 230 (Port Interface): Configures ports to deny power to legacy powered devices (PDs).
Chapter 12: Power Over Ethernet Commands
Table 22. Power over Ethernet Commands (Continued)
“POWER-INLINE PRIORITY” on page 242 (Port Interface): Assigns a PoE priority level to a port.
“POWER-INLINE USAGE-THRESHOLD” on page 244 (Global Configuration): Sets the power threshold for the SNMP power-inline trap.
“SERVICE POWER-INLINE” on page 245 (Global Configuration): Activates PoE on all of the ports on the switch.
CLEAR POWER-INLINE COUNTERS INTERFACE
Syntax: clear power-inline counters interface [port]
Parameter: port specifies a port. You can specify more than one port and clear event counters for multiple ports.
Mode: Privileged Exec mode
Description: Use this command to clear the PoE port event counters. To clear all of the port counters, do not enter a port number.
NO POWER-INLINE ALLOW-LEGACY
Syntax: no power-inline allow-legacy
Parameters: None
Mode: Port Interface mode
Description: Use this command to configure the ports to deny power to legacy PDs. Legacy PDs are PoE devices that were designed before the IEEE 802.3af and IEEE 802.3at PoE standards were finalized. This is the default setting for the ports.
NO POWER-INLINE DESCRIPTION
Syntax: no power-inline description
Parameters: None
Mode: Port Interface mode
Description: Use this command to delete PD descriptions from the ports.
Confirmation Commands: “SHOW POWER-INLINE” on page 246, “SHOW POWER-INLINE INTERFACE” on page 251, “SHOW POWER-INLINE INTERFACE DETAIL” on page 252
Example: The following example deletes the PD description from port 5:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.
NO POWER-INLINE ENABLE
Syntax: no power-inline enable
Parameters: None
Mode: Port Interface mode
Description: Use this command to disable PoE on the ports. Ports do not transmit power when PoE is disabled, but they do forward network traffic.
NO POWER-INLINE MAX
Syntax: no power-inline max
Parameters: None
Mode: Port Interface mode
Description: Use this command to restore the default maximum power limits on the ports. The default power limits are based on the power classes of the PDs. See “Managing the Maximum Power Limit on Ports” on page 222 for details.
NO POWER-INLINE PRIORITY
Syntax: no power-inline priority
Parameters: None
Mode: Port Interface mode
Description: Use this command to restore the default Low priority setting to the ports.
NO POWER-INLINE USAGE-THRESHOLD
Syntax: no power-inline usage-threshold
Parameters: None
Mode: Global Configuration mode
Description: Use this command to reset the power usage threshold to the default 80%. The switch sends an SNMP power-inline trap if the power requirements of the switch and PDs exceed the defined threshold.
NO SERVICE POWER-INLINE
Syntax: no service power-inline
Parameters: None
Mode: Global Configuration mode
Description: Use this command to disable PoE on the switch. The ports do not transmit power to the PDs when PoE is disabled, but they do forward network traffic. The default setting for PoE is enabled.
NO SNMP-SERVER ENABLE TRAP POWER-INLINE
Syntax: no snmp-server enable trap power-inline
Parameters: None
Mode: Global Configuration mode
Description: Use this command to disable the transmission of SNMP power-inline traps.
POWER-INLINE ALLOW-LEGACY
Syntax: power-inline allow-legacy
Parameters: None
Mode: Port Interface mode
Description: Use this command to configure the ports to support legacy PDs. Legacy PDs are PoE devices that were designed before the IEEE 802.3af and IEEE 802.3at PoE standards were finalized. The default setting is no support for legacy PDs.
POWER-INLINE DESCRIPTION
Syntax: power-inline description description
Parameters: description specifies a PD description of up to 256 alphanumeric characters. Spaces and special characters are allowed.
Mode: Port Interface mode
Description: Use this command to add PD descriptions to the ports to make the ports and PDs easier to identify.
Note: To add a general description to a port, use the DESCRIPTION command. For more information, see “DESCRIPTION” on page 170.
POWER-INLINE ENABLE
Syntax: power-inline enable
Parameters: None
Mode: Port Interface mode
Description: Use this command to enable PoE on the ports. This is the default setting.
Confirmation Commands: “SHOW POWER-INLINE” on page 246, “SHOW POWER-INLINE INTERFACE” on page 251, “SHOW POWER-INLINE INTERFACE DETAIL” on page 252
Example: This example enables PoE on port 12:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
POWER-INLINE MAX
Syntax: power-inline max max_power
Parameters: max_power specifies the maximum power limit of the ports in milliwatts (mW). The range is 4000 to 30000 mW.
Mode: Port Interface mode
Description: Use this command to set the maximum power limits on the ports. The maximum power limit is the maximum amount of power a port may transmit to a PD. Ports can have different limits. The default power limits are based on the classes of the PDs.
POWER-INLINE PRIORITY
Syntax: power-inline priority critical|high|low
Parameters:
critical sets ports to the Critical priority level for PoE ports. Ports set to the Critical level are guaranteed power before any of the ports assigned to the other priority levels.
high sets ports to the High priority level. Ports set to the High level receive power only when all of the ports assigned to the Critical level are already receiving power.
Example: This example assigns the Critical priority level to port 5:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
POWER-INLINE USAGE-THRESHOLD
Syntax: power-inline usage-threshold threshold
Parameters: threshold specifies the power usage threshold as a percentage of the switch’s total available system and PoE power. The range is 1 to 99%.
Mode: Global Configuration mode
Description: Use this command to set a threshold of the switch’s total available system and PoE power. An SNMP trap is transmitted if the requirements of the switch and the PDs exceed the threshold.
SERVICE POWER-INLINE
Syntax: service power-inline
Parameters: None
Mode: Global Configuration mode
Description: Use this command to enable PoE on the switch. This is the default setting.
SHOW POWER-INLINE
Syntax: show power-inline
Parameter: None
Mode: Privileged Exec mode
Description: Use this command to display operational information about PoE. An example is shown in Figure 60. The fields are described in Table 23 on page 247.
PoE Status:
Nominal Power: 490W
Power Allocated: 346.0W
Actual Power Consumption: 151.0W
Operational Status: On
Power Usage Threshold: 80% (392W)
PoE Interface:
Interface Admin Pri Oper Power(mW) Device Class Max(mW)
port1.0.
Table 23. SHOW POWER-INLINE Command
Nominal Power: The switch’s total available power in watts (W).
Power Allocated: The available power in watts (W) for PDs. This value is updated every 5 seconds.
Actual Power Consumption: The current power consumption in watts (W) of the PDs. This value is updated every 5 seconds.
Operational Status: The operational status of the power supply units (PSU) in the switch.
Table 23. SHOW POWER-INLINE Command (Continued)
Oper: The PoE operating status of the port. The possible statuses are:
Powered: The port is transmitting power to the PD.
Denied: The port is not transmitting power to the PD because the switch has reached its maximum power capacity.
Off: PoE is disabled on the port.
Fault: The switch is exceeding the total available power.
Test: The port is in a test mode.
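The Oper states above are what an operator polls for. The following script, added here as an example and not code from the guide or the switch, parses captured SHOW POWER-INLINE output and reports ports in the Denied or Fault state and an allocation above the usage threshold. SAMPLE_OUTPUT is constructed to follow the column layout of Figure 60 (Interface, Admin, Pri, Oper, Power(mW), Device, Class, Max(mW)); the port rows and the exact spacing are assumptions, so check them against a capture from your own switch before relying on the regular expressions.

```python
"""Triage SHOW POWER-INLINE output: flag Denied and Fault ports and check the
allocation against the usage threshold.

Added example, not code from the guide or the switch. SAMPLE_OUTPUT is
constructed; only its column order follows the guide's figure.
"""
from __future__ import annotations

import re

SAMPLE_OUTPUT = """\
PoE Status:
  Nominal Power:             490W
  Power Allocated:           346.0W
  Actual Power Consumption:  151.0W
  Operational Status:        On
  Power Usage Threshold:     80% (392W)

PoE Interface:
  Interface   Admin     Pri   Oper      Power(mW)  Device           Class  Max(mW)
  port1.0.1   Enabled   Low   Powered   6500       lobby phone      2      7000
  port1.0.2   Enabled   Crit  Denied    0          entrance camera  4      30000
  port1.0.3   Disabled  Low   Off       0          n/a              n/a    n/a
  port1.0.4   Enabled   High  Fault     0          rooftop AP       4      30000
"""

SUMMARY_RE = {
    "nominal_w": re.compile(r"Nominal Power:\s*([\d.]+)W"),
    "allocated_w": re.compile(r"Power Allocated:\s*([\d.]+)W"),
    "consumed_w": re.compile(r"Actual Power Consumption:\s*([\d.]+)W"),
    "threshold_pct": re.compile(r"Power Usage Threshold:\s*(\d+)%"),
}
# Only the leading fixed columns are parsed; the Device description may
# contain spaces, so the row is not simply split on whitespace.
PORT_RE = re.compile(r"^\s*(port\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)", re.M)


def parse_show_power_inline(text: str) -> dict:
    """Return the summary figures plus one dict per port row."""
    summary: dict = {}
    for key, rx in SUMMARY_RE.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"could not find {key} in output")
        summary[key] = int(m.group(1)) if key == "threshold_pct" else float(m.group(1))
    summary["ports"] = [
        {"name": m.group(1), "admin": m.group(2), "pri": m.group(3),
         "oper": m.group(4), "power_mw": int(m.group(5))}
        for m in PORT_RE.finditer(text)
    ]
    return summary


def findings(parsed: dict) -> list[str]:
    """Conditions worth acting on, following the Oper states in Table 23."""
    out: list[str] = []
    limit_w = parsed["nominal_w"] * parsed["threshold_pct"] / 100.0
    if parsed["allocated_w"] > limit_w:
        out.append(f"allocated {parsed['allocated_w']}W exceeds threshold {limit_w}W; trap expected")
    for p in parsed["ports"]:
        if p["oper"] == "Denied":
            out.append(f"{p['name']} (priority {p['pri']}) denied: switch at maximum power capacity")
        elif p["oper"] == "Fault":
            out.append(f"{p['name']} in Fault: switch exceeding total available power")
        elif p["admin"] == "Enabled" and p["oper"] == "Powered" and p["power_mw"] == 0:
            out.append(f"{p['name']} reports Powered but draws 0 mW")
    return out


if __name__ == "__main__":
    for line in findings(parse_show_power_inline(SAMPLE_OUTPUT)):
        print(line)
```

A Denied port whose priority is Critical, as in the constructed port1.0.2 row, is the case to look at first: by the priority rules it should have been served before any High or Low port, so either the budget is exhausted by other Critical ports or one PSU of an AT-9000/28PoE has lost AC and the budget has halved.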
SHOW POWER-INLINE COUNTERS INTERFACE
Syntax: show power-inline counters interface port
Parameter: port specifies a port. You can specify and display more than one port at a time. Omit this parameter to display all of the ports.
Mode: Privileged Exec mode
Description: Use this command to display the PoE event counters for the ports. An example is shown in Figure 61.
PoE Counters:
Interface MPSAbsent Overload Short Invalid Denied
port1.0.4 0 0 0 0 0
port1.0.
Table 24. SHOW POWER-INLINE COUNTERS INTERFACE Command
Denied: The number of times the port had to deny power to the PD because the switch had reached its maximum power capacity.
Example: This command displays the PoE event counters for ports 4 to 6:
awplus# show power-inline counters interface port1.0.4-port1.0.
SHOW POWER-INLINE INTERFACE
Syntax: show power-inline interface port
Parameter: port specifies a port. You can display more than one port at a time.
Mode: Privileged Exec mode
Description: Use this command to display the PoE information on the ports. An example is shown in Figure 62. Interface port1.0.1 port1.0.2 port1.0.3 port1.0.
SHOW POWER-INLINE INTERFACE DETAIL
Syntax: show power-inline interface port detail
Parameter: port specifies a port. You can display more than one port at a time.
Mode: Privileged Exec mode
Description: Use this command to display additional information about the ports. An example is shown in Figure 63. Interface port1.0.
Table 25. SHOW POWER-INLINE INTERFACE DETAIL Command
Fields: PoE admin, Priority, Detection status
PoE admin: The status of PoE on the port. The status can be one of the following:
Enabled: PoE is enabled. The port can transmit power to a PD. PoE is enabled with “POWER-INLINE ENABLE” on page 240.
Disabled: PoE is disabled. The port does not supply power to a PD, but it does forward network traffic. PoE is disabled with “NO POWER-INLINE ENABLE” on page 232.
Table 25. SHOW POWER-INLINE INTERFACE DETAIL Command (Continued)
Detection of legacy devices: The status of support for a legacy PD on the port:
Enabled: The port supports legacy devices.
Disabled: The port does not support legacy devices.
Support for legacy devices is enabled with “POWER-INLINE ALLOW-LEGACY” on page 238 and disabled with “NO POWER-INLINE ALLOW-LEGACY” on page 230.
Powered pairs: The twisted pairs used to transfer power to the PD.
SNMP-SERVER ENABLE TRAP POWER-INLINE
Syntax: snmp-server enable trap power-inline
Parameters: None
Mode: Global Configuration mode
Description: Use this command to activate the transmission of the SNMP power-inline trap. The trap is sent if the power requirements of the switch and PDs exceed the power limit threshold set with “POWER-INLINE USAGE-THRESHOLD” on page 244.
Chapter 13 IPv4 and IPv6 Management Addresses
This chapter contains the following information:
“Overview” on page 258
“Assigning an IPv4 Management Address and Default Gateway” on page 261
“Assigning an IPv6 Management Address and Default Gateway” on page 266
Chapter 13: IPv4 and IPv6 Management Addresses Overview This chapter explains how to assign the switch an IP address. The switch must have an IP address to perform the features in Table 26. It uses the address as its source address when it communicates with other network devices, such as TFTP servers, and Telnet management workstations. You may assign the switch an IPv4 or IPv6 address, or both. The switch supports only one address of each version.
Table 26. Features Requiring an IP Management Address on the Switch (Continued)
Feature | Description | Supported by IPv4 Address | Supported by IPv6 Address
SNMPv1, v2c, and v3 | Used to remotely manage the switch with SNMP. | yes | yes
SNTP client | Used to set the date and time on the switch from an NTP or SNTP server on your network or the Internet. | yes | no
Static ARP entries | Used to add static ARP entries to the switch.
If you assign both IPv4 and IPv6 addresses to the switch, they must be assigned to the same VLAN. An IPv4 management address can be assigned manually or from a DHCP server on your network. (To learn the switch’s MAC address to add to a DHCP server, refer to “SHOW SWITCH” on page 131.) An IPv6 address must be assigned manually. The switch does not support the assignment of an IPv6 management address from a DHCP server or by IPv6 auto assignment.
Assigning an IPv4 Management Address and Default Gateway
This section covers the following topics:
“Adding an IPv4 Management Address” next
“Adding an IPv4 Default Gateway Address” on page 263
“Deleting an IPv4 Management Address and Default Gateway” on page 264
“Displaying an IPv4 Management Address and Default Gateway” on page 265
Adding an IPv4 Management Address
The command to assign the switch an IPv4 management address is the IP ADDRESS comma
Here are several examples of the command. The first example assigns the switch the management IPv4 address 149.121.43.56/24 on the Default_VLAN, which has the VID number 1.
Note: By default, the switch is configured with the Default_VLAN, which has a VID number of 1 and includes all ports on the switch. The Default_VLAN only has default values and cannot be created, modified or deleted.
The next series of commands assigns the management address 143.24.55.67 and subnet mask 255.255.255.0 to the new VLAN.
awplus# configure terminal (Enter the Global Configuration mode.)
awplus(config)# interface vlan17 (Use the INTERFACE VLAN command to move to the VLAN Interface mode.)
awplus(config-if)# ip address 143.24.55.67/24 (Use the IP ADDRESS command to assign the management address 143.24.55.67 and subnet mask 255.255.255.0 to the VLAN.)
Note: If an IPv4 default gateway is already assigned to the switch, you must delete it prior to entering the new address. For instructions, refer to “Deleting an IPv4 Management Address and Default Gateway” on page 264.
This example assigns the switch the default gateway address 149.121.43.23:
awplus> enable
awplus# configure terminal
awplus(config)# ip route 0.0.0.0/0 149.121.43.
awplus> enable
awplus# configure terminal
awplus(config)# no ip route 0.0.0.0/0 149.121.43.23
Displaying an IPv4 Management Address and Default Gateway
The easiest way to view the IPv4 management address and default gateway address of the switch is with the SHOW IP ROUTE command. It displays both addresses at the same time.
Assigning an IPv6 Management Address and Default Gateway
This section covers the following topics:
“Adding an IPv6 Management Address” next
“Adding an IPv6 Default Gateway Address” on page 267
“Deleting an IPv6 Management Address and Default Gateway” on page 268
“Displaying an IPv6 Management Address and Default Gateway” on page 269
Adding an IPv6 Management Address
The command to assign the switch an IPv6 management address is the IPv6 ADDRE
Note: If there is a management IPv6 address already assigned to the switch, you must delete it prior to entering the new address. For instructions, refer to “Deleting an IPv6 Management Address and Default Gateway” on page 268.
Here are several examples of the command. The first example assigns the switch this static management IPv6 address on the Default_VLAN with VID number 1.
The IPADDRESS parameter is the default gateway to be assigned to the switch. The address must be an IPv6 address and it must be a member of the same subnet as the management IPv6 address.
Note: This configuration is different in the AT-8000GS switch, where the gateway is specified as the Link Local address.
Note: If there is an IPv6 default gateway already assigned to the switch, you must delete it prior to entering the new default gateway.
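Two rules in this chapter are easy to get wrong at the prompt: the default gateway must lie in the management address's subnet, and an existing gateway has to be removed before a new one is entered. The helper below, added here as an example and not code from the guide or the switch, checks an address and gateway pair for either IP version with the standard library, and lists the AlliedWare Plus commands in the required order. The sample addresses are constructed (the 149.121.43.0/24 values reuse this chapter's). The "exit" line, which returns from VLAN Interface mode to Global Configuration mode, is an assumption about mode navigation; confirm it against the guide's command-mode chapter.

```python
"""Check a management address and default gateway before entering
IP ROUTE 0.0.0.0/0 or IPV6 ROUTE ::/0, then list the commands in order.

Added example, not code from the guide or the switch. The "exit" command is
assumed to return from VLAN Interface mode to Global Configuration mode.
"""
from __future__ import annotations

import ipaddress


def validate_management_pair(mgmt_with_prefix: str, gateway: str) -> list[str]:
    """Return the problems found; an empty list means the pair is usable."""
    try:
        iface = ipaddress.ip_interface(mgmt_with_prefix)
    except ValueError as exc:
        return [f"management address: {exc}"]
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"gateway: {exc}"]
    if gw.version != iface.version:
        return ["gateway and management address are different IP versions"]

    problems: list[str] = []
    net = iface.network
    if gw not in net:
        problems.append(f"gateway {gw} is not in the management subnet {net}")
    if gw == iface.ip:
        problems.append("gateway is the same as the management address")
    # The subnet address and, for IPv4, the broadcast address are not hosts.
    reserved = {net.network_address}
    if net.version == 4:
        reserved.add(net.broadcast_address)
    if gw in reserved:
        problems.append("gateway is the network or broadcast address")
    if iface.ip in reserved:
        problems.append("management address is the network or broadcast address")
    return problems


def commands_for(vlan_id: int, mgmt_with_prefix: str, gateway: str,
                 current_gateway: str | None = None) -> list[str]:
    """AlliedWare Plus commands, in order, to apply a validated pair."""
    problems = validate_management_pair(mgmt_with_prefix, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    if ipaddress.ip_address(gateway).version == 6:
        addr_cmd, route_cmd, default = "ipv6 address", "ipv6 route", "::/0"
    else:
        addr_cmd, route_cmd, default = "ip address", "ip route", "0.0.0.0/0"
    cmds = ["configure terminal", f"interface vlan{vlan_id}",
            f"{addr_cmd} {mgmt_with_prefix}", "exit"]
    if current_gateway:
        # The guide requires the existing gateway to be deleted first.
        cmds.append(f"no {route_cmd} {default} {current_gateway}")
    cmds.append(f"{route_cmd} {default} {gateway}")
    return cmds


if __name__ == "__main__":
    print("\n".join(commands_for(1, "149.121.43.56/24", "149.121.43.23")))
    print(validate_management_pair("143.24.55.67/24", "143.24.56.1"))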
Displaying an IPv6 Management Address and Default Gateway
There are two commands for displaying a management IPv6 address and default gateway. If the switch has both an IPv6 address and default gateway, you can display both of them with the SHOW IPV6 ROUTE command, in the Privileged Exec mode, as shown here:
awplus# show ipv6 route
Here is an example of the information. The default route is displayed first, followed by the management address.
Chapter 14 IPv4 and IPv6 Management Address Commands
The IPv4 and IPv6 management address commands are summarized in Table 27.
Table 27. Management IP Address Commands
“CLEAR IPV6 NEIGHBORS” on page 273 (Privileged Exec): Clears all dynamic IPv6 neighbor entries.
“IP ADDRESS” on page 274 (VLAN Interface): Assigns the switch a static IPv4 management address.
Chapter 14: IPv4 and IPv6 Management Address Commands
Table 27. Management IP Address Commands (Continued)
“SHOW IPV6 INTERFACE” on page 292 (Privileged Exec): Displays the IPv6 management address.
“SHOW IPV6 ROUTE” on page 293 (Privileged Exec): Displays the IPv6 management address and default gateway.
CLEAR IPV6 NEIGHBORS
Syntax: clear ipv6 neighbors
Parameters: None
Mode: Privileged Exec mode
Description: Use this command to clear all of the dynamic IPv6 neighbor entries.
IP ADDRESS
Syntax: ip address ipaddress/mask
Parameters:
ipaddress specifies a management IPv4 address for the switch. The address is specified in the following format: nnn.nnn.nnn.nnn, where each nnn is a decimal number from 0 to 255. The numbers must be separated by periods.
mask specifies the subnet mask for the address.
Examples: This example assigns the switch the IPv4 management address 142.35.78.21 and subnet mask 255.255.255.0. The address is assigned to the Default_VLAN, which has the VID 1:
awplus> enable
awplus# configure terminal
awplus(config)# interface vlan1
awplus(config-if)# ip address 142.35.78.21/24
This example assigns the switch the IPv4 management address 116.152.173.45 and subnet mask 255.255.255.0.
IP ADDRESS DHCP
Syntax: ip address dhcp
Parameters: None
Mode: VLAN Interface mode
Description: Use this command to assign the switch an IPv4 management address from a DHCP server. This command activates the DHCP client, which automatically queries the network for a DHCP server. The client also queries for a DHCP server whenever you reset or power cycle the switch. Any DHCP server reachable on that VLAN can answer the query and hand the switch its management address, so enable the client only on a VLAN where you control the DHCP service.
Example: This example activates the DHCP client so that the switch obtains its IPv4 management address from a DHCP server on your network.
IP ROUTE
Syntax: ip route 0.0.0.0/0 ipaddress
Parameters: ipaddress specifies an IPv4 default gateway address.
Mode: Global Configuration mode
Description: Use this command to assign the switch an IPv4 default gateway address. A default gateway is the address of an interface on a router or other Layer 3 device.
Example: This example assigns the switch the IPv4 default gateway address 143.87.132.45:
awplus> enable
awplus# configure terminal
awplus(config)# ip route 0.0.0.0/0 143.87.132.
IPV6 ADDRESS
Syntax: ipv6 address ipaddress/mask
Parameters: ipaddress specifies an IPv6 management address for the switch. The address is entered in this format: nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn, where each n is a hexadecimal digit from 0 to F. The eight groups of digits have to be separated by colons. Groups where all four digits are ‘0’ can be omitted. Leading ‘0’s in groups can also be omitted.
and syslog servers). The VLAN must already exist on the switch before you use this command.
IPV6 ROUTE
Syntax: ipv6 route ::/0 ipaddress
Parameters: ipaddress specifies the IPv6 address of a default gateway. The address is entered in this format: nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn, where each n is a hexadecimal digit from 0 to F. The eight groups of digits have to be separated by colons. Groups where all four digits are ‘0’ can be omitted. Leading ‘0’s in groups can also be omitted.
Example: This example assigns the switch the IPv6 default gateway address 45ab:672:934c::78:17cb:
awplus> enable
awplus# configure terminal
awplus(config)# ipv6 route ::/0 45ab:672:934c::78:17cb
NO IP ADDRESS
Syntax: no ip address
Parameters: None
Mode: VLAN Interface mode
Description: Use this command to delete the current IPv4 management address from the switch if the address was assigned manually. If a DHCP server supplied the address, refer to “NO IP ADDRESS DHCP” on page 285. You must perform this command from the VLAN Interface mode of the VLAN to which the address is attached.
NO IP ADDRESS DHCP
Syntax: no ip address dhcp
Parameters: None
Mode: VLAN Interface mode
Description: Use this command to delete the current IPv4 management address from the switch if the address was assigned by a DHCP server. You must perform this command from the VLAN Interface mode of the VLAN to which the address is attached. This command also disables the DHCP client.
NO IP ROUTE
Syntax: no ip route 0.0.0.0/0 ipaddress
Parameters: ipaddress specifies the current default gateway.
Mode: Global Configuration mode
Description: Use this command to delete the current IPv4 default gateway. The command must include the current default gateway.
Confirmation Command: “SHOW IP ROUTE” on page 290
Example: This example deletes the default route 121.114.17.
NO IPV6 ADDRESS
Syntax: no ipv6 address
Parameters: None
Mode: VLAN Interface mode
Description: Use this command to delete the current IPv6 management address from the switch. You must perform this command from the VLAN Interface mode of the VLAN to which the address is attached.
Note: The switch uses the IPv6 management address to perform the features listed in Table 26 on page 258.
NO IPV6 ROUTE
Syntax: no ipv6 route ::/0 ipaddress
Parameters: ipaddress specifies the current IPv6 default gateway.
Mode: Global Configuration mode
Description: Use this command to delete the current IPv6 default gateway from the switch. The command must include the current default gateway.
SHOW IP INTERFACE
Syntax: show ip interface
Parameters: None
Mode: Privileged Exec mode
Description: Use this command to display the management IP address on the switch. Figure 68 is an example of the information.
Interface  IP Address
VLAN14-0   123.94.146.72
Figure 68. SHOW IP INTERFACE Command
The Interface field is the VID of the VLAN to which the management IP address is assigned. The IP Address field is the management IP address of the switch.
SHOW IP ROUTE
Syntax: show ip route
Parameters: None
Mode: Privileged Exec mode
Description: Use this command to display the routes on the switch. Figure 69 displays an example of the information.
Mask           NextHop      Interface
255.255.255.0  192.168.1.1  vlan1-0
Figure 69. SHOW IP ROUTE Command
The fields are described in Table 28.
Table 28.
Example: The following example displays the routes on the switch:
awplus# show ip route
SHOW IPV6 INTERFACE
Syntax: show ipv6 interface
Parameters: None
Mode: Privileged Exec mode
Description: Use this command to display the IPv6 management address on the switch. Figure 70 is an example of the information.
Interface  IPv6-Address
VLAN3-0    832a:5821:b34a:0:0:0:187:95a/64
Figure 70. SHOW IPV6 INTERFACE Command
The fields are described in Table 29.
Table 29.
SHOW IPV6 ROUTE
Syntax: show ipv6 route
Parameters: None
Mode: Privileged Exec mode
Description: Use this command to display the IPv6 management address and default gateway on the switch. Figure 71 is an example of the information. The default route is displayed first, followed by the management address.
Chapter 15 Simple Network Time Protocol (SNTP) Client
This chapter contains the following information:
“Overview” on page 296
“Activating the SNTP Client and Specifying the IP Address of an NTP or SNTP Server” on page 297
“Configuring Daylight Savings Time and UTC Offset” on page 298
“Disabling the SNTP Client” on page 300
“Displaying the SNTP Client” on page 301
“Displaying the Date and Time” on page 302
Chapter 15: Simple Network Time Protocol (SNTP) Client Overview The switch has a Simple Network Time Protocol (SNTP) client for setting its date and time from an SNTP or NTP server on your network or the Internet. The date and time are added to the event messages that are stored in the event log and sent to syslog servers. The switch polls the SNTP or NTP server for the date and time when you configure the client and when the unit is powered on or reset.
Activating the SNTP Client and Specifying the IP Address of an NTP or SNTP Server
To activate the SNTP client on the switch and to specify the IP address of an NTP or SNTP server, use the NTP PEER command in the Global Configuration mode. You can specify the IP address of only one server. This example of the command specifies 1.77.122.54 as the IP address of the server:
awplus> enable
awplus# configure terminal
awplus(config)# ntp peer 1.77.122.
Configuring Daylight Savings Time and UTC Offset
If the time that the NTP or SNTP server provides to the switch is in Coordinated Universal Time (UTC), it has to be converted into local time. To do that, the switch needs to know whether to use Standard Time (ST) or Daylight Savings Time (DST), and the number of hours and minutes it is ahead of or behind UTC, referred to as the UTC offset.
In this example, the client is configured for ST and a UTC offset of +2 hours and 45 minutes:
awplus> enable
awplus# configure terminal
awplus(config)# no clock summer-time
awplus(config)# clock timezone +02:45
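Because the switch applies the offset and the DST flag mechanically, and never changes the DST flag on its own, it is worth being able to reproduce the arithmetic when a log timestamp looks wrong. The script below, added here as an example and not code from the guide or the switch, validates an offset in the form CLOCK TIMEZONE accepts (sign, two-digit hours 00 to 12, minutes in 15-minute steps) and converts a UTC time from the server into the local time the switch would stamp on an event. The one-hour size of the DST shift is an assumption; the guide does not state it. The timestamps are constructed.

```python
"""Validate a CLOCK TIMEZONE offset and convert a UTC time from the SNTP server
into the local time the switch would stamp on log messages.

Added example, not code from the guide or the switch. Assumption: DST adds one
hour; the guide only says DST is switched on and off manually.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

OFFSET_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")
DST_SHIFT = timedelta(hours=1)  # assumption, see module docstring


def parse_utc_offset(text: str) -> timedelta:
    """'+02:45' -> timedelta(hours=2, minutes=45).

    Raises ValueError for anything the rules in the guide would reject:
    missing sign, fields that are not two digits, hours above 12, or minutes
    that are not a multiple of 15.
    """
    m = OFFSET_RE.match(text)
    if not m:
        raise ValueError(f"{text!r}: expected +hh:mm or -hh:mm with two-digit fields")
    sign, hours, minutes = m.group(1), int(m.group(2)), int(m.group(3))
    if hours > 12:
        raise ValueError(f"{text!r}: hours must be 00-12")
    if minutes not in (0, 15, 30, 45):
        raise ValueError(f"{text!r}: minutes must be 00, 15, 30 or 45")
    delta = timedelta(hours=hours, minutes=minutes)
    return -delta if sign == "-" else delta


def is_valid_offset(text: str) -> bool:
    """True if CLOCK TIMEZONE would accept the string, per the guide's rules."""
    try:
        parse_utc_offset(text)
        return True
    except ValueError:
        return False


def local_time(utc_stamp: datetime, offset: str, summer_time: bool) -> datetime:
    """Apply the configured UTC offset and the manual DST flag to a UTC time."""
    if utc_stamp.tzinfo is None:
        utc_stamp = utc_stamp.replace(tzinfo=timezone.utc)
    shift = parse_utc_offset(offset) + (DST_SHIFT if summer_time else timedelta(0))
    return utc_stamp.astimezone(timezone(shift))


if __name__ == "__main__":
    server_time = datetime(2014, 3, 30, 1, 30, tzinfo=timezone.utc)  # constructed
    for offset, dst in (("+02:45", False), ("+02:45", True), ("-05:00", False)):
        print(offset, "DST" if dst else "ST ", local_time(server_time, offset, dst).isoformat())
```

Run against the example above (+02:45, Standard Time), 12:00 UTC from the server becomes 14:45 local; with CLOCK SUMMER-TIME set it becomes 15:45, and it stays there until someone enters NO CLOCK SUMMER-TIME, which is the mistake to look for when log times are off by exactly one hour.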
Disabling the SNTP Client
To disable the SNTP client so that the switch does not obtain its date and time from an NTP or SNTP server, use the NO NTP PEER command in the Global Configuration mode:
awplus> enable
awplus# configure terminal
awplus(config)# no ntp peer
Displaying the SNTP Client
To display the settings of the SNTP client on the switch, use the SHOW NTP ASSOCIATIONS command in the Privileged Exec mode.
awplus# show ntp associations
The following is displayed:
SNTP Configuration:
Status ........................ Enabled
Server ........................ 149.134.23.154
UTC Offset .................... +2
Daylight Savings Time (DST) ... Enabled
Figure 72.
Displaying the Date and Time
To display the date and time, use the SHOW CLOCK command in the User Exec mode or Privileged Exec mode:
awplus# show clock
Chapter 16 SNTP Client Commands

The SNTP commands are summarized in Table 31.

Table 31. Simple Network Time Protocol Commands

Command | Mode | Description
“CLOCK SUMMER-TIME” on page 304 | Global Configuration | Activates Daylight Savings Time on the SNTP client.
“CLOCK TIMEZONE” on page 305 | Global Configuration | Sets the UTC offset value, the time difference in hours and minutes between local time and Coordinated Universal Time (UTC).
CLOCK SUMMER-TIME

Syntax
clock summer-time

Parameters
None

Mode
Global Configuration mode

Description
Use this command to enable Daylight Savings Time (DST) on the SNTP client.

Note
The switch does not set the DST automatically. If the switch is in a locale that uses DST, you must remember to enable this when DST begins and disable when DST ends. If the switch is in a locale that does not use DST, set this option to disabled all the time.
CLOCK TIMEZONE

Syntax
clock timezone +hh:mm|-hh:mm

Parameters
hh:mm Specifies the number of hours and minutes difference between Coordinated Universal Time (UTC) and local time. HH are hours in the range of -12 to +12, and MM are minutes in increments of 15. The value is specified as ahead of (positive) or behind (negative) UTC. You must include both the hours and minutes, and both must have two digits. The default is 00:00.
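As an added example (not code from the Allied Telesis guide), the following Python applies the CLOCK TIMEZONE rules above as a validator, builds the two Global Configuration commands from a validated offset, and converts a UTC timestamp received from the NTP or SNTP server into switch-local time. The one-hour DST shift is an assumption, since the guide does not state the size of the shift, and the function names are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not from the Allied Telesis guide. Validates a CLOCK TIMEZONE
# argument against the rules in the command reference (+hh:mm or -hh:mm,
# two digits each, hours -12..+12, minutes in steps of 15) and converts a UTC
# timestamp from the NTP/SNTP server into the switch's local time.

OFFSET_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def parse_utc_offset(text):
    """Return the UTC offset as a timedelta, or raise ValueError if the
    argument breaks one of the rules the command reference states."""
    m = OFFSET_RE.match(text)
    if not m:
        raise ValueError(f"offset must be +hh:mm or -hh:mm with two-digit fields: {text!r}")
    sign, hours, minutes = m.group(1), int(m.group(2)), int(m.group(3))
    if hours > 12:
        raise ValueError("hours must be in the range -12 to +12")
    if minutes >= 60 or minutes % 15 != 0:
        raise ValueError("minutes must be 00, 15, 30 or 45")
    delta = timedelta(hours=hours, minutes=minutes)
    return -delta if sign == "-" else delta


def clock_commands(offset_text, summer_time):
    """Global Configuration commands that apply the offset and DST setting.
    The offset is validated first so a typo is caught before it reaches the switch."""
    parse_utc_offset(offset_text)
    dst = "clock summer-time" if summer_time else "no clock summer-time"
    return [dst, f"clock timezone {offset_text}"]


# Assumption (not stated in the guide): enabling DST shifts local time by one hour.
DST_SHIFT = timedelta(hours=1)


def local_time(utc_dt, offset_text, summer_time=False):
    """Convert an aware UTC datetime to the switch's local time."""
    if utc_dt.utcoffset() != timedelta(0):
        raise ValueError("utc_dt must be an aware datetime in UTC")
    delta = parse_utc_offset(offset_text)
    if summer_time:
        delta += DST_SHIFT
    return utc_dt.astimezone(timezone(delta))


def local_time_iso(utc_iso, offset_text, summer_time=False):
    """Same conversion for an ISO 8601 string such as a UTC syslog timestamp;
    a string without a zone designator is taken to be UTC."""
    dt = datetime.fromisoformat(utc_iso)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return local_time(dt, offset_text, summer_time).isoformat()


if __name__ == "__main__":
    # Reproduces the configuration from the guide's own example (ST, +02:45).
    print(clock_commands("+02:45", summer_time=False))
    print(local_time_iso("2014-06-01T12:00:00", "+02:45"))
```

The validator rejects the mistakes the reference warns about (a single-digit hour, minutes that are not a multiple of 15, a missing sign), which matters because a wrong offset on the switch skews every timestamp in its logs relative to the rest of the network and makes event correlation unreliable.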
NO CLOCK SUMMER-TIME

Syntax
no clock summer-time

Parameters
None

Mode
Global Configuration mode

Description
Use this command to disable Daylight Savings Time (DST) and activate Standard Time (ST) on the SNTP client.
NO NTP PEER

Syntax
no ntp peer

Parameter
None

Mode
Global Configuration mode

Description
Use this command to deactivate the SNTP client on the switch. When the client is disabled, the switch does not obtain its date and time from an SNTP or NTP server the next time it is reset or power cycled.
NTP PEER

Syntax
ntp peer ipaddress

Parameter
ipaddress Specifies an IP address of an SNTP or NTP server.

Mode
Global Configuration mode

Description
Use this command to activate the NTP client on the switch and to specify the IP address of the SNTP or NTP server from which it is to obtain its date and time. You can specify only one SNTP or NTP server. After you enter this command, the switch automatically begins to query the network for the defined server.
PURGE NTP

Syntax
purge ntp

Parameter
None

Mode
Global Configuration mode

Description
Use this command to disable the SNTP client, delete the IP address of the SNTP or NTP server, and restore the client settings to the default values.
SHOW CLOCK

Syntax
show clock

Parameters
None

Modes
User Exec mode and Privileged Exec mode

Description
Use this command to display the switch’s date and time.

Example
The following example displays the switch’s date and time.
SHOW NTP ASSOCIATIONS

Syntax
show ntp associations

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the settings of the SNTP client. The information the command displays is shown in Figure 74.

NTP Configuration:
Status ........................ Enabled
Server ........................ 192.168.20.27
UTC Offset .................... +02:00
Daylight Savings Time (DST) ... Enabled

Figure 74.
Table 32. SHOW NTP ASSOCIATIONS Command (Continued)

Parameter | Description
UTC Offset | The time difference in hours between UTC and local time. The range is -12 to +12 hours. The default is 0 hours. This value is set with “CLOCK TIMEZONE” on page 305.
Daylight Savings Time (DST) | The status of the daylight savings time setting. The status can be enabled or disabled. This value is set with “CLOCK TIMEZONE” on page 305.
SHOW NTP STATUS

Syntax
show ntp status

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the status of an NTP or SNTP server assigned to the switch. The display states whether or not the switch has synchronized its time with an NTP or SNTP server. An example of the display is shown in Figure 75.

Clock is synchronized, reference is 192.168.20.27
Clock offset is +2:00

Figure 75.
Chapter 17 MAC Address Table

This chapter discusses the following topics:

“Overview” on page 316
“Adding Static MAC Addresses” on page 318
“Deleting MAC Addresses” on page 320
“Setting the Aging Timer” on page 322
“Displaying the MAC Address Table” on page 323
Overview

The MAC address table stores the MAC addresses of all the network devices that are connected to the switch’s ports. Each entry in the table consists of a MAC address, a port number where an address was learned by the switch, and an ID number of a VLAN where a port is a member. The switch learns the MAC addresses of the network devices by examining the source addresses in the packets as they arrive on the ports.
The period of time the switch waits before purging inactive dynamic MAC addresses is called the aging time. This value is adjustable on the switch. The default value is 300 seconds (5 minutes).

You can also enter addresses manually into the table. These addresses are referred to as static addresses. Static MAC addresses remain in the table indefinitely and are never deleted, even when the network devices are inactive.
Adding Static MAC Addresses

The command for adding static unicast MAC addresses to the switch is MAC ADDRESS-TABLE STATIC in the Global Configuration mode. Here is the format of the command:

mac address-table static macaddress forward|discard interface port [vlan vlan-name|vid]

Here are the variables of the command:

macaddress - Use this variable to specify the unicast or multicast MAC address you want to add to the table. You can add only one address at a time.
awplus> enable
awplus# configure terminal
awplus(config)# mac address-table static 00:a0:d2:18:1a:11 discard interface port1.0.
Deleting MAC Addresses

To delete MAC addresses from the switch, use the CLEAR MAC ADDRESS-TABLE command in the Privileged Exec mode. The format of the command is:

clear mac address-table dynamic|static [address macaddress]|[interface port]|[vlan vid]

Here are the variables:

dynamic - This variable lets you delete dynamic addresses.
static - This parameter lets you delete static addresses.
address - You can use this parameter to delete specific addresses.
This example deletes all of the dynamic addresses learned on port 20:

awplus> enable
awplus# clear mac address-table dynamic interface port1.0.20

This example deletes all of the static addresses added to ports 2 to 5:

awplus> enable
awplus# clear mac address-table static interface port1.0.2port1.0.
Setting the Aging Timer

The aging timer defines the length of time that inactive dynamic MAC addresses remain in the table before they are deleted by the switch. The switch deletes inactive addresses to ensure that the table contains only active and current addresses. The aging timer does not apply to static addresses because static addresses are not deleted by the switch, even when the network devices are inactive.
Displaying the MAC Address Table

To view the aging time or the MAC address table, use the SHOW MAC ADDRESS-TABLE command in the Privileged Exec mode. Here is its format:

show mac address-table [interface port]|[vlan vid]

An example of the table is shown in Figure 76.

Aging Interval: 300 second(s)
Switch Forwarding Database
-----------------------------------------------------------
VLAN Port MAC Fwd
-----------------------------------------------------------
1 1.0.
This example displays the addresses learned on the ports in a VLAN with the VID 8:

awplus# show mac address-table vlan 8
Chapter 18 MAC Address Table Commands

The MAC address table commands are summarized in Table 33.

Table 33. MAC Address Table Commands

Command | Mode | Description
“CLEAR MAC ADDRESS-TABLE” on page 326 | Privileged Exec | Deletes MAC addresses from the MAC address table.
“MAC ADDRESS-TABLE AGEING-TIME” on page 328 | Global Configuration | Sets the aging timer, which is used by the switch to identify inactive dynamic MAC addresses for deletion from the table.
CLEAR MAC ADDRESS-TABLE

Syntax
clear mac address-table dynamic|static [address macaddress]|[interface port]|[vlan vid]

Parameters
dynamic Deletes dynamic MAC addresses.
static Deletes static addresses.
address Deletes a specific address.
macaddress Specifies the address to be deleted. The address must be specified in either one of the following formats: xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx
interface Deletes MAC addresses learned on a specific port.
Examples
This example deletes all of the dynamic addresses from the table:

awplus> enable
awplus# clear mac address-table dynamic

This example deletes all of the static addresses:

awplus> enable
awplus# clear mac address-table static

This example deletes a single dynamic address:

awplus> enable
awplus# clear mac address-table dynamic address 00:12:a3:34:8b:32

This example deletes a single static address:

awplus> enable
awplus# clear mac address-table static addre
MAC ADDRESS-TABLE AGEING-TIME

Syntax
mac address-table ageing-time value|none

Parameter
ageing-time Specifies the aging timer in seconds for the MAC address table. The range is 10 to 1000000 seconds. The default is 300 seconds (5 minutes).

Mode
Global Configuration mode

Description
Use this command to set the aging timer.
This example disables the aging timer so that the switch does not delete inactive dynamic MAC addresses from the table:

awplus> enable
awplus# configure terminal
awplus(config)# mac address-table ageing-time none

This example returns the aging timer to its default setting of 300 seconds:

awplus> enable
awplus# configure terminal
awplus(config)# no mac address-table ageing-time
MAC ADDRESS-TABLE STATIC

Syntax
mac address-table static macaddress forward|discard interface port [vlan vlan-name|vid]

Parameters
macaddress Specifies the static unicast address you want to add to the switch’s MAC address table. The address must be specified in either one of the following formats: xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx
forward Forwards packets containing the designated source MAC address.
Confirmation Command
“SHOW MAC ADDRESS-TABLE” on page 334

Examples
This example adds the static MAC address 44:c3:22:17:62:a4 to port 4 in the Production VLAN. The port forwards the packets from the specified node:

awplus> enable
awplus# configure terminal
awplus(config)# mac address-table static 44:c3:22:17:62:a4 forward interface port1.0.
NO MAC ADDRESS-TABLE STATIC

Syntax
no mac address-table static macaddress forward|discard interface port [vlan vlan-name|vid]

Parameters
macaddress Specifies the static unicast address you want to delete from the switch’s MAC address table. The address must be specified in either one of the following formats: xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx
forward Forwards packets containing the designated source MAC address.
Confirmation Command
“SHOW MAC ADDRESS-TABLE” on page 334

Examples
This example deletes the MAC address 00:A0:D2:18:1A:11 from port 12 in the Default_VLAN, which has the VID 1. The port is forwarding packets of the owner of the address:

awplus> enable
awplus# configure terminal
awplus(config)# no mac address-table static 00:a0:d2:18:1a:11 forward interface port1.0.12 vlan 1

This example deletes the MAC address 86:24:3c:79:52:32 from port 16 in the Sales VLAN.
SHOW MAC ADDRESS-TABLE

Syntax
show mac address-table begin|exclude|include [interface port]|[vlan vid]

Parameters
begin Specifies the first line that matches the MAC address is displayed. The address must be specified in either one of the following formats: xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx
exclude Indicates the specified MAC address is excluded from the display. The address must be specified in either one of the following formats: xx:xx:xx:xx:xx:xx or xxxx.xxxx.
An example of the table is shown in Figure 77.

Aging Interval: 300 second(s)
Switch Forwarding Database
-----------------------------------------------------------
VLAN Port MAC Fwd
-----------------------------------------------------------
1 1.0.1 00a0.d218.1ac8 Forward Dynamic
1 1.0.2 00a0.c416.3b80 Forward Dynamic
1 1.0.3 00a0.12c2.10c6 Forward Dynamic
1 1.0.4 00a0.c209.10d8 Forward Dynamic
1 1.0.4 00a0.3343.a187 Forward Dynamic
1 1.0.4 00a0.12a7.
Table 34. SHOW MAC ADDRESS-TABLE Command - Unicast Addresses

Parameter | Description
Fwd | The status of the address. MAC addresses have the status of Forward, meaning that they are used by the switch to forward packets.
(unlabeled) | The type of address: static or dynamic.

The Multicast Switch Forwarding Database contains the multicast addresses. The columns are defined in this table.

Table 35.
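As an added example (not code from the Allied Telesis guide), this Python parses the SHOW MAC ADDRESS-TABLE display in the layout of Figure 77, normalizes addresses written in either of the two CLI formats so they compare equal, and reports two things an operator reviewing the forwarding database wants to see: ports that have learned more dynamic addresses than an access port serving one host should, and addresses that have moved to a different port between two snapshots. The sample output is constructed: its first five rows are the ones printed in Figure 77, the remaining rows and the second snapshot are made up for the example, and the function names are mine.

```python
import re
from collections import defaultdict

# Added example, not from the Allied Telesis guide. Parses the SHOW MAC
# ADDRESS-TABLE display (layout as in Figure 77), normalizes addresses given in
# either CLI format, and flags ports learning many dynamic addresses as well as
# addresses that changed port between two snapshots.

MAC_COLON = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
MAC_DOT = re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I)
AGING_RE = re.compile(r"^Aging Interval:\s*(\d+)\s*second")
# VLAN  Port  MAC  Fwd  type  (the type column is unlabeled in the display)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(Forward|Discard)\s+(Static|Dynamic)\s*$", re.I)


def normalize_mac(text):
    """Accept xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx (the two formats the CLI takes)
    and return the colon form in lower case."""
    if MAC_COLON.match(text):
        return text.lower()
    if MAC_DOT.match(text):
        digits = text.replace(".", "").lower()
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"not a MAC address in either CLI format: {text!r}")


def parse_mac_table(output):
    """Return (aging_interval_seconds, entries) from SHOW MAC ADDRESS-TABLE output.
    Each entry is a dict with vlan, port, mac, fwd and type keys."""
    aging = None
    entries = []
    for line in output.splitlines():
        m = AGING_RE.match(line)
        if m:
            aging = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            vlan, port, mac, fwd, kind = m.groups()
            entries.append({"vlan": int(vlan), "port": port, "mac": normalize_mac(mac),
                            "fwd": fwd.capitalize(), "type": kind.capitalize()})
    return aging, entries


def dynamic_addresses_per_port(entries):
    """Number of dynamically learned addresses on each port (static entries
    are configured by an operator, so they are not counted)."""
    counts = defaultdict(int)
    for e in entries:
        if e["type"] == "Dynamic":
            counts[e["port"]] += 1
    return dict(counts)


def busy_ports(entries, limit):
    """Ports with more than `limit` dynamic addresses; on a port that should
    serve a single host this is worth a closer look."""
    return {p: n for p, n in dynamic_addresses_per_port(entries).items() if n > limit}


def moved_addresses(before, after):
    """Addresses present in both snapshots but learned on a different port,
    returned as mac -> (old_port, new_port)."""
    seen = {e["mac"]: e["port"] for e in before}
    return {e["mac"]: (seen[e["mac"]], e["port"])
            for e in after if e["mac"] in seen and seen[e["mac"]] != e["port"]}


# Constructed sample: the first five rows are the ones printed in Figure 77; the
# last two are made up to exercise the static/discard entry and port counting.
SAMPLE_NOW = """\
Aging Interval: 300 second(s)
Switch Forwarding Database
-----------------------------------------------------------
VLAN Port MAC Fwd
-----------------------------------------------------------
1 1.0.1 00a0.d218.1ac8 Forward Dynamic
1 1.0.2 00a0.c416.3b80 Forward Dynamic
1 1.0.3 00a0.12c2.10c6 Forward Dynamic
1 1.0.4 00a0.c209.10d8 Forward Dynamic
1 1.0.4 00a0.3343.a187 Forward Dynamic
1 1.0.4 0200.0000.0001 Forward Dynamic
1 1.0.12 00a0.d218.1a11 Discard Static
"""

# Constructed later snapshot: the address learned on port 1 now appears on port 7.
SAMPLE_LATER = """\
Aging Interval: 300 second(s)
Switch Forwarding Database
-----------------------------------------------------------
VLAN Port MAC Fwd
-----------------------------------------------------------
1 1.0.7 00a0.d218.1ac8 Forward Dynamic
1 1.0.2 00a0.c416.3b80 Forward Dynamic
"""

if __name__ == "__main__":
    aging, now = parse_mac_table(SAMPLE_NOW)
    _, later = parse_mac_table(SAMPLE_LATER)
    print("aging interval:", aging)
    print("ports over limit:", busy_ports(now, 2))
    print("moved addresses:", moved_addresses(now, later))
```

Because the display prints addresses in the dotted format while operators commonly type the colon format, normalizing both to one form is what makes a static discard entry (as in the MAC ADDRESS-TABLE STATIC example above) reliably comparable against what the table actually holds.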
Chapter 19 Enhanced Stacking

This chapter discusses the following topics:

“Overview” on page 338
“Configuring the Command Switch” on page 341
“Configuring a Member Switch” on page 344
“Managing the Member Switches of an Enhanced Stack” on page 346
“Changing the Enhanced Stacking Mode” on page 348
“Uploading Boot Configuration Files from the Command Switch to Member Switches” on page 350
“Uploading the Management Software from the Command Switch to Member Switches” on page 357
Overview

Enhanced stacking is a management tool that allows you to manage different AT-9000 Switches from one management session. With enhanced stacking you can start a management session on one switch and then redirect the session to any of the other switches in the stack, without having to start a new session.

It is important to understand that enhanced stacking is simply a management tool. The switches of an enhanced stack continue to function as stand-alone devices.
A member switch can be any distance from the command switch, so long as the distance adheres to Ethernet cabling standards. For background information on port-based and tagged virtual LANs, refer to Chapter 47, “Port-based and Tagged VLANs” on page 687.

Guidelines
Here are the enhanced stacking guidelines for the AT-9000 Switch:

A stack can have up to 24 AT-9000 Switches.

General Steps
2. On the switch chosen to be the command switch, activate enhanced stacking and change its stacking status to command switch. The commands are ESTACK RUN and ESTACK COMMAND-SWITCH, both in the Global Configuration mode.

3. On the member switches, activate enhanced stacking. You do not have to set the enhanced stacking mode on the member switch because the member mode is the default setting.

4. Create a common port-based or tagged VLAN on the command and member switches.
Configuring the Command Switch

Here is an example on how to configure the switch as the command switch of the enhanced stack. The example creates a common VLAN and assigns it a management IP address. Here are the specifications for this command switch:

Common VLAN name: Tech_Support
VID: 12
Untagged VLAN ports: 18 to 22
Management IP address and subnet mask: 149.22.88.5 and 255.255.255.0
Default gateway: 149.22.88.
2. After creating the common VLAN on the switch, assign it the management IP address and default gateway:

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# interface vlan12
From the Global Configuration mode, enter the VLAN Interface mode for the Tech_Support VLAN.

awplus(config-if)# ip address 149.22.88.5/24
Assign the VLAN the management IP address, 149.22.88.5 and the subnet mask, 255.255.255.0.
awplus# write
Save the configuration.
Configuring a Member Switch

This example shows you how to configure the switch as a member switch of an enhanced stack. It configures the switch to be part of the same enhanced stack with the same common VLAN as the command switch in the previous example. Here are the specifications for the member switch:

Common VLAN name: Tech_Support
VID: 12
Untagged VLAN ports: 4 and 5

1. This step creates the common VLAN.
awplus(config)# estack run
Activate enhanced stacking on the switch.

awplus(config)# exit
Return to the Privileged Exec mode.

awplus# show estack
Confirm the stack mode of the switch.

3. To save the configuration, enter the WRITE command in the Privileged Executive mode.

awplus# write
Save the configuration.

4. Connect the switches together using ports of the common VLAN.
Managing the Member Switches of an Enhanced Stack

Here are the steps on how to manage the member switches of an enhanced stack.

1. Start a local or remote management session on the command switch of the enhanced stack. After logging on, you can view and configure the settings of just the command switch.

2. To manage a member switch in the enhanced stack, enter the SHOW ESTACK REMOTELIST command in the Privileged Exec mode.
6. When you are finished managing the member switch, enter the EXIT command from the User Exec mode or Privileged Exec mode to return the management session to the command switch.

7. To manage another member switch in the enhanced stack, repeat this procedure starting with step 2.

8. To end the management session, return to the User Exec mode or Privileged Exec mode on the command switch and enter the EXIT command.
Changing the Enhanced Stacking Mode

If you want to change the enhanced stacking mode of a switch from command to member, all you have to do is enter the NO ESTACK COMMAND-SWITCH command in the Global Configuration mode, as shown here:

awplus> enable
awplus# configure terminal
awplus(config)# no estack command-switch

You can enter this command even if the enhanced stack is functional.
2. On the member switch, change its mode from member to command with the ESTACK COMMAND-SWITCH command.

3. On the original command switch, restart enhanced stacking with the ESTACK RUN command and, if desired, reestablish its command mode with the ESTACK COMMAND-SWITCH command. (Disabling enhanced stacking changes the mode on a command switch from command to member.
Uploading Boot Configuration Files from the Command Switch to Member Switches

You may use the enhanced stacking feature to transfer boot configuration files from the file system in the command switch of the enhanced stack to member switches.
The second prompt is shown here:

Enter the list of switches ->

At the prompt, enter the enhanced stack numbers of the member switches to receive the file. You may upload a file to more than one member switch at a time by separating the numbers with commas. The numbers are viewed with the SHOW ESTACK REMOTELIST command.

There are certain things to know prior to using this feature:

The transfer works from the command switch to the member switches.
Here are the steps to perform on the command switch to upload the configuration file from its file system to the member switch:

awplus> enable
Enter the Privileged Executive mode from the User Executive mode.

awplus# show estack remotelist
Display the member switches of the enhanced stack with the SHOW ESTACK REMOTELIST command to learn the ID number of the switch to receive the configuration file.
Here is another example of the feature. This example uploads a configuration file to a new switch in an enhanced stack, such as a replacement switch for a failed unit. This example is more complicated than the previous example because the stack is not using the Default VLAN as the common VLAN, and the new switch will not be using BOOT.CFG as the name of its active boot configuration file.
awplus(config-if)# end
Return to the Privileged Exec mode.

awplus# show vlan 12
Verify the new VLAN.

3. Use the ESTACK RUN command in the Global Configuration mode to activate enhanced stacking on the switch. It is not necessary to set the switch to the member mode because that is the default setting.

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# estack run
Activate enhanced stacking on the new switch.
awplus# dir
List the files in the file system of the command switch to confirm that it has the configuration file you want to upload to the member switch. In this example, the filename is Eng12c.cfg.

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# upload config remotelist
Enter the UPLOAD CONFIG REMOTELIST command to begin the file transfer.

Enter the configuration file name -> SalesE4.
awplus# show estack remotelist
Reconfirm the enhanced stacking ID number of the replacement member switch.

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# rcommand 3
Use the RCOMMAND command to start a remote management session on the replacement member switch. In this example the ID number of the switch is 3.

Login: manager
Password: ******
Log on the replacement member switch.

awplus> enable
Enter the Privileged Exec mode.
Uploading the Management Software from the Command Switch to Member Switches

You may use enhanced stacking to install new releases of the management software on the member switches from the command switch. After you update the command switch with the new management software, you can instruct it to upload the software to the member switches for you.
Caution
A member switch stops forwarding network traffic after it receives the management software from the command switch and begins writing it to flash memory. Some network traffic may be lost.

Caution
Do not power off a member switch while it is writing the software to flash memory.

In this example of the command, the command switch uploads its management software to two member switches that have the ID numbers 5 and 6.
Disabling Enhanced Stacking

The command that disables enhanced stacking on a switch is the NO ESTACK RUN command in the Global Configuration mode, and the confirmation command is the SHOW ESTACK command in the Privileged Exec mode. You may not use the NO ESTACK RUN command when you are managing a member switch through enhanced stacking.
Chapter 20 Enhanced Stacking Commands

The enhanced stacking commands are summarized in Table 36.

Table 36. Enhanced Stacking Commands

Command | Mode | Description
“ESTACK COMMAND-SWITCH” on page 363 | Global Configuration | Designates the switch as the command switch.
“ESTACK RUN” on page 364 | Global Configuration | Activates enhanced stacking on the switch.
“NO ESTACK COMMAND-SWITCH” on page 365 | Global Configuration | Returns the switch to the state of being a member switch.
Table 36. Enhanced Stacking Commands

Command | Mode | Description
“UPLOAD IMAGE REMOTELIST” on page 376 | Global Configuration | Uploads the management software on the command switch of an enhanced stack to the member switches.
ESTACK COMMAND-SWITCH

Syntax
estack command-switch

Parameter
None

Mode
Global Configuration mode

Description
Use this command to set the enhanced stacking mode on the switch to the command mode. This command has the following guidelines:

Enhanced stacking must be activated on the switch. To activate enhanced stacking, refer to “ESTACK RUN” on page 364.
A switch that is a member of an active enhanced stack cannot be changed to the command mode.
ESTACK RUN

Syntax
estack run

Parameter
None

Mode
Global Configuration mode

Description
Use this command to activate enhanced stacking on the switch.
NO ESTACK COMMAND-SWITCH

Syntax
no estack command-switch

Parameter
None

Mode
Global Configuration mode

Description
Use this command to return the enhanced stacking mode on the switch to member switch from command switch. This command has the following guidelines:

The default setting for the enhanced stacking mode on the switch is member. So you would only use this command if you set the mode to command mode and now want to return it to member mode.
NO ESTACK RUN

Syntax
no estack run

Parameter
None

Mode
Global Configuration mode

Description
Use this command to disable enhanced stacking on the switch. The switch cannot use enhanced stacking when the feature is disabled. If you disable enhanced stacking on the command switch, you cannot use that switch to manage the switches in the stack. When you disable enhanced stacking on the command switch, its mode is reset to member mode.
RCOMMAND

Syntax
rcommand switch_id

Parameters
switch_id Specifies the ID number of a member switch you want to manage in the enhanced stack. This number is displayed with “SHOW ESTACK REMOTELIST” on page 373. You can enter only one ID number.

Mode
Global Configuration mode

Description
Use this command to redirect the management session from the command switch to a member switch in the enhanced stack.
REBOOT ESTACK MEMBER

Syntax
reboot estack member id_number | all

Parameters
id_number Specifies the enhanced stack ID number of a switch. The number is displayed with “SHOW ESTACK REMOTELIST” on page 373. You may specify the ID number of only one switch.
all Specifies all of the switches of the enhanced stack, except the command switch.
Examples
This example reboots a member switch that has the ID number 3:

awplus> enable
awplus# configure terminal
awplus(config)# reboot estack member 3

This example reboots all of the member switches of the enhanced stack:

awplus> enable
awplus# configure terminal
awplus(config)# reboot estack member all
SHOW ESTACK

Syntax
show estack

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display whether enhanced stacking is enabled or disabled on the switch and whether the switch’s mode is command or member. Figure 80 is an example of the information the command displays.

Enhanced Stacking mode ... Member [1]
MAC address .............. 00:15:77:cc:e2:42
Model Type ............... AT-9000/52
Version Number ........... AWPLUS 2.1.8.0

Figure 80.
Table 37. SHOW ESTACK Command (Continued)

Parameter | Description
Enhanced Stacking mode (Continued) | Member [1] - Enhanced stacking is enabled on the switch, and the switch is set to the member mode. If there is a number in the brackets, the switch detected a command switch on the common VLAN of the enhanced stack. The number is the switch’s stack ID number.
SHOW ESTACK COMMAND-SWITCH

Syntax
show estack command-switch

Parameters
None

Mode
Privileged Exec mode

Description
Use this command on a member switch in an enhanced stack to display the enhanced stacking information about the command switch. This command is equivalent to issuing the SHOW ESTACK command on the command switch. Figure 81 is an example of the information the command displays.
SHOW ESTACK REMOTELIST

Syntax
show estack remotelist [name] [series]

Parameters
name Sorts the list of switches by the host name.
series Sorts the list of switches by the model name.

Mode
Privileged Exec mode

Description
Use this command on the command switch to display the member switches of an enhanced stack. You may sort the names by MAC address, host name, or model series. The default is MAC address. An example is shown in Figure 82.
This example sorts the switches by host name:

awplus> enable
awplus# configure terminal
awplus(config)# show estack remotelist name

This example sorts the switches by model series:

awplus> enable
awplus# configure terminal
awplus(config)# show estack remotelist series
UPLOAD CONFIG REMOTELIST

Syntax
upload config remotelist

Parameters
None

Mode
Global Configuration mode

Description
Use this command to upload boot configuration files from the file system in the command switch of an enhanced stack to the member switches. The member switches store the files in their file systems as BOOT.CFG. The command displays two prompts.
UPLOAD IMAGE REMOTELIST

Syntax
upload image remotelist

Parameters
None

Mode
Global Configuration mode

Description
Use this command to upload the management software on the command switch of an enhanced stack to the member switches. The command displays the following prompt:

Remote switches will reboot after load is complete...
Caution
The member switches stop forwarding network traffic after they receive the management software from the command switch and as they write the file to their flash memory. Some network traffic may be lost.

Caution
Do not power off the member switches while they are writing the software to their flash memory.
Chapter 21 Port Mirror

This chapter discusses the following topics:

“Overview” on page 380
“Creating the Port Mirror or Adding New Source Ports” on page 381
“Removing Source Ports or Deleting the Port Mirror” on page 382
“Combining the Port Mirror with Access Control Lists” on page 383
“Displaying the Port Mirror” on page 385
Overview

The port mirror is a management tool that allows you to monitor the traffic on one or more ports on the switch. It works by copying the traffic from designated ports to another port where the traffic can be monitored with a network analyzer. The port mirror can be used to troubleshoot network problems or to investigate possible unauthorized network access. The performance and speed of the switch is not affected by the port mirror.
Creating the Port Mirror or Adding New Source Ports

The command to create the port mirror is the MIRROR INTERFACE command. You must perform this command from the Port Interface mode of the destination port of the port mirror.
Removing Source Ports or Deleting the Port Mirror

To remove source ports from the port mirror, enter the Port Interface mode of the destination port and issue the NO MIRROR INTERFACE command. Here is the format of the command:

no mirror interface source_ports

This example removes source port 2 from the port mirror. The destination port is port 11:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.11
awplus(config-if)# no mirror interface port1.0.
Combining the Port Mirror with Access Control Lists

You may combine the port mirror with an access control list to monitor a subset of the ingress traffic on a port. The access control list is used to specify the ingress traffic to be copied to the destination port of the port mirror. This feature only works on ingress packets because access control lists are only effective on those types of packets. You cannot use it to copy a subset of the egress packets on a port.
Chapter 21: Port Mirror awplus(config)# interface port1.0.14,port1.0.15 Enter the Port Interface modes for ports 14 and 15. awplus(config-if)# access-group 3008 Assign the access control list to the ports. awplus(config-if)# end Return to the Privileged Exec mode. awplus# show mirror Use the SHOW MIRROR command to confirm that port 18 is the destination port of the port mirror. Mirror-To-Port Name: Port1.0.
AT-9000 Switch Command Line User’s Guide Displaying the Port Mirror To display the port mirror, go to the Privileged Exec mode and enter the SHOW MIRROR command: awplus# show mirror In this example of the information, the port mirror is enabled, and the ingress and egress packets on ports 1 and 3, as well as the egress traffic on ports 11 to 13, are being copied to destination port 22. Destination Port Source Port Destination Port Source Port Mirror Test Port Name: port1.0.
Chapter 22 Port Mirror Commands
The port mirror commands are summarized in Table 38.
Table 38. Port Mirror Commands
Command | Mode | Description
“MIRROR” on page 388 | Port Interface | Designates the destination port for access control lists that use the copy-to-mirror action.
“MIRROR INTERFACE” on page 389 | Port Interface | Creates the port mirror and adds ports to the port mirror.
“NO MIRROR INTERFACE” on page 391 | Port Interface | Removes source ports from the port mirror and deletes the port mirror.
MIRROR
Syntax
mirror
Parameters
None
Mode
Port Interface mode
Description
Use this command to designate the destination port for the copy-to-mirror action in access control lists. You can designate only one destination port.
MIRROR INTERFACE
Syntax
mirror interface source_ports direction receive|transmit|both
Parameters
source_ports
Specifies a source port for the port mirror. You can specify more than one source port.
direction
Specifies the traffic to be mirrored from a source port to the destination port. The options are:
receive: Copies the ingress packets on a source port.
transmit: Copies the egress packets on a source port.
Example
This example configures the port mirror to copy the ingress traffic on ports 3 and 4, the source ports, to port 5, the destination port. If port 5 is already acting as the destination port of the port mirror, the commands add ports 3 and 4 to the port mirror:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.5
awplus(config-if)# mirror interface port1.0.3,port1.0.
NO MIRROR INTERFACE
Syntax
no mirror interface source_ports
Parameters
source_ports
Specifies a source port of the port mirror. You can specify more than one source port at a time in the command.
Mode
Port Interface mode
Description
Use this command to remove source ports from the port mirror or to delete the port mirror. You should enter this command in the Port Interface mode of the destination port of the port mirror.
SHOW MIRROR
Syntax
show mirror
Parameters
None
Modes
Privileged Exec mode
Description
Use this command to display the source and destination ports of the port mirror on the switch. An example is shown in Figure 85.
Mirror Test Port Name: port1.0.22
Mirror option: Enabled
Mirror direction: both
Monitored Port Name: port1.0.1
Mirror Test Port Name: port1.0.22
Mirror option: Enabled
Mirror direction: receive
Monitored Port Name: port1.0.
Table 39. SHOW MIRROR Command (Continued)
Parameter | Description
Mirror direction | The packets to be mirrored to the destination port. The states are listed here: Receive - The ingress packets of the source port are mirrored to the destination port. Transmit - The egress packets of the source port are mirrored to the destination port. Both - Both the ingress and egress packets of the source port are mirrored to the destination port.
Monitored Port Name |
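As an added example (not code from this guide or from Allied Telesis), the following Python parses SHOW MIRROR output into one record per monitored port and audits it against the mirror the operator intentionally configured, so an extra or changed mirror destination is noticed during a configuration review. The one-field-per-line layout and the sample values are assumptions reconstructed from Figure 85.

```python
"""Parse AT-9000 SHOW MIRROR output and audit it against an approved baseline.

Added example, not the switch's own code. The one-field-per-line layout is an
assumption reconstructed from Figure 85: each mirror entry is a block of
"Label: value" lines that begins with "Mirror Test Port Name". Port names are
compared case-insensitively because the guide prints both "port1.0.22" and
"Port1.0.18".
"""
from __future__ import annotations

from dataclasses import dataclass

RECORD_START = "Mirror Test Port Name"

# Constructed sample output in the layout described above (not a real capture).
SAMPLE_OUTPUT = """\
Mirror Test Port Name: port1.0.22
Mirror option: Enabled
Mirror direction: both
Monitored Port Name: port1.0.1
Mirror Test Port Name: port1.0.22
Mirror option: Enabled
Mirror direction: receive
Monitored Port Name: port1.0.3
"""


@dataclass(frozen=True)
class MirrorEntry:
    destination: str  # Mirror Test Port Name (where the analyzer is attached)
    enabled: bool     # Mirror option
    direction: str    # receive | transmit | both
    source: str       # Monitored Port Name


def _to_entry(fields: dict[str, str]) -> MirrorEntry | None:
    """Build an entry from one block of fields; None if the block is incomplete."""
    if RECORD_START not in fields:
        return None
    return MirrorEntry(
        destination=fields[RECORD_START].lower(),
        enabled=fields.get("Mirror option", "").lower() == "enabled",
        direction=fields.get("Mirror direction", "").lower(),
        source=fields.get("Monitored Port Name", "").lower(),
    )


def parse_show_mirror(text: str) -> list[MirrorEntry]:
    """Split SHOW MIRROR output into one MirrorEntry per monitored port."""
    entries: list[MirrorEntry] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank lines, figure captions, column headings
        label, _, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if label == RECORD_START and current:
            entry = _to_entry(current)
            if entry is not None:
                entries.append(entry)
            current = {}
        current[label] = value
    entry = _to_entry(current)
    if entry is not None:
        entries.append(entry)
    return entries


def audit_mirror(entries: list[MirrorEntry],
                 approved: set[tuple[str, str, str]]) -> list[str]:
    """Return one finding per enabled mirror entry that is not in `approved`.

    `approved` holds (destination, source, direction) tuples for the mirror the
    operator intentionally configured. Anything else copies traffic to a port
    nobody signed off on and should be investigated.
    """
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        if (e.destination, e.source, e.direction) not in approved:
            findings.append(
                f"unexpected mirror: {e.source} ({e.direction}) -> {e.destination}")
    return findings


if __name__ == "__main__":
    approved = {("port1.0.22", "port1.0.1", "both")}
    for finding in audit_mirror(parse_show_mirror(SAMPLE_OUTPUT), approved):
        print(finding)
```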
Chapter 23 Internet Group Management Protocol (IGMP) Snooping This chapter discusses the following topics: “Overview” on page 396 “Host Node Topology” on page 398 “Enabling IGMP Snooping” on page 399 “Configuring the IGMP Snooping Commands” on page 400 “Disabling IGMP Snooping” on page 402 “Displaying IGMP Snooping” on page 403 395
Overview
IGMP snooping allows the switch to control the flow of multicast packets from its ports. It enables the switch to forward packets of multicast groups to only ports that have host nodes that want to join the multicast groups. IGMP is used by IPv4 routers to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.
improves switch performance and network security by restricting the flow of multicast packets to only those switch ports that are connected to host nodes. If the switch is not using IGMP snooping and receives multicast packets, it floods the packets out all its ports, except the port on which it received the packets. Such flooding of packets can negatively impact network performance.
Host Node Topology
The switch has a host node topology setting. You use this setting to define whether there is more than one host node on each port on the switch. The switch refers to the topology to determine whether or not to continue transmitting multicast packets from ports that receive leave requests or where host nodes time out due to inactivity.
Enabling IGMP Snooping
The command to enable IGMP Snooping on the switch is the IP IGMP SNOOPING command in the Global Configuration mode. After you enter the command, the switch begins to build its multicast table as queries from the multicast router and reports from the host nodes arrive on its ports.
Configuring the IGMP Snooping Commands
This table lists the IGMP Snooping commands, with the exception of the enable, disable, and display commands, which are described in other sections of this chapter.
Table 40. IGMP Snooping Commands
To | Use This Command | Range
Clear all IGMP group membership records. | CLEAR IP IGMP | none
Specify the maximum number of multicast groups the switch will support. |
This example limits the switch to two multicast groups and specifies that there is only one host node per port:
awplus> enable
awplus# configure terminal
awplus(config)# ip igmp limit 2
awplus(config)# ip igmp status single
For more information about these commands, see “IP IGMP LIMIT” on page 407 and “IP IGMP STATUS” on page 413.
Disabling IGMP Snooping
The command to disable IGMP Snooping on the switch is the NO IP IGMP SNOOPING command in the Global Configuration mode. To disable IGMP Snooping:
awplus> enable
awplus# configure terminal
awplus(config)# no ip igmp snooping
When IGMP Snooping is disabled, the switch floods the multicast packets on all ports, except on ports that receive the packets.
Displaying IGMP Snooping
To display the settings of IGMP Snooping and its status, use the SHOW IP IGMP SNOOPING command in the User Exec mode or Privileged Exec mode:
awplus# show ip igmp snooping
Here is an example of the information the command displays:
IGMP Snooping Configuration:
IGMP Snooping Status ...............
Host Topology ......................
Host/Router Timeout Interval .......
Maximum IGMP Multicast Groups ......
Router Port(s) ....................
Chapter 24 IGMP Snooping Commands
The IGMP snooping commands are summarized in Table 41 and are described in detail within the chapter.
Table 41. Internet Group Management Protocol Snooping Commands
Command | Mode | Description
“CLEAR IP IGMP” on page 406 | Privileged Exec | Clears all IGMP group membership records.
“IP IGMP LIMIT” on page 407 | Global Configuration | Specifies the maximum number of multicast addresses the switch is allowed to learn.
CLEAR IP IGMP
Syntax
clear ip igmp
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to clear all IGMP group membership records on all VLANs.
IP IGMP LIMIT
Syntax
ip igmp limit multicastgroups
Parameter
multicastgroups
Specifies the maximum number of multicast addresses the switch is allowed to learn. The range is 0 to 255 multicast addresses; the default is 64 addresses.
Mode
Global Configuration mode
Description
Use this command to specify the maximum number of multicast addresses the switch can learn.
IP IGMP QUERIER-TIMEOUT
Syntax
ip igmp querier-timeout timeout
Parameters
timeout
Specifies the time period in seconds used by the switch to identify inactive host nodes and multicast routers. The range is from 0 to 65535 seconds. The default is 255 seconds. Setting the timeout to zero (0) disables the timer.
Mode
Global Configuration mode
Description
Use this command to specify the time period the switch uses to identify inactive host nodes and multicast routers.
IP IGMP SNOOPING
Syntax
ip igmp snooping
Parameters
None
Mode
Global Configuration mode
Description
Use this command to activate IGMP snooping on the switch.
Caution
The IP IGMP SNOOPING FLOOD-UNKNOWN-MCAST command is enabled by default when IGMP Snooping is activated. This may cause a slow-down of network data. If you want to disable flooding of unknown multicast packets, you must enter the NO IP IGMP SNOOPING FLOOD-UNKNOWN-MCAST command.
IP IGMP SNOOPING FLOOD-UNKNOWN-MCAST
Syntax
ip igmp snooping flood-unknown-mcast
Parameter
None
Mode
Global Configuration mode
Description
This command disables the automatic suppression of unknown multicast traffic on the switch. By default, IGMP Snooping does not suppress all unknown multicast traffic except for IPv4 reserved addresses 224.0.0.1 through 224.0.0.255.
awplus> enable
awplus# configure terminal
awplus(config)# ip igmp snooping
awplus(config)# ip igmp snooping flood-unknown-mcast
This example enables the automatic suppression of unknown multicast traffic on the switch:
awplus> enable
awplus# configure terminal
awplus(config)# no ip igmp snooping flood-unknown-mcast
IP IGMP SNOOPING MROUTER
Syntax
ip igmp snooping mrouter interface port
Parameter
port
Specifies a port connected to a multicast router. You can specify more than one port.
Mode
Global Configuration mode
Description
Use this command to manually specify ports that are connected to multicast routers. Manually specifying multicast router ports deactivates auto-detect. To reactivate auto-detect, remove all static multicast router ports.
IP IGMP STATUS
Syntax
ip igmp status single | multiple
Parameters
single
Activates the single-host per port setting, which is used when the ports on the switch have only one host node each.
multiple
Activates the multiple-host per port setting, which is used when the ports have more than one host node.
Mode
Global Configuration mode
Description
Use this command to specify the IGMP host node topology.
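The host node topology (“Host Node Topology” and IP IGMP STATUS), the group limit (IP IGMP LIMIT) and the host/router timeout (IP IGMP QUERIER-TIMEOUT) interact when a leave request or a silent host decides whether a port keeps receiving a group. The following Python model, added here and not the switch's own code, ties those three settings together; the leave behaviour per topology and the meaning of a limit of 0 are assumptions stated in the docstring.

```python
"""Model of the IGMP snooping decisions this chapter configures.

Added example, not the switch's code. It ties together three settings from
this chapter: IP IGMP STATUS (single | multiple host per port), IP IGMP LIMIT
(0 to 255 groups, default 64) and IP IGMP QUERIER-TIMEOUT (0 to 65535 s,
default 255, 0 disables the timer). Assumed semantics, beyond what the guide
states verbatim: a leave on a single-host port stops forwarding to that port
at once; on a multiple-host port the switch keeps forwarding until the port's
last report ages out, since another host there may still want the stream.
A limit of 0 is taken literally (no groups learned).
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_LIMIT = 64      # IP IGMP LIMIT default
DEFAULT_TIMEOUT = 255   # IP IGMP QUERIER-TIMEOUT default, seconds


@dataclass
class IgmpSnooper:
    topology: str = "single"        # "single" | "multiple", as in IP IGMP STATUS
    limit: int = DEFAULT_LIMIT      # maximum multicast groups learned
    timeout: int = DEFAULT_TIMEOUT  # seconds of silence before a port ages out
    # group address -> {port name: seconds since that port's last report}
    groups: dict[str, dict[str, int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.topology not in ("single", "multiple"):
            raise ValueError("topology must be 'single' or 'multiple'")
        if not 0 <= self.limit <= 255:
            raise ValueError("limit must be 0 to 255")
        if not 0 <= self.timeout <= 65535:
            raise ValueError("timeout must be 0 to 65535")

    def report(self, group: str, port: str) -> bool:
        """A membership report for `group` arrived on `port`.

        Returns False when the group is new and the limit is already reached,
        so the switch cannot learn it.
        """
        members = self.groups.get(group)
        if members is None:
            if len(self.groups) >= self.limit:
                return False
            members = self.groups[group] = {}
        members[port] = 0  # fresh report: restart the port's silence counter
        return True

    def leave(self, group: str, port: str) -> None:
        """A leave message for `group` arrived on `port`."""
        members = self.groups.get(group)
        if not members or port not in members:
            return
        if self.topology == "single":
            del members[port]          # only host on the port: stop at once
            if not members:
                del self.groups[group]
        # multiple-host topology: keep forwarding until the timer expires

    def tick(self, seconds: int) -> None:
        """Advance the clock; age out ports silent for `timeout` seconds."""
        if self.timeout == 0:
            return  # timer disabled
        for group in list(self.groups):
            members = self.groups[group]
            for port in list(members):
                members[port] += seconds
                if members[port] >= self.timeout:
                    del members[port]
            if not members:
                del self.groups[group]

    def forwarding_ports(self, group: str) -> set[str]:
        """Ports that currently receive packets addressed to `group`."""
        return set(self.groups.get(group, {}))


if __name__ == "__main__":
    # Mirrors the chapter's example: ip igmp limit 2 / ip igmp status single
    switch = IgmpSnooper(topology="single", limit=2)
    switch.report("239.1.1.1", "port1.0.3")
    switch.leave("239.1.1.1", "port1.0.3")
    print(switch.forwarding_ports("239.1.1.1"))  # set(): nothing left on the port
```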
NO IP IGMP SNOOPING
Syntax
no ip igmp snooping
Parameters
None
Mode
Global Configuration mode
Description
Use this command to deactivate IGMP snooping on the switch. When IGMP snooping is disabled, the switch floods multicast packets on all ports, except on ports that receive the packets.
NO IP IGMP SNOOPING MROUTER
Syntax
no ip igmp snooping mrouter interface port
Parameter
port
Specifies a multicast router port.
Mode
Global Configuration mode
Description
Use this command to remove static multicast router ports. Removing all multicast router ports activates auto-detect.
SHOW IP IGMP SNOOPING
Syntax
show ip igmp snooping
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display the IGMP snooping parameters. Figure 88 illustrates the information.
IGMP Snooping Configuration:
IGMP Snooping Status ...............
Host Topology ......................
Host/Router Timeout Interval .......
Maximum IGMP Multicast Groups ......
Router Port(s) .....................
The information the command displays is explained in Table 42.
Table 42. SHOW IP IGMP SNOOPING Command
Parameter | Description
IGMP Snooping Configuration
IGMP Snooping Status | The status of IGMP snooping on the switch. To enable or disable the feature, refer to “IP IGMP SNOOPING” on page 409 and “NO IP IGMP SNOOPING” on page 414, respectively.
Host Topology | The IGMP host node topology on the switch.
Table 42. SHOW IP IGMP SNOOPING Command (Continued)
Parameter | Description
Port/Trunk ID | The port of a multicast router. If the switch learned a router on a port trunk, the trunk ID number, instead of a port number, is displayed.
Router IP | The IP addresses of the multicast routers.
Exp. Time | The number of seconds remaining before the switch times out a multicast router if there are no further IGMP queries from it.
Chapter 25 Multicast Commands
The multicast commands are summarized in Table 43.
Table 43. Multicast Commands
Command | Mode | Description
“NO SWITCHPORT BLOCK EGRESS-MULTICAST” on page 420 | Port Interface | Resumes forwarding egress multicast packets on ports.
“NO SWITCHPORT BLOCK INGRESS-MULTICAST” on page 421 | Port Interface | Resumes forwarding ingress multicast packets on ports.
“SWITCHPORT BLOCK EGRESS-MULTICAST” on page 422 | Port Interface | Blocks egress multicast packets on ports.
NO SWITCHPORT BLOCK EGRESS-MULTICAST
Syntax
no switchport block egress-multicast
Parameters
None
Mode
Port Interface mode
Description
Use this command to resume forwarding of egress multicast packets on ports. This is the default setting on all of the ports on the switch.
NO SWITCHPORT BLOCK INGRESS-MULTICAST
Syntax
no switchport block ingress-multicast
Parameters
None
Mode
Port Interface mode
Description
Use this command to resume forwarding of ingress multicast packets on ports.
Confirmation Command
“SHOW INTERFACE” on page 193
Example
This example resumes forwarding of ingress multicast packets on ports 2 and 8:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.2,port1.0.
SWITCHPORT BLOCK EGRESS-MULTICAST
Syntax
switchport block egress-multicast
Parameters
None
Mode
Port Interface mode
Description
Use this command to block egress multicast packets on ports. By default, all ports on the switch are set to allow multicast packets.
Note
This feature does not block multicast packets that have reserved multicast addresses in the range of 01:80:C2:00:00:00 to 01:80:C2:00:00:0F.
SWITCHPORT BLOCK INGRESS-MULTICAST
Syntax
switchport block ingress-multicast
Parameters
None
Mode
Port Interface mode
Description
Use this command to block ingress multicast packets on ports.
Note
This feature does not block multicast packets that have reserved multicast addresses in the range of 01:80:C2:00:00:00 to 01:80:C2:00:00:0F.
Note
If IGMP snooping is disabled on the switch, all reports are suppressed on a port even if you enable this command.
Section III File System This section contains the following chapters: Chapter 26, “File System” on page 427 Chapter 27, “File System Commands” on page 435 Chapter 28, “Boot Configuration Files” on page 443 Chapter 29, “Boot Configuration File Commands” on page 449 Chapter 30, “File Transfer” on page 461 Chapter 31, “File Transfer Commands” on page 473 425
Chapter 26 File System This chapter discusses the following topics: “Overview” on page 428 “Copying Boot Configuration Files” on page 429 “Renaming Boot Configuration Files” on page 430 “Deleting Boot Configuration Files” on page 431 “Displaying the Specifications of the File System” on page 432 “Listing the Files in the File System” on page 433 427
Overview
The file system in the switch stores the following types of files:
Boot configuration files
Encryption key pairs
The file system has a flat directory structure. All the files are stored in the root directory. The file system does not support subdirectories.
Table 44. File Extensions and File Types
Extension | File Type
.cfg | Configuration file
.cer | Certificate file
.pem | Certificate enrollment request
.key | Public encryption key
.
Copying Boot Configuration Files
Maintaining a history of the configuration settings of the switch can prove useful in the event you need to undo recent changes and return the device to an earlier configuration. The best way to compile a configuration history of the unit is by periodically copying the active boot configuration file. The command for copying boot configuration files is the COPY command in the Privileged Exec mode. Here is the format:
copy sourcefile.
Renaming Boot Configuration Files
To rename boot configuration files in the file system, use the MOVE command, found in the Privileged Exec mode. Here is the format:
move filename1.cfg filename2.cfg
The FILENAME1 variable is the name of the file to be renamed and the FILENAME2 variable is the file’s new name. The filenames cannot contain spaces or special characters. This example renames the “Sales2sw.cfg” boot configuration file to “unit12a.
Deleting Boot Configuration Files
If the file system becomes cluttered with unnecessary configuration files, you can use the DELETE command in the Privileged Exec mode to delete them. The format of the command is:
delete filename.ext
This example deletes the configuration file “unit2a.cfg”:
awplus# delete unit2a.
Displaying the Specifications of the File System
The User Exec mode and the Privileged Exec mode have a command that lets you display the size of the file system, the amount of free space, and the amount of space used by the files currently stored in the file system. It is the SHOW FILE SYSTEMS command. Here is an example of the information.
Size (b) Free (b) Type Flags Prefixes S/D/V Lcl/Ntwk Avail
------------------------------------------------------------------------
2.0M 1.
Listing the Files in the File System
To view the names of the files in the file system of the switch, use the DIR command in the Privileged Exec mode:
awplus# dir
The command does not accept wildcards.
Chapter 27 File System Commands
The file system commands are summarized in Table 45.
Table 45. File System Commands
Command | Mode | Description
“COPY” on page 436 | Privileged Exec | Copies boot configuration files.
“DELETE” on page 437 | Privileged Exec | Deletes boot configuration files from the file system.
“DELETE FORCE” on page 438 | Privileged Exec | Deletes boot configuration files from the file system.
“DIR” on page 439 | Privileged Exec | Lists the files in the file system.
COPY
Syntax
copy sourcefile.cfg destinationfile.cfg
Parameters
sourcefile.cfg
Specifies the name of the boot configuration file you want to copy.
destinationfile.cfg
Specifies the name of the new copy of the file. The filename can be from 1 to 16 alphanumeric characters. The extension must be “.cfg”. Spaces and special characters are not allowed.
DELETE
Syntax
delete filename.cfg
Parameter
filename.cfg
Specifies the name of the boot configuration file to be deleted. You can use the wildcard “*” to replace any part of a filename to delete multiple configuration files.
Mode
Privileged Exec mode
Description
Use this command to delete boot configuration files from the file system in the switch. This command is equivalent to “DELETE FORCE” on page 438.
DELETE FORCE
Syntax
delete force filename.ext
Parameter
filename.ext
Specifies the name of the boot configuration file to be deleted. You can use the wildcard “*” to replace any part of a filename to delete multiple configuration files.
Mode
Privileged Exec mode
Description
Use this command to delete boot configuration files from the file system in the switch. This command is equivalent to “DELETE” on page 437.
DIR
Syntax
dir
Parameter
None
Mode
Privileged Exec mode
Description
Use this command to list the names of the files stored in the file system on the switch.
MOVE
Syntax
move filename1.cfg filename2.cfg
Parameters
filename1.cfg
Specifies the name of the boot configuration file to be renamed.
filename2.cfg
Specifies the new name for the file. The filename can be from 1 to 16 alphanumeric characters, not including the filename extension, which must be “.cfg”. The filename cannot contain spaces or special characters.
SHOW FILE SYSTEMS
Syntax
show file systems
Parameter
None
Mode
Privileged Exec mode
Description
Use this command to display the specifications of the file system in the switch. An example is shown in Figure 90.
Size (b) Free (b) Type Flags Prefixes S/D/V Lcl/Ntwk Avail
------------------------------------------------------------------------
2.0M 1.4M flash rw /cfg/ static local Y
Figure 90. SHOW FILE SYSTEMS Command
The fields are described in Table 46.
Table 46. SHOW FILE SYSTEMS Command (Continued)
Parameter | Description
S/D/V | The memory type: static, dynamic, or virtual.
Lcl/Ntwk | Whether the memory is located locally or via a network connection. This is always Local.
Chapter 28 Boot Configuration Files This chapter discusses the following topics: “Overview” on page 444 “Specifying the Active Boot Configuration File” on page 445 “Creating a New Boot Configuration File” on page 447 “Displaying the Active Boot Configuration File” on page 448 443
Overview
The changes that you make to the parameter settings of the switch are saved as a series of commands in a special file in the file system. The file is referred to as the active boot configuration file. This file is updated by the switch with your latest changes whenever you issue the WRITE command or the COPY RUNNING-CONFIG STARTUP-CONFIG command in the Privileged Exec mode.
Specifying the Active Boot Configuration File
To create or designate a new active boot configuration file for the switch, use the BOOT CONFIG-FILE command in the Global Configuration mode. Here is the format of the command:
boot config-file filename.cfg
The FILENAME.CFG parameter is the file name of the configuration file to act as the active boot configuration file for the switch.
Here are a couple of examples of the command. The first example creates a new active boot configuration file called “sw_product4.cfg”:
awplus> enable
awplus# configure terminal
awplus(config)# boot config-file sw_product4.cfg
After you enter the command, the switch creates the file in its file system, updates it with the current parameter settings, and finally marks it as the active boot configuration file.
Creating a New Boot Configuration File
It is a good idea to periodically make copies of the current configuration of the switch so that you can return the switch to an earlier configuration, if necessary. For this there is the COPY RUNNING-CONFIG command in the Privileged Exec mode. The command has this format:
copy running-config filename.
Displaying the Active Boot Configuration File
To display the name of the active boot configuration file on the switch, go to the Privileged Exec mode and enter the SHOW BOOT command. Here is the command:
awplus# show boot
Here is an example of the information.
Current software   : v2.1.1
Current boot image : v2.1.1
Backup boot image  : Not set
Default boot config: /cfg/boot.cfg
Current boot config: /cfg/switch2.cfg (file exists)
Figure 91.
Chapter 29 Boot Configuration File Commands
The boot configuration file commands are summarized in Table 47 and described in detail within the chapter.
Table 47. Boot Configuration File Commands
Command | Mode | Description
“BOOT CONFIG-FILE” on page 450 | Global Configuration | Designates or creates a new active boot configuration file for the switch.
“COPY RUNNING-CONFIG” on page 452 | Privileged Exec | Creates new boot configuration files that contain the current settings of the switch.
BOOT CONFIG-FILE
Syntax
boot config-file filename.cfg
Parameter
filename
Specifies the name of a boot configuration file that is to act as the active boot configuration file on the switch. The filename can be from 1 to 16 alphanumeric characters. The extension must be “.cfg”.
Mode
Global Configuration mode
Description
Use this command to designate the active boot configuration file on the switch.
Confirmation Command
“SHOW BOOT” on page 456.
Examples
This example designates a file called “region2asw.cfg” as the switch’s active configuration file. This example assumes that the file is completely new. The switch creates the file, with its current parameter settings, and then designates it as the active boot configuration file:
awplus> enable
awplus# configure terminal
awplus(config)# boot config-file region2asw.cfg
This example designates the file “sw12a.
COPY RUNNING-CONFIG
Syntax
copy running-config filename.cfg
Parameter
filename
Specifies a name for a new boot configuration file. The name can be from 1 to 16 alphanumeric characters. The extension must be “.cfg”.
Mode
Privileged Exec mode
Description
Use this command to create new boot configuration files. Stored in the file system on the switch, the files contain the current settings of the switch.
COPY RUNNING-CONFIG STARTUP-CONFIG
Syntax
copy running-config startup-config
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to update the active boot configuration file with the switch’s current configuration, for permanent storage. When you enter the command, the switch copies its parameter settings into the active boot configuration file. The switch saves only those parameters that have been changed from their default settings.
ERASE STARTUP-CONFIG
Syntax
erase startup-config
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to restore the default settings to all the parameters on the switch. Review the following information before using this command:
This command does not delete the files in the switch’s file system or the encryption keys in the key database. To delete those files, refer to “DELETE” on page 437 and “CRYPTO KEY DESTROY HOSTKEY” on page 1312.
NO BOOT CONFIG-FILE
Syntax
no boot config-file
Parameter
None
Mode
Global Configuration mode
Description
Use this command to configure the switch with the settings in the default BOOT.CFG file.
Caution
This command causes the switch to reset. It does not forward network traffic while it initializes the management software. Some network packets may be lost.
After the switch finishes initializing its management software, it uses the BOOT.
SHOW BOOT
Syntax
show boot
Parameter
None
Mode
Privileged Exec mode
Description
Use this command to display the name of the active boot configuration file and the version numbers of the management software and bootloader. Figure 92 is an example of the information.
Current software   : v2.1.1
Current boot image : v2.1.1
Default boot config: /cfg/boot.cfg
Current boot config: /cfg/switch2.cfg (file exists)
Figure 92.
Example
This command displays the name of the active boot configuration file and the version numbers of the management software and bootloader.
SHOW STARTUP-CONFIG
Syntax
show startup-config
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display the contents of the active boot configuration file.
WRITE
Syntax
write
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to update the active boot configuration file with the switch’s current configuration, for permanent storage. When you enter the command, the switch copies its parameter settings into the active boot configuration file. The switch saves only those parameters that have been changed from their default settings.
Chapter 30 File Transfer This chapter discusses the following topics: “Overview” on page 462 “Uploading or Downloading Files with TFTP” on page 463 “Uploading or Downloading Files with Zmodem” on page 467 “Downloading Files with Enhanced Stacking” on page 470 461
Chapter 30: File Transfer Overview This chapter discusses how to download files onto the switch and upload files onto the switch. You can download the following file types to the switch: New versions of the management software Boot configuration files (Refer to Chapter 28, “Boot Configuration Files” on page 443.) Public or private CA certificates (Refer to Chapter 86, “Secure HTTPS Web Browser Server” on page 1333.
AT-9000 Switch Command Line User’s Guide Uploading or Downloading Files with TFTP “Downloading New Management Software with TFTP” next “Downloading Files to the Switch with TFTP” on page 464 “Uploading Files from the Switch with TFTP” on page 465 These procedures can be performed from a local management session or a remote Telnet or SSH session. Here are the TFTP requirements: Downloading New Management Software with TFTP The switch must have a management IP address.
Chapter 30: File Transfer The IPADDRESS parameter is the IP address of the TFTP server, and the FILENAME parameter is the name of the new management software file to be downloaded to the switch from the TFTP server. The filename must include the “.img” extension and cannot contain spaces. In this example of the command, the IP address of the TFTP server is 149.11.124.5 and the filename of the new management software to be downloaded from the server is “at-9000_sw.img”: awplus# copy tftp flash 149.11.124.
AT-9000 Switch Command Line User’s Guide In this example of the command, the IP address of the TFTP server is 152.34.67.8, and the filename of the boot configuration to be downloaded from the server is “switch2a.cfg”: awplus# copy tftp flash 152.34.67.8 switch2a.cfg After receiving the entire file, the switch stores it in the file system. 4. To confirm that the switch received the file, use the DIR command in the Privileged Exec mode to list the files in the file system. 5.
Chapter 30: File Transfer To upload a file from the file system of the switch using TFTP: 1. Start a local or remote management session on the switch. 2. Use the DIR command in the Privileged Exec mode to confirm the name of the file you want to upload from the file system in the switch. 3. The command for uploading files from the switch with TFTP is the COPY FLASH TFTP command in the Privileged Exec mode.
Uploading or Downloading Files with Zmodem
“Downloading Files to the Switch with Zmodem” next
“Uploading Files from the Switch with Zmodem” on page 468
Note
You may not use Zmodem to download new versions of the management software to the switch. For that, you must use TFTP.
Downloading Files to the Switch with Zmodem
You may use Zmodem to download boot configuration files and encryption key certificates to the file system in the switch.
7. At this point, do one of the following:
To configure the switch using the settings in the newly designated active boot configuration file, reset the switch with the REBOOT command in the Privileged Exec mode.
Caution
The switch does not forward packets while it is initializing its management software. Some network traffic may be lost.
After you enter the command, the switch displays this message:
Waiting to send ...
4. Use your terminal or terminal emulator program to begin the upload. The upload must be Zmodem. The upload should take only a few moments. The upload is finished when the Privileged Exec prompt is displayed again.
Downloading Files with Enhanced Stacking
If you are using the enhanced stacking feature, you can automate the process of updating the management software in the switches by having the command switch download its management software to the other switches in the stack.
Caution
The switch automatically resets when it receives a new version of the management software. It does not forward network traffic while it writes the new software to flash memory and initializes the software.
4. Enter the ID numbers of the switches to receive the management software from the command switch. The ID numbers are the numbers in the Num column in the SHOW ESTACK REMOTELIST command. You can update more than one switch at a time. For example, to update switches 1 and 2 in Figure 93, you would enter:
Remote switches will reboot after load is complete.
Enter the list of switches -> 1,2
The command switch starts the download process with the first switch.
Chapter 31
File Transfer Commands
The file transfer commands are summarized in Table 49 and described in detail within the chapter.
Table 49. File Transfer Commands
Command | Mode | Description
“COPY FILENAME ZMODEM” on page 474 | Privileged Exec | Uses Zmodem to upload files from the file system in the switch.
“COPY FLASH TFTP” on page 475 | Privileged Exec | Uses TFTP to upload files from the switch.
COPY FILENAME ZMODEM
Syntax
copy filename.cfg zmodem
Parameters
filename  Specifies the filename of a configuration file to upload from the file system in the switch. The filename cannot contain spaces and must include the extension “.cfg”. You can specify one filename.
Mode
Privileged Exec mode
Description
Use this command together with a Zmodem utility to upload boot configuration files from the file system in the switch to your terminal or computer.
COPY FLASH TFTP
Syntax
copy flash tftp ipaddress filename
Parameters
ipaddress  Specifies the IP address of a TFTP server on your network.
filename  Specifies the filename of a configuration file to upload from the file system in the switch to a TFTP server. The filename cannot contain spaces and must include the extension “.cfg”. You can specify one filename.
COPY TFTP FLASH
Syntax
copy tftp flash ipaddress filename
Parameters
ipaddress  Specifies the IP address of a TFTP server on your network.
filename  Specifies the filename of the file on the TFTP server to download to the switch. The file can be a new version of the management software, a boot configuration file or a CA certificate. The filename extensions are “.img” for management software, “.cfg” for boot configuration files, and “.pem” for CA certificates.
Examples
This example downloads the new management software file “at9000_app.img” to the switch from a TFTP server that has the IP address 149.22.121.45:
awplus> enable
awplus# copy tftp flash 149.22.121.45 at9000_app.img
This example downloads the boot configuration file “sw12a.cfg” to the switch from a TFTP server with the IP address 112.141.72.11:
awplus> enable
awplus# copy tftp flash 112.141.72.11 sw12a.
COPY ZMODEM
Syntax
copy zmodem
Parameters
None
Mode
Privileged Exec mode
Description
Use this command together with a Zmodem utility to download boot configuration files or CA certificates to the file system in the switch. This command must be performed from a local management session. For instructions on how to use this command, refer to “Downloading Files to the Switch with Zmodem” on page 467.
UPLOAD IMAGE REMOTELIST
Syntax
upload image remotelist
Parameters
None
Mode
Global Configuration mode
Description
Use this command to download the management software on the command switch to other switches in an enhanced stack. For background information on enhanced stacking, refer to Chapter 19, “Enhanced Stacking” on page 337.
Section IV
Event Messages
This section contains the following chapters:
Chapter 32, “Event Log” on page 483
Chapter 33, “Event Log Commands” on page 487
Chapter 34, “Syslog Client” on page 499
Chapter 35, “Syslog Client Commands” on page 507
Chapter 32
Event Log
This chapter covers the following topics:
“Overview” on page 484
“Displaying the Event Log” on page 485
“Clearing the Event Log” on page 486
Overview
A managed switch is a complex piece of computer equipment that includes both hardware and software components. Multiple software features operate simultaneously, inter-operating with each other and processing large amounts of network traffic. It is often difficult to determine exactly what is happening when a switch appears not to be operating normally, or what happened when a problem occurred.
Displaying the Event Log
There are two commands to display the messages stored in the event log. Both display the same messages and both are found in the Privileged Exec mode. The only difference is that one displays the messages from oldest to newest and the other from newest to oldest. The first command is the SHOW LOG command. If you are more interested in the older messages, this is the command to use.
Clearing the Event Log
To clear all the messages from the event log, use the CLEAR LOG BUFFERED command in the Privileged Exec mode.
Chapter 33
Event Log Commands
The event log commands are summarized in Table 50 and described in detail within this chapter.
Table 50. Event Log Commands
Command | Mode | Description
“CLEAR LOG BUFFERED” on page 488 | Privileged Exec | Deletes all entries in the event log.
“LOG BUFFERED” on page 489 | Global Configuration | Specifies the types of event messages to be stored in the event log.
“NO LOG BUFFERED” on page 491 | Global Configuration | Cancels the settings set by the LOG BUFFERED command.
CLEAR LOG BUFFERED
Syntax
clear log buffered
Parameters
None.
Mode
Privileged Exec mode
Description
Use this command to delete the event messages in the event log.
LOG BUFFERED
Syntax
log buffered level level program program
Parameters
level  Specifies the minimum severity level of the event messages to be stored in the event log. The log stores the messages of the specified level and all higher levels. For instance, if you specify level 4, the log stores the messages for levels 0 and 4. The available severity levels are listed in Table 51.
Confirmation Command
“SHOW LOG CONFIG” on page 496
Examples
This example configures the log to save event messages that have the severity level 0 or 4:
awplus> enable
awplus# configure terminal
awplus(config)# log buffered level 4
This example configures the event log to save event messages that are generated by IGMP snooping (IGMPSNOOP), LACP (LACP) and port configuration (PCFG):
awplus> enable
awplus# configure terminal
awplus(config)# log buffered program igmpsnoop,lacp,
NO LOG BUFFERED
Syntax
no log buffered [level level]|[program program]|[msgtext msgtext]
Parameters
level  Specifies the severity level setting.
program  Specifies the management software module setting. To specify more than one module, separate the modules with commas.
msgtext  Specifies a text string setting.
Mode
Global Configuration mode
Description
Use this command to cancel the settings set by the log buffered command.
Output ID | Type | Status | Details
1 | Temporary | Enabled | Wrap on Full
SHOW LOG
Syntax
show log
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display the messages in the buffered event log. The event messages are displayed from oldest to newest, one screen at a time. To cancel the display, type ‘q’ for quit. You cannot filter the log for specific types of messages. An example of the log is shown in Figure 95.
Table 52. SHOW LOG Command (continued)
Parameter | Description
Severity (continued) | Warning: The issue reported by the message may require manager attention. Debug: Messages intended for technical support and software development.
Program | The module listed in Table 53 that generated the event message.
Message | The event message.
Table 53 lists the modules and their abbreviations.
Table 53.
SHOW LOG CONFIG
Syntax
show log config
Parameters
None
Modes
Privileged Exec mode
Description
Use this command to display the configuration of the event log.
awplus# show log config
Figure 96. SHOW LOG CONFIG Command
The fields in the display are described here:
Table 54. SHOW LOG CONFIG Command
Field | Description
Level | The severity levels of the messages to be stored in the log. The default is level 6, Informational, and higher.
SHOW LOG REVERSE
Syntax
show log reverse
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display the event messages in the buffered log from newest to oldest. This command and the SHOW LOG command display the same messages, but in different order. The SHOW LOG command displays the messages from oldest to newest. To cancel the display, type ‘q’ for quit. You cannot filter the log for specific types of messages.
SHOW LOG TAIL
Syntax
show log tail [number]
Parameter
number  Specifies the number of event messages to display. The range is 10 to 250 messages. The default is 10 messages.
Mode
Privileged Exec mode
Description
Use this command to display the most recent event messages in the buffered event log. The NUMBER parameter is used to specify the number of messages to display. The messages are displayed from oldest to newest.
Chapter 34
Syslog Client
This chapter covers the following topics:
“Overview” on page 500
“Creating Syslog Server Definitions” on page 501
“Deleting Syslog Server Definitions” on page 504
“Displaying the Syslog Server Definitions” on page 505
Overview
The switch has a syslog client. The client enables the switch to send its event messages to syslog servers on your network, for permanent storage. To store the switch’s event messages on a syslog server, you have to create a syslog server definition. The contents of a definition consist of an IP address of a syslog server and other information, such as the types of event messages the switch is to send.
Creating Syslog Server Definitions
To configure the switch to send event messages to a syslog server, create a syslog server definition with the LOG HOST command in the Global Configuration mode. Here is the format of the command:
log host ipaddress [level level] [program program]
This command creates just one definition at a time. The IPADDRESS parameter is the IP address of a syslog server you want to receive event messages. You can specify just one address.
Table 56. Program Abbreviations
Abbreviation | Program
ENCO | Encryption keys
ESTACK | Enhanced stacking
EVTLOG | Event log
FILE | File system
GARP | GARP GVRP
HTTP | Web server
IGMPSNOOP | IGMP snooping
IP | System IP configuration
LACP | Link Aggregation Control Protocol
LLDP | LLDP and LLDP-MED
MAC | MAC address table
PACCESS | 802.
Table 56. Program Abbreviations (continued)
Abbreviation | Program
TACACS | TACACS+ authentication protocol
TELNET | Telnet
TFTP | TFTP
TIME | System time and SNTP
VLAN | Port-based and tagged VLANs, and multiple VLAN modes
WATCHDOG | Watchdog timer
This example of the command creates a new syslog definition for a syslog server that has the IP address 149.24.111.23. The definition sends all event messages to the designated server.
Deleting Syslog Server Definitions
To delete syslog server definitions from the switch, use the NO LOG HOST command in the Global Configuration mode. The format of the command is:
no log host ipaddress
To view the IP addresses of the syslog servers of the definitions, use the SHOW LOG CONFIG command. You can delete just one definition at a time with this command. The switch stops sending event messages to a syslog server as soon as you delete a definition.
Displaying the Syslog Server Definitions
To view the IP addresses of the syslog servers use the SHOW LOG CONFIG command in the Privileged Exec mode:
awplus# show log config
Here is an example of the information.
Permanent log:
  Status ................
  Filter:
    Level ..............
    Program ............
    Message Text .......
Host 149.132.45.75:
  Filter:
    Level ..............
    Program ............
    Message Text .......
Host 149.132.101.128:
  Filter:
    Level ..............
Chapter 35
Syslog Client Commands
The syslog client commands are summarized in Table 57 and described in detail within the chapter.
Table 57. Syslog Client Commands
Command | Mode | Description
“LOG HOST” on page 508 | Global Configuration | Creates syslog server definitions.
“NO LOG HOST” on page 510 | Global Configuration | Deletes syslog server definitions.
“SHOW LOG CONFIG” on page 511 | Privileged Exec | Displays the syslog server definitions.
LOG HOST
Syntax
log host ipaddress [level level] [program program]
Parameters
ipaddress  Specifies the IP address of a syslog server. You can specify one address.
level  Specifies the minimum severity level of the messages to be sent to the designated syslog server. The severity levels are listed in Table 55 on page 501. You can specify only one severity level. Omit this parameter to send messages of severity levels 0, 4, and 6.
This example creates a new syslog definition for a syslog server that has the IP address 149.152.122.143. The definition sends only those messages that have a minimum severity level of 4 and that are generated by the RADIUS client (RADIUS) and static port trunks (PTRUNK):
awplus> enable
awplus# configure terminal
awplus(config)# log host 149.152.122.
NO LOG HOST
Syntax
no log host ipaddress
Parameters
ipaddress  Specifies an IP address of a syslog server.
Mode
Global Configuration mode
Description
Use this command to delete syslog server definitions from the switch.
Confirmation Command
“SHOW LOG CONFIG” on page 511
Example
This example deletes a syslog server definition with the server IP address 149.122.45.78:
awplus> enable
awplus# configure terminal
awplus(config)# no log host 149.122.45.
SHOW LOG CONFIG
Syntax
show log config
Parameters
None
Modes
Privileged Exec mode
Description
Use this command to display the syslog server definitions on the switch. Figure 98 is an example of the information displayed.
Permanent log:
  Status ................
  Filter:
    Level ..............
    Program ............
    Message Text .......
Host 149.132.45.75:
  Filter:
    Level ..............
    Program ............
    Message Text .......
Example
This example displays the configurations of the syslog server entries:
awplus# show log config
Section V
Port Trunks
This section contains the following chapters:
Chapter 36, “Static Port Trunks” on page 515
Chapter 37, “Static Port Trunk Commands” on page 525
Chapter 38, “Link Aggregation Control Protocol (LACP)” on page 533
Chapter 39, “LACP Commands” on page 545
Chapter 36
Static Port Trunks
This chapter covers the following topics:
“Overview” on page 516
“Creating New Static Port Trunks or Adding Ports To Existing Trunks” on page 520
“Specifying the Load Distribution Method” on page 521
“Removing Ports from Static Port Trunks or Deleting Trunks” on page 522
“Displaying Static Port Trunks” on page 523
Overview
Static port trunks are groups of two to eight ports that act as single virtual links between the switch and other network devices. Static port trunks are commonly used to improve network performance by increasing the available bandwidth between the switch and other network devices and to enhance the reliability of the connections between network devices. Figure 99 is an example of a static port trunk of four links between two AT-9000 Switches.
Source MAC Address / Destination MAC Address (Layer 2)
Source IP Address (Layer 3)
Destination IP Address (Layer 3)
Source IP Address / Destination IP Address (Layer 3)
The load distribution methods examine the last three bits of a packet’s MAC or IP address and compare the bits against mappings assigned to the ports in the trunk. The port mapped to the matching bits is selected as the transmission port for a packet.
For example, assume you selected source and destination MAC addresses for the load distribution method in our previous example, and that a packet for transmission over the trunk had a source MAC address that ended in 9 and a destination address that ended in 3. The binary values are:
9 = 1001
3 = 0011
Applying the XOR rules above on the last three bits results in 010, or 2. An examination of the table above shows that the packet is transmitted from port 9.
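The selection rule in the two paragraphs above, as an added Python model that is not Allied Telesis code: it derives the 3-bit value for each PORT-CHANNEL LOAD-BALANCE method (last three bits of one address, or the XOR of both addresses' last three bits for the src-dst methods) and looks that value up in a value-to-port mapping, then counts how a constructed traffic mix spreads over the trunk under two methods. The switch's own mapping table is not reproduced on this page, so the round-robin mapping, the port names and the flows are assumptions, and the port chosen for the manual's 9/3 case can differ from the port 9 the text gives.

```python
"""Model of the trunk load-distribution rule: last three bits of the MAC or IP
address, XORed for the src-dst methods, mapped to a trunk port.

Added illustration, not Allied Telesis code.  The value-to-port mapping is a
constructed assumption (the manual's table is not reproduced here)."""
import ipaddress
from itertools import cycle

METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def last_three_bits_mac(mac):
    """Low three bits of the final octet of a MAC written as xx-xx-.. or xx:xx:.."""
    last_octet = mac.replace(":", "-").split("-")[-1]
    return int(last_octet, 16) & 0b111


def last_three_bits_ip(ip):
    """Low three bits of the address as an integer (the last octet's low bits)."""
    return int(ipaddress.ip_address(ip)) & 0b111


def hash_value(method, src_mac="", dst_mac="", src_ip="", dst_ip=""):
    """3-bit value (0..7) that the given load-balance method yields for a packet."""
    if method == "src-mac":
        return last_three_bits_mac(src_mac)
    if method == "dst-mac":
        return last_three_bits_mac(dst_mac)
    if method == "src-dst-mac":
        return last_three_bits_mac(src_mac) ^ last_three_bits_mac(dst_mac)
    if method == "src-ip":
        return last_three_bits_ip(src_ip)
    if method == "dst-ip":
        return last_three_bits_ip(dst_ip)
    if method == "src-dst-ip":
        return last_three_bits_ip(src_ip) ^ last_three_bits_ip(dst_ip)
    raise ValueError(f"unknown method {method!r}; expected one of {METHODS}")


def build_port_mapping(trunk_ports):
    """Constructed mapping: the eight possible values dealt round-robin over
    the two to eight trunk ports (the real switch table may differ)."""
    if not 2 <= len(trunk_ports) <= 8:
        raise ValueError("a static port trunk has two to eight ports")
    return dict(zip(range(8), cycle(trunk_ports)))


def select_port(method, trunk_ports, **addresses):
    """Port the packet would be transmitted on under the constructed mapping."""
    return build_port_mapping(trunk_ports)[hash_value(method, **addresses)]


def distribution(method, trunk_ports, flows):
    """Packets per port for a list of flows.  A flow is a dict of the keyword
    addresses hash_value accepts.  Shows whether the chosen method spreads
    the traffic mix or pins it all to one link of the trunk."""
    counts = {port: 0 for port in trunk_ports}
    for flow in flows:
        counts[select_port(method, trunk_ports, **flow)] += 1
    return counts


if __name__ == "__main__":
    # Constructed four-port trunk.
    trunk = ["port1.0.9", "port1.0.10", "port1.0.11", "port1.0.12"]
    # The manual's worked case: source MAC ending in 9, destination ending in 3.
    print(hash_value("src-dst-mac", src_mac="00-00-00-00-00-09",
                     dst_mac="00-00-00-00-00-03"))  # 001 XOR 011 = 010 = 2
    # Constructed mix: sixteen clients all sending to one server MAC.
    flows = [{"src_mac": f"00-00-00-00-00-{i:02X}", "dst_mac": "00-00-00-00-00-A0"}
             for i in range(16)]
    print(distribution("dst-mac", trunk, flows))      # one destination: one port
    print(distribution("src-dst-mac", trunk, flows))  # spread over all four
```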
are compatible with the device to which the trunk will be connected. When you create a static port trunk, the management software copies the current settings of the lowest numbered port in the trunk to the other ports, so that all the ports have the same settings. For example, if you create a port trunk of ports 5 to 8, the parameter settings for port 5 are copied to ports 6, 7, and 8 so that all the ports of the trunk have the same settings.
Creating New Static Port Trunks or Adding Ports To Existing Trunks
The command to create new static port trunks or to add ports to existing trunks is the STATIC-CHANNEL-GROUP command. Here is the format of the command:
static-channel-group id_number
You perform the command from the Port Interface mode of the ports the trunk is to contain.
Specifying the Load Distribution Method
The load distribution method defines how the switch distributes the traffic among the ports of a trunk. The command for this is the PORT-CHANNEL LOAD-BALANCE command, in the Static Port Trunk Interface mode. The command’s format is shown here:
port-channel load-balance dst-ip|dst-mac|src-dst-ip|src-dst-mac|src-ip|src-mac
The variables are defined here:
src-mac  Specifies source MAC address as the load distribution method.
Removing Ports from Static Port Trunks or Deleting Trunks
To remove ports from a static port trunk, enter the Port Interface mode of the ports to be removed and issue the NO STATIC-CHANNEL-GROUP command. This example removes ports 4 and 5 from their current static port trunk assignment:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.4,port1.0.5
awplus(config-if)# no static-channel-group
To delete a static port trunk, remove all its member ports.
Displaying Static Port Trunks
To display the member ports of static port trunks, use the SHOW STATIC-CHANNEL-GROUP command in the User Exec mode or Privileged Exec mode:
awplus# show static-channel-group
Here is an example of the information.
% Static Aggregator: sa1
% Member:
  port1.0.5
  port1.0.6
  port1.0.7
% Static Aggregator: sa2
% Member:
  port1.0.19
  port1.0.20
  port1.0.21
  port1.0.22
Figure 100.
Chapter 37
Static Port Trunk Commands
The static port trunk commands are summarized in Table 58 and described in detail within the chapter.
Table 58. Static Port Trunk Commands
Command | Mode | Description
“NO STATIC-CHANNEL-GROUP” on page 526 | Port Interface | Removes ports from existing static port trunks and deletes trunks from the switch.
“PORT-CHANNEL LOAD-BALANCE” on page 527 | Static Port Trunk Interface | Sets the load distribution methods of static port trunks.
NO STATIC-CHANNEL-GROUP
Syntax
no static-channel-group
Parameters
None
Mode
Port Interface mode
Description
Use this command to remove ports from static port trunks and to delete trunks. To delete a trunk, remove all its ports.
Caution
To prevent the formation of loops in your network topology, do not remove ports from a static port trunk without first disconnecting their network cable.
PORT-CHANNEL LOAD-BALANCE
Syntax
port-channel load-balance src-mac|dst-mac|src-dst-mac|src-ip|dst-ip|src-dst-ip
Parameters
src-mac  Specifies source MAC address as the load distribution method.
dst-mac  Specifies destination MAC address.
src-dst-mac  Specifies source address/destination MAC address.
src-ip  Specifies source IP address.
dst-ip  Specifies destination IP address.
src-dst-ip  Specifies source address/destination IP address.
Example
This example sets the load distribution method to destination MAC address for a trunk with an ID number 4:
awplus> enable
awplus# configure terminal
awplus(config)# interface sa4
awplus(config-if)# port-channel load-balance dst-mac
SHOW STATIC-CHANNEL-GROUP
Syntax
show static-channel-group
Parameters
None
Modes
User Exec mode and Privileged Exec mode
Description
Use this command to display the member ports of static port trunks on the switch. An example of the command is shown in Figure 101.
% Static Aggregator: sa1
% Member:
  port1.0.5
  port1.0.6
  port1.0.7
% Static Aggregator: sa2
% Member:
  port1.0.19
  port1.0.20
  port1.0.21
  port1.0.22
Figure 101.
STATIC-CHANNEL-GROUP
Syntax
static-channel-group id_number
Parameters
id_number  Specifies an ID number of a static port trunk. The range is 1 to 32. You can specify just one ID number.
Mode
Port Interface mode
Description
Use this command to create new static port trunks and to add ports to existing trunks. To create a new trunk, specify an unused ID number. To add ports to an existing trunk, specify an ID number of an existing trunk.
Ports can be members of just one static port trunk at a time. A port that is already a member of a trunk cannot be added to another trunk until it is first removed from its current trunk assignment. To remove ports from static port trunks, see “NO STATIC-CHANNEL-GROUP” on page 526. Allied Telesis does not recommend using twisted pair ports 25R to 28R on the AT-9000/28 and AT-9000/28SP Managed Layer 2 ecoSwitches in static port trunks.
Chapter 38
Link Aggregation Control Protocol (LACP)
This chapter covers the following topics:
“Overview” on page 534
“Creating New Aggregators” on page 537
“Setting the Load Distribution Method” on page 538
“Adding Ports to Aggregators” on page 539
“Removing Ports from Aggregators” on page 540
“Deleting Aggregators” on page 541
“Displaying Aggregators” on page 542
Overview
The Link Aggregation Control Protocol (LACP) is used to increase the bandwidth between the switch and other LACP-compatible devices by grouping ports together to form single virtual links. LACP trunks are similar in function to static port trunks, but they are more flexible. The implementations of static trunks tend to be vendor specific and so may not always be compatible.
Base Port
The lowest numbered port in an aggregator is referred to as the base port. You cannot change the base port of an aggregator. You can neither delete it from an aggregator nor add any ports that are below it. For example, if an aggregator consists of ports 5 to 12, you cannot delete port 5 because it is the base port, and you are not allowed to add ports 1 to 4 to the aggregator.
The lowest numbered port in an aggregator is called the base port. You cannot add ports that are below the base port of an aggregator. For example, you cannot add ports 1 to 3 to an aggregator that consists of ports 4 to 8. You must delete and recreate an aggregator to change its base port. The load distribution method is applied at the aggregator level. For further information, refer to “Load Distribution Methods” on page 516.
Creating New Aggregators
To create a new aggregator, move to the Port Interface mode of the aggregator’s member ports and issue the CHANNEL-GROUP command, which has this format:
channel-group id_number
The ID_NUMBER parameter has a range of 1 to 32. Each aggregator must be assigned a unique ID number.
Setting the Load Distribution Method
The load distribution method determines the manner in which the switch distributes the egress packets among the active ports of an aggregator. The packets can be distributed by source MAC or IP address, destination MAC or IP address, or by both source and destination addresses. The distribution methods are discussed in “Load Distribution Methods” on page 516.
Adding Ports to Aggregators
The command to add ports to existing aggregators is the same command to create new aggregators, the CHANNEL-GROUP command in the Port Interface mode. To use the command, move to the Port Interface mode of the ports you want to add to an aggregator and issue the command.
Note
You cannot add to an aggregator any ports that are below the base port. For instance, you cannot add any ports below port 15 to an aggregator that has ports 15 to 22.
Removing Ports from Aggregators
To remove ports from an aggregator, use the NO CHANNEL-GROUP command, in the Port Interface mode. Move to the Port Interface mode for those ports you want to remove from an aggregator and enter the command. You can remove ports from only one aggregator at a time.
Caution
Do not remove a port from an aggregator without first disconnecting the network cable.
Deleting Aggregators
To delete an aggregator, remove all its ports with the NO CHANNEL-GROUP command, in the Port Interface mode.
Caution
Do not delete an aggregator without first disconnecting the network cables from its ports. Leaving the network cables connected may result in a network loop, which can cause a broadcast storm.
Displaying Aggregators
There are five SHOW commands for LACP. Two of them are mentioned here. For descriptions of all the commands, refer to Chapter 39, “LACP Commands” on page 545. The first command is the SHOW ETHERCHANNEL DETAIL command in the Privileged Exec mode. It displays configuration information and operation status about the aggregators on the switch.
Here is an example of the information.
System Priority: 0x0080 (32768)
Mac Address: EC-CD-6D-1E-52-28
Figure 103. SHOW LACP SYS-ID Command
It should be mentioned that while the system priority value is set as an integer with the LACP SYSTEM-PRIORITY command, this command displays it in hexadecimal format.
Chapter 39
LACP Commands
The LACP port trunk commands are summarized in Table 59 and described in detail within the chapter.
Table 59. LACP Port Trunk Commands
Command | Mode | Description
“CHANNEL-GROUP” on page 546 | Port Interface | Creates new aggregators and adds ports to existing aggregators.
“LACP SYSTEM-PRIORITY” on page 548 | Global Configuration | Sets the LACP system priority value for the switch.
CHANNEL-GROUP
Syntax
channel-group id_number
Parameters
id_number  Specifies the ID number of a new or an existing aggregator. The range is 1 to 32.
Mode
Port Interface mode
Description
Use this command to create new aggregators or to add ports to existing aggregators. The lowest numbered port in an aggregator is called the base port. When adding ports to an existing aggregator, you cannot add ports that are below the base port.
Examples
These commands create a new aggregator consisting of ports 11 to 16. The ID number of the aggregator is 2.
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.11-port1.0.16
awplus(config-if)# channel-group 2
This example adds port 15 to an existing aggregator that has the ID number 4:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
LACP SYSTEM-PRIORITY
Syntax
lacp system-priority priority
Parameters
priority  Specifies the LACP system priority value for the switch. The range is 1 to 65535.
Mode
Global Configuration mode
Description
Use this command to set the LACP priority of the switch. The switch uses the LACP priority to resolve conflicts with other network devices when it creates aggregate trunks.
NO CHANNEL-GROUP
Syntax
no channel-group
Parameters
None
Mode
Port Interface mode
Description
Use this command to remove ports from aggregators and to delete aggregators. To delete an aggregator, remove all its ports. You cannot remove the base port of the aggregator. Changing the base port requires deleting and recreating the aggregator.
PORT-CHANNEL LOAD-BALANCE
Syntax
port-channel load-balance src-mac|dst-mac|src-dst-mac|src-ip|dst-ip|src-dst-ip
Parameters
src-mac  Specifies source MAC address as the load distribution method.
dst-mac  Specifies destination MAC address.
src-dst-mac  Specifies source address/destination MAC address.
src-ip  Specifies source IP address.
dst-ip  Specifies destination IP address.
src-dst-ip  Specifies source address/destination IP address.
Confirmation Command
“SHOW ETHERCHANNEL DETAIL” on page 553
Example
This example sets the load distribution method to source MAC address for the LACP trunk that has the ID number 22:
awplus> enable
awplus# configure terminal
awplus(config)# interface po22
awplus(config-if)# port-channel load-balance src-mac
SHOW ETHERCHANNEL
Syntax
show etherchannel id_number
Parameters
id_number  Specifies the ID number of the aggregator.
Mode
Privileged Exec mode
Description
Use this command to display the ports of specific aggregators on the switch. Figure 104 illustrates the information.
Aggregator #2 .... po2
Admin Key: 0xff01 - Oper Key: 0x0101
Link: Port1.0.2 sync
Link: Port1.0.3 sync
Link: Port1.0.4 sync
Link: Port1.0.5 sync
Link: Port1.0.6 sync
Figure 104.
SHOW ETHERCHANNEL DETAIL
Syntax
show etherchannel detail
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display detailed information about the aggregators on the switch. Figure 105 illustrates the information.
Aggregator # 1 ..... po1
Mac address: (00-15-77-d8-43-60,0000)
Admin Key: 0xff01 - Oper Key: 0x0101
Receive link count: 4 - Transmit link count: 4
Individual: 0 - Ready: 0
Distribution Mode ..
Example
This example displays detailed information about aggregators:
awplus# show etherchannel detail
SHOW ETHERCHANNEL SUMMARY
Syntax
show etherchannel summary
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display the states of the member ports of the aggregators. Figure 106 illustrates the information.
Aggregator #2 .... po2
Admin Key: 0xff01 - Oper Key: 0x0101
Link: Port1.0.2 sync
Link: Port1.0.3 sync
Link: Port1.0.4 sync
Link: Port1.0.5 sync
Link: Port1.0.6 sync
Aggregator #21 .... po21
Admin Key: 0xff16 - Oper Link: Port1.0.
SHOW LACP SYS-ID
Syntax
show lacp sys-id
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display the LACP priority value and MAC address of the switch. Figure 107 provides an example of the display.
System Priority: 0x0080 (32768)
Mac Address: EC-CD-6D-1E-52-28
Figure 107. SHOW LACP SYS-ID Command
Note
The LACP priority value is set as an integer with “LACP SYSTEM-PRIORITY” on page 548 and displayed in hexadecimal format by this command.
SHOW PORT ETHERCHANNEL
Syntax
show port etherchannel [interface port]
Parameters
port    Specifies the port of an aggregator. You can display more than one port at a time.
Mode
Privileged Exec mode
Description
Use this command to display the LACP port information. Figure 108 illustrates the information. Refer to the IEEE 802.3ad standard for definitions of the fields.
Link: port: 1.0.
Section VI: Spanning Tree Protocols
This section contains the following chapters:
Chapter 40, “STP, RSTP and MSTP Protocols” on page 561
Chapter 41, “Spanning Tree Protocol (STP) Procedures” on page 581
Chapter 42, “STP Commands” on page 589
Chapter 43, “Rapid Spanning Tree Protocol (RSTP) Procedures” on page 605
Chapter 44, “RSTP Commands” on page 617
Chapter 45, “Multiple Spanning Tree Protocol” on page 641
Chapter 46, “MSTP Commands” on page 661
Chapter 40: STP, RSTP and MSTP Protocols
This chapter covers the following topics:
“Overview” on page 562
“Bridge Priority and the Root Bridge” on page 563
“Path Costs and Port Costs” on page 564
“Port Priority” on page 565
“Forwarding Delay and Topology Changes” on page 566
“Hello Time and Bridge Protocol Data Units (BPDU)” on page 567
“Point-to-Point and Edge Ports” on page 568
“Mixed STP and RSTP Networks” on page 570
“Spanning Tree and VLANs” on page 571
“RSTP and
Overview
The Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) guard against the formation of loops in an Ethernet network topology. A topology has a loop when two or more nodes can transmit packets to each other over more than one data path.
Bridge Priority and the Root Bridge
The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridges and is used by the other bridges to determine if there are redundant paths in the network. A root bridge is selected by the bridge priority number, also referred to as the bridge identifier.
Path Costs and Port Costs
After the root bridge has been selected, the bridges determine if the network contains redundant paths and, if one is found, select a preferred path while placing the redundant paths in a backup or blocking state. A bridge that has only one path between itself and the root bridge is referred to as the designated bridge, and the port through which it communicates with the root bridge is referred to as the root port.
Port Priority
If two paths have the same port cost, the bridges must select a preferred path. In some instances this can involve the use of the port priority parameter. This parameter is used as a tie breaker when two paths have the same cost. The port priority has a range from 0 to 240 in increments of 16. The priority values can be set only in increments of 16. The default value is 128, which is increment 8.
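As an added example (not from this guide or from Allied Telesis), the following Python model walks through the selections the three preceding sections describe: root bridge election by priority and MAC address, cumulative path cost to the root, and port priority as the tie breaker. The three-switch topology is constructed; where the text does not say how a tie is resolved, the order follows IEEE 802.1D.

```python
"""Root bridge election, root path cost and root port selection as described in
the Bridge Priority, Path Costs and Port Priority sections.  Added illustration,
not Allied Telesis code; the topology below is constructed and the tie-break
order beyond what the text states follows IEEE 802.1D."""
import heapq
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Port:
    bridge: str
    number: int
    cost: int = 20000      # SPANNING-TREE PATH-COST; the guide's range is 1 to 200000000
    priority: int = 128    # SPANNING-TREE PRIORITY (port); 0 to 240 in steps of 16

@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = 32768  # SPANNING-TREE PRIORITY (bridge); 0 to 61440 in steps of 4096

@dataclass(frozen=True)
class Link:
    a: Port
    b: Port


def check_bridge_priority(value: int) -> int:
    """Reject values the switch would not accept for the bridge priority."""
    if not 0 <= value <= 61440 or value % 4096:
        raise ValueError(f"bridge priority {value}: use 0..61440 in steps of 4096")
    return value

def check_port_priority(value: int) -> int:
    """Reject values the switch would not accept for a port priority."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError(f"port priority {value}: use 0..240 in steps of 16")
    return value

def bridge_id(b: Bridge) -> Tuple[int, int]:
    # Lower priority wins; on equal priorities the numerically lowest MAC wins.
    return (b.priority, int(b.mac.replace("-", "").replace(":", ""), 16))

def port_id(p: Port) -> Tuple[int, int]:
    # Lower priority wins; the port number only decides between equal priorities.
    return (p.priority, p.number)

def elect_root(bridges: List[Bridge]) -> Bridge:
    return min(bridges, key=bridge_id)


def compute_tree(bridges: List[Bridge], links: List[Link]) -> Dict[str, object]:
    """Return the root, every bridge's root path cost and every root port."""
    by_name = {b.name: b for b in bridges}
    adj: Dict[str, List[Tuple[Port, Port]]] = defaultdict(list)
    for link in links:
        adj[link.a.bridge].append((link.a, link.b))  # (local port, remote port)
        adj[link.b.bridge].append((link.b, link.a))
    root = elect_root(bridges)
    # Root path cost: each hop adds the cost of the port on the bridge farther
    # from the root, i.e. the port that receives the root's BPDUs (Dijkstra).
    rpc: Dict[str, int] = {root.name: 0}
    heap = [(0, root.name)]
    while heap:
        cost, name = heapq.heappop(heap)
        if cost > rpc[name]:
            continue
        for _local, remote in adj[name]:
            candidate = cost + remote.cost
            if candidate < rpc.get(remote.bridge, float("inf")):
                rpc[remote.bridge] = candidate
                heapq.heappush(heap, (candidate, remote.bridge))
    # Root port: lowest root path cost, then the neighbour's bridge ID, then the
    # neighbour's port ID (where port priority breaks the tie), then our own.
    root_port: Dict[str, int] = {}
    for name in by_name:
        if name == root.name:
            continue
        local, _remote = min(
            adj[name],
            key=lambda pair: (rpc.get(pair[1].bridge, float("inf")) + pair[0].cost,
                              bridge_id(by_name[pair[1].bridge]),
                              port_id(pair[1]), port_id(pair[0])))
        root_port[name] = local.number
    return {"root": root.name, "root_path_cost": rpc, "root_port": root_port}


# Constructed topology: switch1 has the highest MAC but the lowest priority.
SW1 = Bridge("switch1", "00-00-5E-00-53-03", check_bridge_priority(4096))
SW2 = Bridge("switch2", "00-00-5E-00-53-01")
SW3 = Bridge("switch3", "00-00-5E-00-53-02")
LINKS = [
    # Two parallel equal-cost links to switch2; switch1 port 2 carries the
    # better (lower) port priority, so switch2 chooses its own port 2.
    Link(Port("switch1", 1), Port("switch2", 1)),
    Link(Port("switch1", 2, priority=check_port_priority(64)), Port("switch2", 2)),
    # switch3: a 20000-cost hop via switch2 beats a direct 200000-cost link.
    Link(Port("switch2", 3), Port("switch3", 1)),
    Link(Port("switch1", 3, cost=200000), Port("switch3", 2, cost=200000)),
]

if __name__ == "__main__":
    for key, value in compute_tree([SW1, SW2, SW3], LINKS).items():
        print(f"{key}: {value}")
```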
Forwarding Delay and Topology Changes
If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes. This may trigger a change in the state of some blocked ports. However, a change in a port state is not activated immediately. It might take time for the root bridge to notify all bridges that a topology change has occurred, especially if it is a large network.
Hello Time and Bridge Protocol Data Units (BPDU)
The bridges that are part of a spanning tree domain communicate with each other using a bridge broadcast frame that contains a special section devoted to carrying STP or RSTP information. This portion of the frame is referred to as the bridge protocol data unit (BPDU).
Point-to-Point and Edge Ports
Part of the task of configuring RSTP or MSTP is defining the port types on the switch. This relates to the devices connected to the ports. With the port types defined, RSTP or MSTP can reconfigure a network much more quickly than STP when a change in network topology is detected.
Note
This section applies only to RSTP and MSTP.
Figure 110. Edge Port

A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no spanning tree devices connected to it. Figure 111 illustrates a port functioning as both a point-to-point and edge port.

Figure 111. Point-to-Point and Edge Port (a workstation connected in full-duplex mode)

Determining whether a bridge port is point-to-point, edge, or both, can be a bit confusing.
Mixed STP and RSTP Networks
RSTP IEEE 802.1w is fully compliant with STP IEEE 802.1d. A network can have both protocols. If both RSTP and STP are present in a network, they operate together to create a single spanning tree domain. Given this, if you decide to activate spanning tree on the switch, there is no reason not to use RSTP, even if the other switches are running STP.
Spanning Tree and VLANs
STP and RSTP support a single-instance spanning tree that encompasses all the ports on the switch. If the ports are divided into different VLANs, the spanning tree protocol crosses the VLAN boundaries. This point can pose a problem in networks that contain multiple VLANs that span different switches and that are connected with untagged ports.
RSTP and MSTP BPDU Guard
This feature monitors the RSTP or MSTP edge ports on the switch for BPDU packets. Edge ports that receive BPDU packets are disabled by the switch. The benefit of this feature is that it prevents the use of edge ports by RSTP or MSTP devices. This reduces the possibility of unwanted changes to a network topology.
Note
This section applies only to RSTP and MSTP.
Here are the guidelines for this feature:
BPDU guard is configured for each port and has only two possible settings: enabled or disabled. The default setting is disabled.
This feature is supported on the base ports of the switch and any fiber optic transceivers installed in the unit.
Note
A port disabled by the BPDU guard feature remains in that state until you enable it with the management software.
STP, RSTP, MSTP Loop Guard
Although spanning tree is designed to detect and prevent the formation of loops in a network topology, it is possible in certain circumstances for the protocol to inadvertently create loops. This can happen in the unlikely situation where a link between two spanning tree devices remains active when there is a cessation of BPDUs because of a hardware or software problem.
If you configured the SNMP community strings on the switch, an SNMP trap is sent to your management workstations to notify you of the event. However, this event does not generate an entry in the switch’s log. This feature is supported on the base ports of the switch as well as on any fiber optic transceivers installed in the unit. The following figures illustrate this feature.
Figure 114. Loop Guard Example 2 (figure labels: Switch 2; Port 17 stops transmitting BPDUs; Switch 1, root bridge; Port 14 transitions to the forwarding state from the blocking state; Switch 3)

But if loop guard is enabled on port 14 on switch 3, the port, instead of changing to the forwarding state, stays in the blocking state, preventing the formation of the loop.
In the first example, the root bridge stops transmitting BPDUs. If switch 3 is not using loop guard, it continues to forward traffic on port 4. But since no BPDUs are received on the port, it assumes that the device connected to the port is not an RSTP device. Since switch 2 becomes the new root bridge, port 14 on switch 3 transitions to the forwarding state from the blocking state to become the new root port for the switch. The result is a network loop.
Figure 117. (figure labels: Switch 2, new root bridge; Switch 1, old root bridge, RSTP stops operating; Port 14 transitions from the blocking state to the forwarding state; Port 4, loop guard changes the port to the blocking state from the forwarding state; Switch 3)
STP and RSTP Root Guard
The Root Guard feature enforces the root bridge placement in a network. It ensures the port that you have configured with the Root Guard feature is a designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected. If the bridge receives a superior BPDU on a root-designated port, the Root Guard feature changes the state of the port to a “root inconsistent” STP state.
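As an added example (not the switch's code and not from this guide), the following Python event model shows how the three protections described above react to the events that trigger them: BPDU guard on an edge port, including the errdisable timeout described in Chapter 44, loop guard on a port whose neighbour stops sending BPDUs, and root guard on a designated port that receives a superior BPDU. States and timings are a constructed simplification of the guide's descriptions; recovery from the root-inconsistent state is not modeled because the guide does not describe it.

```python
"""Event model of BPDU guard, loop guard and root guard as described in this
chapter.  Added illustration, not Allied Telesis code; the events in demo()
are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

ERRDISABLE_MIN, ERRDISABLE_MAX, ERRDISABLE_DEFAULT = 10, 1000000, 300  # seconds


@dataclass
class Switch:
    """Global settings: SPANNING-TREE ERRDISABLE-TIMEOUT ENABLE and INTERVAL."""
    errdisable_timeout: bool = False
    errdisable_interval: int = ERRDISABLE_DEFAULT

    def set_errdisable_interval(self, seconds: int) -> None:
        if not ERRDISABLE_MIN <= seconds <= ERRDISABLE_MAX:
            raise ValueError(f"interval {seconds} is outside {ERRDISABLE_MIN}..{ERRDISABLE_MAX}")
        self.errdisable_interval = seconds


@dataclass
class Port:
    name: str
    edge: bool = False          # spanning-tree portfast
    bpdu_guard: bool = False    # spanning-tree portfast bpdu-guard
    loop_guard: bool = False    # spanning-tree loop-guard
    root_guard: bool = False    # spanning-tree guard root
    state: str = "forwarding"   # forwarding | blocking | disabled | root-inconsistent
    held_by: Optional[str] = None      # "bpdu-guard" or "loop-guard"
    prior_state: Optional[str] = None  # state before loop guard intervened
    disabled_at: Optional[int] = None  # time at which BPDU guard shut the port
    events: List[str] = field(default_factory=list)


def receive_bpdu(port: Port, now: int, superior: bool = False) -> str:
    """A BPDU arrives on the port at time `now`; returns the resulting state."""
    if port.held_by == "bpdu-guard":
        return port.state               # port is shut down, nothing is received
    if port.edge:
        if port.bpdu_guard:             # BPDU guard: the edge port is disabled
            port.state, port.held_by, port.disabled_at = "disabled", "bpdu-guard", now
            port.events.append(f"{now}s: BPDU guard disabled {port.name}")
            return port.state
        port.edge = False               # an edge port that hears BPDUs loses edge status
        port.events.append(f"{now}s: {port.name} is no longer an edge port")
    if port.held_by == "loop-guard":    # BPDUs resumed: loop guard releases the port
        port.state, port.held_by, port.prior_state = port.prior_state, None, None
        port.events.append(f"{now}s: loop guard released {port.name}")
    if port.root_guard and superior and port.state == "forwarding":
        port.state = "root-inconsistent"  # superior BPDU on a designated port
        port.events.append(f"{now}s: root guard put {port.name} in root-inconsistent state")
    return port.state


def bpdus_stop(port: Port, now: int) -> str:
    """BPDUs stop arriving while the link stays up (the loop guard case)."""
    if port.edge or port.state in ("disabled", "root-inconsistent"):
        return port.state
    if port.loop_guard:
        if port.held_by != "loop-guard":
            port.prior_state, port.held_by = port.state, "loop-guard"
        port.state = "blocking"         # held in, or moved to, blocking; trap only, no log entry
        port.events.append(f"{now}s: loop guard holds {port.name} in blocking")
        return port.state
    # Without loop guard the port assumes no spanning tree device is attached,
    # and a blocked port moves to forwarding: the loop the chapter warns about.
    port.state = "forwarding"
    return port.state


def no_shutdown(port: Port, now: int) -> str:
    """Manual re-enable of a port shut by BPDU guard (the NO SHUTDOWN command)."""
    if port.held_by == "bpdu-guard":
        port.state, port.held_by, port.disabled_at = "forwarding", None, None
        port.events.append(f"{now}s: {port.name} re-enabled")
    return port.state


def tick(switch: Switch, port: Port, now: int) -> str:
    """Advance the clock: with the errdisable timer on, the port comes back by itself."""
    if (port.held_by == "bpdu-guard" and switch.errdisable_timeout
            and now - port.disabled_at >= switch.errdisable_interval):
        no_shutdown(port, now)
    return port.state


def demo() -> List[str]:
    """Constructed walk-through of the three guards; returns the combined event log."""
    sw = Switch(errdisable_timeout=True)
    sw.set_errdisable_interval(60)
    edge = Port("port1.0.5", edge=True, bpdu_guard=True)
    receive_bpdu(edge, 0)       # a spanning tree device appeared on a user-facing port
    tick(sw, edge, 59)          # still down
    tick(sw, edge, 60)          # timer expired: back up, still an edge port
    uplink = Port("port1.0.14", state="blocking", loop_guard=True)
    bpdus_stop(uplink, 70)      # neighbour went silent: the port stays blocking
    designated = Port("port1.0.2", root_guard=True)
    receive_bpdu(designated, 80, superior=True)
    return edge.events + uplink.events + designated.events
```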
Chapter 41: Spanning Tree Protocol (STP) Procedures
This chapter provides the following procedures:
“Designating STP as the Active Spanning Tree Protocol” on page 582
“Enabling the Spanning Tree Protocol” on page 583
“Setting the Switch Parameters” on page 584
“Setting the Port Parameters” on page 586
“Disabling the Spanning Tree Protocol” on page 587
“Displaying STP Settings” on page 588
Designating STP as the Active Spanning Tree Protocol
Before you can configure the STP parameters or enable the protocol on the switch, you have to designate STP as the active spanning tree protocol. The switch supports other spanning tree protocols in addition to STP, but only one of them can be active at a time on the device.
Enabling the Spanning Tree Protocol
To enable STP on the switch, use the SPANNING-TREE STP ENABLE command in the Global Configuration mode. Here is the command:
awplus> enable
awplus# configure terminal
awplus(config)# spanning-tree stp enable
The switch immediately begins to send BPDUs from its ports to participate in the spanning tree domain.
Setting the Switch Parameters
This table lists the STP functions that are controlled at the switch level. These commands are located in the Global Configuration mode and apply to the entire switch.
Table 60. STP Switch Parameter Commands
To | Use This Command | Range
Specify how long the ports remain in the listening and learning states before entering the forwarding state. |
This example of the command sets the switch’s priority value to 8,192:
awplus> enable
awplus# configure terminal
awplus(config)# spanning-tree priority 8192
Setting the Port Parameters
This table lists the STP functions that are controlled at the port level. You set these parameters in the Port Interface mode of the individual ports.
Table 61. STP Port Parameter Commands
To | Use This Command | Range
Specify the cost of a port to the root bridge. | SPANNING-TREE PATH-COST pathcost | 1 to 200000000
Assign a priority value, which is used as a tie breaker when two or more ports have equal costs to the root bridge. |
Disabling the Spanning Tree Protocol
To disable STP on the switch, use the NO SPANNING-TREE STP ENABLE command in the Global Configuration mode. Here is the command:
awplus> enable
awplus# configure terminal
awplus(config)# no spanning-tree stp enable
Note
Before disabling the spanning tree protocol on the switch, display the STP states of the ports and disconnect the network cables from any ports that are in the discarding state.
Displaying STP Settings
To view the STP settings on the switch, use the SHOW SPANNING-TREE command in the Privileged Exec mode. The command has this format:
show spanning-tree [interface port]
Use the INTERFACE parameter to view the settings of the specified ports. Otherwise, omit the parameter to view all the ports.
Chapter 42: STP Commands
The STP commands are summarized in Table 62 and described in detail within the chapter.
Table 62. Spanning Tree Protocol Commands
Command | Mode | Description
“NO SPANNING-TREE STP ENABLE” on page 591 | Global Configuration | Disables STP on the switch.
“SHOW SPANNING-TREE” on page 592 | User Exec and Privileged Exec | Displays the STP settings.
Table 62. Spanning Tree Protocol Commands (Continued)
Command | Mode | Description
“SPANNING-TREE PORTFAST BPDU-GUARD” on page 601 | Port Interface | Enables the BPDU guard feature on a port so that the switch monitors edge ports and disables them if they receive BPDUs.
“SPANNING-TREE PRIORITY (Bridge Priority)” on page 602 | Global Configuration | Assigns the switch a priority number.
NO SPANNING-TREE STP ENABLE
Syntax
no spanning-tree stp enable
Parameters
None
Mode
Global Configuration mode
Description
Use this command to disable STP on the switch. To view the current status of STP, refer to “SHOW SPANNING-TREE” on page 592. The default setting is disabled.
Note
Before disabling the spanning tree protocol on the switch, display the STP states of the ports and disconnect the network cables from any ports that are in the discarding state.
SHOW SPANNING-TREE
Syntax
show spanning-tree [interface port]
Parameters
port    Specifies a port. You can specify more than one port at a time in the command. The switch displays the STP settings for all the ports if you omit this parameter.
Mode
Privileged Exec mode
Description
Use this command to display the STP settings on the switch. An example of the display is shown in Figure 119.
Examples
This command displays the STP settings for all the ports:
awplus# show spanning-tree
This command displays the STP settings for ports 1 and 4:
awplus# show spanning-tree interface port1.0.1,port1.0.
SPANNING-TREE FORWARD-TIME
Syntax
spanning-tree forward-time forwardtime
Parameters
forwardtime    Specifies the forward time. The range is 4 to 30 seconds. The default is 15 seconds.
Mode
Global Configuration mode
Description
Use this command to set the forward time parameter on the switch. This parameter specifies how long the ports remain in the listening and learning states before they transition to the forwarding state.
SPANNING-TREE GUARD ROOT
Syntax
spanning-tree guard root
Parameters
None
Mode
Port Interface mode
Description
Use this command to enable the Root Guard feature on the specified port. The Root Guard feature ensures that the port on which it is enabled is a designated port. If a Root-Guard-enabled port receives a superior BPDU that may cause it to become a root port, then the port traffic is placed in a “root inconsistent” state.
SPANNING-TREE HELLO-TIME
Syntax
spanning-tree hello-time hellotime
Parameters
hellotime    Specifies the hello time. The range is 1 to 10 seconds. The default is 2 seconds.
Mode
Global Configuration mode
Description
Use this command to set the hello time parameter on the switch. This parameter controls how frequently the switch sends spanning tree configuration information when it is the root bridge or is trying to become the root bridge.
SPANNING-TREE MAX-AGE
Syntax
spanning-tree max-age maxage
Parameters
maxage    Specifies the max-age parameter. The range is 6 to 40 seconds. The default is 20 seconds.
Mode
Global Configuration mode
Description
Use this command to set the maximum age parameter. This parameter determines how long bridge protocol data units (BPDUs) are stored by the switch before they are deleted.
SPANNING-TREE MODE STP
Syntax
spanning-tree mode stp
Parameters
None
Mode
Global Configuration mode
Description
Use this command to designate STP as the active spanning tree protocol on the switch. You must select STP as the active spanning tree protocol before you can enable it or configure its parameters. Only one spanning tree protocol can be active on the switch at a time.
SPANNING-TREE PATH-COST
Syntax
spanning-tree path-cost path-cost
Parameters
path-cost    Specifies the cost of a port to the root bridge. The range is 1 to 200000000.
Mode
Port Interface mode
Description
Use this command to specify the cost of a port to the root bridge. This cost is combined with the costs of the other ports in the path to the root bridge, to determine the total path cost. The lower the numeric value, the higher the priority of the path.
SPANNING-TREE PORTFAST
Syntax
spanning-tree portfast
Parameters
None
Mode
Port Interface mode
Description
Use this command to designate an edge port on the switch. Edge ports are not connected to spanning tree devices or to LANs that have spanning tree devices. As a consequence, edge ports do not receive BPDUs. If an edge port starts to receive BPDUs, it is no longer considered to be an edge port.
SPANNING-TREE PORTFAST BPDU-GUARD
Syntax
spanning-tree portfast bpdu-guard
Parameters
None
Mode
Port Interface mode
Description
Use this command to enable the BPDU guard feature so that the switch monitors edge ports and disables them if they receive BPDU packets. To disable an edge port that was disabled by the BPDU guard feature, use the NO SPANNING-TREE PORTFAST BPDU-GUARD command. See “NO SPANNING-TREE PORTFAST BPDU-GUARD” on page 622.
SPANNING-TREE PRIORITY (Bridge Priority)
Syntax
spanning-tree priority priority
Parameters
priority    Specifies a priority number for the switch.
Mode
Global Configuration mode
Description
Use this command to assign the switch a priority number. The device that has the lowest priority number in the spanning tree domain becomes the root bridge. If two or more devices have the same priority value, the device with the numerically lowest MAC address becomes the root bridge.
SPANNING-TREE PRIORITY (Port Priority)
Syntax
spanning-tree priority priority
Parameters
priority    Specifies the priority value for a port. The range is 0 to 240, in increments of 16.
Mode
Port Interface mode
Description
Use this command to set the priority value of a port. This parameter is used as a tie breaker when two or more ports have equal costs to the root bridge. The range is 0 to 240 in increments of 16.
SPANNING-TREE STP ENABLE
Syntax
spanning-tree stp enable
Parameters
None
Mode
Global Configuration mode
Description
Use this command to enable STP on the switch. You must designate STP as the active spanning tree protocol on the switch before you can enable it or configure its parameters. For instructions, refer to “SPANNING-TREE MODE STP” on page 598.
Chapter 43: Rapid Spanning Tree Protocol (RSTP) Procedures
This chapter provides the following procedures:
“Designating RSTP as the Active Spanning Tree Protocol” on page 606
“Enabling the Rapid Spanning Tree Protocol” on page 607
“Configuring the Switch Parameters” on page 608
“Configuring the Port Parameters” on page 611
“Disabling the Rapid Spanning Tree Protocol” on page 615
“Displaying RSTP Settings” on page 616
Designating RSTP as the Active Spanning Tree Protocol
The first step to using RSTP on the switch is to designate it as the active spanning tree protocol. This is accomplished with the SPANNING-TREE MODE RSTP command in the Global Configuration mode. Afterwards, you can configure its settings and enable the protocol.
Enabling the Rapid Spanning Tree Protocol
To enable RSTP on the switch, use the SPANNING-TREE RSTP ENABLE command in the Global Configuration mode. Here is the command:
awplus> enable
awplus# configure terminal
awplus(config)# spanning-tree rstp enable
After you enter the command, the switch immediately begins to participate in the spanning tree domain.
Configuring the Switch Parameters
This table lists the RSTP parameters that are set in the Global Configuration mode and apply to all the ports on the switch.
Table 63. RSTP Switch Parameters
To | Use This Command | Range
Specify how long the ports remain in the listening and learning states before they transition to the forwarding state. |
This example increases the forward time to 25 seconds and the hello time to 8 seconds.
To disable the BPDU guard feature on the switch, use the NO SPANNING-TREE BPDU-GUARD command in the Global Configuration mode.
Configuring the Port Parameters
This table lists the RSTP port parameters. These parameters are set on the individual ports in the Port Interface mode.
Table 64. RSTP Port Parameters
To | Use This Command | Range
Specify port costs. | SPANNING-TREE PATH-COST pathcost | 1 to 200000000
Assign a priority value to be used as a tie breaker when two or more paths have equal costs to the root bridge. |
Configuring Port Priorities
If RSTP discovers a loop in the topology, but the two paths that constitute the loop have the same path cost, the spanning tree protocol uses port priorities to determine which path to make active and which to place in the blocking state. The lower the priority value, the higher the priority and the greater the likelihood of a port being the active, designated port in the event of duplicate paths.
This example uses the NO SPANNING-TREE PORTFAST command to remove port 21 as an edge port:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.21
awplus(config-if)# no spanning-tree portfast

Enabling or Disabling RSTP Loop-guard
The RSTP loop guard feature disables ports if they stop receiving spanning tree BPDUs from their link partners when there is no change to the link state.
Edge ports that are disabled by the feature remain disabled until you manually enable them again with the NO SHUTDOWN command. As an alternative, you can activate the BPDU guard timer so that the switch automatically reactivates disabled ports after the specified period of time.
Disabling the Rapid Spanning Tree Protocol
To disable RSTP on the switch, use the NO SPANNING-TREE RSTP ENABLE command in the Global Configuration mode. Here is the command:
awplus> enable
awplus# configure terminal
awplus(config)# no spanning-tree rstp enable
To view the current status of RSTP, refer to “Displaying RSTP Settings” on page 616.
Displaying RSTP Settings
To view the RSTP settings on the switch, use the SHOW SPANNING-TREE command in the Privileged Exec mode. The command has this format:
show spanning-tree [interface port]
Use the INTERFACE parameter to view the settings of the specified ports. Otherwise, omit the parameter to view all the ports.
Chapter 44: RSTP Commands
The RSTP commands are summarized in Table 65 and described in detail within the chapter.
Table 65. Rapid Spanning Tree Protocol Commands
Command | Mode | Description
“NO SPANNING-TREE PORTFAST” on page 619 | Port Interface | Removes ports as edge ports on the switch.
“NO SPANNING-TREE ERRDISABLE-TIMEOUT ENABLE” on page 620 | Global Configuration | Deactivates the RSTP BPDU guard timer.
Table 65. Rapid Spanning Tree Protocol Commands (Continued)
Command | Mode | Description
“SPANNING-TREE LINK-TYPE” on page 631 | Port Interface | Designates point-to-point ports and shared ports.
“SPANNING-TREE LOOP-GUARD” on page 632 | Port Interface | Enables the BPDU loop-guard feature on the ports.
NO SPANNING-TREE PORTFAST
Syntax
no spanning-tree portfast
Parameters
None
Mode
Port Interface mode
Description
Use this command to remove ports as edge ports on the switch.
Confirmation Command
“SHOW RUNNING-CONFIG” on page 130
Example
This example removes port 21 as an edge port:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
NO SPANNING-TREE ERRDISABLE-TIMEOUT ENABLE
Syntax
no spanning-tree errdisable-timeout enable
Parameters
None
Mode
Global Configuration mode
Description
Use this command to deactivate the timer for the RSTP BPDU guard feature. When the timer is deactivated, ports that the feature disables because they receive BPDU packets remain disabled until you manually activate them again with the NO SHUTDOWN command.
NO SPANNING-TREE LOOP-GUARD
Syntax
no spanning-tree loop-guard
Parameters
None
Mode
Port Interface mode
Description
Use this command to disable the BPDU loop-guard feature on the ports. The default setting is disabled.
Note
Ports that are disabled by the loop-guard feature do not forward traffic again when you disable the feature. They only forward traffic if they start to receive BPDUs again or you reset the switch.
NO SPANNING-TREE PORTFAST BPDU-GUARD
Syntax
no spanning-tree portfast bpdu-guard
Parameters
None
Mode
Port Interface mode
Description
Use this command to disable the BPDU guard feature on a port.
Note
Edge ports disabled by the BPDU guard feature remain disabled until you enable them with the management software. For instructions, refer to “NO SHUTDOWN” on page 183.
NO SPANNING-TREE RSTP ENABLE
Syntax
no spanning-tree rstp enable
Parameters
None
Mode
Global Configuration mode
Description
Use this command to disable RSTP on the switch.
Note
Before disabling the spanning tree protocol on the switch, display the RSTP states of the ports and disconnect the network cables from any ports that are in the discarding state. Ports that are in the discarding state begin to forward traffic again when RSTP is disabled.
SHOW SPANNING-TREE
Syntax
show spanning-tree
Parameters
None
Mode
Privileged Exec mode
Description
Use this command to display the RSTP settings on the switch. An example of the display is shown in Figure 121.
Example
This example displays the RSTP settings on the switch:
awplus# show spanning-tree
SPANNING-TREE ERRDISABLE-TIMEOUT ENABLE
Syntax
spanning-tree errdisable-timeout enable
Parameters
None
Mode
Global Configuration mode
Description
Use this command to activate the timer for the RSTP BPDU guard feature. The BPDU guard feature prevents unnecessary RSTP domain convergences by disabling edge ports if they receive BPDUs. When the timer is activated, the switch will automatically reactivate disabled ports.
SPANNING-TREE ERRDISABLE-TIMEOUT INTERVAL
Syntax
spanning-tree errdisable-timeout interval interval
Parameters
interval    Specifies the number of seconds that ports remain disabled by the RSTP BPDU guard feature. The range is 10 to 1000000 seconds. The default is 300 seconds.
SPANNING-TREE FORWARD-TIME
Syntax
spanning-tree forward-time forwardtime
Parameters
forwardtime    Specifies the forward time. The range is 4 to 30 seconds. The default is 15 seconds.
Mode
Global Configuration mode
Description
Use this command to set the forward time parameter to control how fast the ports change their spanning tree states when moving towards the forwarding state.
SPANNING-TREE GUARD ROOT
Syntax
spanning-tree guard root
Parameters
None
Mode
Port Interface mode
Description
Use this command to enable the Root Guard feature on the specified port. The Root Guard feature ensures that the port on which it is enabled is a designated port. If a Root-Guard-enabled port receives a superior BPDU that may cause it to become a root port, then the port traffic is placed in a “root inconsistent” state.
SPANNING-TREE HELLO-TIME
Syntax
spanning-tree hello-time hellotime
Parameters
hellotime    Specifies the hello time. The range is 1 to 10 seconds. The default is 2 seconds.
Mode
Global Configuration mode
Description
Use this command to set the hello time parameter on the switch. This parameter controls how frequently the switch sends spanning tree configuration information when it is the root bridge or is trying to become the root bridge.
SPANNING-TREE LINK-TYPE
Syntax
spanning-tree link-type point-to-point|shared
Parameters
point-to-point    Allows for rapid transition of a port to the forwarding state during the convergence process of the spanning tree domain.
shared            Disables rapid transition of a port. You may want to set link type to shared if a port is connected to a hub with multiple switches connected to it.
SPANNING-TREE LOOP-GUARD
Syntax
spanning-tree loop-guard
Parameters
None
Mode
Port Interface mode
Description
Use this command to enable the BPDU loop-guard feature on the ports. If a port that has this feature activated stops receiving BPDU packets, the switch automatically disables it. A port that has been disabled by the feature remains in that state until it begins to receive BPDU packets again or the switch is reset.
SPANNING-TREE MAX-AGE
Syntax
spanning-tree max-age maxage
Parameters
maxage    Specifies the maximum age parameter. The range is 6 to 40 seconds. The default is 20 seconds.
Mode
Global Configuration mode
Description
Use this command to set the maximum age parameter on the switch. This parameter determines how long the switch retains bridge protocol data units (BPDUs) before it deletes them.
SPANNING-TREE MODE RSTP
Syntax
spanning-tree mode rstp
Parameters
None
Mode
Global Configuration mode
Description
Use this command to designate RSTP as the active spanning tree protocol on the switch. After activating the protocol, you can enable or disable the spanning tree protocol and set the switch or port parameters.
AT-9000 Switch Command Line User’s Guide SPANNING-TREE PATH-COST Syntax spanning-tree path-cost path-cost Parameters path-cost Specifies the cost of a port to the root bridge. The range is 1 to 200000000. Mode Port Interface mode Description Use this command to specify the cost of a port to the root bridge. This cost is combined with the costs of the other ports in the path to the root bridge, to determine the total path cost. The lower the numeric value, the higher the priority of a path.
Chapter 44: RSTP Commands SPANNING-TREE PORTFAST Syntax spanning-tree portfast Parameters None Mode Port Interface mode Description Use this command to designate edge ports on the switch. Edge ports are not connected to spanning tree devices or to LANs that have spanning tree devices. As a consequence, edge ports do not receive BPDUs. If an edge port starts to receive BPDUs, it is no longer considered an edge port by the switch.
AT-9000 Switch Command Line User’s Guide SPANNING-TREE PORTFAST BPDU-GUARD Syntax spanning-tree portfast bpdu-guard Parameters None Mode Port Interface mode Description Use this command to enable the BPDU guard feature so that the switch monitors edge ports and disables them if they receive BPDU packets. To disable an edge port that was disabled by the BPDU guard feature, use the NO SPANNING-TREE PORTFAST BPDU-GUARD command.
Chapter 44: RSTP Commands SPANNING-TREE PRIORITY (Bridge Priority) Syntax spanning-tree priority priority Parameters priority Specifies a priority number for the switch. The range is 0 to 61440, in increments of 4096. Mode Global Configuration mode Description Use this command to assign the switch a priority number. The device that has the lowest priority number in the spanning tree domain becomes the root bridge.
AT-9000 Switch Command Line User’s Guide SPANNING-TREE PRIORITY (Port Priority) Syntax spanning-tree priority priority Parameters priority Specifies the priority value for a port. The range is 0 to 240, in increments of 16. Mode Port Interface mode Description Use this command to set the priority value of a port. This parameter is used as a tie breaker when two or more ports have equal costs to the root bridge. The range is 0 to 240 in increments of 16.
Chapter 44: RSTP Commands SPANNING-TREE RSTP ENABLE Syntax spanning-tree rstp enable Parameters None Mode Global Configuration mode Description Use this command to enable the Rapid Spanning Tree Protocol on the switch. You cannot enable RSTP until you have activated it with “SPANNING-TREE MODE RSTP” on page 634.
Chapter 45 Multiple Spanning Tree Protocol This chapter provides background information about the Multiple Spanning Tree Protocol (MSTP).
Overview
As mentioned in Chapter 40, “STP, RSTP and MSTP Protocols” on page 561, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the protocols stop the loops by placing one or more bridge ports in a blocking state.

Multiple Spanning Tree Instance (MSTI)
The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9000 Switches. The switch can support up to 15 MSTIs at a time. To create an MSTI, you first assign it a number, referred to as the MSTI ID. The range is 1 to 15. (The switch is shipped with a default instance, the Common and Internal Spanning Tree (CIST), which has an MSTI ID of 0.)

Figure 123. MSTP Example of Two Spanning Tree Instances
An MSTI can contain more than one VLAN. This is illustrated in Figure 124, where there are two AT-9000 Switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering VLANs.
Figure 124.

MSTI Guidelines
Following are several guidelines to keep in mind about MSTIs:
- The AT-9000 Switch can support up to 15 spanning tree instances, including the Common and Internal Spanning Tree (CIST).
- An MSTI can contain any number of VLANs.
- A VLAN can belong to only one MSTI at a time.
- A switch port can belong to more than one spanning tree instance at a time by being an untagged and tagged member of VLANs belonging to different MSTIs.

VLAN and MSTI Associations
Part of the task of configuring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is called associations. A VLAN, either port-based or tagged, can belong to only one instance at a time, but an instance can contain any number of VLANs.

Ports in Multiple MSTIs
A port can be a member of more than one MSTI at a time if it is a tagged member of one or more VLANs assigned to different MSTIs. In this circumstance, a port might have to operate in different spanning tree states simultaneously, depending on the requirements of the MSTIs. For example, a port that belongs to two different VLANs in two different MSTIs might operate in the forwarding state in one MSTI and the blocking state in the other.

Multiple Spanning Tree Regions
Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics. These characteristics are:
- Configuration name
- Revision number
- VLANs
- VLAN to MSTI ID associations
A configuration name is a name assigned to a region to identify it. You must assign each bridge in a region exactly the same name, even the same upper and lowercase lettering.

Table 66 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9000 Switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs, and the VLANs are associated with the same MSTIs.
Table 66.

Region Guidelines
Following are several points to remember about regions.
- A network can contain any number of regions, and a region can contain any number of AT-9000 Switches.
- The AT-9000 Switch can belong to only one region at a time.
- A region can contain any number of VLANs.
- All of the bridges in a region must have the same configuration name, revision level, VLANs, and VLAN to MSTI associations.
- An MSTI cannot span multiple regions.
Common and Internal Spanning Tree (CIST)
MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that you create yourself. Firstly, you cannot delete this instance, and you cannot change its MSTI ID.

An MSTP region can be considered as a virtual bridge. The implication is that other MSTP regions and STP and RSTP single-instance spanning trees cannot discern the topology or constitution of an MSTP region. The only bridge they are aware of is the regional root of the CIST instance.

Summary of Guidelines
Careful planning is essential for the successful implementation of MSTP. This section reviews all the rules and guidelines mentioned in earlier sections, and contains a few new ones:
- The AT-9000 Switch can support up to 15 spanning tree instances, including the CIST.
- An MSTI can contain any number of VLANs.
- A VLAN can belong to only one MSTI at a time.
- The range of an MSTI ID is from 1 to 15. The CIST ID is 0.

Note
The AlliedWare Plus MSTP implementation complies fully with the IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AlliedWare Plus implementation.

Associating VLANs to MSTIs
Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state. The reason for this guideline is explained below. An MSTP BPDU contains the instance to which the port transmitting the packet belongs. By default, all ports belong to the CIST instance.

Figure 126. CIST and VLAN Guideline - Example 2
When port 4 on switch B receives a BPDU, the switch notes that the port sending the packet belongs only to the CIST. Therefore, switch B uses the CIST in determining whether a loop exists. The result would be that the switch detects a loop because the other port is also receiving BPDU packets from CIST 0. Switch B would block a port to cancel the loop.

Connecting VLANs Across Different Regions
Special consideration needs to be taken into account when you connect different MSTP regions or an MSTP region and a single-instance STP or RSTP region. Unless planned properly, VLAN fragmentation can occur between the VLANs of your network. As mentioned previously, only the CIST can span regions. An MSTI cannot.

There are several ways to address this issue. The first is to have only one MSTP region for each subnet in your network. Another approach is to group those VLANs that need to span regions into the same MSTI. In this case, VLANs that do not span regions can be assigned to other MSTIs. Here is an example. Assume that you have two regions that contain the following VLANs:
Table 67.

MSTP Root Guard
The Root Guard feature enforces the root bridge placement in a network. It ensures that the port you have configured with the Root Guard feature is a designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected. If the bridge receives a superior BPDU on a root-designated port, the Root Guard feature changes the state of the port to a “root inconsistent” STP state. Enable Root Guard on ports that face parts of the network where no root bridge should ever appear (for example, ports toward end users or third-party equipment), not on the port that leads toward the intended root bridge: a Root Guard port that receives the legitimate root’s superior BPDU is placed in the root inconsistent state instead of becoming the root port.
Chapter 46 MSTP Commands
The MSTP commands are summarized in Table 68 and described in detail within the chapter.
Table 68. Multiple Spanning Tree Protocol Commands
Command | Mode | Description
“INSTANCE MSTI-ID PRIORITY” on page 663 | Interface Configuration | Sets the port priority for an MST instance (MSTI).
“INSTANCE MSTI-ID VLAN” on page 665 | MST Configuration | Creates an MSTI and associates a VLAN with it.
Table 68. Multiple Spanning Tree Protocol Commands (Continued)
Command | Mode | Description
“SPANNING-TREE MSTP ENABLE” on page 677 | Global Configuration | Enables MSTP on the switch.
“SPANNING-TREE MST CONFIGURATION” on page 678 | Global Configuration | Enters the MST Configuration mode.
“SPANNING-TREE MST INSTANCE” on page 679 | Interface Configuration | Associates an MSTI with a port.
INSTANCE MSTI-ID PRIORITY
Syntax instance msti-id priority priority
Parameters priority Specifies a priority. The range is 0 to 61440, in increments of 4096.
Mode Interface Configuration mode
Description Use this command to set the priority for an MST instance (MSTI). This command sets the value of the priority field contained in the port identifier. The MST algorithm uses the port priority when determining the root port for the switch in the MSTI. Note that the range and default given here and in Table 69 (0 to 61440 in increments of 4096, default 32768) are those of a bridge priority, whereas the port priority set with the port-level SPANNING-TREE PRIORITY command ranges from 0 to 240 in increments of 16. Confirm with the command’s online help on your switch which range it accepts before relying on a value.

Table 69. MSTP Bridge Priority Value Increments (Continued)
Increment | Bridge Priority
7 | 28672
8 | 32768
9 | 36864
10 | 40960
11 | 45056
12 | 49152
13 | 53248
14 | 57344
15 | 61440
Use the no command, NO INSTANCE MSTI-ID PRIORITY, to restore the default priority value of 32768.

INSTANCE MSTI-ID VLAN
Syntax instance msti-id vlan vid|vidlist
Parameters vid Specifies a VLAN ID. vidlist Specifies a list of VLAN IDs.
Mode MST Configuration mode
Description Use this command to create an MSTI and associate it with one or more VLANs. The switch supports up to 15 MSTIs. An instance can contain any number of VLANs, but a VLAN can belong to only one MSTI at a time.

NO SPANNING-TREE ERRDISABLE-TIMEOUT ENABLE
Syntax no spanning-tree errdisable-timeout enable
Parameters None
Mode Global Configuration mode
Description Use this command to deactivate the timer for the MSTP BPDU guard feature. When the timer is deactivated, ports that the feature disables because they receive BPDU packets remain disabled until you manually activate them again with the NO SHUTDOWN command.

NO SPANNING-TREE PORTFAST
Syntax no spanning-tree portfast
Parameters None
Mode Port Interface mode
Description Use this command to remove ports as edge ports on the switch. This command is equivalent to “NO SPANNING-TREE PORTFAST” on page 619.
Example This example removes port 21 as an edge port:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.

NO SPANNING-TREE MSTP ENABLE
Syntax no spanning-tree mstp enable
Parameters None
Mode Global Configuration mode
Description Use this command to disable MSTP on the switch.
Note Before disabling the spanning tree protocol on the switch, display the MSTP states of the ports and disconnect the network cables from any ports that are in the discarding state. Ports that are in the discarding state begin to forward traffic again when MSTP is disabled, which can turn a blocked redundant link into a live loop.

SHOW SPANNING-TREE
Syntax show spanning-tree
Parameters None
Mode Privileged Exec mode
Description Use this command to display the MSTP settings on the switch. An example of the display is shown in Figure 129.

SHOW SPANNING-TREE MST CONFIG
Syntax show spanning-tree mst config
Parameters None
Mode Privileged Exec mode
Description Use this command to display the MSTP configuration information for a bridge. Use the display to check that the digest is the same on this device as for all other devices in the same region. The digest is derived from the VLAN to MSTI associations, so a bridge whose digest differs (or whose configuration name or revision number differs) is not in the region: it forms a region of its own, and only the CIST, not the MSTIs, spans the boundary between the two.
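The following added example (not code from this guide or from Allied Telesis) shows what the region check above amounts to, for both the region definition earlier in Chapter 45 and the digest comparison here: it computes the configuration digest from a VLAN to MSTI mapping and compares name, revision and digest across switches. It assumes the digest is computed as IEEE 802.1Q (originally 802.1s) defines it, HMAC-MD5 over the 4096-entry VID-to-MSTID table with the standard’s fixed signature key; the guide does not state the algorithm, only that the digests must match. The mappings and region names are constructed sample input.

```python
"""MST region identity: name, revision and configuration digest.

Added example, not code from the AT-9000 guide or from Allied Telesis.
Assumption: the digest is computed as IEEE 802.1Q (originally 802.1s)
defines it, HMAC-MD5 over the 4096-entry VID-to-MSTID table using the
standard's fixed signature key below. The guide only says the digest must
match across a region; the key and table layout come from the standard.
"""
import hashlib
import hmac
import struct

# Signature key from the 802.1Q MST configuration digest definition (assumed).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
CIST_ID = 0


def build_config_table(vlan_to_msti):
    """Return the per-VID MSTI table (index = VID 0..4095).

    vlan_to_msti maps MSTI ID -> iterable of VIDs. Every VLAN not listed
    stays in the CIST (ID 0), which is where the switch puts VLANs by
    default. The guide's rules are enforced: MSTI IDs are 1 to 15, and a
    VLAN can belong to only one MSTI at a time.
    """
    table = [CIST_ID] * 4096
    for msti, vids in vlan_to_msti.items():
        if not 1 <= msti <= 15:
            raise ValueError(f"MSTI ID {msti} is outside 1..15")
        for vid in vids:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VID {vid} is outside 1..4094")
            if table[vid] != CIST_ID:
                raise ValueError(f"VLAN {vid} already belongs to MSTI {table[vid]}")
            table[vid] = msti
    return table


def config_digest(vlan_to_msti):
    """HMAC-MD5 over the table as 4096 big-endian 16-bit values, upper-case hex."""
    table = build_config_table(vlan_to_msti)
    data = struct.pack(">4096H", *table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def region_id(name, revision, vlan_to_msti):
    """The three values that must match on every bridge in one region.

    The name is compared exactly (case matters, as the guide says) and is
    limited to the 32 characters the REGION command accepts; the revision
    is 0 to 255 as the REVISION command accepts.
    """
    if len(name) > 32:
        raise ValueError("region name longer than 32 characters")
    if not 0 <= revision <= 255:
        raise ValueError("revision outside 0..255")
    return (name, revision, config_digest(vlan_to_msti))


def same_region(switch_a, switch_b):
    """switch_* are (name, revision, vlan_to_msti) as configured on each bridge."""
    return region_id(*switch_a) == region_id(*switch_b)


if __name__ == "__main__":
    # Constructed sample: three switches, two of which should share a region.
    mapping = {1: [2, 3], 2: [4, 5]}
    sw_a = ("Region1", 1, mapping)
    sw_b = ("Region1", 1, {1: [3, 2], 2: [5, 4]})   # same mapping, listed in another order
    sw_c = ("region1", 1, mapping)                   # name differs only in case
    print("A/B same region:", same_region(sw_a, sw_b))
    print("A/C same region:", same_region(sw_a, sw_c))
    print("digest with every VLAN in the CIST:", config_digest({}))
```

With every VLAN left in the CIST the function returns the well-known default digest that MSTP switches display before any instance is configured; moving a single VLAN into an MSTI changes it, which is why the SHOW SPANNING-TREE MST CONFIG output is the quickest way to see whether two switches really are in one region.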
SHOW SPANNING-TREE MST
Syntax show spanning-tree mst
Parameters None
Mode Privileged Exec mode
Description Use this command to display the MST to VLAN port mapping.
Example This example displays the MST to VLAN port mappings:
awplus> enable
awplus# show spanning-tree mst
An example of the display is shown in Figure 131.

SHOW SPANNING-TREE MST INSTANCE
Syntax show spanning-tree mst instance
Parameters instance Specifies an instance ID. The range is from 1 to 15.
Mode Privileged Exec mode
Description Use this command to display detailed information for a particular instance and all switch ports associated with that instance.

SPANNING-TREE ERRDISABLE-TIMEOUT ENABLE
Syntax spanning-tree errdisable-timeout enable
Parameters None
Mode Global Configuration mode
Description Use this command to activate the timer for the BPDU guard feature. The BPDU guard feature prevents unnecessary domain convergences by disabling edge ports if they receive BPDUs. When the timer is activated, the switch automatically reactivates disabled ports after the interval set with SPANNING-TREE ERRDISABLE-TIMEOUT INTERVAL.

SPANNING-TREE ERRDISABLE-TIMEOUT INTERVAL
Syntax spanning-tree errdisable-timeout interval interval
Parameters interval Specifies the number of seconds that ports remain disabled by the BPDU guard feature. The range is 10 to 1000000 seconds. The default is 300 seconds.
Mode Global Configuration mode
Description Use this command to specify the number of seconds that must elapse before the switch automatically enables ports that are disabled by the BPDU guard feature.

SPANNING-TREE GUARD ROOT
Syntax spanning-tree guard root
Parameters None
Mode Port Interface mode
Description Use this command to enable the Root Guard feature on the specified port. The Root Guard feature ensures that the port on which it is enabled remains a designated port. If a Root-Guard-enabled port receives a superior BPDU, one that would otherwise make it the root port, the port is instead placed in a “root inconsistent” state.
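The added example below (not code from this guide or from Allied Telesis) models what “superior BPDU” means for the bridge priority command, the MSTP Root Guard section in Chapter 45 and SPANNING-TREE GUARD ROOT above: bridge IDs compare as (priority, MAC address) and BPDUs compare field by field with the lowest value winning, so a device that joins with priority 0 takes the root role from every bridge left at the default 32768 unless Root Guard holds the port in the root inconsistent state. The MAC addresses, port numbers and the topology in rogue_scenario() are constructed.

```python
"""Root bridge election, superior BPDUs and Root Guard.

Added example, not code from the AT-9000 guide or from Allied Telesis. It
models what the guide's "superior BPDU" wording refers to: bridge IDs compare
as (priority, MAC address) and BPDUs compare field by field, lowest wins. A
bridge that joins with priority 0 therefore takes the root role from bridges
left at the default 32768 unless Root Guard blocks it. MAC addresses, port
numbers and the topology in rogue_scenario() are constructed sample input.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # 0 to 61440 in increments of 4096, as SPANNING-TREE PRIORITY accepts
    mac: int        # 48-bit address held as an integer so ordering is numeric

    def __post_init__(self):
        if not (0 <= self.priority <= 61440 and self.priority % 4096 == 0):
            raise ValueError("bridge priority must be 0..61440 in steps of 4096")


def bridge_id(priority, mac_text):
    """Build a BridgeId from a priority and a colon-separated MAC string."""
    return BridgeId(priority, int(mac_text.replace(":", ""), 16))


@dataclass(frozen=True, order=True)
class Bpdu:
    """The fields compared, in this order, to decide which BPDU is superior."""
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port: int


def is_superior(candidate, current):
    """A BPDU is superior when its field tuple is strictly lower."""
    return candidate < current


def elect_root(bridge_ids):
    """The bridge with the lowest (priority, MAC) becomes the root bridge."""
    return min(bridge_ids)


@dataclass
class Port:
    number: int
    root_guard: bool = False   # SPANNING-TREE GUARD ROOT applied to this port
    state: str = "designated"


@dataclass
class Bridge:
    my_id: BridgeId
    ports: dict = field(default_factory=dict)
    root_id: BridgeId = None
    root_port: int = None

    def __post_init__(self):
        if self.root_id is None:
            self.root_id = self.my_id   # every bridge starts out believing it is root

    def receive(self, port_number, bpdu):
        """Process a BPDU arriving on a port and return that port's new state."""
        port = self.ports[port_number]
        claims_better_root = bpdu.root_id < self.root_id
        if claims_better_root and port.root_guard:
            # As the guide describes: a Root Guard port that receives a superior
            # BPDU goes "root inconsistent" instead of becoming a root port, so
            # the root bridge this switch recognises does not change.
            port.state = "root-inconsistent"
        elif claims_better_root:
            self.root_id = bpdu.root_id
            self.root_port = port_number
            port.state = "root"
        return port.state


def rogue_scenario(root_guard_on_edge):
    """Constructed topology: intended root A is uplinked to B on port 1; an
    unauthorised device claiming priority 0 appears on B's port 5.
    Returns (root bridge B ends up with, state of port 5)."""
    sw_a = Bridge(bridge_id(4096, "00:00:cd:00:00:01"))
    sw_b = Bridge(bridge_id(32768, "00:00:cd:00:00:02"),
                  ports={1: Port(1), 5: Port(5, root_guard=root_guard_on_edge)})
    sw_b.receive(1, Bpdu(sw_a.my_id, 0, sw_a.my_id, 1))
    rogue = bridge_id(0, "00:00:cd:ff:ff:ff")
    state = sw_b.receive(5, Bpdu(rogue, 0, rogue, 1))
    return sw_b.root_id, state


if __name__ == "__main__":
    for guard in (False, True):
        root, state = rogue_scenario(guard)
        print(f"root guard={guard}: root priority {root.priority}, port 5 {state}")
```

Without Root Guard the rogue’s priority-0 BPDU wins the election and port 5 becomes switch B’s root port, pulling traffic toward the unauthorised device; with Root Guard on port 5 the legitimate root is unchanged and port 5 sits in the root inconsistent state.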
SPANNING-TREE MODE MSTP
Syntax spanning-tree mode mstp
Parameters None
Mode Global Configuration mode
Description Use this command to set MSTP as the spanning tree protocol mode.

SPANNING-TREE MSTP ENABLE
Syntax spanning-tree mstp enable
Parameters None
Mode Global Configuration mode
Description Use this command to enable the Multiple Spanning Tree Protocol on the switch. You cannot enable MSTP until you have selected it as the spanning tree mode with SPANNING-TREE MODE MSTP. Once MSTP is enabled, you can set the switch, region, instance, and port parameters.

SPANNING-TREE MST CONFIGURATION
Syntax spanning-tree mst configuration
Parameters None
Mode Global Configuration mode
Description Use this command to enter the MST Configuration mode, in which you name the region, set its revision number, and create instances (see REGION, REVISION, and INSTANCE MSTI-ID VLAN).
Note Only one spanning tree protocol, STP, RSTP, or MSTP, can be active on the switch.

SPANNING-TREE MST INSTANCE
Syntax spanning-tree mst instance <1-15>
Parameters instance Specifies an instance ID. The range is from 1 to 15.
Mode Interface Configuration mode
Description Use this command to associate a Multiple Spanning Tree instance (MSTI) with a port. Before you assign an instance ID to a port, you must create the instance. To create an instance, use the INSTANCE MSTI-ID VLAN command. See “INSTANCE MSTI-ID VLAN” on page 665.

SPANNING-TREE PATH-COST
Syntax spanning-tree path-cost path-cost
Parameters path-cost Specifies the cost of a port to the root bridge. The range is 1 to 200000000.
Mode Port Interface mode
Description Use this command to specify the cost of a port to the root bridge. This cost is combined with the costs of the other ports in the path to the root bridge to determine the total path cost. For MSTP, this command only applies to the path cost for the CIST.

SPANNING-TREE PORTFAST
Syntax spanning-tree portfast
Parameters None
Mode Port Interface mode
Description Use this command to designate edge ports on the switch. Edge ports are not connected to spanning tree devices or to LANs that have spanning tree devices. As a consequence, edge ports do not receive BPDUs. If an edge port starts to receive BPDUs, it is no longer considered an edge port by the switch.

SPANNING-TREE PORTFAST BPDU-GUARD
Syntax spanning-tree portfast bpdu-guard
Parameters None
Mode Global Configuration mode
Description Use this command to enable the BPDU guard feature, which protects the spanning tree domain from unexpected BPDUs on edge ports: the switch monitors edge ports and disables any edge port that receives a BPDU packet. (Root Guard, which handles superior BPDUs on designated ports, is a separate feature; see “SPANNING-TREE GUARD ROOT”.) A disabled port stays down until you re-enable it with NO SHUTDOWN or, if SPANNING-TREE ERRDISABLE-TIMEOUT ENABLE is active, until the interval set with SPANNING-TREE ERRDISABLE-TIMEOUT INTERVAL expires. Use the no version of this command, NO SPANNING-TREE PORTFAST BPDU-GUARD, to disable the BPDU guard feature on the switch.

REGION
Syntax region region-name
Parameters region-name Specifies the name of an MST region. Up to 32 characters.
Mode MST Configuration mode
Description Use this command to name the MSTP region. Every bridge in the region must be given exactly the same name, including the same upper and lowercase lettering.

REVISION
Syntax revision revision-number
Parameters revision-number Specifies the revision number. The range is 0 to 255.
Mode MST Configuration mode
Description Use this command to specify the revision number of the current MST configuration. This value is an arbitrary value that you assign to an MST region, and every bridge in the region must carry the same value. Use the revision number to track the number of times an MST configuration has been updated on the network.
Section VII Virtual LANs This section contains the following chapters: Chapter 47, “Port-based and Tagged VLANs” on page 687 Chapter 48, “Port-based and Tagged VLAN Commands” on page 711 Chapter 49, “GARP VLAN Registration Protocol” on page 731 Chapter 50, “GARP VLAN Registration Protocol Commands” on page 749 Chapter 51, “MAC Address-based VLANs” on page 771 Chapter 52, “MAC Address-based VLAN Commands” on page 787 Chapter 53, “Private Port VLANs” on page 801 Chapter 54, “P
Chapter 47 Port-based and Tagged VLANs
This chapter covers the following topics:
- “Overview” on page 688
- “Port-based VLAN Overview” on page 690
- “Tagged VLAN Overview” on page 696
- “Creating VLANs” on page 701
- “Adding Untagged Ports to VLANs” on page 702
- “Adding Tagged Ports to VLANs” on page 704
- “Removing Untagged Ports from VLANs” on page 706
- “Removing Tagged Ports from VLANs” on page 707
- “Deleting VLANs” on page 708
- “Displaying the VLANs” on page 709
Overview
A VLAN is a group of ports that form a logical Ethernet segment on an Ethernet switch. The ports of a VLAN form an independent traffic domain in which the traffic generated by the nodes remains within the VLAN. VLANs let you segment your network through the switch’s management software so that you can group nodes with related functions into their own separate, logical LAN segments.

Virtual LANs can also span more than one switch. This makes it possible to create VLANs of end nodes that are connected to switches located in different physical locations. The switch supports the following types of VLANs you can create yourself:
- Port-based VLANs
- Tagged VLANs
These VLANs are described in the following sections.

Port-based VLAN Overview
As the “Overview” on page 688 explains, a VLAN consists of a group of ports that form an independent traffic domain on one or more Ethernet switches. Traffic generated by the end nodes remains within their respective VLANs and does not cross over to the end nodes of other VLANs unless there is an interconnection device, such as a router or Layer 3 switch.

For example, if you had a port-based VLAN named Marketing that spanned three switches, assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the management software to do it automatically. If you allow the management software to do it automatically, it selects the next available VID. This is acceptable when you are creating a new, unique VLAN.
Guidelines to Creating a Port-based VLAN
Below are the guidelines to creating a port-based VLAN.
- Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the same VID.
- A port can be an untagged member of only one port-based VLAN at a time.

Port-based Example 1
Figure 132 illustrates an example of one AT-9000 switch with three port-based VLANs. (The Default VLAN is not shown in the following examples.)
Figure 132. Port-based VLAN - Example 1 (figure not reproduced: one AT-9000/28 Gigabit Ethernet Switch and a router, with the Engineering VLAN (VID 3), Sales VLAN (VID 2) and Production VLAN (VID 4))
The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switch.

Port-based Example 2
Figure 133 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two switches.
Figure 133 (figure not reproduced): two AT-9000/28 Gigabit Ethernet Switches and a router; the Sales VLAN (VID 2) and Engineering VLAN (VID 3) appear on both switches, the Production VLAN (VID 4) on the top switch only.

The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches:
Switch | Sales VLAN (VID 2) | Engineering VLAN (VID 3) | Production VLAN (VID 4)
AT-9000 Switch (top) | Ports 1 - 6 (PVID 2) | Ports 9 - 13 (PVID 3) | Ports 17, 19 - 21 (PVID 4)
AT-9000 Switch (bottom) | Ports 2 - 4, 6, 8 (PVID 2) | Ports 16, 18 - 20, 22 (PVID 3) | none
Sales VLAN - This VLAN spans both switches.

Tagged VLAN Overview
The second type of VLAN is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assigned to the ports determine VLAN membership. The VLAN information within an Ethernet frame is referred to as a tag or tagged header.

Note For explanations of VLAN name and VLAN identifier, refer back to “VLAN Name” on page 690 and “VLAN Identifier” on page 690.

Tagged and Untagged Ports
You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, it is usually a combination of both untagged ports and tagged ports. You specify which ports are tagged and which are untagged when you create the VLAN.

Tagged VLAN Example
Figure 134 illustrates how tagged ports can be used to interconnect IEEE 802.1Q based products.
Figure 134 (figure not reproduced): two AT-9000/28 Gigabit Ethernet Switches, a router, a legacy server and an IEEE 802.1Q-compliant server, with the Sales VLAN (VID 2), Engineering VLAN (VID 3) and Production VLAN (VID 4).

The port assignments for the VLANs are described in Table 70.
Table 70.

This example is nearly identical to the “Port-based Example 2” on page 694. Tagged ports have been added to simplify network implementation and management. One of the tagged ports is port 2 on the top switch. This port has been made a tagged member of the three VLANs. It is connected to an IEEE 802.1Q-compliant server, meaning the server can handle frames from multiple VLANs.
Creating VLANs
To create VLANs, use the VLAN command in the VLAN Configuration mode. You must specify a name and a VID for a new VLAN in the command. A name can have up to 20 characters. Giving the VLANs unique names makes them easier to identify. A new VLAN also needs a VID number, which has a range of 2 to 4094. (The VID 1 is reserved for the Default_VLAN.) Each VLAN on the switch must be assigned a unique VID.

Adding Untagged Ports to VLANs
To add a port to a VLAN as an untagged port, it may be necessary to first set its mode with the SWITCHPORT MODE ACCESS command in the Port Interface mode. Once a port’s mode is set to access, it functions as an untagged port. However, this step may not be necessary because the default mode setting for all ports is as untagged ports.

This example designates ports 11 to 18 as untagged ports of a VLAN with the VID 4. The SWITCHPORT MODE ACCESS command is omitted because the example assumes the ports are already designated as untagged ports:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.11-port1.0.

Adding Tagged Ports to VLANs
There are three steps to adding ports as tagged ports to VLANs:
1. Set the mode of the ports to trunk so that they function as tagged ports. This is performed with the SWITCHPORT MODE TRUNK command.
2. Assign the ports to VLANs with the SWITCHPORT TRUNK ALLOWED VLAN command.
3. Specify the VLAN for untagged ingress packets. This VLAN is referred to as the native VLAN. The command is the SWITCHPORT TRUNK NATIVE VLAN command.

This example adds ports 18 to 21 as tagged members to VLANs with the VIDs 7 and 13:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.18-port1.0.21
awplus(config-if)# switchport mode trunk
awplus(config-if)# switchport trunk allowed vlan add 7,13
Although tagged ports are primarily intended to handle tagged packets, they may also handle untagged packets. These are packets that do not have any VLAN IDs.
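The added example below (not code from this guide or from Allied Telesis) ties the three procedures above together: it turns a declarative VLAN plan into the command sequence for creating VLANs, adding untagged ports and adding tagged ports with a native VLAN, and it refuses a plan that breaks a rule the guide states (VID range 2 to 4094, 20-character names, one untagged VLAN per port, VLANs that must already exist) so the mistake surfaces before anything is typed into the switch. Two pieces of syntax are assumptions not shown in this excerpt: that “vlan database” enters the VLAN Configuration mode and that the VLAN command takes the form “vlan <vid> name <name>”. The port and VLAN names in the __main__ block are constructed input.

```python
"""VLAN plan to AT-9000 command sequence, with the guide's rules checked first.

Added example, not code from the AT-9000 guide or from Allied Telesis. It
generates the CLI lines for the procedures above (create VLANs, add untagged
ports, add tagged ports with a native VLAN) and refuses a plan that breaks a
rule the guide states. Assumed syntax not shown in this excerpt: "vlan
database" enters the VLAN Configuration mode and "vlan <vid> name <name>"
creates a VLAN. The interface, switchport mode, switchport access vlan,
switchport trunk allowed vlan and switchport trunk native vlan lines are the
commands the guide documents. Names in the __main__ block are constructed.
"""
import re

DEFAULT_VLAN = 1             # VID 1 is reserved for the Default_VLAN
VID_MIN, VID_MAX = 2, 4094   # VIDs you may assign to new VLANs
NAME_MAX = 20                # VLAN name length limit


def _port_key(name):
    """Sort port names numerically: port1.0.5 before port1.0.18."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", name)]


def validate_plan(vlans, access_ports, trunk_ports):
    """vlans: {vid: name}; access_ports: {port: vid}; trunk_ports:
    {port: {"allowed": [vids], "native": vid (optional)}}. Raises ValueError."""
    names = set()
    for vid, name in vlans.items():
        if not VID_MIN <= vid <= VID_MAX:
            raise ValueError(f"VID {vid} outside {VID_MIN}..{VID_MAX}")
        if not 1 <= len(name) <= NAME_MAX:
            raise ValueError(f"VLAN name {name!r} must be 1..{NAME_MAX} characters")
        if name in names:
            raise ValueError(f"duplicate VLAN name {name!r}")
        names.add(name)
    known = set(vlans) | {DEFAULT_VLAN}
    for port, vid in access_ports.items():
        # A dict gives each port exactly one untagged VLAN, as the guide requires.
        if vid not in known:
            raise ValueError(f"{port}: VLAN {vid} does not exist")
        if port in trunk_ports:
            raise ValueError(f"{port}: a port is either access or trunk, not both")
    for port, spec in trunk_ports.items():
        if not spec.get("allowed"):
            raise ValueError(f"{port}: trunk port with no tagged VLANs")
        for vid in spec["allowed"]:
            if vid not in known:
                raise ValueError(f"{port}: tagged VLAN {vid} does not exist")
        native = spec.get("native", DEFAULT_VLAN)
        if native not in known:
            raise ValueError(f"{port}: native VLAN {native} does not exist")


def plan_to_commands(vlans, access_ports, trunk_ports):
    """Return the CLI lines, in the order you would type them."""
    validate_plan(vlans, access_ports, trunk_ports)
    cmds = ["enable", "configure terminal", "vlan database"]   # assumed mode command
    for vid in sorted(vlans):
        cmds.append(f"vlan {vid} name {vlans[vid]}")            # assumed syntax
    cmds.append("exit")
    for port in sorted(access_ports, key=_port_key):
        cmds += [f"interface {port}", "switchport mode access",
                 f"switchport access vlan {access_ports[port]}", "exit"]
    for port in sorted(trunk_ports, key=_port_key):
        spec = trunk_ports[port]
        allowed = ",".join(str(v) for v in sorted(spec["allowed"]))
        cmds += [f"interface {port}", "switchport mode trunk",
                 f"switchport trunk allowed vlan add {allowed}"]
        native = spec.get("native", DEFAULT_VLAN)
        if native != DEFAULT_VLAN:   # the Default_VLAN is already the native VLAN
            cmds.append(f"switchport trunk native vlan {native}")
        cmds.append("exit")
    return cmds


if __name__ == "__main__":
    plan = ({2: "Sales", 3: "Engineering", 4: "Production"},
            {"port1.0.5": 2, "port1.0.18": 3},
            {"port1.0.24": {"allowed": [2, 3, 4], "native": 4}})
    print("\n".join(plan_to_commands(*plan)))
```

The generator emits one interface block per port rather than the port ranges the guide’s examples use; both forms are accepted, and per-port blocks make a later diff against the running configuration easier to read.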
Removing Untagged Ports from VLANs
To remove untagged ports from their current VLAN assignments and return them to the Default VLAN, use the NO SWITCHPORT ACCESS VLAN command in the Port Interface mode. You do not specify a VLAN ID number in the command because a port can be an untagged member of just one VLAN at a time. The switch removes the designated port from whichever VLAN it is an untagged member of and returns it to the Default_VLAN.

Removing Tagged Ports from VLANs
Use the SWITCHPORT TRUNK ALLOWED VLAN command to remove ports as tagged members from VLANs. This command is actually used for both adding and removing tagged ports. The format of the command when it is used to remove ports is shown here:
switchport trunk allowed vlan none|remove vid
To remove a port from all its tagged VLAN assignments, use the NONE parameter.

Deleting VLANs
To delete VLANs from the switch, use the NO VLAN command in the VLAN Configuration mode. You cannot delete the Default_VLAN. The untagged ports of deleted VLANs are automatically returned to the Default_VLAN.

Displaying the VLANs
To display the VLANs on the switch, use the SHOW VLAN ALL command in the User Exec mode and Privileged Exec mode:
awplus# show vlan all
An example of the information is shown in Figure 135.
Chapter 48 Port-based and Tagged VLAN Commands
The VLAN commands are summarized in Table 71 and described in detail within the chapter.
Table 71. Port-based and Tagged VLAN Commands
Command | Mode | Description
“NO SWITCHPORT ACCESS VLAN” on page 712 | Port Interface | Removes untagged ports from VLANs.
“NO SWITCHPORT TRUNK” on page 713 | Port Interface | Removes the tagged designation from ports.
Chapter 48: Port-based and Tagged VLAN Commands NO SWITCHPORT ACCESS VLAN Syntax no switchport access vlan Parameters None Mode Port Interface mode Description Use this command to return untagged ports to the Default_VLAN. Note You cannot return ports to the Default_VLAN if they are set to the authenticator role for 802.1x port-based network access control. You must first remove the authenticator role. For instructions, refer to “NO DOT1X PORT-CONTROL” on page 922.
AT-9000 Switch Command Line User’s Guide NO SWITCHPORT TRUNK Syntax no switchport trunk Parameters None Mode Port Interface mode Description Use this command to remove the trunk mode from ports. Ports cannot be assigned as tagged ports to VLANs once the trunk mode has been removed. Note You must first remove a port from all tagged VLAN assignments before you can remove its tagged designation. For instructions, refer to “SWITCHPORT TRUNK ALLOWED VLAN” on page 723.
Chapter 48: Port-based and Tagged VLAN Commands NO SWITCHPORT TRUNK NATIVE VLAN Syntax no switchport trunk native vlan Parameters None Mode Port Interface mode Description Use this command to reestablish the Default_VLAN as the native VLAN of tagged ports. The native VLAN of a tagged port specifies the appropriate VLAN for ingress and egress untagged packets. A tagged port can have only one native VLAN.
AT-9000 Switch Command Line User’s Guide NO VLAN Syntax no vlan vid Parameters vid Specifies the VID of the VLAN you want to delete. Mode VLAN Configuration mode Description Use this command to delete port-based or tagged VLANs from the switch. Here are the guidelines to this command: You cannot delete the Default_VLAN. The switch automatically returns the untagged ports of a deleted VLAN to the Default_VLAN, as untagged ports.
Chapter 48: Port-based and Tagged VLAN Commands SHOW VLAN Syntax show vlan vid |all Parameters vid Specifies the VID of the VLAN you want to display. all Specifies all the VLANs on the switch to display. Modes User Exec mode and Privileged Exec mode Description Use this command to display all the tagged and untagged VLANs on the switch. An example of the information is shown in Figure 136.
Table 72. SHOW VLAN Command (Continued)

Parameter     Description
State         The states of the VLANs. A VLAN has an Active state if it has at least one tagged or untagged port and an Inactive state if it does not have any ports.
Member Ports  The untagged (u) and tagged (t) ports of the VLANs.

SWITCHPORT ACCESS VLAN

Syntax
switchport access vlan vid

Parameters
vid Specifies the ID number of the VLAN to which you want to add untagged ports. You can specify only one VID.

Mode
Port Interface mode

Description
Use this command to add untagged ports to VLANs. Please review the following information before using this command:
- The specified VLAN must already exist.
- A port can be an untagged member of only one VLAN at a time.

Examples
This example adds ports 5 and 7 as untagged ports to a VLAN with the VID 12:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.5,port1.0.7
awplus(config-if)# switchport access vlan 12

This example returns port 15 as an untagged port to the Default_VLAN, which has the VID 1:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
SWITCHPORT MODE ACCESS

Syntax
switchport mode access [ingress-filter enable|disable]

Parameters
enable Activates ingress filtering.
disable Disables ingress filtering.

Mode
Port Interface mode

Description
Use this command to designate ports as untagged ports. This is the first of two commands for adding ports as untagged ports to VLANs. The second command is “SWITCHPORT ACCESS VLAN” on page 718. The access mode is the default setting for all ports on the switch.

SWITCHPORT MODE TRUNK

Syntax
switchport mode trunk [ingress-filter enable|disable]

Parameters
enable Activates ingress filtering so the tagged port accepts only tagged packets that have one of its tagged VIDs.
disable Disables ingress filtering so the tagged port accepts all tagged packets.

Mode
Port Interface mode

Description
Use this command to label ports as tagged ports. This is the first of the commands for adding ports as tagged ports to VLANs.

This example designates port 18 as a tagged port and disables ingress filtering so that it accepts all tagged packets:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
SWITCHPORT TRUNK ALLOWED VLAN

Syntaxes for Adding Tagged Ports to VLANs
switchport trunk allowed vlan all
switchport trunk allowed vlan add vid
switchport trunk allowed vlan except vid

Syntaxes for Removing Tagged Ports from VLANs
switchport trunk allowed vlan remove vid
switchport trunk allowed vlan none

Parameters
vlan all Adds the port as a tagged port to all the VLANs on the switch.
add vid Adds the port as a tagged port to the designated VLAN.

- Ports can be tagged members of more than one VLAN at a time.
- The specified VLANs must already exist. To create VLANs, see “VLAN” on page 728.
- Because ports can be tagged members of more than one VLAN at a time, adding a port as a tagged member of a VLAN does not change its other tagged and untagged VLAN assignments.

This example adds ports 22 to 24 as tagged ports to all the VLANs, except for the VLAN with a VID of 11. The example assumes that the ports are already designated as tagged ports:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.22-port1.0.
SWITCHPORT TRUNK NATIVE VLAN

Syntax
switchport trunk native vlan vid|none

Parameters
vid Specifies the VID of the VLAN that will act as the default VLAN for all ingress and egress untagged packets on the tagged port. You can enter just one VID.
none Reestablishes the Default_VLAN as the native VLAN of the port. This is equivalent to the NO form of this command.

This example reestablishes the Default_VLAN as the native VLAN for tagged ports 18 and 20:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.18,port1.0.

VLAN

Syntax
vlan vid [name name]

Parameters
vid Specifies a VLAN identifier. The range is 2 to 4094. The VID 1 is reserved for the Default_VLAN. The VID cannot be the same as the VID of an existing VLAN on the switch. You can specify more than one VID to create more than one VLAN at a time. If this VLAN will be unique in your network, its VID should also be unique.

Description
Use this command to create port-based and tagged VLANs. You can create just one VLAN at a time.
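The membership rules scattered across the command entries above (one untagged VLAN per port, tagged membership only in trunk mode, one native VLAN per trunk port, trunk mode removable only after the tagged assignments are gone, untagged ports of a deleted VLAN returned to the Default_VLAN) are easier to check as a small model. The following is an added example, not Allied Telesis code; it mirrors the commands by name so that a planned change can be validated before it is typed into a switch. Port names and VIDs are constructed, and the treatment of tagged and native assignments on VLAN deletion is an assumption, since the guide only states what happens to untagged ports.

```python
"""Model of the port-based/tagged VLAN rules of Chapter 48 (added example,
not Allied Telesis code). Port names and VLAN names are constructed."""
from dataclasses import dataclass, field

DEFAULT_VID = 1  # VID 1 is reserved for the Default_VLAN


@dataclass
class Port:
    mode: str = "access"            # "access" (untagged) or "trunk" (tagged)
    access_vid: int = DEFAULT_VID   # the single VLAN an access port is untagged in
    tagged_vids: set = field(default_factory=set)
    native_vid: int = DEFAULT_VID   # untagged VLAN of a trunk port


class VlanSwitch:
    def __init__(self, ports):
        self.vlans = {DEFAULT_VID: "Default_VLAN"}
        self.ports = {p: Port() for p in ports}

    def vlan(self, vid, name=None):
        if not 2 <= vid <= 4094:
            raise ValueError("VID must be 2 to 4094; VID 1 is the Default_VLAN")
        if vid in self.vlans:
            raise ValueError(f"VLAN {vid} already exists")
        self.vlans[vid] = name or f"vlan{vid}"

    def no_vlan(self, vid):
        if vid == DEFAULT_VID:
            raise ValueError("the Default_VLAN cannot be deleted")
        del self.vlans[vid]
        for p in self.ports.values():
            if p.access_vid == vid:           # untagged ports go back to the Default_VLAN
                p.access_vid = DEFAULT_VID
            p.tagged_vids.discard(vid)        # assumption: tagged/native refs are cleared too
            if p.native_vid == vid:
                p.native_vid = DEFAULT_VID

    def switchport_mode_trunk(self, port):
        self.ports[port].mode = "trunk"

    def no_switchport_trunk(self, port):
        p = self.ports[port]
        if p.tagged_vids:
            raise ValueError("remove the port from all tagged VLANs first")
        p.mode, p.native_vid = "access", DEFAULT_VID

    def switchport_access_vlan(self, port, vid):
        self._require_vlan(vid)
        self.ports[port].access_vid = vid     # replaces the previous untagged membership

    def switchport_trunk_allowed_add(self, port, vid):
        self._require_vlan(vid)
        p = self._require_trunk(port)
        p.tagged_vids.add(vid)                # tagged membership in many VLANs is allowed

    def switchport_trunk_allowed_remove(self, port, vid):
        self.ports[port].tagged_vids.discard(vid)

    def switchport_trunk_native_vlan(self, port, vid):
        self._require_vlan(vid)
        self._require_trunk(port).native_vid = vid

    def show_vlan(self):
        """Per-VLAN state and member ports in the (u)/(t) notation of Table 72."""
        out = {}
        for vid in self.vlans:
            members = []
            for name, p in self.ports.items():
                untagged = p.native_vid if p.mode == "trunk" else p.access_vid
                if untagged == vid:
                    members.append(f"{name}(u)")
                if vid in p.tagged_vids:
                    members.append(f"{name}(t)")
            out[vid] = {"state": "Active" if members else "Inactive", "members": members}
        return out

    def _require_vlan(self, vid):
        if vid not in self.vlans:
            raise ValueError(f"VLAN {vid} does not exist; create it first")

    def _require_trunk(self, port):
        p = self.ports[port]
        if p.mode != "trunk":
            raise ValueError(f"{port} must be in trunk mode first")
        return p


def demo():
    """Sales VLAN 12 with two access ports and one trunk, then delete VLAN 12."""
    sw = VlanSwitch(["port1.0.5", "port1.0.7", "port1.0.18"])
    sw.vlan(12, "Sales")
    sw.vlan(11)
    sw.switchport_access_vlan("port1.0.5", 12)
    sw.switchport_access_vlan("port1.0.7", 12)
    sw.switchport_mode_trunk("port1.0.18")
    sw.switchport_trunk_allowed_add("port1.0.18", 12)
    sw.switchport_trunk_native_vlan("port1.0.18", 11)
    before = sw.show_vlan()
    sw.no_vlan(12)   # ports 5 and 7 fall back to the Default_VLAN as untagged ports
    return before, sw.show_vlan()
```

The model deliberately rejects the same things the switch rejects (an unknown VID, tagged membership on an access port, dropping trunk mode while tagged assignments remain), so a failed call in the model is a change that would also fail or misbehave on the switch.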
Chapter 49
GARP VLAN Registration Protocol

This chapter covers the following topics:
- “Overview” on page 732
- “Guidelines” on page 735
- “GVRP and Network Security” on page 736
- “GVRP-inactive Intermediate Switches” on page 737
- “Enabling GVRP on the Switch” on page 738
- “Enabling GIP on the Switch” on page 739
- “Enabling GVRP on the Ports” on page 740
- “Setting the GVRP Timers” on page 741
- “Disabling GVRP Timers on the Switch” on page 742
- “Disabling GVRP on the Ports” on pag

Overview
The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information and to use the information to modify existing VLANs or create new VLANs, automatically. This makes it easier to manage VLANs that span more than one switch. Without GVRP, you have to manually configure your switches to ensure that the various parts of the VLANs can communicate with each other across the different switches.

Figure 137 provides an example of how GVRP works.

[Figure 137. GVRP Example. Figure labels: Switch #1, Port 1, Static VLAN Sales VID 11; Switch #2, Port 2, Port 3; Switch #3, Port 4, Static VLAN Sales VID 11.]

The example consists of three switches. Switches #1 and #3 have the Sales VLAN, but switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLANs cannot communicate with each other.
Without GVRP, you would have to manually add the Sales VLAN to switch #2. But with GVRP, the VLAN is added automatically. Here is how GVRP would resolve the problem in the example.

1. Port 1 on switch #1 sends to port 2 on switch #2 a PDU that contains the VIDs of all the VLANs on the switch, including VID 11 for the Sales VLAN.
2. Switch #2 examines the PDU it receives on port 2 and notes that it does not have a VLAN with a VID 11.

Guidelines
Here are the guidelines for GVRP:
- GVRP is supported with STP, RSTP, MSTP or without spanning tree.
- Both ports that constitute a network link between the switch and the other device must be running GVRP.
- You cannot modify or delete dynamic GVRP VLANs.
- You cannot remove dynamic GVRP ports from static or dynamic VLANs.
GVRP and Network Security
GVRP should be used with caution because it can expose your network to unauthorized access. If a network intruder were to connect to a switch port running GVRP and transmit a bogus GVRP PDU containing VIDs of restricted VLANs, GVRP would make the port a member of the VLANs, giving the intruder access to restricted areas of your network.

GVRP-inactive Intermediate Switches
If two GVRP-active devices are separated by a GVRP-inactive switch, the GVRP-active devices may not be able to share VLAN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs that it receives from the GVRP-active switches. GVRP PDUs are management frames, intended for the switch’s CPU.
Enabling GVRP on the Switch
The command for enabling GVRP on the switch is found in the Global Configuration mode. It is the GVRP ENABLE command. After the command is entered, the switch immediately begins to transmit PDUs from those ports where GVRP is enabled and to learn dynamic GVRP VLANs. Here is the command:

awplus> enable
awplus# configure terminal
awplus(config)# gvrp enable

For reference information, refer to “GVRP ENABLE” on page 754.

Enabling GIP on the Switch
The GARP Information Propagation (GIP) component can be enabled separately from GVRP on the switch. GIP must be enabled if the switch is using GVRP. The command for activating GIP is the GVRP APPLICANT STATE ACTIVE command in the Global Configuration mode. Here is the command:

awplus> enable
awplus# configure terminal
awplus(config)# gvrp applicant state active

For reference information, refer to “GVRP APPLICANT STATE ACTIVE” on page 752.

Enabling GVRP on the Ports
To activate GVRP on the ports so that they transmit GVRP PDUs, use the GVRP REGISTRATION NORMAL command in the Port Interface mode. Because the default setting for GVRP on the ports is enabled, you should only need to use this command if you want to enable GVRP after disabling it on a port. This example of the command activates GVRP on ports 12, 13 and 17:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
Setting the GVRP Timers
The switch has a Join Timer, a Leave Timer, and a Leave All Timer. You should not change the timers unless you understand their functions. (Refer to the IEEE 802.1p standard for the definitions.

Disabling GVRP Timers on the Switch
To disable GVRP timer configurations, use the NO GVRP TIMER commands in the Global Configuration mode. They are:

no gvrp timer join
no gvrp timer leave
no gvrp timer leaveall

Use these commands to reset GVRP timers to the default values for each individual parameter.

Disabling GVRP on the Ports
To disable GVRP on the ports, use the GVRP REGISTRATION NONE command in the Port Interface mode. This example of the command deactivates GVRP on ports 4 and 5:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.4-1.0.5
awplus(config-if)# gvrp registration none

For reference information, refer to “GVRP REGISTRATION” on page 755.
Disabling GIP on the Switch
You can disable the GARP Information Propagation (GIP) component separately from GVRP on the switch. GIP must be enabled if the switch is using GVRP. There is never any reason to disable GIP. Even if the switch is not performing GVRP, you can still leave GIP enabled. The command for disabling GIP is the GVRP APPLICANT STATE NORMAL command.

Disabling GVRP on the Switch
To disable GVRP so that the switch stops learning any further dynamic VLANs or GVRP ports, use the NO GVRP ENABLE command in the Global Configuration mode. Here is the command:

awplus> enable
awplus# configure terminal
awplus(config)# no gvrp enable

For reference information, refer to “NO GVRP ENABLE” on page 759.

Restoring the GVRP Default Settings
To disable GVRP and to return the timers to their default settings, use the PURGE GVRP command in the Global Configuration mode:

awplus> enable
awplus# configure terminal
awplus(config)# purge gvrp

For reference information, refer to “PURGE GVRP” on page 763.

Displaying GVRP
Although there are five commands that display GVRP information, you will probably only need the SHOW GVRP TIMER command in the Privileged Exec mode. This command displays the status of GVRP and GIP on the switch and the three timer settings. Here is the command:

awplus# show gvrp timer

Here is an example of the information the command provides.

GVRP Status ............
GVRP GIP Status ........
GVRP Join Timer ........
GVRP Leave Timer .......
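The “GVRP and Network Security” section above makes the operational point: GVRP is enabled on every port by default, so a port that has not been given “gvrp registration none” will honour GVRP PDUs from whatever is plugged into it. A defender wants to know which ports are in that state without reading the whole configuration by hand. The following is an added example, not Allied Telesis code: it reads a running configuration in the form the commands of this chapter produce, expands the interface ranges (the guide writes them both as port1.0.22-port1.0.24 and as port1.0.4-1.0.5), lists every configured port that is not a declared uplink and still lacks “gvrp registration none”, and checks the three timers against the ranges, defaults and Join/Leave relation given in Chapter 50. The configuration text, the uplink list and the audit function names are constructed for the example.

```python
"""GVRP exposure audit over an AlliedWare Plus style running configuration.
Added example, not Allied Telesis code; SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
!
gvrp enable
gvrp applicant state active
gvrp timer join 20
gvrp timer leave 60
gvrp timer leaveall 1000
!
interface port1.0.1-port1.0.3
 switchport mode access
 gvrp registration none
!
interface port1.0.4-1.0.5
 switchport mode access
 gvrp registration none
!
interface port1.0.6
 switchport mode access
!
interface port1.0.24
 switchport mode trunk
 switchport trunk allowed vlan add 11
!
"""

# Ranges and defaults in centiseconds, as given in the GVRP TIMER entries.
TIMER_RANGES = {"join": (20, 60), "leave": (30, 180), "leaveall": (500, 3000)}
TIMER_DEFAULTS = {"join": 20, "leave": 60, "leaveall": 1000}

PORT_RE = re.compile(r"port(\d+)\.(\d+)\.(\d+)")


def expand_ports(spec):
    """Expand comma lists and ranges in either spelling into single port names."""
    ports = []
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            if not hi.startswith("port"):          # 'port1.0.4-1.0.5' form
                hi = "port" + hi
            a, b = PORT_RE.fullmatch(lo), PORT_RE.fullmatch(hi)
            if not (a and b) or a.group(1, 2) != b.group(1, 2):
                raise ValueError(f"bad port range: {item}")
            for n in range(int(a.group(3)), int(b.group(3)) + 1):
                ports.append(f"port{a.group(1)}.{a.group(2)}.{n}")
        else:
            if not PORT_RE.fullmatch(item):
                raise ValueError(f"bad port: {item}")
            ports.append(item)
    return ports


def parse_config(text):
    """Split a running config into global lines and per-port interface lines."""
    global_lines, per_port, current = [], {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":               # '!' ends an interface block
            current = []
            continue
        if line.startswith("interface "):
            current = expand_ports(line.split(None, 1)[1])
            for p in current:
                per_port.setdefault(p, [])
        elif line.startswith(" ") and current:    # indented: Port Interface mode line
            for p in current:
                per_port[p].append(line.strip())
        else:
            global_lines.append(line)
    return global_lines, per_port


def audit_gvrp(text, uplink_ports=()):
    """Report GVRP status, edge ports still accepting GVRP, and timer problems."""
    global_lines, per_port = parse_config(text)
    exposed = sorted(p for p, lines in per_port.items()
                     if p not in uplink_ports and "gvrp registration none" not in lines)
    timers = dict(TIMER_DEFAULTS)                 # a timer not in the config is at its default
    for line in global_lines:
        m = re.fullmatch(r"gvrp timer (join|leave|leaveall) (\d+)", line)
        if m:
            timers[m.group(1)] = int(m.group(2))
    issues = []
    for name, val in timers.items():
        lo, hi = TIMER_RANGES[name]
        if not lo <= val <= hi:
            issues.append(f"{name} timer {val} outside {lo}-{hi} centiseconds")
    if not timers["join"] <= 2 * timers["leave"]:  # relation as stated in the NO GVRP TIMER entries
        issues.append("Join Timer exceeds 2 x Leave Timer")
    return {"gvrp_enabled": "gvrp enable" in global_lines,
            "exposed_ports": exposed, "timers": timers, "timer_issues": issues}
```

One caveat matters when reading the result: a port that has no interface stanza at all never appears in the configuration, yet it is at the default (GVRP enabled). A complete audit therefore feeds the full port list of the switch model into the check, not only the ports the configuration mentions.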
Chapter 50
GARP VLAN Registration Protocol Commands

The GARP VLAN registration protocol commands are summarized in Table 73 and described in detail within the chapter.

Table 73. GARP VLAN Registration Protocol Commands

Command                                       Mode                            Description
“CONVERT DYNAMIC VLAN” on page 751            VLAN Configuration              Converts dynamic GVRP VLANs and port assignments to static.
“GVRP APPLICANT STATE ACTIVE” on page 752     Global Configuration            Enables GIP on the switch.

Table 73. GARP VLAN Registration Protocol Commands (Continued)

Command                                       Mode                            Description
“SHOW GVRP APPLICANT” on page 764             User Exec and Privileged Exec   Displays parameters for the GIP-connected ring for the GARP application.
“SHOW GVRP CONFIGURATION” on page 765         User Exec and Privileged Exec   Displays parameters for the internal database for the GARP application.
CONVERT DYNAMIC VLAN

Syntax
convert dynamic vlan

Parameters
None

Mode
VLAN Configuration mode

Description
Use this command to convert dynamic GVRP VLANs and dynamic GVRP port assignments to static VLANs and static port assignments.

GVRP APPLICANT STATE ACTIVE

Syntax
gvrp applicant state active

Parameters
None

Mode
Global Configuration mode

Description
Use this command to enable GIP on the switch. GIP must be enabled for GVRP to operate properly.

GVRP APPLICANT STATE NORMAL

Syntax
gvrp applicant state normal

Parameters
None

Mode
Global Configuration mode

Description
Use this command to disable GIP on the switch.

Note
Do not disable GIP if the switch is running GVRP. GIP is required for proper GVRP operation.

GVRP ENABLE

Syntax
gvrp enable

Parameters
None

Mode
Global Configuration mode

Description
Use this command to enable GVRP on the switch.

GVRP REGISTRATION

Syntax
gvrp registration normal|none

Parameters
normal Enables GVRP on a port. This is the default setting.
none Disables GVRP on a port.

Mode
Port Interface mode

Description
Use this command to enable or disable GVRP on a port. A port where GVRP is enabled transmits GVRP PDUs. A port where GVRP is disabled does not send GVRP PDUs.
GVRP TIMER JOIN

Syntax
gvrp timer join value

Parameters
value Specifies the Join Timer in centiseconds, which are one hundredths of a second. The range is 20 to 60 centiseconds. The default is 20 centiseconds.

Mode
Global Configuration mode

Description
Use this command to set the GARP Join Timer.

GVRP TIMER LEAVE

Syntax
gvrp timer leave value

Parameters
value Specifies the Leave Timer in centiseconds, which are one hundredths of a second. The range is 30 to 180 centiseconds. The default is 60 centiseconds.

Mode
Global Configuration mode

Description
Use this command to set the GARP Leave Timer.

Note
The setting for this timer must be the same on all GVRP-active network devices.

Example
This command sets the Leave Timer to 0.

GVRP TIMER LEAVEALL

Syntax
gvrp timer leaveall value

Parameters
value Specifies the Leave All Timer in centiseconds. The range is 500 to 3000 centiseconds. The default is 1000 centiseconds.

Mode
Global Configuration mode

Description
Use this command to set the GARP Leave All timer.

Note
The settings for this timer must be the same on all GVRP-active network devices.

NO GVRP ENABLE

Syntax
no gvrp enable

Parameters
None

Mode
Global Configuration mode

Description
Use this command to disable GVRP on the switch.
NO GVRP TIMER JOIN

Syntax
no gvrp timer join

Parameters
None

Mode
Global Configuration mode

Description
Use this command to remove the GVRP Join Timer configuration and return the GVRP Join Timer to its default value. This timer must only be disabled in relation to the GVRP Leave Timer according to the following equation:

Join Timer <= (2 x (GVRP Leave Timer))

Note
The setting for this timer must be the same on all GVRP-active network devices.

NO GVRP TIMER LEAVE

Syntax
no gvrp timer leave

Parameters
None

Mode
Global Configuration mode

Description
Use this command to remove the GARP Leave Timer configuration and return the GVRP Leave Timer to its default value. This timer must only be disabled in relation to the GVRP Join Timer according to the following equation:

Join Timer <= (2 x (GVRP Leave Timer))

Note
The setting for this timer must be the same on all GVRP-active network devices.

NO GVRP TIMER LEAVEALL

Syntax
no gvrp timer leaveall

Parameters
None

Mode
Global Configuration mode

Description
Use this command to remove the GARP Leave All timer configuration and return the GVRP Leave All timer to its default value.

Note
The settings for this timer must be the same on all GVRP-active network devices.

PURGE GVRP

Syntax
purge gvrp

Parameters
None

Mode
Global Configuration mode

Description
Use this command to disable GVRP on the switch and to return the timers to their default values.
SHOW GVRP APPLICANT

Syntax
show gvrp applicant

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the following parameters for the GIP-connected ring for the GARP application:
- GARP Application
- GIP contact
- STP ID

Example
This example displays the GIP-connected ring parameters:

awplus# show gvrp applicant

SHOW GVRP CONFIGURATION

Syntax
show gvrp configuration

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the following parameters for the internal database for the GARP application. Each attribute is represented by a GID index within the GARP application.

SHOW GVRP MACHINE

Syntax
show gvrp machine

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the following parameters for the GID state machines for the GARP application. The output is shown on a per-GID index basis; each attribute is represented by a GID index within the GARP application.
SHOW GVRP STATISTICS

Syntax
show gvrp statistics

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the current values of the following GARP packet and message counters:
- GARP application
- Receive: Total GARP Packets
- Transmit: Total GARP Packets
- Receive: Invalid GARP Packets
- Receive Discarded: GARP Disabled
- Receive Discarded: Port Not Listening
- Transmit Discarded: Port Not Sending
- Receive Discarded: Inval
- Receive GARP Messages: Empty
- Transmit GARP Messages: Empty
- Receive GARP Messages: Bad Message
- Receive GARP Messages: Bad Attribute

Example
This example displays the values of GARP packet and message counters:

awplus# show gvrp statistics

SHOW GVRP TIMER

Syntax
show gvrp timer

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the current values for the following GARP application parameters:
- GARP application protocol
- GVRP status
- GVRP GIP status
- GVRP Join Time
- GVRP Leave Time
- GVRP Leaveall Time
- Port information
- Mode

Example
This example displays the values of the GARP application parameters:

awplus# show gvrp timer
Chapter 51
MAC Address-based VLANs

This chapter contains the following topics:
- “Overview” on page 772
- “Guidelines” on page 777
- “General Steps” on page 778
- “Creating MAC Address-based VLANs” on page 779
- “Adding MAC Addresses to VLANs and Designating Egress Ports” on page 780
- “Removing MAC Addresses” on page 781
- “Deleting VLANs” on page 782
- “Displaying VLANs” on page 783
- “Example of Creating a MAC Address-based VLAN” on page 784

Overview
As explained in Chapter 47, “Port-based and Tagged VLANs” on page 687, VLANs are used to create independent LAN segments within a network and are typically employed to improve network performance or security. The AT-9000 Switch offers several different types of VLANs, including port-based, tagged, and private VLANs.

Table 74.

Table 75.
VLANs that Span Switches
If the packet’s destination MAC address is in the MAC address table, but the port where the address was learned is not one of the VLAN’s egress ports, the switch discards the packet. To create a MAC address-based VLAN that spans switches, you must replicate the MAC addresses of the VLAN nodes on all the switches where the VLAN exists. The same MAC address-based VLAN on different switches must have the same list of MAC addresses.

Table 76.

Guidelines
Here are the guidelines for MAC address-based VLANs:
- The switch can support up to a total of 4094 port-based, tagged, private, and MAC address-based VLANs.
- The egress ports of a MAC address-based VLAN function as a community in that assigning a port to one MAC address implicitly defines that port as an egress port of all the addresses in the same VLAN.

General Steps
There are three main steps to creating a MAC address-based VLAN:

1. Use the VLAN MACADDRESS command in the VLAN Configuration mode to assign a name and a VID to the new VLAN, and to designate the VLAN as a MAC address-based VLAN.
2. Use the VLAN SET MACADDRESS command in the Global Configuration mode to assign the MAC addresses to the VLAN.
3. Use the VLAN SET MACADDRESS command in the Port Interface mode to assign the MAC addresses to the egress ports.
Creating MAC Address-based VLANs
The VLAN MACADDRESS command in the VLAN Configuration mode is the first command in creating this type of VLAN. This command assigns a new VLAN a name and a VID. Here is the format of the command:

vlan vid name name type macaddress

The range of the VID is 2 to 4094. The VID of the VLAN must be unique from all other VLANs on the switch. The name of a VLAN can be up to 20 characters.

Adding MAC Addresses to VLANs and Designating Egress Ports
The MAC addresses and egress ports are specified with the VLAN SET MACADDRESS command in the Global Configuration mode and Port Interface mode. Enter the command in the Global Configuration mode when you want to add MAC addresses to VLANs. To designate the egress ports of addresses, enter the same command in the Port Interface mode.

Removing MAC Addresses
To remove MAC addresses from egress ports in a MAC address-based VLAN, use the NO VLAN MACADDRESS command in the Port Interface mode. This example of the command removes the MAC address 11:8A:92:CE:76:28 from ports 6 to 8, in a VLAN that has the VID 23:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.6-port1.0.

Deleting VLANs
To delete MAC address-based VLANs from the switch, use the NO VLAN command in the VLAN Configuration mode. You can delete only one VLAN at a time.
Displaying VLANs
To display the MAC address-based VLANs on the switch, use the SHOW VLAN MACADDRESS command in the Privileged Exec mode:

awplus# show vlan macaddress

An example is shown in Figure 140.

VLAN 5 MAC Associations:
Total number of associated MAC addresses: 5
------------------------------------------------
MAC Address          Ports
------------------------------------------------
5A:9E:84:31:23:85    port1.0.13-port1.0.18
1A:87:9B:52:36:D5    port1.0.

Example of Creating a MAC Address-based VLAN
Here is an example of how to create this type of VLAN. This example creates the VLAN detailed in Table 75 on page 774. The example is named Sales and given the VID 21:

awplus> enable
Enter the Privileged Executive mode from the User Executive mode.

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# vlan database
Use the VLAN DATABASE command to enter the VLAN Configuration mode.

Use the VLAN SET MACADDRESS command in the Port Interface mode to designate port 1 as an egress port of all the MAC addresses.
Chapter 52
MAC Address-based VLAN Commands

The MAC address-based VLAN commands are summarized in Table 77 and described in detail within the chapter.

Table 77. MAC Address-based VLAN Commands

Command                                                      Mode                   Description
“NO VLAN” on page 788                                        VLAN Configuration     Deletes VLANs from the switch.
“NO VLAN MACADDRESS (Global Configuration Mode)” on page 789 Global Configuration   Removes MAC addresses from VLANs.

NO VLAN

Syntax
no vlan vid

Parameters
vid Specifies the VID of the VLAN you want to delete. You can specify just one VID.

Mode
VLAN Configuration mode

Description
Use this command to delete MAC address-based VLANs from the switch. You can delete only one VLAN at a time with this command.
NO VLAN MACADDRESS (Global Configuration Mode)

Syntax
no vlan vid macaddress|destaddress mac-address

Parameters
vid Specifies the VID of the VLAN to be modified.
mac-address Specifies the MAC address to be removed from the VLAN. The MAC address must be entered in this format: xx:xx:xx:xx:xx:xx

Note
The MACADDRESS and DESTADDRESS keywords are equivalent.

NO VLAN MACADDRESS (Port Interface Mode)

Syntax
no vlan vid macaddress|destaddress mac-address

Parameters
vid Specifies the VID of the VLAN to be modified.
mac-address Specifies the MAC address to be removed from the VLAN. The MAC address must be entered in this format: xx:xx:xx:xx:xx:xx

Note
The MACADDRESS and DESTADDRESS keywords are equivalent.

This example removes the MAC address 00:30:84:75:11:B2 from the egress ports 11 to 14 in a VLAN with the VID 24:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.11-port1.0.

SHOW VLAN MACADDRESS

Syntax
show vlan macaddress

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the MAC addresses and the egress ports of the MAC address-based VLANs on the switch. An example is shown in Figure 141.

VLAN 11 MAC Associations:
Total number of associated MAC addresses: 5
------------------------------------------------
MAC Address          Ports
------------------------------------------------
5A:9E:84:31:23:85    port1.0.
The information is described here.

Table 78. SHOW VLAN MACADDRESS Command

Parameter                                  Description
VLAN VID MAC Associations                  The VID of the MAC address-based VLAN.
Total Number of Associated MAC Addresses   Total number of MAC addresses that are assigned to the VLAN.
MAC Address                                The MAC addresses of the VLAN.
Ports                                      The egress ports of the MAC addresses.
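Because a MAC address-based VLAN that spans switches must carry the same list of MAC addresses on every switch (see “VLANs that Span Switches” in Chapter 51), the SHOW VLAN MACADDRESS display of each switch is the natural input for a consistency check. The following is an added example, not Allied Telesis code: it parses the display in the layout of Figures 140 and 141 into a per-VID map of MAC address to egress ports, cross-checks the parsed rows against the “Total number of associated MAC addresses” line, and reports the addresses present on only one of two switches. The two displays are constructed, and the switch names and function names are assumptions for the example; MAC addresses are normalized to lower case because the switch displays them in upper case while the commands accept either.

```python
"""Parser and cross-switch consistency check for SHOW VLAN MACADDRESS output.
Added example, not Allied Telesis code; both displays below are constructed."""
import re

SWITCH_A = """\
VLAN 11 MAC Associations:
Total number of associated MAC addresses: 3
------------------------------------------------
MAC Address          Ports
------------------------------------------------
5A:9E:84:31:23:85    port1.0.13-port1.0.18
1A:87:9B:52:36:D5    port1.0.2,port1.0.4
00:30:84:75:11:B2    port1.0.1

VLAN 12 MAC Associations:
Total number of associated MAC addresses: 1
------------------------------------------------
MAC Address          Ports
------------------------------------------------
00:30:84:32:76:1A    port1.0.7
"""

SWITCH_B = """\
VLAN 11 MAC Associations:
Total number of associated MAC addresses: 3
------------------------------------------------
MAC Address          Ports
------------------------------------------------
5A:9E:84:31:23:85    port1.0.20
1A:87:9B:52:36:D5    port1.0.21
00:30:84:99:99:99    port1.0.22

VLAN 12 MAC Associations:
Total number of associated MAC addresses: 1
------------------------------------------------
MAC Address          Ports
------------------------------------------------
00:30:84:32:76:1A    port1.0.9
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")   # xx:xx:xx:xx:xx:xx
VLAN_RE = re.compile(r"^VLAN (\d+) MAC Associations:")
TOTAL_RE = re.compile(r"^Total number of associated MAC addresses: (\d+)")


def normalize_mac(mac):
    """Accept only the command's xx:xx:xx:xx:xx:xx format; compare case-insensitively."""
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC must be in xx:xx:xx:xx:xx:xx format, got {mac!r}")
    return mac.lower()


def parse_show_vlan_macaddress(text):
    """Return {vid: {mac: ports}} and verify each VLAN's declared address count."""
    vlans, declared, vid = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            vid = int(m.group(1))
            vlans[vid] = {}
            continue
        m = TOTAL_RE.match(line)
        if m:
            declared[vid] = int(m.group(1))
            continue
        if not line or line.startswith("-") or line.startswith("MAC Address"):
            continue                              # separators and column header
        mac, ports = line.split(None, 1)          # two columns: MAC address, egress ports
        vlans[vid][normalize_mac(mac)] = ports
    for v, n in declared.items():
        if len(vlans[v]) != n:
            raise ValueError(f"VLAN {v}: display declares {n} addresses, parsed {len(vlans[v])}")
    return vlans


def compare_spanning_vlans(a, b):
    """For each VID seen on either switch, the MACs that exist on one side only."""
    diff = {}
    for vid in sorted(set(a) | set(b)):
        macs_a, macs_b = set(a.get(vid, {})), set(b.get(vid, {}))
        if macs_a != macs_b:
            diff[vid] = {"only_on_a": sorted(macs_a - macs_b),
                         "only_on_b": sorted(macs_b - macs_a)}
    return diff
```

Egress ports are intentionally left out of the comparison: the guide requires the address lists to match across switches, while the egress ports of the same VLAN legitimately differ from switch to switch.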
VLAN MACADDRESS

Syntax
vlan vid name name type macaddress

Parameters
vid Specifies a VLAN identifier in the range of 2 to 4094. VID 1 is reserved for the Default_VLAN. You can specify only one VID. The VID of a VLAN should be unique from all other VLANs in a network, unless a VLAN spans multiple switches, in which case its VID should be the same on all switches on which the VLAN resides.

Example
This example creates a MAC address-based VLAN that has the name Sales and the VID 3:

awplus> enable
awplus# configure terminal
awplus(config)# vlan database
awplus(config-vlan)# vlan 3 name Sales type macaddress

VLAN SET MACADDRESS (Global Configuration Mode)

Syntax
vlan set vid macaddress|destaddress mac-address

Parameters
vid Specifies the VID of the VLAN to be modified.
mac-address Specifies the MAC address to be added to the VLAN. The MAC address must be entered in this format: xx:xx:xx:xx:xx:xx

Note
The MACADDRESS and DESTADDRESS keywords are equivalent.

Mode
Global Configuration mode

Description
Use this command to add MAC addresses to MAC address-based VLANs.

This example adds the MAC address 00:30:84:32:76:1A to a MAC address-based VLAN with the VID 12:

awplus> enable
awplus# configure terminal
awplus(config)# vlan set 12 macaddress 00:30:84:32:76:1a
VLAN SET MACADDRESS (Port Interface Mode)

Syntax
vlan set vid macaddress|destaddress mac-address

Parameters
vid Specifies the VID of the VLAN to be modified.
mac-address Specifies the MAC address to assign to an egress port. The MAC address must be entered in this format: xx:xx:xx:xx:xx:xx

Note
The MACADDRESS and DESTADDRESS keywords are equivalent.

This example assigns the MAC address 00:30:84:75:11:B2 to ports 11 to 14 in a VLAN that has the VID 24:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.1,port1.0.
Chapter 53
Private Port VLANs

This chapter provides the following topics:
- “Overview” on page 802
- “Guidelines” on page 804
- “Creating Private VLANs” on page 805
- “Adding Host and Uplink Ports” on page 806
- “Deleting VLANs” on page 807
- “Displaying Private VLANs” on page 808

Overview
Private VLANs (also called private port VLANs) create special broadcast domains in which the traffic of the member ports is restricted to just uplink ports. Ports in a private VLAN are only allowed to forward traffic to and receive traffic from a designated uplink port, and are prohibited from forwarding traffic to each other. An example application of a private VLAN would be a library in which user booths each have a computer with Internet access.

Private VLAN Functionality
The following describes host and uplink port functionality in a private VLAN, and how private VLANs can be configured.

Host ports:
- Cannot communicate with each other.
- Can communicate with uplink ports.
- Can communicate with appropriately configured trunk ports.

Uplink ports:
- Promiscuous ports:
  – Promiscuous ports act as untagged trunk ports.
  – A private VLAN can have more than one promiscuous port.
Chapter 53: Private Port VLANs Guidelines Here are the guidelines to private VLANs: 804 A private VLAN can have any number of host ports, up to all the ports on the switch, minus the uplink port. A promiscuous port can be an uplink port of just one private VLAN at a time, however, a private VLAN can have more than one uplink port. The host ports of private VLANs are untagged ports, and as such, transmit only untagged traffic.
AT-9000 Switch Command Line User’s Guide Creating Private VLANs The command to initially create private VLANs is the PRIVATE-VLAN command in the VLAN Configuration mode. Here is the command’s format: private-vlan vid The VID number has the range of 2 to 4094. The VID of a private VLAN must be unique from all other VLANs on the switch.
Chapter 53: Private Port VLANs Adding Host and Uplink Ports Private VLANs have host ports and uplink ports. A private VLAN can have more than one uplink port. The devices connected to the hosts ports of a private VLAN can only communicate with the uplink port, and not with each other. The host ports and the uplink port can be added in any order to a private VLAN. The SWITCHPORT MODE PRIVATE-VLAN HOST command in the Port Interface mode is used to add host ports to private VLANs.
AT-9000 Switch Command Line User’s Guide Deleting VLANs To delete private VLANs from the switch, use the NO VLAN command in the VLAN Configuration mode. The host and uplink ports of deleted private VLANs are automatically returned by the switch to the Default_VLAN. Here is the format of the command: no vlan vid The VID parameter is the VID of the private VLAN you want to delete. The command lets you delete only one VLAN at a time. You cannot delete the Default_VLAN.
Displaying Private VLANs

The SHOW VLAN PRIVATE-VLAN command in the Privileged Exec mode displays the private VLANs currently existing on the switch, along with their host and uplink ports. Here is the command:

awplus# show vlan private-vlan

Here is an example of the display.

Private VLANs:
VID   Ports
------------------------------------------------
12    4-8
28    17-24

Figure 142.
Chapter 54
Private Port VLAN Commands

The private port VLAN commands are summarized in Table 79 and described in detail within the chapter.

Table 79. Private Port VLAN Commands

Command                                Mode                Description
“NO VLAN” on page 810                  VLAN Configuration  Deletes VLANs from the switch.
“PRIVATE-VLAN” on page 811             VLAN Configuration  Creates private port VLANs.
“SHOW VLAN PRIVATE-VLAN” on page 812   Privileged Exec     Displays the private port VLANs on the switch.
NO VLAN

Syntax
no vlan vid

Parameters
vid  Specifies the VID of the VLAN you want to delete. You can specify just one VID.

Mode
VLAN Configuration mode

Description
Use this command to delete private port VLANs from the switch. You can delete one VLAN at a time with this command.
PRIVATE-VLAN

Syntax
private-vlan vid

Parameters
vid  Specifies a VLAN identifier. The range is 2 to 4094. The VID 1 is reserved for the Default_VLAN. The VID must be unique from all VIDs of VLANs that currently exist on the switch. You can specify only one VID.

Mode
VLAN Configuration mode

Description
Use this command to create new private port VLANs. You can create just one VLAN at a time.
SHOW VLAN PRIVATE-VLAN

Syntax
show vlan private-vlan

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the private-port VLANs on the switch. Here is an example of the information.

Private VLANs:
VID   Ports
------------------------------------------------
12    4-8
28    17-24

Figure 143.
SWITCHPORT MODE PRIVATE-VLAN HOST

Syntax
switchport mode private-vlan host vid

Parameters
vid  Specifies the VID of a private port VLAN to which ports are to be added as hosts. The VID must be that of an existing private VLAN, in the range 2 to 4094 (VID 1 is the Default_VLAN and cannot be a private VLAN).

Mode
Port Interface mode

Description
Use this command to add host ports to private port VLANs. Devices connected to host ports in a private port VLAN can only communicate with the uplink port.
SWITCHPORT MODE PRIVATE-VLAN PROMISCUOUS

Syntax
switchport mode private-vlan promiscuous vid

Parameters
vid  Specifies the VID of a private port VLAN to which you are adding a promiscuous uplink port.

Mode
Port Interface mode

Description
Use this command to add a promiscuous uplink port to a private port VLAN. A promiscuous port can be an uplink port of just one private VLAN at a time.
Chapter 55
Voice VLAN Commands

The voice VLAN commands are summarized in Table 80 and described in detail within the chapter.

Table 80. Voice VLAN Commands

Command                                  Mode            Description
“NO SWITCHPORT VOICE VLAN” on page 816   Port Interface  Removes ports from voice VLANs.
“SWITCHPORT VOICE DSCP” on page 817      Port Interface  Assigns a DSCP value to a port in a VLAN that carries voice traffic.
“SWITCHPORT VOICE VLAN” on page 818      Port Interface  Adds ports to voice VLANs.
NO SWITCHPORT VOICE VLAN

Syntax
no switchport voice vlan

Parameters
None

Mode
Port Interface mode

Description
Use this command to remove a port from a voice VLAN. A port retains the CoS priority and DSCP values that were assigned to it when it was a voice VLAN member.

Confirmation Command
“SHOW VLAN” on page 716

Example
This example removes ports 7 and 8 from their voice VLAN assignment:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
SWITCHPORT VOICE DSCP

Syntax
switchport voice dscp value

Parameters
value  Specifies a DSCP value of 0 to 63. You can specify only one DSCP value.

Mode
Port Interface mode

Description
Use this command to assign a DSCP value to a port in a voice VLAN. A port transmits this value in its LLDP-MED network policy TLV to an IP phone, which, in turn, sends its packets using this DSCP value. A port can have only one DSCP value.
SWITCHPORT VOICE VLAN

Syntax
switchport voice vlan vid

Parameters
vid  Specifies the ID number (VID) of the VLAN that functions as the voice VLAN for ports. You can specify only one VID.

Mode
Port Interface mode

Description
Use this command to add a port to a voice VLAN. The VLAN, which must already exist, is identified by its VID. A port is added as a tagged port to the designated VLAN.
Example
This example adds ports 5 through 16 to a voice VLAN that has a VID of 12:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.5-port1.0.
SWITCHPORT VOICE VLAN PRIORITY

Syntax
switchport voice vlan priority value

Parameters
value  Specifies a Class of Service (CoS) value of 0 to 7. You can specify only one CoS value.

Mode
Port Interface mode

Description
Use this command to assign a CoS priority value to a port that is a member of a voice VLAN. The port transmits this value in the LLDP-MED network policy TLV to an IP phone, which, in turn, sends its packets using this CoS value.
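The three voice VLAN commands (SWITCHPORT VOICE VLAN, SWITCHPORT VOICE VLAN PRIORITY and SWITCHPORT VOICE DSCP) each set one field of the LLDP-MED Network Policy TLV the port advertises to the phone. The Python below is an added example, not code from this guide or from Allied Telesis: it encodes and decodes that TLV in the ANSI/TIA-1057 layout so the VLAN, CoS and DSCP a port actually advertises can be checked from a capture taken on the phone side. The field layout is the standard's; the sample values (VID 12, CoS 5, DSCP 46) are constructed for the demonstration.

```python
"""LLDP-MED Network Policy TLV encoder/decoder (added example, not from the guide).

Builds and parses the TLV carrying the voice VLAN ID, Layer 2 priority (CoS)
and DSCP that a voice-VLAN port sends to an IP phone, per ANSI/TIA-1057.
"""
import struct

LLDP_TLV_ORG_SPECIFIC = 127
TIA_OUI = bytes.fromhex("0012bb")        # ANSI/TIA OUI used by LLDP-MED
MED_SUBTYPE_NETWORK_POLICY = 2
APP_TYPE_VOICE = 1


def encode_network_policy(vid, l2_priority, dscp, app_type=APP_TYPE_VOICE,
                          tagged=True, unknown_policy=False):
    """Return the full TLV (2-byte header + 8-byte payload) as bytes."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID out of range")
    if not 0 <= l2_priority <= 7:
        raise ValueError("CoS priority must be 0-7")
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    # 32-bit policy word: app type(8) | U(1) | T(1) | X(1) | VLAN ID(12) | L2 prio(3) | DSCP(6)
    word = ((app_type << 24) | (int(unknown_policy) << 23) | (int(tagged) << 22)
            | (vid << 9) | (l2_priority << 6) | dscp)
    payload = TIA_OUI + bytes([MED_SUBTYPE_NETWORK_POLICY]) + struct.pack("!I", word)
    # LLDP TLV header: 7-bit type, 9-bit length
    header = struct.pack("!H", (LLDP_TLV_ORG_SPECIFIC << 9) | len(payload))
    return header + payload


def decode_network_policy(tlv):
    """Parse a Network Policy TLV (ours or one captured from a switch) into a dict."""
    (hdr,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = hdr >> 9, hdr & 0x1FF
    payload = tlv[2:2 + length]
    if tlv_type != LLDP_TLV_ORG_SPECIFIC or len(payload) != length or length != 8:
        raise ValueError("not an 8-byte organizationally specific TLV")
    if payload[:3] != TIA_OUI or payload[3] != MED_SUBTYPE_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    (word,) = struct.unpack("!I", payload[4:8])
    return {
        "app_type": word >> 24,
        "unknown_policy": bool((word >> 23) & 1),
        "tagged": bool((word >> 22) & 1),      # voice VLAN ports are tagged members
        "vid": (word >> 9) & 0xFFF,
        "l2_priority": (word >> 6) & 0x7,
        "dscp": word & 0x3F,
    }


def expected_voice_policy(vid, priority, dscp):
    """What a phone should receive after the three voice VLAN commands are applied."""
    return decode_network_policy(encode_network_policy(vid, priority, dscp))


if __name__ == "__main__":
    # Constructed values: voice VLAN 12, CoS 5, DSCP 46 (EF)
    tlv = encode_network_policy(vid=12, l2_priority=5, dscp=46)
    print(tlv.hex())
    print(decode_network_policy(tlv))
```

Comparing the decoded dict against the values configured with the three commands is a quick way to confirm that the phone is being told the intended VLAN and markings, and that the TLV is flagged as tagged.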
Chapter 56
VLAN Stacking

This chapter provides the following topics:

– “Overview” on page 822
– “Components” on page 824
– “VLAN Stacking Process” on page 825
– “Example of VLAN Stacking” on page 826
Overview

VLAN stacking is a way to label tagged and untagged packets with new 802.1Q headers. In the case of tagged packets, which already contain 802.1Q headers, VLAN stacking adds the new headers so that they coexist with the native headers in the packets. This feature is intended for metro Ethernet providers. It allows them to uniquely label the individual packets of the customer traffic they transport over their networks, without having to delete any existing headers.
when they exit the network. The inner VID is native to the packets, but is ignored by the metro provider network.

Figure 144. Metro Provider 802.1Q Header in Tagged Packets

VLAN stacking may also be used with untagged ports, which do not contain 802.1Q headers. The new header is added after the source MAC address and remains in the packets only while the packets are being transported across a metro network.
Components

There are four components to VLAN stacking:

– VLAN
– Customer ports
– Provider port
– EtherType/Length value

VLAN

The boundary between the customer’s network and the metro provider’s network is marked by a VLAN. In cases where the switch is connected to more than one customer, there has to be a different VLAN for each customer. The VID the VLAN is assigned has to be the VID that the metro provider wants to assign to the 802.
VLAN Stacking Process

Figure 146 illustrates the VLAN stacking process.

Figure 146. VLAN Stacking Process

The actions are described in Table 81.

Table 81. VLAN Stacking Process

Step  Action
1     A tagged or an untagged packet from the customer network is received by the customer port on switch A.
2     The customer port adds the new 802.1Q header, giving it the same VID number as the VLAN in which the customer port is a member.

Section III: File System
Example of VLAN Stacking

Here is an example of how to configure VLAN stacking. In the example, the customer’s network is connected to ports 5 and 6 on the switch, and the provider’s network is connected to port 7. Thus, ports 5 and 6 will be designated as customer ports and port 7 as the provider port. The service provider wants to use VID 79 to identify the packets of this customer. So the VID for the new VLAN has to be 79. The VLAN will be assigned the name ABC_Inc.
The next steps add the customer ports to the VLAN.

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# interface port1.0.5-port1.0.6
Enter the Port Interface mode for ports 5 and 6.

awplus(config-if)# switchport mode access
Use the SWITCHPORT MODE ACCESS command to designate the ports as untagged ports.
awplus(config-if)# switchport trunk allowed vlan add 79
Add the port to the VLAN with the SWITCHPORT TRUNK ALLOWED VLAN command.

awplus(config-if)# switchport vlan-stacking provider-port
Use the SWITCHPORT VLAN-STACKING command to designate it as a provider port.

awplus(config-if)# end
Return to the Privileged Exec mode.

awplus# show vlan vlan-stacking
Use the SHOW VLAN VLAN-STACKING command to confirm the port configurations.
awplus(config)# platform vlan-stacking-tpid 8100
Change the EtherType/Length value to 0x8100 with the PLATFORM VLAN-STACKING-TPID command.

awplus(config)# exit
Return to the Privileged Exec mode.

awplus# show vlan vlan-stacking
Use the SHOW VLAN VLAN-STACKING command to confirm the change to the EtherType/Length (TPID) value.

TPID    INTERFACES (c)-Customer-Edge Port, (p)-Provider Port
====    =========
0x8100  port1.0.5(c)
0x8100  port1.0.
0x8100
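To make concrete what the customer port and the provider port do to a frame in the process described in this chapter, and why the TPID value matters, here is an added Python model; it is not part of this guide and not Allied Telesis code. It pushes an outer 802.1Q tag with a configurable TPID directly after the source MAC address, as the Overview describes, strips it again on the way out, and parses the resulting tag stack. The MAC addresses and payload are constructed; TPID 0x9000 is the value shown in the SHOW VLAN VLAN-STACKING output in this guide and 0x8100 is the value set in the example above. The check in pop_outer_tag illustrates the practical caveat: equipment on the provider side only recognizes the outer tag if it is configured with the same TPID, otherwise it sees an unknown EtherType and treats the frame as untagged.

```python
"""802.1Q tag push/pop with a configurable TPID (added example, not from the guide).

Models the VLAN stacking process: a customer port pushes an outer tag whose VID
equals the customer VLAN, the provider port strips it on egress, and the inner
customer tag is carried through untouched.
"""
import struct

TPID_8100 = 0x8100   # plain 802.1Q; set in this chapter's example
TPID_88A8 = 0x88A8   # IEEE 802.1ad S-tag
TPID_9000 = 0x9000   # value shown in the guide's SHOW VLAN VLAN-STACKING output


def build_frame(dst_hex, src_hex, ethertype, payload, vid=None, pcp=0, tpid=TPID_8100):
    """Customer-side frame: untagged, or single-tagged when vid is given."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def push_outer_tag(frame, vid, tpid, pcp=0):
    """Customer port ingress: insert the new tag right after the source MAC (offset 12)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_outer_tag(frame, tpid):
    """Egress toward the customer: remove the outer tag.
    Refuses frames whose outer TPID is not the one this side is configured for,
    which is what happens when two switches disagree on PLATFORM VLAN-STACKING-TPID."""
    (seen,) = struct.unpack("!H", frame[12:14])
    if seen != tpid:
        raise ValueError("outer TPID 0x%04x != configured 0x%04x" % (seen, tpid))
    return frame[:12] + frame[16:]


def parse_tags(frame, tpids=(TPID_8100, TPID_88A8, TPID_9000)):
    """Return ([(tpid, vid), ...] outer first, ethertype) for a frame."""
    tags, off = [], 12
    while True:
        (et,) = struct.unpack("!H", frame[off:off + 2])
        if et not in tpids:
            return tags, et
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((et, tci & 0x0FFF))
        off += 4


def stack_roundtrip(customer_vid, provider_vid, tpid):
    """Tagged customer frame -> provider network -> back to the customer.
    Returns the tag stack as seen in the provider network and whether the
    frame handed back to the customer is byte-identical to the original."""
    # Constructed addresses and payload for the demonstration
    inner = build_frame("ffffffffffff", "0015778b1850", 0x0800,
                        b"\x45" + b"\x00" * 19, vid=customer_vid)
    on_provider = push_outer_tag(inner, provider_vid, tpid)
    tags, _ = parse_tags(on_provider)
    restored = pop_outer_tag(on_provider, tpid)
    return tags, restored == inner


if __name__ == "__main__":
    print(stack_roundtrip(100, 79, TPID_9000))   # customer VLAN 100 inside provider VID 79
    print(stack_roundtrip(100, 79, TPID_8100))
```

The same functions work for an untagged customer frame: push_outer_tag produces a single-tagged frame whose only tag is the provider VID, matching the untagged-port case in the Overview.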
Chapter 57
VLAN Stacking Commands

The VLAN stacking commands are summarized in Table 82.

Table 82. VLAN Stacking Commands

Command                                      Mode                  Description
“NO SWITCHPORT VLAN-STACKING” on page 832    Port Interface        Removes ports from VLAN stacking.
“PLATFORM VLAN-STACKING-TPID” on page 833    Global Configuration  Specifies the Tag Protocol Identifier (TPID) value.
NO SWITCHPORT VLAN-STACKING

Syntax
no switchport vlan-stacking

Parameters
None.

Mode
Port Interface mode

Description
Use this command to remove ports from VLAN stacking.

Confirmation Command
“SHOW VLAN VLAN-STACKING” on page 834

Example
This example removes ports 3 to 16 and 21 from VLAN stacking:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.3-port1.0.16,port1.0.
PLATFORM VLAN-STACKING-TPID

Syntax
platform vlan-stacking-tpid tpid

Parameters
tpid  Specifies the Tag Protocol Identifier (TPID) value that applies to all frames carrying double tagged VLANs. The range is 0x0 to 0xFFFF. The switch can have just one TPID value. The value must be entered in hexadecimal format.
SHOW VLAN VLAN-STACKING

Syntax
show vlan vlan-stacking

Parameters
None.

Mode
Privileged Exec mode

Description
Use this command to display the port assignments of VLAN stacking. Here is an example of the information.

TPID    INTERFACES (c)-Customer-Edge Port, (p)-Provider Port
====    =========
0x9000  port1.0.1(c)
0x9000  port1.0.2(c)
0x9000  port1.0.3(c)
0x9000  port1.0.4(c)
0x9000  port1.0.5(c)
0x9000  port1.0.6(c)
0x9000  port1.0.7(c)
0x9000  port1.0.23(p)

Figure 147.
SWITCHPORT VLAN-STACKING

Syntax
switchport vlan-stacking customer-edge-port|provider-port

Parameters
customer-edge-port  Designates the port as a customer port, which adds the new 802.1Q header to the packets it receives from the customer network.
provider-port       Designates the port as the provider port, which connects to the metro provider’s network.

Mode
Port Interface mode

Description
Use this command to enable VLAN stacking on a port and designate it as a customer-edge-port or provider-port. This is sometimes referred to as VLAN double-tagging, nested VLANs, or QinQ.
Section VIII
Port Security

This section contains the following chapters:

– Chapter 58, “MAC Address-based Port Security” on page 839
– Chapter 59, “MAC Address-based Port Security Commands” on page 849
– Chapter 60, “802.1x Port-based Network Access Control” on page 863
– Chapter 61, “802.
Chapter 58
MAC Address-based Port Security

This chapter contains the following topics:

– “Overview” on page 840
– “Configuring Ports” on page 842
– “Enabling MAC Address-based Security on Ports” on page 844
– “Disabling MAC Address-based Security on Ports” on page 845
– “Displaying Port Settings” on page 846
Overview

This feature lets you control access to the ports on the switch based on the source MAC addresses of the network devices. You specify the maximum number of source MAC addresses that ports can learn. Ports that learn their maximum number of addresses discard packets that have new, unknown addresses, preventing access to the switch by any further devices.
after learning three addresses. The switch also sends an SNMP trap.

Guidelines

Here are the guidelines to MAC address-based port security:

– The filtering of a packet occurs on the ingress port, not on the egress port.
– You cannot use MAC address-based port security and 802.1x port-based access control on the same port. To configure a port as an Authenticator or Supplicant in 802.1x port-based access control, you must remove MAC address-based port security.
Configuring Ports

There are three things you need to decide before you configure MAC address-based port security on the ports. They are:

– What is the maximum number of source MAC addresses the ports can learn?
– Should the source MAC addresses learned by the ports be stored as dynamic or static addresses in the MAC address table?
– Is the intrusion action protect, restrict, or shutdown?

See Table 83 for a list of the commands.

Table 83.
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.4,port1.0.5
awplus(config-if)# switchport port-security maximum 25
awplus(config-if)# no switchport port-security aging
awplus(config-if)# switchport port-security violation protect

This example configures port 16 to learn 45 MAC addresses. The addresses are stored as dynamic addresses in the table so that inactive addresses are deleted, permitting the port to learn new addresses.
Enabling MAC Address-based Security on Ports

After you have configured a port for MAC address-based security, as explained in “Configuring Ports” on page 842, and confirmed the settings, as explained in “Displaying Port Settings” on page 846, you are ready to activate the feature on the ports. This is accomplished with the SWITCHPORT PORT-SECURITY command in the Port Interface mode.
Disabling MAC Address-based Security on Ports

To remove MAC address-based security from ports, use the NO SWITCHPORT PORT-SECURITY command in the Port Interface mode. This example of the command removes port security from port 23:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.23
awplus(config-if)# no switchport port-security

Note
To activate ports that were disabled by the shutdown intrusion action, refer to “NO SHUTDOWN” on page 183.
Displaying Port Settings

There are two commands that display information about the MAC address-based port security on the ports on the switch. The one that you are likely to use the most often is the SHOW PORT-SECURITY INTERFACE command in the Privileged Exec mode. It displays all the possible information.
Figure 149 on page 847 is an example of the information.

Port Security Intrusion List (Last 256 Intrusions)
--------------------------------------------------------
Interface: Port 1.0.17
2 intrusion(s) detected
0015.77b1.8510
eccd.6d48.4488

Figure 149.
Chapter 59
MAC Address-based Port Security Commands

The MAC address-based port security commands are summarized in Table 84 and described in detail within the chapter.

Table 84. MAC Address-based Port Security Commands

Command                                     Mode            Description
“NO SWITCHPORT PORT-SECURITY” on page 850   Port Interface  Removes MAC address-based security from ports.
NO SWITCHPORT PORT-SECURITY

Syntax
no switchport port-security

Parameters
None

Mode
Port Interface mode

Description
Use this command to remove MAC address-based security from the ports.

Note
To activate ports that were disabled by the shutdown intrusion action, refer to “NO SHUTDOWN” on page 183.
NO SWITCHPORT PORT-SECURITY AGING

Syntax
no switchport port-security aging

Parameters
None

Mode
Port Interface mode

Description
Use this command to configure ports to add source MAC addresses as static addresses in the MAC address table. Because static addresses are never deleted from the table, ports that learn their maximum numbers of source MAC addresses cannot learn new addresses, even when the source nodes of the learned addresses are inactive.
SHOW PORT-SECURITY INTERFACE

Syntax
show port-security interface port

Parameters
port  Specifies the port whose security mode settings you want to view. You can display more than one port at a time.

Mode
Privileged Exec mode

Description
Use this command to display the security settings of the ports on the switch. An example of the information is shown in Figure 150.

Port Security Configuration - Port1.0.
Table 85. SHOW PORT-SECURITY INTERFACE Command (Continued)

Field        Description
Port Status  The status of the port. The status can be Enabled or Disabled. A port that has a status of Enabled can forward network traffic. A port that has a Disabled status was shut down by the switch because it has an intrusion action of shutdown, and it received a packet with an unknown source MAC address after learning its maximum number of addresses.
Table 85. SHOW PORT-SECURITY INTERFACE Command (Continued)

Field                      Description
Maximum MAC Addresses      The maximum number of dynamic MAC addresses the port is allowed to learn. To set this parameter, refer to “SWITCHPORT PORT-SECURITY MAXIMUM” on page 859.
Current Learned Addresses  The number of MAC addresses that have been learned on the port.
Lock Status                Whether or not the port has learned its maximum number of MAC addresses.
SHOW PORT-SECURITY INTRUSION INTERFACE

Syntax
show port-security intrusion interface port

Parameter
port  Specifies a port. You can specify more than one port at a time.

Mode
Privileged Exec mode

Description
Use this command to display the number of packets the ports have had to discard because the packets had unknown source MAC addresses. The ports begin to discard packets after learning their maximum number of source MAC addresses.
Port Security Intrusion List (Last 10 Intrusions)
--------------------------------------------------------
Interface: Port 1.0.5
132 intrusion(s) detected
000:0900:127E
000:0900:127F
000:0900:027D
000:0900:027E
000:0900:027F
000:0900:1279
000:0900:127A
000:0900:127B
000:0900:127C
000:0900:127D

Figure 152.
SWITCHPORT PORT-SECURITY

Syntax
switchport port-security

Parameters
None

Mode
Port Interface mode

Description
Use this command to activate MAC address-based security on ports.

Confirmation Command
“SHOW PORT-SECURITY INTERFACE” on page 852

Example
This example activates MAC address-based security on port 3 and ports 16 to 18:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.3,port1.0.16-port1.0.
SWITCHPORT PORT-SECURITY AGING

Syntax
switchport port-security aging

Parameters
None

Mode
Port Interface mode

Description
Use this command to configure the ports to add the source MAC addresses as dynamic MAC addresses in the MAC address table. Ports that learn their maximum numbers of addresses can learn new addresses as inactive addresses are deleted from the table.
SWITCHPORT PORT-SECURITY MAXIMUM

Syntax
switchport port-security maximum value

Parameters
value  Specifies the maximum number of dynamic MAC addresses ports can learn. The range is 0 to 255 addresses. The default is 0 addresses.

Mode
Port Interface mode

Description
Use this command to specify the maximum number of dynamic MAC addresses that ports can learn. Ports that learn their maximum numbers of MAC addresses discard ingress packets with unknown MAC addresses.
SWITCHPORT PORT-SECURITY VIOLATION

Syntax
switchport port-security violation protect|restrict|shutdown

Parameters
protect   Discards invalid frames. This is the default setting.
restrict  Discards invalid frames and sends SNMP traps.
shutdown  Sends SNMP traps and disables the ports.

Mode
Port Interface mode

Description
Use this command to specify the intrusion actions of the switch.
This example sets the intrusion action for ports 22 to 24 to restrict. After learning their maximum numbers of MAC addresses, the ports discard packets with unknown source MAC addresses, and the switch sends SNMP traps:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.22-port1.0.24
awplus(config-if)# switchport port-security violation restrict

This example sets the intrusion action on port 2 to shutdown.
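The following Python simulation is an added example, not code from this guide or from the switch. It runs one constructed frame sequence through a port configured with each of the three intrusion actions, so the difference between protect, restrict and shutdown described here and in Chapter 58 can be compared side by side, and it models the dynamic versus static distinction of SWITCHPORT PORT-SECURITY AGING and NO SWITCHPORT PORT-SECURITY AGING. The aging timeout, the trap record and the MAC addresses are assumptions of the model; the 256-entry intrusion list is the size shown in the SHOW PORT-SECURITY INTRUSION INTERFACE output.

```python
"""Simulation of MAC address-based port security (added example, not switch code).

Models SWITCHPORT PORT-SECURITY MAXIMUM, [NO] SWITCHPORT PORT-SECURITY AGING and
SWITCHPORT PORT-SECURITY VIOLATION protect|restrict|shutdown on a single port.
"""
from collections import deque

INTRUSION_LIST_SIZE = 256   # "Last 256 Intrusions" in the guide's show output


class SecuredPort:
    def __init__(self, name, maximum, aging=True, violation="protect", age_limit=3):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation action: %s" % violation)
        self.name, self.maximum, self.aging, self.violation = name, maximum, aging, violation
        self.age_limit = age_limit      # assumed: ticks of inactivity before a dynamic entry ages out
        self.learned = {}               # mac -> ticks since last seen
        self.enabled = True             # False after the shutdown action fires
        self.intrusions = 0
        self.intrusion_list = deque(maxlen=INTRUSION_LIST_SIZE)
        self.traps = []                 # assumed representation of the SNMP traps sent

    def locked(self):
        """Lock Status in SHOW PORT-SECURITY INTERFACE: maximum reached."""
        return len(self.learned) >= self.maximum

    def ingress(self, src_mac):
        """Return 'forward' or 'discard' for one frame; apply the intrusion action."""
        if not self.enabled:
            return "discard"            # shut-down port drops everything until NO SHUTDOWN
        if src_mac in self.learned:
            self.learned[src_mac] = 0   # refresh activity
            return "forward"
        if not self.locked():
            self.learned[src_mac] = 0   # learn a new source address
            return "forward"
        # Port is at its maximum and the source address is unknown: intrusion.
        self.intrusions += 1
        self.intrusion_list.append(src_mac)
        if self.violation in ("restrict", "shutdown"):
            self.traps.append((self.name, src_mac, self.violation))
        if self.violation == "shutdown":
            self.enabled = False
        return "discard"

    def tick(self):
        """Advance the aging clock; static entries (aging disabled) never expire."""
        if not self.aging:
            return
        for mac in list(self.learned):
            self.learned[mac] += 1
            if self.learned[mac] > self.age_limit:
                del self.learned[mac]

    def no_shutdown(self):
        """Equivalent of NO SHUTDOWN on a port disabled by the shutdown action."""
        self.enabled = True


def run(port, frames):
    """Feed a sequence of source MACs through the port; return per-frame decisions."""
    return [port.ingress(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed sample traffic: three stations, then two unknown ones, then a repeat.
    frames = ["0015.77b1.8510", "0015.77b1.8511", "0015.77b1.8512",
              "eccd.6d48.4488", "0015.77b1.8510", "eccd.6d48.4489"]
    for action in ("protect", "restrict", "shutdown"):
        p = SecuredPort("port1.0.17", maximum=3, violation=action)
        print(action, run(p, frames), "traps=%d enabled=%s" % (len(p.traps), p.enabled))
```

With shutdown, note that the first unknown address disables the port for everyone, including the three legitimately learned stations, until NO SHUTDOWN is issued; with protect and restrict the learned stations keep forwarding while the intruders are dropped.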
Chapter 60
802.1x Port-based Network Access Control
Overview

This chapter explains 802.1x port-based network access control. This port security feature lets you control who can send traffic through and receive traffic from the individual switch ports. The switch does not allow an end node to send or receive traffic through a port until the user of the node has been authenticated by a RADIUS server.
Authentication Process

Below is a brief overview of the authentication process that occurs between a supplicant, authenticator, and authentication server. For further details, refer to the IEEE 802.1x standard. Either the authenticator (that is, a switch port) or the supplicant initiates an authentication message exchange.
Port Roles

Part of implementing this feature is specifying the roles of the ports on the switch. The roles are listed here:

– None
– Authenticator

None Role

Switch ports in the none role do not participate in port-based access control. They forward traffic without authenticating the clients of the network devices. This is the default setting for the switch ports.
Authentication Methods for Authenticator Ports

Authenticator ports support two authentication methods:

802.1x username and password combination

This authentication mode requires that the supplicants be assigned unique username and password combinations on the RADIUS server. A supplicant must provide the information either manually or automatically when initially passing traffic through an authenticator port and during reauthentications. The 802.
Operational Settings for Authenticator Ports

An authenticator port can have one of three possible operational settings:

– Auto - Activates port-based authentication. The port begins in the unauthorized state, forwarding only EAPOL frames and discarding all other traffic. The authentication process begins when the link state of the port changes or the port receives an EAPOL-Start packet from a supplicant.
Operating Modes for Authenticator Ports

Authenticator ports have three modes:

– Single host mode
– Multi host mode
– Multi supplicant mode

Single Host Mode

An authenticator port set to the single host mode permits only one supplicant to log on and forwards only the traffic of that supplicant. After one supplicant has logged on, the port discards packets from any other supplicant. In Figure 153, port 6 is an authenticator port set to the single host mode.
Note, however, that should the client who performed the initial log on fail to periodically reauthenticate or log out, the authenticator port reverts to the unauthenticated state. It bars all further traffic to and from all the clients until the initial client or another client logs on. Figure 154 is an example of this mode. Port 6 is connected to an Ethernet hub or non-802.1x compliant switch, which in turn is connected to several supplicants.
As mentioned earlier, should the client who performed the initial logon fail to reauthenticate when necessary or log out, the port reverts to the unauthenticated state, blocking all traffic to and from all clients. Another client must be authenticated in order for all remaining clients to continue to forward traffic through the port.

Multi Supplicant Mode

This mode authenticates all the clients on an authenticator port.
Figure 155. (Multi supplicant mode: RADIUS Authentication Server; Port 6, Role: Authenticator, Operating Mode: Multi Supplicant Mode; Ethernet Hub or Non-802.1x-compliant Switch; Authenticated Clients)
Supplicant and VLAN Associations

One of the challenges to managing a network is accommodating end users who roam. These are individuals whose work requires that they access the network resources from different points at different times. The difficulty arises in providing them with access to the same network resources and, conversely, restricting them from unauthorized areas, regardless of the workstation from where they access the network.
Single Host Mode

Here are the operating characteristics for the switch when an authenticator port is set to the single host mode:

– If the switch receives a valid VLAN ID or VLAN name from the RADIUS server, it moves the authenticator port to the designated VLAN and changes the port to the authorized state. Only the authenticated supplicant is allowed to use the port. All other supplicants are denied entry.

Multi Host Mode

Multi Supplicant Mode
Supplicant VLAN Attributes on the RADIUS Server

The following information must be entered as part of a supplicant’s account on the RADIUS server when associating a supplicant to a VLAN.

Tunnel-Type
The protocol to be used by the tunnel specified by Tunnel-Private-Group-Id. The only supported value is VLAN (13).

Tunnel-Medium-Type
The transport medium to be used for the tunnel specified by Tunnel-Private-Group-Id. The only supported value is 802 (6).
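The attributes above are the RFC 2868 tunnel attributes carried in the RADIUS Access-Accept. The Python below is an added example, not from this guide and not Allied Telesis code: it encodes an attribute list carrying Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id, and applies the acceptance checks this chapter describes on the receiving side: only VLAN (13) over 802 (6) is honoured, the group ID may be a VID or a VLAN name, and VID 1 (the Default_VLAN) or an out-of-range VID is rejected. The tag grouping and the first-byte-of-string rule are RFC 2868 behaviour; the sample VIDs and the VLAN name are constructed, and the VID range check is this editor's reading of the guide's VLAN rules, not a documented switch behaviour.

```python
"""RADIUS tunnel attributes for 802.1x VLAN assignment (added example, not from the guide).

Encodes and validates the RFC 2868 attributes a supplicant's RADIUS account
carries to place the authenticator port in a VLAN.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # the only Tunnel-Type the switch accepts
TUNNEL_MEDIUM_802 = 6       # the only Tunnel-Medium-Type the switch accepts


def radius_attr(atype, value):
    """One RADIUS attribute: Type, Length (including header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vlan_assignment(group_id, tag=0):
    """Build the three attributes; `tag` groups them (0x00 = untagged, per RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    gid = str(group_id).encode("ascii")
    return (radius_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + radius_attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + radius_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + gid))


def parse_attributes(data):
    """Yield (type, value) pairs from an attribute list; reject malformed lengths."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[off + 2:off + alen]
        off += alen


def vlan_from_access_accept(data):
    """Return the VLAN (int VID or str name) to apply to the port, or None.

    Groups the tunnel attributes by tag, honours only Tunnel-Type VLAN over
    medium 802, and rejects VID 1 (Default_VLAN) or VIDs outside 2-4094
    (range check assumed from the guide's VLAN rules)."""
    groups = {}
    for atype, val in parse_attributes(data):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not val:
            continue
        tag = val[0]
        if atype == TUNNEL_PRIVATE_GROUP_ID and tag > 0x1F:
            tag, body = 0, val          # RFC 2868: a "tag" > 0x1F is really the first string byte
        else:
            body = val[1:]
        groups.setdefault(tag, {})[atype] = body
    for attrs in groups.values():
        if len(attrs) != 3:
            continue                    # incomplete group: ignore
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue
        gid = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if gid.isdigit():
            vid = int(gid)
            return vid if 2 <= vid <= 4094 else None
        return gid or None
    return None


if __name__ == "__main__":
    accept = encode_vlan_assignment(79, tag=1)        # constructed: VID 79, tag 1
    print(accept.hex(), "->", vlan_from_access_accept(accept))
    print(vlan_from_access_accept(encode_vlan_assignment("Sales")))   # constructed VLAN name
```

Feeding the attribute bytes from a real Access-Accept (for example the attribute section of a captured RADIUS packet) into vlan_from_access_accept shows what VLAN the switch will be asked to apply, and whether the server has sent a Tunnel-Type or medium the switch does not support.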
Guest VLAN

An authenticator port in the unauthorized state typically accepts and transmits only 802.1x packets while waiting to authenticate a supplicant. However, you can configure an authenticator port to be a member of a Guest VLAN when no supplicant is logged on. Any client using the port is not required to log on and has full access to the resources of the Guest VLAN. If the switch receives 802.
RADIUS Accounting

The switch supports RADIUS accounting on authenticator ports. This feature sends information about the status of the supplicants to the RADIUS server so that you can monitor network activity and use.
General Steps

Here are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch:

1. You must install a RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis. Funk Software SteelBelted Radius and Free Radius have been verified as fully compatible with the switch’s management software.
Guidelines

Here are the general guidelines to this feature:

– Ports operating under port-based access control do not support dynamic MAC address learning.
– A port that is connected to a RADIUS authentication server must not be set to the authenticator role because an authentication server cannot authenticate itself.
– The authentication method of an authenticator port can be either 802.1x username and password combination or MAC address-based, but not both.
– Authenticator and supplicant ports must be untagged ports. They cannot be tagged ports.
– Authenticator ports cannot use MAC address-based port security. For further information, refer to Chapter 58, “MAC Address-based Port Security” on page 839.
– Authenticator ports cannot be members of static port trunks, LACP port trunks, or a port mirror.
Enabling 802.1x Port-Based Network Access Control on the Switch

To activate 802.1x Port-based Network Access Control on the switch, go to the Global Configuration mode and enter the AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS command. The command has no parameters.
Configuring Authenticator Ports

Designating Authenticator Ports

You have to designate ports as authenticator ports before you can configure their settings. There are three DOT1X PORT-CONTROL commands for designating authenticator ports. The command you use is determined by whether or not the switch is part of an active network.
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.16
awplus(config-if)# auth-mac enable

If, after configuring an authenticator port for MAC address authentication, you decide to change it back to 802.1x username and password authentication, use the NO AUTH-MAC ENABLE command. This example of the command restores 802.
This example configures port 8 to use the multi host mode so that it forwards traffic from all clients after just one supplicant logs on:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
Configuring Reauthentication

Table 86 lists the commands in the Port Interface mode for configuring reauthentication on authenticator ports. Reauthentication causes authenticator ports to periodically revert to an unauthorized status and to stop forwarding traffic until clients reauthenticate themselves. This is an additional security feature that protects your network by having clients periodically repeat the authentication process.

Table 86.
Removing Ports from the Authenticator Role

To remove ports from the authenticator role so that they forward traffic without authenticating clients, go to the Port Interface mode of the ports and enter the NO DOT1X PORT-CONTROL command. This example removes the authenticator role from ports 1 to 4 and 18:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.1-port1.0.4,port1.0.
Disabling 802.1x Port-Based Network Access Control on the Switch

To disable 802.1x port-based network access control on the switch so that the ports forward packets without authentication, go to the Global Configuration mode and enter the NO AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS command.
Displaying Authenticator Ports

To view the settings of authenticator ports on the switch, use the SHOW DOT1X INTERFACE or SHOW AUTH-MAC INTERFACE command in the Privileged Exec mode. Both commands display the same information. This example displays the authenticator settings for port 2:

awplus# show dot1x interface port1.0.2

Figure 156 is an example of what you will see.

Authentication Info for interface port1.0.
Displaying EAP Packet Statistics

To display EAP packet statistics of authenticator ports, use the SHOW DOT1X STATISTICS INTERFACE command or the SHOW AUTH-MAC STATISTICS INTERFACE command. Both commands display the same information. This example displays the EAP packet statistics for port 2:

awplus> enable
awplus# show dot1x statistics interface port1.0.2

Authentication Statistics for interface port1.0.
Chapter 61
802.1x Port-based Network Access Control Commands

The 802.1x port-based network access control commands are summarized in Table 87 and described in detail within the chapter.

Table 87. 802.1x Port-based Network Access Control Commands
Command | Mode | Description
“AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS” on page 894 | Global Configuration | Activates 802.1x port-based network access control on the switch.
Chapter 61: 802.1x Port-based Network Access Control Commands

Table 87. 802.1x Port-based Network Access Control Commands (Continued)
Command | Mode | Description
“AUTH-MAC REAUTH-RELEARNING” on page 906 | Port Interface | Forces ports that are using MAC address authentication into the unauthorized state.
“DOT1X CONTROL-DIRECTION” on page 907 | Port Interface | Specifies whether authenticator ports in the unauthorized state should forward or discard egress broadcast and multicast packets.
Table 87. 802.1x Port-based Network Access Control Commands (Continued)
Command | Mode | Description
“NO AUTH-MAC ENABLE” on page 921 | Port Interface | Deactivates MAC address-based authentication on authenticator ports.
“NO DOT1X PORT-CONTROL” on page 922 | Port Interface | Removes ports from the authenticator role.
“SHOW AUTH-MAC INTERFACE” on page 923 | Privileged Exec | Displays the parameter settings of authenticator ports.
AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS

Syntax
  aaa authentication dot1x default group radius

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to activate 802.1x port-based network access control on the switch. The default setting for this feature is disabled.

Note
  You should activate and configure the RADIUS client software on the switch before activating port-based access control.
AUTH DYNAMIC-VLAN-CREATION

Syntax
  auth dynamic-vlan-creation single|multi

Parameters
  single  Specifies that an authenticator port forwards packets of only those supplicants that have the same VID as the supplicant who initially logged on.
  multi  Specifies that an authenticator port forwards packets of all supplicants, regardless of the VIDs in their client accounts on the RADIUS server.
This example activates dynamic VLAN assignment on authenticator port 4. When the initial client logs on, the switch moves the port to the VLAN specified in the client’s account on the RADIUS server. At the multi setting, the authenticator port forwards all packets of supplicants, regardless of their VLAN assignments:

awplus> enable
awplus# configure terminal
awplus(config)# dot1x port-control auto
awplus(config)# interface port1.0.
AUTH GUEST-VLAN

Syntax
  auth guest-vlan vid

Parameters
  vid  Specifies the ID number of a VLAN that is the guest VLAN of an authenticator port. You can enter just one VID.

Mode
  Port Interface mode

Description
  Use this command to specify the VID of the VLAN that acts as the guest VLAN of an authenticator port.
AUTH HOST-MODE

Syntax
  auth host-mode single-host|multi-host|multi-supplicant

Parameters
  single-host  Specifies the single operating mode. An authenticator port set to this mode forwards only those packets from the one client who initially logs on. This is the default setting.
  multi-host  Specifies the multi host operating mode. An authenticator port set to this mode forwards all packets after one client logs on.
This example configures authenticator port 8 to the multi host operating mode, so that network users can use the port after just one user logs on:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
AUTH REAUTHENTICATION

Syntax
  auth reauthentication

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to activate reauthentication on the authenticator ports. The clients must periodically reauthenticate according to the time interval set with “AUTH TIMEOUT REAUTH-PERIOD” on page 902.
AUTH TIMEOUT QUIET-PERIOD

Syntax
  auth timeout quiet-period value

Parameters
  quiet-period  Sets the number of seconds that an authenticator port remains in the quiet state following a failed authentication exchange with a client. The range is 1 to 65,535 seconds. The default value is 60 seconds.
AUTH TIMEOUT REAUTH-PERIOD

Syntax
  auth timeout reauth-period value

Parameters
  reauth-period  Specifies the time interval at which an authenticator port requires a client to reauthenticate. The range is 1 to 65,535 seconds. The default value is 3600 seconds.

Mode
  Port Interface mode

Description
  Use this command to specify the time interval for reauthentication of clients on an authenticator port.
AUTH TIMEOUT SERVER-TIMEOUT

Syntax
  auth timeout server-timeout value

Parameters
  server-timeout  Sets the timer used by the switch to determine authentication server timeout conditions. The range is 1 to 65,535 seconds. The default value is 30 seconds.

Mode
  Port Interface mode

Description
  Use this command to set the amount of time the switch waits for a response from a RADIUS authentication server.
AUTH TIMEOUT SUPP-TIMEOUT

Syntax
  auth timeout supp-timeout value

Parameters
  supp-timeout  Sets the switch-to-client retransmission time for EAP-request frames. The range is 1 to 65,535 seconds. The default value is 30 seconds.

Mode
  Port Interface mode

Description
  Use this command to set the retransmission time for EAP-request frames from authenticator ports.
AUTH-MAC ENABLE

Syntax
  auth-mac enable

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to activate MAC address-based authentication on authenticator ports. An authenticator port that uses this type of authentication extracts the source MAC address from the initial frames from a supplicant and automatically sends it as the supplicant’s username and password to the authentication server. This authentication method does not require 802.
AUTH-MAC REAUTH-RELEARNING

Syntax
  auth-mac reauth-relearning

Parameters
  None

Mode
  Privileged Exec mode

Description
  Use this command to force ports that are using MAC address authentication into the unauthorized state. You might use this command to reauthenticate the nodes on authenticator ports.
DOT1X CONTROL-DIRECTION

Syntax
  dot1x control-direction in|both

Parameters
  dir  Specifies whether authenticator ports that are in the unauthorized state should forward egress broadcast and multicast traffic. The options are:
    in: Specifies that authenticator ports in the unauthorized state should forward egress broadcast and multicast traffic and discard the ingress broadcast and multicast traffic. This is the default setting.
broadcast and multicast packets while discarding ingress broadcast and multicast traffic. This is the default setting. Authenticator ports set to the BOTH option discard both ingress and egress broadcast traffic until a client has logged on. This command is only available on authenticator ports that are set to the single operating mode.
DOT1X EAP

Syntax
  dot1x eap discard|forward|forward-untagged-vlan|forward-vlan

Parameters
  discard  Discards all ingress EAP packets on all ports.
  forward  Forwards ingress EAP packets across all VLANs and ports.
  forward-untagged-vlan  Forwards ingress EAP packets only to untagged ports in the same VLAN as the ingress port.
  forward-vlan  Forwards ingress EAP packets to tagged and untagged ports in the same VLAN as the ingress port.
This example configures the switch to discard all EAP packets when 802.
DOT1X INITIALIZE INTERFACE

Syntax
  dot1x initialize interface port

Parameters
  port  Specifies a port. You can enter more than one port.

Mode
  Privileged Exec mode

Description
  Use this command to force authenticator ports into the unauthorized state. You might use this command to force supplicants on authenticator ports to reauthenticate themselves by logging in again with their user names and passwords.
DOT1X MAX-REAUTH-REQ

Syntax
  dot1x max-reauth-req value

Parameters
  max-reauth-req  Specifies the maximum number of times the switch retransmits EAP Request packets to a client before it times out an authentication session. The range is 1 to 10 retransmissions. The default value is 2.
DOT1X PORT-CONTROL AUTO

Syntax
  dot1x port-control auto

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to set the ports to the 802.1x port-based authenticator role. Ports begin in the unauthorized state, forwarding only EAPOL frames, until a client has successfully logged on. For background information, refer to “Operational Settings for Authenticator Ports” on page 868.
DOT1X PORT-CONTROL FORCE-AUTHORIZED

Syntax
  dot1x port-control force-authorized

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to configure ports to the 802.1x authenticator role, in the force-authorized state. Ports that are set to the force-authorized state transition to the authorized state without any authentication exchanges required. The ports transmit and receive traffic normally without 802.
DOT1X PORT-CONTROL FORCE-UNAUTHORIZED

Syntax
  dot1x port-control force-unauthorized

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to configure the ports to the 802.1x authenticator role, in the unauthorized state. Although the ports are in the authenticator role, the switch blocks all authentication on the ports, which means that no clients can log on and forward packets through them.
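The following added example, which is not part of this guide or the switch software, models how the AUTH HOST-MODE, DOT1X CONTROL-DIRECTION and DOT1X PORT-CONTROL settings described above combine to decide whether an authenticator port forwards a frame, so the effect of a setting can be checked before it is applied. The multi-supplicant behaviour (each client authenticates individually) and the egress handling once a port is authorized are assumptions; the guide's text for multi-supplicant is truncated above.

```python
"""Forwarding model for an AlliedWare Plus 802.1x authenticator port.

Added example: this is not the switch's own logic, only an executable
reading of the command descriptions (port-control, host-mode and
control-direction) so their interaction can be tested.
"""
from dataclasses import dataclass, field


@dataclass
class AuthPort:
    port_control: str = "auto"          # auto | force-authorized | force-unauthorized
    host_mode: str = "single-host"      # single-host | multi-host | multi-supplicant
    control_direction: str = "in"       # in | both
    authorized: set = field(default_factory=set)   # MACs that have logged on

    def login(self, mac):
        """Record a successful authentication of `mac`. Returns True if accepted."""
        if self.port_control != "auto":
            return False        # force-* ports never run an authentication exchange
        if (self.host_mode == "single-host" and self.authorized
                and mac not in self.authorized):
            return False        # single-host: only the first client is accepted
        # multi-host and multi-supplicant (assumed: each client authenticates
        # individually) accept further logins.
        self.authorized.add(mac)
        return True

    def forwards(self, src_mac, direction, is_eapol=False, is_bcast_mcast=False):
        """Return True if a frame passes. direction is 'ingress' or 'egress'."""
        if self.port_control == "force-authorized":
            return True         # authorized without any exchange
        if self.port_control == "force-unauthorized":
            return False        # all authentication blocked, nothing is forwarded
        if is_eapol:
            return True         # EAPOL always passes so that clients can log on
        if not self.authorized:
            # Unauthorized state: egress broadcast/multicast is forwarded only
            # with control-direction 'in'; 'both' discards both directions.
            return (is_bcast_mcast and direction == "egress"
                    and self.control_direction == "in")
        if self.host_mode == "multi-host":
            return True         # one login opens the port for all clients
        if direction == "ingress":
            # single-host / multi-supplicant: only authenticated sources pass
            return src_mac in self.authorized
        return True             # assumption: egress passes once port is authorized
```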
DOT1X TIMEOUT TX-PERIOD

Syntax
  dot1x timeout tx-period value

Parameters
  value  Sets the number of seconds an authenticator port waits for a response to an EAP-request/identity frame from a client before retransmitting the request. The default value is 30 seconds. The range is 1 to 65,535 seconds.
NO AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS

Syntax
  no aaa authentication dot1x default group radius

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to disable 802.1x port-based network access control on the switch. All authenticator ports forward packets without any authentication. This is the default setting.

Confirmation Command
  “SHOW DOT1X” on page 927

Example
  This example disables 802.
NO AUTH DYNAMIC-VLAN-CREATION

Syntax
  no auth dynamic-vlan-creation

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to disable dynamic VLAN assignments of authenticator ports. For background information, refer to “Supplicant and VLAN Associations” on page 873.
NO AUTH GUEST-VLAN

Syntax
  no auth guest-vlan

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to remove the VID of a guest VLAN from an authenticator port.

Confirmation Command
  “SHOW AUTH-MAC INTERFACE” on page 923
  “SHOW DOT1X INTERFACE” on page 928

Example
  This example removes the guest VLAN from ports 23 and 24:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.23,port1.0.
NO AUTH REAUTHENTICATION

Syntax
  no auth reauthentication

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to remove reauthentication from authenticator ports so that clients do not have to periodically reauthenticate after the initial authentication. Reauthentication is still required if there is a change to the status of the link between a client and the switch, or if the switch is reset or power cycled.
NO AUTH-MAC ENABLE

Syntax
  no auth-mac enable

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to deactivate MAC address-based authentication on authenticator ports. The ports continue to function as authenticator ports, but authentication is based on the usernames and passwords provided by the supplicants and not on the MAC addresses of the nodes. To completely remove authentication from ports, refer to “NO DOT1X PORT-CONTROL” on page 922.
NO DOT1X PORT-CONTROL

Syntax
  no dot1x port-control

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to remove ports from the authenticator role so that they forward traffic without authentication.
SHOW AUTH-MAC INTERFACE

Syntax
  show auth-mac interface port

Parameters
  port  Specifies a port. You can display more than one port at a time.

Mode
  Privileged Exec mode

Description
  Use this command to display the parameter settings of the authenticator ports. This command is equivalent to “SHOW DOT1X INTERFACE” on page 928. An example is shown in Figure 158.

Authentication Info for interface port1.0.
SHOW AUTH-MAC SESSIONSTATISTICS INTERFACE

Syntax
  show auth-mac sessionstatistics interface port

Parameters
  port  Specifies a port. You can enter more than one port.

Mode
  Privileged Exec mode

Description
  Use this command to display the session status of the authenticator ports. An example is shown in Figure 159.
SHOW AUTH-MAC STATISTICS INTERFACE

Syntax
  show auth-mac statistics interface port

Parameters
  port  Specifies a port. You can enter more than one port.

Mode
  Privileged Exec mode

Description
  Use this command to display EAP packet statistics of authenticator ports. This command is equivalent to “SHOW DOT1X STATISTICS INTERFACE” on page 929. An example is shown in Figure 160.

Authentication Statistics for interface port1.0.
SHOW AUTH-MAC SUPPLICANT INTERFACE

Syntax
  show auth-mac supplicant interface port

Parameters
  port  Specifies a port. You can enter more than one port.

Mode
  Privileged Exec mode

Description
  Use this command to display the number and types of supplicants on the authenticator ports. This command is equivalent to “SHOW DOT1X SUPPLICANT INTERFACE” on page 930. An example is shown in Figure 161.

Interface port1.0.
SHOW DOT1X

Syntax
  show dot1x

Parameters
  None

Mode
  Privileged Exec mode

Description
  Use this command to display whether 802.1x port-based network access control is enabled or disabled on the switch and the IP address of the RADIUS server. Only the first IP address in the server table on the switch is displayed. To view all the server IP addresses, refer to “SHOW RADIUS” on page 1396. An example is shown in Figure 162.

802.
SHOW DOT1X INTERFACE

Syntax
  show dot1x interface port

Parameters
  port  Specifies a port. You can display more than one port at a time.

Mode
  Privileged Exec mode

Description
  Use this command to display the parameter settings of authenticator ports. This command is equivalent to “SHOW AUTH-MAC INTERFACE” on page 923. Figure 163 displays an example of the information.

Authentication Info for interface port1.0.
SHOW DOT1X STATISTICS INTERFACE

Syntax
  show dot1x statistics interface port

Parameters
  port  Specifies a port. You can enter more than one port.

Mode
  Privileged Exec mode

Description
  Use this command to display EAP packet statistics of authenticator ports. This command is equivalent to “SHOW AUTH-MAC STATISTICS INTERFACE” on page 925. An example is shown in Figure 164.

Authentication Statistics for interface port1.0.
SHOW DOT1X SUPPLICANT INTERFACE

Syntax
  show dot1x supplicant interface port [brief]

Parameters
  port  Specifies a port. You can enter more than one port.
  [brief]  Displays an abbreviated form of this window. This is an optional parameter.

Mode
  Privileged Exec mode

Description
  Use this command to display the number and types of supplicants on authenticator ports.
Section IX
Simple Network Management Protocols

This section contains the following chapters:
  Chapter 62, “SNMPv1 and SNMPv2c” on page 933
  Chapter 63, “SNMPv1 and SNMPv2c Commands” on page 945
  Chapter 64, “SNMPv3 Commands” on page 969

931
Chapter 62
SNMPv1 and SNMPv2c

This chapter contains the following topics:
  “Overview” on page 934
  “Enabling SNMPv1 and SNMPv2c” on page 936
  “Creating Community Strings” on page 937
  “Adding or Removing IP Addresses of Trap or Inform Receivers” on page 938
  “Deleting Community Strings” on page 940
  “Disabling SNMPv1 and SNMPv2c” on page 941
  “Displaying SNMPv1 and SNMPv2c” on page 942

933
Chapter 62: SNMPv1 and SNMPv2c

Overview

The Simple Network Management Protocol (SNMP) is another way for you to monitor and configure the switch. This method lets you view and change the individual objects in the Management Information Base (MIB) in the management software on the switch, without having to use the command line commands. The switch supports three versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3. This chapter discusses SNMPv1 and SNMPv2c.
To configure the switch to send trap or inform messages, you have to add to one or more of the community strings the IP addresses of the trap and inform receivers on your network. For trap messages, you must also specify the format in which the switch should send the messages. The format can be either SNMPv1 or SNMPv2c. For inform messages, the format is always SNMPv2c.
Enabling SNMPv1 and SNMPv2c

To enable SNMP on the switch, use the SNMP-SERVER command, found in the Global Configuration mode. The command has no parameters. The switch begins to send trap and inform messages to the receivers and permits remote management from SNMP workstations as soon as you enter the command. This assumes, of course, that you have already created the community strings and added the IP addresses of trap and inform receivers.
Creating Community Strings

To create SNMPv1 and SNMPv2c community strings, use the SNMP-SERVER COMMUNITY command. This command is found in the Global Configuration mode. Here is the format of the command:

snmp-server community community rw|ro

You can create only one string at a time with the command. The COMMUNITY parameter is the name of the new string. It can be up to 15 alphanumeric characters and special characters, such as !@#$%^&*?<>, and is case sensitive.
Adding or Removing IP Addresses of Trap or Inform Receivers

The command to add IP addresses of trap or inform receivers to community strings is the SNMP-SERVER HOST command. Here is the format:

snmp-server host ipaddress traps|informs version 1|2c community

The IPADDRESS parameter is the IP address of a receiver. The COMMUNITY parameter is an existing community string to which you want to add the address. The community string is case sensitive.
This example assigns the IP address 143.154.76.17 as an inform message receiver to the community string “st_bldg2.” Inform messages must be sent in SNMPv2c format:

awplus> enable
awplus# configure terminal
awplus(config)# snmp-server host 143.154.76.17 informs version 2c st_bldg2

To remove IP addresses of trap or inform receivers from community strings, use the NO form of the command. This example removes the IP address 121.12.142.
Deleting Community Strings

To delete community strings, use the NO SNMP-SERVER COMMUNITY command. Here is the format:

no snmp-server community community

You can delete only one community string at a time with the command, which is found in the Global Configuration mode. The COMMUNITY parameter is case sensitive.
Disabling SNMPv1 and SNMPv2c

To disable SNMP on the switch, use the NO SNMP-SERVER command. You cannot remotely manage the switch with an SNMP application when SNMP is disabled. Furthermore, the switch stops transmitting trap and inform messages to your SNMP applications.
Displaying SNMPv1 and SNMPv2c

To learn whether SNMP is enabled or disabled on the switch, go to the Privileged Exec mode and issue the SHOW SNMP-SERVER command:

awplus# show snmp-server

Here is an example of what is displayed.

SNMP Server ....... Enabled
IP Protocol ....... IPv4
SNMPv3 Engine ID (Configured) ........ Not set
SNMPv3 Engine ID (actual) ............ 0x80001f8880241d7f08386d438e

Figure 166.
To view the trap and inform receivers assigned to the community strings, use the SHOW RUNNING-CONFIG SNMP command in the Privileged Exec mode:

awplus# show running-config snmp

Here is an example of the command display:

snmp-server
no snmp-server enable trap auth
snmp-server community sw12eng1 rw
snmp-server community sw12eng1limit rw
snmp-server community westplnm7 ro
snmp-server community site12pl4 ro
snmp-server host 149.198.74.
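The SHOW RUNNING-CONFIG SNMP output above is the natural place to review the SNMPv1/v2c exposure of a switch. The following added example, which is not part of this guide or the switch software, parses that output using the command formats documented in this and the next chapter (SNMP-SERVER COMMUNITY, SNMP-SERVER HOST, NO SNMP-SERVER ENABLE TRAP AUTH) over a constructed sample and reports read-write community strings, well-known community names, receivers still using the SNMPv1 format and disabled authentication failure traps. The sample addresses and names are constructed, and the assumption that authentication failure traps are enabled unless the "no" form appears is marked in the code.

```python
"""Audit `show running-config snmp` output for weak SNMPv1/v2c settings.

Added example, not the switch's own code. Line formats follow the guide:
  snmp-server community <name> rw|ro
  snmp-server host <ip> traps|informs version 1|2c <community>
  no snmp-server enable trap auth
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the format of `show running-config snmp`.
SAMPLE_CONFIG = """\
snmp-server
no snmp-server enable trap auth
snmp-server community public ro
snmp-server community sw12eng1 rw
snmp-server community westplnm7 ro
snmp-server host 192.0.2.10 traps version 1 sw12eng1
snmp-server host 192.0.2.11 informs version 2c westplnm7
"""

# Community names commonly shipped as defaults and therefore guessed first.
WELL_KNOWN = {"public", "private"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (rw|ro)$")
HOST_RE = re.compile(r"^snmp-server host (\S+) (traps|informs) version (1|2c) (\S+)$")


@dataclass
class SnmpConfig:
    enabled: bool = False
    auth_traps: bool = True          # assumption: enabled unless the "no" form is present
    communities: dict = field(default_factory=dict)   # name -> "rw" | "ro"
    hosts: list = field(default_factory=list)         # (ip, kind, version, community)


def parse_snmp_config(text):
    """Build an SnmpConfig from the running-config lines."""
    cfg = SnmpConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "snmp-server":
            cfg.enabled = True
        elif line == "no snmp-server":
            cfg.enabled = False
        elif line == "no snmp-server enable trap auth":
            cfg.auth_traps = False
        elif line == "snmp-server enable trap auth":
            cfg.auth_traps = True
        elif m := COMMUNITY_RE.match(line):
            cfg.communities[m.group(1)] = m.group(2)
        elif m := HOST_RE.match(line):
            cfg.hosts.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    if not cfg.enabled:
        return findings          # SNMP disabled: no remote management exposure
    for name, access in cfg.communities.items():
        if access == "rw":
            findings.append(f"community '{name}' has read-write access")
        if name.lower() in WELL_KNOWN:
            findings.append(f"community '{name}' is a well-known default name")
    for ip, kind, version, community in cfg.hosts:
        if version == "1":
            findings.append(f"{kind} receiver {ip} uses SNMPv1 format")
        if community not in cfg.communities:
            findings.append(f"{kind} receiver {ip} references unknown community '{community}'")
    if not cfg.auth_traps:
        findings.append("authentication failure traps are disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_snmp_config(SAMPLE_CONFIG)):
        print(finding)
```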
Chapter 63
SNMPv1 and SNMPv2c Commands

The SNMPv1 and SNMPv2c commands are summarized in Table 88 and described in detail within the chapter.

Table 88. SNMPv1 and SNMPv2c Commands
Command | Mode | Description
“NO SNMP-SERVER” on page 947 | Global Configuration | Disables SNMPv1 and SNMPv2c on the switch.
“NO SNMP-SERVER COMMUNITY” on page 948 | Global Configuration | Deletes SNMPv1 and SNMPv2c community strings.
Chapter 63: SNMPv1 and SNMPv2c Commands

Table 88. SNMPv1 and SNMPv2c Commands (Continued)
Command | Mode | Description
“SHOW SNMP-SERVER VIEW” on page 959 | Privileged Exec | Displays the SNMP views.
“SNMP-SERVER” on page 960 | Global Configuration | Enables SNMPv1 and SNMPv2c on the switch.
“SNMP-SERVER COMMUNITY” on page 961 | Global Configuration | Creates new SNMPv1 and SNMPv2c community strings.
NO SNMP-SERVER

Syntax
  no snmp-server

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to disable SNMPv1, SNMPv2c and SNMPv3 on the switch. The switch does not permit remote management from SNMP applications when SNMP is disabled. It also does not send SNMP trap or inform messages.

Confirmation Command
  “SHOW SNMP-SERVER” on page 956
NO SNMP-SERVER COMMUNITY

Syntax
  no snmp-server community community

Parameter
  community  Specifies an SNMP community string to be deleted from the switch. This parameter is case sensitive.

Mode
  Global Configuration mode

Description
  Use this command to delete SNMPv1 and SNMPv2c community strings from the switch. Deleting community strings with this command also deletes any IP addresses of SNMP trap or inform receivers assigned to the community strings.
NO SNMP-SERVER ENABLE TRAP

Syntax
  no snmp-server enable trap

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to disable the transmission of SNMP traps, except for the link status and authentication traps, which are disabled separately.
NO SNMP-SERVER ENABLE TRAP AUTH

Syntax
  no snmp-server enable trap auth

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to disable the transmission of SNMP authentication failure traps.
NO SNMP-SERVER HOST

Syntax
  no snmp-server host ipaddress traps|informs version 1|2c community_string

Parameters
  ipaddress  Specifies the IPv4 or IPv6 address of a trap or inform receiver to be removed from a community string. You can specify only one IP address.
  traps|informs  Specifies the type of messages the switch is sending to the receiver.
  1|2c  Specifies the format of the messages that the switch is transmitting to the receiver.
Examples
  This example removes the IPv4 address 115.124.187.4 of a trap receiver from the private community string:

awplus> enable
awplus# configure terminal
awplus(config)# no snmp-server host 115.124.187.4 traps version 1 private

  This example removes the IPv4 address 171.42.182.102 of a trap receiver from the community string “station12a”:

awplus> enable
awplus# configure terminal
awplus(config)# no snmp-server host 115.124.187.
NO SNMP-SERVER VIEW

Syntax
  no snmp-server view viewname oid

Parameters
  viewname  Specifies the name of the view to be deleted. The name is case sensitive.
  oid  Specifies the OID of the view.

Mode
  Global Configuration mode

Description
  Use this command to delete SNMP views. You can delete just one view at a time with this command.

Confirmation Command
  “SHOW SNMP-SERVER VIEW” on page 959

Example
  This example deletes the view AlliedTelesis with the OID 1.3.6.1.4.1.
NO SNMP TRAP LINK-STATUS

Syntax
  no snmp trap link-status

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to disable the transmission of SNMP link status notifications (traps) when ports establish links (linkUp) or lose links (linkDown) to network devices.
SHOW RUNNING-CONFIG SNMP

Syntax
  show running-config snmp

Parameters
  None

Mode
  Privileged Exec mode

Description
  Use this command to display the SNMPv1 and SNMPv2c community strings and the IP addresses of trap and inform receivers. An example is shown in Figure 169.
SHOW SNMP-SERVER

Syntax
  show snmp-server

Parameters
  None

Mode
  Privileged Exec mode

Description
  Use this command to display the current status of SNMP on the switch. An example is shown in Figure 170. The first field displays whether SNMP is enabled or disabled on the switch. You can remotely manage the switch with SNMPv1 or v2c when the server is enabled. Remote management is not possible when the server is disabled.
SHOW SNMP-SERVER COMMUNITY

Syntax
  show snmp-server community

Parameters
  None

Mode
  Privileged Exec mode

Description
  Use this command to display the SNMPv1 and SNMPv2c community strings on the switch. Here is an example of the display.

SNMP community information:
Community Name .............
Access ..................
View ....................
Community Name .............
Access ..................
View ....................
Example
  This example displays the SNMPv1 and SNMPv2c community strings:

awplus# show snmp-server community

958
SHOW SNMP-SERVER VIEW

Syntax
  show snmp-server view

Parameters
  None

Mode
  Privileged Exec mode

Description
  Use this command to display the SNMPv1 and SNMPv2c views on the switch. Here is an example of the display.

SNMP View information:
View Name ............. system
OID ................ 1.3.6.12.1.1
Type ............... excluded
View Name ............. AlliedTelesis
OID ................ 1.3.6.1.4.1.207
Type ............... excluded

Figure 172.
SNMP-SERVER

Syntax
  snmp-server

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to activate SNMPv1, SNMPv2c and SNMPv3 on the switch. The switch permits remote management from SNMP applications when SNMP is enabled. The switch also sends SNMP messages to trap and inform receivers.
SNMP-SERVER COMMUNITY

Syntax
  snmp-server community community rw|ro

Parameters
  community  Specifies a new community string. The maximum length is 40 alphanumeric and/or special characters, such as !@#$%^&*?<>. The name is case sensitive. Spaces are not allowed.
  rw|ro  Specifies the access level of a new community string: read-write (RW) or read-only (RO).
SNMP-SERVER ENABLE TRAP

Syntax
  snmp-server enable trap

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to activate the transmission of all SNMP traps, except for power-inline, link status, and authentication traps, which are activated separately.
SNMP-SERVER ENABLE TRAP AUTH

Syntax
  snmp-server enable trap auth

Parameters
  None

Mode
  Global Configuration mode

Description
  Use this command to activate the transmission of SNMP authentication failure traps.
SNMP-SERVER HOST

Syntax
  snmp-server host ipaddress traps|informs version 1|2c community

Parameters
  ipaddress  Specifies the IPv4 or IPv6 address of a network device to receive trap or inform messages from the switch.
  traps|informs  Specifies the type of messages.
  1|2c  Specifies the format of the traps sent by the switch. For trap messages, the format can be SNMPv1 (1) or SNMPv2c (2c). For inform messages, the format must be SNMPv2c (2c).
Examples
  This example assigns the IPv4 address 149.44.12.44 of a trap receiver to the private community string. The traps are sent in the SNMPv2c format:

awplus> enable
awplus# configure terminal
awplus(config)# snmp-server host 149.44.12.44 traps version 2c private

  This example assigns the IPv4 address 152.34.32.18 as a trap receiver to the community string “tlpaac78”.
SNMP-SERVER VIEW

Syntax
  snmp-server view viewname oid excluded|included

Parameters
  viewname  Specifies the name of a new view. The maximum length is 64 alphanumeric and/or special characters. The string is case sensitive. Spaces are not allowed.
  oid  Specifies the OID of the view. The OID must be in decimal format.
  excluded  Denies access to the part of the MIB tree specified by the OID.
  included  Permits access to the part of the MIB tree specified by the OID.
This example creates the new view “AlliedTelesis” that limits the available MIB objects to those in the OID 1.3.6.1.4.1.207:

awplus> enable
awplus# configure terminal
awplus(config)# snmp-server view AlliedTelesis 1.3.6.1 excluded
awplus(config)# snmp-server view AlliedTelesis 1.3.6.1.4.1.
SNMP TRAP LINK-STATUS

Syntax
  snmp trap link-status

Parameters
  None

Mode
  Port Interface mode

Description
  Use this command to enable SNMP to transmit link status notifications (traps) when ports establish links (linkUp) or lose links (linkDown) to network devices.
Chapter 64
SNMPv3 Commands

The SNMPv3 commands are summarized in Table 91 and described in detail within the chapter.

Table 91. SNMPv3 Commands
Command | Mode | Description
“NO SNMP-SERVER” on page 971 | Global Configuration | Disables SNMPv1, v2c and v3 on the switch.
“NO SNMP-SERVER ENGINEID LOCAL” on page 972 | Global Configuration | Returns the SNMP engine ID value to the default value.
“NO SNMP-SERVER GROUP” on page 973 | Global Configuration | Deletes SNMPv3 groups from the switch.
Chapter 64: SNMPv3 Commands

Table 91. SNMPv3 Commands (Continued)
Command | Mode | Description
“SNMP-SERVER GROUP” on page 985 | Global Configuration | Creates SNMPv3 groups.
“SNMP-SERVER HOST” on page 987 | Global Configuration | Creates SNMPv3 host entries.
“SNMP-SERVER USER” on page 989 | Global Configuration | Creates SNMPv3 users.
“SNMP-SERVER VIEW” on page 991 | Global Configuration | Creates SNMPv3 views.
NO SNMP-SERVER Syntax no snmp-server Parameters None Mode Global Configuration mode Description Use this command to disable SNMPv1, SNMPv2c, and SNMPv3 on the switch. The switch does not permit remote management from SNMP applications when SNMP is disabled. It also does not send SNMP trap or inform messages. Confirmation Command “SHOW SNMP-SERVER” on page 978.
NO SNMP-SERVER ENGINEID LOCAL Syntax no snmp-server engineid local Parameters None Mode Global Configuration mode Description Use this command to return the SNMP engine ID value to the default value.
NO SNMP-SERVER GROUP Syntax no snmp-server group name noauth|auth|priv Parameters name Specifies the name of a group you want to delete from the switch. The name is case sensitive. auth/noauth/priv Specifies the minimum security level of the group to be deleted. The options are: auth: Indicates authentication, but no privacy. noauth: Indicates no authentication or privacy. priv: Indicates authentication and privacy.
NO SNMP-SERVER HOST Syntax no snmp-server host ipaddress informs|traps v3 auth|noauth|priv username Parameters ipaddress Specifies the IP address of a trap receiver. The address can be IPv4 or IPv6. You can specify just one address. informs/traps Specifies the type of message the switch sends. The options are: informs: Sends inform messages. traps: Sends trap messages. noauth/auth/priv Specifies the minimum security level of the user associated with this entry.
Example This example deletes the host entry with the IPv4 address 187.87.165.12. The user name associated with this entry is “jones”: awplus> enable awplus# configure terminal awplus(config)# no snmp-server host 187.87.165.
NO SNMP-SERVER USER Syntax no snmp-server user user Parameters user Specifies the name of a user you want to delete from the switch. The name is case sensitive. Mode Global Configuration mode Description Use this command to delete SNMPv3 users. You can delete just one user at a time with this command.
NO SNMP-SERVER VIEW Syntax no snmp-server view view OID Parameters view Specifies the name of a view to be deleted from the switch. The name is case sensitive. OID Specifies the OID of the subtree of the view to be deleted. Mode Global Configuration mode Description Use this command to delete SNMPv3 views from the switch. Confirmation Command “SHOW SNMP-SERVER VIEW” on page 982 Example This example deletes the view All, which has the OID 1.3.6.
SHOW SNMP-SERVER Syntax show snmp-server Parameters None Mode Privileged Exec mode Description Use this command to display the current status of SNMP on the switch. An example is shown in Figure 173. The first field displays whether SNMP is enabled or disabled on the switch. You can remotely manage the switch with SNMPv1 or v2c when the server is enabled. Remote management is not possible when the server is disabled.
SHOW SNMP-SERVER GROUP Syntax show snmp-server group Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 groups.
SHOW SNMP-SERVER HOST Syntax show snmp-server host Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 host entries.
SHOW SNMP-SERVER USER Syntax show snmp-server user Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 users.
SHOW SNMP-SERVER VIEW Syntax show snmp-server view Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 views on the switch.
SNMP-SERVER Syntax snmp-server Parameters None Mode Global Configuration mode Description Use this command to activate SNMPv1, SNMPv2c, and SNMPv3 on the switch. The switch permits remote management from SNMP applications when SNMP is enabled. The switch also sends SNMP messages to trap and inform receivers.
SNMP-SERVER ENGINEID LOCAL Syntax snmp-server engineid local engine-id|default Parameters engine-id Specifies the SNMPv3 engine ID. The value can be up to 32 characters. default Returns the SNMPv3 engine ID to the system-generated value. Mode Global Configuration mode Description Use this command to configure the SNMPv3 engine ID. Note Changing the SNMPv3 engine ID from its default value is not recommended because the SNMP server on the switch may fail to operate properly.
SNMP-SERVER GROUP Syntax snmp-server group name auth|noauth|priv read readview| write writeview Parameters name Specifies a name for a new group. A name can be up to 64 alphanumeric and/or special characters, such as !@#$%^&*?<>, and is case sensitive. auth/noauth/priv Specifies the minimum security level that users must have to gain access to the switch through the group. The options are: auth: Indicates authentication, but no privacy.
Examples This example creates a group called “sta5west” with a minimum security level of privacy. The group has a read view named “internet” and a write view named “private”: awplus> enable awplus# configure terminal awplus(config)# snmp-server group sta5west priv read internet write private This example creates a group called “swengineering” with a minimum security level of authentication and privacy.
SNMP-SERVER HOST Syntax snmp-server host ipaddress informs|traps version 3 auth|noauth|priv username Parameters ipaddress Specifies the IP address of a trap receiver. The address can be IPv4 or IPv6. You can specify just one address. informs/traps Specifies the type of message the switch sends. The options are: informs: Sends inform messages. traps: Sends trap messages. noauth/auth/priv Specifies the minimum security level of the user associated with this entry.
Example This example configures SNMPv3 to send trap messages to an end node with the IPv4 address 149.157.192.12. The user name associated with this entry is “sthompson”: awplus> enable awplus# configure terminal awplus(config)# snmp-server host 149.157.192.
SNMP-SERVER USER Syntax snmp-server user username groupname [auth sha|md5 auth_password] [priv des priv_password] Parameters username Specifies a name for a new SNMPv3 user. A name can have up to 32 alphanumeric and/or special characters and is case sensitive. Spaces are not allowed. groupname Specifies a name of a group for a new user. A group name can have up to 32 alphanumeric and/or special characters and is case sensitive. Spaces are not allowed.
To create a user that has authentication but not privacy, include the AUTH keyword but not the PRIV keyword. To create a user that has both authentication and privacy, include both the AUTH and PRIV keywords. You cannot create a user that has privacy but not authentication. Confirmation Command “SHOW SNMP-SERVER USER” on page 981 Examples This example creates the user “dcraig”.
SNMP-SERVER VIEW Syntax snmp-server view viewname oid excluded|included Parameters viewname Specifies the name of a new view. The maximum length is 64 alphanumeric and/or special characters. The string is case sensitive. Spaces are not allowed. oid Specifies the OID of the view. The OID must be in decimal format. Each decimal equals 1 character, for example, 1.3.6.1.1 would be equivalent to 9 characters.
This example creates the new view “AlliedTelesis” that limits the available MIB objects to those in the OID 1.3.6.1.4.1.207: awplus> enable awplus# configure terminal awplus(config)# snmp-server view AlliedTelesis 1.3.6.1 excluded awplus(config)# snmp-server view AlliedTelesis 1.3.6.1.4.1.
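The rules this chapter spreads across SNMP-SERVER VIEW, SNMP-SERVER GROUP, SNMP-SERVER USER and SNMP-SERVER HOST, as an added Python example that is not Allied Telesis code: it validates a declared SNMPv3 access policy and emits the CLI lines, rejecting a user with privacy but no authentication, a user whose level is below its group's minimum, and a host entry that asks for a level its user cannot provide. The view is the chapter's AlliedTelesis example; the group netops, the user jones, the receiver 192.0.2.10 and the password placeholders are constructed.

```python
"""SNMPv3 configuration builder for the AT-9000 CLI (added example, not Allied
Telesis code). It encodes the chapter's rules: user names up to 32 and view names
up to 64 characters with no spaces, OIDs in dotted decimal, no privacy without
authentication, and a group's level as the minimum its users must meet."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OID_RE = re.compile(r"^\d+(\.\d+)*$")
LEVELS = ("noauth", "auth", "priv")  # ascending security

def _check_name(name: str, limit: int, what: str) -> None:
    if not name or len(name) > limit or " " in name:
        raise ValueError(f"{what} {name!r}: 1-{limit} characters, no spaces")

@dataclass
class View:
    name: str
    oid: str
    included: bool  # False emits the "excluded" keyword

    def cli(self) -> str:
        _check_name(self.name, 64, "view name")
        if not OID_RE.match(self.oid):
            raise ValueError(f"OID {self.oid!r} must be dotted decimal")
        return f"snmp-server view {self.name} {self.oid} " + ("included" if self.included else "excluded")

@dataclass
class Group:
    name: str
    level: str  # minimum level a user needs to reach the switch via this group
    read_view: Optional[str] = None
    write_view: Optional[str] = None

    def cli(self) -> str:
        _check_name(self.name, 64, "group name")
        line = f"snmp-server group {self.name} {self.level}"
        for keyword, ref in (("read", self.read_view), ("write", self.write_view)):
            line += f" {keyword} {ref}" if ref else ""
        return line

@dataclass
class User:
    name: str
    group: str
    auth: Optional[Tuple[str, str]] = None  # ("sha" or "md5", password)
    priv_password: Optional[str] = None     # DES privacy password

    def level(self) -> str:
        if self.priv_password and not self.auth:
            raise ValueError(f"user {self.name!r}: privacy without authentication is not permitted")
        return "priv" if self.priv_password else ("auth" if self.auth else "noauth")

    def cli(self) -> str:
        _check_name(self.name, 32, "user name")
        line = f"snmp-server user {self.name} {self.group}"
        if self.auth:
            proto, password = self.auth
            if proto not in ("sha", "md5"):
                raise ValueError(f"auth protocol must be sha or md5, got {proto!r}")
            line += f" auth {proto} {password}"
        if self.level() == "priv":
            line += f" priv des {self.priv_password}"
        return line

# A host entry is (receiver address, user name, security level); traps are sent, not informs.
HostEntry = Tuple[str, str, str]

def render(views: List[View], groups: List[Group], users: List[User], hosts: List[HostEntry]) -> List[str]:
    """Return the CLI lines, rejecting references and levels the switch would not accept."""
    view_names = {v.name for v in views}
    group_by_name = {g.name: g for g in groups}
    user_by_name = {u.name: u for u in users}
    lines = ["configure terminal"] + [v.cli() for v in views]
    for g in groups:
        if g.level not in LEVELS or any(r and r not in view_names for r in (g.read_view, g.write_view)):
            raise ValueError(f"group {g.name!r}: bad level or undefined view")
        lines.append(g.cli())
    for u in users:
        g = group_by_name.get(u.group)
        if g is None or LEVELS.index(u.level()) < LEVELS.index(g.level):
            raise ValueError(f"user {u.name!r}: undefined group or level below the group minimum")
        lines.append(u.cli())
    for address, user_name, level in hosts:
        u = user_by_name.get(user_name)
        if u is None or level not in LEVELS or LEVELS.index(level) > LEVELS.index(u.level()):
            raise ValueError(f"host {address}: undefined user or level the user cannot provide")
        lines.append(f"snmp-server host {address} traps version 3 {level} {user_name}")
    return lines + ["snmp-server"]  # activate the server only after the access policy exists

def example_config() -> List[str]:
    """The chapter's AlliedTelesis view plus constructed group, user and host values."""
    views = [View("AlliedTelesis", "1.3.6.1", False), View("AlliedTelesis", "1.3.6.1.4.1.207", True)]
    groups = [Group("netops", "priv", read_view="AlliedTelesis", write_view="AlliedTelesis")]
    users = [User("jones", "netops", ("sha", "AUTH-PASSWORD-PLACEHOLDER"), "PRIV-PASSWORD-PLACEHOLDER")]
    return render(views, groups, users, [("192.0.2.10", "jones", "priv")])  # constructed receiver address
```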
Section X Network Management This section contains the following chapters: Chapter 65, “sFlow Agent” on page 995 Chapter 66, “sFlow Agent Commands” on page 1007 Chapter 67, “LLDP and LLDP-MED” on page 1019 Chapter 68, “LLDP and LLDP-MED Commands” on page 1051 Chapter 69, “Address Resolution Protocol (ARP)” on page 1111 Chapter 70, “Address Resolution Protocol (ARP) Commands” on page 1117 Chapter 71, “RMON” on page 1125 Chapter 72, “RMON Commands” on page 1141 Chapter 73,
Chapter 65 sFlow Agent This chapter contains the following topics: “Overview” on page 996 “Configuring the sFlow Agent” on page 998 “Configuring the Ports” on page 999 “Enabling the sFlow Agent” on page 1001 “Disabling the sFlow Agent” on page 1002 “Displaying the sFlow Agent” on page 1003 “Configuration Example” on page 1004
Chapter 65: sFlow Agent Overview The sFlow agent allows the switch to gather data about the traffic on the ports and to send the data to an sFlow collector on your network for analysis. You can use the information to monitor the performance of your network or identify traffic bottlenecks.
Number of ingress and egress packets with errors Number of ingress packets with unknown protocols To configure the agent to forward these port statistics to a collector, you have to specify polling rates, which define the maximum amount of time permitted between successive queries of the counters of a port by the agent. Different ports can have different polling rates.
Configuring the sFlow Agent The command for defining the IP address of the sFlow collector is the SFLOW COLLECTOR IP command. The command, which is located in the Global Configuration mode, has this format: sflow collector ip ipaddress port udp_port The IPADDRESS parameter specifies the IP address of the collector and the UDP_PORT parameter its UDP port. This example specifies the IP address of the sFlow collector as 154.122.11.
Configuring the Ports To configure the ports so that their performance data is collected by the sFlow agent, you have to define two variables, one of which is optional. The variables are listed here: Sampling rate (optional) Polling rate (required) Note If the sFlow agent is already enabled on the switch, it will be necessary to disable it while you set these parameters. For instructions, refer to “Disabling the sFlow Agent” on page 1002.
Configuring the Polling Interval The polling interval determines how frequently the agent queries the packet counters of the ports and sends the data to the collector. This is the maximum amount of time allowed between successive queries of the counters by the agent on the switch. The range is 0 to 16777215 seconds.
Enabling the sFlow Agent Use the SFLOW ENABLE command in the Global Configuration mode to activate the sFlow agent so that the switch begins to gather packet samples and packet counters and to transmit the data to the sFlow collector on your network.
Disabling the sFlow Agent To stop the sFlow agent from collecting performance data on the ports on the switch and from sending the data to the collector on your network, use the NO SFLOW ENABLE command in the Global Configuration mode.
Displaying the sFlow Agent To view the IP addresses and UDP port settings of the collectors as defined in the sFlow agent on the switch, use the SHOW SFLOW command in the Global Configuration mode. Here is the command: awplus(config)# show sflow Here is an example of the display. Number of Collectors: Collector_address ================== 149.122.78.
Configuration Example Here is an example of how to configure the sFlow agent. The IP address of the sFlow collector is 152.232.56.11. The ports from which performance data will be collected will be ports 3, 11, 12, and 21 to 23. Ports 3, 11, and 12 will have a polling rate of 120 seconds and a sampling rate of 1 packet in an average of 10,000 packets. Ports 21 to 23 will have a polling rate of 1800 seconds and a sampling rate of 1 packet in every 50,000 packets.
awplus(config-if)# sflow sampling-rate 50000 Use the SFLOW SAMPLING-RATE command to set the sampling rate of the ports to 1 packet for every 50000 packets. awplus(config-if)# sflow polling-interval 1800 Use the SFLOW POLLING-INTERVAL command to set the polling rate of the statistics counters of the ports to 1800 seconds. awplus(config-if)# exit Return to the Global Configuration mode.
Chapter 66 sFlow Agent Commands The sFlow agent commands are summarized in Table 92 and described in detail within the chapter. Table 92. sFlow Agent Commands Command Mode Description “NO SFLOW COLLECTOR IP” on page 1008 Global Configuration Deletes the IP address of an sFlow collector from the switch. “NO SFLOW ENABLE” on page 1009 Global Configuration Disables the sFlow agent on the switch.
Chapter 66: sFlow Agent Commands NO SFLOW COLLECTOR IP Syntax no sflow collector ip ipaddress Parameters ipaddress Specifies the IP address of an sFlow collector. Mode Global Configuration mode Description Use this command to delete the IP address of an sFlow collector from the switch. Confirmation Command “SHOW SFLOW” on page 1016 Example This example deletes the IP address 152.42.175.
NO SFLOW ENABLE Syntax no sflow enable Parameters None Mode Global Configuration mode Description Use this command to disable the sFlow agent to stop the switch from transmitting sample and counter data to the sFlow collector on your network.
SFLOW COLLECTOR IP Syntax sflow collector ip ipaddress [port udp_port] Parameters ipaddress Specifies the IP address of the sFlow collector on your network. udp_port Specifies the UDP port number of the sFlow collector. The default is UDP port 6343. Mode Global Configuration mode Description Use this command to specify the IP address and UDP port of an sFlow collector on your network.
SFLOW ENABLE Syntax sflow enable Parameters None Mode Global Configuration mode Description Use this command to activate the sFlow agent on the switch. The switch uses the agent to gather packet sampling data and packet counters from the designated ports and to transmit the data to the sFlow collector on your network.
SFLOW POLLING-INTERVAL Syntax sflow polling-interval polling-interval Parameters polling-interval Specifies the maximum amount of time permitted between successive pollings of the packet counters of a port by the agent. The range is 0 to 16777215 seconds. Mode Port Interface mode Description Use this command to set the polling intervals for the ports.
This example removes sFlow monitoring on port 21 using the NO form of the command: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.
SFLOW SAMPLING-RATE Syntax sflow sampling-rate sampling-rate Parameters sampling-rate Specifies the sampling rate on a port. The possible values are 0 and 256 to 16441700 packets. The value 0 means no sampling. Mode Port Interface mode Description Use this command to enable or disable packet sampling on the ports and to set the sampling rates.
This example disables packet sampling on port 7: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.
SHOW SFLOW Syntax show sflow [database] Parameters None Mode Privileged Exec mode Description Use this command to display the settings of the sFlow agent on the switch. The command displays the same information with or without the DATABASE keyword. Here is an example of the information. Number of Collectors: Collector_address ================== 149.122.78.
The fields are described in Table 93. Table 93. SHOW SFLOW Command Parameter Description Number of Collectors Number of sFlow collectors that have been defined on the switch by having their IP addresses entered in the agent. The agent can contain up to four IP addresses of sFlow collectors. Collector_address The IP address of the sFlow collector on your network. To set this parameter, refer to “SFLOW COLLECTOR IP” on page 1010.
Example This example displays the settings of the sFlow agent: awplus> enable awplus# show sflow
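The sFlow settings these two chapters describe, as an added Python planner that is not Allied Telesis code: it checks the SFLOW SAMPLING-RATE and SFLOW POLLING-INTERVAL ranges and the four-collector limit, emits the CLI for the chapter's configuration example with the agent disabled while port parameters change, and estimates the worst-case number of samples per second the collector must absorb. The 1 Gbit/s packet rate behind that estimate is an assumption for planning, not a figure from the manual.

```python
"""sFlow agent planner for the AT-9000 (added example, not Allied Telesis code).
Ranges are those the chapters give: sampling rate 0 or 256-16441700 packets,
polling interval 0-16777215 seconds, at most four collectors, default collector
UDP port 6343. The packets-per-second figure is an assumption used only to size
the collector; it is not a value from the manual."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLING_MIN, SAMPLING_MAX = 256, 16441700
POLLING_MAX = 16777215
MAX_COLLECTORS = 4
DEFAULT_UDP_PORT = 6343
# Assumption: line-rate 64-byte frames on a 1 Gbit/s port, the worst case for sample volume.
GIGABIT_MAX_PPS = 1_488_095


@dataclass(frozen=True)
class PortSflow:
    sampling_rate: int     # 0 turns packet sampling off
    polling_interval: int  # 0 turns counter polling off

    def validate(self) -> None:
        if self.sampling_rate and not SAMPLING_MIN <= self.sampling_rate <= SAMPLING_MAX:
            raise ValueError(f"sampling rate {self.sampling_rate}: use 0 or {SAMPLING_MIN}-{SAMPLING_MAX}")
        if not 0 <= self.polling_interval <= POLLING_MAX:
            raise ValueError(f"polling interval {self.polling_interval}: use 0-{POLLING_MAX}")


def build_config(collectors: List[Tuple[str, int]], ports: Dict[int, PortSflow]) -> List[str]:
    """Emit the CLI: collectors, then port settings, with the agent disabled while
    port parameters change and re-enabled afterwards, as the chapter's note requires."""
    if not 1 <= len(collectors) <= MAX_COLLECTORS:
        raise ValueError(f"between 1 and {MAX_COLLECTORS} collectors are required")
    for settings in ports.values():
        settings.validate()
    lines = ["configure terminal", "no sflow enable"]
    for address, udp_port in collectors:
        suffix = "" if udp_port == DEFAULT_UDP_PORT else f" port {udp_port}"
        lines.append(f"sflow collector ip {address}{suffix}")
    # Ports that share settings are configured together, as the chapter's example does.
    groups: Dict[PortSflow, List[int]] = {}
    for number in sorted(ports):
        groups.setdefault(ports[number], []).append(number)
    for settings, numbers in groups.items():
        lines.append("interface " + ",".join(f"port1.0.{n}" for n in numbers))
        lines.append(f"sflow sampling-rate {settings.sampling_rate}")
        lines.append(f"sflow polling-interval {settings.polling_interval}")
        lines.append("exit")
    return lines + ["sflow enable"]


def records_per_second(ports: Dict[int, PortSflow], pps: int = GIGABIT_MAX_PPS) -> float:
    """Upper bound on flow samples plus counter samples the agent can send per second."""
    total = 0.0
    for settings in ports.values():
        if settings.sampling_rate:
            total += pps / settings.sampling_rate    # one flow sample per N packets
        if settings.polling_interval:
            total += 1.0 / settings.polling_interval  # one counter record per interval
    return total


def example_plan() -> Tuple[List[str], float]:
    """The chapter's configuration example: ports 3, 11 and 12 at 1 in 10000 packets
    polled every 120 s; ports 21 to 23 at 1 in 50000 packets polled every 1800 s."""
    fast = PortSflow(sampling_rate=10000, polling_interval=120)
    slow = PortSflow(sampling_rate=50000, polling_interval=1800)
    ports = {3: fast, 11: fast, 12: fast, 21: slow, 22: slow, 23: slow}
    collectors = [("152.232.56.11", DEFAULT_UDP_PORT)]
    return build_config(collectors, ports), records_per_second(ports)
```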
Chapter 67 LLDP and LLDP-MED This chapter contains the following topics: “Overview” on page 1020 “Enabling LLDP and LLDP-MED on the Switch” on page 1025 “Configuring Ports to Only Receive LLDP and LLDP-MED TLVs” on page 1026 “Configuring Ports to Send Only Mandatory LLDP TLVs” on page 1027 “Configuring Ports to Send Optional LLDP TLVs” on page 1028 “Configuring Ports to Send Optional LLDP-MED TLVs” on page 1030 “Configuring Ports to Send LLDP-MED Civic Location TLVs” on page 1032
Chapter 67: LLDP and LLDP-MED Overview Link Layer Discovery Protocol (LLDP) and Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED) allow Ethernet network devices, such as switches and routers, to receive and transmit device-related information to directly connected devices on the network that are also using the protocols, and to store the information that is learned about other devices. The data sent and received by LLDP and LLDP-MED are useful for many reasons.
Mandatory LLDP TLVs Mandatory LLDP TLVs are sent by default on ports that send TLVs. The TLVs are defined in Table 94. Table 94. Mandatory LLDP TLVs TLV Description Chassis ID The device's chassis ID number. For Allied Telesis devices, this is the MAC address of the switch. Port ID The number of the port that transmitted the advertisements. Optional LLDP TLVs
Table 95. Optional LLDP TLVs (Continued) TLV Description System capabilities The device’s router and bridge functions, and whether or not these functions are currently enabled. The value for this TLV on the AT-9000 Switch is Bridge, Router. Management address The address of the local LLDP agent. This can be used to obtain information related to the local device. Port VLAN The VID of the VLAN in which the transmitting port is an untagged member.
The switch does not verify whether a device connected to a port is LLDP-compatible prior to sending mandatory and optional LLDP TLVs. Optional LLDP-MED TLVs LLDP-MED is an extension of LLDP that is used between LAN network connectivity devices, such as this switch, and media endpoint devices connected to them, such as IP phones.
Table 96. Optional LLDP-MED TLVs (Continued) TLV Extended power management Inventory management Description The following PoE information: Power Type field: Power Sourcing Entity (PSE). Power Source field: current power source, either Primary Power Source or Backup Power Source. Power Priority field: power priority configured on the port.
Enabling LLDP and LLDP-MED on the Switch To enable LLDP and LLDP-MED on the switch, use the LLDP RUN command in the Global Configuration mode. The switch begins to transmit advertisements from those ports that are configured to send TLVs, and begins to populate its neighbor information table as advertisements from the neighbors arrive on the ports. The command does not support any parameters.
Configuring Ports to Only Receive LLDP and LLDP-MED TLVs This is the first in a series of examples that show how to configure the ports for LLDP and LLDP-MED. In this first example, ports 4 and 18 are configured to accept advertisements from their neighbors, but not to send any advertisements. awplus> enable Enter the Privileged Executive mode from the User Executive mode. awplus# configure terminal Enter the Global Configuration mode. awplus(config)# interface port1.0.
Configuring Ports to Send Only Mandatory LLDP TLVs This example illustrates how to configure the ports to receive and send only the mandatory LLDP TLVs. Since the default is for ports to send all mandatory and optional TLVs, you must remove the optional TLVs. This example configures ports 16 to 20: awplus> enable Enter the Privileged Executive mode from the User Executive mode. awplus# configure terminal Enter the Global Configuration mode.
Configuring Ports to Send Optional LLDP TLVs This example illustrates how to configure the ports to send optional LLDP TLVs, along with the mandatory TLVs, to their neighbors. Refer to Table 95 for the list of optional LLDP TLVs. Table 97.
Here are the commands to configure the ports to send the TLVs: awplus> enable Enter the Privileged Executive mode from the User Executive mode. awplus# configure terminal Enter the Global Configuration mode. awplus(config)# interface port1.0.18,port1.0.24 Enter the Port Interface mode for ports 18 and 24. awplus(config-if)# lldp transmit receive Configure the ports to accept and send TLVs to and from their neighbors.
Configuring Ports to Send Optional LLDP-MED TLVs This section explains how to configure the ports to send these optional LLDP-MED TLVs: Capabilities Network-policy For instructions on how to create LLDP-MED civic, coordinate, and ELIN location entries, refer to the following sections.
awplus# show lldp interface port1.0.3,port1.0.4 Use the SHOW LLDP INTERFACE command to confirm the configuration.
Configuring Ports to Send LLDP-MED Civic Location TLVs Civic location TLVs specify the physical addresses of network devices. Country, state, street, and building number are only a few examples of the various types of information civic location TLVs can include. Unlike some of the other LLDP-MED TLVs, such as the capabilities and network policy TLVs, which have pre-set values that you cannot change, a civic location TLV has to be configured before a port will send it.
Table 98. Abbreviated List of LLDP-MED Civic Location Entry Parameters Parameter Example seat cube-411a state CA street-suffix Blvd unit A11 3. Move to the Port Interface mode of the ports to which the entry is to be assigned. (A civic location entry can be applied to more than one port.) 4. Use the LLDP LOCATION command in the Port Interface mode to attach the location entry to the port. 5.
awplus(config_civic)# exit Return to the Global Configuration mode. awplus(config)# exit Return to the Privileged Exec mode. awplus# show location civic-location identifier 8 Use the SHOW LOCATION command to verify the configuration of the new location entry. This series of commands adds the new location entry to port 14 and configures the port to include the location TLV in its advertisements: awplus# configure terminal Enter the Global Configuration mode.
Configuring Ports to Send LLDP-MED Coordinate Location TLVs Coordinate location TLVs specify the locations of network devices by their latitudes and longitudes. Here are the main steps to creating coordinate location TLVs: 1. Starting from the Global Configuration mode, use the LOCATION COORD-LOCATION command to assign the new entry an ID number. The command automatically takes you to the Coordinate mode. 2.
Table 99. LLDP-MED Coordinate Location Entry Parameters Parameter Value alt-resolution Altitude resolution as number of valid bits. The range is 0 to 30 bits. datum nad83-mllw|nad83-navd|wgs84 The geodetic system (or datum) of the coordinates. The selections are: nad83-mllw - Mean lower low water datum 1983 nad83-navd - North American vertical datum 1983 wgs84 - World Geodetic System 1984 3.
awplus(config)# location coord-location identifier 16 Use the LOCATION COORD-LOCATION command to assign an ID number in the range of 1 to 256 to the new location entry, and to enter the Coordinate mode. The entry in this example is assigned the ID number 16. awplus(config_coord)# awplus(config-coord)# awplus(config_coord)# awplus(config-coord)# awplus(config_coord)# awplus(config_coord)# awplus(config-coord)# Use the parameter commands to define the entry.
awplus# show location coord-location interface port1.0.15 Use the SHOW LOCATION command to confirm the configuration. ID Element Type Element Value ------------------------------------------16 Latitude Resolution 12 bits Latitude 37.29153547 degrees Longitude Resolution 33 bits Longitude 121.9152832 degrees Altitude Resolution 23 bits Altitude 10.25000000 meters Map Datum NAD83-NAVD awplus# show lldp interface port1.0.
Configuring Ports to Send LLDP-MED ELIN Location TLVs This type of TLV specifies the location of a network device by its ELIN (emergency location identifier number). Here are the main steps to creating ELIN location TLVs: 1. Starting from the Global Configuration mode, use the LOCATION ELIN-LOCATION command to create the new entry. 2. In the Port Interface mode, use the LLDP LOCATION command to add the entry to the appropriate ports.
This series of commands adds the entry to port 5 and configures the port to include the TLV in its advertisements: awplus# configure terminal Enter the Global Configuration mode. awplus(config)# interface port1.0.5 Enter the Port Interface mode for port 5. awplus(config-if)# lldp transmit receive Configure the port to send and receive LLDP advertisements.
Removing LLDP TLVs from Ports To stop ports from sending optional LLDP TLVs, use this command: no lldp tlv-select all|tlv The command is located in the Port Interface mode. You can specify only one TLV at a time in the command. This example stops ports 4 and 5 from including the system capabilities and the management address TLVs in their advertisements: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.4,port1.0.
Removing LLDP-MED TLVs from Ports To remove optional LLDP-MED TLVs from ports, use the NO LLDP MED-TLV-SELECT command: no lldp med-tlv-select capabilities|network-policy|location|power-management-ext|inventory-management|all You can specify only one TLV at a time in the command, which is located in the Port Interface mode.
Deleting LLDP-MED Location Entries The command for deleting LLDP-MED location entries from the switch is: no location civic-location|coord-location|elin-location identifier id_number The command, which is located in the Global Configuration mode, can delete only one entry at a time and must include both the type and the ID number of the location entry to be deleted.
Disabling LLDP and LLDP-MED on the Switch To disable LLDP and LLDP-MED on the switch, use the NO LLDP RUN command in the Global Configuration mode. The command has no parameters. After the protocols are disabled, the switch neither sends advertisements to nor collects information from its neighbors. The switch retains its LLDP settings.
Displaying General LLDP Settings To view the timers and other general LLDP and LLDP-MED settings, use the SHOW LLDP command in the User Exec mode or the Privileged Exec mode. Here is the command: awplus# show lldp Here is an example of the information. LLDP Global Configuration: [Default Values] LLDP Status ............... Enabled [Disabled] Notification Interval ..... 5 secs [5] Tx Timer Interval ......... 30 secs [30] Hold-time Multiplier ......
Displaying Port Settings To view the LLDP and LLDP-MED settings of the individual ports on the switch, use the SHOW LLDP INTERFACE command. The command has this format: show lldp interface [port] If you omit the PORT variable, as in this example, the command displays the settings for all the ports. awplus# show lldp interface This example displays the settings for ports 17 and 19: awplus# show lldp interface port1.0.17,port1.0.19 Here is an example of the information.
Displaying or Clearing Neighbor Information There are two commands for displaying the information the switch has collected from the LLDP and LLDP-MED-compatible neighbors connected to its ports. To view a summary of the information, use the SHOW LLDP NEIGHBORS command in the User Exec mode or the Privileged Exec mode.
This example clears the information the switch has received from all the neighbors: awplus> enable awplus# clear lldp table This example clears the information the switch has received from the neighbor connected to port 11: awplus> enable awplus# clear lldp table interface port1.0.
Displaying Port TLVs To view the TLVs of the individual ports on the switch, use the SHOW LLDP LOCAL-INFO INTERFACE command in the User Exec mode or the Privileged Exec mode. This command is useful whenever you want to confirm the TLVs on the ports, such as after you have configured the ports or if you believe that ports are not sending the correct information.
Displaying and Clearing Statistics The switch maintains LLDP and LLDP-MED performance statistics for the individual ports and the entire unit. The command to display the statistics for the entire switch is the SHOW LLDP STATISTICS command in the Privileged Exec mode. (The LLDP and LLDP-MED SHOW commands, unlike the SHOW commands for the other features, are not available in the User Exec mode.
Chapter 68 LLDP and LLDP-MED Commands The Link Layer Discovery Protocol commands are summarized in Table 100 and described in detail within the chapter. Table 100. LLDP and LLDP-MED Commands Command Mode Description “CLEAR LLDP STATISTICS” on page 1054 Privileged Exec Clears the LLDP statistics (packet and event counters) on the ports. “CLEAR LLDP TABLE” on page 1055 Privileged Exec Clears the LLDP information the switch has received from its neighbors.
Chapter 68: LLDP and LLDP-MED Commands Table 100. LLDP and LLDP-MED Commands (Continued) Command Mode Description “LLDP NOTIFICATION-INTERVAL” on page 1066 Global Configuration Sets the notification interval, which is the minimum interval between LLDP SNMP notifications (traps). “LLDP REINIT” on page 1067 Global Configuration Sets the re-initialization delay, which is the number of seconds that must elapse after LLDP is disabled on a port before it can be re-initialized.
Table 100. LLDP and LLDP-MED Commands (Continued) Command Mode Description “NO LLDP MED-TLV-SELECT” on page 1083 Port Interface Stops ports from transmitting specified LLDP-MED TLVs. “NO LLDP NOTIFICATIONS” on page 1085 Port Interface Prevents ports from sending LLDP SNMP notifications (traps). “NO LLDP RUN” on page 1086 Global Configuration Disables LLDP on the switch.
CLEAR LLDP STATISTICS Syntax clear lldp statistics [interface port] Parameters port Specifies a port. You can specify more than one port at a time in this command. Omitting this parameter specifies all the ports. Mode Privileged Exec mode Description Use this command to clear the LLDP statistics (packet and event counters) on the ports. You can delete the statistics from all ports or from selected ports.
AT-9000 Switch Command Line User’s Guide CLEAR LLDP TABLE Syntax clear lldp table [interface port] Parameters port Specifies a port. You can specify more than one port at a time in this command. Omitting this parameter specifies all the ports. Mode Privileged Exec mode Description Use this command to clear the LLDP and LLDP-MED information the switch has received from its neighbors. You can delete all the information the switch has amassed or only the information from neighbors on selected ports.
Chapter 68: LLDP and LLDP-MED Commands LLDP HOLDTIME-MULTIPLIER Syntax lldp holdtime-multiplier holdtime-multiplier Parameters holdtime-multiplier Specifies the holdtime multiplier value. The range is 2 to 10. Mode Global Configuration mode Description Use this command to set the holdtime multiplier value. The transmit interval is multiplied by the holdtime multiplier to give the Time To Live (TTL) the switch advertises to the neighbors. The transmit interval is set with “LLDP TIMER” on page 1069.
LLDP LOCATION Syntax lldp location civic-location-id|coord-location-id|elin-location-id location_id Parameters civic-location-id Adds a civic location to the ports. coord-location-id Adds a coordinate location to the ports. elin-location-id Adds an ELIN location to the ports. location_id Specifies the ID number of the location entry to be added to the ports. You can add only one location at a time.
This example adds the coordinate location ID 11 to port 2: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.2 awplus(config-if)# lldp location coord-location-id 11 This example adds the ELIN location ID 27 to port 21: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.
AT-9000 Switch Command Line User’s Guide LLDP MANAGEMENT-ADDRESS Syntax lldp management-address ipaddress Parameters ipaddress Specifies an IP address. Mode Port Interface mode Description Use this command to replace the default management IP address TLV of a port. The management IP address TLV is optional. A port must be configured to transmit it. A port can have one of two possible default values for the management IP address TLV.
Chapter 68: LLDP and LLDP-MED Commands Examples This example configures port 2 to transmit the IP address 149.122.54.2 as its management IP address TLV: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.2 awplus(config-if)# lldp management-address 149.122.54.
AT-9000 Switch Command Line User’s Guide LLDP MED-NOTIFICATIONS Syntax lldp med-notifications Parameters None Mode Port Interface mode Description Use this command to configure the switch to send LLDP-MED topology change notifications when devices are connected to, or disconnected from, the specified ports. To prevent the switch from transmitting topology change notifications, refer to “NO LLDP NOTIFICATIONS” on page 1085.
LLDP MED-TLV-SELECT Syntax lldp med-tlv-select capabilities|network-policy|location|power-management-ext|inventory-management|all Parameters capabilities Specifies the capabilities TLV. network-policy Specifies the network policy TLV. location Specifies the location identification TLV. power-management-ext Specifies the extended power-via-MDI TLV. inventory-management Specifies the inventory management TLV. all Configures a port to send all LLDP-MED TLVs.
AT-9000 Switch Command Line User’s Guide Examples This example configures ports 3 to 8 to send the inventory management TLV to their neighbors: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.3-port1.0.8 awplus(config-if)# lldp med-tlv-select inventory-management This example configures port 2 to send the capabilities and the location TLVs to its neighbor: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.
LLDP NON-STRICT-MED-TLV-ORDER-CHECK Syntax lldp non-strict-med-tlv-order-check Parameters None Mode Global Configuration mode Description Use this command to configure the switch to accept LLDP-MED advertisements even if the TLVs are not in the standard order specified in ANSI/TIA-1057. This configuration is useful if the switch is connected to devices that send LLDP-MED advertisements in which the TLVs are not in the standard order. Because the command relaxes a validation check on received advertisements, leave the default strict ordering in place unless a specific neighbor requires the relaxed setting.
AT-9000 Switch Command Line User’s Guide LLDP NOTIFICATIONS Syntax lldp notifications Parameters None Mode Port Interface mode Description Use this command to configure ports to send LLDP SNMP notifications (traps). To prevent ports from transmitting LLDP SNMP notifications, refer to “NO LLDP NOTIFICATIONS” on page 1085.
Chapter 68: LLDP and LLDP-MED Commands LLDP NOTIFICATION-INTERVAL Syntax lldp notification-interval interval Parameters interval Specifies the notification interval. The range is 5 to 3600 seconds. Mode Global Configuration mode Description Use this command to set the notification interval. This is the minimum interval between LLDP SNMP notifications (traps).
AT-9000 Switch Command Line User’s Guide LLDP REINIT Syntax lldp reinit delay Parameters delay Specifies the re-initialization delay value. The range is 1 to 10 seconds. Mode Global Configuration mode Description Use this command to set the re-initialization delay. This is the number of seconds that must elapse after LLDP is disabled on a port before it can be re-initialized. Confirmation Command “SHOW LLDP” on page 1091.
Chapter 68: LLDP and LLDP-MED Commands LLDP RUN Syntax lldp run Parameters None Mode Global Configuration mode Description Use this command to activate LLDP on the switch. Once you have activated LLDP, the switch begins to transmit and accept advertisements on its ports. To deactivate LLDP, refer to “NO LLDP RUN” on page 1086. Confirmation Command “SHOW LLDP” on page 1091.
AT-9000 Switch Command Line User’s Guide LLDP TIMER Syntax lldp timer interval Parameters interval Specifies the transmit interval. The range is 5 to 32768 seconds. Mode Global Configuration mode Description Use this command to set the transmit interval. This is the interval between regular transmissions of LLDP advertisements. The transmit interval must be at least four times the transmission delay timer, set with “LLDP TXDELAY” on page 1074.
Chapter 68: LLDP and LLDP-MED Commands LLDP TLV-SELECT Syntax lldp tlv-select all|tlv Parameters all Configures a port to send all optional TLVs. tlv Specifies an optional TLV that a port should transmit to its neighbor. You can specify only one TLV per command. Mode Port Interface mode Description Use this command to specify the optional LLDP TLVs that ports are to transmit to their neighbors. You can specify only one TLV in a command. To select all the TLVs, use the ALL option.
Table 101. Optional TLVs (Continued) TLV Description port-description Sends a port’s description. To configure a port’s description, refer to “Adding Descriptions” on page 144 or “DESCRIPTION” on page 170. port-vlan Sends the ID number (VID) of the port-based or tagged VLAN where the port is an untagged member. power-management Transmits Power over Ethernet (PoE) information. protocol-ids Transmits the protocols that are accessible through the port.
Chapter 68: LLDP and LLDP-MED Commands Examples This example configures ports 3 to 5 to transmit all the optional LLDP TLVs: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.3-port1.0.5 awplus(config-if)# lldp tlv-select all This example configures ports 14 and 22 to transmit the optional LLDP port-description, port-vlan, and system-description TLVs: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.14,port1.0.
AT-9000 Switch Command Line User’s Guide LLDP TRANSMIT RECEIVE Syntax lldp transmit receive|transmit Parameters transmit Configures ports to send LLDP advertisements. receive Configures ports to accept LLDP advertisements. Mode Port Interface mode Description Use this command to configure ports to transmit and/or accept LLDP advertisements. Ports configured to transmit LLDP advertisements send the mandatory TLVs and any optional LLDP TLVs they have been configured to send.
Chapter 68: LLDP and LLDP-MED Commands LLDP TX-DELAY Syntax lldp tx-delay tx-delay Parameters tx-delay Specifies the transmission delay timer in seconds. The range is 1 to 8192 seconds. Mode Global Configuration mode Description Use this command to set the value of the transmission delay timer. This is the minimum time interval between transmissions of LLDP advertisements due to a change in LLDP local information.
AT-9000 Switch Command Line User’s Guide LOCATION CIVIC-LOCATION Syntax location civic-location identifier id_number Parameters id_number Specifies an ID number for an LLDP-MED civic location entry on the switch. The range is 1 to 256. (This range is separate from the ID number ranges for coordinate and ELIN location entries.) You can specify only one ID number. Mode Global Configuration mode Description Use this command to create or modify LLDP-MED civic location entries on the switch.
Chapter 68: LLDP and LLDP-MED Commands Table 102. LLDP-MED Civic Location Entry Parameters (Continued) Parameter Example leading-street-direction West name J-Smith neighborhood Cliffside place-type Business-district post-office-box 102 postal-code 95134 postal-community-name Lyton primary-road-name Eastwood road-section North room 402 seat cube-411a state CA street-group Addison street-name-post-modifier Div.
AT-9000 Switch Command Line User’s Guide After you create a location entry, use “LLDP LOCATION” on page 1057 to assign the location entry to a port, or ports, on the switch. To remove a civic location entry, use “NO LOCATION” on page 1089.
LOCATION COORD-LOCATION Syntax location coord-location identifier id_number Parameters id_number Specifies an ID number for an LLDP-MED coordinate location entry. The range is 1 to 256. (This range is independent from the ID number ranges for civic and ELIN location entries.) You can specify only one ID number. Mode Global Configuration mode Description Use this command to create or modify LLDP-MED coordinate location entries on the switch.
AT-9000 Switch Command Line User’s Guide Table 103. LLDP-MED Coordinate Location Entry Parameters (Continued) Parameter altitude floors Value Altitude in number of floors. The range is -2097151.0 to 2097151.0. The value for this parameter must be specified between the two keywords, as shown here: altitude n floors altitude meters Altitude in meters. The range is -2097151.0 to 2097151.0 meters. The parameter accepts up to eight digits to the right of the decimal point.
Examples This example creates a new coordinate location entry with these specifications. ID number: 16 Latitude: 37.29153547 Longitude: -121.91528320 Datum: nad83-navd Altitude: 10.25 meters awplus> enable awplus# configure terminal awplus(config)# location coord-location identifier 16 awplus(config-coord)# latitude 37.29153547 awplus(config-coord)# longitude -121.91528320 awplus(config-coord)# datum nad83-navd awplus(config-coord)# altitude 10.
LOCATION ELIN-LOCATION Syntax location elin-location elin_id identifier id_number Parameters elin_id Specifies the ELIN (Emergency Location Identification Number) of 10 to 25 digits. id_number Specifies an ID number for an LLDP-MED ELIN location entry on the switch. The range is 1 to 256. (This range is separate from the ranges for civic and coordinate entries.) You can specify only one ID number.
Chapter 68: LLDP and LLDP-MED Commands NO LLDP MED-NOTIFICATIONS Syntax no lldp med-notifications Parameters None Mode Port Interface mode Description Use this command to configure the switch not to send LLDP-MED topology change notifications when devices are connected to or disconnected from the specified ports.
NO LLDP MED-TLV-SELECT Syntax no lldp med-tlv-select capabilities|network-policy|location|power-management-ext|inventory-management|all Parameters capabilities Specifies the capabilities TLV. network-policy Specifies the network policy TLV. location Specifies the location identification TLV. power-management-ext Specifies the extended power-via-MDI TLV. inventory-management Specifies the inventory management TLV.
Chapter 68: LLDP and LLDP-MED Commands Examples This example stops port 8 from transmitting all LLDP-MED TLVs: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.8 awplus(config-if)# no lldp med-tlv-select all This example stops ports 2 and 16 from transmitting the LLDP-MED capabilities and network policy TLVs: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.2,port1.0.
AT-9000 Switch Command Line User’s Guide NO LLDP NOTIFICATIONS Syntax no lldp notifications Parameters None Mode Port Interface mode Description Use this command to prevent ports from sending LLDP SNMP notifications (traps). Confirmation Command “SHOW LLDP INTERFACE” on page 1093 Example This example prevents port 14 from transmitting SNMP notifications: awplus> enable awplus# configure terminal awplus(config)# interface port1.0.
Chapter 68: LLDP and LLDP-MED Commands NO LLDP RUN Syntax no lldp run Parameters None Mode Global Configuration mode Description Use this command to disable LLDP and LLDP-MED on the switch. The switch, when LLDP and LLDP-MED are disabled, neither sends advertisements to nor collects information from its neighbors. The LLDP settings are retained by the switch.
AT-9000 Switch Command Line User’s Guide NO LLDP TLV-SELECT Syntax no lldp tlv-select all|tlv Parameters all Removes all optional LLDP TLVs from a port. tlv Removes an optional TLV from a port. You can specify only one TLV. To remove more than one TLV from a port, repeat the command as many times as needed. Mode Port Interface mode Description Use this command to stop ports from sending optional LLDP TLVs to their neighbors. The optional TLVs are listed in Table 101 on page 1070.
Chapter 68: LLDP and LLDP-MED Commands NO LLDP TRANSMIT RECEIVE Syntax no lldp transmit|receive Parameters transmit Stops ports from sending LLDP and LLDP-MED advertisements. receive Stops ports from accepting LLDP and LLDP-MED advertisements. Mode Port Interface mode Description Use this command to stop ports from transmitting and/or accepting LLDP and LLDP-MED advertisements to or from their neighbors.
AT-9000 Switch Command Line User’s Guide NO LOCATION Syntax no location civic-location|coord-location|elin-location identifier id_number Parameters civic-location Deletes a civic location from the switch. coord-location Deletes a coordinate location. elin-location Deletes an ELIN location. id_number Specifies the ID number of the location information to be deleted from the switch. You can specify only one location entry at a time.
This example removes the ELIN location IDs 3 and 4: awplus> enable awplus# configure terminal awplus(config)# no location elin-location identifier 3 awplus(config)# no location elin-location identifier 4
AT-9000 Switch Command Line User’s Guide SHOW LLDP Syntax show lldp Parameters None. Mode Privileged Exec mode Description Use this command to display general LLDP settings. Here is an example of the information. LLDP Global Configuration: [Default Values] LLDP Status ............... Enabled [Disabled] Notification Interval ..... 5 secs [5] Tx Timer Interval ......... 30 secs [30] Hold-time Multiplier ...... 4 [4] (Computed TTL value ....... 120 secs) Reinitialization Delay .... 2 secs [2] Tx Delay ....
Chapter 68: LLDP and LLDP-MED Commands Table 104. SHOW LLDP Command (Continued) Field Description Hold-time Multiplier The holdtime multiplier. The transmit interval is multiplied by the holdtime multiplier to give the Time To Live (TTL) value that is advertised to neighbors. Reinitialization Delay The re-initialization delay. This is the minimum time that must elapse after LLDP has been disabled before it can be initialized again. Tx Delay The transmission delay.
SHOW LLDP INTERFACE Syntax show lldp interface [port] Parameters port Specifies a port. You can specify more than one port at a time with this command. Omitting this parameter displays the LLDP settings for all ports. Mode Privileged Exec mode Description Use this command to display the LLDP port settings. Here is an example of the information.
Chapter 68: LLDP and LLDP-MED Commands Examples This example displays the LLDP settings for all the ports on the switch: awplus# show lldp interface This example displays the LLDP settings for ports 5, 6 and 11: awplus# show lldp interface port1.0.5,port1.0.6,port1.0.
SHOW LLDP LOCAL-INFO INTERFACE Syntax show lldp local-info [interface port] Parameters port Specifies a port. You can specify more than one port at a time with this command. Omitting this parameter displays the LLDP information for all the ports. Mode Privileged Exec mode Description Use this command to display the LLDP and LLDP-MED TLVs that the local ports are actively transmitting to their LLDP-compatible neighbors.
Figure 181. SHOW LLDP LOCAL-INFO INTERFACE Command (partial)
Power Via MDI (PoE) .............. Not Supported
Link Aggregation ................. Supported / Disabled
Maximum Frame Size ............... 1522 (Octets)
LLDP-MED Device Type ............. Network Connectivity
LLDP-MED Capabilities ............ LLDP-MED Capabilities, Network Policy, Location Identification, Inventory
Network Policy ................... 1
  Application Type ........... Voice
  Frame Format ............... Untagged
  VLAN ID .................... 1
  Layer 2 Priority ........... 0
  DSCP Value ................. 0
Location Identifier .............. [not advertised]
AT-9000 Switch Command Line User’s Guide SHOW LLDP NEIGHBORS DETAIL Syntax show lldp neighbors detail [interface port] Parameters port Specifies a port. You can specify more than one port. Mode Privileged Exec mode Description Use this command to display the information the switch has gathered from its LLDP and LLDP-MED neighbors. To display the information for all the neighbors, do not include the INTERFACE parameter. See Figure 183.
Chapter 68: LLDP and LLDP-MED Commands Figure 183. SHOW LLDP NEIGHBORS DETAIL Command LLDP-MED Device Type ............. Network Connectivity LLDP-MED Capabilities ............ LLDP-MED Capabilities, Network Policy, Location Identification, Inventory Network Policy ................... 1 Application Type ........... Voice Frame Format ............... Untagged VLAN ID .................... 1 Layer 2 Priority ........... 0 DSCP Value ................. 0 Location Identifier ..............
Table 105. SHOW LLDP NEIGHBORS DETAIL Command (Continued) Parameter Description System Capabilities (Supported) The functions the neighbor supports. System Capabilities (Enabled) The neighbor’s functions, and whether or not each is currently enabled. Management Address The IP address of the neighbor. Port VLAN ID (PVID) The VLAN ID of the neighbor’s port. Port & Protocol VLAN (Supported) The protocol VLANs supported by the neighbor.
Table 105. SHOW LLDP NEIGHBORS DETAIL Command (Continued) Parameter Description LLDP-MED Capabilities The LLDP-MED TLVs that the neighbor supports and has enabled, and the neighbor’s device type (a switch such as the AT-9000 advertises Network Connectivity Device). Network Policy The network policy information configured on the port for connected media endpoint devices.
AT-9000 Switch Command Line User’s Guide Table 105. SHOW LLDP NEIGHBORS DETAIL Command (Continued) Parameter Description Software Revision The revision number of the management software on the chassis. Serial Number The serial number of the device. Manufacturer Name The name of the company that manufactured the device. Model Name The model name. Asset ID The asset ID number.
Chapter 68: LLDP and LLDP-MED Commands SHOW LLDP NEIGHBORS INTERFACE Syntax show lldp neighbors interface [port] Parameters port Specifies a port. You can specify more than one port at a time with this command. Mode Privileged Exec mode Description Use this command to view a summary of the information gathered by the switch from its LLDP and LLDP-MED neighbors. To display the information from all the neighbors, do not include a port number. Total number of neighbors on these ports ....
AT-9000 Switch Command Line User’s Guide Table 106. SHOW LLDP NEIGHBORS INTERFACE Command Parameter Description Neighbor Port Name The number of the neighbor’s port that sent the information. Neighbor System Name The neighbor’s system name. Neighbor Capability Capabilities that are supported and enabled on the neighbor.
Chapter 68: LLDP and LLDP-MED Commands SHOW LLDP STATISTICS Syntax show lldp statistics Parameters None Mode User Exec mode and Privileged Exec mode Description Use this command to display the LLDP statistics for the switch. Here is an example of the information. Global LLDP Packet and Event counters: Frames: TLVs: Neighbors: Out ................... In .................... In Errored ............ In Dropped ............ Unrecognized .......... Discarded ............. New Entries ...........
Table 107. SHOW LLDP STATISTICS Command (Continued) Statistic Description TLVs Unrecognized Number of LLDP TLVs received that were not recognized because their TLV types were in the reserved range. TLVs Discarded Number of discarded TLVs. Neighbors New Entries Number of times the information advertised by neighbors has been inserted into the neighbor table.
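The reserved-type count in the table above and the ordering rule behind the LLDP NON-STRICT-MED-TLV-ORDER-CHECK command are easier to see in a small parser. The following Python block is an added example, not Allied Telesis code and not the switch’s implementation: it decodes a constructed LLDPDU byte string, counts TLVs whose type falls in the IEEE 802.1AB reserved range (9 to 126) as unrecognized, checks that the three mandatory TLVs lead the frame, and applies the ANSI/TIA-1057 rule that the LLDP-MED Capabilities TLV must be the first LLDP-MED TLV, in strict or relaxed mode. The sample frames, the counter names and the advertised_ttl helper (transmit interval times holdtime multiplier, capped at 65535 because the TTL TLV is 16 bits) are this example’s own; which counter the switch increments for a mis-ordered MED advertisement is not stated on the page.

```python
# Added example, not Allied Telesis code: a minimal LLDPDU parser that
# reproduces the checks behind the "TLVs Unrecognized" counter and the
# LLDP NON-STRICT-MED-TLV-ORDER-CHECK setting. Frame bytes are constructed.
import struct

LLDP_MED_OUI = b"\x00\x12\xbb"      # TIA OUI carried by LLDP-MED org-specific TLVs
MED_CAPABILITIES = 1                # TIA-1057: must be the first LLDP-MED TLV
MED_NETWORK_POLICY = 2


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def med_tlv(subtype: int, body: bytes) -> bytes:
    """Encode an LLDP-MED TLV (type 127, TIA OUI, subtype, body)."""
    return tlv(127, LLDP_MED_OUI + bytes([subtype]) + body)


def advertised_ttl(tx_interval: int, holdtime_multiplier: int) -> int:
    """TTL the switch advertises: LLDP TIMER x LLDP HOLDTIME-MULTIPLIER,
    capped at 65535 because the TTL TLV carries a 16-bit value."""
    if not 5 <= tx_interval <= 32768 or not 2 <= holdtime_multiplier <= 10:
        raise ValueError("outside the AT-9000 ranges for timer/multiplier")
    return min(tx_interval * holdtime_multiplier, 65535)


def parse_tlvs(pdu: bytes):
    """Yield (type, value) pairs up to the End-of-LLDPDU TLV (type 0)."""
    off = 0
    while off + 2 <= len(pdu):
        hdr = struct.unpack("!H", pdu[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = pdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")      # an errored frame, not a TLV
        off += 2 + length
        if tlv_type == 0:
            return
        yield tlv_type, value
    raise ValueError("missing End-of-LLDPDU TLV")


def analyze(pdu: bytes, strict_med_order: bool = True) -> dict:
    """Return per-frame counters and whether the frame would be accepted."""
    stats = {"tlvs_in": 0, "unrecognized": 0, "med_tlvs": 0,
             "med_order_ok": True, "accepted": True}
    order = []
    for tlv_type, value in parse_tlvs(pdu):
        stats["tlvs_in"] += 1
        order.append(tlv_type)
        if 9 <= tlv_type <= 126:
            stats["unrecognized"] += 1               # reserved type: skip it, keep the frame
        elif tlv_type == 127 and value[:3] == LLDP_MED_OUI and len(value) >= 4:
            stats["med_tlvs"] += 1
            if stats["med_tlvs"] == 1 and value[3] != MED_CAPABILITIES:
                stats["med_order_ok"] = False        # TIA-1057 ordering violated
    if order[:3] != [1, 2, 3]:                       # Chassis ID, Port ID, TTL must lead
        stats["accepted"] = False
    if strict_med_order and not stats["med_order_ok"]:
        stats["accepted"] = False
    return stats


CHASSIS = tlv(1, b"\x04" + b"\x00\x06\x5b\xb2\x44\x21")   # subtype 4 = MAC address
PORT = tlv(2, b"\x05port1.0.2")                            # subtype 5 = interface name
TTL = tlv(3, struct.pack("!H", advertised_ttl(30, 4)))     # 30 s x 4 = 120 s
END = tlv(0, b"")

# Constructed frame 1: standard-order LLDP-MED advertisement.
SAMPLE_GOOD = (CHASSIS + PORT + TTL + tlv(4, b"uplink")
               + med_tlv(MED_CAPABILITIES, b"\x00\x03\x04")
               + med_tlv(MED_NETWORK_POLICY, b"\x01\x00\x00\x00") + END)
# Constructed frame 2: one reserved-type TLV and MED TLVs in the wrong order.
SAMPLE_MISORDERED = (CHASSIS + PORT + TTL + tlv(100, b"\x00")
                     + med_tlv(MED_NETWORK_POLICY, b"\x01\x00\x00\x00")
                     + med_tlv(MED_CAPABILITIES, b"\x00\x03\x04") + END)

if __name__ == "__main__":
    print(analyze(SAMPLE_GOOD))
    print(analyze(SAMPLE_MISORDERED))                          # rejected under strict order
    print(analyze(SAMPLE_MISORDERED, strict_med_order=False))  # accepted, order flagged
```

Run as a script, the second frame is rejected in strict mode and accepted in relaxed mode, while its reserved-type TLV is counted as unrecognized in both cases, which is the distinction the two counters and the command draw.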
Chapter 68: LLDP and LLDP-MED Commands SHOW LLDP STATISTICS INTERFACE Syntax show lldp statistics interface [port] Parameters port Specifies a port. You can specify more than one port. Mode User Exec mode and Privileged Exec mode Description Use this command to display the LLDP statistics for the individual ports. Here is an example of the information. LLDP Packet and Event counters: Port 2.0.2 Frames: TLVs: Neighbors: Out ................... In .................... In Errored ............
Table 108. SHOW LLDP STATISTICS INTERFACE Command Statistic Description Frame In Dropped Number of LLDPDU frames the port received and discarded. TLVs Unrecognized Number of LLDP TLVs received that were not recognized because their TLV types were in the reserved range. TLVs Discarded Number of TLVs discarded by the port.
Chapter 68: LLDP and LLDP-MED Commands SHOW LOCATION Syntax show location civic-location|coord-location|elin-location [identifier id-number|interface port] Parameters id-number Specifies an ID number of a location entry. port Specifies a port. You can specify more than one port. Mode User Exec mode and Privileged Exec mode Description Use this command to display the civic, coordinate or ELIN location entries on the switch. Here is an example of a civic location entry.
AT-9000 Switch Command Line User’s Guide Examples The following example displays all the civic location entries on the switch: awplus# show location civic-location The following example displays only civic location entry 8: awplus# show location civic-location identifier 8 The following example displays the civic location entry assigned to port 13: awplus# show location civic-location interface port1.0.
Chapter 69 Address Resolution Protocol (ARP) This chapter contains the following topics: “Overview” on page 1112 “Adding Static ARP Entries” on page 1113 “Deleting Static and Dynamic ARP Entries” on page 1114 “Displaying the ARP Table” on page 1115
Chapter 69: Address Resolution Protocol (ARP) Overview The Address Resolution Protocol (ARP) associates an IPv4 address with the MAC address of the node that holds it. ARP learns these IPv4-to-MAC mappings and stores them in the ARP cache, which is kept in the RAM of the node. ARP replies carry no authentication, so the cache records whatever mapping the most recent reply claims; a mapping that must not change can be pinned with a static entry, as described in “Adding Static ARP Entries” on page 1113. When the node receives a packet from the Network layer, the node encapsulates the packet into a frame.
AT-9000 Switch Command Line User’s Guide Adding Static ARP Entries In most cases, the ARP table can be populated dynamically; however, the switch allows you to add an ARP entry to the ARP cache manually because there are cases in which you want to add static ARP entries. One case is when a node connected to the switch does not support ARP. The node does not reply to the ARP request that the switch broadcasts, and an ARP entry for the node cannot be created dynamically.
Chapter 69: Address Resolution Protocol (ARP) Deleting Static and Dynamic ARP Entries The ARP cache contains two types of ARP entries: dynamic and static. These types of ARP entries are deleted using different commands shown in Table 110. Table 110. Deleting ARP Entries To Do This Task Use This Command Delete dynamic ARP entries. CLEAR ARP-CACHE Delete static ARP entries. NO ARP (IP ADDRESS) The CLEAR ARP-CACHE command deletes all dynamic ARP entries at once.
AT-9000 Switch Command Line User’s Guide Displaying the ARP Table To display the ARP table on the switch, use the SHOW ARP command in the User Exec mode or the Privileged Exec mode. Here is the format of the command: awplus# show arp An example is shown in Figure 189. IP ARP ARP Cache Timeout ......... 300 seconds Total ARP Entries ......... 215 IP Address MAC Address Interface Port Type ----------------------------------------------------------------149.122.34.4 0006.5bb2.4421 vlan2 port1.0.
Chapter 70 Address Resolution Protocol (ARP) Commands The ARP commands are summarized in Table 111 and described in detail within the chapter. Table 111. ARP Commands Command Mode Description “ARP” on page 1118 Global Configuration Adds static ARP entries to the ARP cache. “CLEAR ARP-CACHE” on page 1120 User Exec and Privileged Exec Deletes all dynamic ARP entries from the ARP cache. “NO ARP (IP ADDRESS)” on page 1121 Global Configuration Deletes a static ARP entry from the ARP cache.
Chapter 70: Address Resolution Protocol (ARP) Commands ARP Syntax arp ipaddress macaddress port_number Parameters ipaddress Specifies the IP address of the host. macaddress Specifies the MAC address of the host. The MAC address must be entered in one of the following formats: xx:xx:xx:xx:xx:xx or zzzz.zzzz.zzzz port_number Specifies the port number associated with the IP address. Mode Global Configuration mode Description Use this command to add the static ARP entry of a host to the ARP cache.
AT-9000 Switch Command Line User’s Guide Example The following example creates an ARP entry for the IP address 192.168.1.3 and the MAC address 7a:54:2b:11:65:72 on port 25: awplus> enable awplus# configure terminal awplus(config)# arp 192.168.1.3 7a:54:2b:11:65:72 port1.0.
Chapter 70: Address Resolution Protocol (ARP) Commands CLEAR ARP-CACHE Syntax clear arp-cache Parameters None Modes User Exec mode and Privileged Exec mode Description Use this command to delete all dynamic ARP entries from the ARP cache on the switch.
AT-9000 Switch Command Line User’s Guide NO ARP (IP ADDRESS) Syntax no arp ipaddress Parameters ipaddress Specifies the IP address of a static ARP entry. Mode Global Configuration mode Description Use this command to delete a static ARP entry from the ARP cache. Static ARP entries do not expire, and you must remove them manually. This command can delete only one ARP entry at a time.
Chapter 70: Address Resolution Protocol (ARP) Commands SHOW ARP Syntax show arp Parameters None Modes User Exec mode and Privileged Exec mode Description Use this command to display the ARP entries in the ARP cache. Figure 190 is an example of the information displayed by this command. IP ARP ARP Cache Timeout ......... 300 seconds Total ARP Entries ......... 2 IP Address MAC Address Interface Port Type ----------------------------------------------------------------10.0.0.1 eccd.6d41.9e57 vlan1 port1.
AT-9000 Switch Command Line User’s Guide Table 112. SHOW ARP Command (Continued) Parameter Type Description Indicates the type of entry. The type is one of the following: Static: Static entry added with the ARP (IP ADDRESS MAC ADDRESS) command. Dynamic: Dynamic entry learned from ARP request/reply exchanges. Invalid: Possible nonexistent entry. Other: Entry automatically generated by the system.
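A practitioner reading the Type column usually wants to compare the live cache with what the network should look like. The following Python block is an added example, not Allied Telesis code: it parses SHOW ARP output in the layout Figure 190 shows (the sample text, including its port names, is constructed for the example) and reports three things: entries whose MAC address or port differ from a baseline of expected mappings (the hosts you would pin with static entries), one MAC address answering for more IP addresses than a configurable limit, and entries of Type Invalid. The baseline dictionary, the limit and the finding names are this example’s own. A router or proxy-ARP gateway legitimately answers for many addresses, so the second check is a prompt to look, not a verdict.

```python
# Added example, not Allied Telesis code: audit SHOW ARP output against a
# baseline of expected IP-to-MAC/port mappings. Sample output is constructed.
import re
from collections import defaultdict

ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                 r"\s+(\S+)\s+(\S+)\s+(Static|Dynamic|Invalid|Other)$")


def normalize_mac(mac: str) -> str:
    """Accept xx:xx:xx:xx:xx:xx or zzzz.zzzz.zzzz (both forms the ARP command
    takes) and return the dotted form SHOW ARP prints."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_show_arp(text: str) -> list:
    """Return one dict per table row; header, rule and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, mac, iface, port, typ = m.groups()
            entries.append({"ip": ip, "mac": mac, "interface": iface,
                            "port": port, "type": typ})
    return entries


def find_anomalies(entries: list, baseline: dict, max_ips_per_mac: int = 2) -> list:
    """baseline maps ip -> (mac, port) for hosts whose mapping must not move."""
    findings = []
    ips_by_mac = defaultdict(set)
    for e in entries:
        if e["type"] == "Invalid":
            findings.append(("invalid-entry", e["ip"]))
        expected = baseline.get(e["ip"])
        if expected and (e["mac"], e["port"]) != expected:
            findings.append(("baseline-mismatch",
                             f"{e['ip']} is {e['mac']} on {e['port']}, "
                             f"expected {expected[0]} on {expected[1]}"))
        if e["type"] == "Dynamic":
            ips_by_mac[e["mac"]].add(e["ip"])
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:   # routers do this legitimately: check, don't block
            findings.append(("mac-claims-many-ips", f"{mac}: {sorted(ips)}"))
    return findings


# Constructed SHOW ARP output in the layout of Figure 190.
SAMPLE_SHOW_ARP = """\
IP ARP
ARP Cache Timeout ......... 300 seconds
Total ARP Entries ......... 5

IP Address       MAC Address     Interface  Port        Type
----------------------------------------------------------------
192.168.1.1      0011.2233.4455  vlan1      port1.0.8   Dynamic
192.168.1.3      7a54.2b11.6572  vlan1      port1.0.25  Static
192.168.1.20     0011.2233.4455  vlan1      port1.0.8   Dynamic
192.168.1.21     0011.2233.4455  vlan1      port1.0.8   Dynamic
192.168.1.99     0000.0000.0000  vlan1      port1.0.3   Invalid
"""

# Constructed baseline: the gateway and the static host from the ARP example.
BASELINE = {
    "192.168.1.1": ("0006.5bb2.4421", "port1.0.1"),
    "192.168.1.3": (normalize_mac("7a:54:2b:11:65:72"), "port1.0.25"),
}


def audit(text: str = SAMPLE_SHOW_ARP, baseline: dict = BASELINE) -> list:
    """Parse the output and return the list of (kind, detail) findings."""
    return find_anomalies(parse_show_arp(text), baseline)


if __name__ == "__main__":
    for kind, detail in audit():
        print(f"{kind:22} {detail}")
```

On the constructed sample the audit reports the gateway address answered by an unexpected MAC on an unexpected port, the Invalid entry, and the one MAC that has collected three dynamic addresses; the Static entry matches its baseline and is silent.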
Chapter 71 RMON This chapter contains the following topics: “Overview” on page 1126 “RMON Port Statistics” on page 1127 “RMON Histories” on page 1129 “RMON Alarms” on page 1132
Chapter 71: RMON Overview The RMON (Remote MONitoring) MIB is used with SNMP applications to monitor the operations of network devices. The switch supports the four RMON MIB groups listed here: Statistics group. This group is used to view port statistics remotely with SNMP programs. For instructions, refer to “RMON Port Statistics” on page 1127. History group. This group is used to collect histories of port statistics to identify traffic trends or patterns.
AT-9000 Switch Command Line User’s Guide RMON Port Statistics To view port statistics using an SNMP program and the RMON section in the MIB, you must configure the switch to reserve areas of memory in which to store the statistics for remote viewing with your SNMP program. These areas of memory are referred to as statistics groups. The switch can have up to eight statistics groups, and each group can store the statistics of a single port.
Chapter 71: RMON awplus(config-if)# rmon collection stats 16 awplus(config-if)# exit awplus(config)# interface port1.0.20 awplus(config-if)# rmon collection stats 20 You can now use your SNMP program and the RMON section of the MIB tree to view the RMON statistics of the ports. This assumes, of course, that SNMP is activated and configured on the switch.
AT-9000 Switch Command Line User’s Guide RMON Histories RMON histories are snapshots of port statistics. They are taken by the switch at predefined intervals and can be used to identify trends or patterns in the numbers or types of ingress packets on the ports on the switch. The snapshots can be viewed with your SNMP program, in the history group of the RMON portion of the MIB tree. (Port histories cannot be viewed through the command line interface.
Chapter 71: RMON snapshot every minute for five minutes on a port, you specify five buckets (one bucket for each minute) and an interval of sixty seconds. After you enter the command, the switch checks its memory to determine whether it has sufficient memory resources to create the history group. If its memory resources are insufficient, it reduces the number of buckets to an amount that can be accommodated by the resources. If there are no available resources, the switch cancels the history group.
AT-9000 Switch Command Line User’s Guide Here is an example of the information. History Index = 7 Data source ifindex = 7 Buckets requested = 8 Buckets granted = 8 Interval = 1800 Owner Agent History Index = 23 Data source ifindex = 23 Buckets requested = 15 Buckets granted = 15 Interval = 3600 Owner Agent Figure 192. SHOW RMON HISTORY Command The fields are defined in Table 118 on page 1162.
Chapter 71: RMON RMON Alarms RMON alarms are used to generate alert messages when packet activity on designated ports rises above or falls below specified threshold values. The alert messages can take the form of messages that are entered in the event log on the switch or traps that are sent to SNMP programs. The switch supports up to eight alarms. Each RMON alarm can monitor one port and one RMON statistic. RMON alarms consist of two thresholds. There is a rising threshold and a falling threshold.
AT-9000 Switch Command Line User’s Guide The following sections explain how to create and manage the various elements of an alarm: “Creating RMON Statistics Groups” next “Creating RMON Events” on page 1133 “Creating RMON Alarms” on page 1134 “Creating an Alarm - Example 1” on page 1135 “Creating an Alarm - Example 2” on page 1137 Creating RMON Statistics Groups The port of an alarm must have an RMON statistics group.
The owner parameter is useful in situations where more than one person is managing the switch. You can use it to identify who created the event. This parameter is optional in all three commands.

Creating RMON Alarms

After you have added a statistics group to a port and created the event, you are ready to create the alarm with the RMON ALARM command, located in the Global Configuration mode. Here is the format of the command:

rmon alarm alarm_id oid.
The range is 1 to 65535 seconds. The DELTA and ABSOLUTE parameters define the type of change that has to occur for the monitored statistic to trigger the alarm. The DELTA setting compares a threshold against the difference between the current and previous values of the statistic, while the ABSOLUTE setting compares a threshold against the current value of the statistic.
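The DELTA/ABSOLUTE distinction and the pair of thresholds can be checked with a small simulator. The Python below is an added example, not Allied Telesis code: it parses the RMON ALARM command syntax given in this chapter and feeds the resulting alarm a constructed sequence of counter polls. The re-arm rule it applies (once a rising event fires, no further rising event is raised until the falling threshold is reached, and the reverse) is the standard RMON alarm behaviour from RFC 2819; that it matches the AT-9000 is an assumption, since this page only defines the two thresholds.

```python
"""Simulate RMON alarm evaluation for the RMON ALARM command syntax.

Added example, not Allied Telesis code. The rising/falling re-arm rule
is the standard RMON (RFC 2819) alarm behaviour and is assumed here to
match the switch; the page itself only defines the two thresholds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    alarm_id: int
    variable: str          # OID with stats_id suffix, e.g. 1.3.6.1.2.1.16.1.1.1.5.22
    interval: int          # polling interval in seconds (1 to 65535)
    sample_type: str       # "delta" or "absolute"
    rising_threshold: int
    rising_event: int
    falling_threshold: int
    falling_event: int
    owner: str = "Agent"   # default owner shown by SHOW RMON ALARM
    # evaluation state, reset by events_for()
    last_value: Optional[int] = field(default=None, repr=False)
    armed: str = field(default="both", repr=False)   # both | rising | falling

    def sample(self, counter: int) -> Optional[int]:
        """Feed one poll of the monitored counter and return the event ID
        to trigger, or None when no threshold is crossed."""
        if self.sample_type == "delta":
            if self.last_value is None:          # a delta needs two polls
                self.last_value = counter
                return None
            value, self.last_value = counter - self.last_value, counter
        else:
            value = counter                      # absolute: compare the value itself
        if value >= self.rising_threshold and self.armed in ("both", "rising"):
            self.armed = "falling"               # suppress repeats until a falling crossing
            return self.rising_event
        if value <= self.falling_threshold and self.armed in ("both", "falling"):
            self.armed = "rising"
            return self.falling_event
        return None


def alarm_from_command(line: str) -> RmonAlarm:
    """Parse 'rmon alarm alarm_id oid.stats_id interval N delta|absolute
    rising-threshold R event E1 falling-threshold F event E2 [owner O]'."""
    t = line.split()
    expected = {4: "interval", 7: "rising-threshold", 9: "event",
                11: "falling-threshold", 13: "event"}
    if len(t) < 15 or t[:2] != ["rmon", "alarm"] or \
            any(t[i] != kw for i, kw in expected.items()):
        raise ValueError(f"not an RMON ALARM command: {line}")
    if t[6] not in ("delta", "absolute"):
        raise ValueError("sample type must be delta or absolute")
    owner = t[16] if len(t) > 16 and t[15] == "owner" else "Agent"
    return RmonAlarm(int(t[2]), t[3], int(t[5]), t[6], int(t[8]), int(t[10]),
                     int(t[12]), int(t[14]), owner)


def events_for(alarm: RmonAlarm, polls: List[int]) -> List[Tuple[int, int]]:
    """Run the alarm over a list of polled counter values (one per interval)
    and return (poll_index, event_id) for every event the alarm would raise."""
    alarm.last_value, alarm.armed = None, "both"
    fired = []
    for i, counter in enumerate(polls):
        ev = alarm.sample(counter)
        if ev is not None:
            fired.append((i, ev))
    return fired


if __name__ == "__main__":
    # The alarm created in this chapter's first example: delta, 60 s interval,
    # rising 20000 / falling 1000, both wired to event 3.
    alarm = alarm_from_command(
        "rmon alarm 1 1.3.6.1.2.1.16.1.1.1.5.22 interval 60 delta "
        "rising-threshold 20000 event 3 falling-threshold 1000 event 3")
    # Constructed etherStatsPkts counter readings, one per 60 s poll.
    polls = [0, 5000, 30000, 60000, 60500, 90000]
    for idx, ev in events_for(alarm, polls):
        print(f"poll {idx}: event {ev}")
    # poll 2 fires (delta 25000 >= 20000); poll 3's delta of 30000 is
    # suppressed; poll 4 (delta 500) re-arms the alarm via the falling threshold.
```

The practical consequence for alert tuning is visible in the run: a DELTA alarm whose falling threshold is set close to its rising threshold re-arms on almost every interval and floods the event log or trap receiver, whereas a wide gap between the two thresholds yields one event per burst.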
The next series of steps creates the event, which enters a message in the event log whenever the thresholds are crossed:

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# rmon event 3 log description Enter_log_message
Create the event with the RMON EVENT LOG command.

awplus(config)# exit
Return to the Privileged Exec mode.

awplus# show rmon event
Use the SHOW RMON EVENT command to verify the configuration of the new event.
Here are the steps to creating the alarm:

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# rmon alarm 1 1.3.6.1.2.1.16.1.1.1.5.22 interval 60 delta rising-threshold 20000 event 3 falling-threshold 1000 event 3
Create the alarm with the RMON ALARM command.

awplus(config)# exit
Return to the Privileged Exec mode.

awplus# show rmon alarm
Use the SHOW RMON ALARM command to verify the configuration of the new alarm.
awplus(config)# snmp-server host 149.211.243.12 traps version 2c Station12ap
awplus(config)# snmp-server host 149.211.243.75 traps version 2c Station12ap
Add the IP addresses of the trap receivers to the community string with the SNMP-SERVER HOST command.

awplus(config)# exit
Return to the Privileged Exec mode.

awplus# show snmp-server
Verify that SNMP is enabled on the switch with the SHOW SNMP-SERVER command.
Phase 3: Creating the Event

The event in this example is to send an SNMP trap and to log a message in the event log. The event is assigned the ID number 2.

awplus# configure terminal
Enter the Global Configuration mode.

awplus(config)# rmon event 2 log trap Station12ap description trap_and_log_event
Create the event with the RMON EVENT LOG TRAP command. It is important to remember that the community string is case sensitive.
awplus# show rmon alarm
Use the SHOW RMON ALARM command to verify the new alarm.
Chapter 72 RMON Commands

The RMON commands are summarized in Table 114 and described in detail within the chapter.

Table 114. RMON Commands

Command | Mode | Description
“NO RMON ALARM” on page 1143 | Global Configuration | Deletes alarms from the switch.
“NO RMON COLLECTION HISTORY” on page 1144 | Port Interface | Deletes history groups from the ports on the switch.
“NO RMON COLLECTION STATS” on page 1145 | Port Interface | Deletes statistics groups from the ports on the switch.
Chapter 72: RMON Commands

Table 114. RMON Commands (Continued)

Command | Mode | Description
“SHOW RMON HISTORY” on page 1162 | Privileged Exec | Displays the RMON history groups that are assigned to the ports on the switch.
“SHOW RMON STATISTICS” on page 1164 | Privileged Exec | Displays the statistics groups that are assigned to the ports.
NO RMON ALARM

Syntax
no rmon alarm alarm_id

Parameters
alarm_id Specifies the ID number of the alarm you want to delete. You can delete only one alarm at a time. The range is 1 to 65535.

Mode
Global Configuration mode

Description
Use this command to delete alarms from the switch.
NO RMON COLLECTION HISTORY

Syntax
no rmon collection history collection_id

Parameters
collection_id Specifies the ID number of the history group you want to delete. You can delete only one group at a time. The range is 1 to 65535.

Mode
Port Interface mode

Description
Use this command to delete history groups from ports on the switch.
NO RMON COLLECTION STATS

Syntax
no rmon collection stats stats_id

Parameters
stats_id Specifies the ID number of the statistics group you want to delete. The range is 1 to 65535.

Mode
Port Interface mode

Description
Use this command to delete statistics groups from ports on the switch.
NO RMON EVENT

Syntax
no rmon event event_id

Parameters
event_id Specifies the ID number of the event you want to delete from the switch. You can delete only one event at a time. The range is 1 to 65535.

Mode
Global Configuration mode

Description
Use this command to delete events from the switch.
RMON ALARM

Syntax
rmon alarm alarm_id oid.stats_id interval interval delta|absolute rising-threshold rising-threshold event rising_event_id falling-threshold falling-threshold event falling_event_id [owner owner]

Parameters
alarm_id Specifies the ID number of a new alarm. The range is 1 to 65535.
oid Specifies the OID of the RMON statistic the alarm should monitor. You can specify just one statistic.
rising_event_id Specifies the ID number of the event the switch is to perform when the falling threshold is crossed. The event must already exist.
owner Specifies the owner of the alarm.

Mode
Global Configuration mode

Description
Use this command to create RMON alarms. RMON alarms monitor the values of SNMP objects and trigger events when the values of the monitored objects cross specified thresholds.
Table 115. MIB Object Names and ID Numbers (Continued)

MIB Name | OID Number
etherStatsMulticastPkts | 1.3.6.1.2.1.16.1.1.1.7.stats_id
etherStatsCRCAlignErrors | 1.3.6.1.2.1.16.1.1.1.8.stats_id
etherStatsUndersizePkts | 1.3.6.1.2.1.16.1.1.1.9.stats_id
etherStatsOversizePkts | 1.3.6.1.2.1.16.1.1.1.10.stats_id
etherStatsFragments | 1.3.6.1.2.1.16.1.1.1.11.stats_id
etherStatsJabbers | 1.3.6.1.2.1.16.1.1.1.12.stats_id
etherStatsCollisions | 1.3.6.1.2.1.16.1.1.1.13.
RMON COLLECTION HISTORY

Syntax
rmon collection history history_id [buckets buckets] [interval interval] [owner owner]

Parameters
history_id Specifies the ID number of a new history group. The range is 1 to 65535.
buckets Specifies the number of requested buckets to store snapshots. The range is 1 to 50 buckets.
interval Specifies the polling interval in seconds. The range is 1 to 3600 seconds.
owner Specifies an owner of up to 20 alphanumeric characters for the event.
RMON statistics histories are only viewable from an SNMP application program. There are no commands in the command line interface for viewing histories.

Confirmation Command
“SHOW RMON HISTORY” on page 1162

Examples
This example creates a history group that takes a snapshot of the RMON statistics on port 14 every fifteen minutes (900 seconds) for two hours. The group requires eight buckets because there are eight fifteen-minute intervals in two hours.
RMON COLLECTION STATS

Syntax
rmon collection stats stats_id [owner owner]

Parameters
stats_id Specifies the ID number of a new statistics group. The range is 1 to 65535.
owner Specifies an owner of up to 20 alphanumeric characters for the group. Spaces and special characters are not allowed.

Mode
Port Interface mode

Description
Use this command to create RMON statistics groups on the ports of the switch.
RMON EVENT LOG

Syntax
rmon event event_id log description description [owner owner]

Parameters
event_id Specifies the ID number of a new event. The range is 1 to 65535.
description Specifies a description of up to 20 alphanumeric characters for the event. Spaces and special characters are not allowed.
owner Specifies an owner of up to 20 alphanumeric characters for the event. Spaces and special characters are not allowed.
RMON EVENT LOG TRAP

Syntax
rmon event event_id log trap community_string [description description] [owner owner]

Parameters
event_id Specifies the ID number of a new event. The range is 1 to 65535.
community_string Specifies the community string assigned the IP addresses of the network devices that are to receive the trap. You can specify just one community string. The community string is case sensitive and must already exist on the switch.
Example
This example creates an event for RMON alarms with an ID of 2, a community string of “station43a,” a description of “broadcast_packets,” and an owner named “jones:”

awplus> enable
awplus# configure terminal
awplus(config)# rmon event 2 log trap station43a description broadcast_packets owner jones
RMON EVENT TRAP

Syntax
rmon event event_id trap community_string [description description] [owner owner]

Parameters
event_id Specifies the ID number of a new event. The range is 1 to 65535.
community_string Specifies the community string assigned the IP addresses of the network devices that are to receive the trap. You can specify just one community string. The community string is case sensitive and must already exist on the switch.
Example
The following example creates an event with an ID of 4, a community string of “st_west8,” and a description of “router_north:”

awplus> enable
awplus# configure terminal
awplus(config)# rmon event 4 trap st_west8 description router_north
SHOW RMON ALARM

Syntax
show rmon alarm

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the RMON alarms on the switch. Here is an example of the information.

Alarm Index = 2
Variable etherStatsBroadcastPkts.2
Interval 80
Alarm Type rising and falling
Rising Threshold = 1000 Event Index = 5
Falling Threshold = 100 Event Index = 5
Owner Agent

Alarm Index = 5
Variable etherStatsBroadcastPkts.
The fields are described in Table 116.

Table 116. SHOW RMON ALARM Command

Parameter | Description
Alarm Index | The ID number of the alarm.
Variable | The MIB object the alarm is monitoring, and the ID number of the statistics group used to monitor the port and MIB object.
Interval | The polling interval in seconds.
Alarm Type | The alarm type. This is always “rising and falling,” meaning the alarm has both a rising threshold and a falling threshold.
SHOW RMON EVENT

Syntax
show rmon event

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the RMON events on the switch. Here is an example of the information.

Event index = 2
Description: broadcast_packets
Event type: log & trap
Event community name: wkst12a
Last Time Sent = 0
Owner: Agent

Event index = 3
Description: port24_traffic
Event type: log
Event community name:
Last Time Sent = 0
Owner: Wilson

Figure 194.
Table 117. SHOW RMON EVENT Command (Continued)

Parameter | Description
Event type (continued) | Log & Trap - The event enters a message in the event log and sends an SNMP trap.
Event community name | The SNMP community string used to send SNMP traps.
Last Time Sent | The number of seconds the switch had been operating when it last sent the event trap.
Owner | The owner of the event. The owner is Agent if no owner was specified when the event was created.
SHOW RMON HISTORY

Syntax
show rmon history

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the history groups that are assigned to the ports on the switch. Here is an example of the information.
Table 118. SHOW RMON HISTORY Command (Continued)

Parameter | Description
Data source ifindex | The port of the history group.
Buckets requested | The number of buckets that were requested in the command that created the history group.
Buckets granted | The number of buckets allocated by the switch for the history group.
SHOW RMON STATISTICS

Syntax
show rmon statistics

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the RMON statistics groups on the switch ports. Here is an example of the command.

Stats Index = 5
Data source ifindex = 5
Owner Agent

Stats Index = 16
Data source ifindex = 16
Owner Agent

Figure 196. SHOW RMON STATISTICS Command

The fields are described in Table 119.

Table 119.
Chapter 73 Advanced Access Control Lists (ACLs)

This chapter describes the following topics:

“Overview” on page 1166
“Creating ACLs” on page 1169
“Assigning ACLs to Ports” on page 1184
“Removing ACLs from Ports” on page 1187
“Restricting Remote Access” on page 1189
“Unrestricting Remote Access” on page 1194
“Deleting Numbered IP and MAC Address ACLs” on page 1195
“Displaying the ACLs” on page 1196
Chapter 73: Advanced Access Control Lists (ACLs)

Overview

Access Control Lists (ACLs) act as filters to control the ingress packets on ports. They are commonly used to restrict the types of packets ports accept to increase port security and create physical links dedicated to carrying specific types of traffic. For instance, you can configure ACLs to permit ports to accept only ingress packets that have a specific source or destination IP address.
Actions

The action defines the response to packets that match the filtering criterion of the ACL. There are three possible actions:

Permit— A permit action instructs ports to forward ingress packets that match the specified traffic flow of the ACL. By default, all ingress packets are forwarded by the ports.
Deny— A deny action instructs ports to discard the specified ingress packets.
Guidelines

Here are the ACL guidelines:

An ACL can have a permit, deny, or copy-to-mirror action. The permit action allows ports to forward ingress packets of the designated traffic flow while the deny action causes ports to discard packets. The copy-to-mirror action causes a port to copy all ingress packets that match the ACL to the destination port of the mirror port.
A port can have more than one ACL.
Creating ACLs

This section provides examples of how to create all of the ACL types. See the following:

“Creating Numbered IPv4 ACLs” on page 1169
“Creating Numbered MAC ACLs” on page 1181

For descriptions of the commands mentioned in these procedures, refer to Chapter 74, “ACL Commands” on page 1199.

Creating Numbered IPv4 ACLs

Depending on the type of filter that you want to create, there are five commands for creating Numbered IPv4 ACLs.
Numbered IPv4 ACL with IP Packets Examples

This is the command format for creating ACLs that filter IP packets based on source and destination IPv4 addresses:

access-list id_number action ip src_ipaddress dst_ipaddress [vlan vid]

The ID_NUMBER parameter assigns the ACL a unique ID number in the range of 3000 to 3699. Within this range, you can number ACLs in any order.
host ipaddress— Matches packets with a specified IPv4 address and is an alternative to the IPADDRESS/MASK variable for addresses of end nodes. The HOST keyword indicates that the IPv4 address is assigned to a specific end node and that no mask is required.

The VLAN parameter determines if an ACL filters VLANs. You use the parameter to specify the VID. You can specify one VID per command. If you omit this parameter, the ACL applies to all traffic.
deny ACL for the denied traffic flow. This is illustrated in the example in Table 124 on page 1172 in which port 15 is configured to forward only ingress packets from the 149.55.65.0/24 subnet and to discard all other traffic. The permit ACL, which has the ID number 3015, specifies the packets from the permitted subnet, while the deny ACL, with the ID number 3011, specifies all traffic.
Note
The permit ACLs are added to the ports before the deny ACL to ensure that packets are compared against them first.

Table 125. Permit ACLs IPv4 Packets Example

Command | Description
awplus> enable | Enter the Privileged Executive mode from the User Executive mode.
awplus# configure terminal | Enter the Global Configuration mode.
awplus(config)# access-list 3021 permit ip 149.124.242.52/32 any | Create the three permit ACLs with the ACCESS-LIST command.
Here is an example of an ACL that filters tagged packets. See Table 126. It blocks all tagged packets with the VID 14 from ports 5 and 6. The ACL is assigned an ID number of 3122:

Table 126. ACL Filters Tagged IPv4 Packets Example

Command | Description
awplus> enable | Enter the Privileged Executive mode from the User Executive mode.
awplus# configure terminal | Enter the Global Configuration mode.
is only necessary when you want a port to forward a subset of packets that are otherwise discarded.
deny— Discards all ingress packets that match the ACL.
copy-to-mirror— Copies all ingress packets that match the ACL to the destination port of the mirror port. This action must be used together with the port mirror feature, explained in Chapter 21, “Port Mirror” on page 379.
Numbered IPv4 ACL with Protocol Packets Example

This is the command format for creating Numbered IPv4 ACLs that filter packets of the specified protocol based on source and destination IPv4 addresses:

access-list id_number action proto protocol_number src_ipaddress dst_ipaddress [vlan vid]

The ID_NUMBER parameter assigns the ACL a unique ID number in the range of 3000 to 3699. Within this range, you can number ACLs in any order.
The VLAN parameter determines if an ACL filters VLANs. You use the parameter to specify the VID. You can specify one VID per command. If you omit this parameter, the ACL applies to all traffic. In other words, no filtering is done by the ACL based on the VLAN.

This example creates a deny access list to ports 5 and 6 so that they discard all tagged ingress packets that contain protocol 17, a VID of 12, and originate from the 152.12.45.0 subnet.
The SRC_IPADDRESS and DST_IPADDRESS parameters specify the source and destination IPv4 addresses. Choose from the following options:

any— Matches any IPv4 address.
ipaddress/mask— Matches packets that have an IPv4 address of a subnet or an end node. The mask is a decimal number that represents the number of bits in the address, from left to right, that constitute the network portion of the address. For example, the subnet address 149.11.11.
The following example configures two Numbered IPv4 ACLs. ACL 3017 permits packets from TCP port 67 to 87 on IPv4 addresses 154.11.234.0/24 to 154.11.235.0/24. ACL 3005 denies packets from TCP ports 67 through 87 to any IPv4 address. This example requires a permit ACL because the permitted traffic is a subset of all TCP packets on the port:

Table 129.
together with the port mirror feature, explained in Chapter 21, “Port Mirror” on page 379.

The SRC_IPADDRESS and DST_IPADDRESS parameters specify the source and destination IPv4 addresses. Choose from the following options:

any— Matches any IPv4 address.
ipaddress/mask— Matches packets that have an IPv4 address of a subnet or an end node.
The VLAN parameter determines if an ACL filters VLANs. You use the parameter to specify the VID. You can specify one VID per command. If you omit this parameter, the ACL applies to all traffic. In other words, no filtering is done by the ACL based on the VLAN.

The following example configures two ACLs.
copy-to-mirror— Copies all ingress packets that match the ACL to the destination port of the mirror port. This action must be used together with the port mirror feature, explained in Chapter 21, “Port Mirror” on page 379.

The src_mac_address parameter specifies the source MAC address of the ingress packets. Here are the possible options:

src_mac_address— Specifies the source MAC address of the packets.
The example in Table 131 configures port 19 to reject packets containing destination MAC addresses starting with A4:54:86:12:

Table 131. Numbered MAC ACL Example

Command | Description
awplus> enable | Enter the Privileged Executive mode from the User Executive mode.
awplus# configure terminal | Enter the Global Configuration mode.
Assigning ACLs to Ports

Before you can assign an ACL to a port, you must first create an ACL. The command that you use to assign an ACL to a port depends on which type of ACL you have created.
In this example, ports 12 and 13 are assigned an ACL, ID number 3075, that blocks all untagged ingress packets with a destination address in the 149.107.22.0 subnet. See Table 132.

Table 132. Assigning Numbered IPv4 ACLs

Command | Description
awplus> enable | Enter the Privileged Executive mode from the User Executive mode.
awplus# configure terminal | Enter the Global Configuration mode.
awplus(config)# access-list 3075 deny ip any 149.107.22.
Table 133. Assigning MAC Address ACLs Example (Continued)

Command | Description
awplus(config)# interface port1.0.7 | Move to the Port Interface mode for port 7.
awplus(config_if)# mac access-group 4025 | Apply the ACL to the port with the MAC ACCESS-GROUP command.
awplus(config_if)# mac access-group 4055 | Apply the ACL to the port with the MAC ACCESS-GROUP command.
Removing ACLs from Ports

The command that you use to remove an ACL from a port depends on which type of ACL you have created. See the following sections:

“Removing Numbered IPv4 ACLs” on page 1187
“Removing MAC Address ACLs” on page 1187

Removing Numbered IPv4 ACLs

To remove Numbered IPv4 ACLs from ports so that the ports stop filtering traffic, use the NO ACCESS-GROUP command in the Port Interface mode.
This example removes a MAC ACL with an ID number of 4037 from port 5:

Table 135. Removing MAC Address ACLs Example

Command | Description
awplus> enable | Enter the Privileged Executive mode from the User Executive mode.
awplus# configure terminal | Enter the Global Configuration mode.
awplus(config)# interface port1.0.5 | Enter the Port Interface mode for port 5.
awplus(config_if)# no mac access-group 4037 | Remove MAC ACL 4037 from port 5.
Restricting Remote Access

You can access the switch remotely through the VTY lines. Unrestricted remote access is available through Telnet and the Web interfaces as well as through the SNMP and SSH protocols by default. The ACCESS-LIST command allows you to control remote access to the switch through VTY lines. First you create an ACL and then you use the ACCESS-LIST command to make the assignment to the VTY lines.
Table 136. Assigning Numbered IP ACLs to VTY Lines Example (Continued)

Command | Description
awplus(config)# access-list 3000 permit ip host 10.0.0.3 host 10.0.0.20 | Creates an ACL with an ID number of 3000 that allows IP address 10.0.0.3 full access to the switch.
awplus(config)# access-list 3001 deny ip any host 10.0.0.20 | Creates an ACL with an ID number of 3001 that denies all IP addresses access to the switch.
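Both the port-filtering examples earlier in this chapter (port 15 forwarding only 149.55.65.0/24, with the note that permit ACLs must be assigned before the deny ACL) and the VTY restriction just above rest on the same first-match rule, and a small evaluator makes the ordering dependency concrete. The Python below is an added example, not Allied Telesis code. It parses the ACCESS-LIST IP syntax from this chapter and walks the ACLs in assignment order. Two points are assumptions rather than statements from this page: a packet that matches no ACL is forwarded (the Overview says all ingress packets are forwarded by default), and an ACL without a VLAN parameter applies to tagged and untagged traffic alike, as the IPv4 ACL section says. The `access-list 3122 ... vlan 14` command is constructed from the prose description of Table 126, since the page shows only its first rows.

```python
"""First-match evaluation of Numbered IPv4 ACLs assigned to a port or VTY line.

Added example, not Allied Telesis code. ACLs are applied in assignment
order, which this chapter's note says is the order packets are compared
against them. Assumed: no match means forward (default behaviour per the
Overview); an ACL without VLAN applies to all traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Acl:
    acl_id: int
    action: str            # permit | deny | copy-to-mirror
    src: str               # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    vid: Optional[int]     # VLAN ID the ACL is limited to, None for all traffic


def parse_access_list(line: str) -> Acl:
    """Parse 'access-list id_number action ip src dst [vlan vid]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"not an ACCESS-LIST IP command: {line}")
    acl_id, action = int(t[1]), t[2]
    if not 3000 <= acl_id <= 3699:
        raise ValueError("Numbered IPv4 ACL IDs range from 3000 to 3699")
    if action not in ("permit", "deny", "copy-to-mirror"):
        raise ValueError(f"unknown action {action}")
    i = 4
    specs = []
    for _ in range(2):                 # source spec, then destination spec
        if t[i] == "host":             # 'host A.B.C.D' is two tokens
            specs.append(f"host {t[i + 1]}")
            i += 2
        else:
            specs.append(t[i])         # 'any' or 'A.B.C.D/len'
            i += 1
    vid = int(t[i + 1]) if len(t) > i + 1 and t[i] == "vlan" else None
    return Acl(acl_id, action, specs[0], specs[1], vid)


def _addr_match(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == ipaddress.ip_address(spec.split()[1])
    # the mask is a prefix length: the leading bits that form the network part
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(assigned: List[Acl], src: str, dst: str,
             vid: Optional[int] = None) -> str:
    """Return the action applied to one ingress packet. ACLs are tested in
    the order they were assigned and the first match decides; with no
    match the packet is forwarded (assumed default)."""
    for acl in assigned:
        if acl.vid is not None and acl.vid != vid:
            continue                   # VLAN-specific ACL, packet is another VID or untagged
        if _addr_match(acl.src, src) and _addr_match(acl.dst, dst):
            return acl.action
    return "permit"


if __name__ == "__main__":
    # Port 15 from this chapter: forward only the 149.55.65.0/24 subnet.
    permit = parse_access_list("access-list 3015 permit ip 149.55.65.0/24 any")
    deny = parse_access_list("access-list 3011 deny ip any any")
    print(evaluate([permit, deny], "149.55.65.7", "10.1.1.1"))   # permit
    print(evaluate([permit, deny], "149.55.66.7", "10.1.1.1"))   # deny
    # Assigning the deny ACL first shadows the permit: everything is dropped.
    print(evaluate([deny, permit], "149.55.65.7", "10.1.1.1"))   # deny
    # VTY restriction from Table 136: only 10.0.0.3 may reach 10.0.0.20.
    vty = [parse_access_list("access-list 3000 permit ip host 10.0.0.3 host 10.0.0.20"),
           parse_access_list("access-list 3001 deny ip any host 10.0.0.20")]
    print(evaluate(vty, "10.0.0.9", "10.0.0.20"))                # deny
```

The third call is the failure mode the chapter's note warns about: with the catch-all deny assigned first, the permit ACL is never reached, and the port (or management line) drops the traffic it was meant to allow. The same shadowing is worth checking with SHOW INTERFACE ACCESS-GROUP after any change to a port's ACL list.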
Table 137. Assigning MAC ACLs to VTY Lines Example (Continued)

Command | Description
awplus(config)# mac access-list 4000 permit ip host 10.0.0.5 host 10.0.0.20 | Creates an ACL with an ID number of 4000 that allows IP address 10.0.0.5 full access to the switch.
awplus(config)# mac access-list 4001 deny ip any host 10.0.0.20 | Creates an ACL with an ID number of 4001 that denies all IP addresses access to the switch.
Table 138. Assigning Named IPv4 ACLs to VTY Lines Example (Continued)

Command | Description
awplus(config_if)# ip address 10.0.0.20/24 | Assign VLAN 10 an IP address and subnet mask of 10.0.0.20/24.
awplus(config_if)# q | Quit the Port Interface mode.
awplus(config)# ip access-list deny-all-but-one | Creates a Named IPv4 ACL called “deny-all-but-one” and enters the IP ACL command mode.
awplus(config-ip-acl)# permit ip host 10.0.0.7 host 10.0.0.
Table 139. Assigning Named IPv4 ACLs to VTY Lines Example (Continued)

Command | Description
awplus(config)# ipv6 access-list deny-all-but-one | Creates a Named IPv6 ACL called “deny-all-but-one-ipv6” and enters the Configuration IPv6 ACL command mode.
awplus(config-ipv6-acl)# permit ip host 2001:0db8::a2/64 host 2001:0db8::a5/64 | Allows IPv6 address and subnet mask 2001:0db8::a2/64 full access to the switch.
Unrestricting Remote Access

To restore unrestricted remote access to VTY lines through the Telnet and Web GUI interfaces as well as through SSH and SNMP protocols, use the NO ACCESS-LIST command. In the following example, Numbered IP ACLs 3000 and 3001 are removed from VTY Lines 0 through 9. See Table 140.

Table 140.
Deleting Numbered IP and MAC Address ACLs

The NO ACCESS-LIST command in the Global Configuration mode is the command that deletes Numbered IP and MAC Address ACLs from the switch. It has the following format:

no access-list id_number

You can delete one ACL at a time with this command. Before you can delete ACLs that are assigned to ports, you must remove them from their port assignments.
Displaying the ACLs

There are several ways of displaying information about ACLs on the switch. You can use one command to display a list of the Numbered IP ACLs. In addition, you can display the port assignments of all the ACLs and the ACLs assigned to VTY lines.
awplus# show interface port1.0.1-port1.0.5 access-group

Interface port1.0.1
  access-group 3010
  access-group 3002
Interface port1.0.2
  access-group 3025

Figure 198. SHOW INTERFACE ACCESS-GROUP Command

Displaying ACLs Assigned to VTY Lines

Use the SHOW RUNNING-CONFIG command to display the ACLs assigned to VTY lines. Here is the format of the command:

awplus# show running-config

See Figure 199 for an example of the display that pertains to ACLs assigned to VTY lines.
Chapter 74 ACL Commands

The Access Control List (ACL) commands are summarized in Table 143 and described in detail within the chapter.

Table 143. Access Control List Commands

Command | Mode | Description
“ACCESS-CLASS” on page 1201 | Virtual Terminal Line mode | Assigns an ACL to a VTY line.
“ACCESS-GROUP” on page 1203 | Port Interface | Adds IP ACLs to ports.
“ACCESS-LIST (MAC Address)” on page 1205 | Global Configuration | Creates ACLs that identify packets based on source and destination MAC addresses.
Chapter 74: ACL Commands

Table 143. Access Control List Commands (Continued)

Command | Mode | Description
“NO MAC ACCESS-GROUP” on page 1231 | Port Interface | Removes MAC address ACLs from ports on the switch.
“SHOW ACCESS-LIST” on page 1232 | Privileged Exec | Displays the ACLs on the switch.
“SHOW INTERFACE ACCESS-GROUP” on page 1234 | Privileged Exec | Displays the port assignments of the ACLs.
ACCESS-CLASS

Syntax
access-class <3000 - 3699>|<4000 - 4699>

Parameters
3000 - 3699 Specifies the ID number of the access control list. The range is 3000 to 3699.
4000 - 4699 Specifies the ID number of the MAC access control list. The range is 4000 to 4699.

Mode
Virtual Terminal Line mode

Description
Use this command to assign an Access Control List to a VTY. This is done to restrict the remote access of the switch via Telnet, Web, SNMP, or SSH access.
Example
This example assigns the switch an IP address of 10.0.0.20/24. It creates a Numbered ACL with an ID of 3022 that allows IP address 10.0.0.3 full access to the switch. Then it creates an ACL with an ID number of 3025 that denies all IP addresses access to the switch. It assigns ACL 3022 to VTY lines 0 through 9. Finally, ACL 3025 is assigned to VTY lines 0 through 9. The result is that IP address 10.0.0.3 has full remote access to the switch.
ACCESS-GROUP

Syntax
access-group id_number

Parameters
id_number Specifies the ID number of an access control list you want to add to a port. The range is 3000 to 3699. You can add one ACL to a port at a time with this command.

Mode
Port Interface mode

Description
Use this command to add IP ACLs to ports on the switch. Ports begin to filter packets as soon as they are assigned ACLs.
Examples
This example adds an IP ACL with an ID of 3022 to port 15:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.15
awplus(config-if)# access-group 3022

This example removes an IP ACL with an ID of 3001 from port 7:

awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
ACCESS-LIST (MAC Address)

Syntax
access-list id_number action src_mac_address|any src_mac_mask dst_mac_address|any dst_mac_mask

Parameters
id_number Specifies the ID number for the new ACL. The range is from 4000 to 4699.
action Specifies the action of the ACL. Here are the possible actions:
permit: Forwards all ingress packets that match the ACL.
deny: Discards all ingress packets that match the ACL.
dst_mac_address Specifies the destination MAC address of the ingress packets. Choose from the following options:
dst_mac_address: Specifies the destination MAC address of the packets. The address must be entered in hexadecimal in one of the following formats: xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx
any: Matches any destination MAC address.
dst_mac_mask Specifies the destination MAC address mask. The mask must be entered in one of the following formats: xx:xx:xx:xx:xx:xx or xxxx.xxxx.
awplus(config_if)# mac access-group 4002
awplus(config_if)# mac access-group 4003
awplus(config_if)# mac access-group 4011
awplus(config_if)# end
awplus# show access-list
awplus# show interface port1.0.
ACCESS-LIST ICMP

Syntax
access-list id_number action icmp src_ipaddress dst_ipaddress [vlan vid]

Parameters
id_number Specifies an ID number for a new ACL. The range is 3000 to 3699. Each access list on the switch must have a unique ID number.
action Specifies the action of the ACL. Here are the possible actions:
permit: Forwards all ingress packets that match the ACL.
deny: Discards all ingress packets that match the ACL.
ipaddress/mask: Matches packets that have a destination IP address of a specific subnet or end node.
host ipaddress: Matches packets with a destination IP address of a specific end node. The HOST keyword indicates that the address is of a specific end node and that no mask is required.
vlan Indicates a VLAN identifier. Specify a VLAN if you want the ACL to filter tagged packets. Omit a VLAN if you want the ACL to filter untagged packets.
This example adds a deny access list to ports 4 and 5 to discard all untagged ingress packets that are ICMP, from the 152.12.45.0 subnet. The access list is assigned the ID number 3094:

awplus> enable
awplus# configure terminal
awplus(config)# access-list 3094 deny icmp 152.12.45.0/24 any
awplus(config)# interface port1.0.4,port1.0.5
awplus(config_if)# access-group 3094
awplus(config_if)# end
awplus# show access-list
awplus# show interface port1.0.4,port1.0.
ACCESS-LIST IP
Syntax
access-list id_number action ip src_ipaddress dst_ipaddress [vlan vid]
Parameters
id_number Specifies the ID number for a new ACL. The range is 3000 to 3699.
action Specifies the action of the access list. Here are the possible actions:
permit: Forwards all ingress packets that match the ACL.
deny: Discards all ingress packets that match the ACL.
dst_ipaddress Specifies the destination IP address of the ingress packets the access list should filter. Here are the possible options:
any: Matches any IP address.
ipaddress/mask: Matches packets that have a destination IP address of a specific subnet or end node.
host ipaddress: Matches packets with a destination IP address of a specific end node. The HOST keyword indicates that the address is of a specific end node and that no mask is required.
vlan Indicates a VLAN identifier.
This example creates a deny access list, ID number 3095, that discards all untagged ingress packets that have destination addresses in the 149.112.2.0 subnet, on ports 11 to 13:
awplus> enable
awplus# configure terminal
awplus(config)# access-list 3095 deny ip any 149.112.2.0/24
awplus(config)# interface port1.0.11-port1.0.13
awplus(config_if)# access-group 3095
awplus(config_if)# end
awplus# show access-list
awplus# show interface port1.0.11-port1.0.
This example configures ports 22 and 23 to accept only untagged ingress packets containing destination addresses in the 149.124.47.0 subnet. Both a permit ACL and a deny ACL are needed because the permitted traffic is a subset of all traffic on the ports: the permit ACL, ID number 3011, matches the 149.124.47.0 subnet, and the deny ACL, ID number 3012, matches all traffic.
ACCESS-LIST PROTO
Syntax
access-list id_number action proto protocol_number src_ipaddress dst_ipaddress [vlan vid]
Parameters
id_number Specifies an ID number for a new ACL. The range is 3000 to 3699. Each access list on the switch must have a unique ID number.
action Specifies the action of the ACL. Choose from the possible actions:
permit: Forwards all ingress packets that match the ACL.
deny: Discards all ingress packets that match the ACL.
dst_ipaddress Specifies the destination IP address of the ingress packets the access list should filter. Choose one of the following:
any: Matches any IP address.
ipaddress/mask: Matches packets that have a destination IP address of a specific subnet or end node.
host ipaddress: Matches packets with a destination IP address of a specific end node. The HOST keyword indicates that the address is of a specific end node and that no mask is required.
vlan Indicates a VLAN identifier.
Table 144. Protocol Numbers
Table 144. Protocol Numbers (Continued)
Number | Description
134 | RSVP-E2E-IGNORE / RFC3175
135 | Mobility Header / RFC3775
136 | UDPLite / RFC3828
137 | MPLS-in-IP / RFC4023
138 | MANET Protocols / RFC-ietf-manet-iana07.
awplus(config_if)# access-group 3011
awplus(config_if)# end
awplus# show access-list
awplus# show interface port1.0.5,port1.0.6 access-group
This example configures port 18 to accept only untagged packets that come from the 167.75.89.0 network and carry IP protocol number 54.
ACCESS-LIST TCP
Syntax
access-list id_number action tcp src_ipaddress eq|lt|gt|ne|range src_tcp_port dst_ipaddress eq|lt|gt|ne|range dst_tcp_port [vlan vid]
Parameters
id_number Specifies an ID number for a new ACL. The range is 3000 to 3699.
action Specifies the action of the ACL. Choose one of the following:
permit: Forwards all ingress packets that match the ACL.
deny: Discards all ingress packets that match the ACL.
lt Matches packets whose TCP port number is less than the number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter.
gt Matches packets whose TCP port number is greater than the number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter.
ne Matches packets whose TCP port number is not equal to the number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter.
range Matches packets with TCP port numbers within the range. Separate the two numbers of the range by a space.
Mode
Global Configuration mode
Description
Use this command to create access control lists that filter ingress packets based on TCP port numbers.
This example creates an ACL that causes port 14 to discard all tagged ingress TCP packets with the VID 27, regardless of their source or destination TCP port numbers. The list is assigned the ID number 3255:
awplus> enable
awplus# configure terminal
awplus(config)# access-list 3255 deny tcp any any vlan 27
awplus(config)# interface port1.0.
ACCESS-LIST UDP
Syntax
access-list id_number action udp src_ipaddress eq|lt|gt|ne|range src_udp_port dst_ipaddress eq|lt|gt|ne|range dst_udp_port [vlan vid]
Parameters
id_number Specifies an ID number for a new ACL. The range is 3000 to 3699.
action Specifies the action of the ACL. Choose one of the following:
permit: Forwards all ingress packets that match the ACL.
deny: Discards all ingress packets that match the ACL.
lt Matches packets whose UDP port number is less than the number specified by the SRC_UDP_PORT or DST_UDP_PORT parameter.
gt Matches packets whose UDP port number is greater than the number specified by the SRC_UDP_PORT or DST_UDP_PORT parameter.
ne Matches packets whose UDP port number is not equal to the number specified by the SRC_UDP_PORT or DST_UDP_PORT parameter.
range Matches packets with UDP port numbers within the range. Separate the two numbers of the range by a space.
Mode
Global Configuration mode
Description
Use this command to create access control lists that filter ingress packets based on UDP port numbers.
This example defines an ACL that causes port 18 to discard all ingress UDP packets that have source and destination UDP port numbers in the range of 12 to 100 and that are going to the 149.123.159.0 subnet. The VLAN parameter is also included, so the ACL applies only to tagged packets that belong to VLAN 7 (an ACL without the VLAN parameter filters only untagged packets). The list is assigned the ID number 3078:
awplus> enable
awplus# configure terminal
awplus(config)# access-list 3078 deny udp any range 12 100 149.123.159.
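The five access-list forms above (ICMP, IP, PROTO, TCP and UDP) share one matching model: address fields are any, host or prefix/mask, TCP and UDP ports take an eq, lt, gt, ne or range operator, and the optional VLAN parameter decides whether the ACL sees tagged or untagged packets. The following Python script is an added example, not code from Allied Telesis or this guide: it parses the command syntax as documented here and evaluates constructed packets against a port's ACLs. The evaluation order in port_decision (permit entries before deny entries, unmatched traffic forwarded) is an assumption chosen so that the permit-subset/deny-all pairing shown for ports 22 and 23 behaves as described; the switch's real precedence rule is not stated on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers behind the command's protocol keywords (IANA assignments).
PROTO_KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17}
PORT_OPS = ("eq", "lt", "gt", "ne", "range")


@dataclass
class Packet:
    """Constructed ingress packet: only the header fields the ACLs inspect."""
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    vid: Optional[int] = None          # None means the frame is untagged


@dataclass
class Acl:
    acl_id: int
    action: str                        # "permit" or "deny"
    protocol: Optional[int]            # None for the "ip" form (any IP protocol)
    src: Optional[ipaddress.IPv4Network]        # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    src_port: Optional[Tuple[str, List[int]]]   # (operator, operands) or None
    dst_port: Optional[Tuple[str, List[int]]]
    vid: Optional[int]                 # None: the ACL filters untagged packets only


def _parse_addr(tokens):
    """any | host A.B.C.D | A.B.C.D/len  ->  (network or None, remaining tokens)"""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(tokens[0], strict=False), tokens[1:]


def _parse_port(tokens):
    """Optional eq|lt|gt|ne N or range N M  ->  (spec or None, remaining tokens)"""
    if not tokens or tokens[0] not in PORT_OPS:
        return None, tokens
    if tokens[0] == "range":
        return ("range", [int(tokens[1]), int(tokens[2])]), tokens[3:]
    return (tokens[0], [int(tokens[1])]), tokens[2:]


def parse_acl(line: str) -> Acl:
    """Parse one access-list command (ICMP, IP, PROTO, TCP or UDP form)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not a valid access-list command: " + line)
    acl_id, action = int(t[1]), t[2]
    if t[3] == "proto":
        protocol, rest = int(t[4]), t[5:]
    elif t[3] == "ip":
        protocol, rest = None, t[4:]
    else:
        protocol, rest = PROTO_KEYWORDS[t[3]], t[4:]
    has_ports = protocol in (6, 17)     # only the TCP and UDP forms carry port operators
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest) if has_ports else (None, rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest) if has_ports else (None, rest)
    vid = None
    if rest:
        if rest[0] != "vlan" or len(rest) != 2:
            raise ValueError("unexpected trailing tokens: " + " ".join(rest))
        vid = int(rest[1])
    return Acl(acl_id, action, protocol, src, dst, sport, dport, vid)


def _port_ok(spec, port) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    op, v = spec
    return {"eq": port == v[0], "lt": port < v[0], "gt": port > v[0],
            "ne": port != v[0], "range": v[0] <= port <= v[1]}[op]


def matches(acl: Acl, pkt: Packet) -> bool:
    """True when the packet is one the ACL filters. VLAN rule from the guide:
    a VID makes the ACL match only tagged packets with that VID; no VID makes
    it match only untagged packets."""
    if acl.vid != pkt.vid:
        return False
    if acl.protocol is not None and acl.protocol != pkt.protocol:
        return False
    if acl.src is not None and ipaddress.IPv4Address(pkt.src) not in acl.src:
        return False
    if acl.dst is not None and ipaddress.IPv4Address(pkt.dst) not in acl.dst:
        return False
    return _port_ok(acl.src_port, pkt.src_port) and _port_ok(acl.dst_port, pkt.dst_port)


def port_decision(acls: List[Acl], pkt: Packet) -> str:
    """Forwarding decision for a port carrying these ACLs.
    ASSUMPTION (not stated on the page): permit ACLs are checked before deny
    ACLs, lowest ID first within each group, and an unmatched packet is
    forwarded. The guide's permit-subset plus deny-all pairing works that way."""
    for acl in sorted(acls, key=lambda a: (a.action != "permit", a.acl_id)):
        if matches(acl, pkt):
            return acl.action
    return "permit"


if __name__ == "__main__":
    # The guide's ports 22/23 example: permit one subnet, deny everything else.
    rules = [parse_acl("access-list 3011 permit ip any 149.124.47.0/24"),
             parse_acl("access-list 3012 deny ip any any")]
    for pkt in (Packet("10.1.1.1", "149.124.47.9", 6, 40000, 443),
                Packet("10.1.1.1", "10.9.9.9", 6, 40000, 443)):
        print(pkt.dst, "->", port_decision(rules, pkt))
```

Feeding the script the tagged-VLAN UDP example above shows why the VLAN parameter matters: the same packet matches only when it carries VID 7, and an untagged copy passes the ACL untouched.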
MAC ACCESS-GROUP
Syntax
mac access-group id_number
Parameters
id_number Specifies the ID number of a MAC address access control list you want to add to a port. The range is 4000 to 4699.
Mode
Port Interface mode
Description
Use this command to add MAC address ACLs to ports on the switch. Ports begin to filter packets as soon as they are assigned ACLs. You can add one ACL to a port at a time with this command.
NO ACCESS-LIST
Syntax
no access-list id_number
Parameters
id_number Specifies the ID number of an access list you want to delete from the switch. You can delete one access list at a time with this command.
Mode
Global Configuration mode
Description
Use this command to delete ACLs from the switch. ACLs must first be removed from their port assignments before they can be deleted.
NO ACCESS-GROUP
Syntax
no access-group id_number
Parameters
id_number Specifies the ID number of an access list. The range is 3000 to 3699. You can remove one ACL from a port at a time with this command.
Mode
Port Interface mode
Description
Use this command to remove ACLs from ports on the switch. This command works for all ACLs, except for MAC address ACLs, which are removed with “NO MAC ACCESS-GROUP” on page 1231.
NO MAC ACCESS-GROUP
Syntax
no mac access-group id_number
Parameters
id_number Specifies the ID number of a MAC address access list to be removed from a port. The range is 4000 to 4699. You can remove one ACL from a port at a time with this command.
Mode
Port Interface mode
Description
Use this command to remove MAC address ACLs from ports on the switch.
SHOW ACCESS-LIST
Syntax
show access-list [<3000-3699>|<4000-4699>|list-name]
Parameters
<3000-3699> Indicates a Numbered IP ACL.
<4000-4699> Indicates a MAC ACL.
list-name Indicates a Named IP ACL.
Mode
Privileged Exec mode
Description
Use this command to display the configurations of the Numbered IPv4, MAC, and Named IPv4 ACLs on the switch. If you do not specify an option, all three ACL types are displayed.
Example
This example displays Numbered IP, MAC, and Named IP ACLs:
awplus# show access-list
IP access-list 3104 deny 149.87.201.1 mask 255.255.255.0 any
MAC access-list 4400 permit any any
IP access-list icmppermit ICMP permit any any time-range daily
IP access-list denytcp TCP deny 149.55.65.0 mask 255.255.255.0 any time-range NONE
Total number of access-lists= 4
Figure 200.
SHOW INTERFACE ACCESS-GROUP
Syntax
show interface port access-group
Parameters
port Specifies a port number. You can specify more than one port at a time.
Mode
Privileged Exec mode
Description
Use this command to display the port assignments of the ACLs. Here is an example of the information.
Interface port1.0.18
access-group 3022
access-group 3022
Interface port1.0.19
access-group 3228
Figure 201.
Chapter 75 Quality of Service (QOS) Commands
The Quality of Service (QoS) commands are summarized in Table 145.
Table 145. Quality of Service Commands
Command | Mode | Description
“MLS QOS ENABLE” on page 1237 | Global Configuration | Activates QoS on the switch.
“MLS QOS MAP COS-QUEUE” on page 1238 | Port Interface | Maps CoS priorities to port egress queues.
“MLS QOS MAP DSCP-QUEUE” on page 1240 | Port Interface | Maps DSCP priorities to port egress queues.
Table 145. Quality of Service Commands (Continued)
Command | Mode | Description
“SHOW MLS QOS MAPS COS-QUEUE” on page 1252 | Privileged Exec | Displays the mappings of CoS priority values to egress queues.
“SHOW MLS QOS MAPS DSCP-QUEUE” on page 1253 | Privileged Exec | Displays the mappings of DSCP priority values to port egress queues.
“WRR-QUEUE WEIGHT” on page 1255 | Global Configuration | Sets the QoS scheduling method to weighted round robin.
MLS QOS ENABLE
Syntax
mls qos enable
Parameters
None.
Mode
Global Configuration mode
Description
Use this command to activate QoS on the switch so that ingress packets are stored in egress queues according to their CoS or DSCP values.
MLS QOS MAP COS-QUEUE
Syntax
mls qos map cos-queue cos_priority to egress_queue
Parameters
cos_priority Specifies a Class of Service (CoS) priority level of 0, lowest priority, through 7, highest priority. An egress queue can have more than one priority level, but you can specify just one priority level at a time with this command.
egress_queue Specifies an egress queue number of 0 through 7. The lowest priority queue is 0 and the highest queue is 7.
awplus(config-if)# mls qos trust cos
awplus(config-if)# mls qos map cos-queue 1 to 5
awplus(config-if)# mls qos map cos-queue 2 to 5
awplus(config-if)# mls qos map cos-queue 3 to 6
This example restores the default mappings of the CoS priorities to the egress queues on port 4:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
MLS QOS MAP DSCP-QUEUE
Syntax
mls qos map dscp-queue dscp_priority to egress_queue
Parameters
dscp_priority Specifies a DSCP priority level. The lowest priority is 0 and the highest priority is 63. You can map more than one priority level to an egress queue, but you can specify just one priority level at a time with this command.
egress_queue Specifies an egress queue number of 0 through 7. The lowest priority queue is 0 and the highest queue is 7.
awplus(config-if)# mls qos map dscp-queue 11 to 7
awplus(config-if)# mls qos map dscp-queue 12 to 7
awplus(config-if)# mls qos map dscp-queue 13 to 7
This example restores the default mappings of the DSCP priorities to the egress queues on port 3:
awplus> enable
awplus# configure terminal
awplus(config)# interface port1.0.
MLS QOS QUEUE
Syntax
mls qos queue priority
Parameters
priority Specifies the egress queue, 0 (lowest priority) through 7 (highest priority), that is to be the port’s default queue. You can specify just one queue.
Mode
Port Interface mode
Description
Use this command to configure the default egress queue for any packet arriving on the port. When no default queue is configured, the cos-queue map is used to choose the queue for packets.
MLS QOS SET COS
Syntax
mls qos set cos priority
Parameters
priority Specifies a Class of Service (CoS) priority level of 0, lowest priority, to 7, highest priority. You can specify just one priority level.
Mode
Port Interface mode
Description
Use this command to remark all egress packets on a port with the specified CoS value. Use the NO form of this command to stop the port from remarking the CoS value of its egress packets.
MLS QOS SET DSCP
Syntax
mls qos set dscp priority
Parameters
priority Specifies a DSCP priority level of 0, lowest priority, to 63, highest priority. You can specify just one priority level.
Mode
Port Interface mode
Description
Use this command to remark all egress packets on a port with the specified DSCP value. Use the NO form of this command to stop the port from remarking the DSCP value of its egress packets.
MLS QOS TRUST COS
Syntax
mls qos trust cos
Parameters
None.
Mode
Port Interface mode
Description
Use this command to configure ports to use the CoS priorities in ingress packets to determine the appropriate queues on the egress ports to store the packets.
Note
QoS must be enabled on the switch before you can use this command.
Use the NO form of this command to stop ports from using the CoS priorities in ingress packets to determine the egress queues.
MLS QOS TRUST DSCP
Syntax
mls qos trust dscp
Parameters
None.
Mode
Port Interface mode
Description
Use this command to configure ports to use the DSCP priorities in ingress packets to determine the appropriate queues on the egress ports to store the packets.
Note
QoS must be enabled on the switch before you can use this command.
Use the NO form of this command to stop ports from using the DSCP priorities in ingress packets to determine the egress queues.
NO MLS QOS ENABLE
Syntax
no mls qos enable
Parameters
None.
Mode
Global Configuration mode
Description
Use this command to disable QoS on the switch. When QoS is disabled, all traffic is treated the same.
NO WRR-QUEUE WEIGHT
Syntax
no wrr-queue weight
Parameters
None.
Mode
Port Interface mode
Description
Use this command to set the CoS scheduling method on the ports to strict priority so that they transmit packets from higher priority queues before packets in lower priority queues.
SHOW MLS QOS INTERFACE
Syntax
show mls qos interface port
Parameters
port Specifies the port to display. You can view only one port at a time.
Mode
Privileged Exec mode
Description
Use this command to display the scheduling methods of the ports and, for weighted round robin scheduling, the assignments of weights to egress queues. Figure 202 and Figure 203 are examples of a port set to strict priority.
Egress Queue: 6
Scheduler: Strict Priority
Weight: N/A
Egress Queue: 7
Scheduler: Strict Priority
Weight: N/A
Figure 203. SHOW MLS QOS INTERFACE Command - Strict Priority (continued)
Figure 204 is an example of a port set to weighted round robin scheduling.
The fields in the display are described in Table 146.
Table 146. SHOW MLS QOS INTERFACE Command
Field | Description
Default CoS | Specifies the default CoS value for packets that do not have a value.
Default Queue | Specifies the default egress queue for packets that do not have a CoS value.
Number of egress queues | Specifies the number of egress queues on the port. Each port on the switch has eight queues.
SHOW MLS QOS MAPS COS-QUEUE
Syntax
show mls qos maps cos-queue interface port
Parameters
port Specifies the port to display. You can view only one port at a time.
Mode
Privileged Exec mode
Description
Use this command to display the mappings of CoS priority values to port egress queues. An example of the information is shown in Figure 205.
Interface port1.0.
SHOW MLS QOS MAPS DSCP-QUEUE
Syntax
show mls qos maps dscp-queue interface port
Parameters
port Specifies the port to display. You can view only one port at a time.
Mode
Privileged Exec mode
Description
Use this command to display the mappings of DSCP priority values to port egress queues. An example of the information is shown in Figure 206 on page 1254.
Interface port1.0.
WRR-QUEUE WEIGHT
Syntax
wrr-queue weight weights
Parameters
weights Specifies the weights of a port’s eight egress priority queues for the weighted round robin scheduling method. The ranges are 1 to 15 packets for Q0 to Q6 and 0 to 15 packets for Q7. A setting of 0 for Q7 means that its packets always take priority and that it has to be empty before a port transmits packets from the other queues.
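To see how a Q7 weight of 0 changes the behaviour of the weighted round robin scheduler, here is an added Python simulation; it is not part of this guide or of the switch firmware. It takes a snapshot of the eight queues plus the eight weights and returns the order in which the packets leave the port, contrasted with the strict priority order set by NO WRR-QUEUE WEIGHT. The visiting order within a round (Q7 down to Q0, up to the queue's weight in packets each) is an assumption; the guide gives only the weight ranges and the meaning of 0 on Q7.

```python
from collections import deque
from typing import Dict, List, Sequence

NUM_QUEUES = 8   # Q0 (lowest priority) to Q7 (highest); every port has eight


def weights_ok(weights: Sequence[int]) -> bool:
    """Ranges documented for WRR-QUEUE WEIGHT: 1-15 for Q0 to Q6, 0-15 for Q7."""
    if len(weights) != NUM_QUEUES:
        return False
    return all((0 if q == 7 else 1) <= w <= 15 for q, w in enumerate(weights))


def wrr_schedule(queues: Dict[int, List[str]], weights: Sequence[int]) -> List[str]:
    """Transmit order for a snapshot of the eight queues under WRR.
    ASSUMPTION: each round visits Q7 down to Q0 and takes up to weights[q]
    packets from queue q; the guide does not state the visiting order."""
    if not weights_ok(weights):
        raise ValueError("weights must be eight values within the documented ranges")
    pending = {q: deque(queues.get(q, [])) for q in range(NUM_QUEUES)}
    order: List[str] = []
    while any(pending.values()):
        if weights[7] == 0:
            # Q7 weight 0: Q7 is served strictly and must be empty before
            # any other queue is allowed to transmit.
            while pending[7]:
                order.append(pending[7].popleft())
        for q in range(NUM_QUEUES - 1, -1, -1):
            if q == 7 and weights[7] == 0:
                continue
            for _ in range(weights[q]):
                if not pending[q]:
                    break
                order.append(pending[q].popleft())
    return order


def strict_priority_schedule(queues: Dict[int, List[str]]) -> List[str]:
    """NO WRR-QUEUE WEIGHT: a higher queue is always drained before a lower one."""
    order: List[str] = []
    for q in range(NUM_QUEUES - 1, -1, -1):
        order.extend(queues.get(q, []))
    return order


if __name__ == "__main__":
    # Constructed snapshot: two high-priority packets, three medium, three low.
    snapshot = {7: ["h1", "h2"], 6: ["m1", "m2", "m3"], 0: ["l1", "l2", "l3"]}
    print("Q7 weight 0:", wrr_schedule(snapshot, [1, 1, 1, 1, 1, 1, 2, 0]))
    print("Q7 weight 1:", wrr_schedule(snapshot, [1, 1, 1, 1, 1, 1, 2, 1]))
    print("strict:     ", strict_priority_schedule(snapshot))
```

With Q7 at weight 0 both h packets leave before anything else; with Q7 at weight 1 the second h packet waits for a full round, which is the difference between a queue that can starve the others and one that merely gets a guaranteed share.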
awplus(config)# interface port1.0.
Section XI Management Security
This section contains the following chapters:
Chapter 76, “Local Manager Accounts” on page 1259
Chapter 77, “Local Manager Account Commands” on page 1271
Chapter 78, “Telnet Server” on page 1281
Chapter 79, “Telnet Server Commands” on page 1287
Chapter 80, “Telnet Client” on page 1291
Chapter 81, “Telnet Client Commands” on page 1295
Chapter 82, “Secure Shell (SSH) Server” on page 1299
Chapter 83, “SSH Server Commands” on page 1311
Chapter
Chapter 76 Local Manager Accounts
This chapter provides the following topics:
“Overview” on page 1260
“Creating Local Manager Accounts” on page 1263
“Deleting Local Manager Accounts” on page 1265
“Activating Command Mode Restriction and Creating the Special Password” on page 1266
“Deactivating Command Mode Restriction and Deleting the Special Password” on page 1267
“Activating or Deactivating Password Encryption” on page 1268
“Displaying the Local Manager Accounts” on page 1269
Overview
Each AT-9000 Series switch is pre-configured at the factory with one default manager account. The factory-default values for the user name and password are “manager” and “friend.” Because these values are published, anyone who can reach the switch’s management interface can try them; change the password of the default account, or create your own privilege level 15 account and delete the default one, before the switch is reachable over the network. If you are the only administrator of the switch, you may not need more than one manager account. But if you plan for the switch to be managed by more than one administrator, you may want to create additional accounts so that each administrator has a separate account.
awplus Login: adams
Password: ********
awplus> enable
Password:
Figure 207. Password Prompt for Command Mode Restriction
If the manager enters the correct password, the Privileged Exec mode prompt is displayed. If the wrong password or no password is entered, the manager remains in the User Exec mode, and the switch displays the error message shown in Figure 208.
awplus> enable
%No Local Enable Password Set
awplus>
Figure 208.
Password encryption is activated with the SERVICE PASSWORD-ENCRYPTION command and deactivated with the NO SERVICE PASSWORD-ENCRYPTION command, both of which are found in the Global Configuration mode. When you activate password encryption with the SERVICE PASSWORD-ENCRYPTION command, the switch searches the running configuration for plaintext passwords and encrypts them. It also automatically encrypts the plaintext passwords of new manager accounts.
Creating Local Manager Accounts
The command for creating local manager accounts is the USERNAME command in the Global Configuration mode. Here is the command’s format:
username name privilege level password [8] password
The NAME parameter specifies the log-on name for the new account. The name is case-sensitive and can have up to 15 alphanumeric characters including special characters. Spaces are not allowed.
Passwords entered in encrypted form remain encrypted in the running configuration even if you disable password encryption by issuing the NO SERVICE PASSWORD-ENCRYPTION command.
Deleting Local Manager Accounts
To delete local manager accounts from the switch, use the NO USERNAME command in the Global Configuration mode. Here is the format of the command:
no username name
The NAME parameter specifies the name of the manager account you want to delete from the switch. The name is case sensitive. You can delete just one manager account at a time with this command. Once an account is deleted, you cannot use it to manage the switch.
Activating Command Mode Restriction and Creating the Special Password
Command mode restriction is a security feature. It requires that managers who have the privilege level 15 enter a special password before they can manage the switch from the Privileged Exec mode. The switch prompts for the special password when the ENABLE command is used to move to the Privileged Exec mode from the User Exec mode. The prompt is shown in Figure 207 on page 1261.
Deactivating Command Mode Restriction and Deleting the Special Password
The command for deactivating command mode restriction and deleting the special password is the NO ENABLE PASSWORD command in the Global Configuration mode. When command mode restriction is deactivated, manager accounts with a privilege level of 15 do not have to enter the special password when they enter the ENABLE command to move from the User Exec mode to the Privileged Exec mode.
Activating or Deactivating Password Encryption
Password encryption controls the manner in which the switch stores the plaintext passwords of manager accounts and command mode restriction in the running configuration. When password encryption is enabled (the default setting), plaintext passwords are stored in encrypted form. When password encryption is disabled, plaintext passwords are stored in plaintext. Note that encryption only keeps the passwords from being read directly out of the configuration; it does not make a weak password strong, and anyone who obtains a copy of the configuration can still guess passwords against the stored form offline. Treat saved and displayed configurations as sensitive regardless of this setting.
Displaying the Local Manager Accounts
To view the local accounts on the switch, use “SHOW RUNNING-CONFIG” on page 130 to display the running configuration. Here is an example of several accounts.
username manager privilege 15 password WestWind11a
username sjones privilege 15 password Lat76rose
username smith privilege 1 password Positive89act
username adams privilege 15 password 8 c1a23116461d5856f98ee072ea319bc9
Figure 209.
Chapter 77 Local Manager Account Commands
The local manager account commands are summarized in Table 147 and described in detail within the chapter.
Table 147. Local Manager Account Commands
Command | Mode | Description
“ENABLE PASSWORD” on page 1272 | Global Configuration | Activates command mode restriction on the switch and specifies the password.
“NO ENABLE PASSWORD” on page 1274 | Global Configuration | Deactivates command mode restriction on the switch.
ENABLE PASSWORD
Syntax
enable password [8] password
Parameters
8 Specifies that the password is encrypted.
password Specifies the password for command mode restriction. A plaintext password is case-sensitive and can have up to 16 alphanumeric characters including special characters. Spaces are not allowed.
Mode
Global Configuration mode
Description
Use this command to activate command mode restriction on the switch and to specify the password.
awplus> enable
awplus# configure terminal
awplus(config)# enable password 8 1255bbf963118fcf750aca356d35f6ab
NO ENABLE PASSWORD
Syntax
no enable password
Parameters
None
Mode
Global Configuration mode
Description
Use this command to deactivate command mode restriction on the switch to allow managers who have the privilege level 15 to access all of the command modes without having to enter the special password.
NO SERVICE PASSWORD-ENCRYPTION
Syntax
no service password-encryption
Parameters
None
Mode
Global Configuration mode
Description
Use this command to disable password encryption. The passwords of new local manager accounts are stored in clear text in the running configuration file, unless they are entered in their encrypted forms in the USERNAME command.
NO USERNAME
Syntax
no username name
Parameters
name Specifies the name of the manager account you want to delete from the switch. The name is case sensitive.
Mode
Global Configuration mode
Description
Use this command to delete local manager accounts from the switch.
Note
You can delete the default “manager” account from the switch. Before you do, make sure another privilege level 15 account exists and that you can log in with it; a deleted account cannot be used to manage the switch.
SERVICE PASSWORD-ENCRYPTION
Syntax
service password-encryption
Parameters
None
Mode
Global Configuration mode
Description
Use this command to activate password encryption. This feature encrypts all of the manager account passwords in the running configuration of the switch and the passwords of new manager accounts. This is the default setting for password encryption.
USERNAME
Syntax
username name privilege level password [8] password
Parameters
name Specifies the name of a new manager account. The name is case-sensitive and can have up to 15 alphanumeric characters including special characters. Spaces are not allowed.
level Specifies the privilege level of either 1 or 15 for the new account. Manager accounts with the privilege level 15 have access to all of the command modes, unless command mode restriction is activated.
Examples
This example creates a manager account for the user, allen. The privilege level is 15 to give the manager access to all of the modes, unless command mode restriction is activated. The password is “laf238pl”:
awplus> enable
awplus# configure terminal
awplus(config)# username allen privilege 15 password laf238pl
This example creates a manager account for the user, sjones. The privilege level is 1 to restrict the manager to the User Exec mode.
Chapter 78 Telnet Server
This chapter provides the following topics:
“Overview” on page 1282
“Enabling the Telnet Server” on page 1283
“Disabling the Telnet Server” on page 1284
“Displaying the Telnet Server” on page 1285
Overview
The switch comes with a Telnet server so that you can remotely manage the device from Telnet clients on your network. Remote Telnet management gives you access to the same AlliedWare Plus commands and management functions as local management sessions, which are conducted through the Console port. Telnet sends the manager name, the password and every command in plaintext, so anyone able to observe the traffic can read them; on any network where that is possible, use the Secure Shell server described in Chapter 82, “Secure Shell (SSH) Server” on page 1299 instead, and disable the Telnet server once SSH management is working. The guidelines to using the Telnet server for remote management are listed here. The switch must have a management IP address.
Enabling the Telnet Server
To enable the server, go to the Global Configuration mode and issue the SERVICE TELNET command. Here is the command:
awplus> enable
awplus# configure terminal
awplus(config)# service telnet
Once the server is started, you can conduct remote management sessions over your network from Telnet clients, provided that the switch has a management IP address.
Disabling the Telnet Server
To disable the Telnet server, use the NO SERVICE TELNET command in the Global Configuration mode. Here is the command:
awplus> enable
awplus# configure terminal
awplus(config)# no service telnet
Note
If you disable the server from a remote Telnet management session, your session ends. To resume managing the unit, establish a local management session or remote web browser session.
Displaying the Telnet Server
To display the status of the Telnet server, use the SHOW TELNET command in the User Exec mode or Privileged Exec mode. Here is the command:
awplus# show telnet
Here is the information the command displays.
Telnet Server Configuration
------------------------------------------
Telnet server : Enabled
Figure 210.
Chapter 79 Telnet Server Commands
The Telnet server commands are summarized in Table 148 and described in detail within the chapter.
Table 148. Telnet Server Commands
Command | Mode | Description
“NO SERVICE TELNET” on page 1288 | Global Configuration | Disables the Telnet server.
“SERVICE TELNET” on page 1289 | Global Configuration | Enables the Telnet server.
“SHOW TELNET” on page 1290 | User Exec and Privileged Exec | Displays the status of the Telnet server on the switch.
NO SERVICE TELNET
Syntax
no service telnet
Parameters
None
Mode
Global Configuration mode
Description
Use this command to disable the Telnet server on the switch. You cannot remotely manage the switch with a remote Telnet client when the server is disabled. The default setting for the Telnet server is enabled.
Note
Your management session ends if you disable the server from a remote Telnet session.
SERVICE TELNET
Syntax
service telnet
Parameters
None
Mode
Global Configuration mode
Description
Use this command to enable the Telnet server so that you can remotely manage the switch from a Telnet client. The default setting for the Telnet server is enabled.
Note
The switch must have a management IP address for remote Telnet management. For background information, refer to Chapter 13, “IPv4 and IPv6 Management Addresses” on page 257.
SHOW TELNET
Syntax
show telnet
Parameters
None
Mode
User Exec mode and Privileged Exec mode
Description
Use this command to display the status of the Telnet server on the switch. The status of the server can be either enabled or disabled. Here is the information.
Telnet Server Configuration
------------------------------------------
Telnet server : Enabled
Figure 211.
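A saved running configuration records everything the local manager account chapters and the Telnet server chapters warn about: the factory-default manager/friend login, passwords stored without the 8 (encrypted) marker, no enable password, SERVICE PASSWORD-ENCRYPTION turned off, and the Telnet server left at its enabled default. The following Python script is an added example, not part of this guide or of Allied Telesis software, that audits such a configuration offline. The two configuration texts are constructed excerpts in the form SHOW RUNNING-CONFIG prints accounts (the password strings are invented or copied from this guide's figures); the keywords it looks for are the commands documented in Chapters 77 and 79, and a configuration with no service telnet line is treated as Telnet enabled because that is the documented default.

```python
import re
from typing import Dict, List

# Constructed running-configuration excerpt for a freshly set up switch.
SAMPLE_CONFIG = """\
no service password-encryption
username manager privilege 15 password friend
username sjones privilege 15 password Lat76rose
username smith privilege 1 password Positive89act
username adams privilege 15 password 8 c1a23116461d5856f98ee072ea319bc9
"""

# Constructed excerpt after the guide's hardening commands have been applied.
HARDENED_CONFIG = """\
service password-encryption
enable password 8 1255bbf963118fcf750aca356d35f6ab
username adams privilege 15 password 8 c1a23116461d5856f98ee072ea319bc9
no service telnet
"""

USERNAME_RE = re.compile(r"^username (\S+) privilege (1|15) password (?:(8) )?(\S+)$")
ENABLE_RE = re.compile(r"^enable password (?:(8) )?(\S+)$")
DEFAULT_LOGIN = ("manager", "friend")   # factory default stated in the guide


def parse_config(text: str) -> Dict[str, object]:
    """Pull the management-security settings out of running-config text.
    Missing lines fall back to the defaults the guide documents."""
    accounts: List[Dict[str, object]] = []
    state: Dict[str, object] = {"accounts": accounts, "enable_password": None,
                                "password_encryption": True, "telnet": True}
    for raw in text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:
            name, level, enc, pw = m.groups()
            accounts.append({"name": name, "level": int(level),
                             "encrypted": enc == "8", "password": pw})
            continue
        m = ENABLE_RE.match(line)
        if m:
            state["enable_password"] = {"encrypted": m.group(1) == "8",
                                        "password": m.group(2)}
        elif line == "no service password-encryption":
            state["password_encryption"] = False
        elif line == "service password-encryption":
            state["password_encryption"] = True
        elif line == "no service telnet":
            state["telnet"] = False
        elif line == "service telnet":
            state["telnet"] = True
    return state


def audit(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings: List[str] = []
    for a in cfg["accounts"]:
        # The default login can only be recognised while it is stored in plaintext.
        if (a["name"], a["password"]) == DEFAULT_LOGIN and not a["encrypted"]:
            findings.append("default manager/friend login still in use")
        if not a["encrypted"]:
            findings.append(f"plaintext password stored for account {a['name']}")
    if not cfg["password_encryption"]:
        findings.append("service password-encryption is disabled")
    if cfg["enable_password"] is None:
        findings.append("command mode restriction (enable password) not set")
    elif not cfg["enable_password"]["encrypted"]:
        findings.append("enable password stored in plaintext")
    if cfg["telnet"]:
        findings.append("Telnet server enabled (default); prefer SSH and use 'no service telnet'")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("fresh", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg_text) or ["no findings"])
```

Run it against the output of SHOW RUNNING-CONFIG captured from a console session; the hardened excerpt returns no findings, which is the state to aim for before the switch's management address is reachable from the network.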
Chapter 80 Telnet Client
This chapter provides the following topics:
“Overview” on page 1292
“Starting a Remote Management Session with the Telnet Client” on page 1293
Overview
The switch has a Telnet client. You may use the client to remotely manage other network devices from the switch. Here are the guidelines to using the client:
The client has two commands: TELNET, which is used to manage network devices that have IPv4 addresses, and TELNET IPV6, for devices that have IPv6 addresses.
You may use the Telnet client from local or Telnet management sessions of the switch, but not from remote SSH management sessions.
Starting a Remote Management Session with the Telnet Client
Here are the steps to using the Telnet client on the switch to manage other devices on your network:
1. Start a local or Telnet management session on the switch.
Note
The Telnet client is not supported from remote SSH management sessions.
2.
Chapter 81 Telnet Client Commands
The Telnet client commands are summarized in Table 149 and described in detail within the chapter.
Table 149. Telnet Client Commands
Command | Mode | Description
“TELNET” on page 1296 | Privileged Exec | Starts Telnet management sessions on remote devices that have IPv4 addresses.
“TELNET IPV6” on page 1297 | Privileged Exec | Starts Telnet management sessions on remote devices that have IPv6 addresses.
TELNET Syntax telnet ipv4_address [port] Parameters ipv4_address Specifies the IPv4 address of a remote device you want to manage using the Telnet client on the switch. You can specify just one address. port Specifies the TCP port on which the Telnet server of the remote device is listening; the client connects to this port. The default value is 23. Mode Privileged Exec mode Description Use this command to start Telnet management sessions on network devices that have IPv4 addresses.
TELNET IPV6 Syntax telnet ipv6 ipv6_address [port] Parameters ipv6_address Specifies the IPv6 address of a remote device you want to manage using the Telnet client on the switch. You can specify just one address. port Specifies the TCP port on which the Telnet server of the remote device is listening; the client connects to this port. The default value is 23. Mode Privileged Exec mode Description Use this command to start Telnet management sessions on network devices that have IPv6 addresses.
Chapter 82 Secure Shell (SSH) Server This chapter provides the following topics: “Overview” on page 1300 “Support for SSH” on page 1301 “SSH and Enhanced Stacking” on page 1303 “Creating the Encryption Key Pair” on page 1305 “Enabling the SSH Server” on page 1306 “Disabling the SSH Server” on page 1307 “Deleting Encryption Keys” on page 1308 “Displaying the SSH Server” on page 1309 1299
Overview The Secure Shell (SSH) protocol is an alternative to the Telnet protocol for remote management of the switch from workstations on your network. The difference between the two management methods is that SSH management is more secure because the packets the switch and your management workstation exchange during management sessions are encrypted, and the switch authenticates itself to the client with the host key you generate on it.
Support for SSH The implementation of the SSH protocol on the switch is compliant with the SSH protocol versions 1.3, 1.5, and 2.0. In addition, the following SSH options and features are supported: Inbound SSH connections (server mode) are supported. The following security algorithms are supported: – 128-bit Advanced Encryption Standard (AES), 192-bit AES, and 256-bit AES – Arcfour (RC4) security algorithm is supported. Note SSH protocol version 1 and the Arcfour cipher have known weaknesses and are disabled by default in current SSH clients. Configure your clients to negotiate SSH version 2 with AES, and do not create an RSA1 key unless you must support a version 1 client.
The SSH server uses protocol port 22. This parameter cannot be changed. If you are using the enhanced stacking feature, you activate and configure SSH server on the master switch, not on the member switches. Note If your switch is in a network that is protected by a firewall, you may need to configure the firewall to permit SSH connections.
SSH and Enhanced Stacking The switch allows for encrypted SSH management sessions between a management station and the master switch of an enhanced stack, but not with member switches, as explained in this section. When you remotely manage a member switch, all management communications are conducted through the master switch using the enhanced stacking feature.
Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a member switch, you configure SSH only on the master switch of a stack. Activating SSH on a member switch has no effect.
Creating the Encryption Key Pair The first step to using the SSH server on the switch for remote management is to create the encryption key. Here is the base command:
crypto key generate hostkey dsa|rsa|rsa1 [value]
The VALUE parameter only applies to an RSA key.
Enabling the SSH Server The switch does not allow you to enable the SSH server and begin remote management until you have created the encryption key. So if you have not done that yet, perform the instructions in the previous procedure. The command that activates the server is the SERVICE SSH command in the Global Configuration mode.
Disabling the SSH Server If you decide that you want to disable the server because you do not want to remotely manage the switch with SSH, enter the following commands:
awplus> enable
awplus# configure terminal
awplus(config)# no service ssh
Note If you disable the server during a remote SSH management session, your session ends.
Deleting Encryption Keys To delete encryption keys from the switch, use the CRYPTO KEY DESTROY HOSTKEY command in the Global Configuration mode. Here is the format of the command:
crypto key destroy hostkey dsa|rsa|rsa1
Note You should disable the SSH server before deleting the encryption key. The operations of the server will be impaired if you delete the active key when the server is enabled.
Displaying the SSH Server To display the current settings of the server, enter this command in the Privileged Exec or Global Configuration mode:
awplus# show ssh server
Chapter 83 SSH Server Commands The SSH server commands are summarized in Table 150 and described in detail within the chapter. Table 150. Secure Shell Server Commands Command Mode Description “CRYPTO KEY DESTROY HOSTKEY” on page 1312 Global Configuration Deletes encryption keys from the switch. “CRYPTO KEY GENERATE HOSTKEY” on page 1314 Global Configuration Creates encryption keys. “NO SERVICE SSH” on page 1316 Global Configuration Disables the SSH server.
CRYPTO KEY DESTROY HOSTKEY Syntax crypto key destroy hostkey dsa|rsa|rsa1 Parameters dsa Deletes the DSA key. rsa Deletes the RSA key. rsa1 Deletes the RSA1 key. Mode Global Configuration mode Description Use this command to delete encryption keys from the switch. Deleted encryption keys are permanently removed by the switch when you enter this command.
This example deletes the RSA1 key:
awplus> enable
awplus# configure terminal
awplus(config)# crypto key destroy hostkey rsa1
CRYPTO KEY GENERATE HOSTKEY Syntax crypto key generate hostkey dsa|rsa|rsa1 [value] Parameters dsa Creates a DSA key, which is used by SSH version 2 clients. (The SSH version 1 protocol itself supports only RSA host keys, so version 1 clients authenticate the switch with the RSA1 key.) rsa Creates an RSA key that is compatible with SSH version 2. rsa1 Creates an RSA key that is compatible with SSH version 1. value Specifies the length of the encryption key in bits. The length is specified only for an RSA key and is optional. The range is 768 to 2048 bits. Current guidance (for example NIST SP 800-131A) treats RSA keys shorter than 2048 bits as inadequate, so specify 2048 unless you have a specific reason not to.
Note Creating a key is a very CPU intensive process for the switch. The switch does not stop forwarding network packets, but it may delay handling some network events, such as spanning tree BPDU packets. To avoid unexpected or unwanted switch behavior, create a key during periods of low network activity.
NO SERVICE SSH Syntax no service ssh Parameters None Mode Global Configuration mode Description Use this command to disable the Secure Shell server to prevent remote management of the switch using a Secure Shell client. The default setting for the Secure Shell server is disabled. Note Your management session of the switch ends if you disable the server from a remote SSH management session.
SERVICE SSH Syntax service ssh Parameters None Mode Global Configuration mode Description Use this command to enable the Secure Shell server on the switch. You must create an encryption key before enabling the server. For instructions, refer to “CRYPTO KEY GENERATE HOSTKEY” on page 1314.
SHOW CRYPTO KEY HOSTKEY Syntax show crypto key hostkey [dsa|rsa|rsa1] Parameters dsa Displays the DSA key. rsa Displays the RSA key. rsa1 Displays the RSA1 key. Mode Global Configuration mode Description Use this command to display the encryption keys. Here is an example of the information for an RSA key.
Type Bits Fingerprint
--------------------------------------------------------------
RSA 1280 60:59:ff:78:e7:4e:58:24:e6:57:bc:c9:d1:c9:73:91
Figure 213.
Compare the fingerprint shown here, read over the console port, with the fingerprint your SSH client presents the first time it connects to the switch. If the two do not match, you are not connecting to this switch; do not accept the key.
SHOW SSH SERVER Syntax show ssh server Parameters None Modes Privileged Exec and Global Configuration modes Description Use this command to display the current status of the SSH server. The display contains the following fields: Versions supported, Server Status, and Server Port. Example This example displays the status of the SSH server:
awplus# show ssh server
An example of the information the command displays is shown in Figure 214.
Secure Shell Server Configuration
Versions Supported ........
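The following Python script is an added example and is not part of this guide or of the AlliedWare Plus software. It parses captured SHOW CRYPTO KEY HOSTKEY and SHOW SSH SERVER output and flags the settings an auditor would question: SSH version 1 offered, an RSA1 or DSA host key present, an RSA host key shorter than 2048 bits, or the server disabled. The hostkey table follows Figure 213; the SHOW SSH SERVER sample is constructed from the field names listed in this section, and its dotted layout and values are assumptions.

```python
import re

# Constructed sample output, modelled on Figure 213 (show crypto key hostkey).
# The DSA row is added for illustration.
SAMPLE_HOSTKEYS = """\
Type   Bits   Fingerprint
--------------------------------------------------------------
RSA    1280   60:59:ff:78:e7:4e:58:24:e6:57:bc:c9:d1:c9:73:91
DSA    1024   a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90
"""

# Constructed sample of show ssh server; only the field names come from the
# guide, the dotted layout and the values are assumptions.
SAMPLE_SERVER = """\
Secure Shell Server Configuration
Versions Supported ........ 1.3, 1.5, 2.0
Server Status ............. Enabled
Server Port ............... 22
"""

MIN_RSA_BITS = 2048  # NIST SP 800-131A minimum for RSA keys


def parse_hostkeys(text):
    """Return {key_type: (bits, fingerprint)} from the hostkey table."""
    keys = {}
    row = re.compile(r"\s*(RSA1|RSA|DSA)\s+(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){15})\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            keys[m.group(1)] = (int(m.group(2)), m.group(3))
    return keys


def parse_server(text):
    """Return the dotted 'Field ..... value' lines as {field: value}."""
    fields = {}
    row = re.compile(r"\s*([A-Za-z ]+?)\s*\.{2,}\s*(.*\S)\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit(hostkey_text, server_text):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    keys = parse_hostkeys(hostkey_text)
    server = parse_server(server_text)

    versions = [v.strip() for v in server.get("Versions Supported", "").split(",") if v.strip()]
    if any(v.startswith("1.") for v in versions):
        findings.append("SSH protocol version 1 is offered; restrict clients to SSH-2")
    if "RSA1" in keys:
        findings.append("an RSA1 (SSH-1) host key exists; destroy it if SSH-1 is not required")
    for ktype, (bits, _fingerprint) in keys.items():
        if ktype in ("RSA", "RSA1") and bits < MIN_RSA_BITS:
            findings.append(f"{ktype} host key is {bits} bits; regenerate with {MIN_RSA_BITS}")
        if ktype == "DSA":
            findings.append("DSA host key present; ssh-dss is 1024-bit only and disabled in modern clients")
    if server.get("Server Status", "").lower() != "enabled":
        findings.append("SSH server is disabled; Telnet may be the only remote CLI path")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTKEYS, SAMPLE_SERVER):
        print("FINDING:", finding)
```

Paste the real command output into the two strings, or read it from a file, and run the script after every change to the key material. The RSA fingerprint that parse_hostkeys returns is also the value to hand to operators so they can verify the host key on first connection.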
Chapter 84 Non-secure HTTP Web Browser Server This chapter describes the following topics: “Overview” on page 1322 “Enabling the Web Browser Server” on page 1323 “Setting the Protocol Port Number” on page 1324 “Disabling the Web Browser Server” on page 1325 “Displaying the Web Browser Server” on page 1326 1321
Overview The switch has a web browser server. The server is used to remotely manage the unit over the network with web browser applications. The server can operate in either plain text HTTP mode or encrypted HTTPS mode. This chapter explains how to activate the server for the HTTP mode. In HTTP mode the login credentials and the whole management session cross the network unencrypted, so use this mode only on a management network you trust, and otherwise configure the HTTPS mode described in Chapter 86, “Secure HTTPS Web Browser Server” on page 1333.
Enabling the Web Browser Server The command to activate the web browser server for non-secure HTTP operation is the SERVICE HTTP command in the Global Configuration mode. The command, which does not have any parameters, is shown here:
awplus> enable
awplus# configure terminal
awplus(config)# service http
Here are the guidelines to using the command: The switch should already have a management IP address.
Setting the Protocol Port Number The default setting of port 80 for the protocol port of the HTTP web server can be adjusted with the IP HTTP PORT command in the Global Configuration mode. This example of the command changes the protocol port to 100:
awplus> enable
awplus# configure terminal
awplus(config)# ip http port 100
The range of the port number is 0 to 65535.
Disabling the Web Browser Server The command to disable the HTTP server is the NO SERVICE HTTP command in the Global Configuration mode:
awplus> enable
awplus# configure terminal
awplus(config)# no service http
No further web browser management sessions are permitted by the switch after the server is disabled. Any web browser sessions that are in progress when the server is disabled are interrupted and are not allowed to continue.
Displaying the Web Browser Server To display whether the HTTP web server is enabled or disabled on the switch, issue the SHOW IP HTTP command in the Privileged Exec mode. The command also displays the protocol port number if the server is enabled. Here is the command:
awplus> enable
awplus# show ip http
Here is an example of the display.
HTTP server enabled. Port 80.
Figure 215.
Chapter 85 Non-secure HTTP Web Browser Server Commands The non-secure HTTP web browser server commands are summarized in Table 151 and described in detail within the chapter. Table 151. Non-secure HTTP Web Browser Server Commands Command Mode Description “SERVICE HTTP” on page 1328 Global Configuration Enables the HTTP web browser server. “IP HTTP PORT” on page 1329 Global Configuration Sets the protocol port number of the server.
SERVICE HTTP Syntax service http Parameters None Mode Global Configuration mode Description Use this command to activate the HTTP web browser server on the switch. The switch supports non-secure HTTP web browser management sessions when the server is activated. Confirmation Command “SHOW IP HTTP” on page 1331.
IP HTTP PORT Syntax ip http port port Parameters port Specifies the TCP port number the HTTP web server listens on. The range is 0 to 65535. Mode Global Configuration mode Description Use this command to set the TCP port for the web browser server.
NO SERVICE HTTP Syntax no service http Parameters None Mode Global Configuration mode Description Use this command to disable the HTTP web browser server on the switch to prevent any further remote management with a web browser. Any active web browser management sessions are interrupted and are not allowed to continue.
SHOW IP HTTP Syntax show ip http Parameters None Mode Privileged Exec mode Description Use this command to display the status of the HTTP server on the switch. Here is an example of the information.
HTTP server enabled. Port: 80
Figure 216.
Chapter 86 Secure HTTPS Web Browser Server This chapter describes the following topics: “Overview” on page 1334 “Creating a Self-signed Certificate” on page 1337 “Configuring the HTTPS Web Server for a Certificate Issued by a CA” on page 1340 “Enabling the Web Browser Server” on page 1344 “Disabling the Web Browser Server” on page 1345 “Displaying the Web Browser Server” on page 1346 1333
Overview The switch has a web browser server for remote management of the unit with a web browser application from management workstations on your network. The server has a secure HTTPS mode and a non-secure HTTP mode. Web browser management sessions that use the secure HTTPS mode are protected against snooping because the packets exchanged between the switch and your management workstations are encrypted.
Private CAs allow companies to keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA, and you might want that group to issue the certificate for the switch so that you are in compliance with company policy. If you choose to have a public or private CA issue the certificate, you must first create a self-signed certificate.
Note If the certificate will be issued by a private or public CA, you should check with the CA to see if they have any rules or guidelines on distinguished names for the certificates they issue. Guidelines The guidelines for creating certificates are: The switch must have a management IP address. For instructions, refer to Chapter 13, “IPv4 and IPv6 Management Addresses” on page 257.
Creating a Self-signed Certificate Here are the main steps to configuring the switch for a self-signed certificate: 1. Create a new self-signed certificate with “CRYPTO CERTIFICATE GENERATE” on page 1349, in the Global Configuration mode.
At this point, the switch, if it has a management IP address, is ready for remote management with a web browser application. To start a management session, enter the IP address of the switch in the URL field of your web browser, being sure to include the prefix “https://”. Your browser will warn that the certificate is self-signed; compare the subject and validity period it shows with the output of SHOW IP HTTPS before you accept it. Here is an example of how to create a self-signed certificate and how to configure the HTTPS web browser server for the certificate.
awplus(config)# service https
Enable the HTTPS server with “SERVICE HTTPS” on page 1355.
awplus(config)# exit
Return to the Privileged Exec mode.
awplus# show ip https
Confirm the configuration with “SHOW IP HTTPS” on page 1359.
HTTPS server enabled. Port: 443
Certificate 2 is active
Issued by: self-signed
Valid from: 1/1/2000 to 12/31/2000
Subject: C=US, ST=California, L=San_Jose, O=Jones_Industries, OU=Sales, CN=167.214.121.
Configuring the HTTPS Web Server for a Certificate Issued by a CA Here are the main steps to configuring the HTTPS web browser server for a certificate from a CA: 1. Create a self-signed certificate with “CRYPTO CERTIFICATE GENERATE” on page 1349, in the Global Configuration mode.
7. Designate the new certificate from the CA as the active certificate on the switch with “IP HTTPS CERTIFICATE” on page 1356, in the Global Configuration mode. The command has this format:
ip https certificate id_number
The ID_NUMBER parameter is the ID number you assigned the self-signed certificate and enrollment request. 8. Activate the HTTPS web browser server with “SERVICE HTTPS” on page 1355, in the Global Configuration mode. This command has no parameters.
awplus(config)# crypto certificate 1 request 124.201.76.54 Production ABC_Industries San_Jose California US
Create an enrollment request that has exactly the same information, including the same ID number, as the self-signed certificate, with “CRYPTO CERTIFICATE REQUEST” on page 1353. Cut and paste the certificate request from your screen into a word processor document.
awplus(config)# no service http
If the non-secure HTTP web browser server is enabled on the unit, disable it with “NO SERVICE HTTP” on page 1330.
awplus(config)# service https
Enable the HTTPS server with “SERVICE HTTPS” on page 1355.
awplus(config)# exit
Return to the Privileged Exec mode.
awplus# show ip https
Confirm the configuration with “SHOW IP HTTPS” on page 1359.
HTTPS server enabled.
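The following Python helper is an added example, not code from this guide or from the switch. It builds the self-signed GENERATE command and the REQUEST command of the procedure above from a single set of subject fields, so the enrollment request cannot differ from the self-signed certificate (the mismatch the Note under CRYPTO CERTIFICATE REQUEST warns about), validates the documented ranges before anything is typed into the switch, and checks the Subject line of SHOW IP HTTPS output against the intended values. The SHOW IP HTTPS sample is constructed to the layout shown in this chapter; its full CN value is an assumption, because the guide’s example is truncated.

```python
import re
from dataclasses import dataclass

# Ranges documented for CRYPTO CERTIFICATE GENERATE / REQUEST on this switch.
ID_RANGE = range(0, 11)           # certificate ID: 0 to 10
LENGTH_RANGE = range(512, 1537)   # RSA key length in bits: 512 to 1536
DURATION_RANGE = range(30, 3651)  # validity in days: 30 to 3650


@dataclass(frozen=True)
class Subject:
    """The distinguished-name fields shared by GENERATE and REQUEST."""
    common_name: str          # usually the switch management IP or DNS name
    organizational_unit: str
    organization: str
    location: str
    state: str
    country: str              # ISO 3166-1 alpha-2, uppercase

    def fields(self):
        return (self.common_name, self.organizational_unit, self.organization,
                self.location, self.state, self.country)


def validate(cert_id, subject, length=None, duration=None):
    """Raise ValueError for anything the CLI would reject or that would make the
    enrollment request differ from the self-signed certificate."""
    if cert_id not in ID_RANGE:
        raise ValueError(f"certificate id {cert_id} outside 0-10")
    if length is not None and length not in LENGTH_RANGE:
        raise ValueError(f"key length {length} outside 512-1536")
    if duration is not None and duration not in DURATION_RANGE:
        raise ValueError(f"duration {duration} outside 30-3650 days")
    if not re.fullmatch(r"[A-Z]{2}", subject.country):
        raise ValueError("country must be two uppercase ISO 3166-1 letters")
    for f in subject.fields():
        # Parameters are whitespace-separated on the CLI; the guide uses
        # underscores (San_Jose, Jones_Industries) instead of spaces.
        if not f or re.search(r"\s", f):
            raise ValueError(f"field {f!r} is empty or contains whitespace")


def enrollment_commands(cert_id, length, passphrase, subject, duration):
    """Global Configuration commands for the CA workflow, in order. The
    self-signed certificate and the request are built from ONE Subject."""
    validate(cert_id, subject, length, duration)
    subj = " ".join(subject.fields())
    return [
        f"crypto certificate {cert_id} generate {length} {passphrase} {subj} {duration}",
        f"crypto certificate {cert_id} request {subj}",
        # ...submit the .pem request to the CA, then paste the issued certificate...
        f"crypto certificate {cert_id} import",
        f"ip https certificate {cert_id}",
        "no service http",
        "service https",
    ]


# Constructed sample of SHOW IP HTTPS output in the layout the guide shows;
# the full CN value is an assumption (the guide's example is truncated).
SAMPLE_SHOW_IP_HTTPS = """\
HTTPS server enabled. Port: 443
Certificate 1 is active
Issued by: self-signed
Valid from: 5/17/2010 to 5/16/2011
Subject: C=US, ST=California, L=San_Jose, O=Jones_Industries, OU=Sales, CN=167.214.121.10
"""


def parse_subject(show_output):
    """Return the active certificate's subject as {DN attribute: value}."""
    m = re.search(r"^Subject:\s*(.+)$", show_output, re.M)
    if not m:
        return {}
    return dict(part.strip().split("=", 1) for part in m.group(1).split(","))


def subject_matches(show_output, subject):
    """True if the certificate the switch is serving carries the intended DN."""
    want = {"C": subject.country, "ST": subject.state, "L": subject.location,
            "O": subject.organization, "OU": subject.organizational_unit,
            "CN": subject.common_name}
    return parse_subject(show_output) == want


if __name__ == "__main__":
    sw = Subject("167.214.121.10", "Sales", "Jones_Industries", "San_Jose", "California", "US")
    print("\n".join(enrollment_commands(1, 1536, "trailtree", sw, 365)))
    print("subject matches:", subject_matches(SAMPLE_SHOW_IP_HTTPS, sw))
```

The passphrase is a constructed value, and the import step still requires the interactive paste of the CA-issued certificate on the switch console. Keep the key length at the top of the documented range; the switch cannot generate the 2048-bit keys current guidance expects.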
Enabling the Web Browser Server The command to activate the web browser server for secure HTTPS operation is the SERVICE HTTPS command in the Global Configuration mode. The command, which does not have any parameters, is shown here:
awplus> enable
awplus# configure terminal
awplus(config)# service https
Here are the guidelines to the command: The switch should already have a management IP address.
Disabling the Web Browser Server The command to disable the HTTPS mode is the NO SERVICE HTTPS command in the Global Configuration mode:
awplus> enable
awplus# configure terminal
awplus(config)# no service https
No further web browser management sessions are permitted by the switch after the server is disabled. Any web browser sessions that are in progress when the server is disabled are interrupted and are not allowed to continue.
Displaying the Web Browser Server To display whether the HTTPS web server is enabled or disabled on the switch, issue the SHOW IP HTTPS command in the Privileged Exec mode. The command also displays the protocol port number if the server is enabled. Here is the command:
awplus> enable
awplus# show ip https
Here is an example of the display.
HTTPS server enabled.
Chapter 87 Secure HTTPS Web Browser Server Commands The secure HTTPS web browser server commands are summarized in Table 152 and described in detail within the chapter. Table 152. Secure HTTPS Web Browser Server Commands Command Mode Description “CRYPTO CERTIFICATE DESTROY” on page 1348 Global Configuration Deletes unused certificates from the switch.
CRYPTO CERTIFICATE DESTROY Syntax crypto certificate id_number destroy Parameters id_number Specifies the ID number of a certificate to be deleted from the switch. The range is 0 to 10. You can enter just one ID number. Mode Global Configuration mode Description Use this command to delete unused certificates from the switch. You can delete just one certificate at a time with this command.
CRYPTO CERTIFICATE GENERATE Syntax crypto certificate id_number generate length passphrase common_name organizational_unit organization location state country duration Parameters id_number Specifies a certificate ID number. The range is 0 to 10. A certificate must be assigned an ID number that is unique from the ID numbers of all other certificates already on the switch. length Specifies the length of the encryption key in bits. The range is 512 to 1536 bits. Use the largest length the range allows: current browsers reject RSA keys shorter than 1024 bits outright, and current guidance (for example NIST SP 800-131A) treats RSA keys shorter than 2048 bits as inadequate.
country Specifies the ISO 3166-1 initials of a country. This parameter must be two uppercase characters. duration Specifies the number of days the certificate is valid. The range is 30 to 3650 days. Note For a valid certificate to be active, you need to set the system clock. See “Manually Setting the Date and Time” on page 89 or “Activating the SNTP Client and Specifying the IP Address of an NTP or SNTP Server” on page 297.
Organizational unit: Sales
Organization: Jones_Industries
Location: San_Jose
State: California
Country: US
Duration: 365 days
awplus> enable
awplus# configure terminal
awplus(config)# crypto certificate 2 generate 1280 trailtree 167.214.121.
CRYPTO CERTIFICATE IMPORT Syntax crypto certificate id_number import Parameters id_number Specifies the ID number of a certificate to be imported into the certificate database on the switch. You can specify just one ID number. Mode Global Configuration mode Description Use this command to import certificates from public or private CAs into the certificate database of the switch.
CRYPTO CERTIFICATE REQUEST Syntax crypto certificate id_number request common_name organizational_unit organization location state country Parameters id_number Specifies a certificate ID number. The range is 0 to 10. The ID number must be the same as the ID number of the self-signed certificate to which the enrollment request corresponds. common_name Specifies a common name for the certificate.
Description Use this command to create certificate enrollment requests for submittal to public or private CAs. Enrollment requests are stored in the file system in Base64-encoded X.509 format, with a “.pem” extension. Note An enrollment request must have the same ID number and other information as its corresponding self-signed certificate.
SERVICE HTTPS Syntax service https Parameters None Mode Global Configuration mode Description Use this command to activate the HTTPS web server on the switch. The switch supports secure HTTPS web browser management sessions when the server is activated. Here are the preconditions to activating the server: The non-secure HTTP server on the switch must be disabled. For instructions, refer to “NO SERVICE HTTP” on page 1330.
IP HTTPS CERTIFICATE Syntax ip https certificate id_number Parameters id_number Specifies a certificate ID number. Mode Global Configuration mode Description Use this command to designate the active certificate for the secure HTTPS web server. The switch can have only one active certificate.
NO SERVICE HTTPS Syntax no service https Parameters None Mode Global Configuration mode Description Use this command to disable the secure HTTPS web server on the switch. The switch rejects secure HTTPS web browser management sessions when the server is deactivated. You might disable the server to prevent remote web browser management sessions of the switch or prior to activating the non-secure HTTP web browser server.
SHOW CRYPTO CERTIFICATE Syntax show crypto certificate id_number Parameters id_number Specifies a certificate ID number. Mode Privileged Exec mode Description Use this command to display detailed information about the certificates on the switch. You can display just one certificate at a time.
SHOW IP HTTPS Syntax show ip https Parameters None Mode Privileged Exec mode Description Use this command to display the status of the HTTPS server and basic information about the certificates on the switch. An example of the information is shown here.
HTTPS server enabled. Port: 443
Certificate 1 is active
Issued by: self-signed
Valid from: 5/17/2010 to 5/16/2011
Subject: C=US, ST=California, L=San_Jose, O=Jones_Industries, OU=Sales, CN=167.214.121.
Table 153. SHOW IP HTTPS Command (Continued) Field Description Certificate # is active|inactive Displays the status of the certificate. An active status indicates that the certificate was designated with “IP HTTPS CERTIFICATE” on page 1356 as the active certificate for the HTTPS server. The switch can have just one active certificate. Valid from Displays the dates during which the certificate is valid.
Chapter 88 RADIUS and TACACS+ Clients This chapter describes the following topics: “Overview” on page 1362 “Remote Manager Accounts” on page 1363 “Managing the RADIUS Client” on page 1366 “Managing the TACACS+ Client” on page 1370 “Configuring Remote Authentication of Manager Accounts” on page 1373 1361
Overview The switch has RADIUS and TACACS+ clients for remote authentication. Here are the two features that use remote authentication: 802.1x port-based network access control. This feature lets you increase network security by requiring that network users log on with user names and passwords before the switch will forward their packets. This feature is described in Chapter 60, “802.1x Port-based Network Access Control” on page 863. Remote manager accounts.
Remote Manager Accounts The switch has one local manager account. The account is referred to as a local account because the switch authenticates the user name and password when a manager uses the account to log on. If the user name and password are valid, the switch allows the individual to access its management software. Otherwise, it cancels the login to prevent unauthorized access. There are two ways to add more manager accounts.
the switch, the privilege level of an account is ignored and all accounts have access to the entire command mode structure. Here are the main steps to using the remote manager accounts feature on the switch: 1. Install TACACS+ or RADIUS server software on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis. 2. Add the new manager accounts to the authentication servers.
4. Configure the RADIUS or TACACS+ client on the switch by entering the IP addresses of up to three authentication servers. For instructions, refer to “Managing the RADIUS Client” on page 1366 or “Managing the TACACS+ Client” on page 1370. 5. Enable the TACACS+ or RADIUS client. 6. Activate remote manager authentication on the switch. For instructions, refer to “Configuring Remote Authentication of Manager Accounts” on page 1373.
Managing the RADIUS Client The following subsections describe how to manage the RADIUS client: Adding IP Addresses of RADIUS Servers “Adding IP Addresses of RADIUS Servers” next “Specifying a RADIUS Global Encryption Key” on page 1367 “Specifying the Server Timeout” on page 1367 “Specifying RADIUS Accounting” on page 1368 “Removing the Accounting Method List” on page 1368 “Deleting Server IP Addresses” on page 1369 “Displaying the RADIUS C
The AUTH-PORT parameter specifies the UDP destination port for RADIUS authentication requests. If 0 is specified, the server is not used for authentication. The default UDP port for authentication is 1812. The KEY parameter specifies the shared secret (encryption key) that the switch and the designated RADIUS server use to hide passwords and to authenticate the server’s replies; it must be the same value that is configured on the server. The maximum length is 40 characters.
This example sets the RADIUS timeout to 15 seconds:
awplus> enable
awplus# configure terminal
awplus(config)# radius-server timeout 15
Specifying RADIUS Accounting To specify RADIUS accounting for all shell login sessions, use the AAA ACCOUNTING LOGIN command in the Global Configuration mode.
Deleting Server IP Addresses To delete the IP address of a RADIUS server from the list of servers on the switch, use the NO RADIUS-SERVER HOST command in the Global Configuration mode. You can delete only one IP address at a time with this command. This example removes the IP address 211.132.123.12 from the list of RADIUS servers:
awplus> enable
awplus# configure terminal
awplus(config)# no radius-server host 211.132.123.
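The following Python code is an added example and is not part of this guide or of the switch software. It shows what the KEY and AUTH-PORT settings of the RADIUS client protect: it builds the RFC 2865 Access-Request that a client such as the switch sends to UDP port 1812, hides the User-Password with the shared secret, and lets a toy server accept or reject the login and sign its reply so that the client detects a server holding a different key. The user name, password, NAS address and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
AUTH_PORT = 1812  # the default auth-port in this guide


def _attr(atype, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: the same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """The datagram the switch's client sends to the server's auth-port.
    Returns (packet, request_authenticator); the client keeps the latter to check the reply."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:          # malformed length; stop rather than loop forever
            break
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code, request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)  # no attributes in this toy reply
    resp_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + resp_auth


def server_handle(request, secret, accounts):
    """Toy server: recover the hidden password and accept or reject the login.
    With a mismatched key the recovered bytes are garbage, so the login is rejected."""
    attrs = parse_attributes(request)
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    ok = accounts.get(user) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def verify_response(response, request_authenticator, secret):
    """Client check: a reply from a server with a different key, or a forged reply,
    fails this comparison and must be discarded."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"prt17"                      # constructed shared secret
    accounts = {"manager": "friend"}       # constructed server-side account
    req, ra = build_access_request(7, "manager", "friend", "192.168.1.1", secret)
    resp = server_handle(req, secret, accounts)
    print("accepted:", resp[0] == ACCESS_ACCEPT, "reply authentic:", verify_response(resp, ra, secret))
```

The only protection RADIUS gives the exchange is this MD5-based use of the shared secret, so the secret should be long and random, should differ per server, and the path between the switch and the authentication servers should be a management network that ordinary hosts cannot reach.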
Managing the TACACS+ Client The following subsections describe how to manage the TACACS+ client: Adding IP Addresses of TACACS+ Servers “Adding IP Addresses of TACACS+ Servers” next “Specifying TACACS+ Accounting” on page 1371 “Deleting IP Addresses of TACACS+ Servers” on page 1372 “Removing the Accounting Method List” on page 1371 “Displaying the TACACS+ Client” on page 1372 The TACACS+ client can store the IP addresses of three TACACS+ servers
This example adds the IP address 115.16.172.54 as a TACACS+ authentication server at the bottom of the list. The server has the key “prt17”:
awplus> enable
awplus# configure terminal
awplus(config)# tacacs-server host 115.16.172.54 key prt17
Specifying TACACS+ Accounting To specify TACACS+ accounting for all shell login sessions, use the AAA ACCOUNTING LOGIN command in the Global Configuration mode.
Deleting IP Addresses of TACACS+ Servers To delete the IP address of a TACACS+ server from the client on the switch, use the NO TACACS-SERVER HOST command in the Global Configuration mode. You can delete only one IP address at a time with this command. This example removes the IP address 122.124.15.7 from the TACACS+ client:
awplus> enable
awplus# configure terminal
awplus(config)# no tacacs-server host 122.114.15.
Configuring Remote Authentication of Manager Accounts Check that you performed the following steps before activating remote authentication of manager accounts on the switch: Added at least one RADIUS or TACACS+ server to your network. Added the manager accounts to the authentication servers. Assigned a management IP address to the switch. Added the IP addresses of the authentication servers to the RADIUS or TACACS+ client on the switch.
uses for remote Telnet and SSH sessions. (For background information, refer to “VTY Lines” on page 41.) Toggling remote authentication is accomplished with the LOGIN AUTHENTICATION and NO LOGIN AUTHENTICATION commands, found in the Console Line and Virtual Terminal Line modes. Here are several examples of how to use the commands. Assume you used the appropriate AAA AUTHENTICATION LOGIN command to activate remote authentication on the switch.
The LINE_ID parameter has a range of 0 to 9. The following example of the command toggles off remote authentication on VTY line 0.
awplus> enable
awplus# configure terminal
awplus(config)# line vty 0
awplus(config-line)# no login authentication
Now, the switch uses the local manager accounts, instead of the remote accounts, to authenticate the user name and password when an administrator establishes a Telnet or SSH management session on VTY line 0.
Chapter 89 RADIUS and TACACS+ Client Commands The commands for the RADIUS and TACACS+ clients are summarized in Table 154 and described in detail within the chapter. Table 154. RADIUS and TACACS+ Client Commands Command Mode Description “AAA ACCOUNTING LOGIN” on page 1379 Global Configuration Configures RADIUS or TACACS+ accounting for login shell session. “AAA AUTHENTICATION ENABLE (TACACS+)” on page 1381 Global Configuration Enables the TACACS+ password on the switch.
Table 154. RADIUS and TACACS+ Client Commands (Continued)

Command                               Mode                  Description
“RADIUS-SERVER TIMEOUT” on page 1395  Global Configuration  Specifies the maximum amount of time the RADIUS client waits for a response from a RADIUS authentication server for an authentication request.
“SHOW RADIUS” on page 1396            Privileged Exec       Displays the configuration settings of the RADIUS client.
AAA ACCOUNTING LOGIN

Syntax
aaa accounting login default start-stop|stop-only|none group radius|tacacs

Parameters
default      Indicates the default accounting method list.
start-stop   Sends a start accounting message at the beginning of a session and a stop accounting message at the end of the session.
stop-only    Sends a stop accounting message at the end of the session.
none         Disables accounting messages.
group        Indicates the user server group.
Confirmation Commands
“SHOW RADIUS” on page 1396
“SHOW TACACS” on page 1398

Examples
To configure RADIUS accounting for login shell sessions, use the following commands:

awplus> enable
awplus# configure terminal
awplus(config)# aaa accounting login default start-stop group radius

To reset the configuration of the default accounting list, use the following commands:

awplus> enable
awplus# configure terminal
awplus(config)# no aaa accounting login default

To
AAA AUTHENTICATION ENABLE (TACACS+)

Syntax
aaa authentication enable default group tacacs [local]

Parameters
default   Indicates the default accounting method list.
group     Indicates the user server group. Specify the following:
          tacacs: Uses all TACACS+ servers.
local     Indicates that authentication using the password provided in the ENABLE PASSWORD command is attempted if a TACACS+ server is not available.
command is attempted if a TACACS+ server is not available, use the following commands:

awplus> enable
awplus# configure terminal
awplus(config)# aaa authentication enable default group tacacs local

To enable the TACACS+ password on the switch, use the following commands:

awplus> enable
awplus# configure terminal
awplus(config)# aaa authentication enable default group tacacs
AAA AUTHENTICATION LOGIN

Syntax
aaa authentication login default [group radius|tacacs] [local]

Parameters
default   Indicates the default accounting method list.
group     Indicates the user server group. Specify one of the following:
          radius: Uses all RADIUS servers.
          tacacs: Uses all TACACS+ servers.
local     Indicates that authentication using the password provided in the ENABLE PASSWORD command is attempted if a RADIUS or TACACS+ server is not available.
Confirmation Commands
“SHOW RADIUS” on page 1396
“SHOW TACACS” on page 1398

Examples
To enable RADIUS servers on the switch, use the following commands:

awplus> enable
awplus# configure terminal
awplus(config)# aaa authentication login default group radius local

To enable TACACS+ servers on the switch, use the following commands:

awplus> enable
awplus# configure terminal
awplus(config)# aaa authentication login default group tacacs local
IP RADIUS SOURCE-INTERFACE

Syntax
ip radius source-interface Ipv4 Address | VID

Parameters
Ipv4 Address   Indicates an IPv4 address in the following format: xxx.xxx.xxx.xxx
VID            Specifies a VLAN ID.

Modes
Global Configuration mode

Description
Use this command to assign the RADIUS source interface to an IPv4 address or VLAN ID. The RADIUS client uses the specified IP address on every outgoing RADIUS packet.
This example removes the RADIUS source IP address from the RADIUS client:

awplus> enable
awplus# configure terminal
awplus(config)# no ip radius source-interface
LOGIN AUTHENTICATION

Syntax
login authentication

Parameters
None

Modes
Console Line and Virtual Terminal Line modes

Description
Use this command to activate remote authentication of manager accounts for local management sessions and remote Telnet and SSH sessions. You can activate remote authentication separately for the different management methods.
This example activates remote authentication for remote Telnet and SSH management sessions that use VTY line 0:

awplus> enable
awplus# configure terminal
awplus(config)# line vty 0
awplus(config-line)# login authentication
NO LOGIN AUTHENTICATION

Syntax
no login authentication

Parameters
None

Modes
Console Line and Virtual Terminal Line modes

Description
Use this command to deactivate remote authentication for local management sessions and remote Telnet and SSH sessions.
NO RADIUS-SERVER HOST

Syntax
no radius-server host ipaddress

Parameter
ipaddress   Specifies an IP address of a RADIUS server to be deleted from the authentication server list.

Mode
Global Configuration mode

Description
Use this command to delete IP addresses of RADIUS servers from the list of authentication servers on the switch. You can delete only one IP address at a time with this command.
NO TACACS-SERVER HOST

Syntax
no tacacs-server host ipaddress

Parameter
ipaddress   Specifies an IP address of a TACACS+ server to be deleted from the TACACS+ client. You can delete just one address at a time with this command.

Mode
Global Configuration mode

Description
Use this command to delete IP addresses of TACACS+ servers from the client. You can delete only one IP address at a time with this command.
RADIUS-SERVER HOST

Syntax
radius-server host ipaddress [acct-port value] [auth-port value] [key value]

Parameters
ipaddress   Specifies the IP address of a RADIUS server on the network.
acct-port   Specifies the accounting port. This is the UDP destination port for RADIUS accounting requests. If 0 is specified, the server is not used for accounting. The default UDP port for accounting is 1813.
Examples
This example adds a RADIUS server with the IP address 176.225.15.23. The UDP port is 1811, and the encryption key is “abt54”:

awplus> enable
awplus# configure terminal
awplus(config)# radius-server host 176.225.15.23 auth-port 1811 key abt54

This example adds the IP address 149.245.22.22 of a RADIUS server to the RADIUS client on the switch.
RADIUS-SERVER KEY

Syntax
radius-server key value

Parameters
key   Specifies the global encryption key of the RADIUS servers. The maximum length is 40 characters.

Mode
Global Configuration mode

Description
Use this command to add the global encryption key of the RADIUS servers to the RADIUS client.
RADIUS-SERVER TIMEOUT

Syntax
radius-server timeout value

Parameters
timeout   Specifies the maximum amount of time the RADIUS client waits for a response from a RADIUS authentication server. The range is 1 to 1,000 seconds. The default is 5 seconds.

Mode
Global Configuration mode

Description
Use this command to set the timeout value for the RADIUS client on the switch.
SHOW RADIUS

Syntax
show radius

Parameters
None

Modes
Privileged Exec mode

Description
Use this command to display the configuration of the RADIUS client. Here is an example of the client information.

RADIUS Global Configuration
  Source Interface    : 192.168.3.97
  Timeout             : 5 sec
  Server Host         : 192.168.1.75
    Authentication Port : 1812
    Accounting Port     : 1813

Figure 221. SHOW RADIUS Command

The fields are defined in this table.

Table 155.
Table 155. SHOW RADIUS Command (Continued)

Parameter         Description
Accounting Port   The accounting protocol port.
Encryption Keys   The server encryption keys, if defined.
SHOW TACACS

Syntax
show tacacs

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the configuration of the TACACS+ client on the switch. An example of the information is shown in Figure 222.

TACACS+ Global Configuration
  Timeout       : 5 sec
  Server Host   : 149.123.154.12
    Server Status : Alive
  Server Host   : 149.123.154.26
    Server Status : Dead

Figure 222. SHOW TACACS Command

The fields are described in Table 156.

Table 156.
Table 156. SHOW TACACS Command (Continued)

Parameter       Description
Server Status   Indicates the status of the server host. One of the following options is displayed:
                – Alive: Indicates the server is working correctly. The sockets are successful.
                – Dead: Indicates the server has timed out or the sockets are unsuccessful.
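As an added example that is not part of the guide, the following Python parser reads SHOW RADIUS and SHOW TACACS output in the layout of Figures 221 and 222 and reports which servers the client considers Dead. The sample text is constructed from those figures; the indentation and the field names are assumed to follow them.

```python
import re

# Constructed sample text modelled on Figures 221 and 222; indentation and
# field names are assumed to follow the figures, not captured from a switch.
SHOW_RADIUS_OUTPUT = """\
RADIUS Global Configuration
  Source Interface    : 192.168.3.97
  Timeout             : 5 sec
  Server Host         : 192.168.1.75
    Authentication Port : 1812
    Accounting Port     : 1813
"""

SHOW_TACACS_OUTPUT = """\
TACACS+ Global Configuration
  Timeout       : 5 sec
  Server Host   : 149.123.154.12
    Server Status : Alive
  Server Host   : 149.123.154.26
    Server Status : Dead
"""

# "Field name : value"; the title lines carry no colon and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z+ ]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_show_output(text):
    """Split SHOW RADIUS / SHOW TACACS output into global fields and server records.

    Every 'Server Host' line opens a new server record; the indented fields that
    follow it (ports, status) belong to that server until the next 'Server Host'.
    Fields seen before the first 'Server Host' are global client settings.
    """
    parsed = {"global": {}, "servers": []}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.group("name").strip(), m.group("value")
        if name == "Server Host":
            current = {"Server Host": value}
            parsed["servers"].append(current)
        elif current is None:
            parsed["global"][name] = value
        else:
            current[name] = value
    return parsed


def timeout_seconds(parsed):
    """Return the client timeout as an int (the figures print it as '5 sec')."""
    return int(parsed["global"]["Timeout"].split()[0])


def dead_servers(parsed):
    """Hosts reported Dead (timed out or sockets unsuccessful, per Table 156)."""
    return [s["Server Host"] for s in parsed["servers"]
            if s.get("Server Status", "").lower() == "dead"]


def all_servers_dead(parsed):
    """True when every listed server is Dead; logins then depend on the 'local'
    fallback of the AAA AUTHENTICATION LOGIN method list."""
    servers = parsed["servers"]
    return bool(servers) and len(dead_servers(parsed)) == len(servers)


if __name__ == "__main__":
    tac = parse_show_output(SHOW_TACACS_OUTPUT)
    print("TACACS+ servers reported Dead:", dead_servers(tac))
    rad = parse_show_output(SHOW_RADIUS_OUTPUT)
    print("RADIUS source interface:", rad["global"]["Source Interface"])
```

Feeding the saved output of both commands through this parser after a change to the server list is a quick way to confirm that at least one server is still Alive before relying on remote authentication.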
TACACS-SERVER HOST

Syntax
tacacs-server host ipaddress [key value]

Parameters
host   Specifies an IP address of a TACACS+ server.
key    Specifies the secret key of a TACACS+ server. The maximum length is 40 characters.

Mode
Global Configuration mode

Description
Use this command to add IP addresses of TACACS+ servers to the TACACS+ client in the switch.
TACACS-SERVER KEY

Syntax
tacacs-server key value

Parameters
value   Specifies the global encryption key of the TACACS+ servers. The maximum length is 40 characters.

Mode
Global Configuration mode

Description
Use this command to add the global encryption key of the TACACS+ servers to the TACACS+ client.
TACACS-SERVER TIMEOUT

Syntax
tacacs-server timeout value

Parameters
timeout   Specifies the maximum amount of time the TACACS+ client waits for a response from a TACACS+ authentication server. The range is 1 to 1,000 seconds. The default is 5 seconds.

Mode
Global Configuration mode

Description
Use this command to set the timeout value for the TACACS+ client on the switch.
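As an added example that is not part of the guide, this Python check reads a running-configuration excerpt written with the commands of this chapter and flags the settings a reviewer would look at first: a login method list without the 'local' fallback, no AAA ACCOUNTING LOGIN, server keys longer than the 40-character limit or equal to the factory default global RADIUS key ATI listed in Appendix B, timeouts outside 1 to 1,000 seconds, and servers with no key at all. The configuration text and the wording of the findings are constructed; the check assumes the lines use exactly the syntax documented here.

```python
import re

# Constructed running-config excerpt assembled from commands documented in this
# chapter. Sample input only, not output captured from a real switch.
SAMPLE_CONFIG = """\
aaa authentication login default group radius local
aaa accounting login default start-stop group radius
radius-server host 176.225.15.23 auth-port 1811 key abt54
radius-server host 149.245.22.22
radius-server key ATI
radius-server timeout 5
tacacs-server host 149.123.154.12
line vty 0
 login authentication
"""

MAX_KEY_LEN = 40            # stated maximum for radius-server key / tacacs-server key
TIMEOUT_RANGE = (1, 1000)   # stated range for radius-server timeout / tacacs-server timeout
DEFAULT_RADIUS_KEY = "ATI"  # factory default global encryption key listed in Appendix B


def audit_aaa_config(config_text):
    """Return a list of findings for the AAA, RADIUS and TACACS+ lines in config_text."""
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    # 1. Which server group does login authentication use, and is 'local' a fallback?
    login = next((ln for ln in lines if ln.startswith("aaa authentication login default")), None)
    selected = set()
    if login is None:
        findings.append("remote login authentication is not configured (local accounts only)")
    else:
        m = re.search(r"\bgroup (radius|tacacs)\b", login)
        if m:
            selected.add(m.group(1))
        if "local" not in login.split():
            findings.append("login method list has no 'local' fallback; "
                            "no login is possible while every server is unreachable")

    # 2. Accounting of login shell sessions.
    if not any(ln.startswith("aaa accounting login default") for ln in lines):
        findings.append("no aaa accounting login configured; shell sessions are not recorded")

    # 3. Per-protocol server, key and timeout checks.
    for proto in ("radius", "tacacs"):
        hosts = [ln for ln in lines if ln.startswith(f"{proto}-server host ")]
        global_key = next((ln.split(None, 2)[2] for ln in lines
                           if ln.startswith(f"{proto}-server key ")), None)
        if proto in selected and not hosts:
            findings.append(f"{proto} is the login group but no {proto}-server host is configured")
        if hosts and proto not in selected:
            findings.append(f"{proto}-server host configured but no method list uses group {proto}")
        for host in hosts:
            addr = host.split()[2]
            km = re.search(r"\bkey (\S+)", host)
            key = km.group(1) if km else global_key   # per-server key overrides the global key
            if key is None:
                findings.append(f"{proto} server {addr} has no per-server key and no global key")
            elif len(key) > MAX_KEY_LEN:
                findings.append(f"{proto} server {addr} key exceeds {MAX_KEY_LEN} characters")
            elif proto == "radius" and key == DEFAULT_RADIUS_KEY:
                findings.append(f"radius server {addr} uses the factory default key '{DEFAULT_RADIUS_KEY}'")
        tm = next((ln for ln in lines if ln.startswith(f"{proto}-server timeout ")), None)
        if tm is not None:
            value = int(tm.split()[2])
            if not TIMEOUT_RANGE[0] <= value <= TIMEOUT_RANGE[1]:
                findings.append(f"{proto}-server timeout {value} is outside {TIMEOUT_RANGE}")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa_config(SAMPLE_CONFIG):
        print("-", finding)
```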
Appendix A

System Monitoring Commands

The system monitoring commands are summarized in Table 157 and described in detail within the chapter.

Table 157. System Monitoring Commands

Command                          Mode             Description
“SHOW CPU” on page 1404          Privileged Exec  Displays a list of running processes and their CPU utilization.
“SHOW CPU HISTORY” on page 1405  Privileged Exec  Displays graphs of historical CPU utilization of the switch.
SHOW CPU

Syntax
show cpu [sort pri|runtime|sleep|thrds]

Parameters
pri       Sorts the list by process priorities.
runtime   Sorts the list by the runtimes of the processes.
sleep     Sorts the list by the average sleeping times.
thrds     Sorts the list by the number of threads.

Mode
Privileged Exec mode

Description
Use this command to display a list of running processes with their CPU utilizations.
SHOW CPU HISTORY

Syntax
show cpu history

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display graphs of historical CPU utilization on the switch.
SHOW CPU USER-THREADS

Syntax
show cpu user-threads

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display a list of CPU utilization and the status of the user threads.
SHOW MEMORY

Syntax
show memory [sort peak|size|stk]

Parameters
peak   Sorts the list by the peak amounts of memory the processes have ever used.
size   Sorts the list by the peak amounts of memory the processes are currently using.
stk    Sorts the list by the stack sizes of the processes.

Mode
Privileged Exec mode

Description
Use this command to display the memory consumption of each process.
SHOW MEMORY ALLOCATION

Syntax
show memory allocation process

Parameter
process   Specifies a system process.

Mode
Privileged Exec mode

Description
Use this command to display the memory allocations used by the processes.
SHOW MEMORY HISTORY

Syntax
show memory history

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display a graph showing historical memory usage.
SHOW MEMORY POOLS

Syntax
show memory pools

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display a list of memory pools used by the processes.
SHOW PROCESS

Syntax
show memory process [sort cpu|mem]

Parameters
cpu   Sorts the list by percentage of CPU utilization.
mem   Sorts the list by percentage of memory utilization.

Mode
Privileged Exec mode

Description
Use this command to display a summary of the current running processes.
SHOW SYSTEM SERIALNUMBER

Syntax
show system serialnumber

Parameters
None

Modes
User Exec mode and Privileged Exec mode

Description
Use this command to display the serial number of the switch. The serial number is also displayed with “SHOW SYSTEM” on page 133.
SHOW SYSTEM INTERRUPTS

Syntax
show system interrupts

Parameters
None

Mode
Privileged Exec mode

Description
Use this command to display the number of interrupts for each Interrupt Request (IRQ) used to interrupt input lines on a Programmable Interrupt Controller (PIC) on the switch.
SHOW TECH-SUPPORT

Syntax
show tech-support [all]

Parameters
all   Performs the full set of technical support commands.

Mode
Privileged Exec mode

Description
Use this command to store the system information in a file. You may be asked to perform this command and to send the file to Allied Telesis technical support if you contact the company for assistance with a switch problem.
With the ALL option, the command performs the previous commands and these additional commands:

SHOW ARP
SHOW INTERFACE
SHOW IP INTERFACE
SHOW IPV6 INTERFACE
SHOW MAC ADDRESS-TABLE

Examples
This example stores the system information in a file:

awplus# show tech-support

This example performs the full set of technical support commands and stores the system information in a file:

awplus# show tech-support all
Appendix B

Management Software Default Settings

This appendix lists the factory default settings of the switch. The features are listed in alphabetical order:

“Boot Configuration File” on page 1418
“Class of Service” on page 1419
“Console Port” on page 1420
“802.
Boot Configuration File

The following table lists the name of the default configuration file.

Boot Configuration File   Default
Switch                    boot.
Class of Service

The following table lists the default mappings of the IEEE 802.1p priority levels to the egress port priority queues.

IEEE 802.
Console Port

The following table lists the default settings for the Console port.

Console Port Setting   Default
Data Bits              8
Stop Bits              1
Parity                 None
Flow Control           None
Baud Rate              9600 bps

Note
The baud rate is the only adjustable parameter on the port.
802.1x Port-Based Network Access Control

The following table describes the 802.1x Port-based Network Access Control default settings.

802.1x Port-based Network Access Control Settings   Default
Port Access Control                                 Disabled
Authentication Method                               RADIUS EAP
Port Roles                                          None
Authentication Port                                 1812

The following table lists the default settings for an authenticator port.

Authenticator Port Setting   Default
Authentication Mode          802.
The following table lists the default settings for RADIUS accounting.
Enhanced Stacking

The following table lists the enhanced stacking default setting.
GVRP

This section provides the default settings for GVRP.
IGMP Snooping

The following table lists the IGMP Snooping default settings.
Link Layer Discovery Protocol (LLDP and LLDP-MED)

The following table lists the default settings for LLDP and LLDP-MED.
MAC Address-based Port Security

The following table lists the MAC address-based port security default settings.
MAC Address Table

The following table lists the default setting for the MAC address table.
Management IP Address

The following table lists the default settings for the management IP address.

Management IP Address Setting   Default
Management IP Address           0.0.0.0
Subnet Mask                     0.0.0.
Manager Account

The following table lists the manager account default settings.

Manager Account Setting              Default
Manager Login Name                   manager
Manager Password                     friend
Console Disconnect Timer Interval    10 minutes
Maximum Number of Manager Sessions   3

Note
Login names and passwords are case sensitive.
Port Settings

The following table lists the port configuration default settings.
RADIUS Client

The following table lists the RADIUS configuration default settings.

RADIUS Configuration Setting    Default
Global Encryption Key           ATI
Global Server Timeout Period    5 seconds
RADIUS Server 1 Configuration   0.0.0.0
RADIUS Server 2 Configuration   0.0.0.0
RADIUS Server 3 Configuration   0.0.0.
Remote Manager Account Authentication

The following table describes the remote manager account authentication default settings.
RMON

The following table lists the default settings for RMON collection histories. There are no default settings for alarms or events.
Secure Shell Server

The following table lists the SSH default settings.

SSH Setting              Default
Status                   Disabled
Host Key ID              Not Defined
Server Key ID            Not Defined
Server Key Expiry Time   0 hours
Login Timeout            180 seconds
SSH Port Number          22

Note
The SSH port number is not adjustable.
sFlow Agent

The default settings for the sFlow agent are listed in this table.

sFlow Agent Setting          Default
sFlow Agent Status           Disabled
sFlow Collector IP Address   0.0.0.
Simple Network Management Protocol (SNMPv1, SNMPv2c and SNMPv3)

The following table describes the default settings for SNMPv1, SNMPv2c and SNMPv3.
Simple Network Time Protocol

The following table lists the SNTP default settings.

SNTP Setting   Default
System Time    Sat, 01 Jan 2000 00:00:00
SNTP Status    Disabled
SNTP Server    0.0.0.
Spanning Tree Protocols (STP, RSTP and MSTP)

This section provides the default settings for STP and RSTP.

Spanning Tree Status

The following table describes the Spanning Tree Protocol default settings for the switch.

Spanning Tree Setting     Default
Spanning Tree Status      Enabled
Active Protocol Version   RSTP

Spanning Tree Protocol

The following table describes the STP default settings.
RSTP Setting                  Default
Loop Guard                    Disabled
BPDU Guard                    Disabled
BPDU Guard Timeout Status     Disabled
BPDU Guard Timeout Interval   300 seconds

Multiple Spanning Tree Protocol

The following table describes the RSTP default settings.
System Name

The default setting for the system name is listed in this table.
TACACS+ Client

The following table lists the TACACS+ client configuration default settings.

TACACS+ Client Configuration Setting   Default
TAC Server 1                           0.0.0.0
TAC Server 2                           0.0.0.0
TAC Server 3                           0.0.0.
Telnet Server

The default settings for the Telnet server are listed in this table.

Telnet Server Setting   Default
Telnet Server           Enabled
Telnet Port Number      23

Note
The Telnet port number is not adjustable.
VLANs

This section provides the VLAN default settings.
Web Server

The following table lists the web server default settings.
Command Index

A
AAA ACCOUNTING LOGIN command 1379
AAA ACCOUNTING LOGIN TACACS command 1379
AAA AUTHENTICATION DOT1X DEFAULT GROUP command 881
AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS command 894
AAA AUTHENTICATION ENABLE command 1381
AAA AUTHENTICATION LOGIN command 1383
AAA AUTHENTICATION RADIUS command 1379
ACCESS-CLASS command 1201
ACCESS-GROUP command 1184, 1203
ACCESS-LIST (MAC address) command 1169, 1205
ACCESS-LIST ICMP command 1169, 1208
ACCESS-LIST IP command 1169, 1211
ACCESS-LIST PROTO comma
ENABLE command 24, 64
ENABLE PASSWORD command 1266, 1272
END command 28, 65
ERASE STARTUP-CONFIG command 92, 113, 454
ESTACK COMMAND-SWITCH command 341, 363
ESTACK RUN command 364
EXEC-TIMEOUT command 96, 114
EXIT command 28, 54, 66
GVRP APPLICANT STATE ACTIVE command 752
GVRP APPLICANT STATE NORMAL command 744, 753
GVRP APPLICATION STATE ACTIVE command 739
GVRP ENABLE command 738, 754
GVRP REGISTRATION command 740, 743, 755
GVRP TIMER JOIN command 741, 756
GVRP TIMER LEAVE command 741, 757
GVRP TIM
NO ECOFRIENDLY LED command 79
NO EGRESS-RATE-LIMIT command 181
NO ENABLE PASSWORD command 1267, 1274
NO ESTACK COMMAND-SWITCH command 365
NO ESTACK RUN command 366
NO FLOWCONTROL command 150, 182
NO GVRP ENABLE command 745, 759
NO HOSTNAME command 120
NO HTTPS SERVER command 1345
NO INSTANCE MSTI-ID PRIORITY command 664
NO INSTANCE MSTI-ID VLAN command 665
NO IP ADDRESS command 264, 284
NO IP ADDRESS DHCP command 264, 285
NO IP IGMP SNOOPING command 402, 414
NO IP I
NO SWITCHPORT VLAN-STACKING command 832
NO TACACS-SERVER HOST command 1372, 1391
NO TACACS-SERVER KEY command 1401
NO TACACS-SERVER TIMEOUT command 1402
NO USERNAME command 1265, 1276
NO VLAN command 708, 715, 782, 788, 807, 810
NO VLAN MACADDRESS command (Global Configuration mode) 781, 789
NO VLAN MACADDRESS command (Port Interface mode) 781, 790
NO WRR-QUEUE WEIGHT command 1248
NO AAA AUTHENTICATION ENABLE command 1381
NTP PEER command 297, 308

P
PING command 90, 121
PING IPV6 command 123
PING IPv
SHOW IP INTERFACE command 265, 289
SHOW IP ROUTE command 263, 265, 290
SHOW IPV6 INTERFACE command 269, 292
SHOW IPV6 ROUTE command 267, 269, 293
SHOW LACP SYS-ID command 556
SHOW LLDP command 1045, 1091
SHOW LLDP INTERFACE command 1026, 1027, 1029, 1031, 1046, 1093
SHOW LLDP LOCAL-INFO INTERFACE command 1049, 1095
SHOW LLDP NEIGHBORS DETAIL command 1047, 1097
SHOW LLDP NEIGHBORS INTERFACE command 1047, 1102
SHOW LLDP STATISTICS command 1050, 1104
SHOW LLDP STATISTI
SPANNING-TREE MODE MSTP command 676
SPANNING-TREE MODE RSTP command 606, 634
SPANNING-TREE MODE STP command 582, 598
SPANNING-TREE MST CONFIGURATION command 678
SPANNING-TREE MST INSTANCE command 679
SPANNING-TREE MSTP ENABLE command 677
SPANNING-TREE PATH-COST command 586, 599, 611, 635, 680
SPANNING-TREE PORTFAST BPDU-GUARD command 637, 682
SPANNING-TREE PORTFAST command 611, 636, 681
SPANNING-TREE PRIORITY (Bridge Priority) command 584, 602, 608, 638
SPANNING-TREE PRIORITY (Port Priority) command