Page 1 Enterasys SecureStack ® ™ Stackable Switches Configuration Guide Firmware Version 5.02.xx.xxxx P/N 9033991-17...
Page 3 Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice. IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES. Enterasys Networks, Inc. 50 Minuteman Road Andover, MA 01810 © 2008 Enterasys Networks, Inc. All rights reserved. Part Number: 9033991‐17 September 2008 ENTERASYS, ENTERASYS NETWORKS, ENTERASYS SECURE NETWORKS, SECURESTACK, ENTERASYS SECURESTACK, ENTERASYS NETSIGHT, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx. All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies. Documentation URL: http://www.enterasys.com/support/manuals Documentacion URL: http://www.enterasys.com/support/manuals Dokumentation im Internet: http://www.enterasys.com/support/manuals Version: Information in this guide refers to SecureStack C2 firmware version 5.02.xx.xxxx or higher. Notice...
Page 4 ENTERASYS NETWORKS, INC. FIRMWARE LICENSE AGREEMENT BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc., on behalf of itself and its Affiliates (as hereinafter defined) (“Enterasys”) that sets forth Your rights and obligations with respect to the Enterasys software program/firmware (including any accompanying documentation, hardware or media) (“Program”) in the package and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase order or other document submitted by You. “Affiliate” means any person, partnership, corporation, limited liability company, other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. This Agreement constitutes the entire understanding between the parties, with respect to the subject matter of this Agreement. The Program may be contained in firmware, chips or other media. BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED TO ACCEPT THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE BEHALF YOU ARE AUTHORIZED TO ACT, “YOU” AND “YOUR” SHALL BE DEEMED TO REFER TO SUCH ENTITY) AND THAT YOU AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES, AMONG OTHER PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE LIMITATION OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT, ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND. IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL DEPARTMENT AT (978) 684‐1000. You and Enterasys agree as follows: LICENSE. You have the non‐exclusive and non‐transferable right to use only the one (1) copy of the Program ...
Page 5 Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227‐19 (a) through (d) of the Commercial Computer Software‐Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202‐3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON‐INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT. THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys, and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys’ right of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your business. In the event such audit discovers ...
Page 6 10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys’ rights under this Agreement in addition to any and all remedies available at law. 11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement. 12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys’ failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion. 13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction. 14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
Page 7: Table Of Contents
Navigating the Command Line Interface ... 1-8 Chapter 2: Configuring Switches in a Stack About SecureStack C2 Switch Operation in a Stack ... 2-1 Installing a New Stackable System of Up to Eight Units ... 2-2 Installing Previously-Configured Systems in a Stack ... 2-3 Adding a New Unit to an Existing Stack ...
Page 8 ... 3-34 set boot system ... 3-34 Starting and Configuring Telnet ... 3-35 Purpose ... 3-35 Commands ... 3-35 show telnet ... 3-36 set telnet ... 3-36 telnet... 3-37 Managing Switch Configuration and Files ... 3-37 Configuration Persistence Mode ... 3-37...
Page 9 Clearing and Closing the CLI ... 3-47 Purpose ... 3-47 Commands ... 3-47 cls (clear screen) ... 3-47 exit ... 3-47 Resetting the Switch ... 3-48 Purpose ... 3-48 Commands ... 3-48 reset... 3-48 clear config ... 3-49 Using and Configuring WebView ... 3-50 Purpose ...
Page 10 ... 6-29 Chapter 7: Port Configuration Port Configuration Summary ... 7-1 C2H124-48 and C2H124-48P Switch Ports ... 7-1 C2G124-24, C2G124-48, and C2G124-48P Switch Ports ... 7-1 C2G134-24P Switch Ports ... 7-2 C2K122-24 Switch Ports ... 7-2 C2G170-24 Switch Ports ... 7-2 Port String Syntax Used in the CLI ...
Page 11 Reviewing Port Status ... 7-3 Purpose ... 7-3 Commands ... 7-3 show port ... 7-3 show port status ... 7-4 show port counters ... 7-5 Disabling / Enabling and Naming Ports ... 7-6 Purpose ... 7-6 Commands ... 7-7 set port disable ... 7-7 set port enable...
Page 12 Commands ... 7-30 show port broadcast ... 7-30 set port broadcast... 7-31 clear port broadcast... 7-31 Port Mirroring ... 7-33 Mirroring Features ... 7-33 Configuring SMON MIB Port Mirroring ... 7-33 Purpose ... 7-34 Commands ... 7-34 show port mirroring... 7-35 set port mirroring ...
Page 13 set snmp user ... 8-9 clear snmp user ... 8-10 show snmp group ... 8-11 set snmp group ... 8-12 clear snmp group ... 8-12 show snmp community ... 8-13 set snmp community... 8-14 clear snmp community... 8-14 Configuring SNMP Access Rights ... 8-15 Purpose ...
Page 14 Chapter 9: Spanning Tree Configuration Spanning Tree Configuration Summary ... 9-1 Overview: Single, Rapid, and Multiple Spanning Tree Protocols ... 9-1 Spanning Tree Features ... 9-2 Loop Protect ... 9-2 Configuring Spanning Tree Bridge Parameters ... 9-3 Purpose ... 9-3 Commands ...
Page 15 set spantree legacypathcost... 9-31 clear spantree legacypathcost ... 9-32 Configuring Spanning Tree Port Parameters ... 9-33 Purpose ... 9-33 Commands ... 9-33 set spantree portadmin... 9-33 clear spantree portadmin... 9-34 show spantree portadmin ... 9-34 show spantree portpri ... 9-35 set spantree portpri...
Page 16 clear vlan ... 10-6 clear vlan name ... 10-7 Assigning Port VLAN IDs (PVIDs) and Ingress Filtering ... 10-8 Purpose ... 10-8 Commands ... 10-8 show port vlan ... 10-8 set port vlan ... 10-9 clear port vlan ... 10-9 show port ingress filter...
Page 17 Commands ... 11-15 set policy port ... 11-15 clear policy port ... 11-16 Configuring Policy Class of Service (CoS) ... 11-17 About Policy-Based CoS Configurations ... 11-17 About CoS-Based Flood Control ... 11-19 Commands ... 11-20 set cos state ... 11-20 show cos state...
Page 18 Chapter 13: IGMP Configuration IGMP Overview ... 13-1 About IP Multicast Group Management ... 13-1 About Multicasting ... 13-2 Configuring IGMP at Layer 2 ... 13-2 Purpose ... 13-2 Commands ... 13-2 show igmpsnooping ... 13-2 set igmpsnooping adminmode... 13-3 set igmpsnooping interfacemode...
Page 19 ... 14-13 ping... 14-14 show users ... 14-14 disconnect ... 14-15 show netstat ... 14-15 Managing Switch Network Addresses and Routes ... 14-17 Purpose ... 14-17 Commands ... 14-17 show arp ... 14-17 set arp... 14-18 clear arp... 14-19 traceroute ...
Page 20 History Group Commands ... 15-6 Purpose ... 15-6 Commands ... 15-6 show rmon history ... 15-6 set rmon history ... 15-7 clear rmon history ... 15-7 Alarm Group Commands ... 15-9 Purpose ... 15-9 Commands ... 15-9 show rmon alarm ... 15-9 set rmon alarm properties...
Page 21 clear dhcp server statistics ... 16-10 Configuring IP Address Pools ... 16-12 Manual Pool Configuration Considerations ... 16-12 Purpose ... 16-12 Commands ... 16-12 set dhcp pool ... 16-13 clear dhcp pool ... 16-14 set dhcp pool network... 16-14 clear dhcp pool network... 16-15 set dhcp pool hardware-address ...
Page 22 show dhcpsnooping binding ... 17-12 show dhcpsnooping statistics ... 17-13 clear dhcpsnooping binding ...17-14 clear dhcpsnooping statistics... 17-14 clear dhcpsnooping database... 17-14 clear dhcpsnooping limit ... 17-15 Dynamic ARP Inspection Overview ... 17-16 Functional Description ... 17-16 Basic Configuration ... 17-18 Example Configuration ...
Page 23 ip helper-address ... 19-14 Reviewing IP Traffic and Configuring Routes ... 19-15 Purpose ... 19-15 Commands ... 19-15 show ip route ... 19-15 ip route... 19-17 ping... 19-17 traceroute ... 19-18 Configuring ICMP Redirects ... 19-19 Purpose ... 19-19 Commands ... 19-19 ip icmp redirect enable ...
Page 24 show ip ospf... 20-26 show ip ospf database... 20-27 show ip ospf interface ... 20-28 show ip ospf neighbor... 20-30 show ip ospf virtual-links... 20-31 clear ip ospf process... 20-31 Configuring DVMRP ... 20-33 Purpose ... 20-33 Commands ... 20-33 Enabling DVMRP on an Interface ...
Page 25 Chapter 21: IPv6 Management Purpose ... 21-1 Commands ... 21-1 show ipv6 status ... 21-1 set ipv6 ... 21-2 set ipv6 address ... 21-3 show ipv6 address... 21-4 clear ipv6 address ... 21-4 set ipv6 gateway... 21-5 clear ipv6 gateway... 21-6 show ipv6 neighbors...
Page 26 set macauthentication portinitialize... 23-26 set macauthentication portquietperiod... 23-26 clear macauthentication portquietperiod... 23-27 set macauthentication macinitialize ... 23-27 set macauthentication reauthentication ... 23-28 set macauthentication portreauthenticate...23-28 set macauthentication macreauthenticate ... 23-29 set macauthentication reauthperiod ...23-29 clear macauthentication reauthperiod ... 23-30 set macauthentication significant-bits ... 23-31 clear macauthentication significant-bits ...
Page 27 Abbreviating a Command ... 1-10 10-1 Example of VLAN Propagation via GVRP ... 10-21 Tables Default Settings for Basic Switch Operation ... 1-2 Default Settings for Router Operation ... 1-4 Basic Line Editing Commands... 1-10 Required CLI Setup Commands... 3-1 Optional CLI Setup Commands...
Page 28 15-2 show rmon alarm Output Details ... 15-10 15-3 show rmon event Output Details ... 15-14 18-1 Enabling the Switch for Routing ... 18-2 18-2 Router CLI Configuration Modes ... 18-2 19-1 show ip interface Output Details ... 19-4 19-2 show ip arp Output Details ...
Page 29 20-9 show ip pimsm interface vlan Output Details... 20-55 20-10 show ip pimsm interface stats Output Details... 20-55 20-11 show ip pimsm neighbor Output Details ... 20-56 20-12 show ip pimsm rp Output Details ... 20-57 20-13 show ip pimsm staticrp Output Details ... 20-59 23-1 show radius Output Details...
Page 30 xxviii...
Page 31: About This Guide
Welcome to the Enterasys access the device’s Command Line Interface (CLI) and how to use it to configure SecureStack C2 switch devices. Depending on the firmware version used in your SecureStack device, some features described in this document may not be supported. Refer to the Release Notes shipped with your device to determine which features are supported. Using This Guide A general working knowledge of basic network operations and an understanding of CLI ...
Page 32 Structure of This Guide Chapter 5, Configuring System Power and PoE, describes the commands used to review and set system power and PoE parameters on devices that offer Power over Ethernet. Chapter 6, Discovery Protocol Configuration provides how to configure discovery protocols supported by the device. Chapter 7, Port Configuration, describes how to review and configure console port settings, and how to enable or disable switch ports and configure switch port settings, including port speed, duplex mode, auto‐negotiation, flow control, port mirroring, link aggegation and broadcast suppression. Chapter 8, SNMP Configuration, describes how to configure SNMP users and user groups, access rights, target addresses, and notification parameters. Chapter 9, Spanning Tree Configuration, describes how to review and set Spanning Tree bridge parameters for the device, including bridge priority, hello time, maximum aging time and forward delay; and how to review and set Spanning Tree port parameters, including port priority and path costs. Configuring the SpanGuard and Loop Protect functions is also described. Chapter 10, 802.1Q VLAN Configuration, describes how to create static VLANs, select the mode of operation for each port, establish VLAN forwarding (egress) lists, route frames according to VLAN ID, display the current ports and port types associated with a VLAN and protocol, create a secure management VLAN, and configure ports on the device as GVRP‐aware ports. Chapter 11, Policy Classification Configuration, describes how to create, change or remove user roles or profiles based on business‐specific use of network services; how to permit or deny access to specific services by creating and assigning classification rules which map user profiles to frame filtering policies; how to classify frames to a VLAN or Class of Service (CoS); and how to assign or unassign ports to policy profiles so that only ports activated for a profile will be allowed to transmit frames accordingly. Chapter 12, Port Priority and Rate Limiting Configuration, describes how to set the transmit priority of each port and configure a rate limit for a given port and list of priorities. Chapter 13, IGMP Configuration, describes how to configure Internet Group Management ...
Page 33: Related Documents
Chapter 20, IPv4 Routing Protocol Configuration, describes how to configure IP routing and routing protocols, including RIP, OSPF, DVMRP, IRDP, and VRRP. Chapter 21, IPv6 Management, describes the commands used to configure IPv6 at the switch level. Chapter 22, IPv6 Proxy Routing, describes the commands used to enable IPv6 proxy routing and the suggested procedure to configure a mixed C2 and C3 stack to use IPv6 proxy routing. Chapter 23, Authentication and Authorization Configuration, describes how to configure 802.1X authentication using EAPOL, how to configure RADIUS server, Secure Shell server, MAC authentication, MAC locking, Port Web Authentication, and IP access control lists (ACLs). Related Documents The following Enterasys Networks documents may help you to set up, control, and manage the SecureStack device: • Enterasys Firmware Feature Guides • SecureStack C2 Installation Guide(s) • SecureStack C2 Redundant Power System Installation Guide Documents listed above, can be obtained from the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following web site: http://www.enterasys.com/support/manuals/ Conventions Used in This Guide The following conventions are used in the text of this document: Convention Bold font italic font Courier font Courier font in italics...
Page 34: Getting Help
• The switch history (for example, have you returned the switch before, is this a recurring problem?) • Any previous Return Material Authorization (RMA) numbers xxxii About This Guide http://www.enterasys.com/services/support 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000 For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/services/support support@enterasys.com To expedite your message, type [C-Series] in the subject line.
Page 35: Chapter 1: Introduction
This chapter provides an overview of the SecureStack C2’s unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the switch, factory default settings, and information about how to use the Command Line Interface to configure the switch. For information about... SecureStack C2 CLI Overview Switch Management Methods Factory Default Settings Using the Command Line Interface SecureStack C2 CLI Overview The Enterasys Networks SecureStack C2 CLI interface allows you to perform a variety of network management tasks, including the following: • Use CLI commands to perform network management and switch configuration operations. • Download a new firmware image. • Assign IP address and subnet mask. • Select a default gateway. • Establish and manage Virtual Local Area Networks (VLANs). • Establish and manage policy profiles and classifications.
Page 36: Factory Default Settings
• In‐band using the Enterasys NetSight • Remotely using WebView™, Enterasys Networks’ embedded web server application. The Installation Guide for your SecureStack C2 device provides setup instructions for connecting a terminal or modem to the switch. Factory Default Settings The following tables list factory default settings available on the SecureStack C2 switch. Table 1-1 Default Settings for Basic Switch Operation Feature Switch Mode Defaults CDP discovery protocol CDP authentication code CDP hold time CDP interval Cisco discovery protocol Cisco DP hold time...
Page 37 Enabled on all ports. Port advertised ability Maximum ability advertised on all ports. Port broadcast suppression Enabled and set to limit broadcast packets to 14,881 per second on all switch ports. Port duplex mode Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to full duplex.
Page 38: Default Settings For Router Operation
Factory Default Settings Table 1-1 Default Settings for Basic Switch Operation (Continued) Feature SNMP SNTP Spanning Tree Spanning Tree edge port administrative status Spanning Tree edge port delay Spanning Tree forward delay Spanning Tree hello interval Spanning Tree ID (SID)
Page 39 Table 1-2 Default Settings for Router Operation (Continued) Output... Area authentication (OSPF) Area default cost (OSPF) Area NSSA (OSPF) Area range (OSPF) ARP table ARP timeout Authentication key (RIP and OSPF) Authentication mode (RIP and OSPF) Dead interval (OSPF) Disable triggered updates (RIP) Distribute list (RIP) DVMRP Hello interval (OSPF)
Page 40: Using The Command Line Interface
Enterasys Networks, Inc. 50 Minuteman Rd. Andover, MA 01810-1008 U.S.A. Phone: +1 978 684 1000 E-mail: support@enterasys.com WWW: http://www.enterasys.com (c) Copyright Enterasys Networks, Inc. 2008 Chassis Serial Number: Chassis Firmware Revision: C2(su)-> 1-6 Introduction What it displays... Enabled for RIP packets without poison reverse.
Page 41: Logging In
Connecting Using Telnet Once the SecureStack C2 device has a valid IP address, you can establish a Telnet session from any TCP/IP based node on the network. For information about setting the switch’s IP address, refer to “set ip address” on page 3‐11. To establish a Telnet session: Telnet to the switch’s IP address. Enter login (user name) and password information in one of the following ways: – If the switch’s default login and password settings have not been changed, follow the steps listed in “Using a Default User Account” on page 1‐7, or – Enter an administratively‐configured user name and password. The notice of authorization and the prompt displays as shown in Figure For information about configuring Telnet settings, refer to “Starting and Configuring Telnet” on page 3‐35. Refer to the instructions included with the Telnet application for information about establishing a Telnet session. Logging In By default, the SecureStack C2 switch is configured with three user login accounts—ro for Read‐Only access, rw for Read‐Write access, and admin for super‐user access to all modifiable parameters. The default password is set to a blank string. For information on changing these default settings, refer to “Setting User Accounts and Passwords” on page 3‐2. Using a Default User Account If this is the first time you are logging in to the SecureStack C2 switch, or if the default user accounts have not been administratively changed, proceed as follows: At the login prompt, enter one of the following default user names: – ro for Read‐Only access. –...
Page 42: Navigating The Command Line Interface
Using the Command Line Interface Navigating the Command Line Interface Getting Help with CLI Syntax The SecureStack C2 switch allows you to display usage and syntax information for individual commands by typing help or ? after the command. CLI Command Defaults Descriptions Each command description in this guide includes a section entitled “Defaults” which contains different information from the factory default settings on the switch described in Table section defines CLI behavior if the user enters a command without typing optional parameters (indicated by square brackets [ ]). For commands without optional parameters, the defaults section lists “None”. For commands with optional parameters, this section describes how the CLI responds if the user opts to enter only the keywords of the command syntax. Figure an example. Figure 1-2 Sample CLI Defaults Description Syntax show port status [port-string] Defaults If port‐string is not specified, status information for all ports will be displayed. ...
Page 43: Performing A Partial Keyword Lookup
Scrolling Screen Output C2(su)->show mac MAC Address ---------------------------------------------------------- 00-00-1d-67-68-69 00-00-02-00-00-00 00-00-02-00-00-01 00-00-02-00-00-02 00-00-02-00-00-03 00-00-02-00-00-04 00-00-02-00-00-05 00-00-02-00-00-06 00-00-02-00-00-07 00-00-02-00-00-08 --More-- Abbreviating and Completing Commands The SecureStack C2 switch allows you to abbreviate CLI commands and keywords down to the number of characters that will allow for a unique abbreviation. Figure abbreviate the show netstat command to sh net. 1‐4 shows how to use this function for all copy Port Type host Management ge.1.2 Learned ge.1.3 Learned ge.1.4 Learned ge.1.5 Learned ge.1.6...
Page 44: Abbreviating A Command
Using the Command Line Interface Figure 1-6 Abbreviating a Command C2(su)->sh net Active Internet connections (including servers) Proto Recv-Q Send-Q ----- ------ ------ Basic Line Editing Commands The CLI supports EMACs‐like line editing commands. Table commands. Table 1-3 Basic Line Editing Commands Key Sequence Ctrl+A Ctrl+B Ctrl+D Ctrl+E Ctrl+F Ctrl+H...
Page 45: About Securestack C2 Switch Operation In A Stack
This chapter provides information about configuring SecureStack C2 switches in a stack. For information about ... About SecureStack C2 Switch Operation in a Stack Installing a New Stackable System of Up to Eight Units Installing Previously-Configured Systems in a Stack Adding a New Unit to an Existing Stack Creating a Virtual Switch Configuration...
Page 46: Installing A New Stackable System Of Up To Eight Units
SecureStack C2 Installation Guides. Once all of the stack cables have been connected, individually power on each unit from top to bottom. Notes: Ensure that each switch is fully operational before applying power to the next switch. Since unit IDs are assigned on a first-come, first-served basis, this will ensure that unit IDs are ordered sequentially. Once unit IDs are assigned, they are persistent and will be retained during a power cycle to any or all of the units.
Page 47: Installing Previously-Configured Systems In A Stack
Adding a New Unit to an Existing Stack Use the following procedure for installing a new unit to an existing stack configuration. This procedure assumes that the new unit being added has a clean configuration from manufacturing and is running the same firmware image version as other units in the stack. Ensure that power is off on the new unit being installed. Use one of the following methods to complete stack cable connections: – If the running stack uses a daisy chain topology, make the stack cable connections from the bottom of the stack to the new unit (that is, STACK DOWN port from the bottom unit of the running stack to the STACK UP port on the new unit). – If the running stack uses a ring stack topology, break the ring and make the stack cable connections to the new unit to close the ring. Apply power to the new unit. Creating a Virtual Switch Configuration You can create a configuration for a SecureStack C2 switch before adding the actual physical device to a stack. This preconfiguration feature includes configuring protocols on the ports of the “virtual switch.” Installing Previously-Configured Systems in a Stack SecureStack C2 Configuration Guide 2-3...
Page 48 C2(su)->show port vlan ge.2.1 ge.2.1 is set to 555 Note: If you preconfigure a virtual switch and then add a physical switch of a different type to the stack as that unit number, any configured functionality that cannot be supported on the physical switch will cause a configuration mismatch status for that device and the ports of the new device will join detached.
