ECS2100-10T/PE/P ECS2100-28T/P/PP 10/28-Port Web-smart Pro Gigabit Ethernet Switch CLI Reference Guide Software Release v1.2.2.31 www.edge-core.
CLI Reference Guide ECS2100-10T Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) Ports and 2 Gigabit SFP Ports ECS2100-10PE Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) 802.3 af/at PoE Ports with 2 Gigabit SFP Ports (PoE Power Budget: 65W) ECS2100-10P Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) 802.
How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features. Who Should Read This Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment. Documentation This documentation is provided for general information purposes only.
Revision Date Change Description
v1.2.2.
Updated:
• "prompt" on page 83
• "show process cpu task" on page 102
• "show system" on page 105
• "show tech-support" on page 107
• "watchdog software" on page 109
• "delete" on page 117
• "Time" on page 146
• "snmp-server enable port-traps link-up-down" on page 177
• "radius-server encrypted-key" on page 219
• "tacacs-server encrypted-key" on page 223
• "ip dhcp snooping information option" on page 293
• "ip arp inspection limit" on page 319
• "ip
v1.2.2.9 rev. 3 06/2018
v1.2.2.9 rev. 2 06/2018
Removed:
• “clear collision-mac-address-table dynamic”
• “show collision-macaddress-table”
• “show ip default-gateway”
• “show ipv6 mld snooping group source-list”
Document EIT Corrections
Added:
• "clear ip rip statistics" on page 704
Updated:
• Multiple minor inaccuracies fixed per internal audit.
v1.2.2.9 rev. 1 08/2017
v1.2.2.0 01/2017
• "qos map cos-queue" on page 512
• "qos map dscp-queue" on page 514
• "qos map trust-mode" on page 515
• "service-policy" on page 527
• "clear arp-cache" on page 658
• "show arp" on page 658
Removed:
• Unsupported selective QinQ commands from "Configuring IEEE 802.
Revision v1.1.2.
Contents How to Use This Guide Section I 3 Contents 11 Tables 37 Getting Started 43 1 Initial Switch Configuration Connecting to the Switch 45 45 Configuration Options 45 Connecting to the Console Port 46 Logging in to the Command Line Interface 47 Setting Passwords 47 Remote Connections 48 Configuring the Switch for Remote Management 48 Using the Network Interface 48 Setting an IP Address 48 Configuring the Switch for Cloud Management 54 Enabling SNMP Management Access 54 Ma
Configuring NTP Section II 68 Command Line Interface 2 Using the Command Line Interface Accessing the CLI 69 71 71 Console Connection 71 Telnet Connection 72 Entering Commands 73 Keywords and Arguments 73 Minimum Abbreviation 73 Command Completion 73 Getting Help on Commands 74 Partial Keyword Lookup 75 Negating the Effect of Commands 76 Using Command History 76 Understanding Command Modes 76 Exec Commands 76 Configuration Commands 77 Command Line Processing 79 Sho
4 System Management Commands Cloud Management 91 91 mgmt 92 mgmt loglevel 92 mgmt setoption 93 mgmt property 95 mgmt upgrade 95 show mgmt status 96 show mgmt version 96 show mgmt log 96 show mgmt option 97 Device Designation 97 hostname 97 System Status 98 show access-list tcam-utilization 99 show memory 100 show process cpu 101 show process cpu guard 101 show process cpu task 102 show running-config 103 show startup-config 105 show system 105 show tech-su
whichboot 119 Automatic Code Upgrade Commands 119 upgrade opcode auto 119 upgrade opcode path 120 upgrade opcode reload 121 show upgrade 122 TFTP Configuration Commands 122 ip tftp retry 122 ip tftp timeout 123 show ip tftp 123 Line 124 line 125 databits 125 exec-timeout 126 login 127 parity 128 password 128 password-thresh 129 silent-time 130 speed 131 stopbits 131 timeout login response 132 disconnect 132 terminal 133 show line 134 Event Logging
SMTP Alerts 142 logging sendmail 143 logging sendmail destination-email 143 logging sendmail host 144 logging sendmail level 144 logging sendmail source-email 145 show logging sendmail 145 Time 146 SNTP Commands 147 sntp client 147 sntp poll 148 sntp server 148 show sntp 149 NTP Commands 150 ntp authenticate 150 ntp authentication-key 150 ntp client 151 ntp server 152 show ntp 153 Manual Configuration Commands 153 clock summer-time (date) 153 clock summer-
cluster member 166 rcommand 166 show cluster 167 show cluster members 167 show cluster candidates 168 5 SNMP Commands 169 General SNMP Commands 171 snmp-server 171 snmp-server community 171 snmp-server contact 172 snmp-server location 172 show snmp 173 SNMP Target Host Commands 174 snmp-server enable traps 174 snmp-server host 175 snmp-server enable port-traps link-up-down 177 snmp-server enable port-traps mac-notification 178 show snmp-server enable port-traps 1
process cpu 191 process cpu guard 192 6 Remote Monitoring Commands 195 rmon alarm 196 rmon event 197 rmon collection history 198 rmon collection rmon1 199 show rmon alarms 200 show rmon events 200 show rmon history 201 show rmon statistics 201 7 Flow Sampling Commands 203 sflow owner 203 sflow polling instance 205 sflow sampling instance 206 show sflow 207 8 Authentication Commands 209 User Accounts and Privilege Levels 210 enable password 210 username 211 p
show radius-server TACACS+ Client 220 221 tacacs-server host 221 tacacs-server key 222 tacacs-server encrypted-key 223 tacacs-server port 223 tacacs-server retransmit 224 tacacs-server timeout 224 show tacacs-server 225 AAA 225 aaa accounting commands 226 aaa accounting dot1x 227 aaa accounting exec 228 aaa accounting update 229 aaa authorization commands 229 aaa authorization exec 230 aaa group server 231 server 232 accounting dot1x 232 accounting commands 233
telnet (client) 243 show ip telnet 244 Secure Shell 244 ip ssh authentication-retries 246 ip ssh server 247 ip ssh timeout 248 delete public-key 248 ip ssh crypto host-key generate 249 ip ssh crypto zeroize 249 ip ssh save host-key 250 show ip ssh 250 show public-key 251 show ssh 251 802.
9 General Security Measures Port Security 267 268 mac-learning 268 port security 269 show port security 271 Network Access (MAC Address Authentication) 273 network-access aging 273 network-access mac-filter 274 mac-authentication reauth-time 275 network-access dynamic-qos 276 network-access dynamic-vlan 277 network-access guest-vlan 278 network-access max-mac-count 278 network-access mode mac-authentication 279 network-access port-mac-filter 280 mac-authentication intru
ip dhcp snooping information option 293 ip dhcp snooping information option encode no-subtype 294 ip dhcp snooping information option remote-id 296 ip dhcp snooping information option tr101 board-id 297 ip dhcp snooping information policy 297 ip dhcp snooping verify mac-address 298 ip dhcp snooping vlan 299 ip dhcp snooping information option circuit-id 300 ip dhcp snooping max-number 302 ip dhcp snooping trust 302 clear ip dhcp snooping binding 303 clear ip dhcp snooping dat
show ip arp inspection vlan Denial of Service Protection 321 322 dos-protection echo-chargen 322 dos-protection smurf 323 dos-protection tcp-flooding 323 dos-protection tcp-null-scan 324 dos-protection tcp-syn-fin-scan 324 dos-protection tcp-xmas-scan 325 dos-protection udp-flooding 325 dos-protection win-nuke 326 show dos-protection 326 Port-based Traffic Segmentation 327 traffic-segmentation 327 traffic-segmentation session 328 traffic-segmentation uplink/downlink 329
permit, deny (MAC ACL) 348 mac access-group 350 show mac access-group 351 show mac access-list 351 ARP ACLs 352 access-list arp 352 permit, deny (ARP ACL) 353 show access-list arp 354 ACL Information 355 clear access-list hardware counters 355 show access-group 355 show access-list 356 11 Interface Commands 357 Interface Configuration 358 interface 358 capabilities 359 description 360 flowcontrol 361 history 362 media-type 362 negotiation 363 shutdown 364
transceiver-threshold temperature 378 transceiver-threshold tx-power 379 transceiver-threshold voltage 380 show interfaces transceiver 381 show interfaces transceiver-threshold 382 Cable Diagnostics 383 test cable-diagnostics 383 show cable-diagnostics 384 Power Savings 385 power-save 385 show power-save 386 12 Link Aggregation Commands 387 Manual Configuration Commands 388 port channel load-balance 388 channel-group 390 Dynamic Configuration Commands 391 lacp 391
power download 407 show power inline status 409 show power inline time-range 410 show power mainpower 411 14 Port Mirroring Commands Local Port Mirroring Commands 413 413 port monitor 413 show port monitor 414 RSPAN Mirroring Commands 415 rspan source 417 rspan destination 418 rspan remote vlan 419 no rspan session 420 show rspan 421 15 Congestion Control Commands Rate Limit Commands 423 423 rate-limit 424 Storm Control Commands 426 switchport packet-rate 16 Loopba
show mac-address-table count 439 18 Smart Pair Commands 441 Smart Pair Concept 441 smart-pair 441 smart-pair restore 442 primary-port 443 backup-port 444 wtr-delay 445 show smart-pair 445 19 Spanning Tree Commands 447 spanning-tree 448 spanning-tree cisco-prestandard 449 spanning-tree forward-time 449 spanning-tree hello-time 450 spanning-tree max-age 451 spanning-tree mode 451 spanning-tree mst configuration 453 spanning-tree pathcost method 453 spanning-tree p
spanning-tree loopback-detection trap 467 spanning-tree mst cost 467 spanning-tree mst port-priority 468 spanning-tree port-bpdu-flooding 469 spanning-tree port-priority 469 spanning-tree root-guard 470 spanning-tree spanning-disabled 471 spanning-tree tc-prop-stop 471 spanning-tree loopback-detection release 472 spanning-tree protocol-migration 473 show spanning-tree 473 show spanning-tree mst configuration 476 20 VLAN Commands 477 Editing VLAN Groups 477 vlan database
protocol-vlan protocol-group (Configuring Interfaces) 493 show protocol-vlan protocol-group 494 show interfaces protocol-vlan protocol-group 495 Configuring MAC Based VLANs 496 mac-vlan 496 show mac-vlan 497 Configuring Voice VLANs 498 voice vlan 498 voice vlan aging 499 voice vlan mac-address 500 switchport voice vlan 501 switchport voice vlan priority 502 switchport voice vlan rule 502 switchport voice vlan security 503 show voice vlan 504 21 Class of Service Comman
policy-map 523 class 524 police rate 525 set cos 526 set ip dscp 527 service-policy 527 show class-map 528 show policy-map 529 show policy-map interface 529 23 Multicast Filtering Commands 531 IGMP Snooping 532 ip igmp snooping 533 ip igmp snooping mrouter-forward-mode dynamic 534 ip igmp snooping proxy-reporting 534 ip igmp snooping querier 535 ip igmp snooping router-alert-option-check 535 ip igmp snooping router-port-expire-time 536 ip igmp snooping tcn-flood
show ip igmp snooping 550 show ip igmp snooping group 551 show ip igmp snooping mrouter 552 show ip igmp snooping statistics 552 Static Multicast Routing 555 ip igmp snooping vlan mrouter IGMP Filtering and Throttling 555 556 ip igmp filter (Global Configuration) 557 ip igmp profile 557 permit, deny 558 range 558 ip igmp filter (Interface Configuration) 559 ip igmp max-groups 560 ip igmp max-groups action 560 ip igmp query-drop 561 show ip igmp filter 562 show ip igmp
show ipv6 mld snooping 575 show ipv6 mld snooping group 575 show ipv6 mld snooping mrouter 578 show ipv6 mld snooping statistics 578 MLD Filtering and Throttling 582 ipv6 mld filter (Global Configuration) 583 ipv6 mld profile 584 permit, deny 584 range 585 ipv6 mld filter (Interface Configuration) 586 ipv6 mld max-groups 586 ipv6 mld max-groups action 587 ipv6 mld query-drop 588 show ipv6 mld filter 588 show ipv6 mld profile 589 show ipv6 mld query-drop 589 show ipv
lldp dot1-tlv vlan-name 603 lldp dot3-tlv link-agg 604 lldp dot3-tlv mac-phy 604 lldp dot3-tlv max-frame 605 lldp dot3-tlv poe 605 lldp med-location civic-addr 606 lldp med-notification 608 lldp med-tlv ext-poe 608 lldp med-tlv inventory 609 lldp med-tlv location 609 lldp med-tlv med-cap 610 lldp med-tlv network-policy 610 lldp notification 611 show lldp config 612 show lldp info local-device 613 show lldp info remote-device 614 show lldp info statistics 616 25 Do
DHCP Client 627 DHCP for IPv4 628 ip dhcp dynamic-provision 628 ip dhcp client class-id 629 ip dhcp restart client 631 show ip dhcp dynamic-provision 631 DHCP for IPv6 632 ipv6 dhcp client rapid-commit vlan 632 ipv6 dhcp restart client vlan 632 show ipv6 dhcp duid 634 show ipv6 dhcp vlan 634 DHCP Relay (IPv4 and IPv6) 635 ip dhcp relay server 635 ip dhcp l2 relay 636 ip dhcp l3 relay 637 ip dhcp restart relay 638 ip dhcp relay information option 639 ip dhcp relay
arp 656 ip proxy-arp 657 clear arp-cache 658 show arp 658 IPv6 Interface 659 Interface Address Configuration and Utilities 660 ipv6 default-gateway 660 ipv6 address 661 ipv6 address autoconfig 662 ipv6 address eui-64 664 ipv6 address link-local 666 ipv6 enable 667 ipv6 mtu 668 show ipv6 default-gateway 669 show ipv6 interface 669 show ipv6 mtu 671 show ipv6 traffic 672 clear ipv6 traffic 676 ping6 677 traceroute6 678 Neighbor Discovery 679 ipv6 nd dad atte
Section III default-metric 690 distance 691 maximum-prefix 692 neighbor 693 network 693 passive-interface 694 redistribute 695 timers basic 696 version 697 ip rip authentication mode 698 ip rip authentication string 699 ip rip receive version 699 ip rip receive-packet 700 ip rip send version 701 ip rip send-packet 702 ip rip split-horizon 702 clear ip rip route 703 clear ip rip statistics 704 show ip protocols rip 705 show ip rip 705 Appendices 707 A Trou
Tables Table 1: Options 60, 66 and 67 Statements 65 Table 2: Options 55 and 124 Statements 65 Table 3: General Command Modes 76 Table 4: Configuration Command Modes 78 Table 5: Keystroke Commands 79 Table 6: Command Group Index 80 Table 7: General Commands 83 Table 8: System Management Commands 91 Table 9: Cloud Management Commands 91 Table 10: Cloud Management Agent Options 93 Table 11: Device Designation Commands 97 Table 12: System Status Commands 98 Table 13: show access-list tc
Table 30: SNMP Commands 169 Table 31: show snmp engine-id - display description 184 Table 32: show snmp group - display description 185 Table 33: show snmp user - display description 186 Table 34: show snmp view - display description 187 Table 35: RMON Commands 195 Table 36: sFlow Commands 203 Table 37: Authentication Commands 209 Table 38: User Access Commands 210 Table 39: Default Login Settings 212 Table 40: Authentication Sequence Commands 214 Table 41: RADIUS Client Comman
Table 65: Access Control List Commands 333 Table 66: IPv4 ACL Commands 333 Table 67: IPv6 ACL Commands 340 Table 68: MAC ACL Commands 346 Table 69: ARP ACL Commands 352 Table 70: ACL Information Commands 355 Table 71: Interface Commands 357 Table 72: show interfaces counters - display description 368 Table 73: show interfaces switchport - display description 374 Table 74: Link Aggregation Commands 387 Table 75: show lacp counters - display description 398 Table 76: show lacp in
Table 100: 802.
Table 135: Basic IP Configuration Commands 648 Table 136: Address Resolution Protocol Commands 656 Table 137: IPv6 Configuration Commands 659 Table 138: show ipv6 interface - display description 670 Table 139: show ipv6 mtu - display description 672 Table 140: show ipv6 traffic - display description 673 Table 141: show ipv6 neighbors - display description 683 Table 160: IP Routing Commands 685 Table 161: Global Routing Configuration Commands 685 Table 162: Routing Information Proto
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IPv4 address for this switch is obtained via DHCP by default.
◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.
Logging in to the Command Line Interface The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
Console(config)#username admin password 0 [password]
Console(config)#
* This manual covers the ECS2100-10T/28T Gigabit Ethernet switches, and the ECS2100-10PE/10P/28P/28PP Gigabit Ethernet PoE switches. Other than the difference in port types, and support for PoE, there are no significant differences.
Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router. To configure that router as the switch's default gateway, use the ip default-gateway command.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator:
◆ Prefix for this network
◆ IP address for the switch
◆ Default gateway for the network
For netw
Global unicast address(es):
  2001:db8:2222:7272::/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es):
  ff02::1:ff00:0
  ff02::1:ff11:6700
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
Configuring the Switch for Cloud Management The Edgecore ecCLOUD Controller is a cloud-based network service available from anywhere through a web-browser interface. The switch can be managed by the ecCLOUD controller once you have set up an account and registered the device on the system.
Enabling SNMP Management Access The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e.
Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The types of files are: ◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved.
Upgrading the Operation Code The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server. Note that “anonymous” is set as the default user name. File names on the switch are case-sensitive.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press Enter.
2. Enter the name of the start-up file. Press Enter.
Automatic Installation of Operation Code and Configuration Settings Downloading Operation Code from a File Server Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image. ◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://site9:billy@192.168.0.1/sm24/
Console(config)#
2. Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.
Console(config)#upgrade opcode reload
Console(config)#
3.
The following shows an example of the upgrade process.
Console#dir
File Name                      Type    Startup Modified Time       Size (bytes)
------------------------------ ------- ------- ------------------- ----------
Unit 1:
ECS2100_V1.2.2.15.bix          OpCode  N       2017-10-27 10:05:27 9,130,248
ECS2100_v1.2.2.9.bix           OpCode  Y       2018-03-21 09:22:07 8,798,472
Factory_Default_Config.cfg     Config  N       2016-04-13 05:28:36 477
startup1.
Downloading a Configuration File and Other Parameters from a DHCP Server DHCP client Identifier (Option 60) is used by DHCP clients to specify their unique identifier. The client identifier is optional and can be specified while configuring DHCP on the primary network interface. DHCP Option 60 is disabled by default. The general framework for this DHCP option is set out in RFC 2132 (Option 60).
◆ If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP.
#option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.
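The dhcpd fragment above hands the switch options 66 and 67, and the preceding text describes the option 60 identifier the switch sends. On the wire every DHCP option is a code byte, a length byte and the value, in the RFC 2132 encoding (RFC 2132 lists option 60 as the vendor class identifier). The Python below is an added example, not code from this guide or from the switch firmware: it encodes and parses that options field and rejects a truncated option instead of reading past the end of the buffer. The request and reply bytes, the server name and the file name in them are constructed.

```python
"""Encode and parse the DHCP options field (RFC 2132 TLV layout).

Added example; not from the Edgecore guide. All packet contents below are
constructed for the demonstration.
"""

OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_CLASS, OPT_TFTP_SERVER, OPT_BOOTFILE = 60, 66, 67
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field


def encode_options(items):
    """Build an options field: magic cookie, one TLV per (code, value), then END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in items:
        if not 0 < len(value) < 256:
            raise ValueError("option value must be 1..255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Return {code: value_bytes}. Raises ValueError on a malformed field."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i = len(MAGIC_COOKIE)
    opts = {}
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:          # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} truncated: no length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:     # declared length runs past the buffer
            raise ValueError(f"option {code} truncated: declared {length}, got {len(value)}")
        # A repeated code carries a continuation of the same value (RFC 3396).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field not terminated by END")


def is_well_formed(blob):
    """True when parse_options accepts the field, False on any ValueError."""
    try:
        parse_options(blob)
        return True
    except ValueError:
        return False


def provisioning_params(blob):
    """Pull out the three auto-provisioning options as text (None if absent)."""
    opts = parse_options(blob)

    def text(code):
        v = opts.get(code)
        return v.decode("ascii") if v is not None else None

    return {"vendor_class": text(OPT_VENDOR_CLASS),
            "tftp_server": text(OPT_TFTP_SERVER),
            "bootfile": text(OPT_BOOTFILE)}


# Constructed client DISCOVER: message type 1, option 60 identifier and an
# option 55 parameter request list asking for 1, 3, 66 and 67.
CLIENT_REQUEST = encode_options([
    (53, b"\x01"),
    (OPT_VENDOR_CLASS, b"ECS2100-28T"),
    (55, bytes([1, 3, OPT_TFTP_SERVER, OPT_BOOTFILE])),
])

# Constructed server ACK: what a dhcpd configured like the fragment above
# could return (server address and file name are made up).
SERVER_REPLY = encode_options([
    (53, b"\x05"),
    (1, b"\xff\xff\xff\x00"),
    (3, b"\xc0\xa8\xff\x65"),        # router 192.168.255.101
    (OPT_TFTP_SERVER, b"192.168.255.5"),
    (OPT_BOOTFILE, b"startup-ecs2100.cfg"),
])

if __name__ == "__main__":
    print(parse_options(CLIENT_REQUEST))
    print(provisioning_params(SERVER_REPLY))
    print("truncated reply accepted:", is_well_formed(SERVER_REPLY[:-5]))
```

Cutting the reply short drops the END marker and part of option 67; the parser reports the truncation rather than returning a partial file name, which is the behaviour you want before a value is used to pick a configuration file.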
Setting the Time Manually To manually set the clock to 10:30:36, July 29th, 2018, enter this command.
Console#calendar set 10 30 36 29 July 2018
Console#
To set the time zone, enter a command similar to the following.
Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#
To set the time shift for summer time, enter a command similar to the following.
Configuring NTP Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
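Several of the settings in this chapter decide how exposed the management plane is once the switch is reachable over the network: a plaintext password 0 entry in the saved configuration, a community string that every SNMP v1/v2c client will try first, a trap receiver configured with that same string, an FTP upgrade path with credentials embedded in the URL, and NTP servers used without ntp authenticate. The Python below is an added example, not part of this guide and not the switch's own tooling: it scans a saved configuration for those patterns. The configuration text is constructed; the command keywords are the ones shown in this chapter, but the argument layout after each keyword (for example the "ro"/"rw" after a community string and the "password 7" form) is assumed.

```python
"""Audit a saved switch configuration for weak management-plane settings.

Added example, not from the Edgecore guide. SAMPLE_CONFIG is constructed and
the argument layout after each command keyword is an assumption.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of a running-config (command keywords from the guide,
# argument order after the keyword assumed).
SAMPLE_CONFIG = """\
hostname edge-sw1
username admin password 0 admin123
username ops password 7 1b2c3d4e5f
snmp-server community public ro
snmp-server community s3cret-rw rw
snmp-server host 192.0.2.10 public
ntp server 192.0.2.20
ntp server 192.0.2.21
upgrade opcode path ftp://site9:billy@192.0.2.30/images/
upgrade opcode auto
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def audit_config(text):
    """Return a list of (severity, line_no, message) findings, in scan order;
    NTP findings are appended last because they depend on the whole file."""
    findings = []
    ntp_servers = []
    ntp_auth = False
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # "password 0" stores the credential in the clear in the saved config.
        m = re.match(r"username\s+(\S+)\s+password\s+0\s+\S+", line)
        if m:
            findings.append(("high", n, f"user '{m.group(1)}' has a plaintext password (password 0)"))
        m = re.match(r"snmp-server community\s+(\S+)", line)
        if m and m.group(1).lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("high", n, f"well-known SNMP community '{m.group(1)}'"))
        m = re.match(r"snmp-server host\s+(\S+)\s+(\S+)", line)
        if m and m.group(2).lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("medium", n, f"trap receiver {m.group(1)} uses well-known community '{m.group(2)}'"))
        if line == "ntp authenticate":
            ntp_auth = True
        m = re.match(r"ntp server\s+(\S+)", line)
        if m:
            ntp_servers.append((n, m.group(1)))
        # Credentials inside the upgrade URL end up in the saved config and in
        # any backup of it.
        m = re.match(r"upgrade opcode path\s+(\S+)", line)
        if m:
            url = urlsplit(m.group(1))
            if url.password is not None:
                findings.append(("medium", n, f"upgrade URL embeds credentials for user '{url.username}' on {url.hostname}"))
    if ntp_servers and not ntp_auth:
        for n, host in ntp_servers:
            findings.append(("medium", n, f"ntp server {host} configured without 'ntp authenticate'"))
    return findings


if __name__ == "__main__":
    for severity, line_no, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] line {line_no}: {message}")
```

Run against a configuration pulled with show running-config, the script is a cheap pre-deployment check; each finding maps to a command family in this guide (username, snmp-server community, snmp-server host, upgrade opcode path, ntp authenticate).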
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “Smart Pair Commands” on page 441
◆ “Spanning Tree Commands” on page 447
◆ “VLAN Commands” on page 477
◆ “Class of Service Commands” on page 507
◆ “Quality of Service Commands” on page 519
◆ “Multicast Filtering Commands” on page 531
◆ “LLDP Commands” on page 593
◆ “Domain Name Service Commands” on page 617
◆ “DHCP Commands” on page 599
◆ “IP Interface Commands” on page 647
◆ “IP Routing Commands” on page 685
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Note: You can open up to eight sessions to the device via Telnet or SSH. Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
running-config          Information on the running configuration
sflow                   Shows the sflow information
snmp                    Simple Network Management Protocol configuration and statistics
snmp-server             Displays SNMP server configuration
sntp                    Simple Network Time Protocol configuration
spanning-tree           Spanning-tree configuration
ssh                     Secure
startup-config
system
tacacs-server
tech-support
time-range
traffic-segmentation
upgrade
users
version
vlan
voice
watchdog
web-auth
Console#
Negating the Effect of Commands For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.
system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the ECS2100-28T is opened. To end the CLI session, enter [Exit].
◆ Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces.
◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists.
◆ VLAN Configuration - Includes the command to create VLAN groups.
Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
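The abbreviation rule above has one subtlety worth seeing in code: "snmp" is both a complete keyword and a prefix of "snmp-server", so an exact match must win before prefix matching is tried, while "sn" matches three keywords and has to be rejected. The resolver below is an added example, not the switch's own command parser; its keyword list is taken from the show ? listing earlier in this chapter, and the case-insensitive comparison follows the "not case sensitive" statement above.

```python
"""Resolve abbreviated CLI keywords: accept an abbreviation only when it
identifies exactly one keyword at the current level, with an exact match
taking precedence over longer keywords that share the prefix.

Added example, not the switch firmware's parser. Keyword list from the
guide's "show ?" listing.
"""

SHOW_KEYWORDS = [
    "running-config", "sflow", "snmp", "snmp-server", "sntp", "spanning-tree",
    "ssh", "startup-config", "system", "tacacs-server", "tech-support",
    "time-range", "traffic-segmentation", "upgrade", "users", "version",
    "vlan", "voice", "watchdog", "web-auth",
]


class AmbiguousKeyword(ValueError):
    """The abbreviation matches more than one keyword at this level."""

    def __init__(self, token, candidates):
        super().__init__(f"ambiguous '{token}': {', '.join(candidates)}")
        self.candidates = candidates


def completions(token, keywords=SHOW_KEYWORDS):
    """The keywords '?' would list after a partial keyword (case-insensitive)."""
    t = token.lower()
    return [k for k in keywords if k.startswith(t)]


def resolve_keyword(token, keywords=SHOW_KEYWORDS):
    """Return the single keyword `token` abbreviates, or raise ValueError."""
    t = token.lower()
    if t in keywords:            # exact match beats "snmp" vs "snmp-server"
        return t
    matches = completions(t, keywords)
    if not matches:
        raise ValueError(f"unrecognized keyword '{token}'")
    if len(matches) > 1:
        raise AmbiguousKeyword(token, matches)
    return matches[0]


def is_ambiguous(token, keywords=SHOW_KEYWORDS):
    """True when the token is neither exact nor a unique prefix."""
    return token.lower() not in keywords and len(completions(token, keywords)) > 1


if __name__ == "__main__":
    for t in ("sp", "snmp", "Ver", "sn", "t", "zz"):
        try:
            print(f"{t!r:8} -> {resolve_keyword(t)}")
        except ValueError as e:
            print(f"{t!r:8} -> {e}")
```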
Console(config)#ip igmp snooping
Console(config)#end
Console#show ip igmp snooping mrouter
VLAN M'cast Router Ports Type
---- ------------------- ------
1    Eth 1/11            Static
Console#
CLI Command Groups The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)
Command Group: Description (Page)
Address Table: Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time (435)
Spanning Tree: Configures Spanning Tree settings for the switch (447)
VLANs: Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, an
3 General Commands
The general commands are used to control the command access mode, configuration mode, and other basic functions.
Chapter 3 | General Commands
Command Mode
Global Configuration
Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (see “copy” on page 113).
◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (88)
enable password (210)
quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 76.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2015.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end
This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
4 System Management Commands
The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Chapter 4 | System Management Commands
Cloud Management
Table 9: Cloud Management Commands
Command | Function | Mode
show mgmt status | Displays the cloud management agent status | PE
show mgmt version | Displays the cloud management agent code version | PE
show mgmt log | Displays log messages from the cloud management agent | PE
show mgmt option | Displays the cloud management agent configuration options | PE
mgmt
This command enables or disables the cloud management agent for the switch.
Command Mode
Global Configuration
Command Usage
◆ The logging levels from minimum severity to maximum severity are: Trace, Debug, Info, Warn, Error.
◆ This command configures messages logged by the cloud management agent based on severity. Messages from the configured level up to the maximum level are logged. Therefore, if Info is the configured level, all messages for Info, Warn, and Error are logged.
Table 10: Cloud Management Agent Options (Continued)
Name | Type | Required | Default | Notes
acn.mgmt.loglevel | string | no | “info” | Logging level for mgmtd. Possible values, in decreasing order of severity: error, warn, info, debug, trace.
acn.mgmt.hb_interval | int | no | 60 | Heartbeat message sending interval.
acn.mgmt.hb_ack_timeout | int | no | 57 | Heartbeat acknowledgement timeout (after which a connection problem is assumed to be present).
acn.mgmt.
Example
Console(config)#mgmt setoption acn.mgmt.status_interval=600
Console(config)#
mgmt property
This command sets the cloud management agent properties to their default values.
Syntax
mgmt property default
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#mgmt property default
Console(config)#
mgmt upgrade
This command upgrades the cloud management agent software from a file on a TFTP server.
show mgmt status
This command displays the status of the cloud management agent.
Syntax
show mgmt status
Command Mode
Privileged Exec
Example
Console#show mgmt status
Console#
show mgmt version
This command displays the version of the cloud management agent.
Syntax
show mgmt version
Command Mode
Privileged Exec
Example
Console#show mgmt version
Mgmtd version: 1.4.
2020-10-26 10:19:39 [info]: mgmtd status set to REG_FAILED
2020-10-26 10:19:39 [error]: Error: Unable to contact registration service! (Empty response)
Console#
show mgmt option
This command displays the cloud management agent options.
Syntax
show mgmt option
Command Mode
Privileged Exec
Example
Console#show mgmt option
Mgmtd Option:
acn.mgmt=acn
acn.mgmt.loglevel=info
acn.mgmt.enabled=0
acn.register=register
acn.register.state=0
acn.register.
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
◆ This command and the prompt command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Table 12: System Status Commands (Continued)
Command | Function | Mode
show watchdog | Shows if watchdog debugging is enabled | PE
watchdog software | Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly | PE
show access-list tcam-utilization
This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, and the number
Table 13: show access-list tcam-utilization - display description
Field | Description
Pool Capability Code | Abbreviation for processes shown in the TCAM List.
Unit | Stack unit identifier.
Device | Memory chip used for the indicated pools.
Pool | Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
Total | The maximum number of policy control entries allocated to each pool.
show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Table 14: show process cpu guard - display description
Field | Description
CPU Guard Configuration
Status | Shows if CPU Guard has been enabled.
High Watermark | If the percentage of CPU usage time is higher than the high watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
[Remainder of the show process cpu task output. Task names: IP_SERVICE_GROU, IP_SERVICE_PROC, L2_L4_PROCESS, L2MCAST_GROUP, L2MUX_GROUP, L4_GROUP, LACP_GROUP, MSL_TD, NETACCESS_GROUP, NETACCESS_NMTR, NETCFG_GROUP, NMTRDRV, NSM_TD, RIP_TD, SFLOW_PROC, SMTP_TD, SNMP_GROUP, SNMP_PROC, SNMP_TD, SSH_GROUP, STA_GROUP, STKCTRL_GROUP, SWCTRL_GROUP, SWDRV_MONITOR, SYSDRV, SYSTEM, UTILITY_GROUP, WTDOG_PROC, XFER_GROUP, XFER_PROC, XFER_TD; each row has a CPU utilization percentage (all 0.00 except one at 1.80), but the percentage column was separated from the task names in extraction and cannot be re-paired.]
Console#
◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Related Commands
show startup-config (105)
show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.
Command Mode
Privileged Exec
Command Usage
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
◆ This command displays settings for key command modes.
[show system output; only the first value survived extraction]
System Up Time : 0 days, 1 hours, 43 minutes, and 54.
Remaining fields in the output, values lost: System Name, System Location, System Contact, MAC Address (Unit 1), Web Server, Web Server Port, Web Secure Server, Web Secure Server Port, Telnet Server, Telnet Server Port, Jumbo Frame
Unit 1
show tech-support
This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems.
Command Mode
Privileged Exec
Command Usage
This command generates a long list of information including detailed system and interface settings. It is therefore advisable to direct the output to a file using any suitable output capture function provided with your terminal emulation program.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of the Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Table 16: show version – display description
Parameter | Description
Serial Number | The serial number of the switch.
Hardware Version | Hardware version of the main board.
Number of Ports | Number of built-in ports.
Main Power Status | Displays the status of the internal power supply.
Role | Shows whether this switch is operating as Master or Slave.
Loader Version | Version number of the loader code.
Linux Kernel Version | Version number of the Linux kernel.
Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
Table 17: Frame Size Commands
Command | Function | Mode
jumbo frame | Enables support for jumbo frames | GC
jumbo frame
This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it.
File Management
Managing Firmware
Firmware can be uploaded to or downloaded from an FTP/SFTP/TFTP server. By saving runtime code to a file on an FTP/SFTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
Table 18: Flash/File Commands (Continued)
Command | Function | Mode
TFTP Configuration Commands
ip tftp retry | Specifies the number of times the switch can retry transmitting a request to a TFTP server
ip tftp timeout | Specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry | GC
show ip tftp | Displays information about TFTP settings
General Commands
boot system
This comm
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/SFTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/SFTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/SFTP/TFTP server and the quality of the network connection.
◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as the destination.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/SFTP/TFTP server.
Destination file name: m360.bix
Write to FLASH Programming.
Write to FLASH finish.
Success.
Console#
The following example shows how to upload the configuration settings to a file on the TFTP server:
Console#copy file tftp
Choose file type:
 1. config: 2. opcode: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Success.
Console#reload
System will be restarted, continue ? y
This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Source public-key file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
delete
This command deletes a file or image.
Syntax
delete {file {unit unit no. name filename | name filename} | https-certificate | public-key username}
file - Keyword that allows you to delete a file.
name - Keyword indicating a name of a file.
filename - Name of configuration file or code image.
unit no. - Unit number of the switch.
https-certificate - Keyword that allows you to delete the HTTPS secure site certificate.
dir
This command displays a list of files in flash memory.
Syntax
dir {config | opcode}: [filename]
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
whichboot
This command displays which files were booted when the system powered up.
Syntax
whichboot
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name
------------------------------
Unit 1:
ECS2100_V1.2.0.171.bix
startup1.
version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
2. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
3. It sets the new version as the startup image.
4.
Command Usage
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be ECS2100series.bix. However, note that the file name is not to be included in this command.
Example
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode reload
Console(config)#
show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status        : Disabled
 Reload Status : Disabled
 Path          :
 File Name     : ECS2100-series.
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Line
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
line
This command identifies a specific line for configuration and processes subsequent line configuration commands for that line.
Syntax
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line-console)#password-thresh 5
Console(config-line-console)#
Related Commands
silent-time (130)
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
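The following is an added illustration, not code from the guide or the switch firmware: a small Python model of how password-thresh and silent-time interact on a line. It assumes the line is terminated once the configured number of consecutive wrong passwords has been entered, and that a configured silent-time then keeps the console closed for that many seconds.

```python
"""Model of the console login gate described by password-thresh and silent-time.

Constructed illustration, not the switch's firmware. Assumptions: the line is
terminated when `password_thresh` consecutive wrong passwords have been entered,
and if silent-time is configured the line then refuses logins for that many seconds.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass


@dataclass
class LineLoginGate:
    password: str
    password_thresh: int                # value given to the password-thresh command
    silent_time: int | None = None      # seconds given to silent-time; None = not set
    failures: int = 0                   # wrong passwords on the current connection
    silent_until: float | None = None   # epoch seconds until which the line is closed

    def attempt(self, candidate: str, now: float) -> str:
        """Process one password entry made at time `now` (epoch seconds).

        Returns one of:
          "silent"       - console inaccessible because silent-time is running
          "ok"           - password accepted; the prompt is shown
          "retry"        - wrong password, threshold not yet reached
          "disconnected" - threshold reached; line terminated (and silenced if set)
        """
        if self.silent_until is not None and now < self.silent_until:
            return "silent"
        # Constant-time comparison so the check itself does not leak the password.
        if hmac.compare_digest(candidate.encode(), self.password.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures < self.password_thresh:
            return "retry"
        # Threshold reached: the connection drops, so the per-connection counter
        # starts again for the next connection; silent-time (if set) starts now.
        self.failures = 0
        if self.silent_time is not None:
            self.silent_until = now + self.silent_time
        return "disconnected"


def simulate(gate: LineLoginGate, attempts: list[tuple[float, str]]) -> list[str]:
    """Replay (time, password) pairs in order and collect each outcome."""
    return [gate.attempt(pw, t) for t, pw in attempts]


if __name__ == "__main__":
    # Constructed scenario: password-thresh 5, silent-time 60, five wrong guesses,
    # then a correct password inside and after the silent window.
    gate = LineLoginGate("correct-horse", password_thresh=5, silent_time=60)
    script = [(0, "a"), (1, "b"), (2, "c"), (3, "d"), (4, "e"),
              (10, "correct-horse"), (70, "correct-horse")]
    for (t, _), outcome in zip(script, simulate(gate, script)):
        print(f"t={t:>3}s  {outcome}")
```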
speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps)
Default Setting
115200 bps
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port.
Example
To specify 2 stop bits, enter this command:
Console(config-line-console)#stopbits 2
Console(config-line-console)#
timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (251)
show users (108)
terminal
This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history.
Terminal Type: VT100
Width: 80
Command Mode
Privileged Exec
Example
This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Console#terminal length 48
Console#
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Login Timeout : 300 sec.
Silent Time   : Disabled
Console#
Event Logging
This section describes commands used to configure event logging on the switch. To configure sending event logs as alerts using an SMTP mail server, refer to “SMTP Alerts” on page 142.
interface (console, Telnet, SSH) and user IP address. The severity level for this record type is 6 (see the logging facility command).
Example
Console(config)#logging facility 19
Console(config)#
logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)
Table 22: Logging Levels
Level | Severity Name | Description
7 | debugging | Debugging messages
6 | informational | Informational messages only
5 | notifications | Normal but significant condition, such as cold start
4 | warnings | Warning conditions (e.g., return false, unexpected return)
3 | errors | Error conditions (e.g.
Command Mode
Global Configuration
Command Usage
◆ Use this command more than once to build up a list of host IP addresses.
◆ The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#
logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level level]
no logging trap [level]
level - One of the syslog severity levels listed in the table on page 136.
Example
Console#clear log
Console#
Related Commands
show log (140)
show log
This command displays the log messages stored in local memory.
Syntax
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {command | flash | ram | sendmail | trap}
command - Stores CLI command execution records in syslog RAM and flash.
flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
The following example displays settings for the trap function.
Console#show logging trap
Global Configuration:
 Syslog Logging : Enabled
Remote Logging Configuration:
 Status        : Disabled
 Facility Type : Local use 7 (23)
 Level Type    : Debugging messages (7)
Console#
Table 24: show logging trap - display description
Field | Description
Global Configuration
Syslog logging | Shows if system logging has been enabled via the logging on command.
logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Syntax
[no] logging sendmail
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
Syntax
[no] logging sendmail host ip-address
ip-address - IPv4 address of an SMTP server that will be sent alert messages for event handling.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ You can specify up to three SMTP servers for event handling.
Command Usage
The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)
Example
This example will send email alerts for system errors from level 3 through 0.
Example
Console#show logging sendmail
SMTP Servers
-----------------------------------------------
1. 10.20.1.2
2. 10.1.2.1
SMTP Minimum Severity Level: 5
SMTP Destination E-mail Addresses
-----------------------------------------------
1. karl@email.com
2. noc_team@email.com
SMTP Source E-mail Address: switch99@email.com
SMTP Status: Enabled
Console#
Time
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
Table 26: Time Commands (Continued)
Command | Function | Mode
Manual Configuration Commands
clock summer-time (date) | Configures summer time* for the switch’s internal clock | GC
clock summer-time (predefined) | Configures summer time* for the switch’s internal clock | GC
clock summer-time (recurring) | Configures summer time* for the switch’s internal clock | GC
clock timezone | Sets the time zone for the switch’s internal clock | GC
calendar set | Sets the system da
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.80
Console#
Related Commands
sntp server (148)
sntp poll (148)
show sntp (149)
sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests.
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.
NTP Commands
ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
Syntax
[no] ntp authenticate
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers.
Command Mode
Global Configuration
Command Usage
◆ The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch. Re-enter this command for each server you want to configure.
◆ Note that NTP authentication key numbers and values must match on both the server and client.
◆ NTP authentication is optional.
◆ This command enables client time requests to time servers specified via the ntp server command. It issues time synchronization requests based on the interval set via the ntp poll command.
Example
Console(config)#ntp client
Console(config)#
Related Commands
sntp client (147)
ntp server (152)
ntp server
This command sets the IP addresses of the servers to which NTP time requests are issued.
Example
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#
Related Commands
ntp client (151)
show ntp (153)
show ntp
This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.
b-date - Day of the month when summer time will begin. (Range: 1-31)
b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
b-year - The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59 minutes)
e-date - Day of the month when summer time will end.
Related Commands
show sntp (149)
clock summer-time (predefined)
This command configures the summer time (daylight saving time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.
Syntax
clock summer-time name predefined [australia | europe | new-zealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym.
Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#
Related Commands
show sntp (149)
clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times of summer time (daylight saving time) for the switch on a recurring basis. Use the no form to disable summer-time.
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time zone relative to the currently configured time zone.
Chapter 4 | System Management Commands Time Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Chapter 4 | System Management Commands Time Range show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec Example
Console#show calendar
Current Time          : May 13 14:08:18 2014
Time Zone             : UTC, 08:00
Summer Time           : Not configured
Summer Time in Effect : No
Console#
Time Range This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Chapter 4 | System Management Commands Time Range Command Usage ◆ This command sets a time range for use by other functions, such as Access Control Lists. ◆ A maximum of eight rules can be configured for a time range. Example Console(config)#time-range r&d Console(config-time-range)# Related Commands Access Control Lists (333) absolute This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time.
Chapter 4 | System Management Commands Time Range Example This example configures the time for the single occurrence of an event. Console(config)#time-range r&d Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009 Console(config-time-range)# periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Chapter 4 | System Management Commands Switch Clustering Example This example configures a time range for the periodic occurrence of an event. Console(config)#time-range sales Console(config-time-range)#periodic daily 1 1 to 2 1 Console(config-time-range)# show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
Chapter 4 | System Management Commands Switch Clustering Table 29: Switch Cluster Commands (Continued) Command Function Mode show cluster Displays the switch clustering status PE show cluster members Displays current cluster Members PE show cluster candidates Displays current cluster Candidates in the network PE Using Switch Clustering ◆ A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster.
Chapter 4 | System Management Commands Switch Clustering Default Setting Disabled Command Mode Global Configuration Command Usage ◆ To create a switch cluster, first be sure that clustering is enabled on the switch (the default is disabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
Chapter 4 | System Management Commands Switch Clustering ◆ Cluster Member switches can be managed through a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch. Example Console(config)#cluster commander Console(config)# cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address.
Chapter 4 | System Management Commands Switch Clustering cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. Syntax cluster member mac-address mac-address id member-id no cluster member id member-id mac-address - The MAC address of the Candidate switch. member-id - The ID number to assign to the Member switch.
Example
Console#rcommand id 1
CLI session with the ECS2100-28T is opened.
To end the CLI session, enter [Exit].
Vty-0#
show cluster This command shows the switch clustering configuration.
show cluster candidates This command shows the discovered Candidate switches in the network.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands Table 30: SNMP Commands (Continued) Command Function Mode show snmp engine-id Shows the SNMP engine ID PE show snmp group Shows the SNMP groups PE show snmp user Shows the SNMP users PE show snmp view Shows the SNMP views PE nlm Enables the specified notification log GC snmp-server notify-filter Creates a notification log and specifies the target host GC show nlm oper-status Shows operation status of configured notification logs PE show snmp notify-filter
Chapter 5 | SNMP Commands General SNMP Commands General SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# snmp-server community This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c.
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information.
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (172) show snmp This command can be used to check the status of SNMP communications.
Chapter 5 | SNMP Commands SNMP Target Host Commands SNMP Logging: Disabled Console# SNMP Target Host Commands snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | mac-notification [interval seconds]] authentication - Keyword to issue authentication failure notifications.
data, the interval time has not been reached, address table changes will be kept in the buffer, and this new buffer data will be sent once the interval time expires. For example, if the trap interval is set to 15 minutes and the MAC address table data is sent at 10:00, the data sent at 10:15 will be the buffered data composed of the new dynamic MAC entries collected since the original MAC address table data was sent at 10:00.
Chapter 5 | SNMP Commands SNMP Target Host Commands version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options. port - Host UDP port to use.
4. Allow the switch to send SNMP traps; i.e., notifications (page 174). 5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section. To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 171). 2. Create a remote SNMPv3 user to use in the message exchange process (page 181). 3. Create a view with the required notification messages (page 183).
Command Mode Interface Configuration (Ethernet, Port Channel) Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps link-up-down
Console(config-if)#
snmp-server enable port-traps mac-notification This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Chapter 5 | SNMP Commands SNMPv3 Commands port-channel channel-id (Range: 1-8) Command Mode Privileged Exec Example
Console#show snmp-server enable port-traps interface
Interface MAC Notification Trap
--------- ---------------------
Eth 1/1   No
Eth 1/2   No
Eth 1/3   No
. . .
SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. ◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ A group sets the access policy for the assigned users. ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. ◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption. ◆ For additional information on the notification messages supported by this switch, see table for “Supported Notification Messages” in the Web Management Guide.
Chapter 5 | SNMP Commands SNMPv3 Commands auth - Uses SNMPv3 with authentication. md5 | sha - Uses MD5 or SHA authentication. auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password.
Chapter 5 | SNMP Commands SNMPv3 Commands need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)#snmp-server user mark r&d remote 192.168.1.
Chapter 5 | SNMP Commands SNMPv3 Commands This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in the following table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp engine-id This command shows the SNMP engine ID.
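As an added illustration, not part of this guide or the switch firmware, the following Python model shows how a view built from included and excluded subtrees decides whether a given OID is visible, including the wildcard component used in the view examples above. The view name, the system-group entries and the tested OIDs are constructed for the example; the tie-breaking rule (the most specific covering subtree decides) is a simplification of the RFC 3415 VACM rule.

```python
"""SNMP view subtree matching with wildcard components.

Added example, not code from the Edge-core guide or the switch. A view is a
list of subtrees, each marked included or excluded; a '*' component matches
any single sub-identifier, so "1.3.6.1.2.1.2.2.1.1.*" covers ifIndex for every
interface row. When several subtrees cover an OID the most specific one wins
(longest subtree, then fewest wildcards), a simplification of RFC 3415 VACM.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID = Tuple[str, ...]


def parse_oid(text: str) -> OID:
    """Split a dotted OID such as "1.3.6.1.2.1.1.5.0" into its components."""
    return tuple(part for part in text.strip(".").split(".") if part)


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID      # may contain "*" wildcards
    included: bool    # True for "included", False for "excluded"

    def covers(self, oid: OID) -> bool:
        # The OID must be at least as long as the subtree, and every
        # non-wildcard component must be equal.
        if len(oid) < len(self.subtree):
            return False
        return all(s == "*" or s == o for s, o in zip(self.subtree, oid))

    def specificity(self) -> Tuple[int, int]:
        # Longer subtree wins; for equal length, fewer wildcards wins.
        return (len(self.subtree), -self.subtree.count("*"))


class SnmpView:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[ViewEntry] = []

    def add(self, subtree: str, included: bool = True) -> "SnmpView":
        self.entries.append(ViewEntry(parse_oid(subtree), included))
        return self

    def best_match(self, oid: OID) -> Optional[ViewEntry]:
        covering = [e for e in self.entries if e.covers(oid)]
        if not covering:
            return None
        return max(covering, key=ViewEntry.specificity)

    def permits(self, oid_text: str) -> bool:
        """Default deny: an OID that no subtree covers is invisible in this view."""
        entry = self.best_match(parse_oid(oid_text))
        return entry is not None and entry.included


def build_example_view() -> SnmpView:
    """Constructed view: ifIndex for all rows plus the system group minus sysLocation."""
    return (
        SnmpView("ifIndexAndSystem")                # constructed view name
        .add("1.3.6.1.2.1.2.2.1.1.*")               # ifIndex, every interface row
        .add("1.3.6.1.2.1.1")                       # system group
        .add("1.3.6.1.2.1.1.6", included=False)     # hide sysLocation (more specific)
    )


def check_oids(view: SnmpView, oids: List[str]) -> Dict[str, bool]:
    """Return {oid: permitted} for a list of instance OIDs."""
    return {oid: view.permits(oid) for oid in oids}


if __name__ == "__main__":
    demo = check_oids(build_example_view(), [
        "1.3.6.1.2.1.2.2.1.1.7",   # ifIndex.7      -> included via wildcard
        "1.3.6.1.2.1.2.2.1.2.7",   # ifDescr.7      -> not covered, denied
        "1.3.6.1.2.1.1.5.0",       # sysName.0      -> included (system group)
        "1.3.6.1.2.1.1.6.0",       # sysLocation.0  -> excluded (more specific entry)
        "1.3.6.1.4.1.1.0",         # under enterprises -> not covered, denied
    ])
    for oid, ok in demo.items():
        print(f"{oid:26s} {'included' if ok else 'denied'}")
```

The model is deny-by-default: anything outside every included subtree, or under a more specific excluded subtree, is not visible, which is the property to check when a group is given a view narrower than mib-2.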
Chapter 5 | SNMP Commands SNMPv3 Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Chapter 5 | SNMP Commands SNMPv3 Commands Table 32: show snmp group - display description (Continued) Field Description Read View The associated read view. Write View The associated write view. Notify View The associated notify view. Storage Type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users.
Chapter 5 | SNMP Commands Notification Log Commands Table 33: show snmp user - display description (Continued) Field Description Storage Type The storage type for this entry. Row Status The row status of this entry. SNMP remote user A user associated with an SNMP engine on a remote device. show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.
Chapter 5 | SNMP Commands Notification Log Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example This example enables the notification log A1.
Chapter 5 | SNMP Commands Notification Log Commands RFC 3014) provides an infrastructure in which information from other MIBs may be logged. ◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
Chapter 5 | SNMP Commands Additional Trap Commands show nlm oper-status This command shows the operational status of configured notification logs. Command Mode Privileged Exec Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#
show snmp notify-filter This command displays the configured notification logs. Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts.
Chapter 5 | SNMP Commands Additional Trap Commands Command Usage Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered. Example Console(config)#memory rising 80 Console(config)#memory falling 60 Console# Related Commands show memory (100) process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization.
Chapter 5 | SNMP Commands Additional Trap Commands process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
Chapter 5 | SNMP Commands Additional Trap Commands ◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
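The hysteresis described for the memory and process cpu thresholds in the previous chapter, and for the rmon alarm rising and falling thresholds above, can be checked with the following Python model. It is an added example, not code from this guide or the switch: the sample sequences are constructed, the absolute-mode thresholds are the memory example from the previous chapter (rising 80, falling 60), and the delta-mode thresholds are chosen for the demonstration.

```python
"""Rising/falling threshold alarm with hysteresis.

Added example, not code from the Edge-core guide or the switch firmware. A
rising alarm fires when a sample reaches the rising threshold; no further
rising alarm is raised until the value has dropped to the falling threshold
(which fires a falling alarm) and climbed back up again. Sampling is either
"absolute" (the value itself) or "delta" (difference between consecutive
samples, as used for counters in rmon alarm).
"""
from typing import List, Optional, Tuple


class ThresholdAlarm:
    def __init__(self, rising: int, falling: int, mode: str = "absolute") -> None:
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        if mode not in ("absolute", "delta"):
            raise ValueError("mode must be 'absolute' or 'delta'")
        self.rising = rising
        self.falling = falling
        self.mode = mode
        self.last_raw: Optional[int] = None
        self.in_alarm = False      # True between a rising and the next falling event

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        if self.mode == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None        # a delta needs two samples
            value = raw - self.last_raw
        else:
            value = raw
        self.last_raw = raw

        # Hysteresis: only the armed threshold can fire.
        if not self.in_alarm and value >= self.rising:
            self.in_alarm = True
            return "rising"
        if self.in_alarm and value <= self.falling:
            self.in_alarm = False
            return "falling"
        return None


def run_absolute_example() -> List[Tuple[int, Optional[str]]]:
    """Memory utilisation (percent) against rising 80 / falling 60 (guide's values)."""
    alarm = ThresholdAlarm(rising=80, falling=60)
    samples = [50, 85, 70, 90, 55, 82]      # constructed sequence
    return [(s, alarm.sample(s)) for s in samples]


def run_delta_example() -> List[Optional[str]]:
    """Monotonic counter sampled in delta mode: rising 1000 / falling 200 (constructed)."""
    alarm = ThresholdAlarm(rising=1000, falling=200, mode="delta")
    counter = [1000, 1500, 2600, 2700]      # constructed counter readings
    return [alarm.sample(c) for c in counter]


if __name__ == "__main__":
    for value, event in run_absolute_example():
        print(f"memory {value:3d}% -> {event or '-'}")
    print("delta events:", run_delta_example())
```

In the absolute run the 70% and 90% samples raise nothing: the alarm is already active and the value has not yet fallen to 60%, so a flapping value produces one notification per excursion rather than one per sample.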
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. ipv6-address - IPv6 address of the sFlow collector. A full IPv6 address including the network prefix and host address bits. An IPv6 address consists of 8 colon-separated 16-bit hexadecimal values.
Chapter 7 | Flow Sampling Commands This example shows how to modify the sFlow port number for an already configured collector. Console#sflow owner stat_server1 timeout 100 port 35100 Console# sflow polling instance This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval. Use the no form to remove the polling data source instance from the switch’s sFlow configuration.
sflow sampling instance This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
The following command removes a sampling data source from Ethernet interface 1/1. Console#no sflow sampling interface ethernet 1/1 instance 1 Console# show sflow This command shows the global and interface settings for the sFlow process. Syntax show sflow [owner owner-name | interface interface] owner-name - The associated receiver, to which the samples are sent. (Range: 1-30 alphanumeric characters) interface ethernet unit/port unit - Unit identifier.
8 Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 124), user authentication via a remote authentication server (page 209), and host access authentication for specific ports (page 252).
Default Setting The default is level 15. The default password is “super”. Command Mode Global Configuration Command Usage ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command. ◆ The encrypted password is required for compatibility with legacy password settings (i.e.
Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 76 and “Configuration Commands” on page 77.
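The following Python model, an added example that is not code from this guide or the switch, shows how the rules above fit together: a user may run any command whose level is at or below their own, and the privilege command re-levels either one command or, with the all keyword, every command in a mode that begins with the given word. The default assignments in the demo table are constructed for the illustration and are not the switch's real defaults; the two reassignments are the ones shown in the show privilege command example below. A command with no assignment is denied in this model, which is an assumption, not a statement from the guide.

```python
"""Privilege-level authorization model for CLI commands.

Added example, not code from the Edge-core guide or the switch. Models:
  - a user at level L may run any command assigned to level <= L;
  - `privilege <mode> level <N> <command>` re-levels one exact command;
  - `privilege <mode> all level <N> <word...>` re-levels every command in
    that mode whose leading words match (the "all" keyword).
Default assignments below are constructed for the demo.
"""
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]   # (mode, command words)


class PrivilegeTable:
    def __init__(self, defaults: Dict[Key, int]) -> None:
        self.exact: Dict[Key, int] = dict(defaults)   # (mode, full command) -> level
        self.prefix: Dict[Key, int] = {}              # "all" entries: (mode, leading words) -> level

    def set_privilege(self, mode: str, command: str, level: int,
                      all_matching: bool = False) -> None:
        """privilege <mode> [all] level <level> <command>"""
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be 0-15")
        if all_matching:
            words = command.split()
            # "all" now governs every command in this mode starting with these
            # words, so the exact entries it covers are dropped.
            for key in [k for k in self.exact
                        if k[0] == mode and k[1].split()[:len(words)] == words]:
                del self.exact[key]
            self.prefix[(mode, command)] = level
        else:
            self.exact[(mode, command)] = level

    def level_of(self, mode: str, command: str) -> Optional[int]:
        """Exact assignment first, then the longest matching "all" prefix."""
        if (mode, command) in self.exact:
            return self.exact[(mode, command)]
        words = command.split()
        for n in range(len(words), 0, -1):
            level = self.prefix.get((mode, " ".join(words[:n])))
            if level is not None:
                return level
        return None

    def can_run(self, user_level: int, mode: str, command: str) -> bool:
        """Allowed when the command's level is at or below the user's; unknown -> deny (assumption)."""
        required = self.level_of(mode, command)
        return required is not None and user_level >= required


def build_demo_table() -> PrivilegeTable:
    """Constructed defaults, then the two reassignments from the guide's example."""
    table = PrivilegeTable({
        ("exec", "ping"): 0,
        ("exec", "show running-config"): 15,
        ("config", "radius-server key"): 15,
        ("line", "accounting exec"): 15,
        ("line", "accounting commands"): 15,
    })
    table.set_privilege("exec", "ping", 15)                          # privilege exec level 15 ping
    table.set_privilege("line", "accounting", 0, all_matching=True)  # privilege line all level 0 accounting
    return table


if __name__ == "__main__":
    t = build_demo_table()
    for level, mode, cmd in [(0, "exec", "ping"), (15, "exec", "ping"),
                             (0, "line", "accounting exec tps"),
                             (8, "config", "radius-server key")]:
        print(f"level {level:2d} {mode:7s} {cmd:22s} -> {'allowed' if t.can_run(level, mode, cmd) else 'denied'}")
```

Moving ping to level 15 takes it away from every user below 15, while the all form lowers the whole accounting family on the line mode at once, so a review of show privilege command should look at both exact and all entries when checking what a low-level account can reach.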
Chapter 8 | Authentication Commands Authentication Sequence Example This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console#
Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Chapter 8 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
Chapter 8 | Authentication Commands RADIUS Client ◆ For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked.
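The fail-over between methods described above can be modelled as follows. This is an added Python example, not code from this guide or the switch, and two points in it are assumptions of the model rather than statements from the guide: a reachable server's accept or reject is final (a wrong password on RADIUS does not fall through to TACACS+ or the local database), and exhausting the list without any reachable method denies access. The server responses and credentials are constructed.

```python
"""Login authentication sequence with fail-over between methods.

Added example, not code from the Edge-core guide or the switch. For the
sequence "radius tacacs local", each method is tried in order and the next
one is consulted only when the current server is not available.
Assumptions of this model (not from the guide): a reachable server's verdict
is final, and no reachable method at all means "error" (fail closed).
"""
import hmac
from typing import Callable, Dict, List, Optional, Tuple


class ServerUnavailable(Exception):
    """Raised when an authentication server cannot be reached."""


Method = Callable[[str, str], str]   # (user, password) -> "accept" | "reject"


def authenticate(sequence: List[str], methods: Dict[str, Method],
                 user: str, password: str) -> Tuple[str, Optional[str]]:
    """Return (outcome, method that decided); outcome is accept, reject or error."""
    for name in sequence:
        try:
            verdict = methods[name](user, password)
        except ServerUnavailable:
            continue                 # server not available: fall over to the next method
        return verdict, name         # assumption: a reachable server's answer is final
    return "error", None             # assumption: fail closed when nothing answered


def make_server(state: str, credentials: Dict[str, str]) -> Method:
    """Constructed server: "up" checks credentials, "down" is unreachable."""
    def method(user: str, password: str) -> str:
        if state == "down":
            raise ServerUnavailable()
        expected = credentials.get(user, "")
        ok = hmac.compare_digest(expected, password) and expected != ""
        return "accept" if ok else "reject"
    return method


def run_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenarios for the sequence radius -> tacacs -> local."""
    sequence = ["radius", "tacacs", "local"]
    remote = {"admin": "remote-secret"}     # constructed credentials on RADIUS/TACACS+
    local = {"admin": "local-secret"}       # constructed local user database

    def methods(radius: str, tacacs: str, local_state: str) -> Dict[str, Method]:
        # local_state "down" is only used to show the fail-closed path.
        return {
            "radius": make_server(radius, remote),
            "tacacs": make_server(tacacs, remote),
            "local": make_server(local_state, local),
        }

    return {
        # RADIUS reachable: it decides, even though local would also accept.
        "radius_accepts": authenticate(sequence, methods("up", "up", "up"), "admin", "remote-secret"),
        # RADIUS down, TACACS+ reachable and rejects: no fall-through to local.
        "tacacs_rejects": authenticate(sequence, methods("down", "up", "up"), "admin", "wrong"),
        # Both remote servers down: the local database decides.
        "local_accepts": authenticate(sequence, methods("down", "down", "up"), "admin", "local-secret"),
        # Nothing reachable: deny rather than grant access.
        "all_down": authenticate(sequence, methods("down", "down", "down"), "admin", "local-secret"),
    }


if __name__ == "__main__":
    for name, (outcome, decided_by) in run_scenarios().items():
        print(f"{name:15s} -> {outcome:6s} (decided by {decided_by})")
```

The distinction the model draws between "not available" and "rejected" is the one to keep in mind when ordering methods: putting local last gives a fallback when the servers are unreachable without letting a bad password on the server be retried against the local database.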
port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535) Default Setting 1813 Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default.
host-ip-address - IP address of server. acct-port - RADIUS server UDP port used for accounting messages. (Range: 1-65535) auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) encrypted-key - Encryption key used to authenticate the RADIUS client with the server. Enclose ASCII characters limited to “A-Z” or “a-z”. Note this key will be transmitted in encrypted text.
Command Mode Global Configuration Example Console(config)#radius-server key green Console(config)# radius-server encrypted-key This command sets the RADIUS encryption key to be sent in encrypted text. Use the no form to restore the default. Syntax radius-server encrypted-key key-string no radius-server key key-string - Encryption key sent in encrypted text and used to authenticate logon access for client.
Chapter 8 | Authentication Commands RADIUS Client Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 8 | Authentication Commands TACACS+ Client Request Timeout : 5
RADIUS Server Group:
Group Name                Member Index
------------------------- ------------
radius                    1
Console#
TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
Chapter 8 | Authentication Commands TACACS+ Client key - Encryption key used to authenticate the TACACS+ client with the server. Enclose any ASCII string (no blanks). Note this key will be transmitted in plain text. (Maximum length: 48 characters) port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server.
tacacs-server encrypted-key This command sets the TACACS+ encryption key to be sent in encrypted text. Use the no form to restore the default. Syntax tacacs-server encrypted-key key-string no tacacs-server key key-string - Encryption key sent in encrypted text and used to authenticate logon access for client. Enclose any character string using ASCII characters “A-Z” or “a-z”.
tacacs-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax tacacs-server retransmit number-of-retries no tacacs-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
Chapter 8 | Authentication Commands AAA show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Retransmit Times   : 2
Timeout            : 5
Server 1:
Server IP Address  : 10.11.12.
Server Port Number :
Retransmit Times   :
Timeout            :
Chapter 8 | Authentication Commands AAA Table 43: AAA Commands (Continued) Command Function Mode accounting dot1x Applies an accounting method to an interface for 802.
Chapter 8 | Authentication Commands AAA Command Usage ◆ The accounting of Exec mode commands is only supported by TACACS+ servers. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Chapter 8 | Authentication Commands AAA Example Console(config)#aaa accounting dot1x default start-stop group radius Console(config)# aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} default - Specifies the default accounting method for service requests.
aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
Chapter 8 | Authentication Commands AAA server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters) Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage The authorization of Exec mode commands is only supported by TACACS+ servers.
Chapter 8 | Authentication Commands AAA Command Mode Global Configuration Command Usage ◆ This command performs authorization to determine if a user is allowed to run an Exec shell for local console, Telnet, or SSH connections. ◆ AAA authentication must be enabled before authorization is enabled.
Chapter 8 | Authentication Commands AAA server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) ip-address - Specifies the host IP address of a server.
Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting commands This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands. Syntax accounting commands level {default | list-name} no accounting commands level level - The privilege level for executing commands.
Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization commands This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
Chapter 8 | Authentication Commands AAA authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec default - Specifies the default method list created with the aaa authorization exec command. list-name - Specifies a method list created with the aaa authorization exec command.
interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) Default Setting None Command Mode Privileged Exec Example
Console#show accounting
Accounting Type : dot1x
Method List     : default
Group List      : radius
Interface       : Eth 1/1

Method List     : tps
Group List      : radius
Interface       : Eth 1/2

Accounting Type : EXEC
Method List     : default
Group List      : tacacs+
Interface       : vty

Accounting Type :
Method List     :
Group List      :
Interface       :
. . .
Chapter 8 | Authentication Commands Web Server Default Setting None Command Mode Privileged Exec Example
Console#show authorization
Authorization Type : EXEC
Method List        : default
Group List         : tacacs+
Interface          : vty

Authorization Type : Commands 0
Method List        : default
Group List         : tacacs+
Interface          :
. . .
Chapter 8 | Authentication Commands Web Server ip http authentication This command specifies the method list for EXEC authorization for starting an EXEC session used by the web browser interface. Use the no form to use the default port. Syntax ip http authentication aaa exec-authorization {default | list-name} no ip http authentication aaa exec-authorization default - Specifies the default method list used for authorization requests.
Example
Console(config)#ip http port 769
Console(config)#

Related Commands
ip http server (239)
show system (105)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.

Command Usage
◆ You cannot configure the HTTP and HTTPS servers to use the same port.

◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for recent versions of Internet Explorer, Mozilla Firefox, or Google Chrome. The padlock only confirms that the session is encrypted; verify the certificate the switch presents before entering credentials.
Telnet Server

Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec level.

Telnet carries login credentials and the whole session in cleartext. Prefer SSH for management and disable the Telnet server (no ip telnet server) where it is not required.

ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.

Command Mode
Global Configuration

Example
Console(config)#ip telnet port 123
Console(config)#

ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.

Syntax
[no] ip telnet server

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#ip telnet server
Console(config)#

telnet (client)
This command accesses a remote device using a Telnet connection.

show ip telnet
This command displays the configuration settings for the Telnet server.

Command Mode
Normal Exec, Privileged Exec

Example
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 8
Console#

Secure Shell
This section describes the commands used to configure the SSH server.
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command.

6. Authentication – One of the following authentication methods is employed:
   Password Authentication (for SSH V2 Clients)
   a. The client sends its password to the server.
   b. The switch compares the client's password to those stored in memory.
   c. If a match is found, the connection is allowed.

count – The number of authentication attempts permitted after which the interface is reset. (Range: 1-5)

Default Setting
3

Command Mode
Global Configuration

Example
Console(config)#ip ssh authentication-retries 2
Console(config)#

Related Commands
show ip ssh (250)

ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.

Related Commands
ip ssh crypto host-key generate (249)
show ssh (251)

ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.

Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
Example
Console#delete public-key admin
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).

Syntax
ip ssh crypto host-key generate

Default Setting
Generates the RSA key pairs.

Command Mode
Privileged Exec

Command Usage
◆ The switch uses 2048-bit RSA for SSHv2 clients.
◆ This command stores the host key pair in memory (i.e., RAM). Save it to flash with the ip ssh save host-key command; otherwise it is lost on reboot.

Command Mode
Privileged Exec

Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
◆ The SSH server must be disabled before you can execute this command.

Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#

A 768-bit key is not considered secure by current standards; check the key size reported by your firmware.

show public-key
This command shows the public key for the specified user or for the host.

Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-32 characters)

Default Setting
Shows all public keys.
stoc aes128-cbc-hmac-md5
Console#

Table 48: show ssh - display description
Field       Description
Connection  The session number. (Range: 1-8)
Version     The Secure Shell version number.
State       The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username    The user name of the client.

802.1X Port Authentication
The switch supports IEEE 802.

Table 49: 802.
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#

dot1x max-reauth-req
This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#

dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

As is usual for multi-host mode, once a single client on the port has been authorized, the other hosts behind that port (up to max-count) share its access without authenticating themselves, so use it only where the downstream device is trusted.

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.

Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.

Default
3600 seconds

Command Mode
Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.

dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
Information Display Commands

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.

Syntax
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface
  ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

◆ Authenticator PAE State Machine
  ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
  ■ Reauth Count – Number of times connecting state is re-entered.
  ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.

Reauth Max Retries : 2
Max Request        : 2
Operation Mode     : Multi-host
Port Control       : Auto
Intrusion Action   : Block traffic
Supplicant         : 00-e0-29-94-34-65

Authenticator PAE State Machine
  State              : Authenticated
  Reauth Count       : 0
  Current Identifier : 3
Backend State Machine
  State              : Idle
  Request Count      : 0
  Identifier(Server) : 2
Reauthentication State Machine
  State              : Initialize
Console#

Management IP Filter
This section describes commands used to configur
Default Setting
All addresses

Command Mode
Global Configuration

Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses. Make the address of your own management station the first entry you add; an initial entry that omits it locks you out of that interface.

Command Mode
Privileged Exec

Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
   Start IP address  End IP address
   -----------------------------------------------
1. 192.168.1.19      192.168.1.19
2. 192.168.1.25      192.168.1.30

SNMP-Client:
   Start IP address  End IP address
   -----------------------------------------------
1. 192.168.1.19      192.168.1.19
2. 192.168.1.25      192.168.1.
9 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
Chapter 9 | General Security Measures
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.

the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.

Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.

Related Commands
show interfaces status (372)
shutdown (364)
mac-address-table static (436)

show port security
This command displays port security status and the secure address count.

Syntax
show port security [interface interface]
interface - Specifies a port interface.
  ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

Table 53: show port security - display description (Continued)
Field       Description
MaxMacCnt   The maximum number of addresses which can be stored in the address table for this interface (either dynamic or static).
CurrMacCnt  The current number of secure entries in the address table.

The following example shows the port security settings and number of secure addresses for a specific port.
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. Because a MAC address is trivially spoofed by anyone who can observe it, MAC authentication is weaker than 802.1X and is best reserved for devices that cannot run a supplicant.

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.

◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access mac-filter command.
◆ Up to 64 filter tables can be defined.
◆ There is no limitation on the number of entries that can be entered in a filter table.

network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.

Syntax
[no] network-access dynamic-qos

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.

Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#

network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.

network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1X authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.

Command Mode
Interface Configuration

Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.

◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the "Tunnel-Private-Group-ID" attribute. The VLAN list can contain multiple VLAN identifiers in the format "1u,2t", where "u" indicates an untagged VLAN and "t" a tagged VLAN.
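The VLAN list format described above, as an added example that is not part of the Edgecore guide: it parses the "1u,2t" list, and encodes and decodes the RADIUS Tunnel-Private-Group-ID attribute (type 81) that carries it. The attribute type and the rule that a leading octet above 0x1F is string data rather than a tag come from RFC 2868; the function names, the VLAN range check and the rejection of duplicate or malformed entries are this example's own choices, since the guide does not say how the switch treats a malformed list.

```python
"""Added example (not from the Edgecore guide): build and parse the RADIUS
Tunnel-Private-Group-ID attribute carrying a VLAN list such as "1u,2t".
Attribute type 81 and the tag rule come from RFC 2868; the helper names
and sample values are this example's own."""
import re
import struct

TUNNEL_PRIVATE_GROUP_ID = 81          # RADIUS attribute type (RFC 2868)
VLAN_MIN, VLAN_MAX = 1, 4094
_ENTRY = re.compile(r"^(\d{1,4})([ut])$")


def parse_vlan_list(value: str) -> dict:
    """Split "1u,2t" into {"untagged": [1], "tagged": [2]}.

    Every entry must be a VLAN ID followed by "u" or "t" as the guide
    describes.  Out-of-range or duplicate IDs are rejected (assumption:
    the guide does not say how a malformed list is handled, so this
    example refuses to apply it at all)."""
    untagged, tagged, seen = [], [], set()
    for raw in value.split(","):
        entry = raw.strip()
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed VLAN entry {entry!r}")
        vid, kind = int(m.group(1)), m.group(2)
        if not VLAN_MIN <= vid <= VLAN_MAX:
            raise ValueError(f"VLAN {vid} out of range")
        if vid in seen:
            raise ValueError(f"VLAN {vid} listed twice")
        seen.add(vid)
        (untagged if kind == "u" else tagged).append(vid)
    return {"untagged": untagged, "tagged": tagged}


def encode_attribute(vlan_list: str, tag: int = 0) -> bytes:
    """Type | Length | Tag | String, as a RADIUS server would send it."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    parse_vlan_list(vlan_list)            # refuse to encode a bad list
    payload = bytes([tag]) + vlan_list.encode("ascii")
    return struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(payload)) + payload


def decode_attribute(attr: bytes) -> tuple:
    """Return (tag, parsed VLAN list) from a raw attribute.

    RFC 2868: if the first octet of the value is above 0x1F it is not a
    tag but the first byte of the string, which is what arrives when a
    server sends "1u,2t" with no tag octet at all."""
    if len(attr) < 3:
        raise ValueError("attribute too short")
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != TUNNEL_PRIVATE_GROUP_ID or alen != len(attr):
        raise ValueError("not a well-formed Tunnel-Private-Group-ID")
    body = attr[2:]
    if body[0] <= 0x1F:
        tag, text = body[0], body[1:]
    else:
        tag, text = 0, body
    return tag, parse_vlan_list(text.decode("ascii"))


if __name__ == "__main__":
    raw = encode_attribute("1u,2t", tag=1)
    print(raw.hex(), decode_attribute(raw))
```

The decoder's tag handling matters in practice: a server that omits the tag octet sends "1u,2t" whose first byte is the ASCII digit "1" (0x31), and a parser that blindly strips one byte would then read "u,2t" and assign the wrong VLANs.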
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.

clear network-access mac-address-table
Use this command to clear entries from the secure MAC address table.

Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.

Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC Address Aging     : Disabled

Port : 1/1
MAC Authentication                    : Disabled
MAC Authentication Intrusion Action   : Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts                    : 1024
Dynamic VLAN Assignment               : Enabled
Dynamic QoS Assignment                : Disabled
MAC Filter ID                         : Disabled
Guest VLAN                            : D
Console#

Example
Console#show network-access mac-address-table
Interface  MAC Address        RADIUS Server    Time
---------  -----------------  ---------------  ------------
1/1        00-00-01-02-03-04  172.155.120.17   00d06h32m50s
1/1        00-00-01-02-03-05  172.155.120.17   00d06h33m20s
1/1        00-00-01-02-03-06  172.155.120.17   00d06h35m10s
1/3        00-00-01-02-03-07  172.155.120.
Web Authentication

Note: Web authentication cannot be configured on trunk ports.

Table 56: Web Authentication Commands
Command                  Function                                                                                  Mode
web-auth login-attempts  Defines the limit for failed web authentication login attempts                            GC
web-auth quiet-period    Defines the amount of time to wait after the limit for failed login attempts is exceeded.

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

Syntax
[no] web-auth system-auth-control

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
  ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

show web-auth
This command displays global web authentication parameters.

Command Mode
Privileged Exec

Example
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout     : 3600
Quiet Period        : 60
Max Login Attempts  : 3
Console#

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

Command Mode
Privileged Exec

Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled

Port  Status    Authenticated Host Count
----------------------------------------
1/ 1  Disabled  0
1/ 2  Enabled   8
1/ 3  Disabled  0
1/ 4  Disabled  0
1/ 5  Disabled  0
. . .
DHCPv4 Snooping

Table 57: DHCP Snooping Commands (Continued)
Command                                         Function                                                                          Mode
ip dhcp snooping max-number                     Configures the maximum number of DHCP clients which can be supported per interface  IC
ip dhcp snooping trust                          Configures the specified interface as trusted                                     IC
ip dhcp snooping information option circuit-id  Enables or disables the use of DHCP Option 82 circuit-id suboption information     IC

◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ Filtering rules are implemented as follows:
  ■ If global DHCP snooping is disabled, all DHCP packets are forwarded.

switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.

Example
This example enables DHCP snooping globally for the switch.

◆ When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.

Command Usage
◆ Option 82 information generated by the switch is based on TR-101 syntax as shown below:

Table 58: Option 82 information
opt82  opt-len  sub-opt1  string-len  R-124 string
82     3-69     1         1-67        x1 x2 x3 x4 x5 ... x63

The circuit identifier used by this switch starts at sub-option1 and goes to the end of the R-124 string. The R-124 string includes the following information:
  ■ sub-type - Distinguishes different types of circuit IDs.
ip dhcp snooping information option remote-id
This command sets the remote ID to the switch's IP address, MAC address, an arbitrary string, or a TR-101 compliant node identifier, or removes the VLAN ID from the end of the TR-101 field. Use the no form to restore the default setting.

Example
This example sets the remote ID to the switch's IP address.
Console(config)#ip dhcp snooping information option remote-id tr101 node-identifier ip
Console(config)#

ip dhcp snooping information option
This command sets the board identifier used in Option 82 information based on TR-101 syntax. Use the no form to remove the board identifier.

Default Setting
replace

Command Mode
Global Configuration

Command Usage
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch's relay information. Note that "keep" trusts whatever Option 82 a client on an untrusted port chose to send, so a host can claim another circuit's identity; on ports facing end hosts, "replace" (the default) or "drop" is the safer choice.

ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.

ip dhcp snooping information option circuit-id
This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings.

Syntax
ip dhcp snooping information option circuit-id {string string | tr101 {node-identifier {ip | sysname} | no-vlan-field}}
no ip dhcp snooping information option circuit-id [tr101 no-vlan-field]
string - An arbitrary string inserted into the circuit identifier field.

  ■ access node identifier - ASCII string. Default is the MAC address of the switch's CPU. This field is set by the ip dhcp snooping information option command.
  ■ eth - The second field is the fixed string "eth".
  ■ slot - The slot represents the stack unit for this system.
  ■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
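The Option 82 layout from Table 58, the TR-101 circuit-id fields listed above, and the drop/keep/replace policy, as an added example that is not the switch's own code: it builds the circuit-id string "<node-id> eth <slot>/<port>[:<vlan>]" (vlan omitted to mirror no-vlan-field), wraps it with an optional remote-id into an Option 82 value, parses such a value with length checks, and decides what the switch forwards when a client request already carries Option 82. Sub-option codes 1 and 2 come from RFC 3046; the node identifier, port numbers and remote-id used in the sample are constructed.

```python
"""Added example (not part of the Edgecore guide): build and parse DHCP
Option 82 sub-options and apply the drop/keep/replace policy.  Sub-option
codes come from RFC 3046; the TR-101 circuit-id layout follows the field
list in the guide.  Sample node identifier, slot, port and VLAN values
are constructed for this example."""
OPTION_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def tr101_circuit_id(node_id: str, slot: int, port: int, vlan=None) -> bytes:
    """Circuit identifier string; vlan=None mirrors the no-vlan-field option."""
    text = f"{node_id} eth {slot}/{port}"
    if vlan is not None:
        text += f":{vlan}"
    return text.encode("ascii")


def build_option82(circuit_id: bytes, remote_id: bytes = None) -> bytes:
    """Option 82 = code, length, then (sub-option, length, data) groups."""
    for part in (circuit_id, remote_id):
        if part is not None and len(part) > 255:
            raise ValueError("sub-option exceeds its one-byte length field")
    body = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    if len(body) > 255:
        raise ValueError("option 82 exceeds its one-byte length field")
    return bytes([OPTION_AGENT_INFO, len(body)]) + body


def parse_option82(opt: bytes) -> dict:
    """Return {sub-option code: data}; reject any length that overruns."""
    if len(opt) < 2 or opt[0] != OPTION_AGENT_INFO or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed option 82")
    subs, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated sub-option header")
        code, length = opt[i], opt[i + 1]
        if i + 2 + length > len(opt):
            raise ValueError("sub-option length overruns option")
        subs[code] = opt[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def apply_policy(client_opt82, switch_opt82: bytes, policy: str = "replace"):
    """Option 82 the switch forwards for a client request on an untrusted port.

    policy follows the guide: "replace" (default) overwrites client-supplied
    Option 82, "keep" leaves it, "drop" discards the packet (returned as None)."""
    if client_opt82 is None:
        return switch_opt82
    if policy == "replace":
        return switch_opt82
    if policy == "keep":
        return client_opt82
    if policy == "drop":
        return None
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: CPU MAC as node identifier, unit 1 port 5, VLAN 10.
    cid = tr101_circuit_id("00-e0-0c-00-00-fd", 1, 5, 10)
    opt = build_option82(cid, b"192.168.1.1")
    print(opt.hex(), parse_option82(opt))
```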
ip dhcp snooping max-number
This command configures the maximum number of DHCP clients which can be supported per interface. Use the no form to restore the default setting.

Syntax
ip dhcp snooping max-number max-number
no ip dhcp snooping max-number
max-number - Maximum number of DHCP clients.

VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.

Example
Console#clear ip dhcp snooping database flash
Console#

ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.

Command Mode
Privileged Exec

Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.

show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.

Command Mode
Privileged Exec

Example
Console#show ip dhcp snooping binding
MAC Address        IP Address       Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.
IPv4 Source Guard

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.

Syntax
ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port-list
no ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id
mode - Specifies the binding mode.
  acl - Adds binding to ACL table.
  mac - Adds binding to MAC address table.

◆ Static bindings are processed as follows:
  ■ A valid static IP source guard entry will be added to the binding table in ACL mode if one of the following conditions is true:
    ■ If there is no binding entry with the same VLAN ID and MAC address, a new entry will be added to the binding table using the type of static IP source guard binding.

ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.

Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.

the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table), including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of "active" entries per port.

Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added in the MAC address table if IP traffic passes the checking process in the MAC mode binding table.
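The static-binding rule, the sip / sip-mac filtering decision and the per-port max-binding described in the preceding passages, as one added example that models them in Python; it is not the switch firmware. Bindings carry the fields the guide lists (MAC, VLAN, IP, port, static or learned by DHCP snooping). The decision follows the text above: a match on VLAN, source IP and port (plus source MAC in sip-mac mode) forwards the packet if the entry is static, or if it is dynamic and DHCP snooping is enabled. The sample table and packets are constructed, and the max-binding of 5 is the ACL-table default shown in the show ip source-guard output.

```python
"""Added example (not the switch's firmware): a model of the IPv4 source
guard checks described in the guide.  The binding table and the packets
used in the tests are constructed for this example."""
from dataclasses import dataclass
import re

_MAC = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$")   # guide format xx-xx-xx-xx-xx-xx


@dataclass(frozen=True)
class Binding:
    mac: str      # lower-case xx-xx-xx-xx-xx-xx
    vlan: int
    ip: str
    port: str     # e.g. "eth 1/1"
    static: bool  # True = ip source-guard binding, False = learned by DHCP snooping


def add_static_binding(table: list, entry: Binding, max_binding: int) -> bool:
    """Add a static entry only if no entry with the same VLAN ID and MAC
    address exists (the guide's rule) and the port is still below its
    max-binding.  Returns True when the entry was added."""
    if not _MAC.match(entry.mac) or not 1 <= entry.vlan <= 4094:
        raise ValueError("bad MAC format or VLAN ID")
    if any(b.vlan == entry.vlan and b.mac == entry.mac for b in table):
        return False
    if sum(1 for b in table if b.port == entry.port) >= max_binding:
        return False
    table.append(entry)
    return True


def allow_packet(table, mode: str, dhcp_snooping_enabled: bool, *,
                 src_mac: str, vlan: int, src_ip: str, port: str) -> bool:
    """Forward decision for an inbound IP packet on a source-guard port.

    Matches VLAN, source IP and ingress port, plus source MAC in sip-mac
    mode.  With DHCP snooping disabled only static bindings count; with it
    enabled, dynamically learned bindings are accepted as well."""
    if mode not in ("sip", "sip-mac"):
        raise ValueError("mode must be sip or sip-mac")
    for b in table:
        if (b.vlan, b.ip, b.port) != (vlan, src_ip, port):
            continue
        if mode == "sip-mac" and b.mac != src_mac.lower():
            continue
        if b.static or dhcp_snooping_enabled:
            return True
    return False
```

The sip-mac case in the tests is the one worth remembering: a host that keeps its own MAC but borrows a neighbour's DHCP-assigned IP passes the sip check, because only the IP, VLAN and port are compared, and is stopped only by sip-mac.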
Example
Console#show ip source-guard
Interface  Filter-type  Filter-table  ACL Table Max-binding  MAC Table Max-binding
---------  -----------  ------------  ---------------------  ---------------------
Eth 1/1    DISABLED     ACL           5                      1024
Eth 1/2    DISABLED     ACL           5                      1024
Eth 1/3    DISABLED     ACL           5                      1024
Eth 1/4    DISABLED     ACL           5                      1024
Eth 1/5    DISABLED     ACL           5                      1024
. . .

show ip source-guard binding
This command shows the source guard binding table.

ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain "man-in-the-middle" attacks.

ip arp inspection
This command enables ARP Inspection globally on the switch. Use the no form to disable this function.

Syntax
[no] ip arp inspection

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command.

ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.

Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range}
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID.

ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.

Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.

ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.

Syntax
ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
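The validate checks above (dst-mac, src-mac, ip with allow-zeros) together with the binding check that ARP Inspection performs on untrusted ports, as an added example in Python; it is not the switch's implementation. It builds and parses Ethernet/ARP frames, reports which validate options a frame fails, and then looks the sender up in a table of (VLAN, MAC, IP) bindings as DHCP snooping would have learned them. Two assumptions are not stated by the guide: the dst-mac check is applied only to ARP replies (usual DAI practice, since a request's target MAC is not yet known), and the ip check treats 0.0.0.0 (unless allow-zeros), 255.255.255.255 and multicast addresses as invalid. The frames and bindings in the sample are constructed.

```python
"""Added example (not the switch's code): parse Ethernet/ARP frames, apply
the ip arp inspection validate checks and the binding lookup for untrusted
ports.  Frames and the binding table are constructed for this example."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """14-byte Ethernet header followed by a 28-byte IPv4-over-Ethernet ARP body."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha)
            + ipaddress.IPv4Address(spa).packed + mac(tha)
            + ipaddress.IPv4Address(tpa).packed)
    return eth + body


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
        "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def _bad_ip(addr, allow_zeros: bool) -> bool:
    """Assumed invalid set for the 'ip' option: 0.0.0.0 (unless allowed),
    the limited broadcast address and multicast."""
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return not allow_zeros
    return addr.is_multicast or addr == ipaddress.IPv4Address("255.255.255.255")


def validate(pkt: dict, *, dst_mac=False, ip=False, allow_zeros=False,
             src_mac=False) -> list:
    """Return the names of the validate checks the packet fails."""
    failed = []
    if src_mac and pkt["eth_src"] != pkt["sha"]:
        failed.append("src-mac")
    # dst-mac only on replies: assumption, the guide gives no direction.
    if dst_mac and pkt["op"] == ARP_REPLY and pkt["eth_dst"] != pkt["tha"]:
        failed.append("dst-mac")
    if ip:
        if _bad_ip(pkt["spa"], allow_zeros):
            failed.append("ip(sender)")
        if pkt["op"] == ARP_REPLY and _bad_ip(pkt["tpa"], False):
            failed.append("ip(target)")
    return failed


def inspect(frame: bytes, vlan: int, trusted: bool, bindings: set,
            **checks) -> tuple:
    """(forward?, reason).  bindings holds (vlan, mac bytes, IPv4Address)
    tuples; ARP on a trusted port is not inspected."""
    if trusted:
        return True, "trusted port"
    pkt = parse_arp(frame)
    failed = validate(pkt, **checks)
    if failed:
        return False, "validate failed: " + ",".join(failed)
    if (vlan, pkt["sha"], pkt["spa"]) not in bindings:
        return False, f"no binding for {pkt['spa']} on VLAN {vlan}"
    return True, "binding ok"
```

The spoofed-reply case in the tests shows why the validate options exist on top of the binding check: a reply whose ARP body carries a legitimate sender MAC/IP pair passes the binding lookup even though the Ethernet source is the attacker's, and only src-mac catches the mismatch.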
Chapter 9 | General Security Measures ARP Inspection ip arp inspection vlan This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. Syntax [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID. (Range: 1-4094) vlan-range - A consecutive range of VLANs indicated by the use a hyphen, or a random group of VLANs with each entry separated by a comma.
Chapter 9 | General Security Measures ARP Inspection ip arp inspection limit This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. Syntax ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Chapter 9 | General Security Measures ARP Inspection Example Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address  Dst IP Address
--- ---- ---- --------------  --------------
1   1    11   192.168.2.2     192.168.2.
Console#
Example
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status  ACL Name  ACL Status
-------  ----------  --------  ----------
1        disabled    sales     static
Console#

Denial of Service Protection
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection echo-chargen bit-rate-in-kilo 65
Console(config)#

dos-protection smurf
This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65
Console(config)#

dos-protection tcp-null-scan
This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.
Example
Console(config)#dos-protection tcp-syn-fin-scan
Console(config)#

dos-protection tcp-xmas-scan
This command protects against DoS TCP-xmas-scan attacks in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet.
Example
Console(config)#dos-protection udp-flooding bit-rate-in-kilo 65
Console(config)#

dos-protection win-nuke
This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems.
 WinNuke Attack : Disabled, 1000 kilobits per second
Console#

Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
show
This command displays the configured traffic segments.
10 Access Control Lists
Access Control Lists (ACL) provide ingress packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
bitmask – Dotted decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
time-range-name - Name of the time range. (Range: 1-16 characters)
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
◆ New rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.
no {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [dscp dscp] [precedence precedence] [source-port sport [bitmask]] [destination-port dport [port-bitmask]]
{permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [dscp dscp] [precedence precedence] [source-port sport [bitmask]] [destination-port dport [port-bi
Command Usage
◆ All new rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bit mask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any controlflag 2 2
Console(config-ext-acl)#
Related Commands
access-list ip (334)
Time Range (159)

ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the port.
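The bitmask and first-match semantics described in the Command Usage above, modelled in Python as an added example (this is not code from the Edge-core guide). Assumptions: the action taken when no rule matches is passed in as a parameter because the guide does not state it here, and the "controlflag code bitmask" test is modelled as the same masked compare applied to the TCP flag field.

```python
"""Reference model of extended IPv4 ACL evaluation as documented above:
rules are checked in the order they were added (new rules append to the
end) and the first matching rule decides.  An address matches when
(packet_addr AND bitmask) == (rule_addr AND bitmask); 1 bits mean "match",
0 bits mean "ignore".  "controlflag 2 2" is modelled as
(flags AND 2) == 2, i.e. SYN must be set (assumption, see lead-in)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP flag bit values in the "controlflag code bitmask" numbering
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def addr_matches(packet_addr: str, rule_addr: str, bitmask: str) -> bool:
    """Bitmask semantics from the guide: mask both addresses, then compare."""
    mask = int(IPv4Address(bitmask))
    return (int(IPv4Address(packet_addr)) & mask) == (int(IPv4Address(rule_addr)) & mask)


@dataclass
class Rule:
    """One extended IPv4 ACL rule; 'any' is address 0.0.0.0 with bitmask 0.0.0.0."""
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # "tcp", "udp" or None for any protocol
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: Optional[int] = None
    flag_code: int = 0               # controlflag code
    flag_mask: int = 0               # controlflag bitmask; 0 means not checked

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if not addr_matches(pkt["src"], self.src, self.src_mask):
            return False
        if not addr_matches(pkt["dst"], self.dst, self.dst_mask):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.flag_mask and (pkt.get("flags", 0) & self.flag_mask) != (self.flag_code & self.flag_mask):
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict, default: str = "deny") -> str:
    """First-match evaluation in list order; 'default' is an assumption."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The guide's own example rule: permit tcp 192.168.1.0 255.255.255.0 any controlflag 2 2
SYN_FROM_CLASS_C = [
    Rule("permit", "tcp", src="192.168.1.0", src_mask="255.255.255.0",
         flag_code=SYN, flag_mask=SYN),
]

# Order matters because new rules append to the end: deny telnet, then permit the rest
DENY_TELNET_THEN_PERMIT = [Rule("deny", "tcp", dport=23), Rule("permit")]

# Constructed sample packets (not from the guide)
SYN_PKT = {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 443, "flags": SYN}
ACK_PKT = {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 443, "flags": ACK}
OTHER_NET_PKT = {"proto": "tcp", "src": "192.168.2.10", "dst": "10.0.0.5", "dport": 443, "flags": SYN}
TELNET_PKT = {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5", "dport": 23, "flags": SYN}

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN_PKT), ("ACK", ACK_PKT), ("other net", OTHER_NET_PKT)]:
        print(f"{name:>10}: {evaluate(SYN_FROM_CLASS_C, pkt)}")
    print("telnet, deny-first :", evaluate(DENY_TELNET_THEN_PERMIT, TELNET_PKT))
    print("telnet, permit-first:", evaluate(list(reversed(DENY_TELNET_THEN_PERMIT)), TELNET_PKT))
```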
show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
 IP access-list david in
Console#

show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL.
IPv6 ACLs
The commands in this section configure ingress ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
◆ An ACL can contain up to 64 rules.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (Standard IPv6 ACL) (341)
permit, deny (Extended IPv6 ACL) (342)
ipv6 access-group (345)
show ipv6 access-list (346)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands
access-list ipv6 (340)
Time Range (159)

permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128 for source prefix, 0-128 for destination prefix)
dscp – DSCP traffic class. (Range: 0-63)
next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
sport – Protocol source port number. (Range: 0-65535)
dport – Protocol destination port number.
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent from any source to any destination when the next header is 43.
Console(config-ext-ipv6-acl)#permit any any next-header 43
Console(config-ext-ipv6-acl)#
Here is a more detailed example for setting the CPU rate limit for SNMP packets.
ipv6 access-group
This command binds an IPv6 ACL to a port. Use the no form to remove the port.
Syntax
ipv6 access-group acl-name in [time-range time-range-name] [counter]
no ipv6 access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-32 characters)
counter – Enables counter for ACL statistics.
Related Commands
ipv6 access-group (345)

show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Syntax
show ipv6 access-list {standard | extended} [acl-name]
standard – Specifies a standard IPv6 ACL.
extended – Specifies an extended IPv6 ACL.
acl-name – Name of the ACL.
MAC ACLs
Table 68: MAC ACL Commands (Continued)
Command | Function | Mode
show mac access-group | Shows port assignments for MAC ACLs | PE
show mac access-list | Displays the rules for configured MAC ACLs | PE

access-list mac
This command enters MAC ACL configuration mode. Rules can be added to filter packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Rules can also filter packets based on IPv4/v6 addresses, including Layer 4 ports and protocol types. Use the no form to remove a rule.
{any | host destination | destination address-bitmask} [cos cos cos-bitmask] [vid vid vid-bitmask]
{permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name]
no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}
tagged-eth2 – Tagged Ethernet II packets.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
■ 0800 - IP
■ 0806 - ARP
■ 8137 - IPX
◆ If an Extended IPv4 rule and MAC rule match the same packet, and these rules specify a “permit” entry and “deny” entry, the “deny” action takes precedence.
Command Usage
If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
Related Commands
show mac access-list (351)
Time Range (159)

show mac access-group
This command shows the ports assigned to MAC ACLs.
Related Commands
permit, deny (348)
mac access-group (350)

ARP ACLs
The commands in this section configure ingress ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Example
Console(config)#access-list arp factory
Console(config-arp-acl)#
Related Commands
permit, deny (353)
show access-list arp (354)

permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Command Mode
ARP ACL
Command Usage
New rules are added to the end of the list.
Example
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
Related Commands
access-list arp (352)

show access-list arp
This command displays the rules for configured ARP ACLs.
ACL Information
This section describes commands used to display ACL information.
 IP access-list david
 MAC access-list jerry
Console#

show access-list
This command shows all ACLs and associated rules.
Syntax
show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]]
arp – Shows ingress rules for ARP ACLs.
hardware counters – Shows statistics for all ACLs.
11 Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Interface Configuration
Table 71: Interface Commands (Continued)
Command | Function | Mode
transceiver-threshold rx-power | Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message | IC
transceiver-threshold temperature | Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message | IC
transceiver-threshold tx-power | Sets thresholds for the transceiver power level
port-list - Physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers.
Example
The following example configures Ethernet port 5 capabilities to include 100half and 100full.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands
negotiation (363)
speed-duplex (364)
flowcontrol (361)

description
This command adds a description to an interface.
flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[no] flowcontrol
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
history
This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table.
Syntax
history name interval buckets
no history name
name - A symbolic name for this entry in the sampling table. (Range: 1-32 characters)
interval - The interval for sampling statistics. (Range: 1-1440 minutes)
buckets - The number of samples to take.
Command Mode
Interface Configuration (Ethernet)
Command Usage
Available sfp-forced modes include:
ECS2100-10T/PE/P: Ports 9-10 (1000BASE SFP) support 1000sfp & 100fx
ECS2100-28T/P/PP: Ports 25-28 (1000BASE SFP) support 1000sfp & 100fx
Example
This forces the switch to use the 1000sfp mode for SFP port 28.
Related Commands
capabilities (359)
speed-duplex (364)

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved.
◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
Command Mode
Privileged Exec
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Example
The following example clears statistics on port 5.
Console#show interfaces brief
Interface  Name  Status  PVID  Pri  Speed/Duplex  Type  Trunk
---------- ----------------- ------------ ----- --- --------------- -------------- -----
[one row each for Eth 1/ 1 through Eth 1/10, Eth 1/11 ~ Eth 1/28, Trunk 1 and Trunk 3; the Trunk column shows memberships StaticTrunk3 and DynamicTrunk1, the remaining column values are not recoverable]
       0 Error Input
 ===== Extended Iftable Stats =====
      23 Multi-cast Input
    5525 Multi-cast Output
     170 Broadcast Input
      11 Broadcast Output
 ===== Ether-like Stats =====
       0 FCS Errors
       0 Single Collision Frames
       0 Multiple Collision Frames
       0 Deferred Transmissions
       0 Late Collisions
       0 Excessive Collisions
       0 Internal Mac Transmit Errors
       0 Frames Too Long
       0 Symbol Errors
       0 Pause Frames Input
       0 Pause Frames Output
 ===== RMON Stats =====
       0 Drop Events
16900558 Octets
Table 72: show interfaces counters - display description (Continued)
Parameter | Description
Discard Input | The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Table 72: show interfaces counters - display description (Continued)
Parameter | Description
Symbol Errors | For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present.
Table 72: show interfaces counters - display description (Continued)
Parameter | Description
Octets output per second | Number of octets leaving this interface in kbits per second.
Packets output per second | Number of packets leaving this interface in packets per second.
Output utilization | The output utilization rate for this interface.
 Interval          : 900 second(s)
 Buckets Requested : 96
 Buckets Granted   : 1
 Status            : Active
Current Entries
 Start Time    %     Octets Input  Unicast  Multicast  Broadcast  Discards  Errors
 ------------  ----  ------------  -------  ---------  ---------  --------  ------
 00d 00:15:04  0.00  72675         524      35         41         41        0
               %     Octets Output Unicast  Multicast  Broadcast
               ----  ------------- -------  ---------  ---------
               0.
port-channel channel-id (Range: 1-8)
vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-10/28)
port-channel channel-id (Range: 1-8)
Default Setting
Shows all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration setting for port 1.
Transceiver Threshold Configuration
Table 73: show interfaces switchport - display description (Continued)
Field | Description
VLAN Membership Mode | Indicates membership mode as Trunk or Hybrid (page 484).
Ingress Rule | Shows if ingress filtering is enabled or disabled (page 483).
Acceptable Frame Type | Shows if acceptable VLAN frames include all types or tagged frames only (page 481).
Native VLAN | Indicates the default Port VLAN ID (page 485).
transceiver-threshold-auto
This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature.
threshold. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the high threshold and reaches the low threshold.
◆ If trap messages are enabled with the transceiver-monitor command, a low-threshold alarm or warning message is sent if the current value is less than or equal to the threshold, and the last sample value was greater than the threshold.
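The rising/falling event rule with its re-arm condition, modelled in Python as an added example (not code from the Edge-core guide). Assumptions: the falling side re-arms symmetrically when the value climbs back to the high threshold, the first sample alone never produces an event because there is no previous sample to compare against, and the TxPower alarm thresholds are taken from the show interfaces transceiver output shown later in this section while the sample series is constructed.

```python
"""Model of transceiver threshold events as described above: a rising event
fires when a sample is at or above the high threshold and the previous
sample was below it; no further rising event is generated until the value
has dropped to the low threshold, which is itself reported as a falling
event (value <= low threshold while the previous sample was above it).
The symmetric re-arm of the falling side is an assumption."""
from typing import List, Optional, Tuple

# TxPower(dBm) alarm thresholds from the DDM Thresholds table in this section
TX_POWER_LOW_ALARM_DBM = -11.50
TX_POWER_HIGH_ALARM_DBM = -1.00

# Constructed sample series: crosses high, dips just under it and comes back
# (no second event), drops to the low alarm, then climbs back above high.
TX_POWER_SAMPLES = [-6.0, -1.0, -1.2, -0.5, -3.0, -11.5, -12.0, -0.9]


def threshold_events(samples: List[float], low: float, high: float) -> List[Tuple[int, str]]:
    """Return (sample_index, "rising" | "falling") events with hysteresis."""
    events: List[Tuple[int, str]] = []
    prev: Optional[float] = None
    rising_armed = True    # a rising event may be generated
    falling_armed = True   # a falling event may be generated (assumed symmetric)
    for i, value in enumerate(samples):
        if prev is not None:
            if value >= high and prev < high:
                # Reaching the high threshold re-arms the falling side.
                falling_armed = True
                if rising_armed:
                    events.append((i, "rising"))
                    rising_armed = False
            elif value <= low and prev > low:
                # Reaching the low threshold re-arms the rising side.
                rising_armed = True
                if falling_armed:
                    events.append((i, "falling"))
                    falling_armed = False
        prev = value
    return events


def tx_power_demo() -> List[Tuple[int, str]]:
    """Run the constructed series against the TxPower alarm thresholds."""
    return threshold_events(TX_POWER_SAMPLES, TX_POWER_LOW_ALARM_DBM, TX_POWER_HIGH_ALARM_DBM)


if __name__ == "__main__":
    for index, kind in tx_power_demo():
        print(f"sample {index} ({TX_POWER_SAMPLES[index]:.2f} dBm): {kind} event")
```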
Command Mode
Interface Configuration (SFP Ports)
Command Usage
◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
Command Usage
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.
Example
The following example sets alarm thresholds for the transceiver temperature at port 1.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.
Example
The following example sets alarm thresholds for the signal power transmitted at port 1.
Example
The following example sets alarm thresholds for the transceiver voltage at port 1.
DDM Info
 Temperature  : 35.64 degree C
 Vcc          : 3.25 V
 Bias Current : 12.13 mA
 TX Power     : 2.36 dBm
 RX Power     : -24.20 dBm
DDM Thresholds
                       Low Alarm   Low Warning  High Warning  High Alarm
 --------------------  ----------  -----------  ------------  ----------
 Temperature(Celsius)      -45.00       -40.00         85.00       90.00
 Voltage(Volts)              2.90         3.00          3.60        3.70
 Current(mA)                 1.00         3.00         50.00       60.00
 TxPower(dBm)              -11.50       -10.50         -2.00       -1.00
 RxPower(dBm)              -23.98       -23.01         -1.00        0.
Console#
                       Low Alarm   Low Warning  High Warning  High Alarm
 --------------------  ----------  -----------  ------------  ----------
 Temperature(Celsius)     -123.00         0.00         70.00       75.00
 Voltage(Volts)              3.10         3.15          3.45        3.50
 Current(mA)                 6.00         7.00         90.00      100.00
 TxPower(dBm)              -12.00       -11.50         -9.50       -9.00
 RxPower(dBm)              -21.50       -21.00         -3.50       -3.00
Console#

Cable Diagnostics

test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.
Example
Console#test cable-diagnostics interface ethernet 1/24
Console#

show cable-diagnostics
This command shows the results of a cable diagnostics test.
Syntax
show cable-diagnostics interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Power Savings

power-save
This command enables power savings mode on the specified port. Use the no form to disable this feature.
Syntax
[no] power-save
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet ports 1-22/48)
Command Usage
◆ Power saving mode only applies to the Gigabit Ethernet ports using copper media.
◆ Power savings can be enabled on Gigabit Ethernet RJ-45 ports.
Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps, and the line length is less than 60 meters.
Example
Console(config)#interface ethernet 1/24
Console(config-if)#power-save
Console(config-if)#

show power-save
This command shows the configuration settings for power savings.
12 Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 8 trunks.
Manual Configuration Commands
Guidelines for Creating Trunks
General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e.
src-dst-ip - Load balancing based on source and destination IP address.
src-dst-mac - Load balancing based on source and destination MAC address.
src-ip - Load balancing based on source IP address.
src-mac - Load balancing based on source MAC address.
Default Setting
src-dst-ip
Command Mode
Global Configuration
Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
■ src-mac: All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts.
Example
Console(config)#port channel load-balance dst-ip
Console(config)#

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
 Multicast Storm             : Disabled
 Multicast Storm Limit       : 500 packets/second
 Unknown Unicast Storm       : Disabled
 Unknown Unicast Storm Limit : 500 packets/second
 Storm Threshold Resolution  : 1 packets/second
 Flow Control                : Disabled
 MAC Learning                : Enabled
 Link-up-down Trap           : Enabled
Current status:
 Created By                  : LACP
 Link Status                 : Up
 Port Operation Status       : Up
 Operation Speed-duplex      : 1000full
 Up Time                     : 0w 0d 0h 0m 53s (53 seconds)
 Flow Control Type
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state.
Note: Configuring the partner admin-key does not affect remote or local switch operation. The local switch just records the partner admin-key for user reference.
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link.
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
Default Setting
0
Command Mode
Interface Configuration (Port Channel)
Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Trunk Status Display Commands
LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second. When it receives an LACPDU set with a long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds.
◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands
MarkerPDU Received : 0
MarkerResponsePDU Sent : 0
MarkerResponsePDU Received : 0
Unknown Packet Received : 0
Illegal Packet Received : 0
. . .
Table 75: show lacp counters - display description
Field Description
LACPDUs Sent Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received Number of valid LACPDUs received on this channel group.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 76: show lacp internal - display description (Continued) Field Description System Priority LACP system priority assigned to this port channel. Port Priority LACP port priority assigned to this interface within the channel group.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 77: show lacp neighbors - display description (Continued) Field Description Partner Oper Port ID Operational port number assigned to this aggregation port by the port’s protocol partner. Port Admin Priority Current administrative value of the port priority for the protocol partner. Port Oper Priority Priority value assigned to this aggregation port by the partner.
13 Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the RJ-45 ports 1-8 on the ECS2100-10PE/10P and RJ-45 ports 1-24 on the ECS2100-28P/28PP. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
Chapter 13 | Power over Ethernet Commands power inline compatible This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802.3af PoE standard. Use the no form to disable this feature. Syntax [no] power inline compatible unit unit - Unit identifier.
Chapter 13 | Power over Ethernet Commands Default Setting class Command Mode Global Configuration Command Usage The IEEE standard does not define the maximum power of each PD class. The following table is an example from Microsemi's PoE IC implementation. Table 80: Maximum PoE Based on PD Classification PD Class Maximum Power (Watts) Class 0 (AF) 16.1 Class 0 (AT) 33.6 Class 1 4.2 Class 2 7.3 Class 3 16.1 Class 4 33.
Chapter 13 | Power over Ethernet Commands 370000 mW for ECS2100-28PP without external power supply 740000 mW for ECS2100-28PP with external power supply Command Mode Global Configuration Command Usage ◆ Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source. ◆ If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
Chapter 13 | Power over Ethernet Commands Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#no power inline
Console(config-if)#
power inline maximum allocation This command limits the power allocated to specific ports. Use the no form to restore the default setting.
Chapter 13 | Power over Ethernet Commands Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline maximum allocation 8000
Console(config-if)#
power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port.
Chapter 13 | Power over Ethernet Commands ◆ If sufficient power cannot be made available by turning off power to lower-priority ports, power may not be supplied to a device connected to a high or critical priority port. The priority setting will be ignored if a device is connected to a port after the switch has finished booting up. When a newly connected device causes the switch to exceed its budget, power will not be provided to that device’s port regardless of its priority setting.
Chapter 13 | Power over Ethernet Commands Syntax power download filename filename - Name of the PoE chip firmware. (Range: 1-32 characters) Default Setting None Command Mode Global Configuration Command Usage ◆ Periodically, Edgecore will provide new PoE chip firmware. Only Edgecore PoE chip firmware can be downloaded using the “power download” command. ◆ The PoE firmware file must be copied to the switch as a “config” file type, not as an “opcode” file as might be expected.
Chapter 13 | Power over Ethernet Commands ------------------------------ ------- ------- ------------------- --------Unit 1: ECS2100_V1.2.2.15.bix OpCode Y 2017-10-27 10:05:27 9,130,248 22021119_0816_003.s19 Config N 2018-03-21 09:19:37 ,162,180 Factory_Default_Config.cfg Config N 2016-04-13 05:28:36 477 startup1.
Chapter 13 | Power over Ethernet Commands Table 82: show power inline status - display description Field Description Compatible Mode Shows if the switch detects and provides power to powered devices that were designed prior to the IEEE 802.
Chapter 13 | Power over Ethernet Commands show power mainpower Use this command to display the current power status for the switch. Syntax show power mainpower unit unit - Unit identifier. (Range: 1) Command Mode Privileged Exec Example This example shows the maximum available PoE power and maximum allocated PoE power.
Console#show power mainpower unit 1
Unit 1 PoE Status
PoE Maximum Available Power : 200.0 Watts (using internal power
PoE Maximum Allocation Power : 50.
14 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands vlan-id - VLAN ID (Range: 1-4094) Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. Command Mode Interface Configuration (Ethernet, destination port) Command Usage You can mirror traffic from any source port to a destination port for real-time analysis.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 is prohibited.) 2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored. 3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. 4.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port. rspan source Use this command to specify the source port and traffic type to be mirrored remotely.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Example The following example configures the switch to mirror received packets from ports 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#
rspan destination Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. Example The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/2 Console(config)# rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. ◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
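A validator for an RSPAN plan, added here as an example (not Edgecore code). It encodes only the rules stated in this section: VLAN 1 is prohibited, uplinks must be trunk or hybrid ports, a source switch has a single uplink, and a port with port security cannot be an uplink; the exclusion of VLAN 4093 comes from the vlan command's note that it is reserved for clustering.

```python
"""Check an RSPAN session plan against the rules quoted in this section.

Added example, not Edgecore code. Roles, port modes and rules come from the
text; the class and field names are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Port:
    name: str                 # e.g. 'ethernet 1/2'
    mode: str                 # 'access' | 'trunk' | 'hybrid' (switchport mode)
    port_security: bool = False


@dataclass
class RspanSwitch:
    role: str                 # 'source' | 'intermediate' | 'destination'
    rspan_vlan: int           # VLAN created with 'vlan ... rspan'
    uplinks: List[Port]       # uplink ports given to 'rspan ... remote vlan'
    sources: List[Port] = field(default_factory=list)   # source switch only
    destination: Optional[Port] = None                  # destination switch only


def validate_rspan(sw: RspanSwitch) -> List[str]:
    """Return the list of rule violations; an empty list means the plan is acceptable."""
    problems: List[str] = []
    if sw.rspan_vlan == 1:
        problems.append("RSPAN VLAN 1 (the default VLAN) is prohibited")
    elif sw.rspan_vlan == 4093:
        problems.append("VLAN 4093 is reserved for switch clustering")
    elif not 1 <= sw.rspan_vlan <= 4094:
        problems.append(f"VLAN {sw.rspan_vlan} is outside the VLAN ID range 1-4094")
    if sw.role not in ("source", "intermediate", "destination"):
        problems.append(f"unknown switch role {sw.role!r}")
    if not sw.uplinks:
        problems.append("at least one uplink port is required")
    if sw.role == "source" and len(sw.uplinks) > 1:
        problems.append("a source switch may have only one uplink port")
    for up in sw.uplinks:
        if up.mode == "access":
            problems.append(f"{up.name}: access ports cannot be RSPAN uplinks")
        if up.port_security:
            problems.append(f"{up.name}: port security is enabled, so it cannot be an uplink")
    if sw.role == "source" and not sw.sources:
        problems.append("a source switch needs at least one rspan source interface")
    if sw.role == "destination" and sw.destination is None:
        problems.append("a destination switch needs an rspan destination interface")
    return problems
```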
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Three sessions are allowed, including both local and remote mirroring, using different VLANs for RSPAN sessions.
15 Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Table 87: Congestion Control Commands Command Group Function Rate Limiting Sets the input and output rate limits for a port.
Chapter 15 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input – Input rate for specified interface output – Output rate for specified interface rate – Maximum value in kbps.
Chapter 15 | Congestion Control Commands Rate Limit Commands
~
Console#config
Console(config)#interface ethernet 1/4
Console(config-if)#no rate-limit output
Console(config-if)#end
Console#show running-config
~
interface ethernet 1/3
!
interface ethernet 1/4
rate-limit output 200
no rate-limit output
!
interface ethernet 1/5
~
◆ If the no form of the command accompanies the rate-limit in the running-config file, the rate-limiting function is disabled.
Chapter 15 | Congestion Control Commands Storm Control Commands 802.1Q Tunnel TPID : 8100 (Hex) Console# Related Command show interfaces switchport (373) Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
Chapter 15 | Congestion Control Commands Storm Control Commands Command Usage ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
16 Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Chapter 16 | Loopback Detection Commands loopback-detection This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection. Syntax [no] loopback-detection Default Setting Enabled Command Mode Global Configuration Interface Configuration (Ethernet, Port Channel) Command Usage Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Chapter 16 | Loopback Detection Commands Command Usage ◆ When a port receives a control frame sent by itself, this means that the port is in looped state, and the VLAN in the frame payload is also in looped state with the wrong VLAN tag. The looped port is therefore shut down. ◆ Use the loopback-detection recover-time command to set the time to wait before re-enabling an interface shut down by the loopback detection process.
Chapter 16 | Loopback Detection Commands Example Console(config)#loopback-detection recover-time 120 Console(config-if)# loopback-detection transmit-interval This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting. Syntax loopback-detection transmit-interval seconds no loopback-detection transmit-interval seconds - The transmission interval for loopback detection control frames.
Chapter 16 | Loopback Detection Commands Command Mode Global Configuration Command Usage Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery. Example Console(config)#loopback-detection trap both Console(config)# loopback-detection release This command releases all interfaces currently shut down by the loopback detection feature.
Chapter 16 | Loopback Detection Commands
Recover Time : 60
Action : Shutdown
Trap : None
Loopback Detection Port Information
Port Admin State Oper State
-------- ----------- ----------
Eth 1/ 1 Enabled Normal
Eth 1/ 2 Disabled Disabled
Eth 1/ 3 Disabled Disabled
. . .
17 Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Chapter 17 | Address Table Commands mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 17 | Address Table Commands clear mac-address-table dynamic This command removes any learned entries from the forwarding database related to the option specified. Syntax clear mac-address-table dynamic [address mac-address | interface interface | vlan vlan-id | all] address mac-address - MAC hardware address mask - Bits to match in the address. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 17 | Address Table Commands show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] mac-address - MAC address. mask - Bits to match in the address. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 17 | Address Table Commands ■ Delete on Timeout — The entry is deleted if no ingress packet with a source address matching the entry is received before its aging timer expires. The entry remains in the database and its timer is reset if an ingress packet with a source address that matches the entry is received.
Chapter 17 | Address Table Commands Command Mode Privileged Exec Example
Console#show mac-address-table count interface ethernet 1/1
MAC Entries for Eth 1/1
Total Address Count : 0
Static Address Count : 0
Dynamic Address Count : 0
Console#show mac-address-table count
Compute the number of MAC Address...
18 Smart Pair Commands Smart Pair Concept A smart pair consists of two ports which are paired to provide layer 2 link redundancy. The pair consists of a primary port and a backup port. All traffic is forwarded through the primary port and the backup port will be set to standby. If the primary port link goes down, the backup port is activated and all traffic is forwarded through it. If the primary port recovers, all traffic will again be forwarded through the primary port after a configured delay.
Chapter 18 | Smart Pair Commands Smart Pair Concept Command Mode Global Configuration Command Usage Use the command to create a new smart pair or to enter the smart-pair configuration mode of an existing smart pair. Example Console(config)#smart-pair 1 Console(config-smart-pair)# smart-pair restore Use the smart-pair restore command to manually restore traffic to the primary port of a specified smart pair. Syntax smart-pair restore ID ID - Identification Number.
Chapter 18 | Smart Pair Commands Smart Pair Concept primary-port This command configures the primary port of a specified smart pair. Use the no form of the command to remove the configured primary port from the smart pair. Syntax primary-port interface no primary-port interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 18 | Smart Pair Commands Smart Pair Concept backup-port This command configures the backup port of a specified smart pair. Use the no form of the command to remove the configured backup port from the smart pair. Syntax backup-port interface no backup-port interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 18 | Smart Pair Commands Smart Pair Concept wtr-delay This command sets the wait-to-restore delay for a smart pair. Use the no form of the command to set the delay to the default value. Syntax wtr-delay seconds seconds - delay in seconds (Range:0, 5-3600) Default Setting None Command Mode Smart Pair Configuration Mode Command Usage ◆ If the wtr-delay parameter is set to 0, traffic will not be restored after a failed port is recovered.
19 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Chapter 19 | Spanning Tree Commands Table 93: Spanning Tree Commands (Continued) Command Function Mode spanning-tree loopbackdetection action Configures the response for loopback detection to block user traffic or shut down the interface IC spanning-tree loopbackdetection release-mode Configures loopback release mode for a port IC spanning-tree loopback-detection trap Enables BPDU loopback SNMP trap notification for a port IC spanning-tree mst cost Configures the path cost of an instance in th
Chapter 19 | Spanning Tree Commands route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down. ◆ When spanning tree is enabled globally by this command or enabled on an interface (spanning-tree spanning-disabled command), loopback detection is disabled.
Chapter 19 | Spanning Tree Commands Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Chapter 19 | Spanning Tree Commands spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
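The max-age bounds above depend on the hello-time and forward-time in force, so a timer change can silently leave no acceptable max-age. This added example (not Edgecore code) computes the bounds and checks a proposed timer set; it assumes hello-time values in seconds as on the other timer commands and enforces only the relationships quoted here.

```python
"""Check the spanning-tree max-age constraints quoted above.

Added example, not Edgecore code. Only the rules printed on this page are
enforced: max-age must lie within 6-40, be at least 2 x (hello-time + 1)
and at most 2 x (forward-time - 1).
"""
from typing import List, Tuple

MAX_AGE_FLOOR = 6     # absolute minimum accepted by the command
MAX_AGE_CEILING = 40  # absolute maximum accepted by the command


def max_age_bounds(hello_time: int, forward_time: int) -> Tuple[int, int]:
    """Return (lowest, highest) max-age values allowed for the given timers.

    lowest  = the higher of 6  and 2 x (hello-time + 1)
    highest = the lower  of 40 and 2 x (forward-time - 1)
    """
    lowest = max(MAX_AGE_FLOOR, 2 * (hello_time + 1))
    highest = min(MAX_AGE_CEILING, 2 * (forward_time - 1))
    return lowest, highest


def validate_timers(hello_time: int, forward_time: int, max_age: int) -> List[str]:
    """Return the violations for this timer set; an empty list means it is acceptable."""
    problems: List[str] = []
    lowest, highest = max_age_bounds(hello_time, forward_time)
    if lowest > highest:
        # forward-time is too short for this hello-time: no max-age can satisfy both
        problems.append(
            f"no max-age satisfies hello-time {hello_time} and forward-time "
            f"{forward_time}: it would have to be >= {lowest} and <= {highest}")
        return problems
    if max_age < lowest:
        problems.append(f"max-age {max_age} is below the minimum {lowest}")
    if max_age > highest:
        problems.append(f"max-age {max_age} is above the maximum {highest}")
    return problems
```

With the default forward-time of 15 s and a 2 s hello-time, max-age may range from 6 to 28 s.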
Chapter 19 | Spanning Tree Commands Default Setting rstp Command Mode Global Configuration Command Usage ◆ Spanning Tree Protocol This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Chapter 19 | Spanning Tree Commands spanning-tree mst configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting No VLANs are mapped to any MST instance. The region name is set to the switch’s MAC address.
Chapter 19 | Spanning Tree Commands ◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP. Example Console(config)#spanning-tree pathcost method long Console(config)# spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
Chapter 19 | Spanning Tree Commands spanning-tree system-bpdu-flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default. Syntax spanning-tree system-bpdu-flooding {to-all | to-vlan} no spanning-tree system-bpdu-flooding to-all - Floods BPDUs to all other ports on the switch.
Chapter 19 | Spanning Tree Commands Example Console(config)#spanning-tree transmission-limit 4 Console(config)# max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number no max-hops hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting 20 Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols.
Chapter 19 | Spanning Tree Commands mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance-id priority priority no mst instance-id priority instance-id - Instance identifier of the spanning tree. (Range: 0-4094) priority - Priority of the spanning tree instance.
Chapter 19 | Spanning Tree Commands Command Mode MST Configuration Command Usage ◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Chapter 19 | Spanning Tree Commands Example Console(config-mstp)#name R&D Console(config-mstp)# Related Commands revision (459) revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number no revision number - Revision number of the spanning tree.
Chapter 19 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This command stops all Bridge Protocol Data Units (BPDUs) from being transmitted on configured edge ports to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.
Chapter 19 | Spanning Tree Commands interval - The time to wait before re-enabling an interface. (Range: 30-86400 seconds) Default Setting BPDU Guard: Disabled Auto-Recovery: Disabled Auto-Recovery Interval: 300 seconds Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ An edge port should only be connected to end nodes which do not generate BPDUs.
Chapter 19 | Spanning Tree Commands cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)10 Table 94: Recommended STA Path Cost Range Port Type Short Path Cost (IEEE 802.1D-1998) Long Path Cost (IEEE 802.
Chapter 19 | Spanning Tree Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax spanning-tree edge-port [auto] no spanning-tree edge-port auto - Automatically determines if an interface is an edge port.
Chapter 19 | Spanning Tree Commands spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting. point-to-point - Point-to-point link. shared - Shared medium.
Chapter 19 | Spanning Tree Commands Command Usage ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1w-2001 9.3.4 (Note 1). ◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
Chapter 19 | Spanning Tree Commands spanning-tree loopback-detection release-mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default. Syntax spanning-tree loopback-detection release-mode {auto | manual} no spanning-tree loopback-detection release-mode auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
Chapter 19 | Spanning Tree Commands spanning-tree loopback-detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
Chapter 19 | Spanning Tree Commands interfaces attached to faster media, and higher values assigned to interfaces with slower media. ◆ Use the no spanning-tree mst cost command to specify auto-configuration mode. ◆ Path cost takes precedence over interface priority.
Chapter 19 | Spanning Tree Commands Related Commands spanning-tree mst cost (467) spanning-tree port-bpdu-flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
Chapter 19 | Spanning Tree Commands Command Usage ◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, the lowest value) will be configured as an active link in the spanning tree. ◆ Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
Chapter 19 | Spanning Tree Commands could also be used to form a border around part of the network where the root bridge is allowed. ◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.
Chapter 19 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
Chapter 19 | Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 19 | Spanning Tree Commands stp-enabled-only - Displays global settings, and settings for interfaces for which STP is enabled. Default Setting None Command Mode Privileged Exec Command Usage ◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
Chapter 19 | Spanning Tree Commands State External Admin Path Cost Internal Admin Path Cost External Oper Path Cost Internal Oper Path Cost Priority Designated Cost Designated Port Designated Root Designated Bridge Forward Transitions Admin Edge Port Oper Edge Port Admin Link Type Oper Link Type Flooding Behavior Spanning-Tree Status Loopback Detection Status Loopback Detection Release Mode Loopback Detection Trap Loopback Detection Action Root Guard Status BPDU Guard Status BPDU Guard Auto Recovery BPDU G
Chapter 19 | Spanning Tree Commands show spanning-tree This command shows the configuration of the multiple spanning tree.
20 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 20 | VLAN Commands Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage ◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
Chapter 20 | VLAN Commands Configuring VLAN Interfaces rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands” on page 415.
Chapter 20 | VLAN Commands Configuring VLAN Interfaces Table 98: Commands for Configuring VLAN Interfaces (Continued) Command Function Mode switchport native vlan Configures the PVID (native VLAN) of an interface IC switchport priority default Sets a port priority for incoming untagged frames IC interface vlan This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.
Chapter 20 | VLAN Commands Configuring VLAN Interfaces switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
Chapter 20 | VLAN Commands Configuring VLAN Interfaces Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094). add vlan-list - List of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained. remove vlan-list - List of VLAN identifiers to remove. Default Setting All ports are assigned to VLAN 1 by default.
Chapter 20 | VLAN Commands Configuring VLAN Interfaces switchport forbidden vlan Use this command to prevent a port from dynamically joining a VLAN. Use the no form of the command to disable all restrictions. Syntax switchport forbidden vlan {vlan-list | add vlan-list | remove vlan-list} no switchport forbidden vlan vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094).
Command Usage
◆ Ingress filtering only affects tagged frames.
◆ If ingress filtering is disabled and a port receives frames tagged for VLANs of which it is not a member, these frames are flooded to all other ports (except for those VLANs explicitly forbidden on this port).
◆ If ingress filtering is enabled and a port receives frames tagged for VLANs of which it is not a member, these frames are discarded.
Example
The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport mode hybrid
Console(config-if)#
Related Commands
switchport acceptable-frame-types (481)

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Displaying VLAN Information
This section describes commands used to display VLAN information.
Table 99: Commands for Displaying VLAN Information
Command                       Function                                                              Mode
show interfaces status vlan   Displays status for the specified VLAN interface                      NE, PE
show interfaces switchport    Displays the administrative and operational status of an interface    NE, PE
show vlan                     Shows VLAN information                                                NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved, and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).
Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
Syntax
[no] dot1q-tunnel tpid ethertype
ethertype - A specific Ethernet protocol number. (Range: 800-ffff hex)
Default Setting
The ethertype is set to 0x8100
Command Mode
Global Configuration
Command Usage
Use the dot1q-tunnel tpid command to set the global custom 802.1Q ethertype. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
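The interoperability point behind dot1q-tunnel tpid is easy to see on the wire: a tag is only recognised as a tag if its TPID matches what the receiving switch expects. The following Python parser, an added example and not code from the guide, walks a frame's tag stack with a configurable outer TPID; the custom value 0x88A8 and the sample frames are constructed for the demo.

```python
import struct

DEFAULT_TPID = 0x8100   # standard 802.1Q TPID, the guide's default for dot1q-tunnel tpid
CUSTOM_TPID = 0x88A8    # hypothetical third-party TPID assumed for this demo


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame carrying the given tag stack.

    tags is a list of (tpid, pcp, dei, vid) tuples, outermost first.
    """
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        out += struct.pack("!HH", tpid, tci)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def parse_tags(frame: bytes, outer_tpid: int = DEFAULT_TPID):
    """Walk the tag stack as a switch configured with `dot1q-tunnel tpid outer_tpid` would.

    The outermost tag is recognised only when its TPID equals the configured value;
    inner (customer) tags must carry the standard 0x8100 TPID.
    Returns (tags, ethertype, payload_offset) with tags as (tpid, pcp, dei, vid).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, tags, expected = 12, [], outer_tpid
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != expected:
            break
        # need the TCI of this tag plus the next ethertype field
        if len(frame) < off + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
        expected = DEFAULT_TPID
    return tags, etype, off + 2


def describe(frame: bytes, outer_tpid: int = DEFAULT_TPID) -> str:
    """Summarise how the frame is classified under the given outer TPID."""
    tags, etype, _ = parse_tags(frame, outer_tpid)
    if not tags:
        return f"untagged ethertype=0x{etype:04x}"
    if len(tags) == 1:
        return f"single-tagged vid={tags[0][3]} ethertype=0x{etype:04x}"
    return f"qinq spvlan={tags[0][3]} cvlan={tags[1][3]} ethertype=0x{etype:04x}"


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + bytes(19)   # stand-in for an IPv4 header

# Provider tag with the custom TPID, customer tag with the standard one.
QINQ_FRAME = build_frame(DST, SRC, [(CUSTOM_TPID, 3, 0, 100), (DEFAULT_TPID, 5, 0, 10)], 0x0800, PAYLOAD)
SINGLE_FRAME = build_frame(DST, SRC, [(DEFAULT_TPID, 0, 0, 20)], 0x0800, PAYLOAD)

if __name__ == "__main__":
    print("provider edge with custom TPID :", describe(QINQ_FRAME, CUSTOM_TPID))
    print("switch left at default 0x8100  :", describe(QINQ_FRAME))
    print("plain customer frame           :", describe(SINGLE_FRAME))
```

The second line of output is the failure mode the command exists to fix: a switch still expecting 0x8100 treats the provider-tagged frame as untagged with an unknown ethertype, so the SPVLAN is never seen.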
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ QinQ tunneling must be enabled on the switch using the dot1q-tunnel system-tunnel-control command before the switchport dot1q-tunnel mode interface command can take effect.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel priority map
Console(config-if)#

show dot1q-tunnel
This command displays information about 802.1Q settings.
Syntax
show dot1q-tunnel
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show dot1q-tunnel
802.1Q Tunnel Status : Enabled
802.
Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
protocol-vlan protocol-group (Configuring Groups)
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
Syntax
protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
no protocol-vlan protocol-group group-id
group-id - Group identifier of this protocol group. (Range: 1-2147483647)
frame - Frame type used by this protocol.
Default Setting
No protocol groups are mapped for any interface.
Priority: 0
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
Command Mode
Privileged Exec
Example
This shows protocol group 1 configured for IP over Ethernet:
Console#show protocol-vlan protocol-group
Protocol Group ID  Frame Type  Protocol Type
-----------------  ----------  -------------
                1  ethernet    08 00
Console#

show interfaces protocol-vlan
This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Configuring MAC Based VLANs
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
◆ A source MAC address can be mapped to only one VLAN ID.
◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, with port-based VLANs last.
◆ In the binary form of the mask, every bit ahead of the first zero bit must be a 1; that is, the mask must be a contiguous run of 1s such as 111, and cannot be a pattern such as 101 or 001.
Configuring Voice VLANs
The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
◆ Only one Voice VLAN is supported, and it must already be created on the switch before it can be specified as the Voice VLAN.
Note that when the switchport voice vlan command is set to auto mode, the show voice vlan command displays the remaining aging time. Otherwise, if the switchport voice vlan command is disabled or set to manual mode, the remaining aging time is displayed as “NA.”
Example
The following example configures the Voice VLAN aging time as 3000 minutes.
Example
The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description "A new phone"
Console(config)#

switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
switchport voice vlan priority
This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
Syntax
switchport voice vlan priority priority-value
no switchport voice vlan priority
priority-value - The CoS priority value. (Range: 0-6)
Default Setting
6
Command Mode
Interface Configuration
Command Usage
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Command Usage
◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “LLDP Commands” on page 593 for more information on LLDP.
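Both the MAC-based VLAN rules above (one VLAN per source address, no broadcast/multicast entries, contiguous mask) and the voice vlan mac-address OUI example rely on the same mask-and-compare logic. The following Python, an added example that is not the switch's code, validates entries the way the guide describes and classifies untagged frames; the VLAN IDs, the longest-mask tie-break for overlapping entries, and the sample addresses are assumptions for the demo.

```python
MAC_BITS = 0xFFFFFFFFFFFF   # 48-bit address space


def parse_mac(text: str) -> int:
    """Parse 'xx-xx-xx-xx-xx-xx' (or colon separated) into a 48-bit integer."""
    parts = text.replace(":", "-").split("-")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"malformed MAC address: {text!r}")
    return int("".join(parts), 16)


def is_contiguous_mask(mask: int) -> bool:
    """True when the mask is a run of 1 bits from the MSB followed only by 0 bits.

    ff-ff-ff-00-00-00 qualifies; ff-ff-0f-00-00-00 does not, because a 0 bit
    appears ahead of later 1 bits (the 101 / 001 pattern the guide rules out).
    """
    if mask <= 0 or mask > MAC_BITS:
        return False
    trailing = (~mask) & MAC_BITS          # the trailing 0 bits, inverted to 1s
    return trailing & (trailing + 1) == 0  # must have the form 2**k - 1


def is_unicast(mac: int) -> bool:
    """Broadcast and multicast addresses have the I/G bit (LSB of the first octet) set."""
    return (mac >> 40) & 1 == 0


def validate_entry(mac_text: str, mask_text: str):
    """Return None if the entry is acceptable, otherwise the reason it is rejected."""
    mac, mask = parse_mac(mac_text), parse_mac(mask_text)
    if not is_contiguous_mask(mask):
        return f"mask {mask_text} is not a contiguous run of 1s"
    if not is_unicast(mac):
        return f"{mac_text} is a broadcast/multicast address"
    return None


class MacVlanTable:
    """MAC address-to-VLAN mapping table with the guide's validation rules."""

    def __init__(self):
        self.entries = []   # (masked_mac, mask, vlan, description)

    def add(self, mac_text: str, mask_text: str, vlan: int, description: str = "") -> None:
        problem = validate_entry(mac_text, mask_text)
        if problem:
            raise ValueError(problem)
        mac, mask = parse_mac(mac_text), parse_mac(mask_text)
        key = mac & mask
        for e_mac, e_mask, e_vlan, _ in self.entries:
            if e_mask == mask and e_mac == key:   # one VLAN per source address range
                raise ValueError(f"{mac_text}/{mask_text} is already mapped to VLAN {e_vlan}")
        self.entries.append((key, mask, vlan, description))

    def classify(self, src_mac_text: str, pvid: int) -> int:
        """VLAN for an untagged frame: MAC table match first, port PVID last.

        Assumption: when several entries match, the longest mask wins.
        """
        src = parse_mac(src_mac_text)
        best = None
        for mac, mask, vlan, _ in self.entries:
            if (src & mask) == mac and (best is None or mask > best[0]):
                best = (mask, vlan)
        return best[1] if best else pvid


def demo() -> dict:
    """Constructed scenario: the guide's OUI example mapped to a hypothetical Voice VLAN 100."""
    table = MacVlanTable()
    table.add("00-12-34-56-78-90", "ff-ff-ff-00-00-00", 100, "A new phone")
    table.add("00-12-34-56-00-00", "ff-ff-ff-ff-00-00", 110, "narrower override")
    return {
        "phone": table.classify("00-12-34-ab-cd-ef", pvid=1),
        "override": table.classify("00-12-34-56-99-99", pvid=1),
        "other": table.classify("00-99-88-77-66-55", pvid=1),
    }


if __name__ == "__main__":
    print(demo())
    print(validate_entry("01-00-5e-00-00-01", "ff-ff-ff-ff-ff-ff"))
    print(validate_entry("00-12-34-56-78-90", "ff-ff-0f-00-00-00"))
```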
show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Syntax
show voice vlan {oui | status}
oui - Displays the OUI Telephony list.
status - Displays the global and port Voice VLAN settings.
21 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
Example
The following example shows how to assign round-robin weights of 1-8 to the CoS priority queues 0-7.
Console(config)#interface ethernet 1/1
Console(config-if)#queue weight 1 2 3 4 5 6 7 8
Console(config-if)#
Related Commands
queue mode (508)
show queue weight (511)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
port. (Note that if the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.)
Command Mode
Privileged Exec
Example
Console#show queue weight
Information of Eth 1/1
 Queue ID  Weight
 --------  ------
        0       1
        1       2
        2       4
        3       6
        4       8
        5      10
        6      12
        7      14
...

Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
queue - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
cos - CoS value in ingress packets. (Range: 0-7)
cfi - Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format.
qos map dscp-queue
This command maps DSCP values in incoming packets to per-hop behavior for priority processing. Use the no form to restore the default settings.
Syntax
qos map dscp-queue dscp-queue from dscp0 ... dscp7
no qos map dscp-queue dscp0 ... dscp7
dscp-queue - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
dscp - DSCP value in ingress packets.
Example
This example changes the priority for all packets entering port 1 which contain a DSCP value of 1 to a per-hop behavior of 3.
Console(config)#interface ethernet 1/2
Console(config-if)#qos map dscp-queue 3 from 1
Console(config-if)#

qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Example
This example sets the QoS priority mapping mode to use DSCP based on the conditions described in the Command Usage section.
Console(config)#interface 1/1
Console(config-if)#qos map trust-mode cos
Console(config-if)#

show qos map cos-queue
This command shows the ingress CoS to egress queue map.
Syntax
show qos map cos-queue interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show qos map dscp-queue
This command shows the ingress DSCP to egress queue map.
Syntax
show qos map dscp-queue interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-10/28)
Command Mode
Privileged Exec
Command Usage
This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Command Mode
Privileged Exec
Example
The following shows that the trust mode is set to CoS:
Console#show qos map trust-mode interface ethernet 1/5
Information of Eth 1/5
CoS Map Mode: CoS mode
Console#
22 Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
CoS value. Note that a class map can include match settings for both IP values and a VLAN.
3. Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode.
4. Use the class command to identify the class map, and enter Policy Map Class configuration mode. A policy map can contain up to 16 class maps.
5.
Example
This example creates a class map called “rd-class,” and sets it to match packets marked for CoS service value 3:
Console(config)#class-map rd-class
Console(config-cmap)#match cos 3
Console(config-cmap)#
Related Commands
show class-map (528)

description
This command specifies the description of a class map or policy map. Use the no form of the command to delete the description of the class map or policy map.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Command Usage
◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command.
◆ Create a Class Map (page 523) before assigning it to a Policy Map.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” and uses the set cos command to classify the service that incoming packets will receive.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set cos 3
Console(config-pmap-c)#

police rate
This command defines an enforcer for classified traffic based on the metered flow rate.
When a packet of size B bytes arrives at time t, the following happens:
■ If Tc(t) − B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0; otherwise the packet is red and Tc is not decremented.
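The metering rule above is a single token bucket: Tc fills at the committed rate up to the burst size, and each arriving packet either fits (green) or does not (red). The following Python model is an added example, not the switch's implementation; it assumes the bucket starts full and that arrivals are presented in time order, and the rate, burst and arrival pattern are constructed for the demo.

```python
class SingleRatePolicer:
    """Two-colour single-rate policer following the police rate description.

    Tc is the committed token bucket in bytes. It refills at the committed rate,
    never exceeding the burst size. A packet of B bytes arriving at time t is
    green if Tc(t) - B >= 0, in which case Tc is reduced by B (never below 0);
    otherwise it is red and Tc is left unchanged.
    """

    def __init__(self, rate_bps: int, burst_bytes: int, start_time: float = 0.0):
        self.rate_bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.tc = float(burst_bytes)      # assumption: bucket starts full
        self.last_update = start_time

    def _refill(self, t: float) -> None:
        if t < self.last_update:
            raise ValueError("arrival times must be non-decreasing")
        self.tc = min(self.burst, self.tc + (t - self.last_update) * self.rate_bytes_per_s)
        self.last_update = t

    def mark(self, size_bytes: int, t: float) -> str:
        """Colour one packet and update the bucket accordingly."""
        self._refill(t)
        if self.tc - size_bytes >= 0:
            self.tc -= size_bytes
            return "green"
        return "red"


def police(rate_bps: int, burst_bytes: int, arrivals):
    """Run (time_s, size_bytes) arrivals through a fresh policer; return the colours."""
    policer = SingleRatePolicer(rate_bps, burst_bytes)
    return [policer.mark(size, t) for t, size in arrivals]


def conforming_bytes(rate_bps: int, burst_bytes: int, arrivals) -> int:
    """Total bytes that would be forwarded as green for the given arrivals."""
    colours = police(rate_bps, burst_bytes, arrivals)
    return sum(size for (_, size), c in zip(arrivals, colours) if c == "green")


# Constructed arrival pattern: 8 kbit/s committed rate (1000 bytes/s), 1500-byte burst.
RATE_BPS = 8000
BURST = 1500
ARRIVALS = [(0.0, 1000), (0.0, 1000), (1.0, 1500), (1.5, 600), (1.5, 500)]

if __name__ == "__main__":
    for (t, size), colour in zip(ARRIVALS, police(RATE_BPS, BURST, ARRIVALS)):
        print(f"t={t:4.1f}s  B={size:5d}  ->  {colour}")
```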
set ip dscp
This command modifies the IP DSCP value in a matching packet (as specified by the match command). Use the no form to remove this traffic classification.
Syntax
[no] set ip dscp dscp
dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets.
Command Usage
◆ First define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to the required interface.
◆ If the Ethernet interface is a member of a port channel then the service-policy cannot be applied and a binding error will occur.
Example
This example applies a service policy to an ingress interface.
show policy-map
This command displays the QoS policy maps which define classification criteria for ingress or egress traffic, and may include policers for bandwidth limitations.
Syntax
show policy-map [policy-map-name [class class-map-name]]
policy-map-name - Name of the policy map. (Range: 1-32 characters)
class-map-name - Name of the class map. (Range: 1-32 characters)
Default Setting
Displays all policy maps and all classes.
 service-policy input policy-map
Interface ethernet 1/5
 service-policy input policy-map
Console#
23 Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP Snooping
This section describes commands used to configure IGMP snooping on the switch.
Table 111: IGMP Snooping Commands (Continued)
Command                                  Function                                                                                    Mode
ip igmp snooping vlan static             Adds an interface as a member of a multicast group                                          GC
ip igmp snooping vlan version            Configures the IGMP version for snooping                                                    GC
ip igmp snooping vlan version-exclusive  Discards received IGMP messages which use a version different to that currently configured  GC
clear ip igmp snooping groups dynamic    Clears multicast group information dynamicall
Example
The following example enables IGMP snooping globally.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping mrouter-forward-multicast
This command sets the switch to restrict forwarding of multicast streams on mrouter ports unless multicast groups are joined. Use the no form to disable it.
Command Mode
Global Configuration
Command Usage
◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DoS attacks.
ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
Syntax
[no] ip igmp snooping tcn-flood
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date.
Example
The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#

ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
ip igmp snooping unregistered-data-flood
This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic.
Syntax
[no] ip igmp snooping unregistered-data-flood
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned.
Example
Console(config)#ip igmp snooping unsolicited-report-interval 5
Console(config)#

ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
ip igmp snooping version-exclusive
This command discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the ip igmp snooping version command. Use the no form to disable this feature.
◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
Example
Console(config)#ip igmp snooping vlan 1 general-query-suppression
Console(config)#

ip igmp snooping vlan immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN.
Example
The following shows how to enable immediate leave.
Console(config)#ip igmp snooping vlan 1 immediate-leave
Console(config)#

ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
ip igmp snooping vlan last-memb-query-intvl
This command configures the last-member-query interval. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id last-memb-query-intvl interval
no ip igmp snooping vlan vlan-id last-memb-query-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The interval to wait for a response to a group-specific or group-and-source-specific query message.
Command Mode
Global Configuration
Command Usage
◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
Command Mode
Global Configuration
Command Usage
IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541. The switch also uses a null address in IGMP reports sent to upstream ports.
ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-interval interval
no ip igmp snooping vlan vlan-id query-interval
vlan-id - VLAN ID (Range: 1-4094)
interval - The interval between sending IGMP general queries.
Command Usage
This command applies when the switch is serving as the querier (page 535), or as a proxy host when IGMP snooping proxy reporting is enabled (page 534).
Example
Console(config)#ip igmp snooping vlan 1 query-resp-intvl 20
Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
clear ip igmp snooping groups dynamic
This command clears multicast group information dynamically learned through IGMP snooping.
Syntax
clear ip igmp snooping groups dynamic
Command Mode
Privileged Exec
Command Usage
This command only clears entries learned through IGMP snooping. Statically configured multicast addresses are not cleared.
show ip igmp snooping
This command shows the IGMP snooping, proxy, and query configuration settings.
Syntax
show ip igmp snooping [vlan vlan-id]
vlan-id - VLAN ID (1-4094)
Command Mode
Privileged Exec
Command Usage
This command displays global and VLAN-specific IGMP configuration settings.
show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
Syntax
show ip igmp snooping group [host-ip-addr [ip-address | interface] | igmpsnp | sort-by-port [ip-address | interface] | user | vlan vlan-id [user | igmpsnp]]
ip-address - IP address for multicast group
interface
ethernet unit/port
unit - Unit identifier.
Eth 1/ 2(M) 0(H)
Console#

show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Displays multicast router ports for all configured VLANs.
Command Mode
Privileged Exec
Command Usage
Multicast router port types displayed include Static or Dynamic.
port-channel channel-id (Range: 1-8)
vlan vlan-id - VLAN ID (Range: 1-4094)
query - Displays IGMP snooping-related statistics.
Table 113: show ip igmp snooping statistics output - display description
Field          Description
Interface      Shows interface.
Report         The number of IGMP membership reports sent from this interface.
Leave          The number of leave messages sent from this interface.
G Query        The number of general query messages sent from this interface.
G(-S)-S Query  The number of group specific or group-and-source specific query messages sent from this interface.
Table 114: show ip igmp snooping statistics vlan query - display description
Field            Description
Warn Rate Limit  The rate at which received query messages of the wrong version type cause the Vx warning count to increment. Note that “0 sec” means that the Vx warning count is incremented for each wrong message version received.
Command Usage
◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ip igmp filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
be assigned to one interface. Each profile has only one access mode; either permit or deny.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#

permit, deny
This command sets the access mode for an IGMP filter profile.
Syntax
{permit | deny}
Default Setting
Deny
Command Mode
IGMP Profile Configuration
Command Usage
Each profile has only one access mode; either permit or deny.
Command Mode
IGMP Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#

ip igmp filter
This command assigns an IGMP filtering profile to an interface on the switch.
ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.
Syntax
ip igmp max-groups number
no ip igmp max-groups
number - The maximum number of multicast groups an interface can join at the same time.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
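The two overflow actions behave very differently for a port that is flooded with join reports: deny caps the table and drops the newcomer, replace keeps admitting newcomers at the cost of evicting a random existing group. The following Python model of a per-port throttle is an added example, not the switch's code; the per-port limit and the group addresses are constructed for the demo.

```python
import ipaddress
import random


class IgmpThrottle:
    """Per-port IGMP group limit with the guide's two overflow actions.

    deny    : once max_groups is reached, new join reports are dropped.
    replace : a randomly chosen existing group is evicted to make room.
    rng lets a caller supply a seeded random.Random for reproducible runs.
    """

    def __init__(self, max_groups: int, action: str = "deny", rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        if max_groups < 1:
            raise ValueError("max_groups must be at least 1")
        self.max_groups = max_groups
        self.action = action
        self.groups = []          # ordered so random.choice is reproducible with a seeded rng
        self.rng = rng or random.Random()

    def join(self, group: str):
        """Process one join report. Returns (accepted, evicted_group_or_None)."""
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError(f"{group} is not an IPv4 multicast group")
        if group in self.groups:                 # refresh of an existing membership
            return True, None
        if len(self.groups) < self.max_groups:
            self.groups.append(group)
            return True, None
        if self.action == "deny":
            return False, None
        victim = self.rng.choice(self.groups)   # replace: evict one group at random
        self.groups.remove(victim)
        self.groups.append(group)
        return True, victim

    def leave(self, group: str) -> bool:
        """Process a leave; True if the group was a member of this port."""
        if group in self.groups:
            self.groups.remove(group)
            return True
        return False


def replay(action: str, max_groups: int, joins):
    """Replay a constructed sequence of joins; return (results, final membership)."""
    port = IgmpThrottle(max_groups, action)
    results = [port.join(g) for g in joins]
    return results, list(port.groups)


JOINS = ["239.1.1.1", "239.1.1.2", "239.1.1.3"]   # constructed join sequence

if __name__ == "__main__":
    for action in ("deny", "replace"):
        results, members = replay(action, 2, JOINS)
        print(f"{action:8s} -> {results}  members={members}")
```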
show ip igmp filter
This command displays the global and interface settings for IGMP filtering.
Syntax
show ip igmp filter [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Range 224.1.1.1 228.1.1.1
IGMP Profile 34
Deny
Range 229.1.1.1 235.255.255.254
Console#show ip igmp profile 19
IGMP Profile 19
Deny
Range 224.1.1.1 228.1.1.1
Console#

show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
Syntax
show ip igmp query-drop [interface [interface]]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.

Syntax
show ip igmp throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
MLD Snooping

Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
Table 117: MLD Snooping Commands (Continued)
Command | Function | Mode
clear ipv6 mld snooping statistics | Clears MLD snooping statistics | PE
show ipv6 mld snooping | Displays MLD Snooping configuration | PE
show ipv6 mld snooping group | Displays the learned multicast groups, source and host port mappings. |
Command Usage
◆ When proxy reporting is enabled with this command, reports received from downstream hosts are summarized and used to build internal membership states. Proxy-reporting devices may use the IPv6 address configured on this VLAN or the source IP address from a received report message as the source address when forwarding any summarized reports upstream.
ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.

Syntax
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
interval - The interval between sending MLD general queries.
Example
Console(config)#ipv6 mld snooping query-max-response-time 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.

Syntax
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
value - The number of the robustness variable.
Command Usage
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.

Example
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#

ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.
ipv6 mld snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.

Syntax
ipv6 mld snooping unsolicited-report-interval seconds
no ipv6 mld snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
ipv6 mld snooping vlan immediate-leave
This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.

Syntax
[no] ipv6 mld snooping vlan vlan-id immediate-leave [by-host-ip]
vlan-id - A VLAN identification number.
port-channel channel-id (Range: 1-8)

Default Setting
No static multicast router ports are configured.

Command Mode
Global Configuration

Command Usage
Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Example
Console(config)#ipv6 mld snooping vlan 1 static ff05:0:1:2:3:4:5:6 ethernet 1/6
Console(config)#

clear ipv6 mld snooping groups dynamic
This command clears multicast group information dynamically learned through MLD snooping.

Syntax
clear ipv6 mld snooping groups dynamic

Command Mode
Privileged Exec

Command Usage
This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared.
show ipv6 mld snooping
This command shows the current MLD Snooping configuration.

Syntax
show ipv6 mld snooping [vlan [vlan-id]]
vlan-id - VLAN ID (1-4094)

Command Mode
Privileged Exec

Command Usage
This command displays global and VLAN-specific MLD snooping configuration settings.
sort-by-port - Similar to the host-ip-addr parameter but sorts the output by VLAN and the IP address.
source-list - Displays the MLD groups with their Source IP address.
vlan - Specifies the VLAN to show the MLD group information for.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Console#show ipv6 mld snooping group sort-by-port ethernet 1/22
Expire: H:M:S; Uptime: H:M:S; T: Dynamic/Static; Q: Unreply query
Port      VLAN  Group                                    Expire  Uptime    T  Q
--------- ----  ---------------------------------------  ------  --------  -  -
Eth 1/22  1     ff02::fb                                 2:28    0:1:59    D  0
Eth 1/22  1     ff02::1:fff2:90d5                        2:20    0:1:59    D  0
Eth 1/22  1     ff12::1:3                                2:23    0:1:56    D  0
Eth 1/22  1     ff17::101                                2:22    0:1:57    D
Eth 1/22  2     ff12::1:3                                2:54    0:1:25
Eth 1/22  2     ff17::101                                2:53    0:1:26
Console#

show ipv6 mld snooping mrouter
This command shows MLD Snooping multicast router information.

Syntax
show ipv6 mld snooping mrouter [vlan vlan-id]
vlan-id - A VLAN identification number.
query - Displays MLD snooping query-related statistics.
Table 119: show ipv6 MLD snooping statistics output - display description
Field | Description
Interface | The unit/port or VLAN interface.
Report | The number of MLD membership reports transmitted from this interface.
Leave | The number of leave messages transmitted from this interface.
G Query | The number of general query messages transmitted from this interface.
The following shows MLD snooping summary statistics:

Console#show ipv6 mld snooping statistics summary interface e 1/1
Number of Groups: 1
Querier:                          Report & Leave:
  Transmit:                         Transmit:
    General       : 6                 Report          : 0
    Group Specific: 0                 Leave           : 0
  Recieved:                         Recieved:
    General       : 0                 Report          : 4
    Group Specific: 0                 Leave           : 0
                                    join Success    : 0
                                    Filter Drop     : 0
                                    Source Port Drop: 0
                                    Others Drop     : 0
Console#show ipv6 mld snooping statistics summary interface vlan 1
Number
Table 121: show ipv6 MLD snooping statistics summary - display description
Field | Description
Leave | The number of leave messages sent from this interface.
Recieved Report | The number of MLD membership reports received on this interface.
Leave | The number of leave messages received on this interface.
join Success | The number of times a multicast group was successfully joined.

MLD Filtering and Throttling
Table 122: MLD Filtering and Throttling Commands (Continued)
Command | Function | Mode
ipv6 mld filter | Assigns an MLD filter profile to an interface | IC
ipv6 mld max-groups | Specifies an MLD throttling number for an interface | IC
ipv6 mld max-groups action | Sets the MLD throttling action for an interface | IC
ipv6 mld query-drop | Drops any received MLD query packets | IC
show ipv6 mld filter | Displays the MLD filtering status | PE
sho
Related Commands
show ipv6 mld filter

ipv6 mld profile
This command creates an MLD filter profile number and enters MLD profile configuration mode. Use the no form to delete a profile number.

Syntax
[no] ipv6 mld profile profile-number
profile-number - An MLD filter profile number.
◆ When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, MLD join reports are only processed when a multicast group is not in the controlled range.

Example
Console(config)#ipv6 mld profile 19
Console(config-mld-profile)#permit
Console(config-mld-profile)#

range
This command specifies multicast group addresses for a profile.
ipv6 mld filter (Interface Configuration)
This command assigns an MLD filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.

Syntax
ipv6 mld filter profile-number
no ipv6 mld filter
profile-number - An MLD filter profile number.
Command Usage
◆ MLD throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either "deny" or "replace." If the action is set to deny, any new MLD join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
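The permit/deny profile semantics and the deny/replace throttling actions described above, as an added Python model that is not part of the Edge-core guide (it also covers the IPv4 IGMP profiles earlier in this chapter, since the rules are the same). Class and function names and the sample profile values are assumptions.

```python
"""Added example, not from the Edge-core guide: a model of how a filter
profile (permit/deny + ranges) and max-groups throttling (deny/replace)
decide the fate of an IGMP or MLD join report. Class and function names
and the sample profiles are assumptions; the rules are the ones the
Command Usage text describes."""
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class Profile:
    """ip igmp profile / ipv6 mld profile: access mode plus address ranges."""
    number: int
    mode: str = "deny"                      # "permit" or "deny"
    ranges: list = field(default_factory=list)

    def add_range(self, start, end=None):
        """range start [end]: one multicast address or an inclusive range."""
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end else lo
        if (lo.version != hi.version or not lo.is_multicast
                or not hi.is_multicast or hi < lo):
            raise ValueError(f"invalid multicast range {start} {end}")
        self.ranges.append((lo, hi))

    def allows(self, group):
        """permit: process joins only inside the controlled ranges;
        deny: process joins only outside them."""
        g = ipaddress.ip_address(group)
        in_range = any(lo.version == g.version and lo <= g <= hi
                       for lo, hi in self.ranges)
        return in_range if self.mode == "permit" else not in_range


@dataclass
class Port:
    """An interface with an optional filter profile and throttling settings."""
    name: str
    profile: Profile = None
    max_groups: int = None                  # None: no throttling
    action: str = "deny"                    # max-groups action: "deny" or "replace"
    groups: set = field(default_factory=set)

    def join(self, group, rng=random):
        """Apply one join report; returns 'filtered', 'joined',
        'throttled' or 'replaced'."""
        g = str(ipaddress.ip_address(group))
        if self.profile is not None and not self.profile.allows(g):
            return "filtered"               # profile does not allow this group
        if g in self.groups:
            return "joined"                 # already a member, nothing changes
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"          # new join report is dropped
            # replace: evict one existing group at random, then admit the new one
            self.groups.remove(rng.choice(sorted(self.groups)))
            self.groups.add(g)
            return "replaced"
        self.groups.add(g)
        return "joined"
```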
ipv6 mld query-drop
This command drops any received MLD query packets. Use the no form to restore the default setting.

Syntax
[no] ipv6 mld query-drop

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This command can be used to drop any query packets received on the specified interface.
MLD Profile 19
  Deny
  Range ff01::101 ff01::faa
Console#

show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.

Syntax
show ipv6 mld profile [profile-number]
profile-number - An existing MLD filter profile number.
Command Usage
Using this command without specifying an interface displays all interfaces.
Example
Console#show ipv6 mld query-drop
Ethernet 1/1: Enabled
Ethernet 1/2: Disabled
Ethernet 1/3: Disabled
Ethernet 1/4: Disabled
Ethernet 1/5: Disabled
Ethernet 1/6: Disabled
Ethernet 1/7: Disabled
Ethernet 1/8: Disabled
Ethernet 1/9: Disabled
Ethernet 1/10: Disabled
Console#show ipv6 mld query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ipv6 mld throttle
This command displays the interface settings for MLD throt
24 LLDP Commands

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
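The TLV encoding just described, as an added Python example that is not part of the Edge-core guide: it builds an LLDPDU with the mandatory Chassis ID, Port ID and TTL TLVs plus system name and description, and parses one back while checking lengths and TLV order. The TLV layout and the TTL formula are IEEE 802.1AB's; function names, the transmit interval and holdtime values are assumptions, and the MAC address is the one shown later in this chapter's show lldp info output.

```python
"""Added example, not from the Edge-core guide: encoding and parsing the
IEEE 802.1AB TLVs carried in an LLDP advertisement. Helper names and the
sample values are assumptions."""
import struct

# TLV type numbers from IEEE 802.1AB-2009, clause 8.
(END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL, PORT_DESC,
 SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR) = range(9)
CHASSIS_SUBTYPE_MAC = 4     # Chassis ID subtype: MAC address
PORT_SUBTYPE_MAC = 3        # Port ID subtype: MAC address


def encode_tlv(tlv_type, value):
    """TLV header is 16 bits: 7-bit type, 9-bit length; then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def lldp_ttl(tx_interval, holdtime_multiplier):
    """TTL as 802.1AB computes it: interval x multiplier, capped at 16 bits."""
    return min(tx_interval * holdtime_multiplier, 65535)


def _mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_lldpdu(chassis_mac, port_mac, ttl, sys_name, sys_desc):
    """Mandatory TLVs first (Chassis ID, Port ID, TTL), then optional ones, then End."""
    return b"".join([
        encode_tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + _mac_bytes(chassis_mac)),
        encode_tlv(PORT_ID, bytes([PORT_SUBTYPE_MAC]) + _mac_bytes(port_mac)),
        encode_tlv(TTL, struct.pack("!H", ttl)),
        encode_tlv(SYS_NAME, sys_name.encode()),
        encode_tlv(SYS_DESC, sys_desc.encode()),
        encode_tlv(END_OF_LLDPDU, b""),
    ])


def parse_lldpdu(data):
    """Walk the TLV chain; reject lengths that run past the PDU, a missing
    End TLV, or a PDU whose first three TLVs are not the mandatory ones."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        t, ln = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + ln > len(data):
            raise ValueError(f"TLV type {t} length {ln} runs past end of PDU")
        tlvs.append((t, data[off:off + ln]))
        off += ln
        if t == END_OF_LLDPDU:
            break
    else:
        raise ValueError("missing End of LLDPDU TLV")
    types = [t for t, _ in tlvs[:3]]
    if types != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError(f"expected Chassis ID, Port ID, TTL first; got {types}")
    return tlvs


def decode(tlvs):
    """Map the TLVs to the fields the switch's show lldp info output names."""
    info = {}
    for t, v in tlvs:
        if t == CHASSIS_ID and v and v[0] == CHASSIS_SUBTYPE_MAC:
            info["chassis_id"] = "-".join(f"{b:02X}" for b in v[1:])
        elif t == PORT_ID and v and v[0] == PORT_SUBTYPE_MAC:
            info["port_id"] = "-".join(f"{b:02X}" for b in v[1:])
        elif t == TTL and len(v) == 2:
            info["ttl"] = struct.unpack("!H", v)[0]
        elif t == SYS_NAME:
            info["system_name"] = v.decode(errors="replace")
        elif t == SYS_DESC:
            info["system_description"] = v.decode(errors="replace")
    return info
```

A receiver that does not check the 9-bit length against the remaining PDU, as parse_lldpdu does, is the classic source of LLDP parser over-reads.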
Table 123: LLDP Commands (Continued)
Command | Function | Mode
lldp basic-tlv system-description | Configures an LLDP-enabled port to advertise the system description | IC
lldp basic-tlv system-name | Configures an LLDP-enabled port to advertise its system name | IC
lldp dot1-tlv proto-ident* | Configures an LLDP-enabled port to advertise the supported protocols | IC
lldp dot1-tlv proto-vid* | Configures an LLDP-enabled port to advertise port-based protocol related VLAN information | IC
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.

Syntax
[no] lldp

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.

Syntax
lldp med-fast-start-count packet-number
no lldp med-fast-start-count
packet-number - Number of packets.
Command Usage
◆ This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
seconds - Specifies the delay before attempting to re-initialize LLDP. (Range: 1 - 10 seconds)

Default Setting
2 seconds

Command Mode
Global Configuration

Command Usage
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.

Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system's administratively assigned name, and is in turn based on the hostname command.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#

lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols.
Command Usage
This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 492).

Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-vid
Console(config-if)#

lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 481 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 493.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv vlan-name
Console(config-if)#

lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Command Usage
This option advertises MAC/PHY configuration/status, which includes information about auto-negotiation support/capabilities and the operational Multistation Access Unit (MAU) type.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv mac-phy
Console(config-if)#

lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Command Usage
◆ This command only applies to the PoE models.
◆ This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, whether it is currently enabled, whether the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
◆ Use the ca-type to advertise the physical location of the device, that is, the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776. The following table describes some of the CA type numbers and provides examples.
Console(config-if)#lldp med-location civic-addr what 2
Console(config-if)#

lldp med-notification
This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This command only applies to the PoE models. This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch and the power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises location identification details.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv location
Console(config-if)#

lldp med-tlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
show lldp config
This command shows LLDP configuration settings for all ports.

Syntax
show lldp config [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-10/28)
port-channel channel-id (Range: 1-8)

Command Mode
Privileged Exec

Example
The following example shows all basic LLDP parameters are enabled on Port 1.
MED Enabled TLVs Advertised : med-cap network-policy location ext-poe inventory
MED Location Identification:
  Location Data Format : Civic Address LCI
  Civic Address Status : Enabled
  Country Name         : US
  What                 : 2
  CA-Type              : 1
  CA-Value             : Alabama
  CA-Type              : 2
  CA-Value             : Tuscaloosa
Console#

show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
Console#show lldp info local-device detail ethernet 1/1
LLDP Local Port Information Detail
  Port             : Eth 1/1
  Port ID Type     : MAC Address
  Port ID          : 00-12-CF-DA-FC-E9
  Port Description : Ethernet Port on unit 1, port 1
  MED Capability   : LLDP-MED Capabilities
                     Network Policy
                     Location Identification
                     Inventory
Console#

show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
  Enabled Capabilities : Bridge
  Management Address   : 192.168.0.
  Software Revision : 1.2.6.0
  Serial Number     : S123456
  Manufacture Name  : Prye
  Model Name        : VP101
  Asset ID          : 340937
Console#

show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.

Syntax
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
25 Domain Name Service Commands

These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
DNS Commands

ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.

Syntax
[no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.

Syntax
[no] ip domain-lookup

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
At least one name server must be specified before DNS can be enabled.
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.

Syntax
ip domain-name name
no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Command Usage
Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries.

Example
This example maps an IPv4 address to a host name.
Console(config)#ip host rd5 192.168.1.55
Console(config)#end
Console#show hosts
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- ------------------------------
0    2    Address 192.168.1.
  sample.com.uk
Name Server List:
  192.168.1.55
  10.1.0.55
Console#

Related Commands
ip domain-name (620)
ip domain-lookup (619)

ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.

Syntax
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address.
clear dns cache
This command clears all entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#clear dns cache
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- -------
Console#

clear host
This command deletes dynamic entries from the DNS table.

Syntax
clear host {name | *}
name - Name of the host. (Range: 1-127 characters)
* - Removes all entries.
show dns
This command displays the configuration of the DNS service.

Command Mode
Privileged Exec

Example
Console#show dns
Domain Lookup Status:
  DNS enabled
Default Domain Name:
  sample.com
Domain Name List:
  sample.com.jp
  sample.com.uk
Name Server List:
  192.168.1.55
  10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#show dns cache
No.
show hosts
This command displays the static host name-to-address mapping table.

Command Mode
Privileged Exec

Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Console#show hosts
No.  Flag Type    IP Address
---- ---- ------- --------------------
0    2    Address 192.168.1.55
1    2    Address 2001:DB8:1::12
3    4    Address 209.131.36.
Multicast DNS Commands

Command Mode
Global Configuration

Command Usage
Use this command to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server. For more information on this command refer to the Web Management Guide.

Example
Console(config)#ip mdns
Console(config)#

show ip mdns
This command displays the configuration state of the multicast DNS service.
26 DHCP Commands (IPv4 and IPv6)

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
DHCP Client

DHCP for IPv4

ip dhcp dynamic-provision
This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.

Syntax
[no] ip dhcp dynamic-provision

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.
2. Define the conditions in the class section:

class "OPT66_67" {    # for option 66/67
  # option 60 (vendor class identifier) selects clients of this class
  match if option vendor-class-identifier = "Edge-core";
  # option 55
  option dhcp-parameter-request-list 1,66,67;
  # option 66
  option tftp-server-name "192.168.1.1";
  # option 67
  option bootfile-name "dhcp_config.cfg";
}

shared-network Sample2 {
  subnet 192.168.1.0 netmask 255.255.255.0 {
  }
  pool {
    allow members of "OPT66_67";
    range 192.168.1.10 192.168.1.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or the type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).
ip dhcp restart client
This command submits a BOOTP or DHCP client request.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client's last address if available.
DHCP for IPv6

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.

Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.
Example
The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#

Related Commands
ipv6 address autoconfig (662)

show ipv6 dhcp duid
This command shows the DHCP Unique Identifier for this switch.

Command Mode
Privileged Exec

Command Usage
DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.
List of known servers:
  Server address : FE80::250:FCFF:FEF9:A494
  DUID           : 0001-0001-48CFB0D5-F48F2A006801
  Server address : FE80::250:FCFF:FEF9:A405
  DUID           : 0001-0001-38CF5AB0-F48F2A003917
Console#

Related Commands
ipv6 address (661)

DHCP Relay (IPv4 and IPv6)

This section describes commands used to configure the switch to relay DHCP (v4 and v6) requests from local hosts to a remote DHCP server.
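The DUIDs printed in the server list above, decoded by an added Python example that is not part of the Edge-core guide. It handles the three DUID layouts of RFC 8415 section 11 (LLT, EN and LL), which goes beyond the DUID-LLT values the switch shows; the function names are assumptions.

```python
"""Added example, not from the Edge-core guide: decode the dash-separated
DUID strings the switch prints for itself and for known DHCPv6 servers.
Layouts follow RFC 8415 section 11; helper names are assumptions."""
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1
# DUID-LLT time: seconds since 2000-01-01 00:00:00 UTC, modulo 2**32.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def _address(hw_type, raw):
    """Ethernet addresses are shown switch-style (AA-BB-...), others as hex."""
    if hw_type == HW_ETHERNET and len(raw) == 6:
        return "-".join(f"{b:02X}" for b in raw)
    return raw.hex()


def decode_duid(text):
    """Parse a DUID written as hex with optional '-' or ':' group separators."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID too short to carry a type field")
    duid_type = int.from_bytes(raw[0:2], "big")

    if duid_type == DUID_LLT:
        # type(2) | hardware type(2) | time(4) | link-layer address
        if len(raw) < 9:
            raise ValueError("DUID-LLT needs hw type, time and an address")
        hw = int.from_bytes(raw[2:4], "big")
        secs = int.from_bytes(raw[4:8], "big")
        return {"type": "LLT", "hw_type": hw,
                "time": DUID_EPOCH + timedelta(seconds=secs),
                "address": _address(hw, raw[8:])}

    if duid_type == DUID_EN:
        # type(2) | IANA enterprise number(4) | vendor-assigned identifier
        if len(raw) < 7:
            raise ValueError("DUID-EN needs an enterprise number and identifier")
        return {"type": "EN", "enterprise": int.from_bytes(raw[2:6], "big"),
                "identifier": raw[6:].hex()}

    if duid_type == DUID_LL:
        # type(2) | hardware type(2) | link-layer address
        if len(raw) < 5:
            raise ValueError("DUID-LL needs a hw type and an address")
        hw = int.from_bytes(raw[2:4], "big")
        return {"type": "LL", "hw_type": hw, "address": _address(hw, raw[4:])}

    raise ValueError(f"unknown DUID type {duid_type}")
```

A DUID-LLT timestamp far from the device's deployment date (the page's sample decodes to 2038) usually means the clock was unset when the DUID was generated; the DUID is still stable and valid, so treat the time as informational when correlating servers.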
address - IP address of DHCP server. (Range: 1-5 addresses)

Default Setting
None

Command Mode
Global Configuration, Interface Configuration (VLAN)

Usage Guidelines
◆ DHCP relay service at the VLAN interface configuration level applies to DHCP client requests received on the specified VLAN.
◆ This command is used to configure DHCP relay for host devices attached to the switch.
Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
◆ When the DHCP client and the DHCP server are located on the same subnet, an intermediate DHCP relay agent must be enabled to function in layer 2 mode.
◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch's DHCP relay agent will not be able to forward client requests to a DHCP server.
DHCP client's subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch). This switch then broadcasts the DHCP response received from the server to the client.
◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch's DHCP relay agent will not be able to forward client requests to a DHCP server.
Proxy ARP is disabled
DHCP Client Vendor Class ID (text): ECS4510-28T
DHCP Relay Server:
Console#

Related Commands
ip dhcp relay server (635)

ip dhcp relay information option
This command enables DHCP Option 82 information relay. Use the no form of this command to disable this feature.
  ■ If a DHCP relay server has been set on the switch, when the switch receives a DHCP request packet without option 82 information from the management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent's address to the DHCP request packet, and then unicast it to the DHCP server.
  ■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch).
  ■ A DHCP relay server has been set on the switch, when the switch receives a DHCP reply packet without option 82 information from the management VLAN.
Usage Guidelines
Option 82 information must be enabled for this command to have any effect.

Example
This example configures the switch to include the extra subtype with the Option 82 information.
Console(config)#no ip dhcp relay information option encode no-subtype
Console(config)#

ip dhcp relay information policy
This command specifies how to handle client requests which already contain DHCP Option 82 information.
Chapter 26 | DHCP Commands (IPv4 and IPv6) DHCP Relay (IPv4 and IPv6) Example This example sets the Option 82 policy to keep the client information in the request packet received by the relay agent, and forward this packet on to the DHCP server.
Chapter 26 | DHCP Commands (IPv4 and IPv6) DHCP Relay (IPv4 and IPv6) The relay agent is enabled if the command show ipv6 dhcp relay destination interface displays at least one entry for a configured VLAN. The relay agent is disabled if the command displays no entries. Example This example configures the switch to enable DHCPv6 relay agent service for VLAN 200 and sets a unicast destination IPv6 address.
Chapter 26 | DHCP Commands (IPv4 and IPv6) DHCP Relay (IPv4 and IPv6) The layer 3 interface of the configured or destination VLAN must have its layer 3 interface enabled. (Adding an IPv6 or IP address to the VLAN interface will enable it.) The relay agent is enabled if the command show ipv6 dhcp relay destination interface displays at least one entry for a configured VLAN. The relay agent is disabled if the command displays no entries.
Chapter 26 | DHCP Commands (IPv4 and IPv6) DHCP Relay (IPv4 and IPv6) VLAN 620 : Console(config)# – 646 –
27 IP Interface Commands An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 or IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
Chapter 27 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage ◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets. A specific IP address can be manually configured, or the router can be directed to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything other than this format is not accepted by the configuration program.
ip default-gateway This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No default gateway is established. Command Mode Global Configuration Command Usage ◆ The default gateway can also be defined using the following Global configuration command: ip route 0.
show ip interface This command displays the settings of an IPv4 interface. Command Mode Privileged Exec Example Console#show ip interface VLAN 1 is Administrative Up - Link Up Address is 00-E0-00-00-00-01 Index: 1001, MTU: 1500 Address Mode is DHCP IP Address: 192.168.0.2 Mask: 255.255.255.
timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages ICMP sent output errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages UDP Statistics: input no port
devices respond correctly to probes by returning an “ICMP port unreachable” message. If the timer goes off before a response is returned, the trace function prints a series of asterisks and the “Request Timed Out” message. A long sequence of these messages, terminating only when the maximum timeout has been reached, may indicate this problem with the target device.
◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic. ■ Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. ■ Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
Command Usage This command can be used to stop multicast services using UDP packets from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command). Example Console(config)#interface ethernet 1/1 Console(config-if)#ip multicast-data-drop Console(config-if)# show ip multicast-data-drop This command shows if the specified interface is configured to drop multicast data packets.
ARP Configuration This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
Related Commands clear arp-cache (658) show arp (658) ip proxy-arp This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP. Syntax [no] ip proxy-arp Default Setting Disabled Command Mode Interface Configuration (VLAN) Command Usage Proxy ARP allows a non-routing device to determine the MAC address of a host on another subnet or network.
clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Command Usage The command only deletes dynamic entries in the ARP cache. The maximum number of dynamic ARP cache entries is 48. Example This example clears all dynamic entries in the ARP cache. Console#clear arp-cache This operation will delete all the dynamic entries in ARP Cache.
Chapter 27 | IP Interface Commands IPv6 Interface 145.30.20.23 09-50-40-30-20-10 dynamic VLAN3 Total entry : 3 Console# IPv6 Interface This switch supports the following IPv6 interface commands.
Table 137: IPv6 Configuration Commands (Continued) Command Function Mode clear ipv6 neighbors Deletes all dynamic entries in the IPv6 neighbor discovery PE cache show ipv6 neighbors Displays information in the IPv6 neighbor discovery cache PE Interface Address Configuration and Utilities ipv6 default-gateway This command sets an IPv6 default gateway to use for destinations with no known next hop.
Related Commands show ipv6 default-gateway (669) ip default-gateway (650) ipv6 address This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is enabled Link-local address: fe80::7272:cfff:fe83:3466%1/64 Global unicast address(es): 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::1:ff00:72 ff02::1:ff83:3466 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
◆ When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration. If the router advertisements have the “other stateful configuration” flag set, the switch may also attempt to acquire other non-address configuration information (such as a default gateway) from a DHCPv6 server when DHCPv6 is restarted. Example This example assigns a dynamic global unicast address of to the switch.
ipv6 address eui-64 This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35. ◆ This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device, as long as those interfaces are attached to different subnets.
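The modified EUI-64 transform described above (flip the universal/local bit of the first octet, insert FF-FE after the OUI), as an added worked example in Python. This is not switch code and not from Edgecore; the MAC addresses and prefixes are constructed samples, one of them chosen so that the result matches the address shown in the show ipv6 interface output above. The reverse function and the solicited-node group helper are included because an operator auditing a neighbor cache usually wants to know which addresses were derived from a burned-in MAC and which multicast groups an interface must join for them.

```python
"""Modified EUI-64 interface identifiers, as used by 'ipv6 address ... eui-64'.

Added example, not code from the switch or from Edgecore. The MAC
addresses and prefixes used below are constructed sample values.
"""
import ipaddress
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 28-9F-18-1C-82-35, 28:9f:18:1c:82:35 or 289f.181c.8235."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface ID: flip the U/L bit (bit 1) of the first
    octet, e.g. 0x28 -> 0x2A, and insert FF-FE between the 24-bit OUI and
    the 24-bit device part."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def modified_eui64_str(mac: str) -> str:
    """Same, formatted like the guide (2A-9F-18-FF-FE-1C-82-35)."""
    return "-".join(f"{b:02X}" for b in modified_eui64(mac))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID (the high 64 bits
    come from the prefix, the low 64 bits from the MAC)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a 64-bit prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Reverse the transform: recover the MAC from an EUI-64 derived address,
    or return None when the interface ID lacks the FF-FE marker (manually
    assigned or privacy addresses)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in m)


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group ff02::1:ffXX:XXXX for a unicast
    address (low 24 bits of the address); these are the ff02::1:ff... entries
    listed under 'Joined group address(es)' in show ipv6 interface."""
    low24 = int.from_bytes(ipaddress.IPv6Address(addr).packed[13:], "big")
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


if __name__ == "__main__":
    # Constructed sample values (not from a real device):
    print(modified_eui64_str("28-9F-18-1C-82-35"))            # the guide's example
    print(eui64_address("2001:db8:0:1::/64", "70-72-CF-83-34-66"))
    print(mac_from_eui64("2001:db8:0:1:7272:cfff:fe83:3466"))
    print(solicited_node_group("2001:db8:2222:7272::72"))
```

Because an EUI-64 address embeds the hardware address, mac_from_eui64 gives a direct way to cross-check show ipv6 neighbors entries against an asset list; an address for which it returns None was assigned some other way and needs a different source of truth.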
ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface. Syntax ipv6 address ipv6-address link-local no ipv6 address [ipv6-address link-local] ipv6-address - The IPv6 address assigned to the interface.
ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
IPv6 is enabled Link-local address: fe80::269:3ef9:fe19:6779%1/64 Global unicast address(es): 2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI] 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::1:ff19:6779 ff02::1:ff00:72 ff02::1:ff83:3466 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
Example The following example sets the MTU for VLAN 1 to 1280 bytes: Console(config)#interface vlan 1 Console(config-if)#ipv6 mtu 1280 Console(config-if)# Related Commands show ipv6 mtu (671) jumbo frame (110) show ipv6 default-gateway This command displays the current IPv6 default gateway.
Example This example displays all the IPv6 addresses configured for the switch.
Table 138: show ipv6 interface - display description (Continued) Field Description number of DAD attempts The number of consecutive neighbor solicitation messages sent on the interface during duplicate address detection. ND retransmit interval The interval between IPv6 neighbor solicitation retransmissions sent on an interface during duplicate address detection.
Table 139: show ipv6 mtu - display description* Field Description MTU Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path. Since Time since an ICMP packet-too-big message was received from this destination. Destination Address Address which sent an ICMP packet-too-big message. * No information is displayed if an IPv6 address has not been assigned to the switch.
neighbor advertisement messages redirect messages group membership query messages group membership response messages group membership reduction messages ICMPv6 sent 6 output destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages 3 router solicit messages router advertisement messages 3 neighbor solicit messages neighbor advertisement messages redirect messages group
Table 140: show ipv6 traffic - display description (Continued) Field Description discards The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly. delivers The total number of datagrams successfully delivered to IPv6 user protocols (including ICMP).
Table 140: show ipv6 traffic - display description (Continued) Field Description ICMPv6 Statistics ICMPv6 received input The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.
Table 140: show ipv6 traffic - display description (Continued) Field Description echo request messages The number of ICMP Echo (request) messages sent by the interface. echo reply messages The number of ICMP Echo Reply messages sent by the interface. router solicit messages The number of ICMP Router Solicitation messages sent by the interface. router advertisement messages The number of ICMP Router Advertisement messages sent by the interface.
ping6 This command sends (IPv6) ICMP echo request packets to another node on the network. Syntax ping6 {ipv6-address | host-name} [count count] [size size] ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 3 response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 4 response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 5 Ping statistics for FE80::2E0:CFF:FE00:FC%1/64: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%) Approximate round trip times: Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms Console# traceroute6 This command shows the route packets take to the specified destination.
prints a series of asterisks and the “Request Timed Out” message. A long sequence of these messages, terminating only when the maximum timeout has been reached, may indicate this problem with the target device. Example Console#traceroute6 FE80::2E0:CFF:FE9C:CA10%1 Press "ESC" to abort. Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination.
◆ An interface that is re-activated restarts duplicate address detection for all unicast IPv6 addresses on the interface. While duplicate address detection is performed on the interface's link-local address, the other IPv6 addresses remain in a “tentative” state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses.
ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value. Syntax ipv6 nd ns-interval milliseconds no ipv6 nd ns-interval milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
ipv6 nd reachable-time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache. Syntax show ipv6 neighbors [vlan vlan-id | ipv6-address] vlan-id - VLAN ID (Range: 1-4094) ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Table 141: show ipv6 neighbors - display description (Continued) Field Description D (Delay) - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. A packet was sent within the last DELAY_FIRST_PROBE_TIME interval.
28 IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Chapter 28 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip – IP address of the destination network, subnetwork, or host. netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | rip | static | summary] connected – Displays all currently connected entries. database – All known routes, including inactive routes. rip – Displays all entries learned through the Routing Information Protocol (RIP). static – Displays all static entries.
Chapter 28 | IP Routing Commands Routing Information Protocol (RIP) The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
Table 162: Routing Information Protocol Commands (Continued) Command Function Mode timers basic Sets basic timers, including update, timeout, garbage collection RC version Specifies the RIP version to use on all network interfaces (if RC not already specified with a receive version or send version command) ip rip authentication mode Specifies the type of authentication used for RIP2 packets ip rip authentication string Enables a
Related Commands network (693) default-information originate This command generates a default external route into the local RIP autonomous system. Use the no form to disable this feature. Syntax [no] default-information originate Default Setting Disabled Command Mode Router Configuration Command Usage This command sets a default route for every Layer 3 interface where RIP is enabled.
Command Usage ◆ This command does not override the metric value set by the redistribute command. When a metric value has not been configured by the redistribute command, the default-metric command sets the metric value to be used for all imported external routes. ◆ The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
Command Mode Router Configuration Command Usage ◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols. A smaller administrative distance indicates a more reliable protocol. ◆ The administrative distance is applied to all routes learned for the specified network. Example Console(config-router)#distance 2 192.
neighbor This command defines a neighboring router with which this router will exchange routing information. Use the no form to remove an entry. Syntax [no] neighbor ip-address ip-address - IP address of a neighboring router. Default Setting No neighbors are defined.
Command Usage ◆ RIP only sends and receives updates on interfaces specified by this command. If a network is not specified, the interfaces in that network will not be advertised in any RIP updates. ◆ Subnet addresses are interpreted as class A, B or C, based on the first field in the specified address. In other words, if a subnet address nnn.xxx.xxx.
Example Console(config-router)#passive-interface vlan 1 Console(config-router)# Related Commands neighbor (693) redistribute This command imports external routing information from other routing domains (that is, directly connected routes, protocols, or static routes) into the autonomous system. Use the no form to disable this feature.
Example This example redistributes static routes and sets the metric for all of these routes to a value of 3. Console(config-router)#redistribute static metric 3 Console(config-router)# Related Commands default-metric (690) timers basic This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.
◆ Setting the update timer to a short interval can cause the router to spend an excessive amount of time processing updates. ◆ These timers must be set to the same values for all routers in the network. Example This example sets the update timer to 40 seconds, the timeout timer to 240 seconds, and the garbage-collection timer to 160 seconds.
Related Commands ip rip receive version (699) ip rip send version (701) ip rip authentication mode This command specifies the type of authentication that can be used for RIPv2 packets. Use the no form to restore the default value. Syntax ip rip authentication mode {md5 | text} no ip rip authentication mode md5 - Message Digest 5 (MD5) authentication text - Indicates that a simple password will be used.
ip rip authentication string This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key. Syntax ip rip authentication string key-string no ip rip authentication string key-string - A password used for authentication.
Default Setting RIPv1 and RIPv2 packets Command Mode Interface Configuration (VLAN) Command Usage ◆ Use this command to override the global setting specified by the RIP version command. ◆ You can specify the receive version based on these options: ■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.
Command Usage Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface, for example, when only static routes are to be allowed for a specific interface. Example Console(config)#interface vlan 1 Console(config-if)#ip rip receive-packet Console(config-if)# Related Commands ip rip send-packet (702) ip rip send version This command specifies a RIP version to send on an interface.
Example This example sets the interface version for VLAN 1 to send RIPv1 packets. Console(config)#interface vlan 1 Console(config-if)#ip rip send version 1 Console(config-if)# Related Commands version (697) ip rip send-packet This command configures the interface to send RIP packets. Use the no form to disable this feature.
Command Mode Interface Configuration (VLAN) Default Setting split-horizon poisoned Command Usage ◆ Split horizon never propagates routes back to an interface from which they have been acquired. ◆ Poison reverse propagates routes back to an interface port from which they have been acquired, but sets the distance-vector metrics to infinity. (This provides faster convergence.
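The difference between split horizon and poison reverse described above, as an added example that builds the per-interface RIP update from a small routing table. This is not switch code and not from Edgecore; the route entries, interface names and the three mode names are constructed for illustration. RIP's infinity metric of 16 is the protocol value.

```python
"""RIP update generation under split horizon / poison reverse.

Added example, not switch code. The routing table below is a constructed
sample; interface names and mode strings are chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

RIP_INFINITY = 16  # RIP metric meaning "unreachable"


@dataclass(frozen=True)
class Route:
    network: str     # e.g. "10.1.0.0/24"
    metric: int      # hop count as held in the RIP table (connected = 1)
    learned_on: str  # interface the route was received on; "" if connected/static


def build_update(routes: List[Route], out_interface: str, mode: str) -> Dict[str, int]:
    """Return {network: advertised metric} for the update sent on out_interface.

    mode "none"          advertise every route as-is (no loop protection)
    mode "split-horizon" omit routes that were learned on out_interface
    mode "poisoned"      advertise those routes, but with metric 16, so the
                         neighbor that gave them to us can never prefer us as
                         a path back to them (faster convergence than silence)
    """
    if mode not in ("none", "split-horizon", "poisoned"):
        raise ValueError(f"unknown mode {mode!r}")
    update: Dict[str, int] = {}
    for r in routes:
        learned_here = bool(r.learned_on) and r.learned_on == out_interface
        if learned_here and mode == "split-horizon":
            continue
        if learned_here and mode == "poisoned":
            update[r.network] = RIP_INFINITY
            continue
        update[r.network] = min(r.metric, RIP_INFINITY)
    return update


# Constructed sample table: one connected network and two learned routes.
SAMPLE_ROUTES = [
    Route("192.168.0.0/24", 1, ""),       # connected on VLAN 1
    Route("10.1.0.0/24", 2, "vlan1"),     # learned from a neighbor on VLAN 1
    Route("10.2.0.0/24", 3, "vlan2"),     # learned from a neighbor on VLAN 2
]


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poisoned"):
        print(mode, build_update(SAMPLE_ROUTES, "vlan1", mode))
```

With mode "none", 10.1.0.0/24 is echoed back to VLAN 1 with metric 2; if the real path fails, the VLAN 1 neighbor can adopt that echo and the two routers count each other up toward 16. Split horizon drops the echo; poison reverse sends it as unreachable, which is the switch's default (split-horizon poisoned).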
Command Usage Using this command with the “all” parameter clears the RIP table of all routes. To avoid deleting the entire RIP network, use the redistribute connected command to make the RIP network a connected route. To delete the RIP routes learned from neighbors and also keep the RIP network intact, use the “rip” parameter with this command (clear ip rip route rip). Example This example clears one specific route.
show ip protocols rip This command displays RIP process parameters.
Example Console#show ip rip Codes: R - RIP, Rc - RIP connected, Rs - RIP static, C - Connected, S - Static, O - OSPF Network Next Hop Metric From Rc 192.168.0.
Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 709 ◆ “License Information” on page 711 – 707 –
A Troubleshooting Problems Accessing the Management Interface Table 163: Troubleshooting Chart
Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch.
◆ Make sure the ends are properly connected and there is no damage to the cable.
◆ Test the cable if necessary.
Symptom: Cannot connect using Secure Shell
Appendix A | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Enable SNMP. 4. Enable SNMP traps. 5. Designate the SNMP host that is to receive the error messages. 6.
B License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
Appendix B | License Information The GNU General Public License b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
Appendix B | License Information The GNU General Public License 9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
Glossary DiffServ Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
Glossary IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks. IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks.
Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. In-Band Management Management of the network from a station attached directly to the network. IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts.
Glossary MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages. MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs.
Glossary QoS Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow. RADIUS Remote Authentication Dial-in User Service.
Glossary TACACS+ Terminal Access Controller Access Control System Plus. TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network. TCP/IP Transmission Control Protocol/Internet Protocol. Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol. Telnet Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
Commands aaa accounting commands 226 aaa accounting dot1x 227 aaa accounting exec 228 aaa accounting update 229 aaa authorization commands 229 aaa authorization exec 230 aaa group server 231 absolute 160 access-list arp 352 access-list ip 334 access-list ipv6 340 access-list mac 347 accounting commands 233 accounting dot1x 232 accounting exec 233 arp 656 authentication enable 214 authentication login 215 authorization commands 234 authorization exec 235 backup-port 444 boot system 112 calendar set 158 capa
end 89 exec-timeout 126 exit 89 flowcontrol 361 history 362 hostname 97 interface 358 interface vlan 480 ip access-group 338 ip address 648 ip arp inspection 314 ip arp inspection filter 315 ip arp inspection limit 319 ip arp inspection log-buffer logs 316 ip arp inspection trust 319 ip arp inspection validate 317 ip arp inspection vlan 318 ip default-gateway 650 ip dhcp client class-id 629 ip dhcp dynamic-provision 628 ip dhcp l2 relay 636 ip dhcp l3 relay 637 ip dhcp relay information option 639
ipv6 address eui-64 664 ipv6 address link-local 666 ipv6 default-gateway 660 ipv6 dhcp client rapid-commit vlan 632 ipv6 dhcp relay destination 643 ipv6 dhcp relay destination multicast 644 ipv6 dhcp restart client vlan 632 ipv6 enable 667 ipv6 host 622 ipv6 mld filter (Global Configuration) 583 ipv6 mld filter (Interface Configuration) 586 ipv6 mld max-groups 586 ipv6 mld max-groups action 587 ipv6 mld profile 584 ipv6 mld query-drop 588 ipv6 mld snooping 566 ipv6 mld snooping proxy-reporting 566
mst vlan 457 name 458 negotiation 363 neighbor 693 network 693 network-access aging 273 network-access dynamic-qos 276 network-access dynamic-vlan 277 network-access guest-vlan 278 network-access mac-filter 274 network-access max-mac-count 278 network-access mode mac-authentication 279 network-access port-mac-filter 280 nlm 187 no rspan session 420 ntp authenticate 150 ntp authentication-key 150 ntp client 151 ntp server 152 parity 128 passive-interface 694 password 128 password-thresh 129 periodi
show dot1q-tunnel 491 show dot1x 261 show history 86 show hosts 625 show interfaces brief 366 show interfaces counters 367 show interfaces history 371 show interfaces protocol-vlan protocol-group 495 show interfaces status 372 show interfaces switchport 373 show interfaces transceiver 381 show interfaces transceiver-threshold 382 show ip access-group 339 show ip access-list 339 show ip arp inspection configuration 320 show ip arp inspection interface 320 show ip arp inspection log 321 show ip arp
show reload 89 show rmon alarms 200 show rmon events 200 show rmon history 201 show rmon statistics 201 show rspan 421 show running-config 103 show sflow 207 show smart-pair 445 show snmp 173 show snmp engine-id 184 show snmp group 185 show snmp notify-filter 190 show snmp user 186 show snmp view 187 show snmp-server enable port-traps 178 show sntp 149 show spanning-tree 473 show spanning-tree mst configuration 476 show ssh 251 show startup-config 105 show system 105 show tacacs-server 225 show te
terminal 133 test cable-diagnostics 383 timeout login response 132 time-range 159 timers basic 696 traceroute 652 traceroute6 678 traffic-segmentation 327 traffic-segmentation session 328 traffic-segmentation uplink/downlink 329 traffic-segmentation uplink-to-uplink 330 transceiver-monitor 375 transceiver-threshold current 376 transceiver-threshold rx-power 377 transceiver-threshold temperature 378 transceiver-threshold tx-power 379 transceiver-threshold voltage 380 transceiver-threshold-auto 376
E052021-CS-R07