Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Switches CLI Reference Guide Version 6.3.0.x—N2000/N3000/N4000 Series Switches Version 6.3.5.x—N3100-ON Series Switches Version 6.3.6.x—N2100-ON/N3100-ON Series Switches Version 6.4.x.x—N1100-ON Series Switches Regulatory Model: E17W/E18W/E15W/E16W/E05W/E04W/E06W/E07W/PowerConnect 8132/PowerConnect 8132F/...
Dell EMC and the Dell EMC logo are trademarks of Dell EMC Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
show dot1as statistics
Data Center Technology Commands
Data Center Bridging Commands
Data Center Bridging Exchange Protocol
show interfaces traffic
show interfaces traffic-class-group
OpenFlow Commands
Commands in this Section
Commands in this Section
arp cachesize
The CLI can be accessed from a console terminal connected to an RS-232 port or through a Telnet/SSH session. Serial communication via a dedicated USB port is available on the N1100-ON Series switch. This guide describes how the CLI is structured, describes the command syntax, and describes the command functionality.
Configures IGMP Snooping Querier and displays IGMP Snooping Querier information. IP Addressing Configures and manages IP addresses on the switch. IPv6 ACL Configures and displays ACL information for IPv6. IPv6 MLD Snooping Configures IPv6 MLD Snooping. Dell EMC Networking CLI...
Administrative Profiles Group commands into a profile and assign a profile to a Commands user upon authentication. E-mail Alerting Configures e-mail capabilities. RADIUS Configures and displays RADIUS information. TACACS+ Configures and displays TACACS+ information.
Configures BFD and displays BFD information. Configures BGP and displays BGP information. BGP Routing Policy Configures BGP routing policy and displays BGP routing policy information. DHCP Server and Relay Manages DHCP/BOOTP operations on the system. Agent (IPv4)
Managing tunneling operations. Virtual Router Manages a virtual router. Virtual Router Controls virtual LAN routing. Redundancy (IPv4) Switch Management Commands Application Deployment Manages Dell-supplied applications. Auto-Install Automatically configures switch when a configuration file is not found.
Manages file system and Command Line Interface Files scripting commands. DHCP Client Configures an interface to obtain an IP address via DHCP. HiveAgent Enables configuration of the Dell HiveAgent Line Configures the console, SSH, and remote Telnet connection. PHY Diagnostics Diagnoses and displays the interface status.
IP — IP Access List Configuration • IPAF4—IPv4 Address Family Configuration • IPAF—IPv6 Address Family Configuration • IR — Interface Range • KC — Key Chain • KE — Key • L — Logging • LC — Line Configuration
SAC—Support Assist Configuration • SC — Stack Configuration • SP — SSH Public Key • SK — SSH Public Key-chain • TC — TACACS Configuration • TRC — Time Range Configuration • UE — User Exec
(ACL) to an interface in the in-bound direction. mac access-list extended Creates the MAC Access Control List (ACL) identified by the name parameter. mac access-list extended Renames the existing MAC Access Control List rename (ACL) name.
Disables new address learning on an interface. (Interface Configuration) show mac address-table Displays dynamically created entries in the bridge-forwarding database. show mac address-table Displays all entries in the bridge-forwarding UE or address database for the specified MAC address.
Clears the ISDP counters. clear isdp table Clears entries in the ISDP table. isdp advertise-v2 Enables the sending of ISDP version 2 packets from the device. isdp enable Enables ISDP on the switch. GC or
Enables the L2 DHCP Relay agent for a set of VLANs. show dhcp l2relay all Displays the summary of DHCP L2 Relay PE or configuration. show dhcp l2relay interface Displays DHCP L2 Relay configuration specific to interfaces.
Configures the persistent location of the DHCP snooping database. ip dhcp snooping database Configures the interval in seconds at which the write-delay DHCP Snooping database will be stored in persistent storage. ip dhcp snooping limit Controls the maximum rate of DHCP messages.
VLAN or a range of VLANs to filter invalid ARP packets. ip arp inspection limit Configures the rate limit and burst interval values for an interface. ip arp inspection trust Configures an interface as trusted for Dynamic ARP Inspection.
Enters the interface configuration mode to GC or execute a command on multiple ports at the IC or same time. link debounce time Configures the debounce timer for one or IC or multiple interfaces.
Displays the status for all configured interfaces. UE show interfaces transceiver Display the optic static parameters as well as the Dell EMC qualification. show statistics Displays statistics for one port or for the entire switch. show statistics switchport Displays detailed statistics for a specific port or for the entire switch.
MEP. traceroute ethernet cfm Generates a link trace message (LTM) from the configured MEP. show ethernet cfm errors Displays the cfm errors. show ethernet cfm domain Displays the configured parameters in a maintenance domain.
Green Ethernet Command Description Mode clear counters Enables a Dell EMC proprietary mode of power reduction on ports that are not connected to another interface. green-mode eee Enables EEE low power idle mode on an interface or all the interfaces.
GVRP and dynamic VLAN creation is enabled, and which ports are running GVRP. show gvrp error-statistics Displays GVRP error statistics. show gvrp statistics Displays GVRP statistics. For the meaning of each Mode abbreviation, see Mode Types.
VLAN. For the meaning of each Mode abbreviation, see Mode Types. IGMP Snooping Querier Command Description Mode ip igmp snooping Enables/disables IGMP Snooping Querier on GC or the system (Global Configuration mode) or on a VLAN.
IPv4 addresses on the switch. ip address dhcp (Interface Acquires an IP address on an interface from the Configuration) DHCP server. ip default-gateway Defines a default gateway (router). ip domain-lookup Enables IP DNS-based host name-to-address translation.
Displays IPv6 DHCP statistics for the out-of- out-of-band statistics band interface. show ipv6 interface out-of- Displays the IPv6 out-of-band port band configuration. For the meaning of each Mode abbreviation, see Mode Types.
Statically configures a port as connected to a mrouter multicast router for a specified VLAN. ipv6 mld snooping (Global) Enables MLD Snooping on the system (Global Configuration mode). show ipv6 mld snooping Displays MLD Snooping information.
Enables IP Source Guard on an interface. ip verify binding Configures IPSG static bindings. show ip verify Displays IPSG interface configuration. show ip verify source Displays the bindings configured on a particular interface.
Adds member gigabit Ethernet port(s) to the dependency list. depends-on Adds the dependent Ethernet ports or port channels list. show link-dependency Shows the link dependencies configured on a particular group. For the meaning of each Mode abbreviation, see Mode Types.
Displays the current LLDP configuration summary. show lldp interface Displays the current LLDP interface state. show lldp local-device Displays the LLDP local data. show lldp med Displays a summary of the current LLDP MED configuration.
For the meaning of each Mode abbreviation, see Mode Types. MLAG Command Description Mode clear vpc statistics Clears the counters for the keepalive messages transmitted and received by the MLAG switch. feature vpc Enables debug traces for the specified protocols.
Displays information about the keepalive status, keepalive parameters, role of the MLAG switch, and the system MAC and priority. show vpc statistics Displays counters for the keepalive messages transmitted and received by the MLAG switch
Displays global MVR settings. show mvr members Displays the MVR membership groups allocated. show mvr interface Displays the MVR enabled interface configuration. show mvr traffic Displays global MVR statistics. For the meaning of each Mode abbreviation, see Mode Types.
Capture packets transmitted or received from Exec) the CPU monitor session Configures a port monitoring session. remote-span Configures a VLAN as an RSPAN VLAN. show monitor capture Displays captured packets transmitted or received from the CPU.
Configures WRED packet drop policy on an GC or interface CoS queue. cos-queue strict Activates the strict priority scheduler mode for GC or each specified queue. diffserv Sets the DiffServ operational mode to active.
Adds to the specified class definition a match condition based on the value of the ethertype. match ip6flowlbl Adds to the specified class definition a match v6CMC condition based on the IPv6 flow label of a packet.
Mirrors all the data that matches the class PCMC defined to the destination port specified. police-simple Implements simple color aware marking for the PCMC specified class. police-single-rate Implements a single-rate Three Color Marker PCMC (trTCM) per RFC 2698
Displays policy service information for the interface specified interface and direction. show diffserv service brief Displays all interfaces in the system to which a DiffServ policy has been attached. show interfaces cos-queue Displays the class-of-service queue configuration for the specified interface.
Displays spanning tree information per VLAN and also lists the port roles and states as well as the port cost. spanning-tree Enables spanning-tree functionality. spanning-tree auto-portfast Sets the port to auto portfast mode.
Configures the path cost for multiple spanning tree (MST) calculations. spanning-tree mst port- Configures port priority. priority spanning-tree mst priority Configures the switch priority for the specified spanning tree instance. spanning-tree portfast Enables portfast mode.
Configures the bridge priority of a VLAN. For the meaning of each Mode abbreviation, see Mode Types. UDLD Command Description Mode udld enable (Global Globally enable UDLD. UDLD must be Configuration) globally enabled and enabled on an interface to operate.
VLAN identified by groupid. protocol vlan group all Adds all Ethernet interfaces to the protocol-based VLAN identified by groupid. show dot1q-tunnel Displays the QinQ status for each interface. show interfaces switchport Displays switchport configuration. PE or
Adds or removes VLANs from a port in General vlan mode. switchport general ingress- Disables port ingress filtering. filtering disable switchport general pvid Configures the PVID when the interface is in general mode. switchport mode Configures the VLAN membership mode of a port.
For the meaning of each Mode abbreviation, see Mode Types. Voice VLAN Command Description Mode voice vlan Enables the voice VLAN capability on the switch. voice vlan (Interface) Enables the voice VLAN capability on the interface.
Enters radius dynamic authorization mode. author authentication enable Globally enables the Authentication Manager. authentication order Sets the order of authentication methods used on a port. authentication priority Sets the priority for the authentication methods used on a port.
Displays information about the authentication methods methods. show authentication Displays the Authentication Manager statistics statistics on one or more interfaces. show authorization methods Displays the configured authorization method lists. show users accounts Displays information about the local user database.
Administrative Profile for a local user. For the meaning of each Mode abbreviation, see Mode Types. E-mail Alerting Command Description Mode logging email Enables e-mail alerting and sets the lowest severity level for which log messages are e-mailed.
Configures the password required to Configuration Mode) authenticate to the e-mail server. show mail-server Displays the configuration of all the mail servers or a particular mail server. For the meaning of each Mode abbreviation, see Mode Types.
Sets the authentication and encryption key for all RADIUS communications between the switch and the RADIUS daemon. msgauth Enables the message authenticator attribute to be used for the RADIUS Authenticating server being configured. name (RADIUS server) Assigns a name to a RADIUS server.
Specifies the source IP address used for communication with RADIUS servers. radius-server source- Selects the interface from which to use the IP interface address in the source IP address field of transmitted RADIUS packets.
Specifies the order in which servers are used. show tacacs Displays TACACS+ server settings and statistics. tacacs-server host Specifies a TACACS+ server host. tacacs-server key Sets the authentication and encryption key for all TACACS+ communications between the switch and the TACACS+ daemon.
Enables manual control of the authorization state of the port. dot1x re-authenticate Manually initiates a reauthentication of all 802.1x-enabled ports or a specified 802.1X enabled port. dot1x reauthentication Enables periodic reauthentication of the client. IC dot1x system-auth-control Enables 802.1X globally. monitor
RADIUS clients that do not have an individual shared secret configured. show dot1x Displays 802.1X status for the switch or the specified interface. show dot1x authentication- Displays the dot1x authentication events and history information during successful and unsuccessful dot1x authentication processes.
Configures an additional HTTPS port for captive portal to monitor. show captive-portal Displays the status of captive portal. show captive-portal status Reports the status of all captive portal instances in the system.
Displays the clients authenticated to all captive configuration client status portal configurations or a to specific configuration. show captive-portal Displays information about clients interface client status authenticated on all interfaces or a specific interface.
Creates a user group. user group moveusers Moves a group's users to a different group. user group name Configures a group name. For the meaning of each Mode abbreviation, see Mode Types.
Enables Unicast storm control. For the meaning of each Mode abbreviation, see Mode Types. Management ACL Command Description Mode deny (management) Defines a deny rule. management access-class Defines which management access-list is used. GC
Enforces a minimum number of lowercase minimum lowercase-letters letters that a password must contain. passwords strength Enforces a minimum number of numeric minimum numeric- numbers that a password should contain. characters
Erases all public key chains or the public key chain chain for a user. crypto key zeroize {rsa|dsa} Deletes the RSA or DSA keys from the switch. ip ssh port Specifies the port to be used by the SSH server. GC
Displays the MMRP configuration for an PE or interface or globally. show mmrp statistics Displays the MMRP statistics for an interface PE or or globally. For the meaning of each Mode abbreviation, see Mode Types.
Globally enables MSRP. msrp max-fan-in-ports Configures the fan-in value used in calculating available bandwidth. msrp srclass-pvid Configures the MSRP VLAN ID for the SR traffic class on the interface. msrp srclassqav Configures the IEEE 802.1Qav class priority map.
Configures the number of sync intervals expiries with no received announce message in which case the master is considered to be no longer transmitting.
LLDP is enabled to transmit on the given interface. lldp dcbx port-role Configures the port role to manual, auto-upstream, auto-downstream and configuration source. show lldp tlv-select Displays the Traffic Class to Traffic Class Group mapping.
Selects the forwarding mode for the OpenFlow hybrid capability. ipv4 address Assigns the IPv4 source address utilized for controller connections. mode Configures the selection of interfaces used to assign the IP address utilized for controller connections.
Displays the global or interface priority flow flow-control control status and statistics. For the meaning of each Mode abbreviation, see Mode Types. Layer 3 Routing Commands ARP (IPv4) Command Description Mode Creates an Address Resolution Protocol (ARP) entry.
Configures BFD session parameters for a VLAN routing interface. bfd slow-timer Configures the BFD periodic slow transmission interval for BFD Control packets. ip ospf bfd Enable sending of BFD events to OSPF on a VLAN routing interface.
Compares MED values during the decision process in paths received from different IPAF autonomous systems. bgp client-to-client Enables client-to-client reflection. reflection (BGP Router Configuration) bgp client-to-client Enables client-to-client reflection. IPAF reflection (IPv6 Address Family Configuration)
(IPv6 Address Sets the metric of redistributed IPv6 routes IPAF Family Configuration) when a metric is not configured in the redistribute command. distance Sets the preference of BGP routes to specific IPAF destinations.
BGP may include in an Equal Cost Multipath (ECMP) route derived from paths received from neighbors outside the local autonomous system. maximum-paths (IPv6 Limits the number of ECMP next hops in IPv6 IPAF Address Family routes from external peers. Configuration)
Router Configuration) neighbor according to the advertisement’s AS Path. neighbor filter-list (IPv6 Filters BGP to apply an AS path access list to IPAF Address Family UPDATE messages received from or sent to a Configuration) specific neighbor.
Enables advertisement of IPv4 routes over IPv6 next hops selectively to an external BGP IPv6 peer. neighbor route-map (BGP Applies a route map to incoming or outgoing Router Configuration) routes for a specific neighbor.
Configures BGP to advertise routes learned by means outside of BGP. BGP can redistribute local (connected), static, OSPF, and RIP routes. redistribute (BGP IPv6) Configures BGP to redistribute non-BGP routes IPAF from the IPv6 routing table.
Displays a list of IPv6 routes received from a received-routes specific neighbor. show bgp ipv6 statistics Displays statistics for the IPv6 decision process. UE, show bgp ipv6 summary Displays a summary of BGP configuration and status.
Displays recent decision process history. show ip bgp summary Displays a summary of BGP configuration and status. show ip bgp template Lists the routes that are allowed by the specified community list.
AS path access list to a route map. match community Configures a route map to match based on a BGP community list. match ip address prefix-list Configures a route map to match based on a destination prefix.
DHCP Server and Relay Agent (IPv4) Command Description Mode ip dhcp pool Defines a DHCP address pool that can be used to supply addressing information to DHCP client. This command puts the user into DHCP Pool Configuration mode.
Sets the period for which a dynamically assigned DHCP address is valid. netbios-name-server Configures the IPv4 address of the Windows ® Internet Naming Service (WINS) for a Microsoft DHCP client. netbios-node-type Sets the NetBIOS node type for a Microsoft DHCP client.
Sets the DNS domain name which is provided v6DP Pool Config) to a DHCPv6 client by the DHCPv6 server. ipv6 dhcp pool Enters IPv6 DHCP Pool Configuration mode. ipv6 dhcp relay Configures an interface for DHCPv6 Relay functionality.
Configures a static IPv6 DHCP snooping binding. ipv6 dhcp snooping database Configures the persistent location of the DHCP snooping database. ipv6 dhcp snooping database Configures the time period between successive write-delay writes of the binding database.
Displays the IPv6 Source Guard configuration UE or on all interfaces or the specified interface. show ipv6 verify source Displays the Ipv6 source guard configurations UE or on all ports. For the meaning of each Mode abbreviation, see Mode Types.
Enables GMRP globally or on a port. GC or clear gvrp statistics Clears all the GMRO statistics information. show gmrp configuration Displays GMRP configuration. GC or For the meaning of each Mode abbreviation, see Mode Types.
Displays the registered multicast groups on the interface. show ip igmp interface Displays the IGMP information for the specified interface. show ip igmp membership Displays the list of interfaces that have registered in the multicast group.
BootP/DHCP Relay on the system. bootpdhcprelay Configures the minimum wait time in seconds minwaittime for BootP/DHCP Relay on the system. clear ip helper statistics Resets (to 0) the statistics displayed in show ip helper statistics.
For the meaning of each Mode abbreviation, see Mode Types. IP Routing Command Description Mode encapsulation Configures the link layer encapsulation type for the packet. ip icmp echo-reply Configures an IP address on an interface.
Routes packets to interface null 0. Sets a list of default next-hop IP addresses set ip default next-hop to be used if no explicit route for the packet’s destination address appears in the routing table.
Displays a summary of the memory allocation from the routing heap. For the meaning of each Mode abbreviation, see Mode Types. IPv6 Routing Command Description Mode Clears all entries in the IPv6 neighbor table or an entry on a specific interface.
Sets the MLD router's query interval for the interface. ipv6 mld query-max- Sets MLD querier's maximum response time response-time for the interface. ipv6 nd dad attempts Sets the number of duplicate address detection probes transmitted while doing neighbor discovery.
Sets the value that is placed in the Router Lifetime field of the router advertisements sent from the interface. ipv6 nd reachable-time Sets the router advertisement time to consider a neighbor reachable after neighbor discovery confirmation.
Displays information about IPv6 neighbors. show ipv6 protocols Displays information about the configured PE or GC IPv6 routing protocols. show ipv6 route Displays the IPv6 routing table.
Creates a static multicast route for a source range. ip multicast-routing Sets the administrative mode of the IP multicast forwarder in the router to active. ip multicast ttl-threshold Applies a ttlvalue to a routing interface.
Displays the system-wide multicast information. show ip multicast interface Displays the multicast information for the specified interface. show ip mroute Displays a summary or all the details of the multicast table.
Mode Types. IPv6 Multicast Command Description Mode clear ipv6 mroute Selectively clears dynamic IPv6 multicast entries from the cache. ipv6 pim (VLAN Interface Administratively enables PIM-SM multicast config) routing mode on a particular IPv6 router interface.
Display the bootstrap router (BSR) information. PE, or show ip mroute group Displays the multicast configuration settings show ip mroute source Displays the multicast configuration settings show ipv6 pim interface Displays interface config parameters. PE or
(Router OSPF) Creates a specified area range for a specified ROSPF NSSA. area stub Creates a stub area for the specified area ID. ROSPF area stub no-summary Prevents Summary LSAs from being advertised ROSPF into the NSSA.
Controls the advertisement of default routes. ROSPF originate (Router OSPF Configuration) default-metric Sets a default for the metric of distributed routes. ROSPF distance ospf Sets the route preference value of OSPF in the ROSPF router.
Enables logging of OSPFv2 neighbor state ROSPF changes. max-metric router-lsa Configures OSPF to enable stub router mode. ROSPF maximum-paths Sets the number of paths that OSPF can report ROSPF for a given destination.
Displays information about the link state database when OSPF is enabled. show ip ospf database Displays the number of each type of LSA in the database-summary database for each area and for the router.
For the meaning of each Mode abbreviation, see Mode Types. OSPFv3 Command Description Mode area default-cost (Router Configures the monetary default cost for the stub ROSV3 OSPFv3) area. area nssa (Router Configures the specified areaid to function as an ROSV3 OSPFv3) NSSA.
ROSV3 delay virtual interface on the virtual interface identified by areaid and neighbor. default-information Controls the advertisement of default routes. ROSV3 originate (Router OSPFv3 Configuration) default-metric Sets a default for the metric of distributed routes. ROSV3
Enters Router OSPFv3 Configuration mode. maximum-paths Sets the number of paths that OSPF can report ROSV3 for a given destination. Enables OSPF graceful restart. ROSV3 nsf helper Allows OSPF to act as a helpful neighbor for a ROSV3 restarting router.
Displays the information for the IFO object or virtual interface tables. show ipv6 ospf interface Displays brief information for the IFO object or brief virtual interface tables. show ipv6 ospf interface Displays the statistics for a specific interface. stats
Displays the router discovery information for all interfaces, or for a specified interface. For the meaning of each Mode abbreviation, see Mode Types.
Displays information relevant to the RIP router. PE show ip rip interface Displays information related to a particular RIP interface. show ip rip interface brief Displays general information for each RIP interface. split-horizon Sets the RIP split horizon mode.
Shows the interfaces associated with a VRF instance. For the meaning of each Mode abbreviation, see Mode Types.
Tracks route reachability. show vrrp Displays the global VRRP configuration and UE or status as well as the brief or detailed status of one or all VRRP groups.
Page 196
Switch Management Commands Application Deployment Command Description Mode application install Installs or removes a Dell-supplied application. GC application start Schedules a Dell-supplied application for immediate execution on the stack master. application stop Stops a Dell-supplied application if the application is executing on the stack master.
Page 197
Displays the SNTP configuration. show sntp server Displays the preconfigured SNTP servers. show sntp status Displays the SNTP status. sntp authenticate Set to require authentication for received NTP traffic from servers. sntp authentication-key Defines an authentication key for SNTP. Dell EMC Networking CLI...
Page 198
Applies commands in the script to the switch. for this command. script delete Deletes a specific script. script list Lists all scripts present in the switch. script show Displays the contents of a script file. script validate Validates a script file. Dell EMC Networking CLI...
For the meaning of each Mode abbreviation, see Mode Types. DHCP Client Command Description Mode release dhcp Forces the DHCPv4 client to release a leased address. renew dhcp Forces the DHCP client to immediately renew an IPv4 address lane. Dell EMC Networking CLI...
Page 200
Applies an accounting method to a line config. LC authorization Applies a command authorization method to a line config. enable authentication Specifies the authentication method list when accessing a higher privilege level from a remote telnet or console. Dell EMC Networking CLI...
Page 201
For the meaning of each Mode abbreviation, see Mode Types. PHY Diagnostics Command Description Mode show copper-ports tdr Displays the last TDR (Time Domain Reflectometry) tests on specified ports. show fiber-ports optical- Displays the optical transceiver diagnostics. transceiver Dell EMC Networking CLI...
Page 202
Reports current PoE configuration and status. show power inline Displays the version of the PoE controller firmware-version firmware present on the switch file system. For the meaning of each Mode abbreviation, see Mode Types. Dell EMC Networking CLI...
Page 203
Enables Authentication Manager debug traces interface for the interface. debug auto-voip Enables Auto VOIP debug messages. debug bfd Enables the display of BFD events or packets. debug cfm Enables CFM debugging. debug clear Disables all debug traces. Dell EMC Networking CLI...
Page 204
Displays debug information about DHCPv6 client activities and to trace DHCPv6 packets to and from the local DHCPv6 client. debug ipv6 mcache Traces MDATAv6 packet reception and transmission. debug ipv6 mld Traces MLD packet reception and transmission. PE Dell EMC Networking CLI...
Page 205
Configures the core dump file name. exception dump Configures the core dump location. exception protocol Enables full core dumps. exception switch-chip- Enables the dumping of the switch chip register registers in case of an exception. Dell EMC Networking CLI...
Page 206
Selects the interface from which to use the IP address inserted in the source IP address field of transmitted sFlow packets. show sflow agent Displays the sflow agent information. show sflow destination Displays all the configuration information related to the sFlow receivers. Dell EMC Networking CLI...
Page 207
Creates or updates an SNMP server filter entry. (Mode: GC)
snmp-server group: Configures a new SNMP group or a table that maps SNMP users to SNMP views.
snmp-server host: Specifies the recipient of SNMP notifications.
Page 208
Configures a proxy server to be used to contact the SupportAssist servers.
server: Configures a SupportAssist server and enters SupportAssist server configuration mode.
show eula-consent support-assist: Reviews the EULA details whenever desired.
show support-assist status: Displays information on the SupportAssist feature status.
Page 209
Logs messages in RFC 5424 or RFC 3164 format.
logging snmp: Enables SNMP Set command logging.
logging source-interface: Selects the interface from which to use the IP address in the source IP address field of transmitted SYSLOG packets.
Configures the rising and falling thresholds for the issuance of the message buffer SNMP trap and notification via a SYSLOG message.
clear checkpoint statistics: Clears the statistics for the checkpointing process.
clear counters stack-ports: Clears the statistics for all stack-ports.
Page 211
Disconnects the serial connection to the remote unit on a stack member.
reload: Reloads the operating system.
set description: Associates a text description with a switch in the stack.
slot: Configures a slot in the system.
Page 212
Checks the CPU utilization for each process currently running on the switch.
show process proc-list: Lists the configured and in-use resources for each application known to the Process Manager. (Mode: PE or GC)
show sessions: Displays a list of the open console sessions.
Page 213
Configures the standby in the stack.
switch renumber: Changes the identifier for a switch in the stack. (Mode: GC)
telnet: Logs into a host that supports Telnet.
traceroute: Discovers the IP routes that packets actually take when traveling to their destinations.
Adds a periodic time entry to a time range.
show time-range: Displays a time range and all the absolute/periodic time entries that are defined for the time range.
For the meaning of each Mode abbreviation, see Mode Types.
Closes an active terminal session by logging off the switch.
For the meaning of each Mode abbreviation, see Mode Types.
Web Server
Command Description Mode
common-name: Specifies the common-name for the device.
country: Specifies the country.
crypto certificate generate: Generates an HTTPS certificate.
Page 216
Displays the HTTP server status information.
show ip http server secure status: Displays the HTTP secure server status information. (Mode: UE or)
state: Specifies the state or province name.
For the meaning of each Mode abbreviation, see Mode Types.
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
Introduction
This section describes the basics of entering and editing the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Command Line Interface (CLI) commands and defines the command hierarchy. It also explains how to activate the CLI and implement its major functions.
Page 218
Two instances where the help information can be displayed are:
• Keyword lookup — The <?> key is entered in place of a command. A list of all valid commands and corresponding help messages is displayed.
• Partial keyword lookup — A command is incomplete and the <?> key is...
Page 219
Table 2-1. History Buffer
Keyword: Source or Destination
Up-arrow key, <Ctrl>+<P>: Recalls commands in the history buffer, beginning with the most recent command. Repeats the key sequence to recall successively older commands.
Down-arrow key: Returns to more recent commands in the history buffer after recalling commands with the up-arrow key.
Page 220
console(config-if-Gi1/0/1)#show interface status Port Name Duplex Speed Link Flow State Status Control --------- ------------------------- --------- ------------- --------- --------- ------------ Gi1/0/1 Unknown Auto Down Inactive Gi1/0/2 Unknown Auto Down Inactive Gi1/0/3 Unknown Auto Down Inactive Gi1/0/4 Unknown Auto Down Inactive Gi1/0/5 Unknown Auto Down Inactive Gi1/0/6...
Page 221
Table 2-2. CLI Shortcuts
Keyboard Key: Description
<Delete, Backspace>: Delete previous character
<Ctrl>+<A>: Go to beginning of line
<Ctrl>+<E>: Go to end of line
<Ctrl>+<F>: Go forward one character
<Ctrl>+<B>: Go backward one character
<Ctrl>+<D>: Delete current character
<Ctrl>+<U,X>: Delete to beginning of line
<Ctrl>+<K>...
Page 222
) or a blank. In these cases, it may be necessary to enclose the entire string in double or single quotes for the command line parser to properly interpret the parameter. Command Scripting The CLI can be used as a programmable management interface. To facilitate this function, any characters entered after the <!>...
Page 223
Table 2-3. CLI Command Notation Conventions Convention Description In a command line, square brackets indicate an optional entry. In a command line inclusive brackets indicate a selection of compulsory parameters separated by the character. One option must be selected. For example: flowcontrol auto means that for the flowcontrol command either auto, on or off must be selected.
Page 224
• Slot# — The slot number is an integer number assigned to a particular slot. Front panel ports have a slot number of 0. Rear panel ports are numbered from 1 and can be identified by the lexan on the rear panel. Use show slot command to retrieve information for a particular slot.
Page 225
Stacking interfaces are represented in the CLI with the same unit/slot/port form as Ethernet interfaces. The fixed stacking interfaces on the N2000/N2100-ON/N3000 switches always use the TwentyGigabitStacking or Tw notation and on the N1100-ON/N1500/N4000 switches, are referred to using Ethernet notation.
Loopback Interfaces
Loopback interfaces are represented in the CLI by the keyword loopback followed by the variable loopback-id, which can assume values from 0–7.
Page 226
When listed in command line output, port channel interfaces are preceded by the characters Po.
Tunnel Interfaces
Tunnel interfaces are represented in the CLI by the keyword tunnel followed by the variable tunnel-id, which can assume values from 0–7.
VLAN Routing Interfaces
VLAN interfaces are represented in the CLI by the keywords interface vlan followed by the variable vlan-id, which can assume values from 1-4093.
Page 227
(#, #-#, #) — ranges and non-consecutive interfaces listed together. For example, (1/0/1, 1/0/3-5, 1/0/7) indicates that the operation applies to the physical interfaces 1, 3, 4, 5, and 7 on unit 1. NOTE: Each physical interface must be a fully qualified interface identifier in the format unit/slot/port.
Page 228
None
console(config-if-Gi1/0/23)#show slot 2/0
Slot......2/0
Slot Status....... Empty
Admin State....... Enable
Power State....... Enable
Configured Card:
Model Identifier....Dell Networking N3024F
Card Description....Dell 24 Port 10G Fiber
Pluggable......No
Example #3
console(config-if-Gi1/0/23)#show slot
Admin Power Configured Card Slot...
Page 229
Addresses
MAC Addresses
MAC addresses are specified in 3 groups of four upper or lower case hexadecimal characters separated by periods with no spaces, e.g. 0011.2233.FFee or by eight pairs of upper or lower case hexadecimal characters separated by colons, e.g. 00:11:22:33:FF:ee. Leading zeros must be specified in all cases.
CLI Command Modes Since the set of CLI commands is very large, the CLI is structured as a command-tree hierarchy, where related command sets are assigned to command modes for easier access. At each level, only the commands related to that level are available to the user and only those commands are shown in the context sensitive help for that level.
Page 231
There are levels beneath the Global Configuration mode for further grouping of commands. The system prompt reflects these sub-Configuration modes. All the parameters are provided with reasonable defaults where possible. When starting a session, the initial mode is the User Exec mode (privilege level 0).
Page 232
console#
Global Configuration Mode
Global Configuration commands allow the operator to change the configuration of the switch. The Privileged Exec mode command configure (or configure terminal) is used to enter Global Configuration mode.
console(config)#
The following are the Global Configuration submodes:
•...
Page 233
• Policy-map — Use the policy-map command to access the QoS policy map configuration mode to configure the QoS policy map.
• Policy Class — Use the class command to access the QoS Policy-class mode to attach or remove a diffserv class from a policy and to configure the QoS policy class.
Page 234
Pre-configuration Nearly all switch features support a pre-configuration capability, even when a feature is not enabled or the required hardware is not present. Pre-configured capabilities become active only when enabled (typically via an admin mode control) or when the required hardware is present (or both). For example, a port can be pre-configured with both trunk and access mode information.
Page 235
• Interface VLAN— Enables routing on a VLAN and configures routing/L3 parameters on a VLAN.
Identifying the Switch and Command Mode from the System Prompt
The system prompt provides the user with the name of the switch (hostname) and identifies the command mode. The following is a formal description of the system command prompt:
[device name][([command mode-[object]])][# | >]
[device name] —...
Page 236
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: Privileged Exec
Access Method: Use the enable command to enter into this mode. This mode is password...
Command Prompt: console#
Exit or Access Previous Mode: Use the exit command, or press <Ctrl>+<Z>...
Page 237
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: IPv6 Address Family Configuration
Access Method: From BGP Router Configuration mode, use the address-family ipv6 command.
Command Prompt: console (config-router-af)#
Exit or Access Previous Mode: To exit to BGP Router Configuration mode, use the exit command,...
Page 238
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: MAC Access List
Access Method: From Global Configuration mode, use the mac access-list command.
Command Prompt: console(config-mac-access-list)#
Exit or Access Previous Mode: To exit to Global Configuration mode, use the exit command, or press <Ctrl>+<Z>...
Page 239
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: Radius
Access Method: From Global Configuration mode, use the radius-server host command.
Command Prompt: console(Config-auth-radius)#
Exit or Access Previous Mode: To exit to Global Configuration mode, use the exit command, or press <Ctrl>+<Z>...
Page 240
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: SNMP Community Configuration
Access Method: From Global Configuration mode, use the snmp-server community command.
Command Prompt: console(config-snmp)#
Exit or Access Previous Mode: To exit to Global Configuration mode, use the exit command, or press <Ctrl>+<Z>...
Page 241
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: Logging
Access Method: From Global Configuration mode, use the logging command.
Command Prompt: console(config-logging)#
Exit or Access Previous Mode: To exit to Global Configuration mode, use the exit command, or press <Ctrl>+<Z>...
Page 242
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: Virtual Router Config
Access Method: From Global Configuration mode, use the ip vrf command.
Command Prompt: console(config-vrf-XXX)# where XXX is the VRF name.
Exit or Access Previous Mode: To exit to Global Configuration mode, use the exit command, or press <Ctrl>+<Z>...
Page 243
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: Gigabit Ethernet
Access Method: From Global Configuration mode, use the interface gigabitethernet command.
Command Prompt: console (config-if-Giunit/slot/port#
Exit or Access Previous Mode: To exit to Global Configuration mode, use the exit command, or press <Ctrl>+<Z>...
Table 2-5. Navigating CLI Command Modes (continued)
Command Mode: VLAN
Access Method: From Global Configuration mode, use the interface vlan command.
Command Prompt: console(config-if-vlanvlan-id)#
Exit or Access Previous Mode: To exit to Global Configuration mode, use the exit command, or press <Ctrl>+<Z>...
3 When finished, exit the session with the quit or exit command. The switch can be managed over a direct connection to the switch console port or through a Telnet connection. If access is through a Telnet connection, the switch must have a defined IP address, corresponding management access granted, and a connection to the network.
Page 246
Copying Files The copy command not only provides a method for copying files within the file system, but also to and from remote servers. With the copy command and URLs to identify files, the user can back up images to local or remote systems or restore images from local or remote systems.
Page 247
• running-config — This file refers to the configuration file currently active in the system. It is possible to copy the running-config image to a backup-config file or to the startup-config file.
• startup-config — This file refers to the special configuration image stored in flash memory which is loaded when the system next reboots.
Page 248
• The serial session defaults to 9600 BAUD, eight data bits, one stop bit, no parity and no flow control (115200 for the N1100-ON, N2100-ON, and N3100-ON).
User Accounts Management
The CLI provides authentication for users either through remote authentication servers supporting TACACS+ or Radius or through a set of locally managed user accounts.
Page 249
When RADIUS is used, the Vendor-Specific Option field returns the access level. Two vendor specific options are supported. These are CISCO-AV-Pairs(Shell:priv-lvl=x) and Dell Radius VSA (user-group=x). TACACS+ provides the appropriate level of access. The following rules and specifications apply: •...
Page 250
• Log messages are implementation-dependent but may contain debug messages, security or fault events.
• The switch maintains at most the last 1000 system events in the in-memory log.
Security Logs
The system log records security events including the following:
•...
Page 251
• HTTPS and the security certificate to be used.
• SNMPv1/v2c and the read and read/write community strings to be used.
• SNMPv3 and the security information used for this protocol.
For each of these management profiles, the administrator defines the list of hosts or subnets from which the management profiles may be used.
Extracting Operational Code from .stk file...done.
Loading Operational Code...done.
Decompressing Operational Code...done.
Scanning devshell symbols file...
47544 symbols, loading...
Done.
PCI unit 0: Dev 0xb842, Rev 0x02, Chip BCM56842_A0, Driver BCM56840_B0
SOC unit 0 attached to PCI device BCM56842_A0
Adding BCM transport pointers
Configuring CPUTRANS TX
Configuring CPUTRANS RX
<186>...
Page 253
- Activate Backup Image
- Start Password Recovery
Enter Choice# 4
Creating tmpfs filesystem on /mnt/download for download...done.
Current Active Image# /dev/mtd7
Which Image to Update Active (/dev/mtd7) OR Back-Up (/dev/mtd6)? Select (A/B): B
You selected to update Back-Up Image /dev/mtd6...
Select Mode of Transfer (Press T/X/Y/Z for TFTP/XMODEM/YMODEM/ZMODEM) []:T
Please ensure TFTP server is running to begin Transfer...
Page 254
(Unit 1 - Waiting to select management unit)> Applying Global configuration, please wait ... Welcome to Dell Easy Setup Wizard The setup wizard guides you through the initial switch configuration, and gets you up and running as quickly as possible. You can skip the setup...
Page 255
Would you like to run the setup wizard (you must answer this question within 60 seconds)? [Y/N] n Thank you for using the Dell Easy Setup Wizard. You will now enter CLI mode. Applying Interface configuration, please wait ... Booting without a Startup Configuration...
Page 256
Welcome to Dell Easy Setup Wizard The setup wizard guides you through the initial switch configuration, and gets you up and running as quickly as possible. You can skip the setup wizard, and enter CLI mode to manually configure the switch.
Page 257
Password = ********
Out-of-band IP address = DHCP
VLAN1 Router Interface IP = 0.0.0.0 0.0.0.0
Proxy Server Address: 192.168.0.3
Proxy Server Port: 443
Proxy Server User Name:
Proxy Server Password:
Monitoring Traps from CLI
It is possible to connect to the CLI session and monitor the events or faults that are being sent as traps from the system.
Layer 2 Switching Commands The sections that follow describe commands that conform to the OSI model data link layer (Layer 2). Layer 2 commands provide a logical organization for transmitting data bits on a particular medium. This layer defines the framing, addressing, and checksum functions for Ethernet packets.
Access list rules are monitored in hardware to either permit or deny traffic matching a particular classification pattern, but the network administrator currently has no insight as to which rules are being hit. Dell EMC Networking platforms have the ability to count the number of hits for a particular...
Page 261
SNMP trap. The Dell EMC Networking ACL syntax supports a log parameter that enables hardware hit count collection and reporting. A five minute logging interval is used, at which time trap log entries are written for each ACL logging rule that accumulated a nonzero hit count during that interval.
Page 262
Table 3-1. Common Ethertypes
EtherType: Protocol
0x0800: Internet Protocol version 4 (IPv4)
0x0806: Address Resolution Protocol (ARP)
0x0842: Wake-on LAN Packet
0x8035: Reverse Address Resolution Protocol (RARP)
0x8100: VLAN tagged frame (IEEE 802.1Q)
0x86DD: Internet Protocol version 6 (IPv6)
0x8808: MAC Control
0x8809: Slow Protocols (IEEE 802.3)
Commands in this Section
This section explains the following commands:
ip access-list
deny | permit (IP ACL)
deny | permit (Mac-Access-List-Configuration)
ip access-group
mac access-group
mac access-list extended
mac access-list extended rename
remark
service-acl input
show service-acl interface
show ip access-lists
show mac access-lists
ip access-list
Use the ip access-list command in Global Configuration mode to create an...
ACL names are global. An IPv6 access list cannot have the same name as an IPv4 access list. Access list names can consist of any printable character except a question mark. Names can be up to 31 characters in length. ACLs referenced in a route map may not be edited.
Page 265
– IPv4 protocols: eigrp, gre, icmp, igmp, ip, ipinip, ospf, tcp, udp, pim, arp, sctp
– number: a protocol number in decimal, for example, 8 for EGP
– every: Match any protocol (don’t care)
• srcip srcmask | any | host srcip—Specifies a source IP address and netmask to match for the IP ACL rule.
Page 266
– When “neq” is specified, IP ACL rule matches only if the layer 4 destination port number is not equal to the specified port number or portkey.
– IPv4 TCP/UDP port names: domain, echo, ftp, ftp-data, http, smtp, snmp, telnet, tftp, www, bgp, pop2, pop3, ntp, rip, time, who
•...
Page 267
– When icmp-type is specified, IP ACL rule matches on the specified ICMP message type, a number from 0 to 255.
– When icmp-code is specified, IP ACL rule matches on the specified ICMP message code, a number from 0 to 255.
–...
Page 268
• assign-queue queue-id—Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned. The queue ID is the internal queue number (traffic class), not the CoS value. Use the show classofservice command to display the assignment of CoS and DSCP values to internal queue numbers.
Page 269
Ethertype: Protocol
0x0806: Address Resolution Protocol (ARP)
0x0842: Wake-on LAN Packet
0x8035: Reverse Address Resolution Protocol (RARP)
0x8100: VLAN tagged frame (IEEE 802.1Q)
0x86DD: Internet Protocol version 6 (IPv6)
0x8808: MAC Control
0x8809: Slow Protocols (IEEE 802.3)
0x8870: Jumbo frames
0x888E: EAP over LAN (EAPOL –...
The command accepts the optional time-range parameter. The time-range parameter allows imposing a time limitation on the IP ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist, and the IP ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately.
Page 271
specified name does not exist, and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with the specified name exists, and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied when the time-range with a specified name becomes active.
Page 272
• 0x0600-0xFFFF—Specify custom EtherType value (hexadecimal range 0x0600-0xFFFF).
• vlan eq—VLAN identifier. (Range 0-4095). This matches the outer VLAN of a single or double-tagged packet. It does not match untagged packets.
• secondary-vlan eq—VLAN identifier. (Range 0-4095). This matches the inner VLAN of a double-tagged packet.
Command Mode
Mac-Access-List Configuration mode
User Guidelines
The assign-queue and redirect parameters are only valid for permit commands. An implicit deny all condition is added by the system after the last MAC or IP/IPv6 access group if no route-map is configured on the interface. Every permit/deny rule that does not have a rate-limit parameter is assigned a counter.
Page 274
LAG interfaces, whereas the interface mode command does so for the interface. Dell EMC Networking switches support configuration of multiple access groups. Packets are matched against group entries, from lowest sequence number to highest. Configuring an access-group, using the same sequence number as an existing entry, replaces the original group entry.
An implicit deny-all rule is added after the end of the last access group in each direction (in or out).
Examples
console(config)#ip access-list aclname
console(config-ip-acl)#exit
console(config)#ip access-group aclname in
console(config)#no ip access-group aclname in
console(config)#ip access-list aclname1
console(config-ip-acl)#exit
console(config)#ip access-group aclname1 out
console(config)#interface te1/0/1
console(config-if-Te1/0/1)#ip access-group aclname out 2
console(config-if-Te1/0/1)#no ip access-group aclname out...
Page 276
Command Mode
Global Configuration mode or Interface Configuration (Ethernet, VLAN or Port Channel) mode
User Guidelines
If the access-list specified in the command does not exist, an error is given. The ACLs in the access-group are configured in hardware when the interface becomes active.
Example
The following example creates MAC ACL and enters MAC-Access-List-Configuration mode.
console(config)#mac access-list extended dell-networking
mac access-list extended rename
Use the mac access-list extended rename command in Global Configuration mode to rename the existing MAC Access Control List (ACL).
• newname — New name of the access list. (Range: 1-31 characters)
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode
User Guidelines
Command fails if the new name is the same as the old one.
Example
The following example shows the mac access-list extended rename command.
Page 279
Command Mode IPv4 Access-list Configuration mode, IPv6 Access-list Configuration mode, MAC Access-list Configuration mode, ARP Access-list Configuration mode The no form of the command is executed in Global Configuration mode. User Guidelines The administrator can use the remark keyword to add comments to ACL rule entries belonging to an IPv4, IPv6, MAC or ARP ACL.
service-acl input
Use the service-acl input command in Interface Configuration mode to block Link Local Protocol Filtering (LLPF) protocol(s) on a given port. Use the no form of this command to unblock link-local protocol(s) on a given port.
Syntax
service-acl input {blockcdp | blockvtp | blockdtp | blockudld | blockpagp | blocksstp | blockall}
no service-acl input [blockcdp | blockvtp | blockdtp | blockudld | blockpagp | blocksstp | blockall]...
show service-acl interface
This command displays the status of LLPF rules configured on a particular port or on all the ports.
Syntax
show service-acl interface {interface-id | all}
• interface-id—An Ethernet interface identifier or a port channel interface identifier. See Interface Naming Conventions for interface representation.
show access-lists interface
Use the show access-lists interface command to display interface ACLs.
Syntax
show access-lists interface {interface-id {in | out}} | control-plane
• interface-id—The interface identifier (Ethernet, port-channel, or VLAN).
• in—Show the ingress ACLs.
• out—Show the egress ACLs.
•...
Page 283
• accesslistname—The name used to identify the IP ACL.
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes
User Guidelines
This command displays information about the attributes “icmp-type”, “icmp-code”, “igmp-type,”...
Page 284
Examples
The following example displays the configured IP ACLs.
console(config)#show ip access-lists
Current number of ACLs: 4 Maximum number of ACLs: 100
ACL Name Rules Count Interface(s) Direction
---------------- ----- ---------- ------------------------- ---------
TO_FRM Gi1/0/26 Inbound
UPLINKS Gi1/0/26 Outbound
Allow-192-168-0-x 7617636 Gi1/0/29 Inbound...
TCP Flags........FIN (Ignore) SYN (Set) RST (Ignore) PSH (Ignore) ACK (Ignore) URG (Ignore)
ACL Hit Count........1
show mac access-lists
Use the show mac access-lists command to display a MAC access list and all the rules that are defined for the MAC ACL. Use the [ name ] parameter to identify a specific MAC ACL to display.
Page 286
MAC ACL Name Rules Count Interface(s) Direction
--------------- ----- ---------- ------------------------- ---------
DELL123 Gi1/0/1 Inbound
ipv4-multicast 14666 Po1-64,Gi1/0/1-24, Inbound
console#show mac access-lists mac-acl
MAC ACL Name: mac-acl
Outbound Interface(s): Gi1/0/8
Rule Number: 1
Action......... permit
Source MAC Address......0000.1122.3344
Source MAC Mask........ FFFF.0000.0000
EtherType........
MAC Address Table Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
Dell EMC Networking switches implement a MAC Learning Bridge in compliance with IEEE 802.1Q. The switches implement independent VLAN learning (IVL). Dynamically learned MAC addresses are used to filter the set...
Commands in this Section This section explains the following commands: clear mac address-table show mac address-table show mac address-table multicast dynamic mac address-table aging- show mac address-table show mac address-table time interface mac address-table multicast show mac address-table show mac address-table forbidden address address static...
User Guidelines
This command has no user guidelines.
Example
In this example, the mac address-table tables are cleared.
console#clear mac address-table dynamic
mac address-table aging-time
Use the mac address-table aging-time command in Global Configuration mode to set the aging time of the address. To restore the default, use the no form of the mac address-table aging-time command.
mac address-table multicast forbidden address Use the mac address-table multicast forbidden address command in Global Configuration mode to forbid adding a specific Multicast address to specific ports. To return to the system default, use the no form of this command. If routers exist on the VLAN, do not change the unregistered multicast addresses state to drop on the routers ports.
Examples
In this example the MAC address 0100.5e02.0203 is forbidden on port 2/0/9 within VLAN 8.
console(config)#mac address-table multicast forbidden address vlan 8 0100.5e02.0203 add interface gigabitethernet 2/0/9
mac address-table static vlan
Use the mac address-table static vlan command in Global Configuration mode to add a static MAC-layer station source address to the bridge table.
The maximum number of static MAC addresses that may be configured on a port is limited by the switchport port-security maximum command. This command may be invoked multiple times with different interfaces (and the same VLAN) when used with a multicast MAC address. Example The following example adds a permanent static MAC address c2f3.220a.12f4 to the MAC address table.
Page 293
Port security allows the network administrator to secure interfaces by specifying (or learning) the allowable MAC addresses on a given port. Packets with a matching source MAC address are forwarded normally. All other host packets are discarded. Port security operates on access, trunk and general mode ports.
Page 294
Sticky mode configuration converts all the existing dynamically learned MAC addresses on an interface to sticky. This means that they will not age out and will appear in the running-config. In addition, new addresses learned on the interface will also become sticky. Note that sticky is not the same as static – the difference is that all sticky addresses for an interface are removed from the running-config when the interface is taken out of sticky mode.
console(config)#vlan 33
console(config-vlan33)#interface gi1/0/3
console(config-if-Gi1/0/3)#switchport mode trunk
console(config-if-Gi1/0/3)#switchport port-security mac-address sticky 0011.2233.4455 vlan 33
Remove a sticky mode MAC address from trunk port Gi1/0/3 and VLAN 33.
console(config)#vlan 33
console(config-vlan33)#interface gi1/0/3
console(config-if-Gi1/0/3)#switchport mode trunk
console(config-if-Gi1/0/3)#no switchport port-security mac-address 0011.2233.4455 vlan 33
Convert all dynamically learned MAC addresses on trunk port gi1/0/3 to sticky MAC addresses and save the running-config so the configuration will persist across reboots.
Page 296
• mac-address — The static MAC address to be configured on the interface and VLAN.
• vlan-id — The VLAN identifier on which to configure the MAC address.
• dynamic — Configure the maximum number of dynamic MAC addresses that can be learned on the interface. Setting the dynamic limit to 0 causes all received packets with non-static MAC addresses to be considered as violations.
Page 297
User Guidelines Port security allows the network administrator to secure interfaces by specifying (or learning) the allowable MAC addresses on a given port. Packets with a matching source MAC address are forwarded normally. All other host packets are discarded. Port security operates on access, trunk and general mode ports.
Page 298
Statically locked MAC addresses are not eligible for aging. If a packet arrives on a port with a source MAC address that is statically locked on another port, then the packet is discarded. To configure static locking only, set the dynamic MAC limit to 0 and configure the static MAC addresses on the interface.
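An offline consistency check for the port-security commands covered in this section, as an added example that is not from the Dell guide: it parses configuration command lines and flags interfaces where the global and interface enables, sticky mode, the MAC address format, or a dynamic limit of 0 do not line up. The sample configuration is constructed; the `interface ... exit` block layout and the `switchport port-security dynamic <n>` spelling are assumptions.

```python
import re

# Constructed sample in the command form used by this section's examples.
# Assumptions: interface blocks open with "interface <id>" and close with
# "exit"; "switchport port-security dynamic <n>" is the assumed spelling of
# the dynamic-limit keyword, which the guide names without showing the syntax.
SAMPLE_CONFIG = """\
switchport port-security
interface gi1/0/3
switchport mode trunk
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0011.2233.4455 vlan 33
exit
interface gi1/0/4
switchport port-security mac-address sticky 0011.2233.44 vlan 33
exit
interface gi1/0/5
switchport port-security
switchport port-security dynamic 0
exit
"""

# MAC formats the guide accepts: xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx,
# upper or lower case hex, leading zeros always written out.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}"
                    r"|[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
PS = "switchport port-security"


def parse(config_text):
    """Return (global_enabled, {interface: state}) from config command lines."""
    global_enabled, ports, current = False, {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line.lower().startswith("interface "):
            current = line.split(" ", 1)[1].lower()
            ports[current] = {"enabled": False, "sticky_mode": False,
                              "sticky": [], "static": [], "dynamic": None}
        elif line == "exit":
            current = None
        elif line.startswith(PS):
            args = line[len(PS):].split()
            if current is None:
                # Outside an interface block only the bare enable matters.
                global_enabled = global_enabled or not args
                continue
            port = ports[current]
            if not args:
                port["enabled"] = True
            elif args == ["mac-address", "sticky"]:
                port["sticky_mode"] = True
            elif args[:2] == ["mac-address", "sticky"]:
                port["sticky"].append(args[2])
            elif args[0] == "mac-address" and len(args) > 1:
                port["static"].append(args[1])
            elif args[0] == "dynamic" and len(args) > 1 and args[1].isdigit():
                port["dynamic"] = int(args[1])
    return global_enabled, ports


def audit(config_text):
    """Return sorted (interface, finding) pairs for inconsistent port security."""
    global_enabled, ports = parse(config_text)
    findings = []
    for name, p in ports.items():
        uses = p["enabled"] or p["sticky_mode"] or p["sticky"] or p["static"]
        # The guide's examples enable port security globally AND per interface.
        if uses and not global_enabled:
            findings.append((name, "global-disabled"))
        if uses and not p["enabled"]:
            findings.append((name, "interface-disabled"))
        # Sticky entries leave the running-config when sticky mode is removed,
        # so an entry without the mode line points to a hand-edited config.
        if p["sticky"] and not p["sticky_mode"]:
            findings.append((name, "sticky-entry-without-sticky-mode"))
        for mac in p["sticky"] + p["static"]:
            if not MAC_RE.fullmatch(mac):
                findings.append((name, "bad-mac:" + mac))
        # Dynamic limit 0 treats every non-static source MAC as a violation.
        if p["dynamic"] == 0 and not (p["sticky"] or p["static"]):
            findings.append((name, "dynamic-0-without-static-macs"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(interface, finding)
```
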
Page 299
Command History
Updated in 6.3.0.1 firmware.
Example
Enable port security/MAC locking globally and on an interface.
console(config)#switchport port-security
console(config)#interface gi1/0/3
console(config-if-gi1/0/3)#switchport port-security
Enable port security/MAC locking globally and on an interface, enable sticky mode on the interface and convert all dynamic addresses on the interface to sticky.
console(config-if-Gi1/0/3)#switchport port-security mac-address sticky
console(config)#do write
Convert all sticky MAC addresses on trunk port 33 to sticky MAC addresses and save the running-config so the configuration will persist across reboots.
console(config)#vlan 33
console(config-vlan33)#interface gi1/0/3
console(config-if-Gi1/0/3)#switchport mode trunk
console(config-if-Gi1/0/3)#switchport port-security mac-address sticky
console(config)#do write
show mac address-table multicast
Use the show mac address-table multicast command to display Multicast...
in the specified format. The vlan, address, and format parameters may all be specified together. A MAC address can be displayed in IP format only if it is in the range 01:00:5e:00:00:00 through 01:00:5e:7f:ff:ff. Static multicast MAC addresses can be added via the mac address-table static command.
Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines Use the show mac address-table multicast to display multicast MAC address entries along with forbidden multicast MAC entries. Example In this example, all classes of entries in the mac address-table are displayed. console#show mac address-table Aging time is 300 Sec Vlan Mac Address...
Default Configuration This command has no default configuration. Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example In this example, the mac address table entry for 0000.E26D.2C2A is displayed.
Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example displays the addresses in the Forwarding Database: console#show mac address-table count Capacity: 8192 Used: 109 Static addresses: 2 Secure addresses: 1 Dynamic addresses: 97...
User Guidelines This command has no user guidelines. Example In this example, all dynamic entries in the mac address-table are displayed. console#show mac address-table dynamic Aging time is 300 Sec Vlan Mac Address Type Port ---- -------------- ------- ------------- 0000.0001.0000 Dynamic Gi1/0/1 0000.8420.5010 Dynamic Gi1/0/1 0000.E26D.2C2A Dynamic Gi1/0/1 0000.E89A.596E Dynamic Gi1/0/1...
Example In this example, all classes of entries in the bridge-forwarding database for Gigabit Ethernet interface 1/0/1 are displayed. console#show mac address-table interface gigabitethernet 1/0/1 Aging time is 300 Sec Vlan Mac Address Type Port ---- -------------- ---- ------------- 0000.0001.0000 Dynamic Gi1/0/1 0000.8420.5010 Dynamic Gi1/0/1 0000.E26D.2C2A Dynamic Gi1/0/1 0000.E89A.596E Dynamic Gi1/0/1...
Example In this example, all static entries in the bridge-forwarding database are displayed. console#show mac address-table static Vlan Mac Address Type Port ---- -------------- ----- ----- 0001.0001.0001 Static Gi1/0/1 show mac address-table vlan Use the show mac address-table vlan command in User Exec or Privileged Exec mode to display all entries in the bridge-forwarding database for the specified VLAN.
1418.7715.47E8 Management 2047.47BA.F696 Dynamic Gi2/0/29 B8CA.3AD5.DF1A Static Gi2/0/29 show port-security Use the show port-security command to display port security (MAC locking) configuration. Syntax show port-security [ interface-id | all | dynamic interface-id | static interface-id | violation interface-id] • interface-id — A physical or port channel interface identifier.
This information is shown if only an interface parameter is given: Field Description Interface Identifier The interface identifier. Status The port security administrative status (enabled/disabled). Max-dynamic The dynamic MAC address limit. Max-static The static address limit. Protect Trap issued on violation (enabled/disabled). Frequency The frequency of trap issuance (in seconds).
Field Description MAC address The source MAC address of the last packet discarded on the interface. These are packets with unknown MAC addresses, e.g., as in the case of the dynamic limit set to 0. VLAN ID The VLAN identifier of the discarded packet, if applicable.
Auto-VoIP Commands Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches Voice over Internet Protocol (VoIP) allows network users to make telephone calls over a data network such as the Internet. With the increased prominence of delay-sensitive applications (voice, video, and other multimedia applications) deployed in networks today, proper QoS configuration ensures high-quality application performance.
show switchport voice switchport voice detect auto show switchport voice Use the show switchport voice command to show the status of Auto-VoIP on an interface or all interfaces. Syntax show switchport voice [ interface-id ] • interface-id —An Ethernet or port channel interface identifier. Default Configuration There is no default configuration for this command.
• Traffic Class—The CoS queue or Traffic Class to which all VoIP traffic is mapped. This is not configurable and defaults to the highest CoS queue available in the system for data traffic. switchport voice detect auto The switchport voice detect auto command is used to enable the VoIP Profile on all the interfaces of the switch (global configuration mode) or for a specific interface (interface configuration mode). Use the no form of the command to disable the VoIP Profile.
Industry Standard Discovery Protocol (ISDP) is a proprietary Layer 2 network protocol which inter-operates with Cisco network equipment and is used to share information between neighboring devices. Dell EMC Networking switches participate in the ISDP protocol and are able to both discover and be discovered by devices that support the Cisco Discovery Protocol (CDP).
User Guidelines There are no user guidelines for this command. Example console#clear isdp counters clear isdp table The clear isdp table command clears entries in the ISDP table. Syntax clear isdp table Default Configuration There is no default configuration for this command. Command Mode Privileged Exec mode User Guidelines...
Default Configuration ISDP sends version 2 packets by default. Command Mode Global Configuration mode User Guidelines There are no user guidelines for this command. Example console(config)#isdp advertise-v2 isdp enable The isdp enable command enables ISDP on the switch. Use the “no” form of this command to disable ISDP.
console(config)#isdp enable console(config)#interface gigabitethernet 1/0/1 console(config-if-Gi1/0/1)#isdp enable isdp holdtime The isdp holdtime command configures the hold time for ISDP packets that the switch transmits. The hold time specifies how long a receiving device should store information sent in the ISDP packet before discarding it. The range is given in seconds.
isdp timer The isdp timer command sets the period of time between sending new ISDP packets. The range is given in seconds. Use the “no” form of this command to reset the timer to the default. Syntax isdp timer time no isdp timer •...
Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command. Example console#show isdp Timer........ 30 Hold Time......180 Version 2 Advertisements..... Enabled Neighbors table last time changed..0 days 00:06:01 Device ID......
Example console#show isdp entry Switch Device ID N2000/N3000 Series Switch Address(es): IP Address: 172.20.1.18 IP Address: 172.20.1.18 Capability Router IGMP Platform cisco WS-C4948 Interface Gi1/0/1 Port ID Gi1/0/1 Holdtime Advertisement Version Entry last changed time 0 days 00:13:50 Version: Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000 I9K91S-M), Version 12.2(25)EWA9, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc.
Example console#show isdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater Device ID Intf Holdtime Capability Platform Port ID ------------------------ --------- --------- ---------- ---------------- --------- CN0H784T2829841E0534A00 Gi1/0/13 N3048...
IP packets transparently, a DHCP Relay agent processes DHCP messages and generates new DHCP messages as a result. The Dell EMC Networking DHCP Relay supports DHCP Option 82 circuit-id and remote-id for a VLAN. Commands in this Section...
dhcp l2relay (Global Configuration) Use the dhcp l2relay command to enable Layer 2 DHCP Relay functionality. The subsequent commands mentioned in this section can only be used when the L2-DHCP Relay is enabled. Use the no form of this command to disable L2-DHCP Relay.
Command Mode Interface Configuration (Ethernet, Port-channel). User Guidelines There are no user guidelines for this command. Example console(config-if-Gi1/0/1)#dhcp l2relay dhcp l2relay circuit-id Use the dhcp l2relay circuit-id command to enable setting the DHCP Option 82 Circuit ID for a VLAN. When enabled, the interface number is added as the Circuit ID in DHCP option 82.
dhcp l2relay remote-id Use the dhcp l2relay remote-id command to enable setting the DHCP Option 82 Remote ID for a VLAN. When enabled, the supplied string is used for the Remote ID in DHCP Option 82. Use the no form of this command to disable setting the DHCP Option 82 Remote ID.
Default Configuration DHCP Option 82 is discarded by default. Configuration Mode Interface Configuration (Ethernet, Port-channel). User Guidelines There are no user guidelines for this command. Example console(config-if-Gi1/0/1)#dhcp l2relay trust dhcp l2relay vlan Use the dhcp l2relay vlan command to enable the L2 DHCP Relay agent for a set of VLANs.
show dhcp l2relay interface Use the show dhcp l2relay interface command to display DHCP L2 Relay configuration specific to interfaces. Syntax show dhcp l2relay interface {all | interface-id} • all — Show all interfaces. • interface-id — An Ethernet interface. Default Configuration This command has no default configuration.
• interface-id— An Ethernet interface. Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command. Example console#show dhcp l2relay stats interface all DHCP L2 Relay is Enabled.
Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command. Example console# show dhcp l2relay agent-option vlan 5-10 DHCP L2 Relay is Enabled. VLAN Id L2 Relay CircuitId RemoteId --------- ---------- ----------- ------------...
User Guidelines There are no user guidelines for this command. Example console#show dhcp l2relay vlan 100 DHCP L2 Relay is Enabled. DHCP L2 Relay is enabled on the following VLANs: show dhcp l2relay circuit-id vlan Use the show dhcp l2relay circuit-id vlan command to display whether DHCP L2 Relay is globally enabled and whether the DHCP Circuit-ID option is enabled on the specified VLAN or VLAN range.
show dhcp l2relay remote-id vlan Use the show dhcp l2relay remote-id vlan command to display whether DHCP L2 Relay is globally enabled and shows the remote ID configured on the specified VLAN or VLAN range. Syntax show dhcp l2relay remote-id vlan vlan-list •...
• all — Show all interfaces. • interface-id — An Ethernet interface. Default Configuration This command has no default configuration. Command Mode Privileged Exec mode User Guidelines There are no user guidelines for this command. Example console#clear dhcp l2relay statistics interface gi1/0/1 Layer 2 Switching Commands...
DHCP Snooping Commands Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches DHCP Snooping is a security feature that monitors DHCP messages between DHCP clients and DHCP servers to filter harmful DHCP messages and build a bindings database of {MAC address, IP address, VLAN ID, interface} tuples that are considered authorized.
Commands in this Section This section explains the following commands: clear ip dhcp snooping binding ip dhcp snooping trust clear ip dhcp snooping statistics ip dhcp snooping verify mac-address ip dhcp snooping show ip dhcp snooping ip dhcp snooping binding show ip dhcp snooping binding ip dhcp snooping database show ip dhcp snooping database...
clear ip dhcp snooping statistics Use the clear ip dhcp snooping statistics command to clear all DHCP Snooping statistics. Syntax clear ip dhcp snooping statistics Default Configuration There is no default configuration for this command. Command Mode Privileged Exec User Guidelines There are no user guidelines for this command.
User Guidelines To enable DHCP snooping, do the following: 1 Enable DHCP Snooping globally. 2 Enable DHCP Snooping per VLAN. 3 Configure at least one DHCP Snooping trusted port via which the DHCP server may be reached. The bindings database populated by DHCP snooping is used by several other services, including IP source guard and dynamic ARP inspection.
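A way to check a saved configuration against the three steps above, and against the dependency of Dynamic ARP Inspection on the snooping bindings, as an added Python example that is not part of the guide or the switch software. The sample configuration is constructed, the function and finding names are hypothetical, and the `ip dhcp snooping vlan` line is assumed to follow the `ipv6 dhcp snooping vlan vlan-list` syntax shown elsewhere in this guide.

```python
import re

# Constructed running-config excerpt for illustration (not taken from the guide).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-22
ip arp inspection vlan 20-30 logging
interface Gi1/0/1
switchport mode trunk
ip dhcp snooping trust
ip arp inspection trust
exit
interface Gi1/0/3
switchport port-security
exit
"""


def expand_vlans(vlan_list):
    """Expand a vlan-list such as '11-30,40' (commas and dashes, no spaces)."""
    vlans = set()
    for part in vlan_list.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_config(text):
    """Collect the DHCP snooping and DAI settings relevant to the audit."""
    state = {"global": False, "snoop_vlans": set(), "dai_vlans": set(), "trusted": []}
    interface = None  # name of the interface block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.lower().startswith("interface "):
            interface = line.split(None, 1)[1]
        elif line == "exit":
            interface = None
        elif interface is not None:
            # Only the trust setting matters inside an interface block.
            if line == "ip dhcp snooping trust":
                state["trusted"].append(interface)
        elif line == "ip dhcp snooping":
            state["global"] = True
        else:
            match = re.match(r"ip (dhcp snooping|arp inspection) vlan (\S+)", line)
            if match:
                key = "snoop_vlans" if match.group(1) == "dhcp snooping" else "dai_vlans"
                state[key] |= expand_vlans(match.group(2))
    return state


def audit(text):
    """Return a list of (finding, detail) tuples; an empty list means no gaps."""
    state = parse_config(text)
    findings = []
    if not state["global"]:
        findings.append(("snooping-global-off", None))   # step 1 missing
    if not state["snoop_vlans"]:
        findings.append(("no-snooping-vlan", None))      # step 2 missing
    if not state["trusted"]:
        findings.append(("no-trusted-port", None))       # step 3 missing
    # DAI VLANs with no DHCP snooping never learn dynamic bindings to check against.
    uncovered = sorted(state["dai_vlans"] - state["snoop_vlans"])
    if uncovered:
        findings.append(("dai-without-snooping", uncovered))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_CONFIG):
        print(finding, detail)
```
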
Default Configuration There are no static or dynamic DHCP snooping bindings by default. Command Mode Global Configuration mode User Guidelines There are no user guidelines for this command. Example console(config)#ip dhcp snooping binding 00:00:00:00:00:01 vlan 10 10.131.12.134 interface Gi1/0/1 ip dhcp snooping database Use the ip dhcp snooping database command to configure the persistent storage location of the DHCP snooping database.
Example The following example configures the storage location of the snooping database as local. console(config)#ip dhcp snooping database local The following example configures the storage location of the snooping database as remote. console(config)#ip dhcp snooping database tftp://10.131.11.1/db.txt ip dhcp snooping database write-delay Use the ip dhcp snooping database write-delay command to configure the interval in seconds at which the DHCP Snooping database will be stored in persistent storage.
ip dhcp snooping limit Use the ip dhcp snooping limit command to configure an interface to be diagnostically disabled if the rate of received DHCP messages exceeds the configured limit. Use the no shutdown command to re-enable the interface. Use the no form of this command to disable automatic shutdown of the interface.
The administrator can configure the rate and burst interval. Rate limiting is configured independently on each physical interface and may be enabled on both trusted and untrusted interfaces. The rate limit is configurable in the range of 0-300 packets per second and the burst interval in the range of 1-15 seconds.
ip dhcp snooping trust Use the ip dhcp snooping trust command to configure a port as trusted. Use the no form of this command to configure a port as untrusted. Syntax ip dhcp snooping trust no ip dhcp snooping trust Default Configuration Ports are untrusted by default.
ip dhcp snooping verify mac-address Use the ip dhcp snooping verify mac-address command to enable the verification of the source MAC address with the client MAC address in the received DHCP message. Use the “no” form of this command to disable verification of the source MAC address.
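The comparison this command enables, as an added Python example that is not part of the guide or the switch firmware: it parses an Ethernet/IPv4/UDP frame and compares the Ethernet source MAC with the client hardware address (chaddr) carried in the DHCP message. The function names, the handling of a single 802.1Q tag, and the constructed sample frames are assumptions made for the illustration.

```python
import struct

CHADDR_OFFSET = 28      # op/htype/hlen/hops (4) + xid (4) + secs/flags (4) + 4 addresses (16)
DHCP_PORTS = {67, 68}   # BOOTP/DHCP server and client UDP ports


def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_dhcp_frame(src_mac, chaddr, vlan=None):
    """Build a constructed DHCPDISCOVER frame (checksums left at 0) for testing."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    bootp += bytes(16)                       # ciaddr, yiaddr, siaddr, giaddr
    bootp += mac_bytes(chaddr) + bytes(10)   # chaddr padded to 16 bytes
    bootp += bytes(64 + 128)                 # sname and file fields
    bootp += bytes([99, 130, 83, 99])        # DHCP magic cookie
    bootp += bytes([53, 1, 1, 255])          # option 53 = DISCOVER, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), bytes([255] * 4)) + udp
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return bytes([255] * 6) + mac_bytes(src_mac) + tag + struct.pack("!H", 0x0800) + ip


def verify_source_mac(frame):
    """Return 'match', 'mismatch', or 'skip' (not a parseable DHCP-over-Ethernet frame)."""
    if len(frame) < 14:
        return "skip"
    src_mac = frame[6:12]
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    l3 = 14
    if ethertype == 0x8100 and len(frame) >= 18:     # step over one 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        l3 = 18
    if ethertype != 0x0800 or len(frame) < l3 + 20:
        return "skip"
    ihl = (frame[l3] & 0x0F) * 4                     # IPv4 header length in bytes
    fragment_offset = struct.unpack_from("!H", frame, l3 + 6)[0] & 0x1FFF
    if frame[l3] >> 4 != 4 or ihl < 20 or frame[l3 + 9] != 17 or fragment_offset:
        return "skip"                                # not IPv4/UDP, or a later fragment
    l4 = l3 + ihl
    if len(frame) < l4 + 8:
        return "skip"
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if sport not in DHCP_PORTS or dport not in DHCP_PORTS:
        return "skip"
    bootp = l4 + 8
    if len(frame) < bootp + CHADDR_OFFSET + 6:
        return "skip"                                # truncated before chaddr
    htype, hlen = frame[bootp + 1], frame[bootp + 2]
    if htype != 1 or hlen != 6:                      # only Ethernet hardware addresses
        return "skip"
    chaddr = frame[bootp + CHADDR_OFFSET:bootp + CHADDR_OFFSET + 6]
    return "match" if chaddr == src_mac else "mismatch"


if __name__ == "__main__":
    honest = build_dhcp_frame("00:11:22:33:44:55", "00:11:22:33:44:55")
    forged = build_dhcp_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", vlan=10)
    print(verify_source_mac(honest), verify_source_mac(forged))
```
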
Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command. Example console#show ip dhcp snooping DHCP snooping is Disabled DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs: 11 - 30, 40 Interface...
Default Configuration There is no default configuration for this command. Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command. Example console#show ip dhcp snooping binding Total number of bindings: 2 MAC Address IP Address...
Example console#show ip dhcp snooping database agent url: /10.131.13.79:/sai1.txt write-delay: 5000 show ip dhcp snooping interfaces Use the show ip dhcp snooping interfaces command to show the DHCP Snooping status of the interfaces. Syntax show ip dhcp snooping interfaces [interface-id] •...
Gi1/0/15 show ip dhcp snooping statistics Use the show ip dhcp snooping statistics command to display the DHCP snooping filtration statistics. Syntax show ip dhcp snooping statistics Default Configuration There is no default configuration for this command. Command Mode User Exec, Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines The following fields are displayed by this command:...
Command Modes User Exec, Privileged Exec User Guidelines This command has no user guidelines. Example (console)#clear ipv6 dhcp snooping binding clear ipv6 dhcp snooping statistics Use the clear ipv6 dhcp snooping statistics command to clear all IPv6 DHCP Snooping statistics. Syntax clear ipv6 dhcp snooping statistics Default Configuration...
Syntax ipv6 dhcp snooping no ipv6 dhcp snooping Default Configuration By default, DHCP snooping is not enabled. Command Modes Global Configuration mode User Guidelines The DHCP snooping application processes incoming DHCP messages. For RELEASE and DECLINE messages from a DHCPv6 client and RECONFIGURE messages from a DHCPv6 server received on an untrusted interface, the application compares the receive interface and VLAN with the client’s interface and VLAN in the bindings database.
Syntax ipv6 dhcp snooping vlan vlan-list no ipv6 dhcp snooping vlan-list • vlan-list —A single VLAN, one or more VLANs separated by commas, or two VLANs separated by a single dash indicating all VLANs between the first and second inclusive. Multiple VLAN identifiers can be entered provided that no embedded spaces are contained within the vlan-list.
• mac-address — A valid MAC address in standard format. • vlan-id — A configured VLAN ID. (Range 1-4093) • ip-address — A valid IPv6 address. • interface-id — A valid physical interface ID in short or long format. • port-channel-number — A valid port channel identifier.
User Guidelines The DHCP binding database is persistently stored on a configured external server or locally in flash, depending on the user configuration. A row-wise checksum is placed in the text file that is stored on the configured TFTP server. On switch startup, the switch reads the text file and uses the contents to build the DHCP snooping database.
ipv6 dhcp snooping limit Use the ipv6 dhcp snooping limit command to configure an interface to be diagnostically disabled if the rate of received DHCP messages exceeds the configured limit. Use the no shutdown command to reenable the interface. Use the no form of the command to disable diagnostic disabling of the interface.
The administrator can configure the rate and burst interval. Rate limiting is configured independently on each physical interface and may be enabled on both trusted and untrusted interfaces. The rate limit is configurable in the range of 0-300 packets per second and the burst interval in the range of 1-15 seconds.
ipv6 dhcp snooping trust Use the ipv6 dhcp snooping trust command to configure an interface as trusted. Use the no form of the command to return the interface to the default configuration. Syntax ipv6 dhcp snooping trust no ipv6 dhcp snooping trust Default Configuration By default, interfaces are untrusted.
no ipv6 dhcp snooping verify mac-address Default Configuration By default, MAC address verification is not enabled. Command Modes Global Configuration mode User Guidelines DHCP MAC address verification operates on DHCP messages received over untrusted interfaces. The source MAC address of DHCP packet is different from the client hardware if: •...
Default Configuration By default, no sources are blocked. Command Modes Interface Configuration mode (physical and port-channel) User Guidelines DHCP snooping should be enabled on any interfaces for which ipv6 verify source is configured. If ipv6 verify source is configured on an interface for which DHCP snooping is disabled, or for which DHCP snooping is enabled and the interface is trusted, incoming traffic on the interface is dropped.
User Guidelines This command has no user guidelines. Example (console)#show ipv6 dhcp snooping DHCP snooping is Disabled DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs: 11 - 30, 40 Interface Trusted Log Invalid Pkts --------- -------- ----------------...
Command Modes User Exec, Privileged Exec (all show modes) User Guidelines There are no user guidelines for this command. Example (console)#show ipv6 dhcp snooping binding Total number of bindings: 2 MAC Address IPv6 Address VLAN Interface Lease time(Secs) ------------------ ------------ ---- --------- -------------...
write-delay: 5000 show ipv6 dhcp snooping interfaces Use the show ipv6 dhcp snooping interfaces command to show the DHCP Snooping status of IPv6 interfaces. Syntax show ipv6 dhcp snooping interfaces [interface id] • interface id—A valid physical interface. Default Configuration There is no default configuration for this command.
Syntax show ipv6 dhcp snooping statistics Default Configuration This command has no default configuration. Command Modes User Exec, Privileged Exec (all show modes) User Guidelines The following statistics are displayed. Parameter Description MAC Verify Failures The number of DHCP messages that got filtered on an untrusted interface because of the source MAC address and client hardware address mismatch.
show ipv6 source binding Use the show ipv6 source binding command to display the IPv6 Source Guard configurations on all ports, on an individual port, or on a VLAN. Syntax show ipv6 source binding [{dhcp-snooping | static}] [interface interface-id] [vlan vlan-id] •...
Default Configuration There is no default configuration for this command. Command Modes User Exec, Privileged Exec (all show modes) User Guidelines The filter type is one of the following values: • ipv6-mac: User has configured MAC address filtering on this interface •...
Syntax show ipv6 verify source Default Configuration There is no default configuration for this command. Command Modes User Exec, Privileged Exec (all show modes) User Guidelines If MAC address filtering is not configured on the interface, the MAC Address field is empty. If port security is disabled on the interface, the MAC Address field displays permit-all.
Dynamic ARP Inspection Commands Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its neighbors.
• acl-name — A valid ARP ACL name (Range: 1–31 characters). Default Configuration There are no ARP ACLs created by default. Command Mode Global Configuration mode User Guidelines There are no user guidelines for this command. Example console(config)#arp access-list tier1 clear ip arp inspection statistics Use the clear ip arp inspection statistics command to reset the statistics for Dynamic Address Resolution Protocol (ARP) inspection on all VLANs.
ip arp inspection filter Use the ip arp inspection filter command to configure the ARP ACL to be used for a single VLAN or a range of VLANs to filter invalid ARP packets. If the static keyword is given, packets that do not match a permit statement are dropped without consulting the DHCP snooping bindings.
Syntax ip arp inspection limit {none | rate pps [burst interval seconds]} no ip arp inspection limit • none — To set no rate limit. • pps — The number of packets per second (Range: 0–300). • seconds — The number of seconds (Range: 1–15). Default Configuration The default rate limit is 15 packets per second.
Default Configuration Interfaces are configured as untrusted by default. Command Mode Interface Configuration (gigabitethernet, port-channel, tengigabitethernet, fortygigabitethernet) mode User Guidelines There are no user guidelines for this command. Example console(config-if-Gi1/0/3)#ip arp inspection trust ip arp inspection validate Use the ip arp inspection validate command to enable additional validation checks like source MAC address validation, destination MAC address validation or IP address validation on the received ARP packets.
Command Mode Global Configuration mode User Guidelines There are no user guidelines for this command. Example
console(config)#ip arp inspection validate src-mac dst-mac ip
console(config)#ip arp inspection validate src-mac ip
console(config)#ip arp inspection validate dst-mac ip
console(config)#ip arp inspection validate ip
ip arp inspection vlan Use the ip arp inspection vlan command to enable Dynamic ARP Inspection on a single VLAN or a range of VLANs.
Example console(config)#ip arp inspection vlan 200-300 console(config)#ip arp inspection vlan 200-300 logging permit ip host mac host Use the permit ip host mac host command to configure a rule for a valid IP address and MAC address combination used in ARP packet validation. Use the “no”...
Syntax show arp access-list [acl-name] • acl-name — A valid ARP ACL name (Range: 1–31 characters). Default Configuration There is no default configuration for this command. Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command. Example console#show arp access-list ARP access list H2...
• statistics [vlan vlan-list]—Display the statistics of the ARP packets processed by Dynamic ARP Inspection. Given vlan-list argument, it displays the statistics on all DAI-enabled VLANs in that range. In the case of no argument, it lists the summary of the forwarded and dropped ARP packets.
Invalid IP The number of packets dropped due to invalid IP checks. Example Following is an example of the show ip arp inspection command. console#show ip arp inspection Source MAC Validation....Disabled Destination MAC Validation.... Disabled IP Address Validation....Disabled VLAN Configuration Log Invalid ACL Name...
The following global parameters are displayed when no parameters are given: Parameter Description Source Mac Validation If Source Mac validation of ARP frame is enabled. Destination Mac If Destination Mac validation of ARP Response frame is Validation enabled. IP Address Validation If IP address validation of ARP frame is enabled.
Dell EMC Networking switching implements the flow control mechanism defined in IEEE 802.3 Annexes 31A and 31B (formerly IEEE 802.3x). Dell EMC Networking switches implement receive flow control only. They never issue a flow control PAUSE frame when congested, but do respect flow control PAUSE frames received from other switches.
On a storm control enabled interface, if the ingress rate of that type of packet (L2 broadcast, multicast, or unicast) is greater than the configured threshold level (as a percentage of port speed or as an absolute packets-per-second rate), the switch forwarding-plane discards the excess traffic. speed command controls interface link speeds and auto-negotiation.
• interface-id—An Ethernet or port-channel identifier. If specified, counters are cleared for the individual interface. Default Configuration This command has no default configuration. Command Mode Privileged Exec mode User Guidelines Use of the clear counters command with no parameters indicates that both switch and all interface statistics are to be cleared.
Command Mode Interface Configuration (gigabitethernet, port-channel, tengigabitethernet, fortygigabitethernet) mode User Guidelines This command has no user guidelines. Example The following example adds a description to the Ethernet port 5. console(config)#interface gigabitethernet 1/0/5 console(config-if-Gi1/0/5)# description RD_SW#3 duplex Use the duplex command in Interface Configuration mode to configure the duplex operation of a given Ethernet interface.
Auto-negotiation is required on 1G/10G/40G copper ports and 1G fiber ports. The duplex command is only available on the Dell EMC Networking N1500 Series switches. Other switch models support full duplex operation only.
Changing the flow control setting on a copper port restarts auto-negotiation and causes a brief link-flap while auto-negotiation occurs. Changing the flow control setting on a fiber port may cause a brief link flap as the PHY is reset. Enabling flow control on some ports and not others can lead to excessive packet loss in situations where some ports on the switch have been paused and the internal packet buffers are consumed.
User Guidelines Dell EMC Networking switches implement receive flow control only. They never issue a flow control PAUSE frame when congested, but will respect flow control PAUSE frames received from other switches. Disabling flow control causes the switch to ignore received PAUSE frames.
checked until the carriage return is entered. In some cases, the user may need to enter special characters, most often in a string parameter such as a password or a label. Special characters are one of the following characters (`! $ % ^ & * ( ) _ - + = { [ } ] : ; @ ' " ~ # | \ < , > . / ) or a blank. In these cases, it may be necessary to enclose the entire string in double or single quotes for the command line parser to properly interpret the parameter.
console(config)#interface range gi1/0/20-48
console(config)#interface range gi1/0/1,gi1/0/48
console(config)#interface range gi2/0/1-10,gi1/0/30
console(config)#interface range gi1/0/1-10,gi1/0/30-48
console(config)#interface range gi1/0/1,te1/1/1
console(config)#interface range gigabitEthernet 1/0/10,te1/1/2
link debounce time Use the link debounce time command to configure the debounce timer for one or multiple interfaces. Use the no form of the command to set the link debounce time to the default (disabled).
Use the show interfaces debounce command to display the link debounce time or to display the link flap count (the number of notifications sent to the system that link signal was lost). The link flap count is also displayed by the show interfaces command (Link Debounce Flaps).
Default Configuration The default ingress rate limit is 1024 packets per second (3000 for N4000 series switches). Command Modes Global Configuration mode User Guidelines Unknown unicast and multicast packets are copied to the CPU on the lowest priority QoS queue. Unknown packets are those that do not have hardware forwarding entries.
Example The following example shows output with higher than normal CPU usage due to packets copied to the software forwarding task. console#show process cpu Memory Utilization Report status bytes ------ ---------- free 1053933568 alloc 673873920 CPU Utilization: Name 5 Secs 60 Secs 300 Secs ---------- ------------------- -------- -------- -------- 1129...
Default Configuration There is no default configuration. Command Mode All modes, including Config mode and all config submodes. User Guidelines The show interface command shows the actual operational status of the interface, which is not necessarily the same as the configuration. Input/output rate statistics are collected every 10 seconds.
• DHCP Rate Limit – excessive DHCP packets detected • Loop Protection – A loop was detected by the CTP protocol • Multicast Storm – multicast storm detected • Port security – port security violation detected • SFP Mismatch – unsupported transceiver detected •...
Broadcast Packets Received..... 0 Total Packets Received with MAC Errors..0 Jabbers Received....... 0 Fragments/Undersize Received....0 Alignment Errors....... 0 FCS Errors........0 Overruns........0 Total Received Packets Not Forwarded... 7 Total Packets Transmitted Successfully..147070 Unicast Packets Transmitted....0 Multicast Packets Transmitted....
Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines The priority resolution field indicates the auto-negotiated link speed and duplex. The clock field indicates whether the local interface has auto-negotiated to clock master or clock slave.
Clock: Master 10000f 1000f 1000h 100f 100h ------ ----- ----- ----- ----- ----- ---- Admin Local link Advertisement Oper Local link Advertisement Oper Peer Advertisement Priority Resolution show interfaces configuration Use the show interfaces configuration command in User Exec mode to display the configuration for all configured interfaces.
Field Description Describes the Auto-negotiation status. The Maximum Transmission Unit. Admin State Displays whether the port is enabled or disabled. Example The following example displays the configuration for all configured interfaces: console#show interfaces configuration gigabitethernet 1/0/1 Port Description Duplex Speed Admin State --------- ------------------------------ ------ ------- ---- ----- -----...
Page 400
Command Mode User Exec mode, Global Configuration mode and all Configuration submodes User Guidelines The following table describes the fields shown in the display: Field Description InOctets Counted received octets. InUcastPkts Counted received Unicast packets. InMcastPkts Counted received Multicast packets. InBcastPkts Counted received Broadcast packets.
Page 401
Field Description Internal MAC Rx Errors A count of frames for which reception fails due to an internal MAC sublayer receive error. Received Pause Frames A count of MAC Control frames received with an opcode indicating the PAUSE operation. Transmitted Pause Counted MAC Control frames transmitted on this Frames interface with an opcode indicating the PAUSE operation.
Page 402
Gi1/0/19 Gi1/0/20 Port OutTotalPkts OutUcastPkts OutMcastPkts OutBcastPkts --------- ---------------- ---------------- ---------------- --------------- Gi1/0/1 Gi1/0/2 Gi1/0/3 Gi1/0/4 Gi1/0/5 Gi1/0/6 Gi1/0/7 Gi1/0/8 Gi1/0/9 Gi1/0/10 Gi1/0/11 Gi1/0/12 The following example displays counters for Ethernet port Te1/0/1. console(config-if-Te1/0/1)#show interfaces counters tengigabitethernet 1/0/13 Port InTotalPkts InUcastPkts InMcastPkts InBcastPkts...
show interfaces debounce Use the show interfaces debounce command to list the debounce information for one or multiple interfaces. If no parameter is given, all physical interfaces are shown. Syntax show interfaces debounce [ interface-id ] • interface-id—A physical interface identifier (i.e., a 1G, 10G, or 40G Ethernet interface) in standard interface format.
Syntax show interfaces description [gigabitethernet unit/slot/port | port-channel port-channel-number | tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port] Default Configuration This command has no default configuration. Command Mode User Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example displays the description for all interfaces.
Page 405
Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example displays detailed status and configuration of the specified interface. console#show interfaces detail gi1/0/1 Port Description...
---- --------------------------------- ----------- Forbidden VLANS: VLAN Name ---- --------------------------------- Port Gi1/0/1 Enabled State: Disabled Role: Disabled Port id: 128.1 Port Cost: 0 Port Fast: No (Configured: no ) Root Protection: No Designated bridge Priority: 32768 Address: 1418.7715.2368 Designated port id: 0.0 Designated path cost: 0 CST Regional Root: 80:00:14:18:77:15:23:68 CST Port Cost: 0 BPDUs: Sent: 0, Received: 0...
Page 407
Field Description Port The port or port channel number. Oob means Out-of-Band Management Interface. Description Description of the port. This field may be truncated in the command output. Duplex Displays the port Duplex status. VLAN The VLAN membership for the port. The native VLAN is enclosed in parentheses.
------- ------------------------------ ------- - ------------------- Down H (4),5 show interfaces transceiver Use the show interfaces transceiver command to display the optic static parameters as well as the Dell EMC qualification. Syntax show interfaces transceiver [properties] • properties—Displays the static parameters for the optics.
Te1/0/9 Te1/0/11 Te1/0/13 Te1/0/15 Te1/0/17 The following example shows static parameters of the optics along with the qualifications status. console#show interfaces transceiver properties Yes: Dell Qualified No: Not Qualified N/A : Not Applicable Port Type Media Serial Number Dell Qualified...
Page 410
Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines Statistics are only collected for physical interfaces, port-channel interfaces, and the switch CPU interface. Examples The following example shows statistics for port Te1/0/1. console(config-if-Te1/0/1)#show statistics te1/0/1 Total Packets Received (Octets)....
show statistics switchport Use the show statistics command to display detailed statistics for a specific port or for the entire switch. Syntax show statistics {interface-id |switchport} • interface-id—The interface ID. See Interface Naming Conventions for interface representation. • switchport—Displays statistics for the entire switch. Default Configuration This command has no default configuration.
Page 413
Multicast Packets Transmitted ifHCOutMulticastPkts Broadcast Packets Transmitted ifHCOutBroadcastPkts Transmit Packets Discarded ifOutDiscards Example The following example shows statistics for the CPU interface. console#show statistics switchport Total Packets Received (Octets)....0 Packets Received Without Error....0 Unicast Packets Received....... 0 Multicast Packets Received..... 0 Broadcast Packets Received.....
show storm-control Use the show storm-control command to display the configuration of storm control. Syntax show storm-control [all | {gigabitethernet unit/slot/port | tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port}] Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines.
shutdown Use the shutdown command in Interface Configuration mode to disable an interface. To restart a disabled interface, use the no form of this command. Syntax shutdown no shutdown Default Configuration The interface is enabled. Command Mode Interface Configuration (Ethernet, Port-Channel, Tunnel, Loopback) mode User Guidelines This command has no user guidelines.
Page 417
• 10—Configures the port to 10 Mbps operation.
• 100—Configures the port to 100 Mbps operation.
• 1000—Configures the port to 1000 Mbps operation.
• 10000—Configures the port to 10 Gbps operation.
• 40000—Configures the port to 40 Gbps operation.
•...
Page 418
supporting are advertised. Not all ports support all speeds, even if they are available in the command. Entering an unsupported speed will produce the following error message: An invalid interface has been used for this function. Fiber ports (other than 1000Base-X) do not support auto-negotiation and therefore require the operator to enter the speed command with the desired operating bandwidth.
switchport protected Use the switchport protected command in Interface Configuration mode to configure a protected port. The groupid parameter identifies the set of protected ports to which this interface is assigned. You can only configure an interface as protected in one group. You are required to remove an interface from one group before adding it to another group.
switchport protected name Use the switchport protected name command in Global Configuration mode to add the port to the protected group 1 and also set the group name to “protected”. Syntax switchport protected groupid name name no switchport protected groupid name •...
Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example identifies test as the protected group. console#show switchport protected 0 Name.........
Global Configuration mode User Guidelines Dell EMC Networking N-Series switches do not fragment received packets. The IPv4 and IPv6 MTU are set to the link MTU minus 18 bytes. IP packets forwarded in software are dropped if they exceed the IP MTU. Packets originated on the router, such as OSPF packets, may be fragmented by the IP stack.
Page 423
advertise different IP MTUs, they will not form an adjacency (unless OSPF has been instructed to ignore differences in IP MTU with the ip ospf mtuignore command). The allowed range is 1298 to 9216. This allows for configuration of an IPv4 and IPv6 MTU of 1280 to 9198.
MEP ID and maintenance association levels are assigned by the top level network service provider. Dell EMC Networking CFM is only available on the N4000 series switches. CFM is not compatible with iSCSI optimization. Disable iSCSI optimization before enabling CFM.
ethernet cfm mep active show ethernet cfm maintenance-points remote ethernet cfm mep archive-hold-time show ethernet cfm statistics ethernet cfm mip level – ethernet cfm domain Use the ethernet cfm domain command in Global Configuration mode to enter into Maintenance Domain Configuration mode for an existing domain. Use the optional level parameter to create a domain and enter into maintenance domain Configuration mode.
console(config-cfm-mdomain)# service Use the service command in Maintenance Domain Configuration mode to associate a VLAN with a maintenance domain. Use the no form of the command to remove the association. Syntax service service-name vlan vlan-id • service-name—Unique service identifier. • vlan-id—VLAN ID representing a service instance that is monitored by this maintenance association.
• vlan-id—VLAN ID representing a service instance that is monitored by this maintenance association. The range is 1-4093. • secs—Time interval between successive transmissions. The range is 1, 10, 60, and 600 seconds. The default is 1 second. Default Configuration CCMs are not sent by default.
Command Mode Interface Configuration mode User Guidelines This command has no user guidelines. Example The following example creates a maintenance endpoint at level 1 with mpid 1010 on vlan 10. console(config-if-Gi1/0/3)#ethernet cfm mep level 1 direction up mpid 1010 vlan 10 ethernet cfm mep enable Use the ethernet cfm mep enable command in Interface Configuration mode to enable a MEP at the specified level and direction.
Example The following example enables a maintenance endpoint at level 1 with mpid 1010 on vlan 10. console(config-if-Gi1/0/3)#ethernet cfm mep enable level 1 vlan 10 mpid 1010 ethernet cfm mep active Use the ethernet cfm mep active command in Interface Configuration mode to activate a MEP at the specified level and direction.
• hold-time—The time in seconds to maintain the data for a missing MEP before removing the data. The default value is 600 seconds. Default Configuration No MEPs are preconfigured. Command Mode Interface Configuration User Guidelines The hold time should generally be less than the CCM message interval. Example The following example sets the hold time for maintaining internal information regarding a missing MEP.
User Guidelines Refer to IEEE 802.1ag for an explanation of maintenance association levels. Typically, this value is assigned by the top level network service provider. Example console(config-if-Gi1/0/1)# ethernet cfm mip level 7 ping ethernet cfm Use the ping ethernet cfm command to generate a loopback message (LBM) from the configured MEP.
User Guidelines This command has no user guidelines. Example console #ping ethernet cfm mac 00:11:22:33:44:55 level 1 vlan 10 mpid 1 count traceroute ethernet cfm Use the traceroute ethernet command to generate a link trace message (LTM) from the configured MEP. Syntax traceroute ethernet cfm {mac mac-addr| remote-mpid 1-8191} {domain domain name | level 0-7} vlan vlan-id mpid 1-8191 [ttl 1-255]...
User Guidelines This command has no user guidelines. Example console # traceroute ethernet cfm remote-mpid 32 level 7 vlan 11 mpid 12 show ethernet cfm errors Use the show ethernet cfm errors command to display the cfm errors. Syntax show ethernet cfm errors {domain domain-id | level 0-7} level—Maintenance association level •...
• DefXconCCM—The MEP has received at least one CCM from either another MAID or a lower MD level whose CCM interval has not yet timed out. Example console#show ethernet cfm errors ----- ---- ---- --------- ------------ ------------ ----------- ---------- Level SVID MPID DefRDICcm DefMACStatus DefRemoteCCM DefErrorCCM DefXconCCM ----- ---- ---- --------- ------------ ------------ ----------- ---------- show ethernet cfm domain Use the show ethernet cfm domain command to display the configured...
show ethernet cfm maintenance-points local Use the show ethernet cfm maintenance-points local command to display the configured local maintenance points. Syntax show ethernet cfm maintenance-points local {level 0-7 | interface interface- id | domain domain-name} • level—Maintenance association level • domain—Name of the maintenance domain (an alphanumeric string of up to 43 characters in length).
• Operational Status—The MEP operational status • MAC—The MAC address associated with the MEP. Example show ethernet cfm maintenance-points local level 1 ---- ----- ---- ---- ------ ----- -------- ------ ----------- ----- MPID Level Type VLAN Port Dire- CC MEP- Operational MAC ction Transmit Active Status ---- ----- ---- ---- ------...
User Guidelines Refer to IEEE 802.1ag for an explanation of the maintenance association level and MEP ID. Typically, these are assigned by the top level network service provider. • MEP Id—Local MEP identifier • RMep Id—Remote MEP identifier • Level—Connectivity association level •...
Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines Refer to IEEE 802.1ag for an explanation of the maintenance association level. Typically, maintenance levels are assigned by the top level network service provider. • Out-of-sequence CCM's received—Count of the out-of-sequence continuity check messages (CCM's) received •...
Page 439
Out-of-order Loopback Replies received: 5 Bad MSDU Loopback Replies received Loopback Replies transmitted Unexpected LTR's received ------------------------------------------------------------------ Statistics for 'Domain: domain1, Level: 1, Vlan: 11, MEP Id: 3' ------------------------------------------------------------------ Out-of-sequence CCM's received CCM's transmitted In-order Loopback Replies received Out-of-order Loopback Replies received: 0 Bad MSDU Loopback Replies received Loopback Replies transmitted Unexpected LTR's received...
Green Ethernet Commands Dell EMC Networking N1100-ON/N1500/N2000/N2100- ON/N3000/N3100-ON/N4000 Series Switches Dell EMC Networking switches support various Green Ethernet modes, i.e., power saving modes, namely: • Energy-Detect Mode • Energy Efficient Ethernet These modes can enable significant operational cost reductions through direct power savings and reducing cooling costs.
– green-mode energy-detect This command enables a Dell EMC proprietary mode of power reduction on ports that are not connected to another interface. Use the green-mode energy-detect command in Interface Configuration mode to enable energy- detect mode on an interface or all the interfaces. Energy-detect mode is enabled by default on 1G copper interfaces and enabled by default on 10G copper interfaces.
ON 1G copper ports. Energy-detect mode is always enabled on N4000 series 10G ports and cannot be disabled. An error message (Unable to set energy-detect mode) will be displayed if the user attempts to configure energy-detect on a 10G port on a N1100-ON/N1500/N2000/N2100- ON/N3000/N3100-ON series switch. green-mode eee Use the green-mode eee command in Interface Configuration mode to enable EEE low power idle mode on an interface.
EEE mode is supported on N4000 series 10G copper ports and on N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON 1G copper interfaces. green-mode eee { tx-idle-time | tx-wake-time} Use the green-mode eee {tx-idle-time | tx-wake-time} command in Interface Configuration mode to control the transmit idle and wake time parameters on an interface.
This command is available in Ethernet interface configuration mode for copper ports that are EEE capable. Configuring the values on interfaces that do not support EEE will return an error. Command History Syntax added in 6.4 release. clear green-mode statistics Use the clear green-mode statistics command to clear: •...
Page 445
Command Mode Global Configuration User Guidelines EEE and energy-detect modes are only supported on N4000 series 10G copper ports and on N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON 1G copper ports. Examples Use the command below to set the EEE LPI History sampling interval to the default.
show green-mode interface-id Use the show green-mode interface-id command to display the green-mode configuration and operational status of the port. This command is also used to display the per port configuration and operational status of the green- mode. The status is shown only for the modes supported on the corresponding hardware platform whether enabled or disabled.
Page 447
Term Description Reason for Energy- The energy detect mode may be administratively enabled, but detect current the operational status may be inactive. The possible reasons are: operational status Port is currently operating in the fiber mode Link is up. If the energy-detect operational status is active, then the reason field shows up as: No energy Detected EEE Admin Mode...
Page 448
Term Description Tw_sys_rx Echo Integer that indicates the remote systems Receive Tw_sys that (μSec) was used by the local system to compute the Tw_sys that it can support. This value maps into the aLldpXdot3LocRxTwSysEcho attribute. Fallback Tw_sys Integer that indicates the value of fallback Tw_sys that the local (μSec) system requests from the remote system.
Term Description Time Since Time Since Counters Last Cleared (since the time of power up, Counters Last or after clear eee counters is executed) Cleared Example console#show green-mode gi1/0/1 Energy Detect Admin Mode.... Enabled Operational Status....Active Reason......No Energy Detected Short Reach Feature....
Page 450
Syntax show green-mode Default Configuration This command has no default configuration. Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines This command output provides the following information. Term Description Energy Detect Energy-detect Energy-detect Admin mode is enabled or disabled. Config Energy-detect Opr Energy detect mode is currently active or inactive.
Gi1/0/3 Enabled Active Enabled Disabled In-Active Enabled Gi1/0/4 Enabled Active Enabled Disabled In-Active Enabled Gi1/0/5 Enabled Active Enabled Disabled In-Active Enabled Gi1/0/6 Enabled Active Enabled Disabled In-Active Enabled Gi1/0/7 Enabled Active Enabled Disabled In-Active Enabled Gi1/0/8 Enabled Active Enabled Disabled In-Active Enabled show green-mode eee-lpi-history interface...
Page 452
Term Description Sample Time Time since last reset. %Time Spent in LPI Percentage of time spent in LPI mode on this port when Mode Since Last compared to sampling interval. Sample %Time Spent in LPI Percentage of total time spent in LPI mode on this port when Mode Since Last compared to time since reset.
GMRP Commands Dell EMC Networking N1100-ON/N1500/N2000/N2100- ON/N3000/N3100-ON/N4000 Series Switches The GARP Multicast Registration Protocol (GMRP) provides a mechanism that allows networking devices to dynamically register (and deregister) Group membership information with the MAC networking devices attached to the same segment, and for that information to be disseminated across all networking devices in the bridged LAN that support Extended Filtering Services.
This ensures that the networking device receives multicast frames from all ports but forwards them through only those ports for which GMRP has created a Group registration entry (for that multicast address). Registration entries created by GMRP ensure that frames are not transmitted on LAN segments which neither have registered GMRP participants nor are in the path through the active topology between the sources of the frames and the registered group members.
Example In this example, GMRP is globally enabled. console(config)#gmrp enable clear gmrp statistics Use the clear gmrp statistics command to clear all the GMRP statistics information. Syntax clear gmrp statistics [{gigabitethernet unit/slot/port | port-channel port- channel-number | tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port}] Default Configuration This command has no default configuration.
Page 456
Default Configuration GMRP is disabled by default. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example console#show gmrp configuration Global GVRP Mode: Disabled Join Leave LeaveAll Port VLAN Interface Timer Timer...
GVRP Commands Dell EMC Networking N1100-ON/N1500/N2000/N2100- ON/N3000/N3100-ON/N4000 Series Switches GARP VLAN Registration Protocol (GVRP) is used to propagate VLAN membership information throughout the network. GVRP is based on the Generic Attribute Registration Protocol (GARP), which defines a method of propagating a defined attribute (that is, VLAN membership) throughout the network.
Syntax clear gvrp statistics [interface-id] • interface-id—An Ethernet interface identifier or a port channel identifier Default Configuration This command has no default configuration. Command Mode Privileged Exec mode User Guidelines This command has no user guidelines. Example The following example clears all the GVRP statistics information on interface Gi1/0/8.
no gvrp enable Default Configuration GVRP is globally disabled. Command Mode Global Configuration mode User Guidelines This command has no user guidelines. Example The following example globally enables GVRP on the device. console(config)#gvrp enable gvrp enable (Interface Configuration) Use the gvrp enable command in Interface Configuration mode to enable GVRP on an interface.
User Guidelines This command is available in Ethernet interface configuration mode and port channel interface configuration mode. An Access port cannot join dynamically to a VLAN because it is always a member of only one VLAN. Membership in an untagged VLAN would be propagated in the same way as a tagged VLAN.
Example The following example shows how default dynamic registering and deregistering is forbidden for each VLAN on port 1/0/8. console(config)#interface gigabitethernet 1/0/8 console(config-if-Gi1/0/8)#gvrp registration-forbid gvrp vlan-creation-forbid Use the gvrp vlan-creation-forbid command in Interface Configuration mode to disable dynamic VLAN creation. To enable dynamic VLAN creation, use the no form of this command.
show gvrp configuration Use the show gvrp configuration command to display GVRP configuration information. Timer values are displayed. Other data shows whether GVRP is enabled and which ports are running GVRP. Syntax show gvrp configuration [ interface-id ] Default Configuration This command has no default configuration.
Gi1/0/11 1000 Disabled Gi1/0/12 1000 Disabled Gi1/0/13 1000 Disabled Gi1/0/14 1000 Disabled show gvrp error-statistics Use the show gvrp error-statistics command in User Exec mode to display GVRP error statistics. Syntax show gvrp error-statistics [interface-id] • interface-id—An Ethernet interface identifier or a port channel interface identifier.
Gi1/0/1 Gi1/0/2 Gi1/0/3 Gi1/0/4 show gvrp statistics Use the show gvrp statistics command in User Exec mode to display GVRP statistics. Syntax show gvrp statistics [interface-id] • interface-id —A physical interface identifier or a port channel interface identifier. Default Configuration This command has no default configuration.
IGMP messages. Although the software processing the IGMP messages could maintain state information based on the full IP group addresses, the forwarding tables in Dell EMC Networking are mapped to link layer addresses. The Multicast Forwarding Database (MFDB) manages the forwarding address table for Layer 2 multicast protocols, such as IGMP Snooping.
and thus not detectable by the switch. If a query is not received on an interface within a specified length of time (multicast router present expiration time), that interface is removed from the list of interfaces with multicast routers attached. The multicast router present expiration time is configurable using management.
Page 469
Default Configuration IGMP snooping is enabled globally and on all VLANs by default. Command Mode Global Configuration mode User Guidelines Use this command without parameters to globally enable IGMP snooping. Use the no form of the command to disable IGMP snooping. Use the vlan parameter to enable IGMP snooping on a specific VLAN.
show ip igmp snooping Use the show ip igmp snooping command to display the IGMP snooping configuration and SSM statistics. Syntax show ip igmp snooping [vlan vlan-id] • vlan-id—Specifies a VLAN ID value. Default Configuration This command has no default configuration. Command Mode User Exec, Privileged Exec, Global Configuration mode and all Configuration submodes...
show ip igmp snooping groups Use the show ip igmp snooping groups command in User Exec mode to display the Multicast groups learned by IGMP snooping and IGMP SSM entries. Syntax show ip igmp snooping groups [vlan vlan-id] [address ip-multicast-address] •...
User Guidelines This command has no user guidelines. Example The following example shows IGMP snooping mrouter information. console#show ip igmp snooping mrouter VLAN ID Port ------- ----------- Gi2/0/1 ip igmp snooping vlan immediate-leave This command enables or disables IGMP Snooping immediate-leave mode on a selected VLAN.
User Guidelines This command has no user guidelines. Example The following example enables IGMP snooping immediate-leave mode on VLAN 2. console(config)#ip igmp snooping vlan 2 immediate-leave ip igmp snooping vlan groupmembership-interval This command sets the IGMP Group Membership Interval time on a VLAN. The Group Membership Interval time is the amount of time in seconds that a switch waits for a report from a particular group on a particular interface before deleting the interface from the entry.
Example The following example configures an IGMP snooping group membership interval of 1500 seconds on VLAN 2. console(config)#ip igmp snooping vlan 2 groupmembership-interval 1500 ip igmp snooping vlan last-member-query- interval This command sets the last-member-query interval on a particular VLAN. The last-member-query-interval is the amount of time in seconds after which a host is considered to have left the group.
console(config)#ip igmp snooping vlan 2 last-member-query-interval 7 ip igmp snooping vlan mcrtrexpiretime This command sets the Multicast Router Present Expiration time. The time is set on a particular VLAN. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached.
Syntax ip igmp snooping vlan vlan-id report-suppression no ip igmp snooping vlan vlan-id report-suppression • vlan-id — A VLAN identifier (Range 1-4093). Default Configuration Report suppression is enabled by default. Command Mode Global Configuration mode User Guidelines When IGMP report suppression is enabled, the switch only sends the first report received for a group in response to a query.
Command Mode Global Configuration mode. User Guidelines There is no equivalent MLD command since this setting applies to both protocols. Example console(config)#ip igmp snooping unregistered floodall ip igmp snooping vlan mrouter This command statically configures a port as connected to a multicast router for a specified VLAN.
Page 479
IGMP snooping will consider that an mrouter is active if an mrouter port is defined in the VLAN, regardless of whether the mrouter port is up or not. If an mrouter port is defined, IGMP snooping will not flood multicast source packets received in the VLAN.
In a network with IP multicast routing, an IP multicast router acts as the IGMP querier. However, if it is required that the IP-multicast traffic in a VLAN be switched and no multicast router is present in the network, the Dell EMC Networking switch can be configured as an IGMP querier. When IGMP...
Page 481
address when generating periodic queries. The no form of this command disables IGMP Snooping Querier on the system. Use the optional address parameter to set or reset the querier address. If a VLAN has IGMP Snooping Querier enabled, and IGMP Snooping is operationally disabled on the VLAN, IGMP Snooping Querier functionality is disabled on that VLAN.
The VLAN IP address takes precedence over the global IP address when both are configured. IGMP Querier does not detect when the local switch is configured as a multicast router. It is not recommended to configure both L3 multicast routing and IGMP Querier on the same switch. IGMP snooping (and IGMP querier) validates IGMP packets.
Default Configuration The snooping querier is configured to not participate in the querier election by default. Command Mode Global Configuration mode User Guidelines If the switch detects another querier in the VLAN, it will cease sending queries for the querier timeout period. Example The following example configures the snooping querier to participate in the querier election on VLAN 10.
The value of this parameter should be larger than the IGMP Max Response Time value inserted into general query messages by the querier. The default IGMP Max Response Time is defined in RFC 3376 as 10 seconds. Dell EMC Networking queriers use this value when sending general query messages.
Example The following example sets the querier timer expiry time to 100 seconds. console(config)#ip igmp snooping querier timer expiry 100 ip igmp snooping querier version This command sets the IGMP version of the query that the snooping switch is going to send periodically. The no form of this command sets the IGMP Querier Version to its default value.
Page 486
Syntax show ip igmp snooping querier [detail | vlan vlan-id] • vlan-id —Specifies a VLAN ID value. Default Configuration This command has no default configuration. Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all submodes User Guidelines When the optional argument vlan-id is not used, the command shows the following information.
Page 487
Parameter Description Operational State Indicates whether IGMP Snooping Querier is in the Querier or Non-Querier state. When the switch is in Querier state it sends out periodic general queries. When in Non-Querier state it waits for moving to Querier state and does not send out any queries.
The error disabled interface can be manually enabled using the no shutdown command. Alternatively, the administrator can enable the auto recovery feature. Dell EMC Networking Auto Recovery re-enables the interface after the expiry of the configured time interval.
Page 490
• arp-inspection — Recovery for the dynamic ARP inspection cause is enabled.
• dhcp-rate-limit — Recovery for the DHCP rate limit cause is enabled.
• bcast-storm — Recovery for broadcast storm disabled interfaces is enabled.
• bpdustorm — Recovery for BPDU storm disabled interfaces is enabled.
•...
the interface continues to encounter errors (from any listed cause), it may be placed back in the diag-disable state and the interface will be disabled (link down). Interfaces in the disabled state due to a listed cause may be manually recovered by entering the no shutdown command for the interface.
User Guidelines Error disabled interfaces indicate a problem that must be resolved by the administrator. This could be a configuration problem or a physical problem and does not necessarily indicate a problem with the switch. When the interval expires, the system examines the error disabled interfaces and recovers them if recovery for the indicated cause is enabled.
Example
console(config)#show errdisable recovery
Reason             Auto-recovery Status
------------------ ---------------------
ARP Inspection     Disabled
BPDU Guard         Disabled
Broadcast Storm    Disabled
BPDU Storm         Disabled
DHCP Rate Limit    Disabled
Loop Protect       Disabled
Multicast Storm    Disabled
SFP Mismatch       Disabled
SFP Plus Mismatch  Disabled
UDLD               Disabled
Unicast Storm      Disabled
Port MAC Locking...
When the interval expires, the system examines the error disabled interfaces and recovers them if recovery for the indicated cause is enabled. Only a single timer is used and recovery occurs when the timer expires, not when the interface time expires. The recovery delay time indicates the number of seconds until the interface is eligible for recovery if auto-recovery is enabled for the indicated cause.
Example
The following example
console#show interfaces status err-disabled
Interface  Reason            Recovery Delay
---------- ----------------- --------------
Gi1/0/1    UDLD
Gi1/0/2    BPDU Guard
Gi1/0/3    BPDU Storm
The Dell EMC Networking ACL feature allows classification of packets based upon Layer 2 through Layer 4 header information. An Ethernet IPv6 packet is distinguished from an IPv4 packet by its unique EtherType value; thus all IPv6 classifiers implicitly include the EtherType field.
deny | permit (IPv6 ACL)
This command creates a new rule for the current IPv6 access list. Each rule is appended to the list of configured rules for the list. A rule may either deny or permit traffic according to the specified classification fields.
[routing] [fragments] [dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} interface-id] [rate-limit rate burst-size] no [sequence-number] • sequence-number — Identifies the order of application of the permit/deny statement. If no sequence number is assigned, permit/deny statements are assigned a sequence number beginning at 1000 and incrementing by 10. Statements are applied in hardware beginning with the lowest sequence number.
have a value equal or greater than the starting port. The starting port, ending port, and all ports in between will be part of the layer 4 port range. – When “eq” is specified, IPv6 ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey.
– This option is visible only if the protocol is tcp.
– Ack – Acknowledgment bit
– Fin – Finished bit
– Psh – Push bit
– Rst – Reset bit
– Syn – Synchronize bit
– Urg – Urgent bit
–...
• log—Specifies that this rule is to be logged when the rule has been matched one or more times since the expiry of the last logging interval. The logging interval is five minutes. • time-range time-range-name—Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name.
Any – is equivalent to ::/0 for IPv6 access lists. Host - indicates /128 prefix length for IPv6. Port ranges are not supported for egress (out) IPv6 traffic-filters. This means that only the eq operator is supported for egress (out) ACLs. The protocol type must be SCTP, TCP or UDP to specify a port range.
For the N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON series switches, for ingress (in) ACLs: • The IPv6 ACL “fragment” keyword matches only on the first IPv6 extension header for the fragment header (next header code 44). If the fragment header appears in the second or a subsequent header, it is not matched.
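The fragment-keyword limitation above can be checked against captured packets. The following Python is an added example, not Dell EMC code: it walks the IPv6 extension-header chain using the RFC 8200 header layouts and reports whether the Fragment header (next header code 44) is the first extension header, which is the only case the text says the keyword matches. The function names and the sample packets are constructed for illustration; the addresses reuse the ones in this guide's sample output.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
MOBILITY, HIP, SHIM6 = 135, 139, 140
# Extension headers whose second byte is "Hdr Ext Len" in 8-octet units.
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY, HIP, SHIM6}
IPV6_FIXED_LEN = 40


def fragment_header_position(packet: bytes) -> Optional[int]:
    """Return the 1-based position of the Fragment header among the
    extension headers, or None when the chain has no Fragment header."""
    if len(packet) < IPV6_FIXED_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, position = packet[6], IPV6_FIXED_LEN, 1
    while True:
        if next_header == FRAGMENT:
            return position
        if next_header not in GENERIC_EXT and next_header != AH:
            return None  # upper-layer protocol or ESP: nothing more to walk
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == AH:
            length = (packet[offset + 1] + 2) * 4  # AH length is in 4-octet units
        else:
            length = (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError("truncated extension header")
        next_header = packet[offset]
        offset += length
        position += 1


def classify(packet: bytes) -> str:
    """Label a packet according to the ingress limitation described above."""
    position = fragment_header_position(packet)
    if position is None:
        return "not-fragmented"
    if position == 1:
        return "matched-by-fragments-keyword"
    return "fragment-not-first"  # per the text, the keyword does not match this


def build_packet(ext_chain: List[int], upper_proto: int = 6) -> bytes:
    """Constructed sample packet. Supports Hop-by-Hop, Destination Options
    and Fragment headers, followed by 20 zero bytes standing in for TCP."""
    protos = list(ext_chain) + [upper_proto]
    body = b""
    for index, proto in enumerate(ext_chain):
        following = protos[index + 1]
        if proto == FRAGMENT:
            # next header, reserved, offset/flags (M=1), identification
            body += struct.pack("!BBHI", following, 0, 0x0001, 0x1234)
        elif proto in (HOP_BY_HOP, DEST_OPTS):
            # next header, Hdr Ext Len 0 (8 octets), one PadN option
            body += bytes([following, 0, 1, 4, 0, 0, 0, 0])
        else:
            raise ValueError("builder does not support header type %d" % proto)
    body += b"\x00" * 20
    header = struct.pack("!IHBB", 6 << 28, len(body), protos[0], 64)
    src = ipaddress.IPv6Address("fe80::2121").packed
    dst = ipaddress.IPv6Address("fe80::1212").packed
    return header + src + dst + body


# Constructed samples covering the three outcomes.
SAMPLES = {
    "plain-tcp": build_packet([]),
    "fragment-first": build_packet([FRAGMENT]),
    "hbh-then-fragment": build_packet([HOP_BY_HOP, FRAGMENT]),
    "hbh-dstopts-fragment": build_packet([HOP_BY_HOP, DEST_OPTS, FRAGMENT]),
}


def audit(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every sample so fragments the keyword misses stand out."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:22} {verdict}")
```

Packets reported as fragment-not-first are fragments that, per the limitation above, a rule relying on the keyword does not classify on these switch models.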
Syntax ipv6 access-list name no ipv6 access-list name • name — Alphanumeric string of 1 to 31 characters uniquely identifying the IPv6 access list. Default Configuration There is no default configuration for this command. Command Mode Global Configuration mode User Guidelines There are no user guidelines for this command Example The following example creates an IPv6 ACL named “DELL_IP6”...
Control List (ACL) to an interface or associates it with a VLAN ID in a given direction. Dell EMC Networking switches support configuration of multiple access groups on interfaces. An optional sequence number may be specified to indicate the order of this access list relative to other IPv6 access lists already assigned to this interface and direction.
• control-plane—The access list is applied to ingress control plane packets. This parameter is only available in Global Configuration mode. • seq-num — Order of access list relative to other access lists already assigned to this interface and direction. (Range: 1–4294967295) Default Configuration No IPv6 traffic filters are configured by default.
Syntax show ipv6 access-lists [name]
• name — The name used to identify the IPv6 ACL.
Default Configuration There is no default configuration for this command. Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command.
Source IPV6 Address............ fe80::2121/128
Destination IPV6 Address....... fe80::1212/128
Destination Layer 4 Operator... Equal To
Destination L4 Port Keyword.... 800
Flow Label..................... 65535
TCP Flags...................... FIN (Set) SYN (Ignore) RST (Ignore) PSH (Ignore) ACK (Ignore) URG (Ignore)
ACL Hit Count.................. 43981900
(ICMPv6), and MLD messages are a subset of ICMPv6 messages, identified in IPv6 packets by a preceding Next Header value of 58. Dell EMC Networking switches can snoop on both MLDv1 and MLDv2 protocol packets and bridge IPv6 multicast data based on destination IPv6 Multicast MAC Addresses.
ipv6 mld snooping vlan groupmembership-interval
The ipv6 mld snooping vlan groupmembership-interval command sets the MLD Group Membership Interval time on a VLAN or interface. The Group Membership Interval time is the amount of time in seconds that a switch waits for a report from a particular group on a particular interface before deleting the interface from the entry.
You should enable immediate-leave admin mode only on VLANs where only one host is connected to each layer 2 LAN port. This prevents the inadvertent dropping of the other hosts that were connected to the same layer 2 LAN port, but were still interested in receiving multicast traffic directed to that group.
Default Configuration Listener message suppression is enabled by default. Command Mode Global Configuration mode. User Guidelines MLD listener message suppression is equivalent to IGMP report suppression. When MLD listener message suppression is enabled, the switch only sends the first report received for a group in response to a query. Listener message suppression is only applicable to MLDv1.
User Guidelines This command has no user guidelines. Example console(config)#ipv6 mld snooping vlan 2 last-listener-query-interval 7 ipv6 mld snooping vlan mcrtrexpiretime The ipv6 mld snooping mcrtrexpiretime command sets the Multicast Router Present Expiration time. The time is set for a particular interface or VLAN. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached.
ipv6 mld snooping vlan mrouter This command statically configures a port as connected to a multicast router for a specified VLAN. The no form of this command removes the static binding. Syntax ipv6 mld snooping vlan vlan-id mrouter interface interface no ipv6 mld snooping vlan vlan-id mrouter interface interface •...
no ipv6 mld snooping [vlan vlan-id] • vlan-id — A VLAN identifier (Range 1-4093). Default Configuration MLD Snooping is enabled globally and on all VLANs by default. Command Mode Global Configuration mode. User Guidelines Use this command without parameters to globally enable MLD Snooping. Use the no form of the command to disable MLD Snooping.
• interface-id—A physical interface identifier or a port channel identifier • vlan-id—A VLAN identifier. Default Configuration This command has no default configuration Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines With no optional arguments, the command displays the following information: •...
• Last Listener Query Interval—Displays the amount of time the switch waits after it sends a query on an interface, participating in the VLAN, because it did not receive a report for a particular group on that interface. This value may be configured. •...
Default configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This user guideline applies to all switch models. To see the full Multicast address table (including static addresses) use the show mac address-table multicast command.
Default configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines MLD snooping forwards IPv6 multicast data plane packets to mrouter ports, including statically configured mrouter ports. If a static mrouter port is configured in a VLAN, MLD snooping will forward multicast data plane packets received on the VLAN even if the interface is down.
IPv6 MLD Snooping Querier Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
The MLD Snooping Querier is an extension of the MLD Snooping feature. MLD Snooping Querier allows the switch to simulate an MLD router in a Layer 2-only network, thus removing the need to have an MLD Router to collect the multicast group membership information.
Syntax ipv6 mld snooping querier no ipv6 mld snooping querier Default Configuration MLD Snooping Querier is disabled by default. Command Mode Global Configuration mode User Guidelines It is not recommended the MLD Snooping Querier be enabled on a switch enabled for IPv6 multicast routing. Example console(config)#ipv6 mld snooping querier ipv6 mld snooping querier (VLAN mode)
User Guidelines There are no user guidelines for this command. Example console(config)#ipv6 mld snooping querier vlan 10 ipv6 mld snooping querier address Use the ipv6 mld snooping querier address command to set the global MLD Snooping Querier address. Use the no form of this command to reset the global MLD Snooping Querier address to the default.
enabled, if the Snooping Querier finds that the other Querier's source address is numerically lower than the Snooping Querier's address, it stops sending periodic queries. If the Snooping Querier wins the election then it will continue sending periodic queries. Use the no form of this command to disable election participation on a VLAN.
• interval — Amount of time that the switch waits before sending another general query. (Range: 1–1800 seconds) Default Configuration The default query interval is 60 seconds. Command Mode Global Configuration mode User Guidelines There are no user guidelines for this command Example console(config)#ipv6 mld snooping querier 120 ipv6 mld snooping querier timer expiry...
User Guidelines There are no user guidelines for this command. Example console(config)#ipv6 mld snooping querier timer expiry 222 show ipv6 mld snooping querier Use the show ipv6 mld snooping querier command to display MLD Snooping Querier information. Configured information is displayed whether or not MLD Snooping Querier is enabled.
Querier Query Interval Shows the amount of time that a Snooping Querier waits before sending out a periodic general query. Querier Expiry Interval Displays the amount of time to wait in the Non-Querier operational state before moving to a Querier state. When the optional argument vlan vlan-id is used, the following additional information appears: Parameter...
IP Source Guard Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
IP Source Guard (IPSG) is a security feature that filters IP packets based on source ID. The source ID may be either the source IP address or a {source IP address, source MAC address} pair.
Syntax ip verify source {port-security} no ip verify source • port-security—Enables filtering based on IP address, VLAN, and MAC address. When not specified, filtering is based upon IP address. Default Configuration By default, no sources are blocked. Command Mode Interface Configuration mode (physical and port channel) User Guidelines DHCP snooping should be enabled on any ports for which ip verify source is configured.
ip verify binding Use the ip verify binding command in Global Configuration mode to configure static bindings. Use the no form of the command to remove the IPSG entry. Syntax ip verify binding macaddr vlan ipaddr interface Default Configuration By default, there are no static bindings configured. Command Mode Global Configuration mode User Guidelines...
Default Configuration There is no default configuration for this command. Command Modes User Exec, Privileged Exec (all show modes) User Guidelines The filter type is one of the following values: • ipv4-mac: IPv4 plus MAC address filtering • ip: IPv4 address filtering •...
Syntax show ip verify source [interface interface-id] • interface-id: A valid physical interface identifier or port-channel identifier Default Configuration There is no default configuration for this command. Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines.
User Guidelines This command has no user guidelines.
Example
console#show ip source binding
MAC Address    IP Address Type   VLAN  Interface
-------------- ---------- ------ ----- -------------
0011.2233.4455 1.2.3.4    static       Gi1/0/2
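The difference between the two IPSG filter types described in this section (ip, and ipv4-mac when port-security is specified) is easiest to see on sample frames. The following Python is an added example that models the filtering decision; it is not the switch's implementation. The class and function names are hypothetical, the binding reuses the MAC, IP address and interface from the sample output above, and VLAN 10 and the test frames are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return digits


@dataclass(frozen=True)
class Binding:
    """One entry as given to 'ip verify binding macaddr vlan ipaddr interface'."""
    mac: str
    vlan: int
    ip: str
    interface: str


@dataclass(frozen=True)
class Frame:
    interface: str
    vlan: int
    src_mac: str
    src_ip: str


class SourceGuard:
    """Model of IPSG on ports where 'ip verify source' is configured.

    filter_type "ip"       : match on source IP address only.
    filter_type "ipv4-mac" : match on IP address, VLAN and MAC address
                             (the port-security option).
    Assumption: bindings are evaluated per ingress interface.
    """

    def __init__(self, bindings: Iterable[Binding], filter_type: str) -> None:
        if filter_type not in ("ip", "ipv4-mac"):
            raise ValueError("unknown filter type: %r" % filter_type)
        self.filter_type = filter_type
        self._by_ip = set()
        self._by_ip_vlan_mac = set()
        for b in bindings:
            ip = ipaddress.ip_address(b.ip)
            self._by_ip.add((b.interface, ip))
            self._by_ip_vlan_mac.add((b.interface, b.vlan, normalize_mac(b.mac), ip))

    def permits(self, frame: Frame) -> bool:
        ip = ipaddress.ip_address(frame.src_ip)
        if self.filter_type == "ipv4-mac":
            key = (frame.interface, frame.vlan, normalize_mac(frame.src_mac), ip)
            return key in self._by_ip_vlan_mac
        return (frame.interface, ip) in self._by_ip


# Binding from the sample output above; the VLAN value is constructed.
BINDINGS = [Binding("0011.2233.4455", 10, "1.2.3.4", "Gi1/0/2")]

# Constructed frames: (label, frame)
FRAMES = [
    ("legitimate host", Frame("Gi1/0/2", 10, "00:11:22:33:44:55", "1.2.3.4")),
    ("wrong source IP", Frame("Gi1/0/2", 10, "00:11:22:33:44:55", "1.2.3.99")),
    ("bound IP, different MAC", Frame("Gi1/0/2", 10, "02:00:00:00:00:01", "1.2.3.4")),
    ("bound pair, other port", Frame("Gi1/0/3", 10, "00:11:22:33:44:55", "1.2.3.4")),
]


def compare_filter_types() -> List[Tuple[str, bool, bool]]:
    """Return (label, permitted with 'ip', permitted with 'ipv4-mac')."""
    ip_only = SourceGuard(BINDINGS, "ip")
    ip_mac = SourceGuard(BINDINGS, "ipv4-mac")
    return [(label, ip_only.permits(f), ip_mac.permits(f)) for label, f in FRAMES]


if __name__ == "__main__":
    for label, with_ip, with_ip_mac in compare_filter_types():
        print(f"{label:26} ip={with_ip!s:5} ipv4-mac={with_ip_mac}")
```

The third frame is the case that separates the two modes: IP-only filtering accepts a bound address sent from an unbound MAC, while the port-security form rejects it.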
iSCSI Optimization Commands
Dell EMC Networking N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
iSCSI Optimization provides a means of performing configuration specific to storage traffic and optionally giving traffic between iSCSI initiator and target systems special Quality of Service (QoS) treatment. iSCSI Optimization is best applied to mixed-traffic networks where iSCSI packets constitute a portion of overall traffic.
iSCSI Optimization borrows ACL lists from the global system pool. ACL lists allocated by iSCSI Optimization reduce the total number of ACLs available for use by the network operator. Enabling iSCSI Optimization uses one ACL list to monitor for iSCSI sessions. Each monitored iSCSI session utilizes two rules from additional ACL lists up to a maximum of two ACL lists.
User Guidelines Changing the aging time has the following behavior: • When aging time is increased, current sessions will be timed out according to the new value. • When aging time is decreased, any sessions that have been dormant for a time exceeding the new setting will be immediately deleted from the table.
Default Configuration By default, frames are not remarked. The default vpt setting for iSCSI is 4, which the default class of service 802.1p mapping assigns to queue 2. Command Mode Global Configuration mode. User Guidelines The remark option only applies to DSCP values. Remarking is not available for vpt values.
console(config)#iscsi cos dscp 41 remark iscsi enable The iscsi enable command globally enables iSCSI optimization. To disable iSCSI optimization, use the no form of this command. Syntax iscsi enable no iscsi enable Default Configuration iSCSI is enabled by default. Command Mode Global Configuration mode User Guidelines This command modifies the running config to enable flow control on all...
AE Selector = 1 AE Protocol = 3260 AE Priority = priority configured for iSCSI PFC (the VPT value above). This TLV is sent in addition to any Application Priority TLV information received from the configuration source. If the configuration source is sending iSCSI application priority information, it is not necessary to enable iscsi cos to send the iSCSI Application Priority TLV.
Default Configuration iSCSI well-known ports 3260 and 860 are configured by default but can be removed as any other configured target. Command Mode Global Configuration mode. User Guidelines • When working with private iSCSI ports (not IANA assigned iSCSI ports 3260/860), it is recommended to specify the target IP address as well, so the switch will only snoop frames with which the TCP destination port is one of the configured TCP ports, AND their destination IP is the target's...
Default Configuration There is no default configuration for this command. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines There are no user guidelines for this command. Example The following example displays the iSCSI configuration. console#show iscsi iSCSI enabled iSCSI CoS enabled...
Default Configuration If not specified, sessions are displayed in short mode (not detailed). Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines The N2000/N2100-ON/N3000/N3100-ON Series switches support monitoring for up to 1024 sessions. The N4000 switches support monitoring for up to 512 sessions.
Initiator    Initiator  Target       Target
IP address   TCP port   IP address   IP port
172.16.1.3   49154      172.16.1.20  30001
172.16.1.4   49155      172.16.1.21  30001
172.16.1.5   49156      172.16.1.22  30001
Session 2:
-----------------------------------------------------
Initiator: iqn.1995-05.com.os-vendor.plan9:cdrom.10
Time started: 17-Aug-2008 21:04:50
Time for aging out: 2 min
ISID: 22
Initiator    Initiator  Target       Target
IP address   TCP port   IP address   IP port
172.16.1.30  49200      172.16.1.20  30001...
Link Dependency Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
Link dependency allows the link status of a group of interfaces to be made dependent on the link status of other interfaces. The effect is that the link status of a group that depends on another interface either mirrors or inverts the link status of the depended-on interface.
Command Mode Link Dependency mode User Guidelines The action up command will cause the group members to be up when no depended-on interfaces are up. Example console(config-depend-1)#action up link-dependency group Use the link-dependency group command to enter the link-dependency mode and configure a link-dependency group. Syntax link-dependency group GroupId no link-dependency group GroupId...
Use this command to add member ten Gigabit or Gigabit Ethernet port(s) or port channels to the dependency list. Syntax add intf-list • intf-list — List of Ethernet interface identifiers or port channel identifiers or ranges. Separate nonconsecutive ports with a comma and no spaces. Use a hyphen to designate the range of ports.
no depends-on intf-list • intf-list — List of Ethernet interface identifiers or port channel interface identifiers or ranges. Separate nonconsecutive items with a comma and no spaces. Use a hyphen to designate the range of ports or port-channel numbers. Default Configuration This command has no default configuration.
Default Configuration This command has no default configuration. Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines Configure a link dependency group prior to using this command. Example The following command shows link dependencies for all groups. console#show link-dependency GroupId Member Ports Ports Depended On Link Action Group State...
Devices are not required to implement both transmit and receive functions and each function can be enabled or disabled separately by the network manager. Dell EMC Networking supports both the transmit and receive functions in order to support device discovery.
The receive function accepts incoming LLDPDU frames and stores information about the remote stations. Both local and remote data may be displayed by the user interface and retrieved using SNMP as defined in the LLDP MIB definitions. The component maintains one remote entry per physical network connection.
Default Configuration By default, data is removed only on system reset. Command Mode Privileged Exec mode User Guidelines This command has no user guidelines. Example The following example displays how to clear the LLDP remote data. console#clear lldp remote-data clear lldp statistics Use the clear lldp statistics command to reset all LLDP statistics.
dcb enable This command enables the sending of DCBX information in LLDP frames. Syntax dcb enable no dcb enable Command Mode Global Configuration mode Default Value The sending of DCBX information is enabled by default. User Guidelines Use this command to disable the sending of DCBX information when it is desirable to utilize legacy QoS and disable the automatic configuration of CNAs based on transmitted DCBX information.
Default Value Transmission and reception of LLDP-MED TLVs is enabled on all supported interfaces. User Guidelines No specific guidelines. Example console(config)#interface gigabitethernet 1/0/1 console(config-if-Gi1/0/1)#lldp med lldp med confignotification This command is used to enable sending topology change notifications. Syntax lldp med confignotification no lldp med confignotification Command Mode Interface Configuration (Ethernet) mode...
Syntax lldp med faststartrepeatcount count no lldp med faststartrepeatcount • count — Number of LLDPDUs that are transmitted when the protocol is enabled. (Range 1–10) Command Mode Global Configuration Default Value User Guidelines No specific guidelines. Example console(config)# lldp med faststartrepeatcount 2 lldp med transmit-tlv This command is used to specify which optional TLVs in the LLDP MED set are transmitted in the LLDPDUs.
User Guidelines The optional ex-pse (extended PSE) and ex-pd (extended PD) parameters are only available on PoE capable switches. Default Value By default, the capabilities and network policy TLVs are included in LLDP packets sent on interfaces enabled for MED. On PoE capable switches, the extended PD TLV and extended PSE TLV are transmitted.
console(config-if-Gi1/0/3)#lldp notification lldp notification-interval Use the lldp notification-interval command in Global Configuration mode to limit how frequently remote data change notifications are sent. To return the notification interval to the factory default, use the no form of this command. Syntax lldp notification-interval interval no lldp notification-interval •...
no lldp receive Default Configuration The default lldp receive mode is enabled. Command Mode Interface Configuration (Ethernet) mode User Guidelines This command has no user guidelines. Example The following example displays how to enable the LLDP receive capability. console(config-if-Gi1/0/3)#lldp receive lldp timers Use the lldp timers command in Global Configuration mode to set the timing parameters for local data transmission on ports enabled for LLDP.
The default hold-multiplier is 4. The default delay before reinitialization is 2 seconds. Command Mode Global Configuration mode User Guidelines This command has no user guidelines. Examples The following example displays how to configure LLDP to transmit local information every 1000 seconds. console(config)#lldp timers interval 1000 The following example displays how to set the timing parameter at 1000 seconds with a hold multiplier of 8 and a 5 second delay before...
User Guidelines This command has no user guidelines. Example The following example displays how to enable the transmission of local data. console(config-if-Gi1/0/3)#lldp transmit lldp transmit-mgmt Use the lldp transmit-mgmt command in Interface Configuration mode to include transmission of the local system management address information in the LLDPDUs.
lldp transmit-tlv Use the lldp transmit-tlv command in Interface Configuration mode to specify which optional type-length-value settings (TLVs) in the 802.1AB basic management set will be transmitted in the LLDPDUs. To remove an optional TLV, use the no form of this command. Syntax lldp transmit-tlv [sys-desc][sys-name][sys-cap][port-desc] no lldp transmit-tlv [sys-desc][sys-name][sys-cap][port-desc]
show lldp Use the show lldp command to display the current LLDP configuration summary. Syntax show lldp Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example displays the current LLDP configuration summary.
Syntax show lldp interface {gigabitethernet unit/slot/port | tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port | all} Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Examples This example shows how the information is displayed when you use the command with the all parameter.
Syntax show lldp local-device {detail interface | interface | all}
• detail — Includes a detailed version of the local data.
• interface — Specifies a valid physical interface on the device. Specify either gigabitethernet unit/slot/port or tengigabitethernet unit/slot/port or fortygigabitethernet unit/slot/port.
•...
Management Address: Type: IPv4 Address: 192.168.17.25 show lldp med This command displays a summary of the current LLDP MED configuration. Syntax show lldp med Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes Default Value Not applicable User Guidelines No specific guidelines.
Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes Default Value Not applicable
Example
console#show lldp med interface all
LLDP MED Interface Configuration
Interface Link   configMED operMED  ConfigNotify TLVsTx
--------- ------ --------- -------- ------------ -----------
Gi1/0/1   Detach Enabled   Enabled  Enabled      0,1
Gi1/0/2...
Default Value Not applicable
Example
Console#show lldp med local-device detail gi1/0/8
LLDP MED Local Device Detail
Interface: Gi1/0/8
Network Policies
Media Policy Application Type : voice
Vlan ID: 10
Priority: 5
DSCP: 1
Unknown: False
Tagged: True
Media Policy Application Type : streamingvideo
Vlan ID: 20
Priority: 1
DSCP: 2...
Extended POE PD Required: 0.2 watts Source: local Priority: low show lldp med remote-device This command displays the current LLDP MED remote data. This command can display summary information or detail for each interface. Syntax show lldp med remote-device {gigabitethernet unit/slot/port | tengigabitethernet unit/slot/port | all} show lldp med remote-device detail {gigabitethernet unit/slot/port | tengigabitethernet unit/slot/port}...
Local Interface: 1/0/1
Capabilities
MED Capabilities Supported: capabilities, networkpolicy, location, extendedpse
MED Capabilities Enabled: capabilities, networkpolicy
Device Class: Endpoint Class I
Network Policies
Media Policy Application Type : voice
Vlan ID: 10
Priority: 5
DSCP: 1
Unknown: False
Tagged: True
Media Policy Application Type : streamingvideo
Vlan ID: 20
Priority: 1...
Required: 0.2 Watts
Source: local
Priority: low
show lldp remote-device
Use the show lldp remote-device command to display the current LLDP remote data. This command can display summary information or detail for each interface. Syntax show lldp remote-device {detail interface | interface | all} •...
Gi1/0/19 00:1E:C9:AA:AB:FD Gi1/0/5
console#show lldp remote-device detail Gi1/0/13
LLDP Remote Device Detail
Local Interface: Gi1/0/13
Remote Identifier: 1
Chassis ID Subtype: MAC Address
Chassis ID: F8:B1:56:2B:A4:FA
Port ID Subtype: Interface Name
Port ID: Gi1/0/13
System Name:
System Description:
Port Description: Gi1/0/13
System Capabilities Supported:
System Capabilities Enabled:
Time to Live: 113 seconds...
LLDP Device Statistics
Last Update.................. 0 days 22:58:29
Total Inserts................ 1
Total Deletes................ 0
Total Drops.................. 0
Total Ageouts................ 1
Interface Total Total Discards Errors Ageout Discards Unknowns MED  802.3 UPOE
--------- ----- ----- -------- ------ ------ -------- -------- ---- ----- -----
Gi1/0/1   29395 82562 0
Gi1/0/2...
Fields Description Total Deletes The number of times a complete set of information advertised by a remote device has been deleted from the table. Total Drops Number of times a complete set of information advertised by a remote device could not be inserted due to insufficient resources.
Loop Protection
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
Loop protection detects physical and logical loops between Ethernet ports on a device. Loop protection must be enabled globally before it can be enabled at the interface level. Commands in this Section...
User Guidelines Loop protection operates by unicasting a Configuration Test Protocol (CTP) reply packet with the following field settings:
• Source MAC Address: Switch L3 MAC address
• Destination MAC Address: Switch L3 MAC address
• Ether Type: 0x0900 (LOOP)
• Skip Count: 0
•...
keepalive (Global Config) Use the keepalive command in Global Configuration mode to enable keepalive or to configure the loop protection timer and packet count. Use the no form of the command to return the configuration to the defaults. Syntax keepalive [ period [ count ] ] no keepalive •...
Example
The following example configures the CTP transmit interval to transmit CTP packets every 5 seconds.
console(config)#keepalive 5
This example configures the CTP transmit interval to 5 seconds. If an interface receives two CTP packets, the switch error disables the interface.
console(config)#keepalive 5 2
In the next example, the CTP transmit interval is configured to 5 seconds, and an interface is error disabled if it receives three CTP packets.
User Guidelines Error disabled interfaces can be configured to auto-recover using the errdisable recovery cause loop-protect command. Keep-alive should only be configured on interfaces that do not participate in spanning-tree. Keep-alive may disable interfaces in the spanning-tree designated (blocked) role. Command History Implemented in version 6.3.0.1 firmware.
Field Description Transmit Interval The transmission interval in seconds. Retry Count The number of times a keepalive packet must be seen before a looped state is declared. Command History Implemented in version 6.3.0.1 firmware. Example updated in 6.4 version. Example console#show keepalive Keepalive Service......
User Guidelines The following information is displayed.
Field                 Description
Port                  The interface identifier.
Keep Alive            Are keepalives transmitted on this interface (Yes, No)?
Loop Detected         Has a loop been detected (Yes, No)?
Loop Count            The number of CTP packets detected.
Time Since Last Loop  The last time a loop was detected.
MLAG Commands Dell EMC Networking N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches MLAG enables a LAG to be created across two independent switches, so that some member ports of a MLAG can reside on one switch and the other members of a MLAG can reside on another switch. The partner switch on the remote side can be a MLAG-unaware unit.
Default Configuration There is no default configuration for this command. Command Modes Privileged Exec mode User Guidelines There are no user guidelines for this command. Example console#clear vpc statistics feature vpc The feature vpc command globally enables MLAG. Use the no form of the command to globally disable MLAG.
peer detection enable Use the peer detection enable command to enable the Dual Control Plane Detection Protocol. This enables the detection of peer MLAG switches and suppresses state transitions out of the secondary state in the presence of peer link failures. Use the no form of the command to disable the dual control plane detection protocol.
Syntax
peer detection interval interval-msecs timeout timeout-msecs
no peer detection interval
• interval-msecs—The peer keepalive timeout in seconds. The range is 200–4000 milliseconds.
• timeout-msecs—The peer timeout value in milliseconds. The range is 700–14000 milliseconds.
Default Configuration
The default transmission interval is 1000 milliseconds. The default reception timeout is 3500 milliseconds.
Syntax
peer-keepalive destination ipaddress source srcaddr [udp-port port]
no peer-keepalive destination
• ipaddress—The IP address of the MLAG peer.
• port—The UDP port number to use to listen for peer Dual Control Plane Detection Protocol packets.
• srcaddr—The local source address to use.
Default Configuration
There are no Dual Control Plane Detection Protocol peers configured by default.
Example
console(config)#vpc domain 1
console(config-vpc 1)#peer-keepalive enable
console(config-vpc 1)#peer-keepalive destination 192.168.0.2 source 192.168.0.1
console(config-vpc 1)#peer detection enable
console(config-vpc 1)#exit
peer-keepalive enable
Use the peer-keepalive enable command to enable the peer keepalive protocol on the peer link. When enabled, if an MLAG switch does not receive keepalive messages from the peer within the timeout value and DCPDP is disabled, the switch begins the process of transitioning to the primary role (if standby).
• Secondary device fails: All MLAG members’ port information regarding the secondary device that the primary switch maintains are removed from the primary switch. Forwarding and control processing continues on the local MLAG ports on the primary switch. Once the secondary comes back up again, it starts the keepalive protocol and, if successful in contacting the primary device, moves to the secondary state.
no peer-keepalive timeout • value—The peer keepalive timeout value in seconds. The range is 2 to 15 seconds. Default Configuration By default, the keepalive timeout value is 5 seconds. Command Modes VPC Domain User Guidelines This command configures the peer keepalive timeout value (in seconds). If an MLAG switch does not receive keepalive messages from the peer for this timeout value, it takes the decision to transition its role (if required).
• Value—The local switch priority value. (The range is 1-255.) Default Configuration The default priority value is 100. Command Modes MLAG Domain Configuration mode User Guidelines This value is used for the MLAG role election and is sent to the MLAG peer in the MLAG keepalive messages.
Default Configuration
There is no default configuration for this command.
Command Modes
Privileged Exec mode and above
User Guidelines
There are no user guidelines for this command.
Example
(console)# show vpc 10
VPC Id 10
-----------------
Configuration mode......Enabled
Operational mode......Enabled
Port channel........Po1
Self member ports Status...
User Guidelines A VPC domain ID must be configured for this command to display the VPC status. Only the Primary switch maintains the member status of the Secondary switch. The Secondary switch does not maintain or show the status of the Primary switch peer members.
Number of VPCs configured...... 2
Number of VPCs operational..... 2
VPC id# 1
-----------
Interface........Po2
Configured Vlans....... 1,10,11,12,13,14,15,16,17
VPC Interface State......Active
Local MemberPorts Status
----------------- ------
Gi1/0/23 UP
Gi1/0/24 UP
Peer MemberPorts Status
---------------- ------
Gi1/0/23 UP
Gi1/0/24 UP
VPC id# 2
-----------
Interface........
User Guidelines
There are no user guidelines for this command.
Command History
Introduced in 6.2.0.1 firmware. Updated in 6.3.0.1 firmware.
Example
console# show vpc consistency-parameters global
Parameter Value
--------------------- -------------------------------------------
STP Mode Enabled
STP Version IEEE 802.1s
BPDU Filter Mode Enabled
BPDU Guard Mode Enabled...
Syntax show vpc consistency-features { global | interface port-channel-number } • port-channel-number—A valid port-channel identifier. Default Configuration There is no default configuration for this command. Command Modes Privileged Exec mode and above User Guidelines There are no user guidelines for this command. show vpc peer-keepalive Use the show vpc peer-keepalive command to display the peer MLAG switch’s IP address used by the Dual Control Plane Detection Protocol.
Peer IP address......10.130.14.55
Source IP address......10.130.14.54
UDP port........50000
Peer detection admin status....Enabled
Peer detection operational status..Up
Peer is detected......True
Configured Tx interval.....500 milliseconds
Configured Rx timeout......2000 milliseconds
Operational Tx interval....500 milliseconds
Operational Rx timeout.....2000 milliseconds
show vpc role
Use the show vpc role command to display information about the keepalive status and parameters.
Configured VPC system priority....32767
Operational VPC system priority....32767
Local System MAC........00:10:18:82:18:63
Timeout........5
VPC State........Primary
VPC Role........Primary
Peer
----
VPC Domain ID........1
Role Priority........100
Configured VPC MAC......<AA:BB:CC:DD:EE:FF>
Operational VPC MAC......<AA:BB:CC:DD:EE:FF>
Configured VPC system priority....32767
Operational VPC system priority....32767
Role..........Secondary
Local System MAC........00:10:18:82:1b:ab
show vpc statistics...
Total received..........115
Rx successful...........108
Rx Errors..........7
Timeout counter.........6
(console)# show vpc statistics peer-link
Peer link control messages transmitted....123
Peer link control messages Tx errors....5
Peer link control messages Tx timeout....4
Peer link control messages ACK transmitted..... 34
Peer link control messages ACK Tx errors....5
Peer link control messages received....
system-mac
Use this command to manually configure the MAC address for the VPC domain. Use the no form of the command to revert the domain MAC address to the default value.
Syntax
system-mac mac-address
no system-mac
• mac-address—The system MAC address for the VPC domain.
Default Configuration
By default, the domain uses a pre-configured MAC address.
system-priority Use this command to manually configure the priority for the VPC domain. Use the no form of the command to revert the priority to the default value. Syntax system-priority priority no system-priority • priority—The priority for the VPC domain. Range is 1-65535. Default Configuration By default, the system priority is 32767.
Use the vpc command to configure a port-channel (LAG) as part of an MLAG instance. Upon issuing this command, the port-channel is down until the port-channel member information is exchanged and agreed between the MLAG peer switches. Use the no form of the command to remove the LAG from the MLAG domain.
console(config)#interface po3
console(config-if-Po3)#switchport mode trunk
console(config-if-Po3)#switchport trunk allowed vlan 1-99,101-4093
console(config-if-Po3)#vpc 2
console(config-if-Po3)#exit
vpc domain
Use the vpc domain command to enter into MLAG configuration mode. This command creates an MLAG domain and enters into MLAG configuration mode.
BPDUs sent out on VPC interfaces. If two VPC domains have the identical domain-ids, the resulting actor IDs may lead to LACP or STP convergence issues.
Example
console(config)#vpc domain 1
console(config-vpc 1)#peer-keepalive enable
console(config-vpc 1)#peer-keepalive destination 192.168.0.2 source 192.168.0.1
console(config-vpc 1)#peer detection enable
console(config-vpc 1)#exit
vpc peer-link
Use the vpc peer-link command to configure a port channel as the MLAG...
Multicast VLAN Registration Commands Dell EMC Networking N1100-ON/N2000/N2100-ON/N3000/N3100- ON/N4000 Series Switches Multicast VLAN registration (MVR) is a method for consolidating multicast traffic from multiple VLANs onto a single VLAN. A typical usage scenario would be the distribution of a multicast group to a switch using a single VLAN where the switch has users in different VLANs subscribing to the multicast group.
Commands in this Section
This section explains the following commands:
mvr type
mvr group
mvr vlan group
mvr mode
show mvr
mvr querytime
show mvr members
mvr vlan
show mvr interface
mvr immediate
show mvr traffic
Use the mvr command in Global Configuration and Interface Configuration modes to enable MVR.
Syntax mvr group A.B.C.D [count] no mvr group A.B.C.D [count] • A.B.C.D—Specify a multicast group. • count—Specifies the number of multicast groups to configure. Groups are configured contiguously by incrementing the first group specified. Default Configuration This command has no default configuration. Command Mode Global Configuration User Guidelines...
no mvr mode • compatible—Do not allow membership joins on source ports. • dynamic—Send IGMP joins to the multicast source when IGMP joins are received on receiver ports. Default Configuration The default mode is compatible. Command Mode Global Configuration User Guidelines This command has no user guidelines.
User Guidelines
The following table lists the completion messages.
Message Type                   Message Description
Successful Completion Message  Defaulting MVR query response time.
Error Completion Message       None
Example
console(config)#interface Gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 2
console(config-if-Gi1/0/1)#mvr
console(config-if-Gi1/0/1)#mvr type receiver
console(config-if-Gi1/0/1)#exit
console(config)#mvr mode dynamic
console(config)#mvr querytime 10
mvr vlan
Use the mvr vlan command in Global Configuration mode to set the MVR...
Message Type                   Message Description
Successful Completion Message  MVR multicast VLAN ID is set to the default value which is equal to 1.
Error Completion Message       Receiver port in mVLAN, operation failed.
mvr immediate
Use the mvr immediate command in Interface Configuration mode to enable MVR Immediate Leave mode.
mvr type Use the mvr type command in Interface Configuration mode to set the MVR port type. Use the no form of this command to set the MVR port type to None. Syntax mvr type {receiver | source} no mvr type •...
console(config-if-Gi1/0/1)#mvr type receiver
console(config-if-Gi1/0/1)#interface Gi1/0/24
console(config-if-Gi1/0/24)#switchport mode trunk
console(config-if-Gi1/0/24)#switchport trunk native vlan 99
console(config-if-Gi1/0/24)#switchport trunk allowed vlan add 99
console(config-if-Gi1/0/24)#mvr
console(config-if-Gi1/0/24)#mvr type source
console(config-if-Gi1/0/24)#exit
mvr vlan group
Use the mvr vlan group command in Interface Configuration mode to participate in the specific MVR group. Use the no form of this command to remove the port participation from the specific MVR group.
Parameter                     Description
MVR Max Multicast Groups      The maximum number of multicast groups that is supported by MVR.
MVR Current Multicast groups  The current number of MVR groups allocated.
MVR Query Response Time       The current MVR query response time.
MVR Mode                      The current MVR mode.
Message Type                   Message Description
Successful Completion Message  None
Error Completion Message       MVR disabled
The following table explains the output parameters.
Parameter     Description
MVR Group IP  MVR group multicast IP address.
Status        The status of the specific MVR group. It can be active or inactive.
Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines The following table lists the completion messages. Message Type Message Description Successful Completion Message None Error Completion Message MVR disabled The following table explains the output parameters. Parameter Description Port...
console#show mvr interface gi1/0/23 members vlan 12
235.0.0.1 STATIC ACTIVE
235.1.1.1 STATIC ACTIVE
show mvr traffic
Use the show mvr traffic command to display global MVR statistics.
Syntax
show mvr traffic
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec, Global Configuration mode and all Configuration submodes
User Guidelines
The following table lists the completion messages.
Parameter Description IGMP Report V2 Transmitted Number of transmitted IGMP Reports V2. IGMP Leave Transmitted Number of transmitted IGMP Leaves. IGMP Packet Receive Failures Number of failures on receiving the IGMP packets. IGMP Packet Transmit Failures Number of failures on transmitting the IGMP packets.
DCBX configuration, etc. must be compatible on all member links. Per IEEE 802.1AX, only links with the same operational characteristics, such as speed and duplex setting, may be aggregated. Dell EMC Networking switches aggregate links only if they have the same operational speed and duplex setting, as opposed to the configured speed and duplex setting.
unable to buffer the requisite number of frames will show excessive frame discard. Configuring copper and fiber ports together in an aggregation group is not recommended. If a dynamic LAG member sees an LACPDU that contains information different from the currently configured default partner values, that particular member drops out of the LAG.
VLANs and LAGs When Ethernet interfaces are added to a LAG, they are removed from all existing VLAN membership and take on the VLAN membership of the LAG. When members are removed from a LAG, the members regain the Ethernet interface VLAN membership as per the configuration.
Source/Destination IP and source/destination TCP/UDP Port fields of the packet. Enhanced LAG Hashing Dell EMC Networking devices based on Broadcom XGS-IV silicon support configuration of hashing algorithms for each LAG interface. The hashing algorithm is used to distribute traffic load among the physical ports of the LAG while preserving the per-flow packet order.
8 interfaces per dynamic LAG. For example, 128 LAGs may be assigned 2 interfaces each or 18 LAGs may be assigned 8 interfaces each. NOTE: The N1100-ON/N1500 Series switches support 64 port channels. Commands in this Section...
Default Configuration This command has no default configuration. Command Mode Interface Configuration (Ethernet) mode User Guidelines This command has no user guidelines. Example The following example shows how port gi1/0/5 is configured in port-channel 1 without LACP (static LAG). console(config)# interface gigabitethernet 1/0/5 console(config-if-Gi1/0/5)# channel-group 1 mode on The following example shows how port gi1/0/6 is configured to port-channel 2 with LACP (dynamic LAG).
User Guidelines Port channel numbers range from 1 to 128 for all switches except the N1500 which supports 64 port channels. Example The following example enters the context of port-channel 1. console(config)# interface port-channel 1 console(config-if-po1)# interface range port-channel Use the interface range port-channel command in Global Configuration mode to execute a command on multiple port channels at the same time.
• 6 — Source/destination IP and source/destination TCP/UDP port • 7 — Enhanced hashing mode. This mode is not available on Dell EMC Networking N1100-ON/N1500 Series switches. Default Configuration The default hashing mode is 7—Enhanced hashing mode. On Dell EMC Networking N1100-ON/N1500 Series switches, the default hashing mode is 5.
User Guidelines
Enhanced hashing mode is recommended; however, depending on the specific traffic patterns present in the network, a different hashing mode may give better bandwidth distribution across the LAG member links. Use the show interfaces utilization command to view link utilization.
Example
console(config)#interface port-channel 1
console(config-if-po1)#hashing-mode 4...
The port priority of each port is a four octet binary number, formed by using the configured port priority as the two most significant octets and the port number as the two least significant octets. For any given set of ports, the port with the numerically lower value of port priority has the higher priority.
User Guidelines Per IEEE 802.1AX-2008 Section 5.6, ports are selected for aggregation by each switch based upon the port priority assigned by the switch with the higher system priority, starting with the highest priority port of the switch with the higher switch priority, and working downward through the ordered list of port priority values for the ports.
Command Mode Interface Configuration (Ethernet) mode Interface Range mode User Guidelines The LACP time-out setting indicates a local preference for the rate of LACPDU transmission and the period of time before invalidating received LACPDU information. This setting is negotiated with the link partner. Long time-outs are 90 seconds with a transmission rate of once every 30 seconds.
User Guidelines For a LAG that contains links distributed across stacking units, the default behavior is to distribute locally received ingress traffic across all LAG links in the stack per the selected hashing algorithm. When enabled, this command disables forwarding of ingress unicast traffic across stacking links for a LAG that is comprised of links on multiple stack units.
Default Configuration The default minimum links is 1. Command Mode Interface Configuration (port-channel) mode User Guidelines This command has no user guidelines. Example console(config)#interface port-channel 1 console(config-if-Po1)#port-channel min-links 3 console(config-if-Po1)#no port-channel min-links show interfaces port-channel Use the show interfaces port-channel command to show port-channel information.
Parameter Description Channel Number of the port channel to show. This parameter is optional. If the port channel number is not given, all the channel groups are displayed. (Range: Valid port-channel number, 1 to 48). • Ports—The ports that are members of the port-channel. •...
Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example shows how to display LACP Ethernet interface information. console#show lacp gi1/0/1 port Gi1/0/1 LACP parameters: Actor:...
LACP PDUs send: LACP PDUs received: show statistics port-channel Use the show statistics port-channel command to display statistics about a specific port-channel. Syntax show statistics port-channel port-channel-number Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines.
Packets RX and TX 2048-4095 Octets..... 0
Packets RX and TX 4096-9216 Octets..... 0
Total Packets Received Without Errors..0
Unicast Packets Received....... 0
Multicast Packets Received..... 0
Broadcast Packets Received..... 0
Receive Packets Discarded...... 0
Total Packets Received with MAC Errors..0
Jabbers Received.......
GVRP PDUs Transmitted......0
GVRP Failed Registrations...... 0
GMRP PDUs Received......0
GMRP PDUs Transmitted......0
GMRP Failed Registrations...... 0
BPDUs: Sent: 0, Received: 0
Time since counters last cleared....0 day 6 hr 19 min 42 sec
Layer 2 Switching Commands...
Dell EMC Networking N1100-ON/N1500/N2000/N2100- ON/N3000/N3100-ON/N4000 Series Switches Dell EMC Networking switches allow the user to monitor traffic with an external network analyzer. The external network analyzer can use any of the Ethernet ports as a probe port. The probe port transmits a mirror copy of the traffic being probed.
• Once configured, there is no network connectivity on the probe (destination) port. The probe port does not forward any traffic and does not receive any traffic. The probe tool attached to the probe port is unable to ping the networking device or ping through the networking device, and no device is able to ping the probe tool.
The in memory buffer is 128 packets. The file system buffer is 524288 bytes and is named cpuPktCapture.pcap. The remote monitor capture port is 2002.
Command Modes
Global Configuration mode
User Guidelines
Packets that are transmitted or received by the switch CPU may be captured to the switch file system, to local memory, or sent to a Wireshark client.
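Offline triage of a file-mode capture, as an added example that is not part of the Dell guide: it reads a classic pcap file such as cpuPktCapture.pcap after it has been copied to an analysis host, tallies the control-plane protocols seen by the CPU, and lists any protocol outside an expected set. The expected set, the sample frames and the sample's 128-byte snap length are constructed assumptions.

```python
import struct
from collections import Counter

# Classic pcap magic numbers (microsecond and nanosecond variants) -> struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
              0x8809: "Slow protocols (LACP)", 0x888E: "802.1X EAPOL",
              0x88CC: "LLDP", 0x9000: "Loopback (CTP)"}

# Assumption: protocols this site expects to reach the switch CPU; tune per network.
EXPECTED = frozenset({"IPv4", "IPv6", "ARP", "LLDP", "STP (LLC)",
                      "Slow protocols (LACP)"})


def read_pcap(data):
    """Return (snaplen, [(ts_sec, original_length, captured_bytes), ...])."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    _, _, _, _, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError("link type %d is not Ethernet" % linktype)
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # last record cut short, e.g. the capture buffer filled mid-write
        frames.append((ts_sec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, frames


def classify(frame):
    """Name the protocol of one Ethernet frame from its type/length field."""
    if len(frame) < 14:
        return "runt"
    off = 12
    (etype,) = struct.unpack("!H", frame[off:off + 2])
    if etype == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q tag
        off = 16
        (etype,) = struct.unpack("!H", frame[off:off + 2])
    if etype < 0x0600:  # 802.3 length field: an LLC header follows
        is_stp = frame[off + 2:off + 4] == b"\x42\x42"  # DSAP/SSAP of spanning tree
        return "STP (LLC)" if is_stp else "802.3/LLC other"
    return ETHERTYPES.get(etype, "0x%04x" % etype)


def summarize(data, expected=EXPECTED):
    """Tally protocols, count truncated frames, list protocols not in `expected`."""
    _, frames = read_pcap(data)
    counts = Counter(classify(f) for _, _, f in frames)
    return {
        "frames": len(frames),
        "by_protocol": dict(counts),
        "truncated": sum(1 for _, orig, f in frames if orig > len(f)),
        "unexpected": sorted(set(counts) - set(expected)),
    }


def build_sample_pcap():
    """Constructed capture: six frames, one truncated, one unknown EtherType."""
    def frame(etype, payload=b"", size=60):
        hdr = (b"\x01\x80\xc2\x00\x00\x0e" + b"\x02\x00\x00\x00\x00\x01"
               + struct.pack("!H", etype))
        return (hdr + payload).ljust(size, b"\x00")

    frames = [
        (frame(0x88CC), 60),                                        # LLDP
        (frame(0x0806), 60),                                        # ARP
        (frame(0x0026, b"\x42\x42\x03"), 60),                       # STP BPDU over LLC
        (frame(0x0800, size=128), 1500),                            # IPv4, truncated
        (frame(0x88B5), 60),                                        # unknown EtherType
        (frame(0x8100, b"\x00\x0a" + struct.pack("!H", 0x0806)), 60),  # tagged ARP
    ]
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 128, 1)
    for i, (f, orig) in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), orig) + f
    return out


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

To run it on a real capture, pass the file's bytes to `summarize()` and adjust `EXPECTED` to the protocols the switch is configured to run.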
monitor capture (Privileged Exec) Use the monitor capture command to capture packets transmitted or received from the CPU. This facility captures switch control plane traffic and is useful in monitoring network control traffic and analyzing network security. Remote packet capture is not supported when the packets are received via Service Port.
Syntax
monitor capture mode {line | remote | file}
no monitor capture mode
• line—Captured packets are sent to the console.
• remote—Captured packets are sent to a remote Wireshark network analyzer.
• file—Captured packets are sent to the file system.
...
• The time when packet passed through CPU. • The first 128 bytes of packet. • The length of full packet (if greater than 128 bytes). The in-memory capture buffer can be configured to stop when full. This mode is configured with the command no monitor capture line wrap. Capturing packets is started by the monitor capture start command.
If capturing is in progress and more than 128 packets are captured and the user configures no monitor capture line wrap mode, capturing is stopped automatically. No packets are lost when capturing is in progress. All captured packets can be displayed. Packets that have been captured but not yet displayed are not lost.
Remote capture can be enabled or disabled using the CLI. The network operator should obtain a computer with the Wireshark tool to display the captured traffic. When using remote capture mode, the switch doesn’t store any captured data locally. The local TCP port number can be configured for connecting Wireshark to the switch.
Example
This example sends capture output to the console.
console(config)#monitor capture line
console(config)#exit
console#monitor capture start all
monitor session
Use the monitor session command in Global Configuration mode to configure the source and destination for mirroring. Packets are copied from the source to the destination.
Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. The Dell EMC Networking N1100-ON and N1500 Series switches support a single unidirectional or bidirectional session. Each session supports multiple sources. However, the destination interface for a session may not overlap with other sessions. The internal CPU port cannot be configured as an RSPAN source.
• Up to 4 sessions with egress (TX) traffic mirroring may be active. • Up to 2 sessions with both (RX and TX) traffic mirroring may be active. • Any other combination of up to 4 total ingress or egress mirroring may be active.
ports, and be members of the RSPAN VLAN. Do not assign other ports to the RSPAN VLANs (for example, trunk ports that are not reflector ports). Additionally, reflector ports may not be port channels. Monitored traffic is encapsulated in the RSPAN VLAN on the reflector port on the source switch.
the implicit deny all). If configuring an egress ACL on the destination port, care must be taken with the ACL numbering to ensure the mirrored traffic is properly processed. Bidirectional mirroring of multiple ports in a network may result in duplicate packets transmitted on the probe port (one copy for the receive side and another copy for the transmit side).
console(config)#monitor session 1 destination remote vlan 723 reflector-port Te1/0/1
console(config)#monitor session 1 mode
console(config)#show monitor session 1
Session Admin mode : Enabled
Type : Remote source session
Source ports
Both : Gi1/0/48
Destination port : Te1/0/1
Destination RSPAN VLAN : 723
This example shows how to configure a destination switch using VLAN 723 as the source RSPAN VLAN interface Te1/0/1 and Gi1/0/10 as the destination interface.
Syntax remote-span no remote-span Default Configuration There is no default configuration for this command. Command Modes VLAN Configuration mode. User Guidelines Remote-span VLANs must be configured as a tagged VLAN on trunk or general mode ports on RSPAN transit switches. Traffic in an RSPAN VLAN is always flooded as MAC address learning and link local protocols are disabled on RSPAN VLANs.
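Because traffic in an RSPAN VLAN is always flooded, every port that is a member of that VLAN receives the mirrored traffic. The following added example (not from the Dell guide) audits a source switch's configuration text for the two rules stated above: only reflector ports may be members of an RSPAN VLAN, and a reflector port may not be a port channel. The sample configuration is constructed, general-mode ports are not evaluated, and two defaults are assumptions: ports are access ports in VLAN 1 unless configured otherwise, and a trunk with no allowed-VLAN list carries VLANs 1-4093.

```python
import re

# Assumption: a trunk port with no "allowed vlan" statement carries every VLAN.
ALL_VLANS = frozenset(range(1, 4094))


def parse_vlan_list(text):
    """Expand a list such as '1-99,101-4093' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(config):
    """Collect RSPAN VLANs, reflector ports and switchport settings."""
    rspan_vlans, reflectors, ports = set(), {}, {}
    vlan_ctx, if_ctx = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "exit":
            vlan_ctx, if_ctx = set(), None
        elif m := re.fullmatch(r"vlan ([\d,\-]+)", line):
            vlan_ctx, if_ctx = parse_vlan_list(m.group(1)), None
        elif line == "remote-span" and vlan_ctx:
            rspan_vlans |= vlan_ctx
        elif m := re.fullmatch(r"interface (.+)", line):
            name, vlan_ctx = m.group(1).replace(" ", ""), set()
            if name.lower().startswith("vlan"):
                if_ctx = None  # routed VLAN interface, not a switchport
            else:
                if_ctx = name
                # Assumed defaults: access mode, VLAN 1.
                ports[name] = {"mode": "access", "access": 1, "allowed": set(ALL_VLANS)}
        elif if_ctx and (m := re.fullmatch(r"switchport mode (\S+)", line)):
            ports[if_ctx]["mode"] = m.group(1)
        elif if_ctx and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            ports[if_ctx]["access"] = int(m.group(1))
        elif if_ctx and (m := re.fullmatch(
                r"switchport trunk allowed vlan (add )?([\d,\-]+)", line)):
            new = parse_vlan_list(m.group(2))
            current = ports[if_ctx]["allowed"]
            ports[if_ctx]["allowed"] = current | new if m.group(1) else new
        elif m := re.fullmatch(
                r"monitor session \d+ destination remote vlan (\d+) reflector-port (\S+)",
                line):
            reflectors.setdefault(int(m.group(1)), set()).add(m.group(2).lower())
    return rspan_vlans, reflectors, ports


def audit_rspan_source(config):
    """Return (vlan, interface, reason) findings for an RSPAN source switch."""
    rspan_vlans, reflectors, ports = parse_config(config)
    findings = []
    for vlan in sorted(rspan_vlans):
        allowed_ports = reflectors.get(vlan, set())
        for name in sorted(allowed_ports):
            if name.startswith("po"):
                findings.append((vlan, name, "reflector port is a port channel"))
        for name, p in sorted(ports.items()):
            member = ((p["mode"] == "trunk" and vlan in p["allowed"])
                      or (p["mode"] == "access" and p["access"] == vlan))
            if member and name.lower() not in allowed_ports:
                findings.append((vlan, name, "non-reflector port carries RSPAN VLAN"))
    return findings


# Constructed configuration text for illustration.
SAMPLE_CONFIG = """
vlan 723
remote-span
exit
interface Gi1/0/48
switchport access vlan 10
exit
interface Te1/0/1
switchport mode trunk
switchport trunk allowed vlan 723
exit
interface Te1/0/2
switchport mode trunk
exit
interface Gi1/0/24
switchport mode trunk
switchport trunk allowed vlan 1-99,101-4093
exit
interface Gi1/0/5
switchport mode trunk
switchport trunk allowed vlan 10
switchport trunk allowed vlan add 99
exit
monitor session 1 destination remote vlan 723 reflector-port Te1/0/1
monitor session 1 mode
"""

if __name__ == "__main__":
    for finding in audit_rspan_source(SAMPLE_CONFIG):
        print(finding)
```

On transit switches, trunk ports legitimately carry the RSPAN VLAN, so run this check against source-switch configurations only.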
Command Modes
Privileged Exec mode (all SHOW modes)
User Guidelines
This command has no user guidelines.
Example
console#show monitor capture
Operational Status......Enabled
Current Capturing Type......Line
Capturing Traffic Mode......Tx/Rx
Line Wrap Mode......... Disabled
RPCAP Listening Port......2002
RPCAP dump file size (KB)...... 45
console#show monitor capture packets
Gi1/0/1 Length = 94...
console(config)#show monitor session 1 Session Admin mode : Disabled Type : Local session Source ports Both : Te1/0/10 Destination ports : Te2/0/20 IP access-group : a1 The following example shows the detailed status of the port based mirroring session that is constrained to a local switch. console(config)#show monitor session 1 detail Session Admin mode...
The following example shows the detailed status of a VLAN session on the destination switch, where the session spans multiple switches.
console# show monitor session 1 detail
Session Type : Remote Destination Session
Source Ports
RX Only : None
TX Only : None
Both : None...
Access Control Lists The Dell EMC Networking ACL feature allows classification of packets based upon Layer 2 through Layer 4 header information. An Ethernet IPv6 packet is distinguished from an IPv4 packet by its unique Ether-type value; thus, all IPv4 and IPv6 classifiers include the Ether-type field.
Class of Service (CoS) The Dell EMC Networking CoS Queuing feature allows the user to directly configure device queuing and, therefore, provide the desired QoS behavior without the complexities of DiffServ. The CoS feature allows the user to determine the following queue behavior: •...
CoS mapping tables, port default priority, and hardware queue parameters may be configured on LAG interfaces as well as physical port interfaces. Queue Mapping The priority of a packet arriving at an interface is used to steer the packet to the appropriate outbound CoS queue through a mapping table.
DiffServ Standard IP-based networks are designed to provide “best effort” data delivery service. Best effort service implies that the network delivers the data in a timely fashion, although there is no guarantee that it will meet the latency or bandwidth requirements. During times of congestion, packets may be delayed, sent sporadically, or dropped.
classofservice trust     match dstip6      police-simple              show diffserv service brief
conform-color            match dstl4port   police-single-rate         show interfaces cos-queue
cos-queue min-bandwidth  match ethertype   police-two-rate            show interfaces random-detect
cos-queue random-detect  match ip6flowlbl  policy-map                 show policy-map
cos-queue strict         match ip dscp     random-detect queue-parms  show policy-map interface...
The command mode is changed to Policy-Class-Map Configuration when this command is executed successfully.
Example
The following example shows how to specify the DiffServ class name of “DELL.”
console(config)#class-map match-all DELL
console(config-classmap)#exit
console(config)#policy-map DELL1 in
console(config-policy-map)#class DELL
The match-all parameter indicates that all of the match criteria configured in the class map must be met for the packet to be processed by the class map. Example The following example creates a class-map named “DELL” which requires all ACE’s to be matched. console(config)#class-map DELL...
User Guidelines
This command has no user guidelines.
Example
The following example displays how to change the name of a DiffServ class from “DELL” to “DELL1.”
console(config)#class-map rename DELL DELL1
console(config)#
classofservice dot1p-mapping
Use the classofservice dot1p-mapping command in Global Configuration mode to map an IEEE 802.1p user priority to an internal traffic class.
Default Configuration The default 802.1p mapping is as follows: User Priority Traffic Class Command Mode Global Configuration or Interface Configuration (Ethernet, Port-channel) mode User Guidelines None Example The following example globally configures a mapping for user priority 1 and traffic class 2. If trust mode is enabled for 802.1p (classofservice trust dot1p), packets received on any interface marked with IEEE 802.1p priority 1 will be assigned to internal CoS queue 2.
Syntax classofservice ip-dscp-mapping ipdscp trafficclass no classofservice ip-dscp-mapping • ipdscp—Specifies the IP DSCP value which is to be mapped to the specified traffic class. (Range: 0–63 or an IP DSCP keyword – af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, be, cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef).
IP DSCP Traffic Class (queue-id) 46(ef) 48(cs6) 56(cs7) Command Mode Global Configuration mode User Guidelines The switch may be configured to trust either DSCP or CoS values, but not both. Setting the trust mode does not affect ACL packet matching, e.g. it is still possible to use an ACL that matches on a received CoS value and assigns the packet to a queue even when DSCP is trusted.
Example
The following example globally configures the mapping for IP DSCP 1 to traffic class 2. If trust mode is enabled for DSCP (classofservice trust ip-dscp), packets received on any interface marked with DSCP 1 will be assigned to internal CoS queue 2.
console(config)#classofservice ip-dscp-mapping 1 2
classofservice trust
Use the classofservice trust command in either Global Configuration mode...
Examples
The following example sets the class of service trust mode of all interfaces to trust 802.1p packet markings.
console(config)#classofservice trust dot1p
The following example displays how to set the class of service trust mode of all interfaces to trust IP DSCP packet markings.
console(config)#classofservice trust ip-dscp
conform-color
Use the conform-color command in Policy-Class-Map Configuration mode...
Color conforming classes must be one of the following types: • Primary COS • Secondary COS • DSCP • IP Precedence This includes both the input and color aware classes. The conform color class may not be the same as the input class, nor may the match criteria be of the same type.
cos-queue min-bandwidth Use the cos-queue min-bandwidth command in either Global Configuration mode or Interface Configuration mode to specify the minimum transmission bandwidth for each interface queue. To restore the default for each queue’s minimum bandwidth value, use the no form of this command. Syntax cos-queue min-bandwidth bw-0 bw-1 …...
When ETS is operational on an N4000 series switch, this command overrides the ETS assignments and assigns minimum bandwidth constraints across traffic class groups. This allows the administrator to ensure that the frame scheduler does not completely starve lower priority groups when strict priority is enabled on a high numbered TCG.
Default Configuration WRED queue management policy is disabled by default. Tail-drop queue management policy is enabled by default. The threshold for invoking tail- drop behavior when WRED is disabled is approximately 1/2 of the remaining free packet buffer in the switch. Command Mode Interface Configuration (physical or port-channel) mode, Interface Range mode, or Global Configuration mode...
Simple RED may be enabled/disabled for any CoS queue on the Dell EMC Networking N1500 Series switches, however, the drop probability must be one of the values given below. The percentage before the dash indicates the actual drop probability. The number after the dash indicates the value entered in the drop-prob-scale parameter.
cos-queue strict Use the cos-queue strict command in either Global Configuration mode or Interface Configuration mode to activate the strict priority scheduler mode for the specified queue. To restore the default weighted scheduler mode for each specified queue, use the no form of this command. Syntax cos-queue strict {queue-id-1} [{queue-id-2} …...
bandwidth on other queues, ensure that the total of the minimum bandwidths is less than 100% to allow the scheduler to handle bursts of traffic.
Example
The following example displays how to activate the strict priority scheduler mode for two queues.
console(config)#cos-queue strict 1 2
The following example displays how to activate the strict priority scheduler mode for three queues (1, 2, and 4) and reserves a minimal amount of...
Example
The following example displays how to set the DiffServ operational mode to active.
console(Config)#diffserv
drop
Use the drop command in Policy-Class-Map Configuration mode to specify that all packets for the associated traffic stream are to be dropped at ingress.
This command is not available on the N1500 Series switches.
Syntax
mark cos cos-value
• cos-value — Specifies the CoS value as an integer. (Range: 0–7)
Default Configuration
There is no default cos-value for this command. Packets are not remarked by default.
Command Mode
Policy-Class-Map Configuration mode
User Guidelines
Received frames are assigned to an internal CoS queue on ingress depending on configuration such as whether the ingress port is trusted for CoS, DSCP or IP precedence value and its mapping onto an internal CoS queue.
Default Configuration
This command has no default configuration.
Command Mode
Policy-Class-Map Configuration mode
User Guidelines
Received frames are assigned to a CoS queue on ingress depending on configuration such as whether the ingress port is trusted for CoS, DSCP or IP precedence value and its mapping onto an internal CoS queue.
Example
The following example adds match conditions defined for the Dell class to the class currently being configured.
console(config-classmap)#match class-map Dell
The following example deletes the match conditions defined for the Dell class from the class currently being configured.
Syntax
match cos
• cos-value — Specifies the CoS value as an integer (Range: 0–7)
Default Configuration
This command has no default configuration.
Command Mode
Class-Map Configuration mode
User Guidelines
This command has no user guidelines.
Example
The following example displays adding a match condition to the specified class.
Default Configuration
This command has no default configuration.
Command Mode
Class-Map Configuration mode
User Guidelines
This command has no user guidelines.
Example
The following example configures a match condition for the specified MAC address and bit mask.
console(config-classmap)#match destination-address mac AA:ED:DB:21:11:06 FF:FF:FF:EF:EE:EE
match dstip
Use the match dstip command in Class-Map Configuration mode to add a...
User Guidelines
This command has no user guidelines.
Example
The following example displays adding a match condition using the specified IP address and bit mask.
console(config-classmap)#match dstip 10.240.1.1 255.255.255.1
match dstip6
The match dstip6 command adds a match condition based on the destination IPv6 address of a packet.
match dstl4port
Use the match dstl4port command in Class-Map Configuration mode to add a match condition based on the destination layer 4 port of a packet using a single keyword or a numeric notation.
NOTE: This command is not available on the N1500 Series switches.
Syntax
match dstl4port {portkey | port-number}...
Syntax
match ethertype {keyword | 0x0600-0xffff}
• keyword — Specifies either a valid keyword or a valid hexadecimal number. The supported keywords are appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp. (Range: 0x0600–0xFFFF)
Default Configuration
This command has no default configuration.
Command Mode
Ipv6-Class-Map Configuration mode.
User Guidelines
There are no user guidelines for this command.
Example
The following example adds a rule to match packets whose IPv6 Flow Label equals 32312.
console(config-classmap)#match ip6flowlbl 32312
match ip dscp
Use the match ip dscp command in Class-Map Configuration mode to add to the specified class definition a match condition based on the value of the IP DiffServ Code Point (DSCP) field in a packet.
The ip dscp, ip precedence, and ip tos match conditions are alternative ways to specify a match criterion for the same Service Type field in the IP header but with a slightly different user notation. To specify a match on all DSCP values, use the match ip tos tosbits tosmask command with tosbits set to “0”...
To specify a match on all precedence values, use the match ip tos tosbits tosmask command with tosbits set to “0” (zero) and tosmask set to hex “1F.” Example The following example displays adding a match condition based on the value of the IP precedence field.
This specification is the free form version of the IP DSCP/Precedence/TOS match specification in that you have complete control of specifying which bits of the IP Service Type field are checked. Example The following example displays adding a match condition based on the value of the IP TOS field in a packet.
Example
The following example displays adding a match condition based on the “ip” protocol name keyword.
console(config-classmap)#match protocol ip
match source-address mac
Use the match source-address mac command in Class-Map Configuration mode to add to the specified class definition a match condition based on the source MAC address of the packet.
match srcip
Use the match srcip command in Class-Map Configuration mode to add to the specified class definition a match condition based on the source IP address of a packet.
NOTE: This command is not available on the N1500 Series switches.
Syntax
match srcip ipaddr ipmask...
Syntax
match srcip6 source-ipv6-prefix/prefix-length
• source-ipv6-prefix — IPv6 prefix in IPv6 global address format.
• prefix-length — IPv6 prefix length value.
Default Configuration
There is no default configuration for this command.
Command Mode
Ipv6-Class-Map Configuration mode.
User Guidelines
There are no user guidelines for this command.
Example
console(config-classmap)#match srcip6 2001:DB8::0/32
match srcl4port...
Command Mode
Class-Map Configuration mode
User Guidelines
Only one srcl4port matching criteria can be specified. To remove the matching criteria, delete the class map.
Example
The following example displays how to add a match condition using the “snmp” port name keyword.
console(config-classmap)#match srcl4port snmp
match vlan
Use the match vlan command in Class-Map Configuration mode to add to...
Example
The following example displays adding a match condition for the VLAN ID “2.”
console(config-classmap)#match vlan 2
mirror
Use the mirror command in Policy-Class-Map Configuration mode to mirror all the data that matches the class defined to the destination port specified.
This command is not available on the N1500 Series switches.
Syntax
police-simple {datarate burstsize conform-action {drop | set-prec-transmit cos | set-dscp-transmit dscpval | transmit} [violate-action {drop | set-cos transmit cos | set-prec-transmit cos | set-dscp-transmit dscpval | transmit}]}
• datarate — Data rate in kilobits per second (Kbps). (Range: 1–4294967295)
•...
User Guidelines The simple form of the police command uses a single data rate and burst size, resulting in two outcomes: conform and violate. Conforming packets are colored green and non-conforming packets are colored red for use by the WRED mechanism. Only one style of police command (simple, single-rate or two-rate) is allowed for a given class instance in a particular policy.
– set-dscp-transmit dscp-val: Remark the DSCP in the packet to dscp-val and transmit. (Range 0-63)
– set-cos-transmit 802.1p-priority: Remark the 802.1p priority in the packet to 802.1p-priority and transmit. (Range 0-7)
– transmit: Transmit the packet unmodified.
Default Configuration
There is no default configuration for this command.
Syntax
police-two-rate datarate burstsize peak-data-rate excess-burstsize conform-action action exceed-action action violate-action action
• datarate — Data rate in kilobits per second (Kbps). (Range: 1–4294967295)
• burstsize — Burst size in Kbytes (Range: 1–128)
• peak-data-rate — Peak data rate in kilobits per second (Kbps). (Range 1-4294967295)
•...
Peak Burst Size (PBS)
A packet is colored red if it exceeds the PIR, yellow if it exceeds the CIR, but not the PIR, and green if it does not exceed either. A trTCM is useful when a peak rate needs to be enforced separately from a committed rate. The CIR and PIR are measured in Kbps (not pps as indicated in the RFC), the CBS in Kbytes, and the PBS in Kbytes.
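The coloring rule above, worked through as a two-rate three-color marker in color-blind mode with the guide's units (Kbps and Kbytes). This is an added example, not code from the guide or the switch firmware; the class and function names, the 1 Kbyte = 1024 bytes conversion, and the sample rates and packet sizes are assumptions.

```python
"""Two-rate three-color marker (trTCM), color-blind mode, in the guide's units."""

KBYTE = 1024                  # assumption: the guide does not say 1000 or 1024 bytes
BYTES_PER_SEC_PER_KBPS = 125  # 1 Kbps = 1000 bits/s = 125 bytes/s


class TwoRateMarker:
    """Token buckets Tc (committed) and Tp (peak), both full at start."""

    def __init__(self, cir_kbps, cbs_kbytes, pir_kbps, pbs_kbytes):
        # Arguments follow the police-two-rate order:
        # datarate, burstsize, peak-data-rate, excess-burstsize.
        if pir_kbps < cir_kbps:
            raise ValueError("peak rate must be at least the committed rate")
        self.cir = cir_kbps * BYTES_PER_SEC_PER_KBPS
        self.pir = pir_kbps * BYTES_PER_SEC_PER_KBPS
        self.cbs = cbs_kbytes * KBYTE
        self.pbs = pbs_kbytes * KBYTE
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)
        self.last = 0.0

    def color(self, now, size_bytes):
        """Return 'green', 'yellow' or 'red' for a packet arriving at `now` seconds."""
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("arrival times must not go backwards")
        self.last = now
        # Refill both buckets for the elapsed time, capped at the burst sizes.
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if self.tp < size_bytes:
            return "red"              # exceeds the PIR: no tokens are consumed
        self.tp -= size_bytes
        if self.tc < size_bytes:
            return "yellow"           # within the PIR but exceeds the CIR
        self.tc -= size_bytes
        return "green"                # within both rates


def police(marker, arrivals, actions):
    """Color each (time_seconds, size_bytes) arrival and look up its action."""
    result = []
    for now, size in arrivals:
        color = marker.color(now, size)
        result.append((color, actions[color]))
    return result


def demo():
    # Constructed input: CIR 1000 Kbps, CBS 4 Kbytes, PIR 2000 Kbps, PBS 8 Kbytes,
    # then a burst of ten 1000-byte packets followed by one packet 8 ms later.
    marker = TwoRateMarker(1000, 4, 2000, 8)
    arrivals = [(0.0, 1000)] * 10 + [(0.008, 1000)]
    actions = {
        "green": "transmit",            # conform-action
        "yellow": "set-dscp-transmit",  # exceed-action
        "red": "drop",                  # violate-action
    }
    return police(marker, arrivals, actions)


if __name__ == "__main__":
    for color, action in demo():
        print(f"{color:6} -> {action}")
```

The burst drains the committed bucket after four packets and the peak bucket after eight, so the last two packets of the burst are red; 8 ms of refill is enough for the next packet to be green again.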
Example
The following example shows how to establish a new ingress DiffServ policy named “DELL.”
console(config)#policy-map DELL in
console(config-policy-classmap)#
random-detect queue-parms
Use the random-detect queue-parms command to configure the WRED green, yellow, and red TCP and non-TCP packet minimum and maximum drop thresholds and corresponding drop probabilities on an interface or globally.
• queue-id—The internal class of service queue (range 0-6). The queue-id is not the same as the CoS value received in incoming packets. Use the show classofservice dot1p-mapping command to display the CoS value to internal CoS queue mapping.
• min-thresh—The minimum threshold at which to begin dropping, based on the configured maximum drop probability for each color and for non-TCP packets.
Queue ID WRED Minimum WRED Maximum WRED Drop ECN Enabled Threshold Threshold Probability Scale 40/30/20/100 100/ 90/ 80/100 10/ 10/ 10/ 10 40/30/20/100 100/ 90/ 80/100 10/ 10/ 10/ 10 Command Mode Global Configuration mode, Interface Configuration mode (physical and port-channel), Interface Range mode User Guidelines Interface configuration overrides the global configuration.
For the Dell EMC Networking N2000/N3000 Series switches, a threshold of 100% corresponds to a buffer occupancy of 295428 bytes queued for transmission on an interface. For the N4000 Series switch, a threshold of 100% corresponds to a buffer occupancy of 666757 bytes queued for transmission on an interface.
ECN capability is supported. Simple RED may be enabled or disabled for any CoS queue on the Dell EMC Networking N1500 Series switches; however, the drop probability must be one of the values given below. The percentage before the dash indicates the actual drop probability.
100%: 100
Examples
This example configures simple RED on an N1500 series switch. CoS queue 1 is globally configured for simple RED with a congestion threshold of 50% and a drop probability of 0.781% for green colored traffic.
console(config)# random-detect queue-parms 1 min-thresh 50 0 0 drop-prob-scale 8 0 0
console(config)#cos-queue random-detect 1...
size to 1/2 the difference between the previous size and the current instantaneous queue size, set the weighting constant to 1. To update the current queue size to 1/4 the difference between the previous size and the current instantaneous queue size, set the weighting constant to 2, ... The average queue size is calculated for each physical interface independently.
service-policy
Use the service-policy command in either Global Configuration mode (for all system interfaces) or Interface Configuration mode (for a specific interface) to attach a policy to an interface. To return to the system default, use the no form of this command.
This command is not available on the N1500 Series switches.
The policy appears in the running-config as part of the individual interface configuration.
Example
The following example shows how to attach a service policy named “DELL” to all interfaces for packets ingressing the switch.
console(config)#service-policy in DELL
show class-map
Use the show class-map command to display all configuration information for the specified class.
Class Name Type Proto Reference Class Name ------------------------------- ----- ----- ----------------------------- ipv4 ipv4 ipv6 ipv6 stop_http_class ipv6 match_icmp6 ipv6 console#show class-map ipv4 Class Name........ipv4 Class Type........All Class Layer3 Protocol......ipv4 Match Criteria Values ---------------------------- ------------------------------------- Source IP Address 2.2.2.2 (255.255.255.0) console#show class-map stop_http_class Class Name........
Default Configuration
By default, interfaces are configured to trust the IEEE 802.1p value in received packets and utilize the dot1p-mapping to assign packets to CoS queues.
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes
User Guidelines
If the interface is specified, the IEEE 802.1p mapping table of the interface is displayed.
show classofservice ip-dscp-mapping
Use the show classofservice ip-dscp-mapping command to display the current IP DSCP mapping to internal traffic classes for a specific interface.
Syntax
show classofservice ip-dscp-mapping
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes
User Guidelines
This command has no user guidelines.
show classofservice trust
Use the show classofservice trust command to display the current trust mode setting for a specific interface.
Syntax
show classofservice trust [{gigabitethernet unit/slot/port| port-channel port-channel-number | tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port}]
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes...
Syntax
show diffserv
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes
User Guidelines
This command has no user guidelines.
Example
The following example displays the DiffServ information.
console#show diffserv
DiffServ Admin mode......
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec, Global Configuration mode and all Configuration submodes
User Guidelines
This command has no user guidelines.
Example
console#show diffserv service interface gigabitethernet 1/0/1 in
DiffServ Admin Mode......Enable
Interface........Gi1/0/1
Direction........
The following example shows how to display all interfaces in the system to which a DiffServ policy has been attached. console(config)#show diffserv service brief DiffServ Admin Mode......Enable Interface Direction OperStatus Policy Name ----------- ----------- ---------- ------------------------------- Po47 Down DELL Gi1/0/1 Down DELL Po48 Down DELL Gi1/0/2 Down DELL show interfaces cos-queue Use the show interfaces cos-queue command to display the class-of-service queue configuration for the specified interface.
console#show interfaces cos-queue Global Configuration Interface Shaping Rate......0 Queue Id Min. Bandwidth Scheduler Type Queue Management Type -------- -------------- -------------- -------------- Weighted Tail Drop Weighted Tail Drop Weighted Tail Drop Weighted Tail Drop Weighted Tail Drop Weighted Tail Drop Weighted Tail Drop This example displays the COS configuration for the specified interface...
Parameter Description Queue Mgmt Type The queue depth management technique used for all queues on this interface. Queue An interface supports n queues numbered 0 to (n-1). The specific n value is platform-dependent. Internal egress queue of the interface; queues 0–6 are available.
User Guidelines This command displays the globally configured policy if no interface parameter is given. If an interface parameter is given, it displays the configured interface policy. The per CoS queue display for an interface displays the minimum and maximum thresholds, drop probability, and ECN capability per TCP packet color in the order: green, yellow, red, and non-TCP.
Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example displays the DiffServ information. console#show policy-map Policy Name Policy Type Class Members ----------- ----------- ------------- POLY1 DellClass DELL DellClass Layer 2 Switching Commands...
The following example displays the statistics information for port te1/0/1. console#show policy-map interface te1/0/1 in Interface........Te1/0/1 Operational Status......Down Policy Name........DELL Interface Summary: Class Name........Dell EMC Networking In Offered Packets......1003 In Discarded Packets......11 Layer 2 Switching Commands...
This command has no user guidelines. Example The following example displays a summary of policy-oriented statistics information. console#show service-policy in Oper Policy Intf Stat Name ------ ----- ------------------------------- Gi1/0/1 Down DELL Gi1/0/2 Down DELL Gi1/0/3 Down DELL Gi1/0/4 Down DELL Gi1/0/5 Down DELL...
traffic-shape
Use the traffic-shape command in Global Configuration mode and Interface Configuration mode to specify the maximum transmission bandwidth limit for the interface as a whole. To restore the default interface shaping rate value, use the no form of this command.
Syntax
traffic-shape bw kbps
no traffic-shape...
vlan priority
Use the vlan priority command to assign a default VLAN priority tag for untagged frames ingressing an interface.
Syntax
vlan priority cos-value
• cos-value – A value ranging from 0-7.
Default Configuration
By default, untagged frames are processed with VLAN priority 0. The VLAN priority is mapped to a class of service value which determines the handling of the frame.
Management of MSTP is compliant with the requirements of RFC5060. The following features are supported by Dell EMC Networking MSTP: STP Loop Guard - The Loop Guard feature is an enhancement of the Multiple Spanning Tree Protocol. Loop guard protects a network from forwarding loops induced by BPDU packet loss.
port. In this way, the root guard enforces the position of the root bridge. In an MSTP scenario, the port may be designated in one of the instances while being alternate in the CIST, and so on. Root guard is a per-port configuration (not a per-port, per-instance command), so the port should not be in the root role in any of the MSTP instances in which it participates.
console#clear spanning-tree detected-protocols gigabitethernet 1/0/1
exit (mst)
Use the exit command in MST mode to exit the MST configuration mode and apply all configuration changes.
Syntax
exit
Default Configuration
MST configuration.
Command Mode
MST mode
User Guidelines
This command has no user guidelines.
Example
The following example shows how to exit the MST configuration mode and save changes.
VLAN mapping, the same configuration revision number, and the same configuration name. Dell EMC Networking MSTP supports mapping of VLANs to MST instances, even though the underlying VLAN may not be defined on the switch. Traffic received on a port for VLANs that are not defined on that port is dropped.
Example
The following example sets the configuration name to “region1”.
console(config)#spanning-tree mst configuration
console(config-mst)#name region1
revision (mst)
Use the revision command in MST mode to identify the configuration revision number. To return to the default setting, use the no form of this command.
show spanning-tree
Use the show spanning-tree command to display the spanning-tree configuration.
Syntax
show spanning-tree [{gigabitethernet unit/slot/port | port-channel port-channel-number | tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port}] [instance instance-id]
show spanning-tree [detail] [active | blockedports] | [instance instance-id]
show spanning-tree mst-configuration
show spanning-tree {uplinkfast | backbonefast}
•...
console#show spanning-tree Spanning Tree: Enabled - BPDU Flooding: Disabled - Portfast BPDU Filtering: Disabled Mode: rstp CST Regional Root: 80:00:00:1E:C9:DE:D4:47 Regional Root Path Cost: ROOT ID Priority 32768 Address 001E.C9DE.D447 This Switch is the Root. Hello Time: 2s Max Age: 20s Forward Delay: 15s Transmit Hold Count: 6s Bridge Max Hops: 20 Interfaces...
This Switch is the Root. Hello Time: 2s Max Age: 20s Forward Delay: 15s Transmit Hold Count: 6s Bridge Max Hops: 20 Number of topology changes: 1 Last Change Occurred: 0d0h3m6s ago Times: Hold: 6, Hello: 2, Max Age: 20, Forward Delay: 15 Port: Gi1/0/1 Enabled State: Forwarding Role: Designated...
Port ID: 128.1 Port Cost: 20000 Root Protection: No Designated Bridge Priority: 32768 Address: 001E.C9DE.D447 Designated Port ID: 128.1 Designated Path Cost: 0 CST Regional Root: 80:00:00:1E:C9:DE:D4:47 CST Port Cost: 0 BPDUs: Sent: 112, Received: 0 Port: Gi1/0/2 Enabled State: Forwarding Role: Designated Port ID: 128.2 Port Cost: 20000...
Name Interface list --------------- ------------------------------------ VLAN0001 Gi1/0/2(fwd) VLAN0002 VLAN0003 VLAN0004 VLAN0005 VLAN0006 VLAN0007 VLAN0008 VLAN0009 VLAN0010 console(config)#show spanning-tree backbonefast Indirectlink rapid convergence is enabled Indirectlink rapid convergence Statistics --------------------- Transitions via indirectlink rapid convergenc.. 0 Inferior BPDUs received (all VLANs).... 7 RLQ request PDUs received (all VLANs)..
--------- -------- --------- --------- ---- ----- -------------- Gi1/0/1 Enabled 128.1 Desg Gi1/0/2 Enabled 128.2 Desg Te1/0/1 Enabled 128.49 Desg Te1/0/2 Enabled 128.50 Bkup ###### MST 1 Vlan Mapped: ROOT ID Priority 32768 Address 001E.C9DE.D447 This Switch is the Root. Hello Time: 2s Max Age: 20s Forward Delay: 15s Interfaces Name State...
Gi1/0/2 Enabled 128.2 20000 Desg Te1/0/1 Enabled 128.49 2000 Desg Te1/0/2 Enabled 128.50 2000 Bkup This example shows spanning-tree configured in rapid-pvst mode. Output is shown for each VLAN that is actively running a spanning tree instance. console(config)#show spanning-tree active Spanning-tree enabled protocol rpvst VLAN RootID...
show spanning-tree summary
Use the show spanning-tree summary command to display spanning tree settings and parameters for the switch.
Syntax
show spanning-tree summary
Default Configuration
There is no default configuration for this command.
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes
User Guidelines
The following fields are displayed:...
Configuration Revision Level: Identifier used to identify the configuration currently being used.
Configuration Digest Key: A generated Key used in the exchange of the BPDUs.
Configuration Format Selector: Specifies the version of the configuration format being used in the exchange of BPDUs. The default value is zero.
Default Configuration There is no default configuration for this command. Command Modes Privileged Exec and above User Guidelines There are no user guidelines for this command. Example console(config)#show spanning-tree vlan 2 VLAN Spanning Tree: Enabled Mode: rapid-pvst RootID Priority 32770 Address 001E.C9DE.D447 Cost...
Command Mode
Global Configuration mode
User Guidelines
This command has no user guidelines.
Example
The following example enables spanning-tree functionality.
console(config)#spanning-tree
spanning-tree auto-portfast
Use the spanning-tree auto-portfast command to set the port to auto portfast mode. This enables the port to become a portfast port if it does not see any BPDUs for 3 seconds after a link up event.
console(config-if-4/0/1)#spanning-tree auto-portfast
spanning-tree backbonefast
Use the spanning-tree backbonefast command to enable the detection of indirect link failures and accelerate spanning tree convergence on STP-PV/RSTP-PV configured switches using Indirect Link Rapid Convergence (IRC). IRC accelerates finding an alternative path when an indirect link to the root port goes down.
spanning-tree bpdu flooding
The spanning-tree bpdu flooding command allows flooding of BPDUs received on non-spanning-tree ports to all other non-spanning-tree ports. Use the “no” form of the command to disable flooding.
Syntax
spanning-tree bpdu flooding
no spanning-tree bpdu flooding
Default Configuration
This feature is disabled by default.
BPDU packets to maliciously disrupt the switch and cause network flapping. Dell spanning-tree provides a BPDU guard function against such attacks. If an interface enabled for BPDU guard receives a BPDU packet, the interface is diagnostically disabled and a message is written to the log. The port may be re-enabled using the no shutdown command after disconnecting the offending device from the interface.
User Guidelines Dell EMC Networking spanning tree uses long values for spanning tree costs. The range for path cost for a port is 0-200,000,000. The range for path cost for a VLAN is 1-200,000,000. Use the no form of the command to calculate the cost based on the interface speed.
Example
The following example configures the external path cost to be 8192 for VLANs 12, 13, 24, 25, and 26.
console(config-if-Gi1/0/1)#spanning-tree vlan 12,13,24-26 cost 8192
spanning-tree disable
Use the spanning-tree disable command in Interface Configuration mode to disable spanning-tree on a specific port. To enable spanning-tree on a port, use the no form of this command.
To reset the default forward time, use the no form of this command.
Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
• seconds — Time in seconds. (Range: 4–30)
Default Configuration
The default forwarding-time for IEEE Spanning-tree Protocol (STP) is 15 seconds.
• loop — Enables loop guard
• none — Disables root and loop guard.
Default Configuration
Neither root nor loop guard is enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel) mode.
User Guidelines
There are no user guidelines for this command.
Example
The following example disables spanning-tree guard functionality on Gigabit ethernet interface 4/0/1.
User Guidelines
There are no user guidelines for this command.
Example
The following example enables spanning-tree loopguard functionality on all ports.
console(config)#spanning-tree loopguard default
spanning-tree max-age
Use the spanning-tree max-age command in Global Configuration mode to configure the spanning-tree bridge maximum age. To reset the default maximum age, use the no form of this command.
console(config)#spanning-tree max-age 10
spanning-tree max-hops
Use the spanning-tree max-hops command to set the MSTP Max Hops parameter to a new value for the common and internal spanning tree. Use the “no” form of this command to reset the Max Hops to the default.
Syntax
spanning-tree max-hops hops
no spanning-tree max-hops...
• mst — Multiple Spanning Tree Protocol (MSTP) is enabled.
• pvst — Spanning-tree operates in STP-PV mode.
• rapid-pvst — Spanning-tree operates in RSTP-PV mode.
Default Configuration
Rapid Spanning Tree Protocol (RSTP) is enabled.
Command Mode
Global Configuration mode
User Guidelines
In RSTP mode, the switch uses STP when the neighbor switch is using STP.
When the mode is changed to rapid-pvst, version 0 STP BPDUs are no longer transmitted and version 2 RSTP-PV BPDUs that carry per-VLAN information are transmitted on the VLANs enabled for spanning-tree. If a version 0 BPDU is seen, RSTP-PV reverts to sending version 0 BPDUs. RSTP-PV embeds support for STP-PV Indirect Link Rapid Convergence and Direct Link Rapid Convergence.
console (config-mst)#name region1
console (config-mst)#revision 1
spanning-tree mst cost
Use the spanning-tree mst cost command in Interface Configuration mode to configure the internal path cost for multiple spanning tree (MST) calculations. If a loop occurs, the spanning tree considers path cost when selecting an interface to put in the forwarding state.
Example
The following example configures the MSTP instance 1 path cost for Gigabit Ethernet interface 1/0/9 to 4.
console(config)#interface gigabitethernet 1/0/9
console(config-if-Gi1/0/9)#spanning-tree mst 1 cost 4
spanning-tree mst port-priority
Use the spanning-tree mst port-priority command in Interface Configuration mode to configure port priority. To return to the default port priority, use the no form of this command.
spanning-tree mst priority
Use the spanning-tree mst priority command in Global Configuration mode to set the switch priority for the specified spanning-tree instance. To return to the default setting, use the no form of this command.
Syntax
spanning-tree mst instance-id priority priority
no spanning-tree mst instance-id priority
•...
spanning-tree portfast
Use the spanning-tree portfast command in Interface Configuration mode to enable portfast mode. In portfast mode, the interface is immediately put into the forwarding state upon linkup, without waiting for the timer to expire. To disable portfast mode, use the no form of this command.
Syntax
spanning-tree portfast
no spanning-tree portfast...
spanning-tree portfast bpdufilter default
The spanning-tree portfast bpdufilter default command disables the transmission and reception of BPDUs on portfast enabled ports. Use the “no” form of the command to enable the transmission and receipt of BPDUs.
Syntax
spanning-tree portfast bpdufilter default
no spanning-tree portfast bpdufilter default
Default Configuration
This feature is disabled by default.
console(config)#spanning-tree portfast bpdufilter default
spanning-tree portfast default
Use the spanning-tree portfast default command to enable portfast mode on access ports. Interfaces configured as access mode ports are considered to be edge ports. Use the no form of this command to disable portfast mode on all ports.
spanning-tree port-priority (Interface Configuration)
Use the spanning-tree port-priority command in Interface Configuration mode to configure the priority value of an edge-port or point-to-point interface to allow the operator to select the relative importance of the interface in the selection process for forwarding. Set this value to a lower number to prefer an operationally enabled interface for forwarding of frames.
An edge port is a port with spanning-tree port-fast enabled. A point-to-point link is a link configured as full-duplex. Edge-ports and point-to-point links directly transition to the forwarding state and do not delay for the listening and learning stages of spanning-tree. An edge port that receives a BPDU is no longer considered an edge-port and will utilize the configured port priority value.
Command Mode
Global Configuration mode
User Guidelines
The priority value must be a multiple of 4096. The switch with the lowest priority is the root of the spanning tree. Bridge priority configuration is given preference over root primary/secondary configuration. Root primary/secondary configuration is given preference over DRC configuration.
Example
The following example configures spanning-tree tcnguard on 4/0/1.
console(config-if-4/0/1)#spanning-tree tcnguard
spanning-tree transmit hold-count
Use the spanning-tree transmit hold-count command to set the maximum number of BPDUs that a bridge is allowed to send within a hello time window (2 seconds). Use the no form of this command to reset the hold count to the default value.
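The guard, portfast, BPDU filter, BPDU flooding and tcnguard settings described in the preceding entries can be checked together against a saved configuration. The script below is an added example, not part of the Dell EMC guide: the finding names and the policy they encode are assumptions, the sample configuration is constructed, and the BPDU guard command name does not appear in this excerpt and is treated as an assumption.

```python
"""Audit spanning-tree edge-port hardening in a saved switch configuration."""
import re

# Assumption: the global command that enables BPDU guard. Its name is not shown
# in this excerpt of the guide; adjust it to match your release.
BPDU_GUARD_CMD = "spanning-tree bpdu-protection"

# Global commands that weaken BPDU handling, mapped to a finding name.
GLOBAL_RULES = {
    "spanning-tree portfast bpdufilter default": "bpdufilter-default",
    "spanning-tree bpdu flooding": "bpdu-flooding",
}

# Constructed sample in the general shape of a running-config (not real output).
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
spanning-tree bpdu flooding
!
interface Gi1/0/1
spanning-tree portfast
exit
!
interface Gi1/0/2
spanning-tree portfast
spanning-tree guard root
spanning-tree tcnguard
exit
!
interface Gi1/0/3
spanning-tree disable
exit
!
interface Te1/0/1
description uplink
spanning-tree guard loop
exit
"""


def parse_config(text):
    """Split a configuration into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("!"):
            continue
        match = re.fullmatch(r"interface (.+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line == "exit":
            current = None                    # leave the interface stanza
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means no findings."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", rule) for cmd, rule in GLOBAL_RULES.items()
                if cmd in global_lines]
    # Exact matching means "no spanning-tree portfast" is not counted as portfast.
    edge_ports = [n for n, cfg in interfaces.items() if "spanning-tree portfast" in cfg]
    if edge_ports and BPDU_GUARD_CMD not in global_lines:
        findings.append(("global", "edge-ports-without-bpdu-guard"))
    for name, cfg in interfaces.items():
        if "spanning-tree disable" in cfg:
            findings.append((name, "stp-disabled"))
        if name in edge_ports:
            if "spanning-tree guard root" not in cfg:
                findings.append((name, "edge-no-root-guard"))
            if "spanning-tree tcnguard" not in cfg:
                findings.append((name, "edge-no-tcnguard"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Ports made edge ports only through spanning-tree portfast default are not detected, because that depends on the switchport mode of each interface.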
Direct Link Rapid Convergence on STP-PV switches. This command assists in accelerating spanning-tree convergence after switchover to an alternate port. Use the no form of the command to return the configured rate to the default value (or disable uplinkfast on STP-PV configured switches).
Syntax
spanning-tree uplinkfast [max-update-rate packets/s]
no spanning-tree uplinkfast [max-update-rate]...
Configuration of the bridge priority is given preference over configuration of the root primary or root secondary configuration, which is given preference over the configuration of DirectLink Rapid Convergence. RSTP-PV embeds support for IRC and DRC. There is no provision to enable or disable these features in RSTP-PV configured switches.
User Guidelines
This command can be configured even if the switch is configured for MST (RSTP) mode. It is only used when the switch is configured for STP-PV or RSTP-PV modes.
Example
This example configures a switch to use per VLAN spanning tree for VLANs 12, 13 and 24-26.
console(config)#spanning-tree vlan 12,13,24-26
spanning-tree vlan forward-time...
Forward delay is only application to STP modes. The forward delay setting is ignored in MSTP, RSTP and RSTP-PV modes as the designated port is transitioned to the forwarding state immediately. Example console(config)#spanning-tree vlan 3 forward-time 12 spanning-tree vlan hello-time Use the spanning-tree vlan hello-time command to configure the spanning tree hello time for a specified VLAN or a range of VLANs.
spanning-tree vlan max-age
Use the spanning-tree vlan max-age command to configure the spanning tree maximum age time for a set of VLANs. Use the no form of the command to return the maximum age timer to the default value.
Syntax
spanning-tree vlan vlan-list max-age 6-40
no spanning-tree vlan vlan-list>...
Example
console(config)#spanning-tree vlan 3 max-age 18
spanning-tree vlan root
Use the spanning-tree vlan root primary command to configure the switch to become the root bridge or standby root bridge by modifying the bridge priority from the default value to a lower value calculated to ensure the bridge is the root (or standby) bridge.
spanning-tree vlan priority Use the spanning-tree vlan priority command to configure the bridge priority of a VLAN. The bridge priority is combined with the MAC address of the switch and is used to select the root bridge for the VLAN. Use the no form of the command to return the priority to the default value.
Configuration of the bridge priority is given preference over configuration of the root primary or root secondary configuration, which is given preference over the configuration of DirectLink Rapid Convergence. Example This example configures a switch to be the spanning tree root bridge for VLANs 12, 13, 24, 25, and 26.
UDLD Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
The UDLD feature detects unidirectional links on physical ports. A unidirectional link is a forwarding anomaly in a Layer 2 communication channel in which a bi-directional link stops passing traffic in one direction.
recognize only the sending failures on unidirectional links. If all devices in the network support UDLD, this functionality is enough to detect all unidirectional links.
Processing UDLD Traffic from Neighbors
Every UDLD-capable device collects information about all other UDLD-capable devices. Each device populates UDLD echo packets with collected neighbor information to help neighbors identify unidirectional links.
UDLD will put the port into the diagnostically disabled state in the following cases:
• When there is a loopback, i.e. the device ID and port ID sent out on a port are received back.
• When a UDLD PDU received from a partner does not carry the local device's own details (echo).
Command Mode
Global Configuration mode
User Guidelines
This command globally enables UDLD. Interfaces must also be individually enabled for UDLD.
Example
This command globally enables UDLD.
console(config)#udld enable
udld reset
Use the udld reset command to reset (enable) all interfaces disabled by UDLD.
Example
This example resets all UDLD disabled interfaces.
console#udld reset
udld message time
Use the udld message time command in Global Configuration mode to configure the interval between the transmission of UDLD probe messages on ports that are in the advertisement phase. Use the no form of the command to return the message transmission interval to the default value.
udld timeout interval
Use the udld timeout interval command in Global Configuration mode to configure the interval for the receipt of ECHO replies. Use the no form of the command to return the value to the default setting.
Syntax
udld timeout interval timeout-interval
no udld timeout interval
•...
no udld enable
Default Configuration
UDLD is disabled by default on an interface. UDLD must be enabled globally and on an interface in order to operate.
Command Mode
Interface (physical) Configuration mode
User Guidelines
UDLD cannot be enabled on a port channel. Instead, enable UDLD on the physical interfaces of a port channel.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
In aggressive mode, UDLD will attempt to detect a peer by sending an ECHO packet every seven seconds until a peer is detected.
Example
This example configures an interface to operate in UDLD aggressive mode.
console(config-if-Te1/0/1)#udld port aggressive
show udld
Use the show udld command in User Exec or Privileged Exec mode to display...
Field              Description
Timeout Interval   The time period (in seconds) before deciding that the link is unidirectional.
When an interface ID is specified, the following fields are shown:
Field              Description
Interface Id       The interface identifier in short form, e.g. te1/0/1.
Admin Mode         The administrative mode of UDLD configured on this interface.
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
Dell EMC Networking 802.1Q VLANs are an implementation of the Virtual Local Area Network, specification 802.1Q. Operating at Layer 2 of the OSI model, the VLAN is a means of parsing a single network into logical user groups or organizations as if they physically resided on a dedicated LAN segment of their own.
Any valid Ethernet frame with a value of 0x8100 in the 12th and 13th bytes is recognized as a tagged frame. Dell EMC Networking N-Series switches can be configured to enable the port in double-VLAN (QinQ) mode. In this mode, the switch looks at the 12th, 13th, 16th, and 17th bytes for the tag status in the incoming frame.
Protocol Based VLANs
The main purpose of Protocol-based VLANs (PBVLANs) is to selectively process packets based on their upper-layer protocol by setting up protocol-based filters. Packets are bridged through user-specified ports based on their protocol. In PBVLANs, the VLAN classification of a packet is based on its protocol (IP, IPX, NetBIOS, and so on).
Private VLAN Commands
The Dell EMC Networking Private VLAN feature separates a regular VLAN domain into two or more subdomains. Each subdomain is defined (represented) by a primary VLAN and a secondary VLAN. The primary VLAN ID is the same for all subdomains that belong to a private VLAN. The secondary VLAN ID differentiates subdomains from one another and provides Layer 2 isolation between ports of the same private VLAN.
promiscuous ports or can communicate only with the promiscuous ports (if the secondary VLAN is an isolated VLAN). The Private VLANs can be extended across multiple switches through inter-switch/stack links that transport primary, community and isolated VLANs between devices, as shown in Figure 3-1. Figure 3-1.
Private VLAN Operation in the Switch Environment The Private VLAN feature operates in a stacked or single switch environment. The stack links are transparent to the configured VLAN, thus there is no need for special private VLAN configuration. Any private VLAN port can reside on any stack member.
IP routing is globally enabled. DHCP and Layer 3 are not enabled on VLAN 1 by default for the N3000, N3100-ON, and N4000 Series switches. DHCP is enabled on VLAN 1 by default for the N1100-ON/N1500/N2000/N2100-ON switches. The N1100-ON does not support routing.
Command Mode...
Use the no form of the command to remove empty interface vlan entries from the running config. Dell EMC N1100-ON switches support configuration of a single IP address in interface vlan configuration mode. That IP address is used as the L3 address of the switch.
Command Mode
Global Configuration mode
User Guidelines
The VLANs in the interface range must be configured and enabled for routing prior to use in the vlan range command. Commands used in the interface range context are executed independently on each interface in the range.
Command Mode VLAN Configuration mode User Guidelines The VLAN name may include any alphanumeric characters including a space, underscore, or dash. Enclose the string in double quotes to include spaces within the name. The surrounding quotes are not used as part of the name. The CLI does not filter illegal characters and may truncate entries at the first illegal character or reject the entry entirely.
• vlan-list—A list of secondary VLAN ids to be mapped to a primary VLAN. The VLAN list can contain multiple entries separated by commas and containing no spaces. Each entry can be a single VLAN id or a hyphenated range of VLANs. Default Configuration This command has no default setting.
protocol group Use the protocol group command in VLAN Configuration mode to attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed. The referenced VLAN should be created prior to the creation of the protocol-based group except when GVRP is expected to create the VLAN.
protocol vlan group Use the protocol vlan group command in Interface Configuration mode to add the physical unit/slot/port interface to the protocol-based group identified by groupid. A group may have more than one interface associated with it. Each interface and protocol combination can be associated with one group only.
console(config-if-Gi1/0/1)#protocol vlan group 2
protocol vlan group all
Use the protocol vlan group all command in Global Configuration mode to add all physical interfaces to the protocol-based group identified by groupid. A group may have more than one interface associated with it. Each interface and protocol combination can be associated with one group only.
show dot1q-tunnel
Use the show dot1q-tunnel command to display the QinQ status for each interface.
Syntax
show dot1q-tunnel [ interface interface-id ]
Default Configuration
If no interfaces are specified, information is shown for all interfaces.
Command Mode
Privileged Exec mode and all show modes
User Guidelines
Up to three additional TPIDs can be configured.
show interfaces switchport
Use the show interfaces switchport command to display the complete switchport VLAN configuration for all possible switch mode configurations: access, dot1q-tunnel, general, trunk, and (private VLAN) host or (private VLAN) promiscuous.
Syntax
show interfaces switchport {{gigabitethernet unit/slot/port | port-channel port-channel-number | tengigabitethernet unit/slot/port| fortygigabitethernet unit/slot/port}}
Default Configuration...
Example
The following example displays the Protocol-Based VLAN information for the entire system.
console#show port protocol all
Group Group Name Protocol(s) VLAN Interface(s)
--------------- ----- ---------- ---- ------------
test gi1/0/1
show switchport ethertype
Use the show switchport ethertype command to display the configured Ethertype for each interface.
Example
This example shows the various invocations of the command.
console(config)#show switchport ethertype
Default TPID........802.1
Configured TPIDs....... vMAN Custom (1010)
console(config)#show switchport ethertype interface gi1/0/1
Interface EtherType Secondary TPIDs
--------- --------- ---------------
Gi1/0/1 802.1
console(config-vlan10)#show switchport ethertype interface all
console(config)#show switchport ethertype interface gi1/0/1
Interface EtherType Secondary TPIDs
--------- --------- ---------------...
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes
User Guidelines
• VLAN—The VLAN identifier
• Name—The VLAN name
• Ports—The port membership for the VLAN
• Type—The type of VLAN (default, static, dynamic)
Example
This shows all VLANs and RSPAN VLANs.
console#show vlan
VLAN Name...
myspan Te1/0/1 Static
RSPAN Vlan
------------------------------------------------------------------
Enabled
show vlan association mac
Use the show vlan association mac command to display the VLAN associated with a specific configured MAC address. If no MAC address is specified, the VLAN associations of all the configured MAC addresses are displayed.
Syntax
show vlan association mac [mac-address]
•...
show vlan association subnet Use the show vlan association subnet command to display the VLAN associated with a specific configured IP-Address and netmask. If no IP Address and net mask are specified, the VLAN associations of all the configured IP-subnets are displayed. Syntax show vlan association subnet [ip-address ip-mask] •...
show vlan private-vlan Use the show vlan private-vlan command to display information about the configured private VLANs including primary and secondary VLAN IDs, type (community, isolated, or primary), and the ports which belong to a private VLAN. Syntax show vlan private-vlan [type] Default Configuration This command has no default setting.
switchport access vlan
Use the switchport access vlan command in Interface Configuration mode to configure the VLAN ID when the interface is in access mode. To reconfigure the interface to use the default VLAN, use the no form of this command.
Syntax
switchport access vlan vlan-id
no switchport access vlan...
console(config)# interface gi1/0/12
console(config-if-Gi1/0/12)# switchport access vlan 33
Access VLAN does not exist. Creating VLAN 33
switchport dot1q ethertype (Global Configuration)
Use the switchport dot1q ethertype command to define additional QinQ tunneling TPIDs for matching in the outer VLAN tag of received frames. Use the no form of the command to remove the configured TPIDs.
Use the no form of the command to remove an additional TPID. Doing so removes the TPID from all interfaces. If the removed TPID is the primary TPID for an interface, the interface is configured to use the default primary TPID 0x8100.
console(config-if-Te1/0/1)#switchport trunk native vlan 10
console(config-if-Te1/0/1)#switchport dot1q ethertype vman primary-tpid
switchport dot1q ethertype (Interface Configuration)
Use the switchport dot1q ethertype command to apply previously defined QinQ tunneling TPIDs to a service provider interface. Use the no form of the command to remove the configured TPIDs.
Syntax
switchport dot1q ethertype { 802.1Q | vman | custom 0-65535 } [primary-tpid]...
The outer VLAN tag in tagged packets received on the interface is compared against the configured list of TPIDs. Frames that do not match any of the configured TPIDs are forwarded normally, i.e. without QinQ processing. Frames transmitted on the interface are always transmitted with the primary TPID inserted in the outer VLAN tag.
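The TPID matching described above can be checked offline. The following Python sketch is an added example, not code from the Dell guide or firmware: it classifies constructed frames against a configured TPID list and applies the egress rewrite to the primary TPID. The function names, the sample frames and the 0x9100 value are constructed for illustration, and the page's byte positions are read as zero-based offsets 12-13 and 16-17.

```python
import struct

DOT1Q = 0x8100  # default primary TPID named on the page
VMAN = 0x88A8   # TPID behind the "vman" keyword (IEEE 802.1ad service tag)


def make_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame; tags is a list of (tpid, vlan_id)."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def read_tag(frame, offset):
    """Return (tpid, vlan_id) of the 4-byte tag at a zero-based offset."""
    if len(frame) < offset + 4:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    return tpid, tci & 0x0FFF


def classify_ingress(frame, configured_tpids):
    """Decide whether a frame received on the SP interface gets QinQ handling.

    The outer TPID follows the two 6-byte MAC addresses (offsets 12-13);
    a customer 802.1Q tag, if present, has its TPID at offsets 16-17.
    """
    outer = read_tag(frame, 12)
    if outer is None or outer[0] not in configured_tpids:
        # Page: frames matching no configured TPID are forwarded normally.
        return {"qinq": False, "outer_vid": None, "inner_vid": None}
    inner = read_tag(frame, 16)
    inner_vid = inner[1] if inner and inner[0] == DOT1Q else None
    return {"qinq": True, "outer_vid": outer[1], "inner_vid": inner_vid}


def egress_on_sp_port(frame, primary_tpid):
    """Rewrite the outer tag's TPID to the interface's primary TPID."""
    return frame[:12] + struct.pack("!H", primary_tpid) + frame[14:]


def link_is_consistent(sender_primary_tpid, receiver_tpids):
    """True when the receiver recognises what the sender puts in the outer tag."""
    probe = make_frame([(DOT1Q, 100), (DOT1Q, 10)])
    on_wire = egress_on_sp_port(probe, sender_primary_tpid)
    return classify_ingress(on_wire, receiver_tpids)["qinq"]


if __name__ == "__main__":
    configured = {DOT1Q, VMAN}
    samples = {
        "untagged": make_frame([]),
        "vman outer + customer tag": make_frame([(VMAN, 200), (DOT1Q, 10)]),
        "unconfigured outer 0x9100": make_frame([(0x9100, 200), (DOT1Q, 10)]),
    }
    for name, frame in samples.items():
        print(name, classify_ingress(frame, configured))
    # A peer that transmits vman while this side only lists 0x8100 is a
    # mismatch: its frames would bypass QinQ processing here.
    print("vman sender, 0x8100-only receiver:", link_is_consistent(VMAN, {DOT1Q}))
```

Running `link_is_consistent` for both directions of a service provider link shows whether each side's primary TPID appears in the other side's configured list.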
switchport general forbidden vlan Use the switchport general forbidden vlan command in Interface Configuration mode to forbid adding specific VLANs to a general mode port. To revert to allowing the addition of specific VLANs to the port, use the remove parameter of this command. Syntax switchport general forbidden vlan {add vlan-list | remove vlan-list} add vlan-list —...
switchport general acceptable-frame-type tagged-only
Use the switchport general acceptable-frame-type tagged-only command in Interface Configuration mode to discard untagged frames at ingress. To enable untagged frames at ingress, use the no form of this command.
Syntax
switchport general acceptable-frame-type tagged-only
no switchport general acceptable-frame-type tagged-only
Default Configuration
All frame types are accepted at ingress.
• add vlan-list — List of VLAN IDs to add. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. • remove vlan-list — List of VLAN IDs to remove. Separate nonconsecutive VLAN IDs with a comma and no spaces.
Syntax
switchport general ingress-filtering disable
no switchport general ingress-filtering disable
Default Configuration
Ingress filtering is enabled.
Command Mode
Interface Configuration (gigabitethernet, port-channel, tengigabitethernet, fortygigabitethernet) mode
User Guidelines
Ingress filtering, when enabled, discards received frames that are not tagged with a VLAN for which the port is a member. If ingress filtering is disabled, tagged frames from all VLANs are processed by the switch.
Default Configuration The default value for the vlan-id parameter is 1 when the VLAN is enabled. Otherwise, the value is 4093. Command Mode Interface Configuration (gigabitethernet, port-channel, tengigabitethernet, fortygigabitethernet) mode User Guidelines Setting a new PVID does NOT remove the previously configured PVID VLAN from the port membership.
configured with a native VLAN. A trunk port only transmits tagged packets for member VLANs other than the native VLAN and untagged packets for the native VLAN. • general—Full 802.1Q support VLAN interface. A general mode port is a combination of both trunk and access ports capabilities. It is possible to fully configure all VLAN features on a general mode port.
Command Mode Interface mode (physical and port channel), Interface range mode (physical and port channel) User Guidelines This command configures a customer edge (CE) port for QinQ tunneling. The dot1q-tunnel mode is an overlay on switchport access mode. In particular, configuring the access mode PVID sets the outer dot1q-tunnel VLAN ID.
appear in the frame. Due to the internal processing of QinQ tagging, the TPID of ingress frames mirrored from the SP port will always be 0x8100. In addition, packets forwarded internally across a stacking link may have different tags applied than packets forwarded on a local egress port. This is due to the processing required for forwarding across a stack.
Command Mode
Interface Configuration (physical or port-channel)
User Guidelines
Do not configure private VLANs on ports configured with any of these features:
• Link Aggregation Control Protocol (LACP)
• Multicast VLAN Registration (MVR)
• Voice VLAN
It is recommended that the private VLAN host ports be configured as spanning-tree portfast.
• add—Associates the secondary VLAN with the primary one.
• remove—Deletes the secondary VLANs from the primary VLAN association.
• secondary-vlan-list—A list of secondary VLANs to be mapped to a primary VLAN.
Default Configuration
This command has no default association or mapping configuration.
Command Mode
Interface Configuration (physical or port-channel)
User Guidelines...
– all specifies all VLANs from 1 to 4093. This keyword is not allowed on commands that do not permit all VLANs in the list to be set at the same time.
– add adds the defined list of VLANs to those currently set instead of replacing the list.
Use this command for compatibility. This command performs no action.
Syntax
switchport trunk encapsulation dot1q
Default Configuration
Dell EMC Networking switches use dot1q encapsulation on trunk ports by default.
Command Mode
Interface config mode, Interface range mode (including port-channels)
User Guidelines
This command performs no action.
vlan
Use the vlan command in Global Configuration mode to configure a VLAN. To delete a VLAN, use the no form of this command.
Syntax
vlan {vlan–list}
no vlan {vlan–list}
• vlan–list—A list of one or more valid VLAN IDs. Separate non-consecutive VLAN IDs with commas (without spaces).
vlan association mac
Use the vlan association mac command in VLAN Configuration mode to associate a MAC address to a VLAN. The maximum number of MAC-based VLANs is 256. Only packets with a matching source MAC address are placed in the VLAN.
Syntax
vlan association mac mac-address
no vlan association mac mac-address...
no vlan association subnet ip-address subnet-mask
• ip-address — Source IP address. (Range: Any valid IP address)
• subnet-mask — Subnet mask. (Range: Any valid subnet mask)
Default Configuration
No assigned ip-subnet.
Command Mode
VLAN Configuration mode
User Guidelines
This command has no user guidelines.
Example
The following example associates the 192.168.0.xxx IP address with VLAN ID
console(config)# vlan 1...
User Guidelines
The dynamic VLAN (created via GVRP) should exist prior to executing this command. See the Type column in output from the show vlan command to determine that the VLAN is dynamic.
Example
The following changes vlan 3 to a static VLAN.
console(config-vlan)#vlan makestatic 3
vlan protocol group
Use the vlan protocol group command in Global Configuration mode to add...
vlan protocol group add protocol Use the vlan protocol group add protocol command in Global Configuration mode to add a protocol to the protocol-based VLAN groups identified by groupid. A group may have more than one protocol associated with it. Each interface and protocol combination can be associated with one group only.
vlan protocol group name
This is a new command for assigning a group name to vlan protocol group id.
Syntax
vlan protocol group name group-id groupName
no vlan protocol group name group-id
• groupid—The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command.
• group-id — The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command. To see the group ID associated with the name of a protocol group, use the show port protocol all command. Default Configuration This command has no default configuration.
Voice VLAN Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
The Voice VLAN feature enables switch ports to carry voice traffic with an administrator-defined priority so as to enable prioritization of voice traffic over data traffic. Using Voice VLAN helps to ensure that the sound quality of an IP phone is protected from deterioration when the data traffic utilization on the port is high.
traffic. See the User Configuration Guide for more information. Voice VLAN is recommended for enterprise-wide deployment of voice services on the IP network.
Commands in this Section
This section explains the following commands:
voice vlan
voice vlan data priority
voice vlan (Interface)
show voice vlan
voice vlan
This command is used to enable the voice VLAN capability on the switch.
Example
This example configures an interface to use VLAN 100 as the voice VLAN and sends LLDP configuration in the Network Policy TLV to the phone to assign VLAN 100 to 802.1p priority 5. The data priority is trusted by default.
console(config)#vlan 100
console(config-vlan100)#interface gi1/0/1
console(config-if-Gi1/0/1)#voice vlan 100...
Example
console(config)#interface gigabitethernet 1/0/1
console(config-if-Gi1/0/1)#voice vlan data priority untrust
console(config-if-Gi1/0/1)#voice vlan data priority trust
show voice vlan
This command displays information about the voice VLAN.
Syntax
show voice vlan [interface {gigabitethernet unit/slot/port | tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port}|all]
Command Mode
Privileged Exec, Global Configuration mode and all Configuration submodes
User Guidelines
When the interface parameter is not specified, only the global mode of the...
Security Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
Security commands enable network operators to administer security for administrator access to the switch management console or web interface as well as to configure restrictions of network access for network attached devices.
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
Dell EMC Networking switches support authentication of network users and switch administrators via a number of methods. Management access to the switch is via telnet, HTTP, SSH, or the serial console (SNMP access is discussed in the SNMP Commands section).
To authenticate a switch administrator, the authentication methods in the APL for the access line are attempted in order until an authentication attempt returns a success or failure return code. If a method times out, the next method in the list is attempted. The component requesting authentication is unaware of the ultimate authentication source.
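The fall-through rule above has a consequence worth checking before a method list is applied to an access line: a reject ends the walk, a timeout moves on, and the none method (described elsewhere in this guide as always allowing access) accepts whoever reaches it. The following Python model is an added example, not Dell's implementation; the Result names and function names are hypothetical, and it assumes a list whose methods all time out denies access.

```python
from enum import Enum
from itertools import product


class Result(Enum):
    SUCCESS = "success"   # method answered: credentials accepted
    FAILURE = "failure"   # method answered: credentials rejected
    TIMEOUT = "timeout"   # method did not answer


def evaluate(method_list, responses):
    """Walk a method list in order, as the guide describes.

    responses maps a method keyword to the Result it returns for this
    attempt; a method missing from the mapping is treated as unreachable.
    Returns (granted, trail), trail being the (method, Result) pairs tried.
    """
    trail = []
    for method in method_list:
        if method == "none":
            result = Result.SUCCESS          # none always allows access
        else:
            result = responses.get(method, Result.TIMEOUT)
        trail.append((method, result))
        if result is not Result.TIMEOUT:     # success or failure ends the walk
            return result is Result.SUCCESS, trail
    return False, trail                      # assumption: all timed out, deny


def unauthenticated_paths(method_list):
    """List the sets of timed-out methods under which 'none' grants access."""
    checked = [m for m in method_list if m != "none"]
    paths = []
    for combo in product(Result, repeat=len(checked)):
        granted, trail = evaluate(method_list, dict(zip(checked, combo)))
        if granted and trail[-1][0] == "none":
            timed_out = tuple(m for m, _ in trail[:-1])
            if timed_out not in paths:
                paths.append(timed_out)
    return paths


def unreachable_methods(method_list):
    """Methods placed after 'none' can never be consulted."""
    if "none" not in method_list:
        return []
    return list(method_list[method_list.index("none") + 1:])


if __name__ == "__main__":
    # Constructed method lists for review; the keywords are the guide's own.
    for methods in (["radius", "local"], ["tacacs", "none"],
                    ["none"], ["radius", "none", "local"]):
        print(methods,
              "| credential-free when timed out:", unauthenticated_paths(methods),
              "| never reached:", unreachable_methods(methods))
```

An empty tuple in the output means the list accepts every attempt with no server outage required, which is the case for a list containing only none.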
Accounting notification is sent when the administrator exits exec mode. The duration of the exec session is logged in the accounting notice. Accounting notifications are sent at the end of each administrator-executed command. In the case of commands like reload and clear config, an exception is made and the stop accounting notice is sent at the...
Local 802.1x Authentication Server The Dell EMC Networking switch supports a dedicated database for local authentication of users for network access through the 802.1x feature. This functionality is distinct from management access for the switch. See the 802.1x Commands section for information on configuring IEEE 802.1x access...
The Internal Authentication Server feature provides support for the creation of users for IEEE 802.1x access only, i.e. without switch management access. This feature maintains a separate database of users allowed for 802.1x access. The authentication method internal is available in the list of methods supported by authentication to support user database lookup.
Guest VLAN The Guest VLAN feature allows a Dell EMC Networking switch to provide a distinguished service to unauthenticated network devices (not rogue devices that fail authentication). This feature provides a mechanism to allow network devices to have network access to reach an external network while restricting their ability to access the internal LAN.
in the unauthorized state and the client is not granted access to the network. If an unauthenticated VLAN is configured for the port and the 802.1x client fails to authenticate for the configured number of attempts, the port is placed in the authorized state on the unauthenticated VLAN and the client is granted access to the network.
Use the no form of the command to delete a list. A list may be identified by the default keyword or a user-specified listname. Use either the aaa accounting dot1x default none or no aaa accounting dot1x default command to disable dot1x accounting. Use the no aaa accounting exec or no aaa accounting commands to disable aaa accounting and optionally delete an accounting method list.
User Guidelines This list is identified by default or a user-specified list_name. Accounting records, when enabled for a line-mode, can be sent at both the beginning and at the end (start-stop) or only at the end (stop-only). If none is specified, accounting is disabled for the specified list.
(console)#configure
(console-config)#aaa accounting exec ExecList stop-only tacacs
(console-config)#aaa accounting exec ExecList start-stop tacacs
(console-config)#aaa accounting exec ExecList start-stop tacacs radius
(console-config)#exit
The first aaa command creates a method list for exec sessions with the name ExecList, with record-type as stop-only and the method as TACACS+. The second command changes the record type to start-stop from stop-only for the same method list.
User Guidelines
Only one authentication method may be specified in the command. For the RADIUS authentication method, if the RADIUS server cannot be contacted, the supplicant fails authentication. The none method always allows access. The ias method utilizes the internal authentication server. The internal authentication server only supports the EAP-MD5 method.
Keyword   Source or destination
enable    Uses the enable password for authentication.
line      Uses the line password for authentication.
none      Uses no authentication.
radius    Uses the list of all RADIUS servers for authentication.
tacacs    Uses the list of all TACACS+ servers for authentication.
Default Configuration
The default enable list is enableList.
NOTE: Requests sent by the switch to a RADIUS server include the username “$enabx$”, where x is the requested privilege level in decimal. For enable to be authenticated on RADIUS servers, add “$enabx$” users to them. The login user ID is also sent to TACACS+ servers for enable authentication.
Keyword   Source or destination
tacacs    Use the list of all TACACS+ servers for authentication.
Default Configuration
The default login lists are defaultList and networkList. defaultList is used by the console and only contains the method none. networkList is used by telnet and SSH and only contains the method local.
aaa authorization
Use the aaa authorization command to enable authorization and optionally create an authorization method list. A list may be identified by a user-specified list-name or the keyword default. Use the no form of the command to disable authorization and optionally delete an authorization list.
Authorization is not enabled by default. Authorization supports Exec authorization and network authorization for RADIUS. Only TACACS is supported for command authorization. Setting a none or local method for authorization authorizes Exec access for all functions. The following default Authorization Methods List is present by default: Default List Name Description Authorization Method...
If no authorization server is available or configured, the function is denied unless the none method is configured in the list. If authorization is configured on the console, this can lead to situations where the console denies administrative access. Therefore, it is recommended that the console authorization only be enabled with due regard to the risks involved.
Command Mode Global Configuration mode User Guidelines The RADIUS server can place a port in a particular VLAN based on the result of the authentication. VLAN assignment must be configured on the external RADIUS server using the RADIUS TUNNEL-TYPE attribute and others. See RADIUS Commands Security Commands for further information.
The aaa new-model command in Global Configuration mode is a no-op command. It is present only for compatibility purposes. Dell EMC Networking switches only support the new model command set. Syntax aaa new-model Default Configuration This command has no default configuration.
Default Configuration By default, no dynamic RADIUS servers are configured. Command Mode Global Configuration User Guidelines Configuring a dynamic RADIUS server causes the system to begin listening on the default port 3799 for RADIUS CoA requests. The switch ensures that a unique Acct-Session-Id and the Calling-Station-Id is sent to the RADIUS server in all Access-Request packets.
authentication type is allowed for CoA and disconnect requests. In this example, the NAS-IP-Address is optionally configured at the fixed IPv4 address of 3.3.3.3. CoA client 5.5.5.5 uses the global server key while client 4.4.4.4 uses a client-specific server key.
console#configure terminal
console(config)# aaa new-model
console(config)# aaa authentication dot1x default radius...
Default Configuration
The default value is Disabled.
Command Mode
Global Configuration mode
User Guidelines
The administrator must ensure that any methods configured by the Authentication Manager are enabled (e.g. enable IEEE 802.1x using the dot1x system-auth-control command). Enable MAB using the dot1x mac-auth-bypass command.
User Guidelines
Each method can only be entered once. Ordering is only possible between 802.1x and MAB. Captive portal can be configured either as a stand-alone method or as the last method in the order.
Example
console(config-if-Gi1/0/1)# authentication order dot1x mab captive-portal
console(config-if-Gi1/0/1)# no authentication order
authentication priority
Use this command to set the priority for the authentication methods used on...
Example
console(config-if-Gi1/0/1)# authentication priority mab dot1x captive-portal
console(config-if-Gi1/0/1)# no authentication priority
authentication restart
Use this command to set the interval after which reauthentication starts. This timer starts only if all the authentication methods fail. Use the no form of this command to set the authentication restart timer to factory default value.
Syntax
clear aaa ias-users
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec mode
User Guidelines
There are no user guidelines for this command.
Example
console#clear aaa ias-users
clear authentication statistics
Use this command to clear the authentication statistics.
Syntax
clear authentication statistics {interface-id | all}
Default Configuration...
clear authentication authentication-history
Use this command to clear the authentication history logs.
Syntax
clear authentication authentication-history {interface-id | all}
• interface-id—The interface.
• all—All interfaces.
Default Configuration
There is no default configuration for this command.
Command Modes
Privileged Exec mode
User Guidelines
None
Example...
Command Mode Global Configuration mode User Guidelines The Dell EMC Networking firmware emulates industry standard behavior for enable mode authentication over SSH and telnet. The default enable authentication method for telnet and SSH uses the enableNetList method, which requires an enable password. If users are unable to enter privileged mode when accessing the switch via telnet or SSH, the administrator will need to either change the enable authentication method, e.g.
• method1 [method2...] — Specify at least one from the following table: Keyword Source or destination local Uses the local username database for authentication. none Uses no authentication. radius Uses the list of all RADIUS servers for authentication. tacacs Uses the list of all TACACS+ servers for authentication. Default Configuration The local user database is checked.
password (AAA IAS User Configuration) Use the password command in aaa IAS User Configuration mode to configure a password for an IAS user. The password is composed of up to 64 alphanumeric characters. An optional parameter [encrypted] is provided to indicate that the password given to the command is already pre-encrypted.
console(config-ias-user)#password F81F3CCCB157 console(config-ias-user)#exit console(config)# password (User Exec) Use the password command in User Exec mode to allow a currently logged in user to change the user password without having read/write privileges. This command should be used after the password has aged. The user is prompted to enter the old password and the new password.
show aaa ias-users Use the show aaa ias-users command to display configured IAS users and their attributes. Passwords configured are not shown in the show command output. Syntax show aaa ias-users Default Configuration This command has no default configuration. Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines IAS users are distinct from switch administrative users.
Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Examples console#show aaa statistics Number of Accounting Notifications sent at beginning of an Exec session: 0 Errors when sending Accounting Notifications beginning of an Exec session: 0 Number of Accounting Notifications sent at end of an Exec session: 0 Errors when sending Accounting Notifications at end of an Exec session: 0 Number of Accounting Notifications sent at beginning of a command execution: 0...
------------------------------------------------------------------ Exec dfltExecList start-stop tacacs Commands dfltCmdList stop-only tacacs Dot1x dfltDot1xList start-stop Line EXEC Method List Command Method List ------------------------------------------------- Console none none Telnet none none none none Command History Example updated in the 6.4 release. show authentication Use this command to list the authentication methods configured on the interface and display if the Tiered Authentication feature is enabled.
--------------------- --------- ----------------- ------------ ------ Jul 21 1919 15:06:15 Gi1/0/1 00:00:00:00:00:01 Authorized 802.1x show authentication methods Use the show authentication methods command to display information about the authentication methods. Syntax show authentication methods Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes...
networkList enableNetList HTTPS :local HTTP :local DOT1X show authentication statistics Use this command to display the Authentication Manager statistics on one or more interfaces. Syntax show authentication statistics interface-id • interface-id—The physical interface. Default Configuration There is no default configuration for this command. Command Modes Privileged Exec mode, Global Configuration mode and all Configuration submodes...
show authorization methods Use the show authorization methods command to display the configured authorization method lists. Syntax show authorization methods Default Configuration This command has no default setting. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines Command authorization is supported only for the line, telnet, and SSH access methods.
show users accounts Use the show users accounts command to display the local user status with respect to user account lockout and password aging. Syntax show users accounts Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines User accounts are distinct from the IAS user accounts.
console(config)#show users accounts UserName Privilege Password Password Lockout Aging Expiry date ------------------------ --------- -------- -------------------- -------- admin Jan 13 1915 00:32:12 False Administrative Profile(s): show users login-history Use the show users login-history command in Global Configuration mode to display information about the login history of users. Syntax show users login-history [username|long] •...
Command History Syntax updated in 6.4 release. username Use the username command in Global Configuration mode to add a new user to the local user (switch administrator) database. The default privilege level is 1. The command optionally allows the specification of an Administrative Profile for a local user.
• encrypted—Encrypted password entered, copied from another switch configuration. Password strength checking is not applied to the encrypted string. Default Configuration The default privilege level is 1. Command Mode Global Configuration mode User Guidelines To use the ! character as part of the username or password string, it should be enclosed within quotation marks.
Message Type Message Description Reason behind the failure Exceeds Minimum Length of a Password. Password should be in the range of 8-64 characters in length. Set minimum password length to 0 by using the passwords min-length 0 command. Password should contain Minimum <number>...
Default Configuration This command has no default configuration. Command Mode Global Configuration mode User Guidelines This command applies to switch administrator accounts. Privilege level 0 is restricted from using Privileged Exec or any Configuration- level commands. There is effectively no difference between privilege level 1 and 15.
This capability is similar to the industry standard “User Roles” feature. The main difference is that the Administrative Profile is obtained via authentication rather than via authorization. This was necessary because Dell EMC Networking does not support AAA authorization of users.
passes enable authentication, the user is permitted access to all commands. This is also true if none of the Administrative Profiles provided are configured on the switch. RADIUS and TACACS+ The network administrator may configure a custom attribute to be provided by the server during authentication.
Default Configuration The administrative profiles are defined by default. Command Mode Global Configuration mode User Guidelines This command has no user guidelines. Example console(config)#admin-profile qos console(admin-profile)# description (Administrative Profile Configuration) Use the description command in Administrative Profile Configuration mode to add a description to an administrative profile. Use the no form of this command to delete the description.
Example console(admin-profile)#description "This profile allows access to QoS commands." rule Use the rule command to add a rule to an administrative profile. Use the no form of this command to delete a rule. Syntax rule number {deny|permit} {command command-string|mode mode-name} no rule number •...
Example console(admin-profile)#rule 1 permit command "access-list *" console(admin-profile)# show admin-profiles Use the show admin-profiles command to show the administrative profiles. If the optional profile name parameter is used, only that profile will be shown. Syntax show admin-profiles [name profile-name] • profile-name—The name of the administrative profile to display.
Description: This profile allows access to QoS commands. Rule Perm Type Entity ---- ------ ------- ---------------------------------------- permit command access-list * permit command access-group * permit mode class-map show admin-profiles brief Use the show admin-profiles brief command to list the names of the administrative profiles defined on the switch.
show cli modes Use the show cli modes command to list the names of all the CLI modes. Syntax show cli modes Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines These are the generic mode names to be used in the...
E-mail Alerting Commands Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches E-mail Alerting is an extension of the logging system. The Dell EMC Networking logging system allows the user to configure a variety of destinations for log messages. This feature adds e-mail configuration capabilities, by which the log messages are sent to a configured SMTP server such that an operator may receive the log in an e-mail account of their choice.
Default Configuration E-mail alerting is disabled by default. When e-mail alerting is enabled, log messages at or above severity Warning are e-mailed. Command Mode Global Configuration mode User Guidelines The logging email command with no arguments enables e-mail alerting. Specify a severity to set the severity level of log messages that are e-mailed in a non-urgent manner.
– error (3) – warning (4) – notice (5) – info (6) – debug (7) • none— If you specify this keyword, no log messages are e-mailed urgently. All log messages at or above the non-urgent level (configured with the logging email command) are e-mailed in batch.
Urgent | non-urgent | both—The priority with which the email is queued. Urgent email is sent immediately. Non-urgent email is queued and sent periodically. Example console(config)#logging email message-type urgent to-addr admin123@dell.com Command History Example added in the 6.4 release. logging email from-addr Use the logging email from-addr command in Global Configuration mode to configure the From address of the e-mail.
The from-addr in this command is the email address of the email sender. Many mail servers will validate the from address of an email to ensure that abuse of the email server does not occur. Example console(config)#logging email from-addr dell@gmail.com Command History Example added in the 6.4 release. logging email message-type subject Use the logging email message-type subject command in Global Configuration mode to configure the subject of the e-mail.
Example console(config)#logging email message-type urgent subject UrgentLog Command History Example added in the 6.4 release. logging email logtime Use the logging email logtime command in Global Configuration mode to configure the value of how frequently the queued messages are sent. Syntax logging email logtime time duration no logging email logtime...
logging email test message-type Use the logging email test message-type command in Global Configuration mode to test whether or not an e-mail is being sent to an SMTP server. Syntax logging email test message-type message-type message-body message-body • message-type— Urgent, non-urgent, or both •...
Default Configuration This command has no default configuration. Command Mode Privileged Exec User Guidelines This command has no user guidelines. Example console#show logging email statistics No of email Failures so far....0 No of email sent so far......0 Time since last email Sent....00 days 00 hours 00 mins 00 secs clear logging email statistics Use the clear logging email statistics command to clear the e-mail alerting...
Command History Example added in the 6.4 release. security Use the security command in Mail Server Configuration mode to set the e-mail alerting security protocol. This enables and disables the switch to use TLS authentication with the SMTP Server. If the administrator sets the TLS mode and the SMTP server does not support TLS mode, then no e-mail goes to the SMTP server.
Syntax mail-server {ip-address | hostname} no mail-server {ip-address | hostname} • ip-address—An IPv4 or IPv6 address. • hostname— The DNS name of an SMTP server. Default Configuration The default configuration for a mail server is shown in the table below. Field Default Email Alert Mail Server Port...
Default Configuration The default value is 25 (SMTP). Command Mode Mail Server Configuration User Guidelines Port 25 is the standard SMTP port for cleartext messages. Port 465 is the standard port for messages sent using TLSv1. Example console(config)#mail-server 10.131.1.11 console(mail-server)#port 1024 Command History Example added in the 6.4 release.
User Guidelines This command has no user guidelines. Example console(config)#mail-server 10.131.1.11 console(mail-server)#username admin Command History Example added in the 6.4 release. password (Mail Server Configuration Mode) Use the password command in Mail Server Configuration mode to configure the password required to authenticate to the e-mail server. Use the no form of the command to revert the password to the default value.
show mail-server Use the show mail-server command to display the configuration of all the mail servers or a particular mail server. Syntax show mail-server {ip-address | hostname | all} Default Configuration This command has no default configuration. Command Mode Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines.
Email Alert Mail Server Address.... 10.131.1.11
Email Alert Mail Server Port....... 465
Email Alert SecurityProtocol....... tlsv1
Email Alert Username............... admin
Email Alert Password............... password
Command History Example added in the 6.4 release.
Security Commands...
The RADIUS client supports up to 32 named authentication and accounting servers. For the N1100-ON and N1500 Series switches, the number of supported authentication and accounting servers is 8. RADIUS-based Dynamic VLAN Assignment...
RADIUS Change of Authorization Dell EMC Networking supports the Change of Authorization Disconnect-Request per RFC 3575. The Dell EMC Networking switch listens for the Disconnect-Request on UDP port 3799. The Disconnect-Request identifies the user session to be terminated using the following attributes: •...
CoA NAK message is calculated from a dummy key value. The Dell EMC Networking switch starts listening to the client again based on re-authentication timer. Refer to the RADIUS Change of Authorization section in the Users Configuration Guide for examples of configuring RADIUS CoA.
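A receiver-side check for Disconnect-Requests arriving on UDP port 3799, as an added Python example (not the switch firmware's code): it selects the global or client-specific key by CoA client address, verifies the Request Authenticator as RFC 5176 defines it, and answers with a Disconnect-ACK or Disconnect-NAK. The keys, the session table, and the use of Acct-Session-Id to identify the session are assumptions made for the example.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 31, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503            # Error-Cause value from RFC 5176
ZERO16 = b"\x00" * 16

# Constructed keys; the client addresses follow the page's configuration example.
GLOBAL_KEY = b"constructed-global-key"
CLIENT_KEYS = {"4.4.4.4": b"constructed-client-key"}
COA_CLIENTS = {"4.4.4.4", "5.5.5.5"}


def key_for(client_ip: str):
    """Client-specific key if one is configured, else the global key."""
    if client_ip not in COA_CLIENTS:
        return None
    return CLIENT_KEYS.get(client_ip, GLOBAL_KEY)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list; raise ValueError on any malformed length."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(data[pos], data[pos + 2:pos + data[pos + 1]])
        pos += data[pos + 1]
    return attrs


def authenticator(code, ident, seed, attrs, secret):
    """MD5(Code + Identifier + Length + seed + Attributes + secret).

    seed is 16 zero octets for a request, the Request Authenticator for a reply.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + seed + attrs + secret).digest()


def build_packet(code, ident, seed, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + authenticator(code, ident, seed, attrs, secret) + attrs


def handle_datagram(packet: bytes, client_ip: str, sessions: set):
    """Return (verdict, reply). Anything that fails a check is dropped, no reply."""
    secret = key_for(client_ip)
    if secret is None:
        return "drop: unknown CoA client", None
    if len(packet) < 20:
        return "drop: short packet", None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(packet):
        return "drop: bad code or length", None
    req_auth, attrs = packet[4:20], packet[20:length]
    expected = authenticator(code, ident, ZERO16, attrs, secret)
    if not hmac.compare_digest(expected, req_auth):
        return "drop: bad Request Authenticator", None
    try:
        session_id = parse_attrs(attrs).get(ACCT_SESSION_ID)
    except ValueError:
        return "drop: malformed attributes", None
    if session_id in sessions:
        sessions.discard(session_id)       # terminate the matching session
        return "ack", build_packet(DISCONNECT_ACK, ident, req_auth, b"", secret)
    cause = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return "nak", build_packet(DISCONNECT_NAK, ident, req_auth, cause, secret)


if __name__ == "__main__":
    sessions = {b"constructed-session-01"}
    attrs = attr(ACCT_SESSION_ID, b"constructed-session-01")
    good = build_packet(DISCONNECT_REQUEST, 1, ZERO16, attrs, CLIENT_KEYS["4.4.4.4"])
    forged = build_packet(DISCONNECT_REQUEST, 2, ZERO16, attrs, b"guessed-key")
    print(handle_datagram(forged, "4.4.4.4", sessions)[0])   # wrong key
    print(handle_datagram(good, "9.9.9.9", sessions)[0])     # not a CoA client
    print(handle_datagram(good, "4.4.4.4", sessions)[0])     # accepted
    print(handle_datagram(good, "4.4.4.4", sessions)[0])     # replay, session gone
```

A request signed with the client-specific key is rejected when it arrives from a client that is configured to use the global key, which is why the key lookup is done by source address before any attribute is parsed.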
auth-port radius-server attribute 31 source-ip deadtime radius-server deadtime timeout radius-server host usage msgauth radius-server key – name (RADIUS server) radius-server retransmit – acct-port Use the acct-port command to set the port on which the RADIUS accounting server listens for connections. Use the no form of this command to reset the port to the default.
Service-Type attribute is required and validated in the Access-Accept packet received from the RADIUS server. Dell EMC Networking N-Series switches accept the Login-User (1) and Administrative-User (6) values in the Access-Accept message returned from the RADIUS server. If the mandatory parameter is not configured, the Service-Type TLV received in an Access-Accept packet is ignored.
This example configures the switch to process and validate the Service-Type received in the Access-Accept message from the RADIUS server. console#conf console(config)#radius-server host 4.3.2.1 console(config-auth-radius)#attribute 6 mandatory attribute 8 Use the attribute 8 command to configure the switch to send the RADIUS Framed-IP-Address attribute in the Access-Request message sent to a specific RADIUS authentication server.
attribute 25 Use the attribute 25 command to enable the switch to send the RADIUS Class attribute as supplied by the RADIUS server in accounting messages sent to the specific accounting server. Syntax attribute 25 include-in-access-req no attribute 25 include-in-access-req Default Configuration By default, the Service-Type is included in the accounting messages sent to the accounting server.
Syntax attribute 31 mac format { ietf | unformatted | legacy } [lower-case | upper-case] no attribute 31 mac format • ietf—Format the MAC address as aa-aa-bb-bb-cc-cc. The default is upper case. • unformatted—Format the MAC address as aaaabbbbcccc. The default is lower case.
Example This example configures the format of the MAC address sent in MAC based authentication to IETF lower case for the RADIUS server at address 1.2.3.4. MAB must be configured on the switch in an active authentication list, IEEE 802.1X must be configured, and a RADIUS server must also be configured. console(config)#radius-server host 1.2.3.4 console(config-auth-radius)# attribute 31 mac format ietf lower-case authentication event fail retry...
This parameter is independent of, and does not control, the number of times the authenticator will attempt to contact the RADIUS servers. For example, if the max-retries for a single configured RADIUS server is set to 3 and the max-attempts is set to 2, on a supplicant login attempt, the authenticator will send up to three access requests to the RADIUS server before returning failure.
Syntax auth-port auth-port-number • auth-port-number — Port number for authentication requests. (Range: 1 - 65535) Default Configuration The default value of the port number is 1812. Command Mode RADIUS Server Configuration mode User Guidelines User must enter the mode corresponding to a specific RADIUS Server Configuration before executing this command.
Default Configuration The default deadtime interval is 0 minutes. Command Mode RADIUS Server Configuration mode User Guidelines If only one RADIUS server is configured, it is recommended to use a deadtime interval of 0. Example The following example specifies a deadtime interval of 60 minutes. console(config)#radius-server host 192.143.120.123 console(config-auth-radius)#deadtime 60 Use the key command to specify the encryption key which is shared with the...
Command Mode RADIUS Server Configuration mode User Guidelines There are no user guidelines for this command. In an Access-Request, encrypted passwords are sent using the RSA Message Digest algorithm (MD5). If no encryption parameter (7) is present, the key string is interpreted as an unencrypted shared secret.
Default Configuration The message authenticator attribute is enabled by default. Command Mode RADIUS Server Configuration mode User Guidelines There are no user guidelines for this command. Example console(Config-auth-radius)#msgauth name (RADIUS server) Use the name command to assign a name to a RADIUS server. Use the no form of the command to return the name to the default (Default-RADIUS-Server).
Note that, when multiple RADIUS servers are configured with different names (for example, ServerName is name1 and address is 1.1.1.1 and ServerName is name2 and address is 1.1.1.2): The RADIUS request is always sent to the first ordered name server list, i.e. name1 server list would be tried before moving on to name2.
Command Mode RADIUS Server Configuration mode User Guidelines There are no user guidelines for this command. Example console(Config-auth-radius)#primary priority Use the priority command in RADIUS Server Configuration mode to specify the order in which the servers are to be used, with 0 being the highest priority. Syntax priority priority •...
radius-server attribute 4 Use the radius-server attribute 4 command to set the network access server (NAS) IPv4 address for the RADIUS server. The NAS-IP-Address is RADIUS attribute number 4. Use the no version of the command to set the value to the default.
Service-Type parameter received from the RADIUS server in Access-Accept messages. Dell EMC Networking N-Series switches accept the Login-User (1) or Administrative-User (6) values in the Access-Accept message returned from the RADIUS server. Access-Accept messages without one of those values are treated as if an Access-Reject message has been received.
Example This command configures the switch to send the Service-Type attribute in the Access-Request message sent to the RADIUS server. console#conf console(config)#radius-server attribute 6 on-for-login-auth radius-server attribute 8 Use the radius-server attribute 8 command to enable the switch to send the RADIUS Framed-IP-Address attribute in authentication messages sent to the authentication server.
radius-server attribute 25 Use the radius-server attribute 25 command to globally enable the switch to send the RADIUS Class attribute as supplied by the RADIUS server in accounting messages sent to the accounting server. Syntax radius-server attribute 25 include-in-access-req no radius-server attribute 25 include-in-access-req Default Configuration By default, the switch sends the Class attribute to the accounting server.
Syntax radius-server attribute 31 mac format { ietf | unformatted | legacy } [lower-case | upper-case] no radius-server attribute 31 mac format • ietf—Format the MAC address as aa-aa-bb-bb-cc-cc. The default is upper case. • unformatted—Format the MAC address as aaaabbbbcccc. The default is lower case.
Example This example globally configures the format of the MAC address sent in the Calling-Station-Id attribute and the User-Name attribute when using MAC based authentication to IETF lower case. It also configures interface Gi1/0/1 to use MAB. MAB must be configured on the switch in an active authentication list, IEEE 802.1X must be configured, and a RADIUS server must also be configured.
User Guidelines If only one RADIUS server is configured, it is recommended that the deadtime interval be left at 0. If a RADIUS server is currently active and responsive, that server will be used until it no longer responds. RADIUS servers whose deadtime interval has not expired are skipped when searching for a new RADIUS server to contact.
User Guidelines RADIUS servers are keyed by the host name, therefore it is advisable to use unique server host names. Example The following example specifies a RADIUS server host with the following characteristics: Server host IP address — 192.168.10.1 console(config)#radius-server host 192.168.10.1 radius-server key Use the radius-server key command to set the authentication and encryption key for all RADIUS communications between the switch and the RADIUS...
User Guidelines In an Access-Request, encrypted passwords are sent using the RSA Message Digest algorithm (MD5). If no encryption parameter (7) is present, the key string is interpreted as an unencrypted shared secret. Keys are always displayed in their encrypted form in the running configuration.
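How the shared key set with the key and radius-server key commands enters an Access-Request, as an added Python example (not Dell EMC code): the User-Password is hidden with the MD5 keystream of RFC 2865, and the Message-Authenticator that msgauth enables is an HMAC-MD5 over the whole packet as defined in RFC 2869. The user name, password and key are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c(1) = p(1) XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, chained on the received ciphertext blocks."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, request_auth=None):
    """Access-Request with a hidden password and a trailing Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user)
    attrs += attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zeroed while signing
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet += request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def find_attr(packet: bytes, wanted: int):
    """Return (value offset, value) of the first attribute of this type, or None."""
    pos, end = 20, len(packet)
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            return None                      # malformed attribute list
        if attr_type == wanted:
            return pos + 2, packet[pos + 2:pos + length]
        pos += length
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 with the attribute zeroed; absent or wrong gives False."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    offset, received = found
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    key = b"constructed-shared-key"            # sample value, not from the page
    pkt = build_access_request(7, b"alice", b"constructed-password", key)
    print("authentic with right key:", verify_message_authenticator(pkt, key))
    print("authentic with wrong key:", verify_message_authenticator(pkt, b"other"))
    _, hidden = find_attr(pkt, USER_PASSWORD)
    print("recovered:", unhide_password(hidden, key, pkt[4:20]))
```

The password protection rests entirely on the shared key and MD5, so the key's length and secrecy decide how well a captured Access-Request resists offline guessing.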
User Guidelines This command has no user guidelines. Example The following example configures the number of times the RADIUS client attempts to retransmit requests to the RADIUS server to five attempts. console(config)#radius-server retransmit 5 radius-server source-ip Use the radius-server source-ip command to specify the source IPv4 address used in the IP header for communication with RADIUS servers.
The source IP address of RADIUS packets sent to a server should match the NAS IP address configured on the RADIUS server. A mismatch may lead to a RADIUS packet timeout. Loopback interfaces are not supported on the Dell EMC N1100-ON Series switches. Command History Introduced in version 6.3.0.1 firmware.
console(config)#interface vlan 1 console(config-if-vlan1)#ip address dhcp console(config-if-vlan1)#exit console(config)#radius-server source-interface vlan 1 radius-server timeout Use the radius-server timeout command in Global Configuration mode to set the interval for which a switch waits for a server to reply. To restore the default, use the no form of this command. Syntax radius-server timeout timeout no radius-server timeout...
Syntax retransmit retries • retries — Specifies the retransmit value. (Range: 1-10 attempts) Default Configuration The default number for attempts is 3. Command Mode RADIUS mode User Guidelines User must enter the mode corresponding to a specific RADIUS server before executing this command.
• servername—Will cause only the server(s) with server-name name to be displayed. There are no global parameters displayed when this parameter is specified. Default Configuration All authentication servers are displayed by default. Command Mode User Exec, Privileged Exec, Global Configuration mode and all Configuration submodes User Guidelines The following fields are displayed:...
Field: Description
RADIUS Attribute 4 Value: A Global parameter that specifies the IP address to be used in NAS-IP-Address attribute to be used in RADIUS requests.
Source Interface: The source interface from which the source IP address is obtained.
Command History Introduced in version 6.2.0.1 firmware.
test 6.6.6.6 1812 switch-top#show aaa servers authentication name CoA-Server-1 RADIUS Server Name......CoA-Server-1 Current Server IP Address...... 1.1.1.1 Number of Retransmits......3 Timeout Duration....... 15 Deadtime........0 Port........... 3799 Source IP........Default RADIUS Accounting Mode......Disabled Secret Configured......Yes Message Authenticator......Enable Number of CoA Requests Received......
Default Configuration There is no default configuration for this command. Command Mode User Exec, Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines The following fields are displayed for accounting servers:
Field: Description
RADIUS Accounting Server Name: Name of the accounting server.
Server Host...
Field Description Timeouts The number of accounting timeouts on this server. Unknown Types The number of packets of unknown type which were received from this server on accounting port. Packets Dropped The number of RADIUS packets received from this server on accounting port and dropped for some other reason.
Field Description Timeouts The number of authentication timeouts to this server. Unknown Types The number of packets of unknown type which were received from this server on the authentication port. Packets Dropped The number of RADIUS packets received from this server on authentication port and dropped for some other reason.
source-ip Use the source-ip command in RADIUS Server Configuration mode to specify the source IP address to be used for communication with RADIUS servers. 0.0.0.0 is interpreted as a request to use the IP address of the outgoing IP interface. Syntax source-ip source •...
Default Configuration The default value is 15 seconds. Command Mode RADIUS mode User Guidelines User must enter the mode corresponding to a specific RADIUS server before executing this command. Example The following example specifies the timeout setting for the designated RADIUS Server.
Example The following example specifies usage type login.
console(config)#radius-server host 192.143.120.123
console(config-auth-radius)#usage login
Dell EMC Networking supports authentication of a user using a TACACS+ server. When TACACS+ is configured as the authentication method for a user login type (CLI/HTTP/HTTPS), the NAS will prompt for the user login credentials and request services from the TACACS+ client;...
show tacacs tacacs-server timeout – timeout Use the key command in TACACS Configuration mode to specify the authentication and encryption key for all TACACS communications between the device and the TACACS server. This key must match the key used on the TACACS daemon.
Keys are always displayed in their encrypted form in the running configuration. In an Access-Request, encrypted passwords are sent using the RSA Message Digest algorithm (MD5). The encryption algorithm is the same across switches. Encrypted passwords may be copied from one switch and pasted into another switch configuration. Command History Updated in version 6.3.0.1 firmware.
Example The following example displays how to specify TACACS server port number 1200. console(config-tacacs)#port 1200 priority Use the priority command in TACACS Configuration mode to specify the order in which servers are used, where 0 (zero) is the highest priority. Syntax priority [priority] •...
• ip-address — The name or IP address of the host. Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Examples The following example displays TACACS+ server settings.
Default Configuration No TACACS+ host is specified. Command Mode Global Configuration mode User Guidelines To specify multiple hosts, multiple tacacs-server host commands can be used. TACACS servers are keyed by the host name, therefore it is advisable to use unique host names. Example The following example specifies a TACACS+ host.
Default Configuration The default is an empty string. Command Mode Global Configuration mode User Guidelines The tacacs-server key command accepts any printable characters for the key except a question mark. Enclose the string in double quotes to include spaces within the key. The surrounding quotes are not used as part of the name. The CLI does not filter illegal characters and may accept entries up to the first illegal character or reject the entry entirely.
User Guidelines The source interface must have an assigned IP address (either manually or via another method such as DHCP). Loopback interfaces are not supported on the Dell EMC N1100-ON Series switches. Command History Introduced in version 6.3.0.1 firmware. Example...
Syntax tacacs-server timeout [timeout] no tacacs-server timeout • timeout — The timeout value in seconds. (Range: 1–30) Default Configuration The default value is 5 seconds. Command Mode Global Configuration mode User Guidelines This command has no user guidelines. Example The following example sets the timeout value as 30. console(config)#tacacs-server timeout 30 timeout Use the timeout command in TACACS Configuration mode to specify the...
User Guidelines This command has no user guidelines. Example This example shows how to specify the timeout value.
console(config-tacacs)#timeout 23
A port is defined as a single point of attachment to the LAN. The Dell EMC Networking switches support an 802.1x Authenticator service with a local authentication server or authentication using remote RADIUS or TACACS servers.
to be able to identify the shortcomings in the configuration of an 802.1x authentication on the switch without affecting the network access to the users of the switch. There are three important aspects to this feature after activation: 1 To allow successful authentications using the returned information from authentication server.
dot1x eapolflood This command enables the flooding of received IEEE 802.1x frames in the VLAN. Use the no form of the command to return the processing of EAPOL frames to the default. Syntax dot1x eapolflood no dot1x eapolflood Default Configuration By default, the switch does not forward received IEEE 802.1x frames, even if 802.1x is not enabled on the switch.
Syntax dot1x initialize [interface interface-id] • interface-id—The port to be initialized. Default Configuration This command has no default configuration. Command Mode Privileged Exec mode User Guidelines There are no user guidelines for this command. dot1x mac-auth-bypass Use the dot1x mac-auth-bypass command to enable MAB on an interface. Use the no form of this command to disable MAB on an interface.
Example
The following example sets MAC Authentication Bypass on interface gigabitethernet 1/0/2:
console(config-if-Gi1/0/2)#dot1x port-control mac-based
console(config-if-Gi1/0/2)#dot1x mac-auth-bypass
dot1x max-req
Use the dot1x max-req command in Interface Configuration mode to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-request frame (assuming that no response is received) to the client before restarting the authentication process.
— The number of users the port supports for MAC-based 802.1x authentication (Range: 1–64) Default Configuration The default number of clients supported on a port with MAC-based 802.1x authentication is 64. On the N1100-ON Series switches, the range is 1–32. Command Mode Interface Configuration (Ethernet) mode User Guidelines The N1100-ON Series switches support up to 32 users per interface.
Syntax
dot1x port-control {force-authorized | force-unauthorized | auto | mac-based}
no dot1x port-control
• auto — Enables 802.1x authentication on the interface and causes the port to transition to the authorized or unauthorized state based on the 802.1x authentication exchange between the switch and the client. VLAN assignment is allowed on the port if it is not configured in trunk mode.
When configuring a port to use MAC-based authentication, the port must be in switchport general mode.
Example
The following command enables MAC-based authentication on port 1/0/2.
console(config)# interface gigabitethernet 1/0/2
console(config-if-Gi1/0/2)# dot1x port-control mac-based
dot1x re-authenticate
Use the dot1x re-authenticate command to manually initiate a re-authentication of all 802.1x-enabled ports or the specified 802.1x-enabled port.
dot1x reauthentication Use the dot1x reauthentication command in Interface Configuration mode to enable periodic re-authentication of the client. To return to the default setting, use the no form of this command. Syntax dot1x reauthentication no dot1x reauthentication Default Configuration Periodic reauthentication is disabled. Command Mode Interface Configuration (Ethernet) mode User Guidelines...
Default Configuration The default for this command is disabled. Command Mode Global Configuration mode User Guidelines Devices connected to interfaces on which IEEE 802.1X authentication is enabled will be required to authenticate before accessing network resources. This command enables local processing of IEEE 802.1x frames on the switch. Dot1x eapolflood mode must be disabled for local processing to occur.
User Guidelines
Monitor mode always allows access to network resources, even if authentication fails.
Example
The following command enables monitor mode. Clients are always authenticated in monitor mode.
console(config)# dot1x system-auth-control monitor
dot1x timeout quiet-period
Use the dot1x timeout quiet-period command in Interface Configuration mode to set the number of seconds that the switch remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password).
Change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers. To provide a faster response time to the user, enter a smaller number than the default.
Example
The following example sets the number of seconds between re-authentication attempts to 300.
console(config)# interface gigabitethernet 1/0/16
console(config-if-Gi1/0/16)# dot1x timeout re-authperiod 300
dot1x timeout server-timeout
Use the dot1x timeout server-timeout command in Interface Configuration mode to set the time that the switch waits for a response from the authentication server.
dot1x timeout supp-timeout Use the dot1x timeout supp-timeout command to set the time that the switch waits for a response before retransmitting an Extensible Authentication Protocol (EAP-Request/Identity) frame to the client. To return to the default setting, use the no form of this command. Syntax dot1x timeout supp-timeout seconds no dot1x timeout supp-timeout...
dot1x timeout tx-period Use the dot1x timeout tx-period command in Interface Configuration mode to set the number of seconds that the switch waits for a response to an Extensible Authentication Protocol EAP-Request/Identity frame from the client before resending the request. To return to the default setting, use the no form of this command.
auth-type
Use this command to set the accepted authorization types for dynamic RADIUS clients. Use the no form of the command to set the authorization type to the default.
Syntax
auth-type {all | any | session-key}
no auth-type
• all—Selects all CoA client authentication types. All authentication attributes must match for the authentication to succeed.
client Use this command to enter the CoA client parameters. Syntax client {ip-address | hostname } [ server-key [0 | 7] key-string ] no client {ip-address | hostname } • ip-address—The IPv4 address of a CoA client. The IPv4 address is entered in dotted-quad notation.
Command History Introduced in version 6.2.0.1 firmware. Example The following example configures RADIUS servers at 1.1.1.1, 2.2.2.2, and 3.3.3.3 and CoA clients at 3.3.3.3, 4.4.4.4, and 5.5.5.5. It sets the front panel ports to use 802.1x MAC-based authentication. CoA is configured for two RADIUS servers located at 1.1.1.1 and 2.2.2.2 using a global shared secret and a third server using a server specific shared secret.
ignore Use this command to set the switch to ignore certain authentication parameters from dynamic RADIUS clients. Use the no form of the command to restore checking of the specific authentication parameters as configured by the auth-type command. Syntax ignore {session-key | server-key} no ignore {session-key | server-key} •...
port
Use this command to set the port on which to listen for CoA and disconnect requests from authorized dynamic RADIUS clients.
Syntax
port port-number
no port
• port-number—An integer in the range of 1025–65535
Default Configuration
The default is port 3799.
Command Modes
Dynamic Radius Configuration
User Guidelines...
Syntax server-key [0 | 7] key-string no server-key • 0—An unencrypted key is to be entered. • 7—An encrypted key is to be entered. • key-string—The key string in encrypted or unencrypted form. In encrypted form, it must be 256 characters in length. In unencrypted form, it may be up to 128 characters in length.
Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines If you do not use the optional parameters, the command displays the global dot1x mode, Dynamic VLAN Creation Mode, Monitor Mode, EAPOL Flood Mode, and the VLAN Assignment mode. Field Description Administrative...
show dot1x authentication-history Use the show dot1x authentication-history command to display the dot1x authentication events and information during successful and unsuccessful dot1x authentication processes. The command is available to display all events, or events per interface, or only failure authentication events in summary or in detail.
Parameter     Description
Reason        Actual reason behind the successful or failure authentication.
Result Age    Time since last result.
Filter Name   The name of the assigned filter (policy map).
Example
console#show dot1x authentication-history all detail
Time Stamp......Mar 22 2010 01:16:31
Result Age......0 days, 1 hours, 17 minutes, 38 seconds
Interface......
show dot1x clients Use the show dot1x clients command to display 802.1x client information. The client information is displayed in summary or in detail. The command also displays the statistics of the number of clients that are authenticated using Monitor Mode and using 802.1x. Syntax show dot1x clients {interface–id | all} •...
Supp MAC Address....... 00:01:02:03:04:05
Session Time........518
Filter Id........
VLAN Assigned........1
Interface........Gi1/0/7
User Name........dell
Supp MAC Address....... 00:08:A1:7E:45:1A
Session Time........67
VLAN Assigned........Monitor Mode
show dot1x interface
This command shows the status and configuration of an IEEE 802.1x configured interface.
Syntax
show dot1x interface interface-id
Default Configuration
There is no default configuration for this command.
Command Mode
Privileged Exec mode, Global Configuration mode and all Configuration submodes
User Guidelines
The command accepts Ethernet interface identifiers.
Example
console#show dot1x interface gigabitethernet 1/0/10
Administrative Mode....
show dot1x interface statistics Use the show dot1x interface statistics command to display 802.1x statistics for the specified interface. Syntax show dot1x interface {gigabitethernet unit/slot/port| tengigabitethernet unit/slot/port | fortygigabitethernet unit/slot/port} statistics Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines...
Field                               Description
EAP Request/ID Frames Transmitted   The number of EAP Req/Id frames that have been transmitted by this Authenticator.
EAP Request Frames Transmitted      The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.
Invalid EAPOL Frames Received       The number of EAPOL frames that have been received...
Syntax show dot1x users [username username] • username — Supplicant username (Range: 1–160 characters) Default Configuration This command has no default configuration. Command Mode Privileged Exec mode, Global Configuration mode and all Configuration submodes User Guidelines This command has no user guidelines. Example The following example displays 802.1x users.
Syntax
clear dot1x authentication-history [interface-id]
• interface-id—Any valid interface. See Interface Naming Conventions for interface representation.
Default Configuration
This command has no default configuration.
Command Mode
Privileged Exec mode
User Guidelines
This command has no user guidelines.
Example
This example clears all entries from the authentication log.
console#clear dot1x authentication-history
This example purges all entries for the specified interface from the authentication log.
• vlan-id — The ID of a valid VLAN to use as the guest VLAN (Range: 0-4093).
Default Configuration
The guest VLAN is disabled on the interface by default.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
If configured, the guest VLAN is the VLAN to which 802.1X unaware clients are assigned.
Command Mode Interface Configuration (Ethernet) mode User Guidelines It is recommended that the user set the dot1x timeout guest-vlan-period to at least three times the while timer so that at least three EAP Requests are sent, before assuming that the client is an 802.1X unaware client. An 802.1X unaware client is one that does not respond to EAP-Request/Identity frames and does not send EAPOL-Start or EAP-Response/Identity frames.
User Guidelines
The switch attempts authentication three times before assigning a user to the unauthenticated VLAN. Configure the unauthenticated VLAN before using this command.
Example
The following example sets the unauthenticated VLAN on port 1/0/2 to VLAN 20.
console(config-if-Gi1/0/2)#dot1x unauth-vlan 20
show dot1x advanced
Use the show dot1x advanced command to display 802.1x advanced features for the switch or for the specified interface.
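The 802.1x commands above interact in ways that are easy to miss in a long configuration: monitor mode grants access even when authentication fails, EAPOL flooding must be off for local processing, and periodic reauthentication is off unless enabled per port. The following audit script is an added example, not part of the Dell EMC guide; it assumes a saved configuration in which interface blocks open with `interface <id>` and close with `exit`, and the sample configuration and finding codes are constructed for illustration.

```python
# Constructed sample input, not output copied from the guide or from a real switch.
SAMPLE_CONFIG = """\
dot1x system-auth-control
dot1x system-auth-control monitor
dot1x eapolflood
interface Gi1/0/1
dot1x port-control force-authorized
exit
interface Gi1/0/2
dot1x port-control mac-based
dot1x mac-auth-bypass
exit
interface Gi1/0/16
dot1x port-control auto
dot1x reauthentication
dot1x timeout re-authperiod 300
exit
"""

def parse_config(text):
    """Split the text into global lines and a dict of per-interface lines (assumed layout)."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise indentation and spacing
        if not line or line.startswith("!"):  # skip blanks and comment lines
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces.setdefault(current, [])
        elif line == "exit":
            current = None
        elif current is None:
            global_lines.append(line)
        else:
            interfaces[current].append(line)
    return global_lines, interfaces

def audit_dot1x(text):
    """Return (scope, code) findings for settings that weaken 802.1X enforcement."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "dot1x system-auth-control" not in global_lines:
        findings.append(("global", "DOT1X_DISABLED"))    # no local EAPOL processing
    if "dot1x system-auth-control monitor" in global_lines:
        findings.append(("global", "MONITOR_MODE"))      # access even on failed auth
    if "dot1x eapolflood" in global_lines:
        findings.append(("global", "EAPOL_FLOOD"))       # blocks local processing
    for name, lines in interfaces.items():
        modes = [l.rsplit(" ", 1)[1] for l in lines if l.startswith("dot1x port-control ")]
        mode = modes[-1] if modes else None  # unset: not judged, default not assumed
        if mode == "force-authorized":
            findings.append((name, "FORCE_AUTHORIZED"))  # port open without 802.1X
        elif mode in ("auto", "mac-based") and "dot1x reauthentication" not in lines:
            findings.append((name, "NO_REAUTH"))         # sessions never re-checked
    return findings

if __name__ == "__main__":
    for scope, code in audit_dot1x(SAMPLE_CONFIG):
        print(f"{scope}: {code}")
```

Ports with no explicit `dot1x port-control` line are left unjudged because this section does not state the default mode.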
Captive Portal Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches
The Captive Portal feature is a software implementation that blocks both wired and wireless clients from accessing the network until user verification has been established. Verification can be configured to allow access for both guest and authenticated users.
interface
session-timeout
locale
verification
Captive Portal Client Connection Commands
captive-portal client deauthenticate
show captive-portal interface client status
show captive-portal client status
show captive-portal interface configuration status
show captive-portal configuration client status
Captive Portal Local User Commands
clear captive-portal users
user-logout
no user
user name...
Captive Portal Global Commands authentication timeout Use the authentication timeout command to configure the authentication timeout. If the user does not enter valid credentials within this time limit, the authentication page needs to be served again in order for the client to gain access to the network.
Default Configuration
There is no default configuration for this command.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
console(config)#captive-portal
console(config-cp)#
enable
Use the enable command to globally enable captive portal. Use the “no” form of this command to globally disable captive portal.
http port Use the http port command to configure an additional HTTP port for captive portal to listen for connections. Use the “no” form of this command to remove the additional HTTP port from monitoring. Syntax http port port-num no http port •...
• port-num — The port number on which the HTTPS server listens for connections (Range: 1025–65535).
Default Configuration
Captive portal listens on port 443 by default.
Command Mode
Captive Portal Configuration mode.
User Guidelines
The port number should not be set to a value that might conflict with other well-known protocol port numbers used on this switch.
Example
console#show captive-portal
Administrative Mode....... Disabled
Operational Status......Disabled
Disable Reason......Administrator Disabled
CP IP Address......1.2.3.4
show captive-portal status
Use the show captive-portal status command to report the status of all captive portal instances in the system.
Syntax
show captive-portal status
Default Configuration
There is no default configuration for this command.
Captive Portal Configuration Commands The commands in this section are related to captive portal configurations. block Use the block command to block all traffic for a captive portal configuration. Use the “no” form of this command to unblock traffic. Syntax block no block Default Configuration...
• cp-id — Captive Portal ID (Range: 1–10).
Default Configuration
Configuration 1 is enabled by default.
Command Mode
Captive Portal Configuration mode.
User Guidelines
There are no user guidelines for this command.
Example
console(config-cp)#configuration 2
console(config-cp 2)#
enable
Use the enable command to enable a captive portal configuration. Use the no form of this command to disable a configuration.
group Use the group command to configure the group number for a captive portal configuration. If a group number is configured, the user entry (Local or RADIUS) must be configured with the same name and the group to authenticate to this captive portal instance. Use the no form of this command to reset the group number to the default.
Default Configuration
No interfaces are associated with a configuration by default.
Command Mode
Captive Portal Instance Configuration mode.
User Guidelines
There are no user guidelines for this command.
Example
console(config-cp 2)#interface gi1/0/2
locale
The locale command is not intended to be a user command. The administrator must use the Web UI to create and customize captive portal web content.
name (Captive Portal) Use the name command to configure the name for a captive portal configuration. Use the no form of this command to remove a configuration name. Syntax name cp-name no name • cp-name — CP configuration name (Range: 1–32 characters). Default Configuration Configuration 1 has the name “Default”...
Command Mode
Captive Portal Instance mode.
User Guidelines
There are no user guidelines for this command.
Example
console(config-cp 2)#protocol http
redirect
Use the redirect command to enable the redirect mode for a captive portal configuration. Use the “no” form of this command to disable redirect mode.
Syntax
redirect
no redirect...