Page 49: Considerations About Using Clear Config In A Stack
Issues Related to Mixed Type Stacks Feature Support Because the SecureStack C2 and C3 switches have different hardware architectures, the functionality supported by the two switch types is different. When the two types of switches are mixed in a stack, the functionality supported will be the lowest common denominator of features supported on all platforms. Refer to the firmware Release Notes for information about supported features. Configuration Common Firmware Version Mixed stacking is only supported by SecureStack C2 firmware version 5.00.xx and higher. (If you are using a C3K switch, the firmware version must be 5.02.xx or higher.) In order to mix SecureStack C3 switches with C2 switches, you must install the C2 firmware (version 5.00.xx or higher, or version 5.02.xx or higher for C3K devices) on the C3 switch. You can install the C2 firmware first, with the C3 switch in stand‐alone mode, or you can add the C3 switch to the stack and then copy the C2 firmware to the C3 switch using the set switch copy‐fw command (page 2‐ 10). After copying the C2 firmware to the C3 switch, you must reset the stack. Switch Manager It is recommended that a SecureStack C3 switch be made the manager of a mixed stack. Use the set switch movemanagement command (page 2‐11) to change the manager unit. Considerations About Using Clear Config in a Stack SecureStack C2 Configuration Guide 2-5...
Page 50: Stacking Configuration And Management Commands
Use this command to display information about one or more units in the stack. Syntax show switch [status] [unit] Parameters status unit Defaults If not specified, status and other configuration information about all units will be displayed. Mode Switch command, read‐only. Usage After a stack has been configured, you can use this command to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified ...
Page 51: Show Switch Switchtype
C2G124-24 C2G124-24 C2G124-24 C2G124-24 C2G124-24 Management Switch Unassigned Unassigned C2G124-24 C2G124-24 C2G124-24 Enterasys Networks, Inc. C2 -- Model C2G124-24 05.02.xx.xxxx 03.01.20 02.01.37 0 days 6 hrs 37 mins 54 secs Full C2G124-24 Enterasys Networks, Inc. C2 -- Model C2G124-24 C2G124-24 Enterasys Networks, Inc.
Page 52: Show Switch Stack-Ports
[unit] 2-8 Configuring Switches in a Stack (Optional) Specifies the switch index (SID) of the switch type to display. Mgmt Code Pref Version 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0x56950200 C2G124-24 Enterasys Networks, Inc. C2 -- Model C2G124-24 0xa08245 C2G124-24...
Page 53: Set Switch
C2(ro)->show switch stack-ports Stacking Switch Port ------ ---------- ------ ---------- ---------- ------ ---------- -------- Down set switch Use this command to assign a switch ID, to set a switch’s priority for becoming the management switch if the previous management switch fails, or to change the switch unit ID for a switch in the stack. Syntax set switch {unit [priority value | renumber newunit]} Parameters unit priority value renumber newunit Defaults None. Mode Switch command, read‐write. (Optional) Specifies the switch unit ID, an integer ranging from 1 to 8. ------------TX-------------- ------------RX-----------...
Page 54: Set Switch Copy-Fw
Examples This example shows how to assign priority 3 to switch 5: C2(su)->set switch 5 priority 3 This example shows how to renumber switch 5 to switch 7: C2(su)->set switch 5 renumber 7 set switch copy-fw Use this command to replicate the code image file from the management switch to other switch(es) in the stack. Syntax set switch copy-fw [destination-system unit] Parameters destination‐system unit Defaults If destination‐system is not specified, the management image file will be replicated to all switches in the stack. Mode Switch command, read‐write. Example This example shows how to replicate the management image file to all switches in the stack: C2(su)->set switch copy-fw Are you sure you want to copy firmware? (y/n) y Code transfer completed successfully.
Page 55: Set Switch Movemanagement
Mode Switch command, read‐write. Example This example shows how to assign the name “FirstUnit” to switch unit 1 in the stack: C2(su)->set switch description 1 FirstUnit set switch movemanagement Use this command to move management switch functionality from one switch to another. Syntax set switch movemanagement fromunit tounit Parameters fromunit tounit Defaults None. Mode Switch command, read‐write. Example This example shows how to move management functionality from switch 1 to switch 2: C2(su)->set switch movemenagement 1 2 Moving stack management will unconfigure entire stack including all interfaces.
Page 56: Clear Switch Member
Mode Switch command, read‐write. Usage Refer to “Creating a Virtual Switch Configuration” on page 2‐3 for more information about how to add a virtual switch to a stack. Example This example shows how to specify a switch as unit 1 with a switch ID of 1: C2(su)->set switch member 1 1 clear switch member Use this command to remove a member entry from the stack. Syntax clear switch member unit Parameters unit Defaults None. Mode Switch command, read‐write. Example This example shows how to remove the switch 5 entry from the stack: C2(su)->clear switch member 5 2-12 Configuring Switches in a Stack...
Page 57: Chapter 3: Basic Configuration
Table 3-1 Required CLI Setup Commands Step Task Set a new password. Set the switch IP address. Download, activate, and verify new firmware on the switch using TFTP copy. Basic Configuration 3‐1 lists tasks and their associated CLI commands required for setting 3‐2 lists optional CLI commands that will help you CLI commands set password [username]...
Page 58: Setting User Accounts And Passwords
Set the per port broadcast limit Configure a VLAN. Set a Syslog server IP and severity Configure and enable a RADIUS server. Setting User Accounts and Passwords Purpose To change the switch’s default user login and password settings, and to add new user accounts and passwords. Commands For information about... show system login set system login clear system login set password...
Page 59: Show System Login
Use this command to display user login account information. Syntax show system login Parameters None. Defaults None. Mode Switch command, super user. Example This example shows how to display login account information. In this case, switch defaults have not been changed: C2(su)->show system login Password history size: 0 Password aging Username admin Table 3‐1 provides an explanation of the command output. Table 3-1 show system login Output Details Output Field Password history size...
Page 60: Set System Login
Use this command to create a new user login account, or to disable or enable an existing account. The SecureStack C2 switch supports up to 16 user accounts, including the admin account, which cannot be deleted. Syntax set system login username {super-user | read-write | read-only} {enable | disable} Parameters username super‐user | read‐write | read‐only enable | disable Defaults None. Mode Switch command, super user. Usage Login accounts, including the admin user account, can be locked out after multiple failed attempts to log in to the system. Refer to “show system lockout” on page 3‐7 and “set system lockout” on page 3‐8 for more information about lockout parameters. If the admin user account has been locked out, you must wait until the configured lockout time period has expired or you can power cycle the switch to reboot it, which will re‐enable the admin user account. Example This example shows how to enable a new user account with the login name “netops” with super ...
Page 61: Set Password
Parameters username Defaults None. Mode Switch command, super user. Example This example shows how to remove the “netops” user account: C2(su)->clear system login netops set password Use this command to change system default passwords or to set a new login password on the CLI. Syntax set password [username] Parameters username Defaults None. Mode Switch command, read‐write. Switch command, super‐user. Usage Read‐Write users can change their own passwords. Super Users (Admin) can change any password on the system. If you forget the password for the admin user account, you can reset the password to the default password value by pressing the password reset button on the switch. Specifies the login name of the account to be cleared. Note: The default admin (su) account cannot be deleted.
Page 62: Set System Password Length
Use this command to set the minimum user login password length. Syntax set system password length characters Parameters characters Defaults None. Mode Switch command, super user. Example This example shows how to set the minimum system password length to 8 characters: C2(su)->set system password length 8 set system password aging Use this command to set the number of days user passwords will remain valid before aging out, or to disable user account password aging. Syntax set system password aging {days | disable} 3-6 Basic Configuration Specifies the minimum number of characters for a user account password. ...
Page 63: Set System Password History
Parameters days disable Defaults None. Mode Switch command, super user. Example This example shows how to set the system password age time to 45 days: C2(su)->set system password aging 45 set system password history Use this command to set the number of previously used user login passwords that will be checked for password duplication. This prevents duplicate passwords from being entered into the system with the set password command. Syntax set system password history size Parameters size Defaults None. Mode Switch command, super user. Example This example shows how to configure the system to check the last 10 passwords for duplication C2(su)->set system password history 10 show system lockout Use this command to display settings for locking out users after failed attempts to log in to the ...
Page 64: Set System Lockout
Parameters None. Defaults None. Mode Switch command, super user. Example This example shows how to display user lockout settings. In this case, switch defaults have not been changed: C2(su)->show system lockout Lockout attempts: 3 Lockout time: Table 3‐3 provides an explanation of the command output. These settings are configured with the set system lockout command (“set system lockout” on page 3‐8). Table 3-3 show system lockout Output Details Output Field Lockout attempts Lockout time set system lockout Use this command to set the number of failed login attempts before locking out (disabling) a read‐...
Page 65: Setting Basic Switch Properties
Usage Once a user account is locked out, it can only be re‐enabled by a super user with the set system login command (page 3‐4). If the default admin super user account has been locked out, you can wait until the lock out time has expired or you can reset the switch in order to re‐enable the admin account. Example This example shows how to set login attempts to 5 and lockout time to 30 minutes: C2(su)->set system lockout attempts 5 time 30 Setting Basic Switch Properties Purpose To display and set the system IP address and other basic system (switch) properties. Commands For information about... show ip address set ip address clear ip address show ip protocol set ip protocol show system...
Page 66: Show Ip Address
Use this command to display the system IP address and subnet mask. Syntax show ip address Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the system IP address and subnet mask: C2(su)->show ip address Name ---------------- host 3-10 Basic Configuration Address Mask ---------------- ---------------- 10.42.13.20 255.255.0.0 Refer to page...
Page 67: Set Ip Address
IP. The host's gateway must exist on a different device in the network if one is configured. Syntax set ip address ip-address [mask ip-mask] [gateway ip-gateway] Parameters ip‐address mask ip‐mask gateway ip‐gateway Defaults If not specified, ip‐mask will be set to the natural mask of the ip‐address and ip‐gateway will be set to the ip‐address. Mode Switch command, read‐write. Usage Parameters must be entered in the order shown (host IP, then mask, then gateway) for the command to be accepted. Example This example shows how to set the system IP address to C2(su)->set ip address 10.1.10.1 mask 255.255.128.0 clear ip address Use this command to clear the system IP address. Syntax clear ip address Parameters None.
Page 68: Show Ip Protocol
Mode Switch command, read‐write. Example This example shows how to clear the system IP address: C2(rw)->clear ip address show ip protocol Use this command to display the method used to acquire a network IP address for switch management. Syntax show ip protocol Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the method used to acquire a network IP address: C2(su)->show ip protocol System IP address acquisition method: dhcp set ip protocol Use this command to specify the protocol used to acquire a network IP address for switch ...
Page 69: Show System
Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display system information: C2(su)->show system System contact: System location: System name: Switch 1 -------- PS1-Status ---------- Fan1-Status ----------- Temp-Alarm ----------- Thermal Threshold: 58% Temp alarm max threshold: Temp alarm trap: disabled Temp alarm syslog: disabled...
Page 70: Show System Hardware
Name identifying the system. Default of a blank string can be changed with the set system name command (“set system Indicates the switch position in the stack. When multiple switches are in a stack, information for each switch is displayed. Operational status for the primary power supply.
Page 71: Show System Utilization
Mode Switch command, read‐only. Example This example shows how to display the system’s hardware configuration. Please note that the information you see displayed may differ from this example. C2(su)->show system hardware SLOT 1 HARDWARE INFORMATION --------------------------- Model: Serial Number: Vendor ID: Base MAC Address: Hardware Version: FirmWare Version: Boot Code Version: show system utilization Use this command to display detailed information about the processor running on the switch, or the overall memory usage of the Flash and SDRAM storage devices on the unit, or the processes running on the switch. Only the memory usage in the master unit of a stack is shown. Syntax show system utilization {cpu | storage | process}...
Page 72: Show System Enhancedbuffermode
Type Description --------------------------------------------------------------- RAM device Flash Images, Config, Other This example shows how to display information about the processes running on the system. Only partial output is shown. C2(ro)->show system utilization process Switch:1 CPU:1 Name ---------------------------------------------------------- c157930 ipMapForwardingTask cc70000 RMONTask ccb0b60 SNMPTask d4847a0 tEmWeb d4ca360 hapiRxTask dec8600 lvl7TaskUtilMonitorTas eb74120 bcmRX eb7fbc8 bcmLINK.0 f00c9a0 bcmTX f027648 bcmCNTR.0...
Page 73: Set System Temperature
Syntax set system enhancedbuffermode {enable | disable} Parameters enable | disable Defaults None. Mode Switch command, read‐write. Example This example shows how to enable enhanced buffer mode: C2(su)->set system enhancedbuffermode enable Changes in the enhanced buffer mode will require resetting this unit. Are you sure you want to continue? (y/n) set system temperature Use this command to set the system high temperature threshold limit and the high temperature ...
Page 74: Clear System Temperature
Example The following example enables sending SNMP traps and sets the overtemp threshold to 60%. C2(su)->set system temperature trap enable overtemp-threshold 60 clear system temperature Use this command to reset system high temperature parameters to their default values, on the platforms that support this feature. Syntax clear system temperature Parameters None. Defaults None. Mode Switch command, read‐write. Usage This command resets all the high temperature parameters to their default values: • Syslog alerts are disabled by default. • Trap alerts are disabled by default. • Overtemp threshold is 100% by default. Example This example resets all high temperature parameters to their defaults. C2(su)->clear system temperature 3-18 Basic Configuration...
Page 75: Show Time
Use this command to display the current time of day in the system clock. Syntax show time Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the current time. The output shows the day of the week, month, day, and the time of day in hours, minutes, and seconds and the year: C2(su)->show time THU SEP 05 09:21:57 2002 set time Use this command to change the time of day on the system clock. Syntax set time [mm/dd/yyyy] [hh:mm:ss] Parameters [mm/dd/yyyy] [hh:mm:ss] Defaults None. Mode Switch command, read‐write. Example This example shows how to set the system clock to 7:50 a.m: C2(su)->set time 7:50:00 Sets the time in:...
Page 76: Show Summertime
Syntax show summertime Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display daylight savings time settings: C2(su)->show summertime Summertime is disabled and set to '' Start : SUN APR 04 02:00:00 2004 : SUN OCT 31 02:00:00 2004 Offset: 60 minutes (1 hours 0 minutes)
Page 77: Set Summertime Date
Defaults If an offset is not specified, none will be applied. Mode Switch command, read‐write. Example This example shows how to set a daylight savings time start date of April 4, 2004 at 2 a.m. and an ending date of October 31, 2004 at 2 a.m. with an offset time of one hour: C2(su)->set summertime date April 4 2004 02:00 October 31 2004 02:00 60 set summertime recurring Use this command to configure recurring daylight savings time settings. These settings will start and stop daylight savings time at the specified day of the month and hour each year and will not have to be reset annually. Syntax set summertime recurring start_week start_day start_month start_hr_min end_week end_day end_month end_hr_min [offset_minutes] Specifies the month of the year to start daylight savings time.
Page 78: Clear Summertime
Parameters start_week start_day start_hr_min end_week end_day end_hr_min offset_minutes Defaults If an offset is not specified, none will be applied. Mode Switch command, read‐write. Example This example shows how set daylight savings time to recur starting on the first Sunday of April at 2 a.m. and ending the last Sunday of October at 2 a.m. with an offset time of one hour: C2(su)->set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60 clear summertime Use this command to clear the daylight savings time configuration. Syntax clear summertime Parameters None. Defaults None. Mode Switch command, read‐write.
Page 79: Set Prompt
Use this command to modify the command prompt. Syntax set prompt prompt_string Parameters prompt_string Defaults None. Mode Switch command, read‐write. Example This example shows how to set the command prompt to Switch 1: C2(su)->set prompt “Switch 1” Switch 1(su)-> show banner motd Use this command to show the banner message of the day that will display at session login. Syntax show banner motd Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the banner message of the day: C2(rw)->show banner motd This system belongs to XYZ Corporation.
Page 80: Set Banner Motd
The message itself cannot contain any additional double quotation marks. Syntax set banner motd message Parameters message Defaults None. Mode Switch command, read‐write. Example This example shows how to set the message of the day banner to read: “This system belongs to XYZ Corporation. Use of this system is strictly limited to authorized personnel.” C2(rw)->set banner motd "\tThis system belongs to XYZ Corporation.\nUse of this system is strictly limited to authorized personnel." clear banner motd Use this command to clear the banner message of the day displayed at session login to a blank ...
Page 81: Show Version
Syntax show version Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display version information. Please note that you may see different information displayed, depending on the type of hardware. C2(su)->show version Copyright (c) 2007 by Enterasys Networks, Inc. Model -------------- C2G124-48P Table 3‐5 provides an explanation of the command output. Table 3-5 show version Output Details Output Field Model Serial # Versions Serial #...
Page 82: Set System Name
Use this command to configure a name for the system. Syntax set system name [string] Parameters string Defaults If string is not specified, the system name will be cleared. Mode Switch command, read‐write. Example This example shows how to set the system name to Information Systems: C2(su)->set system name “Information Systems” set system location Use this command to identify the location of the system. Syntax set system location [string] Parameters string Defaults If string is not specified, the location name will be cleared. Mode Switch command, read‐write.
Page 83: Set System Contact
Use this command to identify a contact person for the system. Syntax set system contact [string] Parameters string Defaults If string is not specified, the contact name will be cleared. Mode Switch command, read‐write. Example This example shows how to set the system contact string: C2(su)->set system contact “Joe Smith” set width Use this command to set the number of columns for the terminal connected to the switch’s console port. Syntax set width screenwidth [default] Parameters screenwidth default Defaults None. Mode Switch command, read‐write. Usage The number of rows of CLI output displayed is set using the set length command as described in ...
Page 84: Set Length
Example This example shows how to set the terminal columns to 50: C2(su)->set width 50 set length Use this command to set the number of lines the CLI will display. This command is persistent (written to NV‐RAM). Syntax set length screenlength Parameters screenlength Defaults None. Mode Switch command, read‐write. Example This example shows how to set the terminal length to 50: C2(su)->set length 50 show logout Use this command to display the time (in seconds) an idle console or Telnet CLI session will remain connected before timing out. Syntax show logout Parameters None. Defaults None. Mode Switch command, read‐only. 3-28 Basic Configuration Sets the number of lines in the CLI display. Valid values are 0, which ...
Page 85: Set Logout
Logout currently set to: 10 minutes. set logout Use this command to set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out. Syntax set logout timeout Parameters timeout Defaults None. Mode Switch command, read‐write. Example This example shows how to set the system timeout to 10 minutes: C2(su)->set logout 10 show console Use this command to display console settings. Syntax show console [baud] [bits] [flowcontrol] [parity] [stopbits] Parameters baud bits flowcontrol...
Page 86: Set Console Baud
Mode Switch command, read‐only. Example This example shows how to display all console settings: C2(su)->show console Baud Flow ------ ------- 9600 Disable set console baud Use this command to set the console port baud rate. Syntax set console baud rate Parameters rate Defaults None. Mode Switch command, read‐write. Example This example shows how to set the console port baud rate to 19200: C2(su)->set console baud 19200 Downloading a Firmware Image You can upgrade the operational firmware in the SecureStack C2 switch without physically ...
Page 87: Downloading From A Tftp Server
– Tera Term Pro Version 2.3 Any other terminal applications may work but are not explicitly supported. The C2 switch allows you to download and store dual images. The backup image can be downloaded and selected as the startup image by using the commands described in this section. Downloading from a TFTP Server To perform a TFTP download, proceed as follows: If you have not already done so, set the switch’s IP address using the set ip address command as detailed in “set ip address” on page 3‐11. Download a new image file using the copy command as detailed in “copy” on page 3‐43. Downloading via the Serial Port To download switch firmware via the serial (console) port, proceed as follows: With the console port connected, power up the switch. The following message displays: Version 01.00.29 05-09-2005 Computing MD5 Checksum of operational code... Select an option. If no selection in 2 seconds then operational code will start.
Page 88 Ready to RECEIVE File xcode.bin in binary mode Send several Control-X characters to cCKCKCKCKCKCKCK XMODEM transfer complete, checking CRC... Verified operational code CRC. The following Enterasys Header is in the image: MD5 Checksum...fe967970996c4c8c43a10cd1cd7be99a Boot File Identifier...0x0517 Header Version...0x0100 Image Type...0x82 Image Offset...0x004d...
Page 89: Reverting To A Previous Image
Load your previous version of code on the device, as described in “Downloading a Firmware Image” (page 3‐30). Set this older version of code to be the boot code with the set boot system command (page 3‐ 34). When the system asks if you want to reset the device, specify no (n). Reload the saved configuration onto the device with the configure command, described on page 3‐42. Reboot the system using the reset command (page 3‐48). Caution: If you do not follow the steps above, you may lose remote connectivity to the switch. Reviewing and Selecting a Boot Firmware Image Purpose To display and set the image file the switch loads at startup. The C2 switch allows you to download and store a backup image, which can be selected as the startup image by using the commands described in this section. Commands For information about...
Page 90: Show Boot System
Use this command to display the firmware image the switch loads at startup. Syntax show boot system Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the switch’s boot firmware image: C2(su)->show boot system Current system image to boot: bootfile set boot system Use this command to set the firmware image the switch loads at startup. Syntax set boot system filename Parameters filename Defaults None.
Page 91: Starting And Configuring Telnet
Compatibility: <platform specific> Filename: Version: Size: Date: CheckSum: 9f820d79239f10890442f8ff1f2bc914 Compatibility: <platform specific> Starting and Configuring Telnet Purpose To enable or disable Telnet, and to start a Telnet session to a remote host. The SecureStack C2 switch allows a total of four inbound and / or outbound Telnet session to run simultaneously. Commands For information about... show telnet set telnet telnet c2_05.02.00.0026 (Active) 05.02.00.0026 9405440 (bytes) Fri Jul 18 12:48:35 2008 c2_05.02.03.0007 (Boot) 05.02.03.0007...
Page 92: Show Telnet
Use this command to display the status of Telnet on the switch. Syntax show telnet Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display Telnet status: C2(su)->show telnet Telnet inbound is currently: ENABLED Telnet outbound is currently: ENABLED set telnet Use this command to enable or disable Telnet on the switch. Syntax set telnet {enable | disable} [inbound | outbound | all] Parameters enable | disable...
Page 93: Telnet
Use this command to start a Telnet connection to a remote host. The SecureStack C2 switch allows a total of four inbound and / or outbound Telnet session to run simultaneously. Syntax telnet host [port] Parameters host port Defaults If not specified, the default port number 23 will be used. Mode Switch command, read‐write. Example This example shows how to start a Telnet session to a host at 10.21.42.13: C2(su)->telnet 10.21.42.13 Managing Switch Configuration and Files Configuration Persistence Mode The default state of configuration persistence mode is “auto,” which means that when CLI configuration commands are entered, or when a configuration file stored on the switch is executed, the configuration is saved to NVRAM automatically at the following intervals: • On a standalone unit, the configuration is checked every two minutes and saved if there has been a change. • On a stack, the configuration is saved across the stack every 30 minutes if there has been a change. If you want to save a running configuration to NVRAM more often than the automatic intervals, execute the save config command and wait for the system prompt to return. After the prompt returns, the configuration will be persistent. You can change the persistence mode from “auto” to “manual” with the set snmp persistmode command. If the persistence mode is set to “manual,” configuration commands will not be ...
Page 94: Purpose
Use this command to display the configuration persistence mode setting. Syntax show snmp persistmode Parameters None. Defaults None. Mode Switch command, read‐only. Usage By default, the mode is set to “auto save,” which automatically saves configuration changes at specific intervals. If the mode is set to “manual,” configuration commands are never automatically 3-38 Basic Configuration Refer to page... 3-38 3-39 3-39 3-40 3-41 3-41 3-42...
Page 95: Set Snmp Persistmode
Use this command to set the configuration persistence mode, which determines whether user‐ defined configuration changes are saved automatically, or require issuing the save config command. See “Configuration Persistence Mode” on page 3‐37 for more information. Syntax set snmp persistmode {auto | manual} Parameters auto manual Defaults None. Mode Switch command, read‐write. Example This example shows how to set the configuration persistence mode to manual: C2(su)->set snmp persistmode manual save config Use this command to save the running configuration. If applicable, this command will save the configuration to all switch members in a stack. Syntax save config Parameters None. Sets the configuration persistence mode to automatic. This is the default state.
Page 96: Dir
Defaults None. Mode Switch command, read‐write. Example This example shows how to save the running configuration: C2(su)->save config Use this command to list configuration and image files stored in the file system. Syntax dir [filename] Parameters filename Defaults If filename is not specified, all files in the system will be displayed. Mode Switch command, read‐only. Example This example shows how to list all the configuration and image files in the system. The display indicates which image file is the Active file and which image file is the Boot file that will be used the next time the system reboots. C2(su)->dir Images: ================================================================== Filename: Version: Size: Date: CheckSum: Compatibility: <platform specific> Filename: Version: Size: Date: CheckSum: Compatibility: <platform specific>...
Page 97: Show File
Use this command to display the contents of a file. Syntax show file filename Parameters filename Defaults None. Mode Switch command, read‐only. Example This example shows how to display a text file named “mypolicy” in the configs/ directory. Note that only a portion of the file is shown in this example. C2(rw)->show file configs/mypolicy 3 : #policy 5 : set policy profile 1 name "Check GUEST" pvid-status enable pvid 4095 untagged- vlans 1 7 : set policy profile 2 name "User LABORATORIES" pvid-status enable pvid 680 cos- status enable cos 4 untagged-vlans 680 9 : set policy profile 3 name "Administrator"...
Page 98: Configure
Parameters facility outfile configs/filename Defaults By default, show config will display all non‐default configuration information for all facilities. Mode Switch command, read‐only. Usage The separate facilities that can be displayed by this command are identified in the display of the current configuration by a # preceding the facility name. For example, “#port” indicates the facility name “port.” Examples This example shows how to write the current configuration to a file named save_config2: C2(rw)->show config all outfile configs/save_config2 This example shows how to display configuration for the facility “port”. C2(rw)->show config port This command shows non-default configurations only. Use 'show config all' to show both default and non-default configurations.
Page 99: Copy
Parameters filename append Defaults If append is not specified, the current running configuration will be replaced with the contents of the configuration file, which will require an automated reset of the chassis. Mode Switch command, read‐write. Example This example shows how to execute the “Jan1_2004.cfg” configuration file: C2(su)->configure configs/Jan1_2004.cfg copy Use this command to upload or download an image or a CLI configuration file. Syntax copy source destination Parameters source destination Defaults None. Mode Switch command, read‐write. Examples This example shows how to download an image via TFTP: C2(su)->copy tftp://10.1.192.34/version01000 system:image This example shows how to download a configuration file to the configs directory: C2(su)->copy tftp://10.1.192.1/Jan1_2004.cfg configs/Jan1_2004.cfg Specifies the path and file name of the configuration file to execute. (Optional) Appends the configuration file contents to the current configuration. This is equivalent to typing the contents of the config file directly into the CLI and can be used, for example, to make incremental adjustments to the current configuration. Specifies location and name of the source file to copy. Options are a local file ...
Page 100: Delete
Use this command to remove an image or a CLI configuration file from the switch. Syntax delete filename Parameters filename Defaults None. Mode Switch command, read‐write. Usage Use the dir command (page 3‐40) to display current image and configuration file names. Example This example shows how to delete the “Jan1_2004.cfg” configuration file: C2(su)->delete configs/Jan1_2004.cfg show tftp settings Use this command to display TFTP settings used by the switch during data transfers using TFTP. Syntax show tftp settings Parameters None. Defaults None. Mode Switch command, read‐only. Usage The TFTP timeout value can be set with the set tftp timeout command. The TFTP retry value can be set with the set tftp retry command. 3-44 Basic Configuration Specifies the local path name to the file. Valid directories are /images and /configs.44.
Page 101: Set Tftp Timeout
TFTP packet timeout (seconds): 2 TFTP max retry: 5 set tftp timeout Use this command to configure how long TFTP will wait for a reply of either an acknowledgement packet or a data packet during a data transfer. Syntax set tftp timeout seconds Parameters seconds Defaults None. Mode Switch command, read‐write. Example This example sets the timeout period to 4 seconds. C2(rw)->set tftp timeout 4 clear tftp timeout Use this command to reset the TFTP timeout value to the default value of 2 seconds. Syntax clear tftp timeout Parameters None. Defaults None.
Page 102: Set Tftp Retry
This example shows how to clear the timeout value to the default of 2 seconds. C2(rw)-> clear tftp timeout set tftp retry Use this command to configure how many times TFTP will resend a packet, either an acknowledgement packet or a data packet. Syntax set tftp retry retry Parameters retry Defaults None. Mode Switch command, read‐write. Example This example sets the retry count to 3. C2(rw)->set tftp retry 3 clear tftp retry Use this command to reset the TFTP retry value to the default value of 5 retries. Syntax clear tftp retry Parameters None. Defaults None. Mode Switch command, read‐write.
Page 103: Clearing And Closing The Cli
Clearing and Closing the CLI Purpose To clear the CLI screen or to close your CLI session. Commands For information about... exit cls (clear screen) Use this command to clear the screen for the current CLI session. Syntax Parameters None Defaults None. Mode Switch command, read‐only. Example This example shows how to clear the CLI screen: C2(su)->cls exit Use either of these commands to leave a CLI session. Syntax exit Parameters None. Defaults None. Clearing and Closing the CLI Refer to page...
Page 104: Resetting The Switch
Resetting the Switch Mode Switch command, read‐only. Usage By default, switch timeout occurs after 15 minutes of user inactivity, automatically closing your CLI session. Use the set logout command (page 3‐29) to change this default. Example This example shows how to exit a CLI session: C2(su)->exit Resetting the Switch Purpose To reset one or more switches, and to clear the user‐defined configuration parameters. Commands For information about... reset clear config reset Use this command to reset the switch without losing any user‐defined configuration settings. Syntax reset [unit] Parameters unit Defaults If no unit ID is specified, the entire system will be reset. Mode Switch command, read‐write. Usage A SecureStack C2 switch can also be reset with the RESET button located on its front panel. For information on how to do this, refer to the SecureStack C2 Installation Guide shipped with your switch. 3-48 Basic Configuration (Optional) Specifies a unit to be reset.
Page 105: Clear Config
Are you sure you want to reload the stack? (y/n) y Saving Configuration to stacking members Reloading all switches. This example shows how to reset unit 1: C2(su)->reset 1 Are you sure you want to reload the switch? (y/n) y Reloading switch 1. This switch is manager of the stack. STACK: detach 3 units clear config Use this command to clear the user‐defined configuration parameters. ...
Page 106: Using And Configuring Webview
Using and Configuring WebView Example This example shows how to clear configuration parameters (including stacking parameters, if applicable): C2(su)->clear config all Using and Configuring WebView Purpose By default, WebView (The Enterasys Networks embedded web server for switch configuration and management tasks) is enabled on TCP port number 80 on the SecureStack C2 switch. You can verify WebView status, and enable or disable WebView using the commands described in this section. WebView can also be securely used over SSL port 443, if SSL is enabled on the switch. By default, SSL is disabled. To use WebView, type the IP address of the switch in your browser. To use WebView over SSL, type in https:// then the IP address of the switch. For example, https://172.16.2.10. Commands For information about... show webview set webview show ssl set ssl show webview Use this command to display WebView status. Syntax show webview Parameters None.
Page 107: Set Webview
Example This example shows how to display WebView status: C2(rw)->show webview WebView is Enabled. set webview Use this command to enable or disable WebView on the switch. Syntax set webview {enable | disable} Parameters enable | disable Defaults None. Mode Switch command, read‐write. Usage It is good practice for security reasons to disable HTTP access on the switch when finished configuring with WebView, and then to only enable WebView on the switch when changes need to be made. Example This example shows how to disable WebView on the switch: C2(rw)->set webview disable show ssl Use this command to display SSL status. Syntax show ssl Parameters None. Defaults None.
Page 108: Set Ssl
Example This example shows how to display SSL status: C2(rw)->show ssl SSL status: Enabled set ssl Use this command to enable or disable the use of WebView over SSL port 443. By default, SSL is disabled on the switch. This command can also be used to reinitialize the hostkey that is used for encryption. Syntax set ssl {enabled | disabled | reinitialize | hostkey reinitialize} Parameters enabled | disabled reinitialize hostkey reinitialize Defaults None. Mode Switch command, read‐write. Example This example shows how to enable SSL: C2(rw)->set ssl enabled Gathering Technical Support Information Purpose To gather common technical support information.
Page 109: Show Support
Use this command to display switch information for troubleshooting. Syntax show support Parameters None. Defaults None. Mode Switch command, read‐only. Usage This command initiates a number of show commands to easily gather basic information from an installed device. To use this command, set your console to capture the output to a file first, before executing the command, since the output is extensive. Output from the following commands is gathered by this command: • show version • show logging buffer • show port status • show system utilization process • show system utilization storage • show config Example There is no display example because the output of this command is quite lengthy. show support SecureStack C2 Configuration Guide 3-53...
Page 110 show support 3-54 Basic Configuration...
Page 111: Chapter 4: Activating Licensed Features
In order to enable advanced features, such as advanced routing protocols, you must purchase and activate a license key. If you have purchased a license, you can proceed to activate your license as described in this section. If you wish to purchase a license, contact the Enterasys Networks Sales Department. Purpose To activate and verify licensed features. Commands For information about... license advanced show license no license advanced license advanced When an advanced license is available, use this command to activate licensed features. If this is available on your SecureStack C2 switch, a unique license key will display in the show license command output. Syntax license advanced activation-key Parameters activation‐key Defaults None. Mode Global configuration: router(Config)# Activating Licensed Features Specifies your unique 16‐digit hexadecimal advanced licensing key. Note: When available, the licensing key will display at the top of the show running- config command output.
Page 112: Show License
show license Example This example shows how to use license key abcdefg123456789 to activate advanced routing features: C2(su)->router# configure Enter configuration commands: C2(su)->router(Config)# license advanced abcdefg123456789 show license When available and activated, use this command to display your license key. Syntax show license Parameters None. Defaults None. Mode Privileged EXEC: router# Example This example shows how to display your license key information: C2(su)->router# show license license advanced abcdefg123456789 no license advanced Use this command to remove the license key. Syntax no license advanced Parameters None.
Page 113 no license advanced C2(su)->router# configure Enter configuration commands: C2(su)->router(Config)# no license advanced SecureStack C2 Configuration Guide 4-3...
Page 114 no license advanced 4-4 Activating Licensed Features...
Page 115: Commands
Use this command to display system power properties. Syntax show inlinepower Parameters None. Defaults None. Mode Switch command, read‐only. Configuring System Power and PoE Important Notice Refer to page... SecureStack C2 Configuration Guide 5-1...
Page 116: Set Inlinepower Threshold
-------- -------------- 0.00 What It Displays... Displays the PD detection mode used by the switch. The detection mode can be configured with the command “set inlinepower Number of PoE-capable module. Whether the PoE administrative state is off (disabled) or auto (on). This state is not configurable.
Page 117: Set Inlinepower Trap
Use this command to enable or disable the sending of an SNMP trap message for a unit whenever the status of its ports changes, or whenever the unit’s power usage threshold is crossed. Syntax set inlinepower trap {disable | enable} module-number Parameters disable | enable module‐number Defaults Sending of traps is disabled by default. Mode Switch command, read‐write. Usage The module’s or unit’s power usage threshold must be set using the set inlinepower threshold command as described on page 5‐2. Example This example shows how to enable inline power trap messaging on module 1: C2(su)->set inlinepower trap enable 1 set inlinepower detectionmode Use this command to specify the method the switch will use to detect PDs (powered devices) connected to its ports. Syntax set inlinepower detectionmode {auto | ieee) Disables or enables inline power trap messaging.
Page 118: Show Port Inlinepower
Parameters auto ieee Defaults Default detection mode is auto. Mode Switch command, read‐write. Usage This command is used to specify how the switch should detect PDs connected to its ports. The PoE hardware in the switches can use the IEEE standard 802.3af (resistor‐based) method or a proprietary method using capacitor detection. If auto is configured, the switch will first use the IEEE resistor‐based detection method, and if that fails, the switch will use the capacitor‐based detection method. If ieee is configured, only the IEEE resistor‐based detection method will be used. Example This example sets the switch’s PD detection mode to IEEE standard 802.3af only. (su)->set inlinepower detectionmode ieee show port inlinepower Use this command to display all ports supporting PoE. Syntax show port inlinepower [port-string] Parameters port‐string Defaults If not specified, information for all PoE ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display PoE information for port ...
Page 119: Set Port Inlinepower
{[admin {off | auto}] [priority {critical | high | low}] [type type]} Parameters port‐string admin off | auto priority critical | high | low type type Defaults None. Mode Switch command, read‐write. Example This example shows how to enable PoE on port C2(su)->set port inlinepower ge.3.1 admin auto priority critical Admin Oper Priority ----- ---- -------- auto searching Specifies the port(s) on which to configure PoE.
Page 120 set port inlinepower 5-6 Configuring System Power and PoE...
Page 121: Configuring Cdp
This chapter describes how to configure discovery protocols. For information about... Configuring CDP Configuring Cisco Discovery Protocol Configuring Link Layer Discovery Protocol and LLDP-MED Configuring CDP Purpose To review and configure the Enterasys CDP discovery protocol. This protocol is used to discover network topology. When enabled, this protocol allows Enterasys devices to send periodic PDUs about themselves to neighboring devices. Commands The commands used to review and configure the CDP discovery protocol are listed below. For information about... show cdp set cdp state set cdp auth set cdp interval set cdp hold-time...
Page 122: Show Cdp
For details, refer to state” on page 6-3. CDP version number(s) supported by the switch. Minimum time interval (in seconds) at which CDP configuration messages can be set. The default of 180 seconds can be reset with the set cdp hold-time command.
Page 123: Set Cdp State
Syntax set cdp state {auto | disable | enable} [port-string] Parameters auto | disable | enable port‐string Defaults If port‐string is not specified, the CDP state will be globally set. Mode Switch command, read‐write. Examples This example shows how to globally enable CDP: C2(su)->set cdp state enable This example shows how to enable the CDP for port ge.1.2: C2(su)->set cdp state enable This example shows how to disable the CDP for port ge.1.2: C2(su)->set cdp state disable What It Displays... Authentication code for CDP discovery protocol. The default of 00-00-00-00-00-00- 00-00 can be reset using the set cdp auth command.
Page 124: Set Cdp Auth
Use this command to set a global CDP authentication code. Syntax set cdp auth auth-code Parameters auth‐code Defaults None. Mode Switch command, read‐write. Usage The authentication code value determines a switch’s CDP domain. If two or more switches have the same CDP authentication code, they will be entered into each other’s CDP neighbor tables. If they have different authentication codes, they are in different domains and will not be entered into each other’s CDP neighbor tables. A switch with the default authentication code (16 null characters) will recognize all switches, no matter what their authentication code, and enter them into its CDP neighbor table. Example This example shows how to set the CDP authentication code to 1,2,3,4,5,6,7,8: C2(su)->set cdp auth 1,2,3,4,5,6,7,8: set cdp interval Use this command to set the message interval frequency (in seconds) of the CDP discovery protocol. Syntax set cdp interval frequency...
Page 125: Set Cdp Hold-Time
C2(su)->set cdp interval 15 set cdp hold-time Use this command to set the hold time value for CDP discovery protocol configuration messages. Syntax set cdp hold-time hold-time Parameters hold‐time Defaults None. Mode Switch command, read‐write. Example This example shows how to set CDP hold time to 60 seconds: C2(su)->set cdp hold-time 60 clear cdp Use this command to reset CDP discovery protocol settings to defaults. Syntax clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]} Parameters state port‐state port‐string interval hold‐time...
Page 126: Show Neighbors
Mode Switch command, read‐write. Example This example shows how to reset the CDP state to auto‐enabled: C2(su)->clear cdp state show neighbors This command displays Neighbor Discovery information for either the CDP or Cisco DP protocols. Syntax show neighbors [port-string] Parameters port‐string Defaults If no port is specified, all Neighbor Discovery information is displayed. Mode Switch command, read‐only. Usage This command displays information discovered by both the CDP and the Cisco DP protocols. Example This example displays Neighbor Discovery information for all ports. C2(su)->show neighbors Port Device ID ------------------------------------------------------------------------------ ge.1.1 00036b8b1587 ge.1.6 0001f496126f ge.1.6 00-01-f4-00-72-fe ge.1.6 00-01-f4-00-70-8a ge.1.6...
Page 127: Configuring Cisco Discovery Protocol
Configuring Cisco Discovery Protocol Purpose To review and configure the Cisco discovery protocol. Discovery protocols are used to discover network topology. When enabled, they allow Cisco devices to send periodic PDUs about themselves to neighboring devices. Specifically, this feature enables recognizing PDUs from Cisco phones. A table of information about detected phones is kept by the switch and can be queried by the network administrator. Commands The commands used to review and configure the Cisco discovery protocol are listed below. Refer also to “show neighbors” on page 6‐6. For information about... show ciscodp show ciscodp port info set ciscodp status set ciscodp timer set ciscodp holdtime set ciscodp port clear ciscodp show ciscodp Use this command to display global Cisco discovery protocol information. Syntax...
Page 128: Show Ciscodp Port Info
Number of seconds neighboring devices will hold PDU transmissions from the sending device. Default value of 180 can be changed with the set ciscodp holdtime command. The MAC address of the switch. The time that the last Cisco DP neighbor was discovered. (Optional) Displays Cisco DP information for a specific port. For a detailed ...
Page 129: Set Ciscodp Status
Table 6-3 show ciscodp port info Output Details Output Field Port State vvid trusted set ciscodp status Use this command to enable or disable the Cisco discovery protocol globally on the switch. Syntax set ciscodp state {auto | disable | enable} Parameters auto disable enable Defaults None. Mode Switch command, read‐write. Example This example shows how to globally enable CiscoDP: C2(su)->set ciscodp state enable set ciscodp timer Use this command to set the number of seconds between Cisco discovery protocol PDU ...
Page 130: Set Ciscodp Holdtime
Parameters seconds Defaults None. Mode Switch command, read‐write. Example This example shows how to set the Cisco DP timer to 120 seconds. C2(su)->set ciscodp timer 120 set ciscodp holdtime Use this command to set the time to live (TTL) for Cisco discovery protocol PDUs. This is the amount of time, in seconds, neighboring devices will hold PDU transmissions from the sending device. Syntax set ciscodp holdtime hold-time Parameters hold‐time Defaults None. Mode Switch command, read‐write. Example This example shows how to set Cisco DP hold time to 180 seconds: C2(su)->set ciscodp hold-time 180 set ciscodp port Use this command to set the status, voice VLAN, extended trust mode, and CoS priority for ...
Page 131 Instructs attached phone to overwrite the 802.1p tag of traffic transmitted by the device connected to it with the specified value, when the trust mode of the port is set to untrusted. Value can range from 0 to 7, with 0 indicating the lowest priority. port‐string Specifies the port(s) on which status will be set. Defaults • Status: enabled • Voice VLAN: none • Trust mode: trusted • CoS value: 0 Mode Switch mode, read‐write. Usage The following points describe how the Cisco DP extended trust settings work on the switch. • A Cisco DP port trust status of trusted or untrusted is only meaningful when a Cisco IP phone is connected to a switch port and a PC or other device is connected to the back of the Cisco IP phone. • A Cisco DP port state of trusted or untrusted only affects tagged traffic transmitted by the device connected to the Cisco IP phone. Untagged traffic transmitted by the device connected to the Cisco IP phone is unaffected by this setting. • If the switch port is configured to a Cisco DP trust state of trusted (with the trusted yes parameter of this command), this setting is communicated to the Cisco IP phone instructing it to allow the device connected to it to transmit traffic containing any CoS or Layer 2 802.1p marking. set ciscodp port SecureStack C2 Configuration Guide 6-11...
Page 132: Clear Ciscodp
• If the switch port is configured to a Cisco DP trust state of untrusted (trusted no), this setting is communicated to the Cisco IP phone instructing it to overwrite the 802.1p tag of traffic transmitted by the device connected to it to 0, by default, or to the value specified by the cos parameter of this command. • There is a one‐to‐one correlation between the value set with the cos parameter and the 802.1p value assigned to ingressed traffic by the Cisco IP phone. A value of 0 equates to an 802.1p priority of 0. Therefore, a value of 7 is given the highest priority. Note: The Cisco Discovery Protocol must be globally enabled using the set ciscodp status command before operational status can be set on individual ports. Examples This example shows how to set the Cisco DP port voice VLAN ID to 3 on port ge.1.6 and enable the port operational state. C2(rw)->set ciscodp port status enable vvid 3 This example shows how to set the Cisco DP extended trust mode to untrusted on port ge.1.5 and ...
Page 133: Configuring Link Layer Discovery Protocol And Lldp-Med
Configuring Link Layer Discovery Protocol and LLDP-MED Overview The Link Layer Discovery Protocol (LLPD) provides an industry standard, vendor‐neutral way to allow network devices to advertise their identities and capabilities on a local area network, and to discover that information about their neighbors. LLDP‐MED is an enhancement to LLDP that provides the following benefits: • Extended and automated power management of Power over Ethernet endpoints • Inventory management, allowing network administrators to track their network devices and to determine their characteristics, such as manufacturer, software and hardware versions, and serial or asset numbers The information sent by an LLDP‐enabled device is extracted and tabulated by its peers. The communication can be done when information changes or on a periodic basis. The information tabulated is aged to ensure that it is kept up to date. Ports can be configured to send this information, receive this information, or both send and receive. Either LLDP or LLDP‐MED, but not both, can be used on an interface between two devices. A switch port uses LLDP‐MED when it detects that an LLDP‐MED‐capable device is connected to it. LLDP information is contained within a Link Layer Discovery Protocol Data Unit (LLDPDU) sent in a single 802.3 Ethernet frame. The information fields in LLDPDU are a sequence of short, variable‐length, information elements known as TLVs — type, length, and value fields where: • Type identifies what kind of information is being sent • Length indicates the length of the information string in octets • Value is the actual information that needs to be sent The LLDP standard specifies that certain TLVs are mandatory in transmitted LLDPDUs, while others are optional. You can configure on a port‐specific basis which optional LLDP and LLDP‐ MED TLVs should be sent in LLDPDUs. Purpose To review and configure LLPD and LLPD‐MED. Commands The commands used to review and configure the CDP discovery protocol are listed below. ...
Page 134: Configuration Tasks
show lldp For information about... show lldp port status show lldp port trap show lldp port tx-tlv show lldp port location-info show lldp port local-info show lldp port remote-info set lldp tx-interval set lldp hold-multiplier set lldp trap-interval set lldp med-fast-repeat set lldp port status set lldp port trap set lldp port med-trap...
Page 135: Show Lldp Port Status
Syntax show lldp Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display LLDP configuration information. C2(ro)->show lldp Message Tx Interval Message Tx Hold Multiplier : 4 Notification Tx Interval MED Fast Start Count Tx-Enabled Ports Rx-Enabled Ports Trap-Enabled Ports MED Trap-Enabled Ports show lldp port status Use this command to display the LLDP status of one or more ports. The command lists the ports ...
Page 136: Show Lldp Port Trap
Use this command to display the ports that are enabled to send an LLDP notification when a remote system change has been detected or an LLDP‐MED notification when a change in the topology has been sensed. Ports are enabled to send LLDP notifications with the set lldp port trap command and to send LLDP‐MED notifications with the set lldp port med‐trap command. Syntax show lldp port trap [port-string] Parameters port‐string Defaults If port‐string is not specified, LLDP port trap information will be displayed for all ports. Mode Switch command, read‐only. Example This example shows how to display LLDP port trap information for all ports. C2(ro)->show lldp port trap Trap-Enabled Ports MED Trap-Enabled Ports: show lldp port tx-tlv Use this command to display information about which optional TLVs have been configured to be transmitted on ports. Ports are configured to send optional TLVs with the set lldp port tx‐tlv command. Syntax show lldp port tx‐tlv [port‐string] Parameters port‐string...
Page 137: Show Lldp Port Location-Info
Mode Switch command, read‐only. Example This example shows how to display transmit TLV information for three ports. C2(ro)->show lldp port tx-tlv ge.1.1-3 * Means TLV is supported and enabled on this port o Means TLV is supported on this port Means TLV is not supported on this port Column Pro Id uses letter notation for enable: s-stp, l-lacp, g-gvrp...
Page 138: Show Lldp Port Local-Info
Mgmt Addr : 10.21.64.100 Chassis ID : 00-E0-63-93-74-A5 Sys Name : LLDP PoE test Chassis Sys Desc : Enterasys Networks, Inc. Sys Cap Supported/Enabled Auto-Neg Supported/Enabled Auto-Neg Advertised Operational Speed/Duplex/Type : 100 full tx Max Frame Size (bytes) Vlan Id LAG Supported/Enabled/Id Protocol Id : Spanning Tree v-3 (IEEE802.1s)
Page 139: Show Lldp Port Local-Info Output Details
LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities. Value is the Power Type of the device. On a switch port, the value is Power Sourcing Entity (PSE). PoE Power Source LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities.
Page 140: Show Lldp Port Remote-Info
Parameters port‐string Defaults If port‐string is not specified, remote system information will be displayed for all ports. Mode Switch command, read‐only. 6-20 Discovery Protocol Configuration What it Displays... IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates whether pair selection can be controlled on the given port (refer to RFC 3621). Value for Controllable can be true or false.
Page 141: Show Lldp Port Remote-Info Output Display
Example This example shows how to display the remote system information stored for port ge.3.1. The remote system information was received from an IP phone, which is an LLDP‐MED‐enabled device. Table 6‐5 describes the output fields that are unique to the remote system information displayed for a MED‐enabled device. C2(ro)->show lldp port remote-info ge.3.1 Local Port : ge.3.1 --------------------- Mgmt Addr : 0.0.0.0 Chassis ID : 0.0.0.0 Device Type : Communication Device Endpoint (class III) Sys Name : AVE0E143D Sys Cap Supported/Enabled Auto-Neg Supported/Enabled Auto-Neg Advertised Operational Speed/Duplex/Type : 100/full/TX Hardware Revision...
Page 142: Set Lldp Tx-Interval
Use this command to set the time, in seconds, between successive LLDP frame transmissions initiated by changes in the LLDP local system information. Syntax set lldp tx-interval frequency Parameters frequency Defaults None. Mode Switch command, read‐write. Example This example sets the transmit interval to 20 seconds. C2(rw)->set lldp tx-interval 20 set lldp hold-multiplier Use this command to set the time‐to‐live value used in LLDP frames sent by this device. The time‐ to‐live for LLDPDU data is calculated by multiplying the transmit interval by the hold multiplier value. Syntax set lldp hold-multiplier multiplier-val Parameters multiplier‐val Defaults None.
Page 143: Set Lldp Trap-Interval
Use this command to set the minimum interval between LLDP notifications sent by this device. LLDP notifications are sent when a remote system change has been detected. Syntax set lldp trap-interval frequency Parameters frequency Defaults None. Mode Switch command, read‐write. Example This example sets the minimum interval between LLDP traps to 10 seconds. C2(rw)->set lldp trap-interval 10 set lldp med-fast-repeat Network connectivity devices transmit only LLDP TLVs in LLDPDUs until they detect that an LLDP‐MED endpoint device has connected to a port. At that point, the network connectivity device starts sending LLDP‐MED TLVs at a fast start rate on that port. Use this command to set the number of successive LLDPDUs (with LLDP‐MED TLVs) to be sent for one complete fast start interval. Syntax set lldp med-fast-repeat count Parameters count Defaults None. Mode Switch command, read‐write.
Page 144: Set Lldp Port Status
{tx-enable | rx-enable | both | disable} port-string Parameters tx‐enable rx‐enable both disable port‐string Defaults None. Mode Switch command, read‐write. Example This example enables both transmitting LLDPDUs and receiving and processing LLDPDUs from remote systems on ports ge.1.1 through ge.1.6. C2(rw)->set lldp port status both ge.1.1-6 set lldp port trap Use this command to enable or disable sending LLDP notifications (traps) when a remote system change is detected. Syntax set lldp port trap {enable | disable} port-string...
Page 145: Set Lldp Port Med-Trap
Defaults None. Mode Switch command, read‐write. Example This example enables transmitting LLDP traps on ports ge.1.1 through ge.1.6. C2(rw)->set lldp port trap enable ge.1.1-6 set lldp port med-trap Use this command to enable or disable sending an LLDP‐MED notification when a change in the topology has been sensed on the port (that is, a remote endpoint device has been attached or removed from the port). Syntax set lldp port med-trap {enable | disable} port-string Parameters enable disable port‐string Defaults None. Mode Switch command, read‐write. Example This example enables transmitting LLDP‐MED traps on ports ge.1.1 through ge.1.6. C2(rw)->set lldp port med-trap enable ge.1.1-6 set lldp port tx-tlv Use this command to select the optional LLDP and LLDP‐MED TLVs to be transmitted in ...
Page 146 set lldp port tx-tlv Parameters port‐desc sys‐name sys‐desc sys‐cap mgmt‐addr vlan‐id lacp gvrp mac‐phy link‐aggr max‐frame med‐cap med‐loc med‐poe port‐string 6-26 Discovery Protocol Configuration Adds all optional TLVs to transmitted LLDPDUs. Port Description optional basic LLDP TLV. Value sent is ifDescr object defined in RFC 2863. System Name optional basic LLDP TLV. Value sent is the administratively assigned name for the system. System Description optional basic LLDP TLV. Value sent is sysDescr object defined in RFC 3418. System Capabilities optional basic LLDP TLV. For a network connectivity device, value sent can be bridge and/or router. Management Address optional basic LLDP TLV. Value sent is IPv4 address of host interface. Port VLAN ID IEEE 802.1 Extensions TLV. Value sent is port VLAN ID (PVID). Spanning Tree information defined by Protocol Identity IEEE 802.1 Extensions TLV. If STP is enabled on the port, value sent includes version of protocol being used. LACP information defined by Protocol Identity IEEE 802.1 ...
Page 147: Clear Lldp
Defaults None. Mode Switch command, read‐write. Example This example configures the management address, MED capability, and MED location identification TLVs to be sent in LLDPDUs by port C2(rw)->set lldp port tx-tlv mgmt-addr med-cap med-loc ge.1.1 clear lldp Use this command to return LLDP parameters to their default values. Syntax clear lldp {all | tx-interval | hold-multiplier | trap-interval | med-fast-repeat} Parameters tx‐interval hold‐multiplier trap‐interval med‐fast‐repeat Defaults None. Mode Switch command, read‐write. Example This example returns the transmit interval to the default value of 30 seconds.
Page 148: Clear Lldp Port Trap
Syntax clear lldp port status port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example returns port processing received LLDPDUs. C2(rw)->clear lldp port status ge.1.1 clear lldp port trap Use this command to return the port LLDP trap setting to the default value of disabled. Syntax clear lldp port trap port-string Parameters port‐string Defaults None. Mode Switch command, read‐write.
Page 149: Clear Lldp Port Tx-Tlv
Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example returns port C2(rw)->clear lldp port med-trap ge.1.1 clear lldp port tx-tlv Use this command to clear the optional LLDP and LLDP‐MED TLVs to be transmitted in LLDPDUs by the specified port or ports to the default value of disabled. Syntax clear lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmt- addr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [med-...
Page 150 Defaults None. Mode Switch command, read‐write. Example This example disables the management address, MED capability, and MED location identification TLVs from being sent in LLDPDUs by port C2(rw)->clear lldp port tx-tlv mgmt-addr med-cap med-loc ge.1.1 6-30 Discovery Protocol Configuration Disables the Power via MDI IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs. Only valid for PoE‐enabled ports. Disables the Link Aggregation IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs. Disables the Maximum Frame Size IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs. Disables the LLDP‐MED Capabilities TLV from being transmitted in LLDPDUs. Disables the LLDP‐MED Location Identification TLV from being transmitted in LLDPDUs. Disables the LLDP‐MED Extended Power via MDI TLV from being ...
Page 151: Port Configuration Summary
Link Aggregation Control Protocol (LACP) Configuring Protected Ports Port Configuration Summary C2H124-48 and C2H124-48P Switch Ports The C2H124‐48 stackable devices provide the following types of front panel connections: • Forty‐eight fixed RJ45 10/100 Mbps copper Fast Ethernet ports • Four SFP slots that provide the option of installing Small Form Pluggable (SFP) Mini‐GBICs for 1000BASE‐T compliant copper connections or 1000BASE‐SX\LX\ELX fiber‐optic connections C2G124-24, C2G124-48, and C2G124-48P Switch Ports The C2G124‐24, C2G124‐48 and C2G124‐48P stackable devices provide the following types of switch port connections: • Twenty‐four or forty‐eight RJ45 10/100/1000 Mbps 1000BASE‐T Fast Ethernet copper ports Port Configuration Refer to page... 7-10 7-13 7-15 7-19...
Page 152: C2G134-24P Switch Ports
Port Configuration Summary • Four SFP slots that provide the option of installing Small Form Pluggable (SFP) Mini‐GBICs for 1000BASE‐T compliant copper connections or 1000BASE‐SX\LX\ELX fiber‐optic connections. C2G134-24P Switch Ports The C2G134‐24P stackable devices provide the following types of switch port connections: • Twenty‐four 10/100/1000 Mbps 1000BASE‐T Fast Ethernet copper ports connected through four RJ21 connectors (six ports per RJ21). • Four SFP slots that provide the option of installing Small Form Pluggable (SFP) Mini‐GBICs for 1000BASE‐T compliant copper connections or 1000BASE‐SX\LX\ELX fiber‐optic connections. C2K122-24 Switch Ports The C2K122‐24 stackable devices provide the following types of switch port connections: • Twenty‐four RJ45 10/100/1000 Mbps 1000BASE‐T Fast Ethernet copper ports • Two XFP slots that provide the option of installing XFP MSA‐compliant modules for 10‐ Gigabit, 10GBASE‐L/‐LR/‐ER fiber‐optic connections. C2G170-24 Switch Ports The C2G170‐24 stackable devices provide the following types of switch port connections: • Twenty‐four SFP slots that provide the option of installing Small Form Pluggable (SFP) Mini‐ GBICs for 1000BASE‐T compliant copper connections or 1000BASE‐SX\LX\ELX. Important Notice About C2G1x4-xx 10/100/100 and SFP Mini-GBIC Ports SFP Mini-GBIC uplink ports are used in an either / or configuration with the C2 front panel RJ45 10/100/1000 Mbps 1000BASE-T Fast Ethernet copper ports.
Page 153: Reviewing Port Status
Where port number depends on the device. The highest valid port number is dependent on the number of ports in the device and the port type. Port Slot/Unit Parameters Used in the CLI The “unit” parameter is often used interchangeably with “module” in the standalone switch CLI to indicate a module slot location. Examples Note: You can use a wildcard (*) to indicate all of an item. For example, fe.3.* would represent all 100Mbps Ethernet (fe) ports in slot 3, and ge.3 * would represent all 1-Gigabit Ethernet (ge) ports in slot 3.
Page 154: Show Port Status
Parameters port‐string Defaults If port‐string is not specified, operational status information for all ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display operational status information for ge.3.14: C2(su)->show port Port 3.14 enabled show port status Use this command to display operating and admin status, speed, duplex mode and port type for one or more ports on the device. Syntax show port status [port-string] Parameters port‐string Defaults If port‐string is not specified, status information for all ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display status information for ge.3.14: C2(su)->show port status Port ------------ 3.14 Table 7‐1 provides an explanation of the command output.
Page 155: Show Port Counters
Table 7-1 show port status Output Details Output Field Port Alias (truncated) Oper Status Admin Status Speed Duplex Type show port counters Use this command to display port counter statistics detailing traffic through the device and through all MIB2 network devices. Syntax show port counters [port-string] [switch | mib2] Parameters port‐string switch | mib2 Defaults If port‐string is not specified, counter statistics will be displayed for all ports. If mib2 or switch are not specified, all counter statistics will be displayed for the specified port(s). Mode Switch command, read‐only. Examples This example shows how to display all counter statistics, including MIB2 network traffic and traffic through the device for ge.3.1: C2(su)->show port counters Port: What It Displays...
Page 156: Disabling / Enabling And Naming Ports
In Multicast Pkts In Broadcast Pkts In Discards In Errors Out Octets Out Unicasts Pkts Out Multicast Pkts Out Broadcast Pkts Out Errors 802.1Q Switch Counters ---------------------- Frames Received Frames Transmitted This example shows how to display all ge.3.1 port counter statistics related to traffic through the device. C2(su)->show port counters Port: 802.1Q Switch Counters...
Page 157: Commands
Use this command to administratively disable one or more ports. When this command is executed, in addition to disabling the physical Ethernet link, the port will no longer learn entries in the forwarding database. Syntax set port disable port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to disable ge.1.1: C2(su)->set port disable set port enable Use this command to administratively enable one or more ports. Syntax set port enable port-string Parameters port‐string Defaults None. Specifies the port(s) to disable. For a detailed description of possible port‐...
Page 158: Show Port Alias
Mode Switch command, read‐write. Example This example shows how to enable ge.1.3: C2(su)->set port enable show port alias Use this command to display the alias name for one or more ports. Syntax show port alias [port-string] Parameters port‐string Defaults If port‐string is not specified, aliases for all ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display alias information for ports 1‐3 on slot 3: C2(rw)->show port alias ge.3.1-3 Port ge.3.1 user Port ge.3.2 user Port ge.3.3 Admin set port alias Use this command to assign an alias name to a port.
Page 159 Defaults If name is not specified, the alias assigned to the port will be cleared. Mode Switch command, read‐write. Examples This example shows how to assign the alias “Admin” to C2(rw)->set port alias ge.3.3 Admin This example shows how to clear the alias for C2(rw)->set port alias ge.3.3 3.3: 3.3: SecureStack C2 Configuration Guide 7-9 set port alias...
Page 160: Setting Speed And Duplex Mode
Use this command to display the default speed setting on one or more ports. Syntax show port speed [port-string] Parameters port‐string Defaults If port‐string is not specified, default speed settings for all ports will display. Mode Switch command, read‐only. Example This example shows how to display the default speed setting for 1‐Gigabit Ethernet port 14 in slot 3: C2(su)->show port speed ge.3.14 default speed is 10 on port ge.3.14. 7-10 Port Configuration (Optional) Displays default speed setting(s) for specific port(s). For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Refer to page...
Page 161: Set Port Speed
Use this command to set the default speed of one or more ports. This setting only takes effect on ports that have auto‐negotiation disabled. Syntax set port speed port-string {10 | 100 | 1000} Parameters port‐string 10 | 100 | 1000 Defaults None. Mode Switch command, read‐write. Example This example shows how to set ge.3.3 to a port speed of 10 Mbps: C2(su)->set port speed show port duplex Use this command to display the default duplex setting (half or full) for one or more ports. Syntax show port duplex [port-string] Parameters port‐string Defaults If port‐string is not specified, default duplex settings for all ports will be displayed.
Page 162: Set Port Duplex
Use this command to set the default duplex type for one or more ports. This command will only take effect on ports that have auto‐negotiation disabled. Syntax set port duplex port-string {full | half} Parameters port‐string full | half Defaults None. Mode Switch command, read‐write. Example This example shows how to set ge.1.17 to full duplex: C2(su)->set port duplex 7-12 Port Configuration Specifies the port(s) for which duplex type will be set. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Sets the port(s) to full‐duplex or half‐duplex operation. 1.17 full...
Page 163: Enabling / Disabling Jumbo Frame Support
Use this command to display the status of jumbo frame support and maximum transmission units (MTU) on one or more ports. Syntax show port jumbo [port-string] Parameters port‐string Defaults If port‐string is not specified, jumbo frame support status for all ports will display. Mode Switch command, read‐only. Example This example shows how to display the status of jumbo frame support for C2(su)->show port jumbo ge.1.1 Port Number ------------- --------------- ------------------ ge.1.1 (Optional) Displays the status of jumbo frame support for specific port(s). For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Jumbo Status Max Frame Size...
Page 164: Set Port Jumbo
Use this command to enable or disable jumbo frame support on one or more ports. Syntax set port jumbo {enable | disable}[port-string] Parameters enable | disable port‐string Defaults If port‐string is not specified, jumbo frame support will be enabled or disabled on all ports. Mode Switch command, read‐write. Example This example shows how to enable jumbo frame support for Gigabit Ethernet port 14 in slot 3: C2(su)->set port jumbo enable ge.3.14 clear port jumbo Use this command to reset jumbo frame support status to enabled on one or more ports. Syntax clear port jumbo [port-string] Parameters port‐string Defaults If port‐string is not specified, jumbo frame support status will be reset on all ports.
Page 165: Setting Auto-Negotiation And Advertised Ability
Use this command to display the status of auto‐negotiation for one or more ports. Syntax show port negotiation [port-string] Parameters port‐string Defaults If port‐string is not specified, auto‐negotiation status for all ports will be displayed. Mode Switch command, read‐only. (Optional) Displays auto‐negotiation status for specific port(s). For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Setting Auto-Negotiation and Advertised Ability Refer to page... 7-15 7-16 7-16 7-17 7-18 SecureStack C2 Configuration Guide 7-15...
Page 166: Set Port Negotiation
Use this command to enable or disable auto‐negotiation on one or more ports. Syntax set port negotiation port-string {enable | disable} Parameters port‐string enable | disable Defaults None. Mode Switch command, read‐write. Example This example shows how to disable auto‐negotiation on 1‐Gigabit Ethernet port 3 in slot 14: C2(su)->set port negotiation ge.3.14 disable show port advertise Use this command to display port capability and advertisement as far as speed and duplex for auto‐negotiation. Syntax show port advertise [port-string] Parameters port‐string Defaults If port‐string is not specified, advertisement for all ports will be displayed.
Page 167: Set Port Advertise
{port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause} Parameters port‐string 10tfd 100tx 100txfd 1000t 1000tfd pause Defaults None. Mode Switch command, read‐write. advertised remote advertised remote Select the ports for which to configure advertisements. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Advertise 10BASE‐T half duplex mode. Advertise 10BASE‐T full duplex mode. Advertise 100BASE‐TX half duplex mode. Advertise 100BASE‐TX full duplex mode. Advertise 1000BASE‐T half duplex mode.
Page 168: Clear Port Advertise
{port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause} Parameters port‐string 10tfd 100tx 100txfd 1000t 1000tfd pause Defaults None. Mode Switch command, read‐write. Example This example shows how to configure port 1 to not advertise 10 MB capability for auto‐ negotiation: C2(su)->clear port advertise ge.1.1 10t 10tfd 7-18 Port Configuration Clear advertisements for specific port(s). For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Do not advertise 10BASE‐T half duplex mode. Do not advertise 10BASE‐T full duplex mode. Do not advertise 100BASE‐TX half duplex mode. Do not advertise 100BASE‐TX full duplex mode.
Page 169: Setting Flow Control
For information about... show flowcontrol set flowcontrol show flowcontrol Use this command to display the flow control state. Syntax show flowcontrol Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the port flow control state: C2(su)->show flowcontrol Flow control status: enabled set flowcontrol Use this command to enable or disable flow control. Syntax set flowcontrol {enable | disable} Parameters enable | disable Enables or disables flow control settings. Setting Flow Control Refer to page...
Page 170 Defaults None. Mode Switch command, read‐write. Example This example shows how to enable flow control: C2(su)->set flowcontrol enable 7-20 Port Configuration...
Page 171: Setting Port Link Traps And Link Flap Detection
Setting Port Link Traps and Link Flap Detection Purpose To disable or re‐enable link traps, display link trap status, and to configure the link flapping detection function. By default, all ports are enabled to send SNMP trap messages indicating changes to their link status (up or down). The link flap function detects when a link is going up and down rapidly (also called “link flapping”) on a physical port, and takes the required actions (disable port, and eventually send notification trap) to stop such a condition. If left unresolved, the “link flapping” condition can be detrimental to network stability because it can trigger Spanning Tree and routing table recalculation. Commands For information about... show port trap set port trap show linkflap set linkflap globalstate set linkflap portstate set linkflap interval set linkflap action clear linkflap action set linkflap threshold set linkflap downtime...
Page 172: Set Port Trap
Defaults If port‐string is not specified, the trap status for all ports will be displayed. Mode Switch command, read‐write. Example This example shows how to display link trap status for ge.3.1 through 4: C2(su)->show port trap Link traps enabled on port Link traps enabled on port Link traps enabled on port Link traps enabled on port set port trap Use this command to enable of disable ports for sending SNMP trap messages when their link status changes. Syntax set port trap port-string {enable | disable} Parameters port‐string...
Page 173 Displays the number of link flap violations since the last reset. port‐string (Optional) Displays information for specific port(s). Defaults • If not specified, information about all link flap detection settings will be displayed. • If port‐string is not specified, information for all ports will be displayed. Mode Switch mode, read‐only. Usage The linkflap default conditions are shown in the following table. Linkflap Parameter Linkflap global state Linkflap port state Linkflap action Linkflap interval Linkflap maximum allowed link downs per 10 seconds Linkflap threshold (number of allowed link down transitions before action is taken)
Page 174: Show Linkflap Parameters Output Details
show linkflap Examples This example shows how to display the global status of the link trap detection function: C2(rw)->show linkflap globalstate Linkflap feature globally disabled This example shows how to display ports disabled by link flap detection due to a violation: C2(rw)->show linkflap downports Ports currently held DOWN for Linkflap violations: None. This example shows how to display the link flap parameters table: C2(rw)->show linkflap parameters Linkflap Port Settable Parameter Table (X means error occurred) Port LF Status -------- --------- ge.1.1 disabled...
Page 175: Set Linkflap Globalstate
TimeElapsed Violations set linkflap globalstate Use this command to globally enable or disable the link flap detection function. Syntax set linkflap globalstate {disable | enable} Parameters disable | enable Defaults By default, the function is disabled globally and on all ports. Mode Switch mode, read‐write. Usage By default, the function is disabled globally and on all ports. If disabled globally after per‐port settings have been configured using the linkflap commands, per‐port settings will be retained. Example This example shows how to globally enable the link trap detection function. C2(rw)->set linkflap globalstate enable set linkflap portstate Use this command to enable or disable link flap monitoring on one or more ports. Syntax set linkflap portstate {disable | enable} [port-string] Parameters disable | enable...
Page 176: Set Linkflap Interval
Mode Switch command, read‐write. Example This example shows how to enable the link trap monitoring on all ports. C2(rw)->set linkflap portstate enable set linkflap interval Use this command to set the time interval (in seconds) for accumulating link down transitions. Syntax set linkflap interval port-string interval-value Parameters port‐string interval‐value Defaults None. Mode Switch command, read‐write. Example This example shows how to set the link flap interval on port ge.1.4 to 1000 seconds. C2(rw)->set linkflap interval set linkflap action Use this command to set reactions to a link flap violation. Syntax set linkflap action port-string {disableInterface | gensyslogentry | gentrap |...
Page 177: Clear Linkflap Action
Defaults None. Mode Switch mode, read‐write. Example This example shows how to set the link flap violation action on port ge.1.4 to generating a Syslog entry. C2(rw)->set linkflap action clear linkflap action Use this command to clear reactions to a link flap violation. Syntax clear linkflap action [port-string] {disableInterface | gensyslogentry | gentrap | all} Parameters port‐string disableInterface gensyslogentry gentrap Defaults If port‐string is not specified, actions will be cleared on all ports. Mode Switch mode, read‐write. Example This example shows how to clear the link flap violation action on port ge.1.4 to generating a Syslog entry. C2(rw)->clear linkflap action set linkflap threshold Use this command to set the link flap action trigger count.
Page 178: Set Linkflap Downtime
Parameters port‐string threshold‐value Defaults None. Mode Switch mode, read‐write. Example This example shows how to set the link flap threshold on port ge.1.4 to 5. C2(rw)->set linkflap threshold set linkflap downtime Use this command to set the time interval (in seconds) one or more ports will be held down after a link flap violation. Syntax set linkflap downtime port-string downtime-value Parameters port‐string downtime‐value Defaults None. Mode Switch mode, read‐write. Example This example shows how to set the link flap downtime on port ge.1.4 to 5000 seconds. C2(rw)->set linkflap downtime clear linkflap down Use this command to toggle link flap disabled ports to operational.
Page 179: Clear Linkflap
Parameters port‐string Defaults If port‐string is not specified, all ports disabled by a link flap violation will be made operational. Mode Switch mode, read‐write. Example This example shows how to make disabled port ge.1.4 operational. C2(rw)->clear linkflap down clear linkflap Use this command to clear all link flap options and / or statistics on one or more ports. Syntax clear linkflap {all | stats [port-string] | parameter port-string {threshold | interval | downtime | all} Parameters all | stats parameter threshold | interval | downtime | all port‐string Defaults If port‐string is not specified, settings and/or statistics will be cleared on all ports. Mode Switch mode, read‐write.
Page 180: Configuring Broadcast Suppression
Configuring Broadcast Suppression Configuring Broadcast Suppression Purpose To review and set the broadcast suppression threshold for one or more ports. This feature limits the number of received broadcast frames the switch will accept per port. Broadcast suppression thresholds apply only to broadcast traffic—multicast traffic is not affected. By default, a broadcast suppression threshold of 14881 packets per second (pps) will be used, regardless of actual port speed. Broadcast suppression protects against broadcast storms and ARP sweeps. Commands For information about... show port broadcast set port broadcast clear port broadcast show port broadcast Use this command to display port broadcast suppression thresholds. Syntax show port broadcast [port-string] Parameters port‐string Defaults If port‐string is not specified, broadcast status of all ports will be displayed. Mode Switch command, read‐only.
Page 181: Set Port Broadcast
Use this command to set the broadcast suppression threshold, in packets per second, on one or more ports. This sets a threshold on the broadcast traffic that is received and switched out to other ports. Syntax set port broadcast port-string threshold-val Parameters port‐string threshold‐val Defaults None. Mode Switch command, read‐write. Usage Per port broadcast suppression is hardset to be globally enabled on the C2. If you would like to disable broadcast suppression, you can get the same result by setting the threshold limit for each port to the maximum number of packets which can be received per second as listed in the parameters section, above. The default broadcast suppression threshold for all ports is set to 14881. Example This example configures ports 1 through 5 with a broadcast limit of 50 pps: C2(su)->set port broadcast ge.1.1-5 50 clear port broadcast Use this command to clear the broadcast threshold limit to the default value of 14881 for the selected port. Syntax clear port broadcast port-string threshold Parameters port‐string ...
Page 182 Defaults None. Mode Switch command, read‐write. Example This example clears the broadcast threshold limit to 14881 pps for ports 1 through 5: C2(su)->clear port broadcast ge.1.1-5 threshold 7-32 Port Configuration...
Page 183: Port Mirroring
Caution: Traffic mirrored to a VLAN may contain control traffic. This may be interpreted by the downstream neighbor as legal control frames. It is recommended that you disable any protocols (such as Spanning Tree) on inter-switch connections that might be affected . Configuring SMON MIB Port Mirroring Overview SMON port mirroring support on Enterasys SecureStack B2, B3, C2 and C3 devices allows you to ...
Page 184: Purpose
Port Mirroring Enter MIB option 4 (createAndGo) and perform an SNMP Set operation. (Optional) Use the CLI to verify the port mirroring instance has been created and enabled as shown in the following example: C2(su)->show port mirroring Port Mirroring ============== Source Port Target Port Frames Mirrored = Rx and Tx Port Mirroring status enabled To create a port mirroring instance without automatically enabling it: Complete steps 1‐4 above. Enter MIB option 5 (createAndWait) and perform an SNMP Set operation. (Optional) Use the CLI to verify the port mirroring instance has been created set to disabled mode as shown in the following example: C2(su)->show port mirroring Port Mirroring ============== Source Port Target Port Frames Mirrored = Rx and Tx Port Mirroring status disabled When you are ready to enable this instance, enter MIB option 1 (active) and perform an SNMP ...
Page 185: Show Port Mirroring
Use this command to display the source and target ports for mirroring, and whether mirroring is currently enabled or disabled for those ports. Syntax show port mirroring Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display port mirroring information. In this case, ge.1.4 is configured as a source port and ge.1.11 is a target and mirroring has been enabled between these ports: C2(su)->show port mirroring Port Mirroring ============== Source Port = Target Port = Frames Mirrored = Rx and Tx Port Mirroring status enabled.
Page 186: Clear Port Mirroring
Parameters create | disable | enable source destination Defaults None. Mode Switch command, read‐write. Usage Note that LAG ports and their underlying physical ports, as described in “Link Aggregation Control Protocol (LACP)” on page 7‐38, cannot be mirrored. Example This example shows how to create and enable port mirroring with ge.1.4 as the source port, and ge.1.11 as the target port: C2(su)->set port mirroring create C2(su)->set port mirroring enable clear port mirroring Use this command to clear a port mirroring relationship. Syntax clear port mirroring source destination Parameters source destination Defaults None.
Page 187 clear port mirroring Example This example shows how to clear port mirroring between source port ge.1.4 and target port ge.1.11: C2(su)->clear port mirroring 1.11 SecureStack C2 Configuration Guide 7-37...
Page 188: Link Aggregation Control Protocol (Lacp)
Caution: Link aggregation configuration should only be performed by personnel who are knowledgeable about Spanning Tree and Link Aggregation, and fully understand the ramifications of modifications beyond device defaults. Otherwise, the proper operation of the network could be at risk. Using multiple links simultaneously to increase bandwidth is a desirable switch feature, which can be accomplished if both sides agree on a set of ports that are being used as a Link Aggregation Group (LAG). Once a LAG is formed from selected ports, problems with looping can be avoided since the Spanning Tree can treat this LAG as a single port.
Page 189: Lacp Terminology
LACPDU Actor and Partner Admin Key System Priority SecureStack C2 Usage Considerations In normal usage (and typical implementations) there is no need to modify any of the default LACP parameters on the switch. The default values will result in the maximum number of aggregations possible. If the switch is placed in a configuration with its peers not running the protocol, no dynamic link aggregations will be formed and the switch will function normally (that Definition Virtual port that controls link aggregation for underlying physical ports. Each SecureStack C2 module provides 6 aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6.
Page 190: Commands
Link Aggregation Control Protocol (LACP) is, will block redundant paths). For information about building static aggregations, refer to set lacp static (page Each SecureStack C2 module provides six virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Each LAG can have up to eight associated physical ports. Once underlying physical ports (for example, fe.x.x, or the resulting aggregation will be represented as one LAG with a lag.0.x port designation. LACP determines which underlying physical ports are capable of aggregating by comparing operational keys. Aggregator ports allow only underlying ports with keys matching theirs to join their LAG. LACP uses a system priority value to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator. There are a few cases in which ports will not aggregate: • An underlying physical port is attached to another port on this same switch (loopback). • There is no available aggregator for two or more ports with the same LAG ID. This can happen if there are simply no available aggregators, or if none of the aggregators have a matching admin key and system priority. • 802.1x authentication is enabled using the set eapol command (page would otherwise aggregate are not 802.1X authorized. The LACP implementation on the SecureStack C2 device will allow up to eight physical ports into a LAG. The device with the lowest LAG ID determines which underlying physical ports are allowed into a LAG based on the ports’ LAG port priority. Ports with the lowest LAG port priority values are allowed into the LAG and all other speed groupings go into a standby state. Multi‐port LAGs will continue to operate as long as there is at least one active port in the LAG. Therefore, there is no need to create backup single port LAGs or to specifically assign the LAG and all its physical ports to the egress list of the LAG’s VLAN. Typically, two or more ports are required to form a LAG. However, you can enable the creation of single port LAGs as described in “set lacp singleportlag” on page 7‐46. If a single port LAG goes down and the switch stays up, the switch will reconfigure the LAG to the same LAG number if the port comes back up. Note: To aggregate, underlying physical ports must be running in full duplex mode and must be of the same operating speed.
Page 191: Show Lacp
Use this command to display information about one or more aggregator ports. Syntax show lacp [port-string] Parameters port‐string Defaults If port‐string is not specified, link aggregation information for all LAGs will be displayed. Mode Switch command, read‐only. Usage Each SecureStack C2 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once underlying physical ports (that is, ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one Link Aggregation Group (LAG) with a lag.x.x port designation. Example This example shows how to display lacp information for lag.0.1 output fields. C2(su)->show lacp lag.0.1 Global Link Aggregation state: enabled Single Port LAGs: Aggregator: lag.0.1...
Page 192: Set Lacp
What It Displays... Shows if LACP is enabled or disabled on the switch. Displays if the single port LAG feature has been enabled on the switch. See singleportlag” on page 7-46 for more about single port LAG. LAG port designation. Each SecureStack C2 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6.
Page 193: Set Lacp Asyspri
Use this command to set the LACP system priority. Syntax set lacp asyspri value Parameters asyspri value Defaults None. Mode Switch command, read‐write. Usage LACP uses this value to determine aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator. Example This example shows how to set the LACP system priority to 1000: C2(su)->set lacp asyspri 1000 set lacp aadminkey Use this command to set the administratively assigned key for one or more aggregator ports. Syntax set lacp aadminkey port-string value Parameters port‐string value Defaults None.
Page 194: Clear Lacp
Use this command to clear LACP system priority or admin key settings. Syntax clear lacp {[asyspri] [aadminkey port-string]} Parameters asyspri aadminkey port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the actor admin key for LAG port 6: C2(su)->clear lacp aadminkey lag.0.6 set lacp static Use this command to disable or enable static link aggregation, or to assign one or more underlying physical ports to a Link Aggregation Group (LAG). Syntax set lacp static {disable | enable} | lagportstring [key] port-string Parameters disable | enable lagportstring ...
Page 195: Clear Lacp Static
Defaults If not specified, a key will be assigned according to the specified aggregator. For example a key of 4 would be assigned to lag.0.4. Mode Switch command, read‐write. Example This example shows how to add port ge.1.6 to the LAG of aggregator port 6: C2(su)->set lacp static lag.0.6 clear lacp static Use this command to remove specific ports from a Link Aggregation Group. Syntax clear lacp static lagportstring port-string Parameters lagportstring port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to remove ge.1.6 from the LAG of aggregator port 6: C2(su)->clear lacp static lag.0.6 (Optional) Specifies the new member port and LAG port aggregator admin key value. Only ports with matching keys are allowed to aggregate. Valid values are 0 ‐ 65535. Note: This key value must be unique. If ports other than the desired underlying physical ports share the same admin key value, aggregation will fail or undesired aggregations will form.
Page 196: Set Lacp Singleportlag
Use this command to enable or disable the formation of single port LAGs. Syntax set lacp singleportlag {enable | disable} Parameters disable | enable Defaults None. Mode Switch command, read‐write. Usage When single port LAGs are enabled, Link Aggregration Groups can be formed when only one port is receiving protocol transmissions from a partner. When this setting is disabled, two or more ports are required to form a LAG. This setting has no effect on existing LAGs created with multiple member ports. It also does not prevent previously formed LAGs from coming up after they have gone down, as long as any previous LAG member ports come up connected to the same switch as before the LAG went down. Example This example enables the formation of single port LAGs: C2(su)->set lacp singleportlag enable clear lacp singleportlag Use this command to reset the single port LAG function back to the default state of disabled. Syntax clear lacp singleportlag Parameters None.
Page 197: Show Port Lacp
C2(su)->clear lacp singleportlag show port lacp Use this command to display link aggregation information for one or more underlying physical ports. Syntax show port lacp port port-string {[status {detail | summary}] | [counters]} Parameters port port‐string status detail | summary counters Defaults None. Mode Switch command, read‐only. Usage State definitions, such as ActorAdminState and Partner AdminState, are indicated with letter abbreviations. If the show port lacp command displays one or more of the following letters, it means the state is true for the associated actor or partner ports: • E = Expired • F = Defaulted • D = Distributing (tx enabled) • C = Collecting (rx enabled) •...
Page 198: Set Port Lacp
set port lacp Port Instance: ActorPort: ActorSystemPriority: ActorPortPriority: ActorAdminKey: ActorOperKey: ActorAdminState: ActorOperState: ActorSystemID: SelectedAggID: AttachedAggID: MuxState: DebugRxState: This example shows how to display summarized LACP status information for port ge.1.12: C2(su)->show port lacp port Port Aggr 1.12 none This example shows how to display LACP counters for port ge.1.12: C2(su)->show port lacp port Port Instance: LACPDUsRx: LACPDUsTx: IllegalRx: UnknownRx: MarkerPDUsRx: MarkerPDUsTx: MarkerResponsePDUsRx: MarkerResponsePDUsTx: set port lacp Use this command to set link aggregation parameters for one or more ports. These settings will ...
Page 199 aadminstate Sets the port’s actor LACP administrative state to allow for: lacpactive | lacpactive ‐ Transmitting LACP PDUs. lacptimeout | lacpagg | lacpsync lacptimeout ‐ Transmitting LACP PDUs every 1 sec. vs 30 sec. (default). | lacpcollect | lacpagg ‐ Aggregation on this port. lacpdist | lacpdef | lacpexpire lacpsync ‐ Transition to synchronization state. lacpcollect ‐ Transition to collection state. lacpdist ‐ Transition to distribution state. lacpdef ‐ Transition to defaulted state. lacpexpire ‐ Transition to expired state. aportpri aportpri Sets the port’s actor port priority. Valid values are 0 ‐ 65535, with lower values designating higher priority. asyspri asyspri Sets the port’s actor system priority. The LACP implementation on the SecureStack C2 device uses this value to determine aggregation precedence when there are two devices competing for the same aggregator. Valid values are 0 ‐ 65535, with higher precedence given to lower values. enable (Optional) Enables LACPDU processing on this port. disable (Optional) Disables LACPDU processing on this port. padminkey Sets a default value to use as the port’s partner admin key. Only ports with padminkey matching admin keys are allowed to aggregate. Valid values are 1 ‐ 65535. padminport Sets a default value to use as the port’s partner admin value. Valid values padminport are 1 ‐ 65535. padminportpri Sets a default value to use as the port’s partner port priority. Valid values padminportpri are 0 ‐ 65535, with lower values given higher priority.
Page 200: Clear Port Lacp
Mode Switch command, read‐write. Usage LACP commands and parameters beginning with an “a” (such as aadminkey) set actor values. Corresponding commands and parameters beginning with a “p” (such as padminkey) set corresponding partner values. Actor refers to the local device participating in LACP negotiation, while partner refers to its remote device partner at the other end of the negotiation. Actors and partners maintain current status of the other via LACPDUs containing information about their ports’ LACP status and operational state. Example This example shows how to set the actor admin key to 3555 for port C2(su)->set port lacp ge.3.16 aadminkey 3555 clear port lacp Use this command to clear link aggregation settings for one or more ports. Syntax clear port lacp port port-string {[aadminkey] [aportpri] [asyspri] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef...
Page 201 Deletes a partner port from the LACP configuration. padminstate Clears the port’s specific partner admin state, or all partner admin state(s). lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all Defaults None. Mode Switch command, read‐write. Usage If you set a port to LACP passive using the command clear port lacp port <port‐string> aadminstate lacpactive, the command clear port lacp port <port‐string> aadminstate lacptimeout will also be added to the configuration. If you unset the first command, it will remove the second command automatically from the configuration file. Example This example shows how to clear all link aggregation parameters for port C2(su)->clear port lacp port ge.3.16 clear port lacp 3.16: SecureStack C2 Configuration Guide 7-51...
Page 202: Configuring Protected Ports
The Protected Port feature is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports may be designated as either protected or unprotected. Ports are unprotected by default. Multiple groups of protected ports are supported. Protected Port Operation Ports that are configured to be protected cannot forward traffic to other protected ports in the same group, regardless of having the same VLAN membership. However, protected ports can forward traffic to ports which are unprotected (not listed in any group). Protected ports can also forward traffic to protected ports in a different group, if they are in the same VLAN. Unprotected ports can forward traffic to both protected and unprotected ports. A port may belong to only one group of protected ports. This feature only applies to ports within a switch or a stack. It does not apply across multiple switches in a network. Commands For information about... set port protected show port protected clear port protected set port protected name show port protected name clear port protected name set port protected Use this command to specify a port to be protected and assign the port to a group of protected ...
Page 203: Show Port Protected
Example This example shows how to assign ports ge.1.1 through ge.1.3 to protected port group 1: C2(rw)->set port protected ge.1.1-3 1 show port protected Use this command to display information about the ports configured for protected mode. Syntax show port protected [port-string] | [group-id] Parameters port‐string group‐id Defaults If no parameters are entered, information about all protected ports is displayed. Mode Read‐only. Example This example shows how to display information about all protected ports: C2(ro)->show port protected Group id ---------------------- clear port protected Use this command to remove a port or group from protected mode. Syntax clear port protected [port-string] | [group-id] Parameters port‐string group‐id...
Page 204: Set Port Protected Name
Mode Switch command, read‐write. Example This example shows how to clear protected ports ge.1.1 through ge.1.3: C2(rw)->clear port protected ge.1.1-3 set port protected name Use this command to assign a name to a protected port group id. Syntax set port protected name group-id name Parameters group‐id name Defaults None. Mode Switch command, read‐write. Example This example shows how to assign the name “group1” to protected port group 1: C2(rw)->set port protected name 1 group1 show port protected name Use this command to display the name for the group ids specified.
Page 205: Clear Port Protected Name
Group ID ----------------------------- clear port protected name Use this command to clear the name of a protected group. Syntax clear port protected name group-id Parameters group‐id Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the name of protected port group 1: C2(rw)->clear port protected name 1 Group Name group1 Specifies the id of the group for which to clear the name. Id can range from 0 to 2. clear port protected name SecureStack C2 Configuration Guide 7-55...
Page 206 clear port protected name 7-56 Port Configuration...
Page 207: Snmp Configuration Summary
SNMP is an application‐layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. SecureStack C2 devices support three versions of SNMP: • Version 1 (SNMPv1) — This is the initial implementation of SNMP. Refer to RFC 1157 for a full description of functionality. • Version 2 (SNMPv2c) — The second release of SNMP, described in RFC 1907, has additions and enhancements to data types, counter size, and protocol operations. • Version 3 (SNMPv3) — This is the most recent version of SNMP, and includes significant enhancements to administration and security. SNMPv3 is fully described in RFC 2571, RFC 2572, RFC 2573, RFC 2574, and RFC 2575. SNMPv1 and SNMPv2c The components of SNMPv1 and SNMPv2c network management fall into three categories: • Managed devices (such as a switch). • SNMP agents and MIBs, including SNMP traps, community strings, and Remote Monitoring (RMON) MIBs, which run on managed devices. SNMP Configuration Refer to page... 8-15 8-19 8-22 8-25 8-28 8-37 SecureStack C2 Configuration Guide 8-1...
Page 208: Snmpv3
SNMP Configuration Summary • SNMP network management applications, such as the Enterasys NetSight application, which communicate with agents to get statistics and alerts from the managed devices. SNMPv3 SNMPv3 is an interoperable standards‐based protocol that provides secure access to devices by authenticating and encrypting frames over the network. The advanced security features provided in SNMPv3 are as follows: – Message integrity — Collects data securely without being tampered with or corrupted. – Authentication — Determines the message is from a valid source. – Encryption — Scrambles the contents of a frame to prevent it from being seen by an unauthorized source. Unlike SNMPv1 and SNMPv2c, in SNMPv3, the concept of SNMP agents and SNMP managers no longer apply. These concepts have been combined into an SNMP entity. An SNMP entity consists of an SNMP engine and SNMP applications. An SNMP engine consists of the following four components: • Dispatcher — This component sends and receives messages. • Message processing subsystem — This component accepts outgoing PDUs from the dispatcher and prepares them for transmission by wrapping them in a message header and returning them to the dispatcher. The message processing subsystem also accepts incoming messages from the dispatcher, processes each message header, and returns the enclosed PDU to the dispatcher. • Security subsystem — This component authenticates and encrypts messages. • Access control subsystem — This component determines which users and which operations are allowed access to managed objects. About SNMP Security Models and Levels An SNMP security model is an authentication strategy that is set up for a user and the group in ...
Page 209: Using Snmp Contexts To Access Specific Mibs
Table 8-1 SNMP Security Levels (Continued) Model Security Level NoAuthNoPriv AuthNoPriv authPriv Using SNMP Contexts to Access Specific MIBs By default, when operating from the switch CLI, SecureStack C2 devices allow access to all SNMP MIBs or contexts. A context is a collection of MIB objects, often associated with a particular physical or logical device. If no optional context parameters are configured for v1 and v2 “community” names and v3 “user” groups, these groups are able to access all SNMP MIB objects when in switch mode. Specifying a context parameter when setting up SNMP user group would permit or restrict the group’s switch management access to the MIB(s) specified by the context (MIB object ID) value. All SNMP contexts known to the device can be displayed using the show snmp context command as described in “show snmp context” on page 8‐20. Example This example permits the “powergroup” to manage all MIBs via SNMPv3: C2(su)->set snmp access powergroup security-model usm Configuration Considerations Commands for configuring SNMP on the SecureStack C2 device are independent during the ...
Page 210: Commands
Use this command to display the SNMP local engine ID. This is the SNMP v3 engine’s administratively unique identifier. Syntax show snmp engineid Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display SNMP engine properties: C2(su)->show snmp engineid EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87 Engine Boots Engine Time Max Msg Size Table 8‐2 provides an explanation of the command output. Table 8-2 show snmp engineid Output Details...
Page 211: Show Snmp Counters
Use this command to display SNMP traffic counter values. Syntax show snmp counters Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display SNMP counter values C2(su)->show snmp counters --- mib2 SNMP group counters: snmpInPkts snmpOutPkts snmpInBadVersions snmpInBadCommunityNames = 0 snmpInBadCommunityUses snmpInASNParseErrs snmpInTooBigs snmpInNoSuchNames snmpInBadValues snmpInReadOnlys snmpInGenErrs snmpInTotalReqVars snmpInTotalSetVars snmpInGetRequests...
Page 212: Show Snmp Counters Output Details
show snmp counters usmStatsUnknownEngineIDs usmStatsWrongDigests usmStatsDecryptionErrors Table 8‐3 provides an explanation of the command output. Table 8-3 show snmp counters Output Details Output Field snmpInPkts snmpOutPkts snmpInBadVersions snmpInBadCommunityNames snmpInBadCommunityUses snmpInASNParseErrs snmpInTooBigs snmpInNoSuchNames snmpInBadValues snmpInReadOnlys snmpInGenErrs snmpInTotalReqVars snmpInTotalSetVars snmpInGetRequests snmpInGetNexts snmpInSetRequests snmpInGetResponses snmpInTraps snmpOutTooBigs snmpOutNoSuchNames 8-6 SNMP Configuration What It Displays...
Page 213 Table 8-3 show snmp counters Output Details (Continued) Output Field What It Displays... snmpOutBadValues Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "badValue." snmpOutGenErrs Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "genErr."...
Page 214: Configuring Snmp Users, Groups, And Communities
Configuring SNMP Users, Groups, and Communities Configuring SNMP Users, Groups, and Communities Purpose To review and configure SNMP users, groups, and v1 and v2 communities. These are defined as follows: • User — A person registered in SNMPv3 to access SNMP management. • Group — A collection of users who share the same SNMP access privileges. • Community — A name used to authenticate SNMPv1 and v2 users. Commands For information about... show snmp user set snmp user clear snmp user show snmp group set snmp group clear snmp group show snmp community set snmp community...
Page 215: Set Snmp User
If user is not specified, information about all SNMP users will be displayed. If remote is not specified, user information about the local SNMP engine will be displayed. If not specified, user information for all storage types will be displayed. Mode Switch command, read‐only. Examples This example shows how to display an SNMP user list: C2(su)->show snmp user list --- SNMP user information --- --- List of registered users: Guest admin1 admin2 netops This example shows how to display information for the SNMP “guest” user: (su)->show snmp user guest --- SNMP user information --- EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00 Username Auth protocol...
Page 216: Clear Snmp User
| sha authpassword privacy privpassword (Optional) Applies encryption and specifies an encryption password. volatile | nonvolatile Defaults If remote is not specified, the user will be registered for the local SNMP engine. If authentication is not specified, no authentication will be applied. If privacy is not specified, no encryption will be applied. If storage type is not specified, nonvolatile will be applied. Mode Switch command, read‐write. Example This example shows how to create a new SNMP user named “netops”. By default, this user will be registered on the local SNMP engine without authentication user will be stored in permanent (nonvolatile) memory: C2(su)->set snmp user netops clear snmp user Use this command to remove a user from the SNMPv3 security‐model list. Syntax clear snmp user user [remote remote] Parameters user remote remote Defaults If remote is not specified, the user will be removed from the local SNMP engine.
Page 217: Show Snmp Group
Defaults If groupname is not specified, information about all SNMP groups will be displayed. If user is not specified, information about all SNMP users will be displayed. If security‐model is not specified, user information about all SNMP versions will be displayed. If not specified, information for all storage types will be displayed. Mode Switch command, read‐only. Example This example shows how to display SNMP group information: C2(su)->show snmp group --- SNMP group information --- Security model Security/user name Group name Storage type Row status Security model Security/user name Group name...
Page 218: Set Snmp Group
Defaults If storage type is not specified, nonvolatile storage will be applied. Mode Switch command, read‐write. Example This example shows how to create an SNMP group called “anyone”, assign a user named “public” and assign SNMPv3 security to the group: C2(su)->set snmp group anyone user public security-model usm clear snmp group Use this command to clear SNMP group settings globally or for a specific SNMP group and user. Syntax clear snmp group groupname user [security-model {v1 | v2c | usm}] 8-12 SNMP Configuration What It Displays...
Page 219: Show Snmp Community
Parameters groupname user security‐model v1 | v2c | usm Defaults If not specified, settings related to all security models will be cleared. Mode Switch command, read‐write. Example This example shows how to clear all settings assigned to the “public” user within the SNMP group “anyone”: C2(su)->clear snmp group anyone public show snmp community Use this command to display SNMP community names and status. In SNMPv1 and v2, community names act as passwords to remote management. Syntax show snmp community [name] Parameters name Defaults If name is not specified, information will be displayed for all SNMP communities.
Page 220: Set Snmp Community
[transport transport] [volatile | nonvolatile] Parameters community securityname securityname context context transport transport volatile | nonvolatile Defaults If securityname is not specified, the community name will be used. If context is not specified, access will be granted for the default context. If transport tag is not specified, none will be applied. If storage type is not specified, nonvolatile will be applied. Mode Switch command, read‐write. Example This example shows how to set an SNMP community name called “vip” C2(su)->set snmp community vip clear snmp community Use this command to delete an SNMP community name. Syntax clear snmp community name Parameters name 8-14 SNMP Configuration Specifies a community group name. (Optional) Specifies an SNMP security name to associate with this community. (Optional) Specifies a subset of management information this community ...
Page 221: Configuring Snmp Access Rights
Defaults None. Mode Switch command, read‐write. Example This example shows how to delete the community name “vip.” C2(su)->clear snmp community vip Configuring SNMP Access Rights Purpose To review and configure SNMP access rights, assigning viewing privileges and security levels to SNMP user groups. Commands For information about... show snmp access set snmp access clear snmp access show snmp access Use this command to display access rights and security levels configured for SNMP one or more groups. Syntax show snmp access [groupname] [security-model {v1 | v2c | usm}] [noauthentication...
Page 222: Show Snmp Access Output Details
Defaults If groupname is not specified, access information for all SNMP groups will be displayed. If security‐model is not specified, access information for all SNMP versions will be displayed. If noauthentication, authentication or privacy are not specified, access information for all security levels will be displayed. If context is not specified, all contexts will be displayed. If volatile, nonvolatile or read‐only are not specified, all entries of all storage types will be displayed. Mode Switch command, read‐only. Example This example shows how to display SNMP access information: C2(su)->show snmp access Group Security model Security level Read View Write View Notify View Context match Storage type Row status Group...
Page 223: Set Snmp Access
Table 8-6 show snmp access Output Details (Continued) Output Field Security level Read View Write View Notify View Context match Storage type Row status set snmp access Use this command to set an SNMP access configuration. Syntax set snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context] [exact | prefix] [read read] [write write] [notify notify] [volatile | nonvolatile] Parameters...
Page 224: Clear Snmp Access
If security level is not specified, no authentication will be applied. If context is not specified, access will be enabled for the default context. If context is specified without a context match, exact match will be applied. If read view is not specified none will be applied. If write view is not specified, none will be applied. If notify view is not specified, none will be applied. If storage type is not specified, entries will be stored as permanent and will be held through device reboot. Mode Switch command, read‐write. Example This example permits the “powergroup” to manage all MIBs via SNMPv3: C2(su)->set snmp access powergroup security-model usm clear snmp access Use this command to clear the SNMP access entry of a specific group, including its set SNMP security‐model, and level of security. Syntax clear snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context]...
Page 225: Configuring Snmp Mib Views
Syntax show snmp view [viewname] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only] Parameters viewname subtree oid‐or‐mibobject volatile | nonvolatile | read‐only Defaults If no parameters are specified, all SNMP MIB view configuration information will be displayed. Mode Switch command, read‐only. (Optional) Displays information for a specific MIB view. (Optional) Displays information for a specific MIB subtree when viewname is specified. (Optional) Displays entries for a specific storage type. Configuring SNMP MIB Views Refer to page... 8-19 8-20 8-21 8-22 SecureStack C2 Configuration Guide 8-19...
Page 226: Show Snmp Context
show snmp context Example This example shows how to display SNMP MIB view configuration information: C2(su)->show snmp view --- SNMP MIB View information --- View Name Subtree OID Subtree mask View Type Storage type Row status View Name Subtree OID Subtree mask View Type Storage type Row status View Name Subtree OID Subtree mask View Type...
Page 227: Set Snmp View
Mode Switch command, read‐only. Usage An SNMP context is a collection of management information that can be accessed by an SNMP agent or entity. The default context allows all SNMP agents to access all management information (MIBs). When created using the set snmp access command (“set snmp access” on page 8‐17), other contexts can be applied to limit access to a subset of management information. Example This example shows how to display a list of all SNMP contexts known to the device: C2(su)->show snmp context --- Configured contexts: default context (all mibs) set snmp view Use this command to set a MIB configuration for SNMPv3 view‐based access (VACM). Syntax set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile] Parameters viewname viewname Specifies a name for a MIB view. ...
Page 228: Clear Snmp View
Use this command to delete an SNMPv3 MIB view. Syntax clear snmp view viewname subtree Parameters viewname subtree Defaults None. Mode Switch command, read‐write. Example This example shows how to delete SNMP MIB view “public”: C2(su)->clear snmp view public 1.3.6.1 Configuring SNMP Target Parameters Purpose To review and configure SNMP target parameters. This controls where and under what circumstances SNMP notifications will be sent. A target parameter entry can be bound to a target IP address allowed to receive SNMP notification messages with the set snmp targetaddr command (“set snmp targetaddr” on page 8‐26). Commands For information about...
Page 229: Show Snmp Targetparams Output Details
Parameters targetParams volatile | nonvolatile | read‐only Defaults If targetParams is not specified, entries associated with all target parameters will be displayed. If not specified, entries of all storage types will be displayed. Mode Switch command, read‐only. Example This example shows how to display SNMP target parameters information: C2(su)->show snmp targetparams --- SNMP TargetParams information --- Target Parameter Name Security Name Message Proc. Model Security Level Storage type Row status Target Parameter Name Security Name Message Proc. Model...
Page 230: Set Snmp Targetparams
| v3 noauthentication | authentication | privacy volatile | nonvolatile Defaults None. If not specified, security level will be set to noauthentication. If not specified, storage type will be set to nonvolatile. Mode Switch command, read‐write. Example This example shows how to set SNMP target parameters named “v1ExampleParams” for a user named “fred” using version 3 security model and message processing, and authentication: C2(su)->set snmp targetparams v1ExampleParams user fred security-model usm message-processing v3 authentication clear snmp targetparams Use this command to clear the SNMP target parameter configuration. Syntax clear snmp targetparams targetParams 8-24 SNMP Configuration Specifies a name identifying parameters used to generate SNMP messages ...
Page 231: Configuring Snmp Target Addresses
Parameters targetParams Defaults None. Mode Switch command, read‐write. Example This example shows how to clear SNMP target parameters named “v1ExampleParams”: C2(su)->clear snmp targetparams v1ExampleParams Configuring SNMP Target Addresses Purpose To review and configure SNMP target addresses which will receive SNMP notification messages. An address configuration can be linked to optional SNMP transmit, or target, parameters (such as timeout, retry count, and UDP port) set with the set snmp targetparams command (page 8‐24). Commands For information about... show snmp targetaddr set snmp targetaddr clear snmp targetaddr show snmp targetaddr Use this command to display SNMP target address information. Syntax show snmp targetaddr [targetAddr] [volatile | nonvolatile | read-only]...
Page 232: Set Snmp Targetaddr
If not specified, entries of all storage types will be displayed for a target address. Mode Switch command, read‐only. Example This example shows how to display SNMP target address information: C2(su)->show snmp targetaddr Target Address Name Tag List IP Address UDP Port# Target Mask Timeout Retry count Parameters Storage type Row status Table 8‐9 provides an explanation of the command output. Table 8-9 show snmp targetaddr Output Details Output Field...
Page 233 “tag 1 tag 2”). volatile | (Optional) Specifies temporary (default), or permanent storage for SNMP nonvolatile entries. Defaults If not specified, udpport will be set to 162. If not specified, mask will be set to 255.255.255.255 If not specified, timeout will be set to 1500. If not specified, number of retries will be set to 3. If taglist is not specified, none will be set. If not specified, storage type will be nonvolatile. Mode Switch command, read‐write. Example This example shows how to configure a trap notification called “TrapSink.” This trap notification will be sent to the workstation 192.168.190.80 (which is target address “tr”). It will use security and authorization criteria contained in a target parameters entry called “v2cExampleParams”. For more information on configuring a basic SNMP trap, refer to “Creating a Basic SNMP Trap Configuration” on page 8‐37: C2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink set snmp targetaddr SecureStack C2 Configuration Guide 8-27...
Page 234: Clear Snmp Targetaddr
Use this command to delete an SNMP target address entry. Syntax clear snmp targetaddr targetAddr Parameters targetAddr Defaults None. Mode Switch command, read‐write. Example This example shows how to clear SNMP target address entry “tr”: C2(su)->clear snmp targetaddr tr Configuring SNMP Notification Parameters About SNMP Notify Filters Profiles indicating which targets should not receive SNMP notification messages are kept in the NotifyFilter table. If this table is empty, meaning that no filtering is associated with any SNMP target, then no filtering will take place. “Traps” or “informs” notifications will be sent to all destinations in the SNMP targetAddrTable that have tags matching those found in the NotifyTable. When the NotifyFilter table contains profile entries, the SNMP agent will find any filter profile name that corresponds to the target parameter name contained in an outgoing notification message. It will then apply the appropriate subtree‐specific filter when generating notification ...
Page 235: Show Newaddrtrap
Use this command to display the global and port‐specific status of the SNMP new MAC addresses trap function. Syntax show newaddrtrap [port-string] Parameters port‐string Defaults If port‐string is not specified, the status of the new MAC addresses trap function will be displayed for all ports. Mode Switch command, read‐only. Usage By default, this function is disabled globally and per port. Example This example displays the status for Gigabit Ethernet ports 1 through 5 in slot 1. C2(ro)->show newaddrtrap ge.1.1-5 New Address Traps Globally disabled Port Enable State --------- ------------ (Optional) Displays the status of the new MAC addresses trap function on specific ports. show newaddrtrap Refer to page...
Page 236: Set Newaddrtrap
Use this command to enable or disable SNMP trap messaging, globally or on one or more ports, when new source MAC addresses are detected. Syntax set newaddrtrap [port-string] {enable | disable} Parameters port‐string enable | disable Defaults If port‐string is not specified, the trap function is set globally. Mode Switch mode, read‐write. Usage This command enables and disables sending SNMP trap messages when a new source MAC address is detected by a port. If the port is a CDP port, however, traps for new source MAC addresses will not be sent. The default mode is disabled globally and per port. Example= This example enables the trap function globally and then on Gigabit Ethernet ports 1 through 5 in slot 1. C2(rw)->set newaddrtrap enable C2(rw)->set newaddrtrap ge.1.1-5 enable show snmp notify Use this command to display the SNMP notify configuration, which determines the management targets that will receive SNMP notifications.
Page 237: Set Snmp Notify
Parameters notify volatile | nonvolatile | read‐ only Defaults If a notify name is not specified, all entries will be displayed. If volatile, nonvolatile, or read‐only are not specified, all storage type entries will be displayed. Mode Switch command, read‐only. Example This example shows how to display the SNMP notify information: C2(su)->show snmp notify --- SNMP notifyTable information --- Notify name Notify Tag Notify Type Storage type Row status Notify name Notify Tag Notify Type Storage type Row status Table 8‐10 provides an explanation of the command output.
Page 238: Clear Snmp Notify
[trap | inform] [volatile | nonvolatile] Parameters notify tag tag trap | inform volatile | nonvolatile Defaults If not specified, message type will be set to trap. If not specified, storage type will be set to nonvolatile. Mode Switch command, read‐write. Example This example shows how to set an SNMP notify configuration with a notify name of “hello” and a notify tag of “world”. Notifications will be sent as trap messages and storage type will automatically default to permanent: C2(su)->set snmp notify hello tag world trap clear snmp notify Use this command to clear an SNMP notify configuration. Syntax clear snmp notify notify Parameters...
Page 239: Show Snmp Notifyfilter
[profile] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only] Parameters profile subtree oid‐or‐ mibobject volatile | nonvolatile | read‐ only Defaults If no parameters are specified, all notify filter information will be displayed. Mode Switch command, read‐only. Usage See “About SNMP Notify Filters” on page 8‐28 for more information about notify filters. Example This example shows how to display SNMP notify filter information. In this case, the notify profile “pilot1” in subtree 1.3.6 will not receive SNMP notification messages: C2(su)->show snmp notifyfilter --- SNMP notifyFilter information --- Profile Subtree Filter type Storage type Row status (Optional) Displays a specific notify filter.
Page 240: Set Snmp Notifyfilter
Defaults If not specified, mask is not set. If not specified, subtree will be included. If storage type is not specified, nonvolatile (permanent) will be applied. Mode Switch command, read‐write. Usage See “About SNMP Notify Filters” on page 8‐28 for more information about notify filters. Example This example shows how to create an SNMP notify filter called “pilot1” with a MIB subtree ID of 1.3.6: C2(su)->set snmp notifyfilter pilot1 subtree 1.3.6 clear snmp notifyfilter Use this command to delete an SNMP notify filter configuration. Syntax clear snmp notifyfilter profile subtree oid-or-mibobject 8-34 SNMP Configuration Specifies an SNMP filter notify name.
Page 241: Show Snmp Notifyprofile
Parameters profile subtree oid‐or‐ mibobject Defaults None. Mode Switch command, read‐write. Example This example shows how to delete the SNMP notify filter “pilot1”: C2(su)->clear snmp notifyfilter pilot1 subtree 1.3.6 show snmp notifyprofile Use this command to display SNMP notify profile information. This associates target parameters to an SNMP notify filter to determine who should not receive SNMP notifications. Syntax show snmp notifyprofile [profile] [targetparam targetparam] [volatile | nonvolatile | read-only] Parameters profile targetparam targetparam volatile | nonvolatile | read‐ only Defaults If no parameters are specified, all notify profile information will be displayed.
Page 242: Set Snmp Notifyprofile
[volatile | nonvolatile] Parameters profile targetparam targetparam volatile | nonvolatile Defaults If storage type is not specified, nonvolatile (permanent) will be applied. Mode Switch command, read‐write. Example This example shows how to create an SNMP notify profile named area51 parameters entry. C2(su)->set snmp notifyprofile area51 targetparam v3ExampleParams clear snmp notifyprofile Use this command to delete an SNMP notify profile configuration. Syntax clear snmp notifyprofile profile targetparam targetparam Parameters profile targetparam ...
Page 243: Creating A Basic Snmp Trap Configuration
Mode Switch command, read‐write. Example This example shows how to delete SNMP notify profile “area51”: C2(su)->clear snmp notifyprofile area51 targetparam v3ExampleParams Creating a Basic SNMP Trap Configuration Traps are notification messages sent by an SNMPv1 or v2 agent to a network management station, a console, or a terminal to indicate the occurrence of a significant event, such as when a port or device goes up or down, when there are authentication failures, and when power supply errors occur. The following configuration example shows how to use CLI commands to associate SNMP notification parameters with security and authorization criteria (target parameters), and map the parameters to a management target address. Note: This example illustrates how to configure an SNMPv2 trap notification. Creating an SNMPv1 or v3 Trap, or an SNMPv3 Inform notification would require using the same commands with different parameters, where appropriate.
Page 244: Example
Creating a Basic SNMP Trap Configuration Example This example shows how to: • Create an SNMP community called mgmt. • Configure a trap notification called TrapSink. This trap notification will be sent with the community name mgmt to the workstation 192.168.190.80 (which is target address tr). It will use security and authorization criteria contained in a target parameters entry called v2cExampleParams. C2(su)->set snmp community mgmt C2(su)->set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c C2(su)->set snmp notify entry1 tag TrapSink C2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink How SNMP Will Use This Configuration In order to send a trap/notification requested by a MIB code, the SNMP agent requires the ...
Page 245: Chapter 9: Spanning Tree Configuration
Otherwise, the proper operation of the network could be at risk. Spanning Tree Configuration Summary Overview: Single, Rapid, and Multiple Spanning Tree Protocols The IEEE 802.1D Spanning Tree Protocol (STP) resolves the problems of physical loops in a network by establishing one primary path between any two devices in a network. Any duplicate paths are barred from use and become standby or blocked paths until the original path fails, at which point they can be brought into service. RSTP The IEEE 802.1w Rapid Spanning Protocol (RSTP), an evolution of 802.1D, can achieve much faster convergence than legacy STP in a properly configured network. RSTP significantly reduces the time to reconfigure the network’s active topology when physical topology or configuration parameter changes occur. It selects one switch as the root of a Spanning Tree‐connected active topology and assigns port roles to individual ports on the switch, depending on whether that port is part of the active topology. RSTP provides rapid connectivity following the failure of a switch, switch port, or a LAN. A new root port and the designated port on the other side of the bridge transition to forwarding through an explicit handshake between them. By default, user ports are configured to rapidly transition to forwarding in RSTP. MSTP The IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) builds upon 802.1D and RSTP by optimizing utilization of redundant links between switches in a network. When redundant links exist between a pair of switches running single STP, one link is forwarding while the others are ...
Page 246: Spanning Tree Features
Achieving port changes in short time intervals, which establishes a stable active topology quickly with minimal network disturbance. • Using a minimum amount of communications bandwidth to accomplish the operation of the Spanning Tree Protocol. • Reconfiguring the active topology in a manner that is transparent to stations transmitting and receiving data packets. • Managing the topology in a consistent and reproducible manner through the use of Spanning Tree Protocol parameters. Note: The term “bridge” is used as an equivalent to the term “switch” or “device” in this document. Loop Protect The Loop Protect feature prevents or short circuits loop formation in a network with redundant paths by requiring ports to receive type 2 BPDUs (RSTP/MSTP) on point‐to‐point inter‐switch links (ISLs) before their states are allowed to become forwarding. Further, if a BPDU timeout occurs on a port, its state becomes listening until a BPDU is received. Both upstream and downstream facing ports are protected. When a root or alternate port loses its path to the root bridge due to a message age expiration it takes on the role of designated port. It will not forward traffic until a BPDU is received. When a port is intended to be the designated port in an ISL it constantly proposes and will not forward until a BPDU is received, and will revert to listening if it fails to get a response. This protects against misconfiguration and protocol failure by ...
Page 247: Configuring Spanning Tree Bridge Parameters
Loop Protect operates as a per port, per MST instance feature. It should be set on inter‐switch links. It is comprised of several related functions: • Control of port forwarding state based on reception of agreement BPDUs • Control of port forwarding state based on reception of disputed BPDUs • Communicating port non‐forwarding status through traps and syslog messages • Disabling a port based on frequency of failure events Port forwarding state in the designated port is gated by a timer that is set upon BPDU reception. It is analogous to the rcvdInfoWhile timer the port uses when receiving root information in the root/ alternate/backup role. There are two operational modes for Loop Protect on a port. If the port is connected to a device known to implement Loop Protect, it uses full functional mode. Otherwise the port operates in limited functional mode. Connection to a Loop Protect switch guarantees that the alternate agreement mechanism is implemented. This means the designated port can rely on receiving a response to its proposal regardless of the role of the connected port, which has two important implications. First, the designated port connected to a non‐root port may transition to forwarding. Second, there is no ambiguity when a timeout happens; a Loop Protect event has occurred. In full functional mode, when a type 2 BPDU is received and the port is designated and point‐to‐ point, the timer is set to 3 times helloTime. In limited functional mode there is the additional requirement that the flags field indicate a root role. If the port is a boundary port the MSTIs for that port follow the CIST, that is, the MSTI port timers are set according to the CIST port timer. If the port is internal to the region then the MSTI port timers are set independently using the particular MSTI message. Message age expiration and the expiration of the Loop Protect timer are both Loop Protect events. A notice level syslog message is produced for each such event. Traps may be configured to report these events as well. A syslog message and trap may be configured for disputed BPDUs. It is also configurable to force the locking of a SID/port for the occurrence of one or more events. When the configured number of events happen within a given window of time, the port is forced into blocking and held there until it is manually unlocked via management. Configuring Spanning Tree Bridge Parameters Purpose To display and set Spanning Tree bridge parameters, including device priorities, hello time, ...
Page 248: Commands
Configuring Spanning Tree Bridge Parameters Commands For information about... show spantree stats set spantree show spantree version set spantree version clear spantree version show spantree bpdu-forwarding set spantree bpdu-forwarding show spantree bridgeprioritymode set spantree bridgeprioritymode clear spantree bridgeprioritymode show spantree mstilist set spantree msti clear spantree msti show spantree mstmap...
Page 249: Show Spantree Stats
Use this command to display Spanning Tree information for one or more ports. Syntax show spantree stats [port port-string] [sid sid] [active] Parameters port port‐string sid sid active Defaults If port‐string is not specified, Spanning Tree information for all ports will be displayed. If sid is not specified, information for Spanning Tree 0 will be displayed. If active is not specified information for all ports will be displayed regardless of whether or not they have received BPDUs. Mode Switch command, read‐only. (Optional) Displays information for the specified port(s). For a detailed description of possible port‐‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. (Optional) Displays information for a specific Spanning Tree identifier. If not specified, SID 0 is assumed. (Optional) Displays information for ports that have received STP BPDUs since boot. show spantree stats Refer to page... 9-24 9-25 9-25 9-26...
Page 250: Show Spantree Output Details
show spantree stats Example This example shows how to display the device’s Spanning Tree configuration: C2(su)->show spantree stats Spanning tree status Spanning tree instance Designated Root MacAddr Designated Root Priority Designated Root Cost Designated Root Port Root Max Age Root Hello Time Root Forward Delay Bridge ID MAC Address Bridge ID Priority Bridge Max Age Bridge Hello Time Bridge Forward Delay...
Page 251: Set Spantree
Table 9-1 show spantree Output Details (Continued) Output Bridge Forward Delay Topology Change Count Time Since Top Change Max Hops set spantree Use this command to globally enable or disable the Spanning Tree protocol on the switch. Syntax set spantree {disable | enable} Parameters disable | enable Defaults None. Mode Switch command, read‐write. Example This example shows how to disable Spanning Tree on the device: C2(su)->set spantree disable show spantree version Use this command to display the current version of the Spanning Tree protocol running on the ...
Page 252: Set Spantree Version
Mode Switch command, read‐only. Example This example shows how to display Spanning Tree version information for the device: C2(su)->show spantree version Force Version is mstp set spantree version Use this command to set the version of the Spanning Tree protocol to MSTP (Multiple Spanning Tree Protocol), RSTP (Rapid Spanning Tree Protocol) or to STP 802.1D‐compatible. Syntax set spantree version {mstp | stpcompatible | rstp} Parameters mstp stpcompatible rstp Defaults None. Mode Switch command, read‐write. Usage In most networks, Spanning Tree version should not be changed from its default setting of mstp (Multiple Spanning Tree Protocol) mode. MSTP mode is fully compatible and interoperable with legacy STP 802.1D and Rapid Spanning Tree (RSTP) bridges. Setting the version to stpcompatible ...
Page 253: Show Spantree Bpdu-Forwarding
Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the Spanning Tree version: C2(su)->clear spantree version show spantree bpdu-forwarding Use this command to display the Spanning Tree BPDU forwarding mode. Syntax show spantree bpdu-forwarding Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the Spanning Tree BPDU forwarding mode: C2(su)->show spantree bpdu-forwarding BPDU forwarding is disabled.
Page 254: Show Spantree Bridgeprioritymode
Defaults By default BPDU forwarding is disabled. Mode Switch command, read‐write. Usage The Spanning Tree protocol must be disabled (set spantree disable) for this feature to take effect. Example This example shows how to enable BPDU forwarding: C2(rw)-> set spantree bpdu-forwarding enable show spantree bridgeprioritymode Use this command to display the Spanning Tree bridge priority mode setting. Syntax show spantree bridgeprioritymode Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the Spanning Tree bridge priority mode setting: C2(rw)->show spantree bridgeprioritymode Bridge Priority Mode is set to IEEE802.1t mode.
Page 255: Clear Spantree Bridgeprioritymode
Parameters 8021d 8021t Defaults None Mode Switch command, read‐write. Usage The mode affects the range of priority values used to determine which device is selected as the Spanning Tree root as described in set spantree priority (“set spantree priority” on page 9‐17). The default for the switch is to use 802.1t bridge priority mode. Example This example shows how to set the bridge priority mode to 802.1D: C2(rw)->set spantree bridgeprioritymode 8021d clear spantree bridgeprioritymode Use this command to reset the Spanning Tree bridge priority mode to the default setting of 802.1t. Syntax clear spantree bridgeprioritymode Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the bridge priority mode to 802.1t: C2(rw)->clear spantree bridgeprioritymode Sets the bridge priority mode to use 802.1D (legacy) values, which are 0 ‐ 65535. Sets the bridge priority mode to use 802.1t values, which are 0 to 61440, in ...
Page 256: Show Spantree Mstilist
Use this command to display a list of Multiple Spanning Tree (MST) instances configured on the device. Syntax show spantree mstilist Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display a list of MST instances. In this case, SID 2 has been configured: C2(su)->show spantree mstilist Configured Multiple Spanning Tree instances: set spantree msti Use this command to create or delete a Multiple Spanning Tree instance. Syntax set spantree msti sid sid {create | delete} Parameters sid sid create | delete...
Page 257: Clear Spantree Msti
Use this command to delete one or more Multiple Spanning Tree instances. Syntax clear spantree msti [sid sid] Parameters sid sid Defaults If sid is not specified, all MST instances will be cleared. Mode Switch command, read‐write. Example This example shows how to delete all MST instances: C2(su)->clear spantree msti show spantree mstmap Use this command to display the mapping of a filtering database ID (FID) to a Spanning Trees. Since VLANs are mapped to FIDs, this shows to which SID a VLAN is mapped. Syntax show spantree mstmap [fid fid] Parameters fid fid Defaults If fid is not specified, information for all assigned FIDs will be displayed. Mode Switch command, read‐only. Example This example shows how to display SID to FID mapping information for FID 1. In this case, no ...
Page 258: Set Spantree Mstmap
GVRP communication is lost, it is recommended that you only create MST maps on statically-created VLANs. Syntax set spantree mstmap fid [sid sid] Parameters fid sid sid Defaults If sid is not specified, FID(s) will be mapped to Spanning Tree 0. Mode Switch command, read‐write. Example This example shows how to map FID 3 to SID 2: C2(su)->set spantree mstmap 3 sid 2 clear spantree mstmap Use this command to map a FID back to SID 0. Syntax clear spantree mstmap fid Parameters Defaults If fid is not specified, all SID to FID mappings will be reset.
Page 259: Show Spantree Vlanlist
Use this command to display the Spanning Tree ID(s) assigned to one or more VLANs. Syntax show spantree vlanlist [vlan-list] Parameters vlan‐list Defaults If not specified, SID assignment will be displayed for all VLANs. Mode Switch command, read‐only. Example This example shows how to display the SIDs mapped to VLAN 1. In this case, SIDs 2, 16 and 42 are mapped to VLAN 1. For this information to display, the SID instance must be created using the set spantree msti command as described in “set spantree msti” on page 9‐12, and the FIDs must be mapped to SID mstmap” on page 9‐14: C2(su)->show spantree vlanlist 1 The following SIDS are assigned to VLAN 1: 2 16 42 show spantree mstcfgid Use this command to display the MST configuration identifier elements, including format selector, ...
Page 260: Set Spantree Mstcfgid
Configuration Digest: ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62 set spantree mstcfgid Use this command to set the MST configuration name and/or revision level. Syntax set spantree mstcfgid {cfgname name | rev level} Parameters cfgname name rev level Defaults None. Mode Switch command, read‐write. Example This example shows how to set the MST configuration name to “mstconfig”: C2(su)->set spantree mstconfigid cfgname mstconfig clear spantree mstcfgid Use this command to reset the MST revision level to a default value of 0, and the configuration name to a default string representing the bridge MAC address. Syntax clear spantree mstcfgid Parameters None.
Page 261: Set Spantree Priority
Example This example shows how to reset the MST configuration identifier elements to default values: C2(su)->clear spantree mstcfgid set spantree priority Use this command to set the device’s Spanning Tree priority. Syntax set spantree priority priority [sid] Parameters priority Defaults If sid is not specified, priority will be set on Spanning Tree 0. Mode Switch command, read‐write. Usage The device with the highest priority (lowest numerical value) becomes the Spanning Tree root device. If all devices have the same priority, the device with the lowest MAC address will then become the root device. Depending on the bridge priority mode (set with the set spantree bridgeprioritymode command described in “set spantree bridgeprioritymode” on page 9‐10, some priority values may be rounded up or down. Example This example shows how to set the bridge priority to 4096 on SID 1: C2(su)->set spantree priority 4096 1 clear spantree priority Use this command to reset the Spanning Tree priority to the default value of 32768. Syntax...
Page 262: Set Spantree Hello
Defaults If sid is not specified, priority will be reset on Spanning Tree 0. Mode Switch command, read‐write. Example This example shows how to reset the bridge priority on SID 1: C2(su)->clear spantree priority 1 set spantree hello Use this command to set the device’s Spanning Tree hello time, This is the time interval (in seconds) the device will transmit BPDUs indicating it is active. Syntax set spantree hello interval Parameters interval Defaults None. Mode Switch command, read‐write. Example This example shows how to globally set the Spanning Tree hello time to 10 seconds: C2(su)->set spantree hello 10 clear spantree hello Use this command to reset the Spanning Tree hello time to the default value of 2 seconds. Syntax...
Page 263: Set Spantree Maxage
Mode Switch command, read‐write. Example This example shows how to globally reset the Spanning Tree hello time: C2(su)->clear spantree hello set spantree maxage Use this command to set the bridge maximum aging time. Syntax set spantree maxage agingtime Parameters agingtime Defaults None. Mode Switch command, read‐write. Usage The bridge maximum aging time is the maximum time (in seconds) a device can wait without receiving a configuration message (bridge “hello”) before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information provided in the last configuration message becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. Example This example shows how to set the maximum aging time to 25 seconds: C2(su)->set spantree maxage 25 clear spantree maxage Use this command to reset the maximum aging time for a Spanning Tree to the default value of 20 seconds.
Page 264: Set Spantree Fwddelay
Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to globally reset the maximum aging time: C2(su)->clear spantree maxage set spantree fwddelay Use this command to set the Spanning Tree forward delay. Syntax set spantree fwddelay delay Parameters delay Defaults None. Mode Switch command, read‐write. Usage The forward delay is the maximum time (in seconds) the root device will wait before changing states (i.e., listening to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a blocking state; otherwise, temporary data loops might result. Example This example shows how to globally set the bridge forward delay to 16 seconds: C2(su)->set spantree fwddelay 16 9-20 Spanning Tree Configuration Specifies the number of seconds for the bridge forward delay. Valid values ...
Page 265: Clear Spantree Fwddelay
Use this command to reset the Spanning Tree forward delay to the default setting of 15 seconds. Syntax clear spantree fwddelay Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to globally reset the bridge forward delay: C2(su)->clear spantree fwddelay show spantree backuproot Use this command to display the backup root status for an MST instance. Syntax show spantree backuproot [sid] Parameters Defaults If a SID is not specified, then status will be shown for Spanning Tree instance 0. Mode Switch command, read‐only. Example This example shows how to display the status of the backup root function on SID 0: C2(rw)->show spantree backuproot Backup root is set to disable on sid 0 (Optional) Display backup root status for a specific Spanning Tree ...
Page 266: Set Spantree Backuproot
Use this command to enable or disable the Spanning Tree backup root function on the switch. Syntax set spantree backuproot sid {disable | enable} Parameters disable | enable Defaults None. Mode Switch command, read‐write. Usage The Spanning Tree backup root function is disabled by default on the SecureStack C2. When this feature is enabled and the switch is directly connected to the root bridge, stale Spanning Tree information is prevented from circulating if the root bridge is lost. If the root bridge is lost, the backup root will dynamically lower its bridge priority so that it will be selected as the new root over the lost root bridge. Example This example shows how to enable the backup root function on SID 2: C2(rw)->set spantree backuproot 2 enable clear spantree backuproot Use this command to reset the Spanning Tree backup root function to the default state of disabled. Syntax clear spantree backuproot sid...
Page 267: Show Spantree Tctrapsuppress
Use this command to display the status of topology change trap suppression on Rapid Spanning Tree edge ports. Syntax show spantree tctrapsuppress Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the status of topology change trap suppression: C2(rw)->show spantree tctrapsuppress Topology change Trap Suppression is set to enabled set spantree tctrapsuppress Use this command to disable or enable topology change trap suppression on Rapid Spanning Tree edge ports. Syntax set spantree tctrapsuppress {disable | enable} Parameters disable | enable...
Page 268: Clear Spantree Tctrapsuppress
Usage By default, RSTP non‐edge (bridge) ports that transition to forwarding or blocking cause the switch to issue a topology change trap. When topology change trap suppression is enabled, which is the device default, edge ports (such as end station PCs) are prevented from sending topology change traps. This is because there is usually no need for network management to monitor edge port STP transition states, such as when PCs are powered on. When topology change trap suppression is disabled, all ports, including edge and bridge ports, will transmit topology change traps. Example This example shows how to allow Rapid Spanning Tree edge ports to transmit topology change traps: C2(rw)->set spantree tctrapsuppress disable clear spantree tctrapsuppress Use this command to clear the status of topology change trap suppression on Rapid Spanning Tree edge ports to the default state of enabled (edge port topology changes do not generate traps). Syntax clear spantree tctrapsuppress Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to clear topology change trap suppression setting: C2(rw)->clear spantree tctrapsuppress set spantree protomigration Use this command to reset the protocol state migration machine for one or more Spanning Tree ...
Page 269: Show Spantree Spanguard
Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the protocol state migration machine on port 20: C2(su)->set spantree protomigration ge.1.20 show spantree spanguard Use this command to display the status of the Spanning Tree SpanGuard function. Syntax show spantree spanguard Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the SpanGuard function status: C2(su)->show spantree spanguard Spanguard is disabled set spantree spanguard Use this command to enable or disable the Spanning Tree SpanGuard function. Syntax set spantree spanguard {enable | disable} Parameters enable | disable...
Page 270: Clear Spantree Spanguard
Mode Switch command, read‐write. Usage SpanGuard is designed to disable, or lock out an “edge” port when an unexpected BPDU is received. The port can be configured to be re‐enabled after a set time period, or only after manual intervention. A port can be defined as an edge (user) port using the set spantree adminedge command, described in “set spantree adminedge” on page 9‐39. A port designated as an edge port is expected to be connected to a workstation or other end‐user type of device, and not to another switch in the network. When SpanGuard is enabled, if a non‐loopback BPDU is received on an edge port, the Spanning Tree state of that port will be changed to “blocking” and will no longer forward traffic. The port will remain disabled until the amount of time defined by set spantree spanguardtimeout (“set spantree spanguardtimeout” on page 9‐27) has passed since the last seen BPDU, the port is manually unlocked (set or clear spantree spanguardlock, “clear / set spantree spanguardlock” on page 9‐29), the configuration of the port is changed so it is not longer an edge port, or the SpanGuard function is disabled. SpanGuard is enabled and disabled only on a global basis (across the stack, if applicable). By default, SpanGuard is disabled and SpanGuard traps are enabled. Example This example shows how to enable the SpanGuard function: C2(rw)->set spantree spanguard enable clear spantree spanguard Use this command to reset the status of the Spanning Tree SpanGuard function to disabled. Syntax clear spantree spanguard Parameters None.
Page 271: Show Spantree Spanguardtimeout
Use this command to display the Spanning Tree SpanGuard timeout setting. Syntax show spantree spanguardtimeout Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the SpanGuard timeout setting: C2(su)->show spantree spanguardtimeout Spanguard timeout: 300 set spantree spanguardtimeout Use this command to set the amount of time (in seconds) an edge port will remain locked by the SpanGuard function. Syntax set spantree spanguardtimeout timeout Parameters timeout Defaults None. Mode Switch command, read‐write. Example This example shows how to set the SpanGuard timeout to 600 seconds: C2(su)->set spantree spanguardtimeout 600...
Page 272: Clear Spantree Spanguardtimeout
Use this command to reset the Spanning Tree SpanGuard timeout to the default value of 300 seconds. Syntax clear spantree spanguardtimeout Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the SpanGuard timeout to 300 seconds: C2(rw)->clear spantree spanguardtimeout show spantree spanguardlock Use this command to display the SpanGuard lock status of one or more ports. Syntax show spantree spanguardlock [port-string] Parameters port‐string Defaults If no port string is specified, the SpanGuard lock status for all ports is displayed. Mode Switch command, read‐only. Example This example shows how to display the SpanGuard lock status for ge.1.1: C2(su)->show spantree spanguardlock ge.1.1...
Page 273: Clear / Set Spantree Spanguardlock
/ set spantree spanguardlock Use either of these commands to unlock one or more ports locked by the Spanning Tree SpanGuard function. When SpanGuard is enabled, it locks ports that receive BPDUs when those ports have been defined as edge (user) ports (as described in “set spantree adminedge” on page 9‐39). Syntax clear spantree spanguardlock port-string set spantree spanguardlock port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to unlock port C2(rw)->clear spantree spanguardlock ge.1.16 show spantree spanguardtrapenable Use this command to display the state of the Spanning Tree SpanGuard trap function. Syntax show spantree spanguardtrapenable Parameters None. Defaults None. Mode Switch command, read‐only.
Page 274: Set Spantree Spanguardtrapenable
Use this command to enable or disable the sending of an SNMP trap message when SpanGuard has locked a port. Syntax set spantree spanguardtrapenable {disable | enable} Parameters disable | enable Defaults None. Mode Switch command, read‐write. Example This example shows how to disable the SpanGuard trap function: C2(su)->set spantree spanguardtrapenable disable clear spantree spanguardtrapenable Use this command to reset the Spanning Tree SpanGuard trap function back to the default state of enabled. Syntax clear spantree spanguardtrapenable Parameters None. Defaults None.
Page 275: Show Spantree Legacypathcost
Use this command to display the default Spanning Tree path cost setting. Syntax show spantree legacypathcost Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the default Spanning Tree path cost setting. C2(su)->show spantree legacypathcost Legacy Path Cost is disabled. set spantree legacypathcost Use this command to enable or disable legacy (802.1D) path cost values. Syntax set spantree legacypathcost {disable | enable} Parameters disable enable Defaults None.
Page 276: Clear Spantree Legacypathcost
Use this command to set the Spanning Tree default value for legacy path cost to 802.1t values. Syntax clear spantree legacypathcost Defaults None. Mode Switch command, read‐write. Example This example clears the legacy path cost to 802.1t values. C2(rw)->clear spantree legacypathcost 9-32 Spanning Tree Configuration...
Page 277: Set Spantree Portadmin
Use this command to disable or enable the Spanning Tree algorithm on one or more ports. Syntax set spantree portadmin port-string {disable | enable} Parameters port‐string disable | enable Defaults None. Mode Switch command, read‐write. Specifies the port(s) for which to enable or disable Spanning Tree. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Disables or enables Spanning Tree. Configuring Spanning Tree Port Parameters Refer to page... 9-33 9-34 9-34 9-35 9-35...
Page 278: Clear Spantree Portadmin
Example This example shows how to disable Spanning Tree on ge.1.5: C2(rw)->set spantree portadmin clear spantree portadmin Use this command to reset the default Spanning Tree admin status to enable on one or more ports. Syntax clear spantree portadmin port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the default Spanning Tree admin state to enable on ge.1.12: C2(rw)->clear spantree portadmin show spantree portadmin Use this command to display the status of the Spanning Tree algorithm on one or more ports. Syntax show spantree portadmin [port port-string] Parameters port port‐string Defaults If port‐string is not specified, status will be displayed for all ports. Mode Switch command, read‐only.
Page 279: Show Spantree Portpri
Syntax show spantree portpri [port port-string] [sid sid] Parameters port port‐string sid sid Defaults If port‐string is not specified, port priority will be displayed for all Spanning Tree ports. If sid is not specified, port priority will be displayed for Spanning Tree 0. Mode Switch command, read‐only. Example This example shows how to display the port priority for ge.2.7: C2(su)->show spantree portpri port Port 2.7 has a Port Priority of 128 on SID 0 set spantree portpri Use this command to set a port’s Spanning Tree priority. Syntax set spantree portpri port-string priority [sid sid] (Optional) Specifies the port(s) for which to display Spanning Tree priority. ...
Page 280: Clear Spantree Portpri
Parameters port‐string priority sid sid Defaults If sid is not specified, port priority will be set for Spanning Tree 0. Mode Switch command, read‐write. Example This example shows how to set the priority of ge.1.3 to 240 on SID 1 C2(su)->set spantree portpri clear spantree portpri Use this command to reset the bridge priority of a Spanning Tree port to a default value of 128. Syntax clear spantree portpri port-string [sid sid] Parameters port‐string sid sid Defaults If sid is not specified, port priority will be set for Spanning Tree 0. Mode Switch command, read‐write. Example This example shows how to reset the priority of ge.1.3 to 128 on SID 1 C2(su)->clear spantree portpri 9-36 Spanning Tree Configuration Specifies the port(s) for which to set Spanning Tree port priority. For a ...
Page 281: Show Spantree Adminpathcost
Syntax show spantree adminpathcost [port port-string] [sid sid] Parameters port port‐string sid sid Defaults If port‐string is not specified, admin path cost for all Spanning Tree ports will be displayed. If sid is not specified, admin path cost for Spanning Tree 0 will be displayed. Mode Switch command, read‐only. Example This example shows how to display the admin path cost for ge.3.4 on SID 1: C2(su)->show spantree adminpathcost port Port 3.4 has a Port Admin Path Cost of 0 on SID 1 set spantree adminpathcost Use this command to set the administrative path cost on a port and one or more Spanning Trees. Syntax...
Page 282: Clear Spantree Adminpathcost
C2(su)->set spantree adminpathcost clear spantree adminpathcost Use this command to reset the Spanning Tree default value for port admin path cost to 0. Syntax clear spantree adminpathcost port-string [sid sid] Parameters port‐string sid sid Defaults If sid is not specified, admin path cost will be reset for Spanning Tree 0. Mode Switch command, read‐write. Example This example shows how to reset the admin path cost to 0 for ge.3.2 on SID 1: C2(su)->clear spantree adminpathcost show spantree adminedge Use this command to display the edge port administrative status for a port. Syntax show spantree adminedge [port port-string] Parameters port‐string Defaults If port‐string is not specified edge port administrative status will be displayed for all Spanning Tree ...
Page 283: Set Spantree Adminedge
Mode Switch command, read‐only. Example This example shows how to display the edge port status for ge.3.2: C2(su)->show spantree adminedge port Port 3.2 has a Port Admin Edge of Edge-Port set spantree adminedge Use this command to set the edge port administrative status on a Spanning Tree port. Syntax set spantree adminedge port-string {true | false} Parameters port‐string true | false Defaults None. Mode Switch command, read‐write. Usage The default behavior of the edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BDPU is not received on the port within a few seconds, the status setting changes to true. ...
Page 284 Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to reset ge.1.11 as a non‐edge port: C2(su)->clear spantree adminedge 9-40 Spanning Tree Configuration Specifies port(s) on which to reset edge port status. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. 1.11...
Page 285: Configuring Spanning Tree Loop Protect Parameters
Configuring Spanning Tree Loop Protect Parameters Purpose To display and set Spanning Tree Loop Protect parameters, including the global parameters of Loop Protect threshold, window, enabling traps, and disputed BPDU threshold, as well as per port and port/SID parameters. See “Loop Protect” on page 9‐2 for more information about the Loop Protect feature. Commands For information about... set spantree lp show spantree lp clear spantree lp show spantree lplock clear spantree lplock set spantree lpcapablepartner show spantree lpcapablepartner clear spantree lpcapablepartner set spantree lpthreshold show spantree lpthreshold clear spantree lpthreshold...
Page 286: Set Spantree Lp
{enable | disable} [sid sid] Parameters port‐string enable | disable sid sid Defaults If no SID is specified, SID 0 is assumed. Mode Switch command, read‐write. Usage Loop Protect takes precedence over per port STP enable/disable (portAdmin). Normally portAdmin disabled would cause a port to go immediately to forwarding. If Loop Protect is enabled, that port should go to listening and remain there. Note: The Loop Protect enable/disable settings for an MSTI port should match those for the CIST port. Example This example shows how to enable Loop Protect on ge.2.3: C2(su)->set spantree lp...
Page 287: Clear Spantree Lp
Defaults If no port‐string is specified, status is displayed for all ports. If no SID is specified, SID 0 is assumed. Mode Switch command, read‐only. Example This example shows how to display Loop Protect status on ge.2.3: C2(su)->show spantree lp port LoopProtect is disabled on port clear spantree lp Use this command to return the Loop Protect status per port and optionally, per SID, to its default state of disabled. Syntax clear spantree lp port-string [sid sid] Parameters port‐string sid sid Defaults If no SID is specified, SID 0 is assumed. Mode Switch command, read‐write. Example This example shows how to return the Loop Protect state on ge.2.3 to disabled: C2(rw)->clear spantree lp port show spantree lplock Use this command to display the Loop Protect lock status per port and/or per SID. A port can ...
Page 288: Clear Spantree Lplock
Parameters port‐string sid sid Defaults If no port‐string is specified, status is displayed for all ports. If no SID is specified, SID 0 is assumed. Mode Switch command, read‐only. Example This example shows how to display Loop Protect lock status on ge.1.1: C2(rw)->show spantree lplock port The LoopProtect lock status for port clear spantree lplock Use this command to manually unlock a blocked port and optionally, per SID. The default state is unlocked. Syntax clear spantree lplock port-string [sid sid] Parameters port‐string sid sid Defaults If no SID is specified, SID 0 is assumed. ...
Page 289: Set Spantree Lpcapablepartner
Use this command to specify per port whether the link partner is Loop Protect capable. See “Loop Protect” on page 2. for more information. Syntax set spantree lpcapablepartner port-string {true | false} Parameters port‐string true | false Defaults None. Mode Switch command, read‐write. Usage The default value for Loop Protect capable partner is false. If the port is configured with a Loop Protect capable partner (true), then the full functionality of the Loop Protect feature is used. If the value is false, then there is some ambiguity as to whether an Active Partner timeout is due to a loop protection event or is a normal situation due to the fact that the partner port does not transmit Alternate Agreement BPDUs. Therefore, a conservative approach is taken in that designated ports will not be allowed to forward unless receiving agreements from a port with root role. This type of timeout will not be considered a loop protection event. Loop protection is maintained by keeping the port from forwarding but since this is not considered a loop event it will not be factored into locking the port. Example This example shows how to set the Loop Protect capable partner to true for ge.1.1: C2(rw)->set spantree lpcapablepartner show spantree lpcapablepartner Use this command to the Loop Protect capability of a link partner for one or more ports.
Page 290: Clear Spantree Lpcapablepartner
Defaults If no port‐string is specified, Loop Protect capability for link partners is displayed for all ports. Mode Switch command, read‐only. Example This example shows how to display the Loop Protect partner capability for ge.1.1: C2(rw)->show spantree lpcapablepartner port Link partner of port clear spantree lpcapablepartner Use this command to reset the Loop Protect capability of port link partners to the default state of false. Syntax clear spantree lpcapablepartner port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the Loop Protect partner capability for ge.1.1: C2(rw)->clear spantree lpcapablepartner set spantree lpthreshold Use this command to set the Loop Protect event threshold.
Page 291: Show Spantree Lpthreshold
Defaults None. The default event threshold is 3. Mode Switch command, read‐write. Usage The LoopProtect event threshold is a global integer variable that provides protection in the case of intermittent failures. The default value is 3. If the event counter reaches the threshold within a given period (the event window), then the port, for the given SID, becomes locked (that is, held indefinitely in the blocking state). If the threshold is 0, the ports are never locked. Example This example shows how to set the Loop Protect threshold value to 4: C2(rw)->set spantree lpthreshold 4 show spantree lpthreshold Use this command to display the current value of the Loop Protect event threshold. Syntax show spantree lpthreshold Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the current Loop Protect threshold value: C2(rw)->show spantree lpthreshold The Loop Protect event threshold value is 4 clear spantree lpthreshold Use this command to return the Loop Protect event threshold to its default value of 3.
Page 292: Set Spantree Lpwindow
Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the Loop Protect event threshold to the default of 3: C2(rw)->clear spantree lpthreshold set spantree lpwindow Use this command to set the Loop Protect event window value in seconds. Syntax set spantree lpwindow value Parameters value Defaults None. Mode Switch command, read‐write. Usage The Loop Protect Window is a timer value, in seconds, that defines a period during which Loop Protect events are counted. The default value is 180 seconds. If the timer is set to 0, the event counter is not reset until the Loop Protect event threshold is reached. If the threshold is reached, that constitutes a loop protection event. Example This example shows how to set the Loop Protect event window to 120 seconds: C2(rw)->set spantree lpwindow 120 show spantree lpwindow Use this command to display the current Loop Protect event window value.
Page 293: Clear Spantree Lpwindow
Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the current Loop Protect window value: C2(rw)->show spantree lpwindow The Loop Protect event window is set to 120 seconds clear spantree lpwindow Use this command to reset the Loop Protect event window to the default value of 180 seconds. Syntax clear spantree lpwindow Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the Loop Protect event window to the default of 180 seconds: C2(rw)->clear spantree lpwindow set spantree lptrapenable Use this command to enable or disable Loop Protect event notification.
Page 294: Show Spantree Lptrapenable
Defaults None. Mode Switch command, read‐write. Usage Loop Protect traps are sent when a Loop Protect event occurs, that is, when a port goes to listening due to not receiving BPDUs. The trap indicates port, SID and loop protection status. Example This example shows how to enable sending of Loop Protect traps: C2(rw)->set spantree lptrapenable enable show spantree lptrapenable Use this command to display the current status of Loop Protect event notification. Syntax show spantree lptrapenable Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the current Loop Protect event notification status: C2(rw)->show spantree lptrapenable The Loop Protect event notification status is enable clear spantree lptrapenable Use this command to return the Loop Protect event notification state to its default state of ...
Page 295: Set Spantree Disputedbpduthreshold
Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the Loop Protect event notification state to the default of disabled. C2(rw)->clear spantree lptrapenable set spantree disputedbpduthreshold Use this command to set the disputed BPDU threshold, which is the number of disputed BPDUs that must be received on a given port/SID until a disputed BPDU trap is sent. Syntax set spantree disputedbpduthreshold value Parameters value Defaults None. Mode Switch command, read‐write. Usage A disputed BPDU is one in which the flags field indicates a designated role and learning, and the priority vector is worse than that already held by the port. If a disputed BPDU is received the port is forced to the listening state. Refer to the 802.1Q‐2005 standard, IEEE Standard for Local and Metropolitan Area Networks – Virtual Bridged Local Area Networks, for a full description of the dispute mechanism, which prevents looping in cases of one‐way communication. The disputed BPDU threshold is an integer variable that represents the number of disputed BPDUs that must be received on a given port/SID until a disputed BPDU trap is sent and a syslog message is issued. For example, if the threshold is 10, then a trap is issued when 10, 20, 30, and so on, disputed BPDUs have been received. If the value is 0, traps are not sent. The trap indicates port, SID and total Disputed BPDU count. The default is 0. Specifies the number of disputed BPDUs that must be received on a given port/SID to cause a disputed BPDU trap to be sent. ...
Page 296: Show Spantree Disputedbpduthreshold
C2(rw)->set spantree disputedbpduthreshold 5 show spantree disputedbpduthreshold Use this command to display the current value of the disputed BPDU threshold. Syntax show spantree disputedbpduthreshold Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the current disputed BPDU threshold: C2(rw)->show spantree disputedbpduthreshold The disputed BPDU threshold value is 0 clear spantree disputedbpduthreshold Use this command to return the disputed BPDU threshold to its default value of 0, meaning that disputed BPDU traps should not be sent. Syntax clear spantree disputedbpduthreshold Parameters None.
Page 297: Show Spantree Nonforwardingreason
Use this command to display the reason for placing a port in a non‐forwarding state due to an exceptional condition. Syntax show spantree nonforwardingreason port-string [sid sid] Parameters port‐string sid sid Defaults If no port‐string is specified, non‐forwarding reason is displayed for all ports. If no SID is specified, SID 0 is assumed. Mode Switch command, read‐only. Usage Exceptional conditions causing a port to be placed in listening or blocking state include a Loop Protect event, receipt of disputed BPDUs, and loopback detection. Example This example shows how to display the non‐forwarding reason on ge.1.1: C2(rw)->show spantree nonforwardingreason port The non-forwarding reason for port Specifies port(s) for which to display the non‐forwarding reason. (Optional) Specifies the specific Spanning Tree(s) for which to display the non‐forwarding reason. Valid values are 0 ‐ 4094. If not specified, SID 0 is assumed. on SID 0 is None...
Page 298 show spantree nonforwardingreason 9-54 Spanning Tree Configuration...
Page 299: Vlan Configuration Summary
This chapter describes the SecureStack C2 system’s capabilities to implement 802.1Q virtual LANs (VLANs). For information about... VLAN Configuration Summary Viewing VLANs Creating and Naming Static VLANs Assigning Port VLAN IDs (PVIDs) and Ingress Filtering Configuring the VLAN Egress List Setting the Host VLAN Enabling/Disabling GVRP (GARP VLAN Registration Protocol) VLAN Configuration Summary Virtual LANs allow the network administrator to partition network traffic into logical groups and ...
Page 300: Viewing Vlans
Step Task Create a new VLAN. Set the PVID for the desired switch port to the VLAN created in Step 1. Add the desired switch port to the egress list for the VLAN created in Step 1. Assign host status to the VLAN.
Page 301: Command
[static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port port- string]] Parameters static vlan‐list portinfo vlan vlan‐list | vlan‐name port port‐string Defaults If no options are specified, all information related to static and dynamic VLANs will be displayed. Mode Switch command, read‐only. Example This example shows how to display information for VLAN 1. In this case, VLAN 1 is named “DEFAULT VLAN”. Ports allowed to transmit frames belonging to VLAN 1 are listed as egress ports. Ports that won’t include a VLAN tag in their transmitted frames are listed as untagged ports. There are no forbidden ports (prevented from transmitted frames) on VLAN 1: C2(su)->show vlan 1 VLAN: 1 VLAN Type: Default Egress Ports ge.1.1-10, ge.2.1-4, ge.3.1-7, Forbidden Egress Ports None.
Page 302: Show Vlan Output Details
show vlan Table 10-2 show vlan Output Details Output Field VLAN NAME Status VLAN Type Egress Ports Forbidden Egress Ports Untagged Ports 10-4 802.1Q VLAN Configuration What It Displays... VLAN ID. Name assigned to the VLAN. Whether it is enabled or disabled. Whether it is permanent (static) or dynamic.
Page 303: Creating And Naming Static Vlans
Use this command to create a new static IEEE 802.1Q VLAN, or to enable or disable an existing VLAN. Syntax set vlan {create | enable | disable} vlan-list Parameters create | enable | disable vlan‐list Defaults None. Mode Switch command, read‐write. Usage Once a VLAN is created, you can assign it a name using the set vlan name command described in “set vlan name” on page 10‐6. Each VLAN ID must be unique. If a duplicate VLAN ID is entered, the device assumes that the Administrator intends to modify the existing VLAN. Enter the VLAN ID using a unique number between 1 and 4093. The VLAN IDs of 0 and 4094 and higher may not be used for user‐defined VLANs. Examples This example shows how to create VLAN 3: C2(su)->set vlan create 3 Creates, enables or disables VLAN(s). Specifies one or more VLAN IDs to be created, enabled or disabled.
Page 304: Set Vlan Name
Use this command to set or change the ASCII name for a new or existing VLAN. Syntax set vlan name vlan-list vlan-name Parameters vlan‐list vlan‐name Defaults None. Mode Switch command, read‐write. Example This example shows how to set the name for VLAN 7 to green: C2(su)->set vlan name 7 green clear vlan Use this command to remove a static VLAN from the list of VLANs recognized by the device. Syntax clear vlan vlan-list Parameters vlan‐list Defaults None. Mode Switch command, read‐write.
Page 305: Clear Vlan Name
Use this command to remove the name of a VLAN from the VLAN list. Syntax clear vlan name vlan-list Parameters vlan‐list Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the name for VLAN 9: C2(su)->clear vlan name 9 Specifies the VLAN ID of the VLAN(s) for which the name will be cleared. clear vlan name SecureStack C2 Configuration Guide 10-7...
Page 306: Show Port Vlan
Use this command to display port VLAN identifier (PVID) information. PVID determines the VLAN to which all untagged frames received on one or more ports will be classified. Syntax show port vlan [port-string] Parameters port‐string Defaults If port ‐string is not specified, port VLAN information for all ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display PVIDs assigned to ge.2.1 through 6. In this case, untagged frames received on these ports will be classified to VLAN 1: C2(su)->show port vlan ge.2.1-6 ge.2.1 is set to 1 ge.2.2 is set to 1 ge.2.3 is set to 1 ge.2.4 is set to 1 10-8 802.1Q VLAN Configuration...
Page 307: Set Port Vlan
[modify-egress | no-modify-egress] Parameters port‐string pvid modify‐egress no‐modify‐egress (Optional) Does not prompt for or make egress list changes. Defaults None. Mode Switch command, read‐write. Usage The PVID is used to classify untagged frames as they ingress into a given port. Example This example shows how to add C2(su)->set vlan create 4 C2(su)->set port vlan ge.1.10 4 modify-egress clear port vlan Use this command to reset a port’s 802.1Q port VLAN ID (PVID) to the host VLAN ID 1. Note: The following command will reset the specified port’s egress status to tagged. To set the specified ports back to the default egress status of untagged, you must issue the command as described on page 10-9.
Page 308: Show Port Ingress Filter
Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to reset ports C2(su)->clear port vlan ge.1.3-11 show port ingress filter Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port’s VLAN egress list, then that frame is dropped and not forwarded. Syntax show port ingress-filter [port-string] Parameters port‐string Defaults If port‐string is not specified, ingress filtering status for all ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display the port ingress filter status for ports 10 through 15 in slot 1. In this case, the ports are disabled for ingress filtering: C2(su)->show port ingress-filter ge.1.10-15...
Page 309: Set Port Ingress Filter
Use this command to discard all frames received with a VLAN ID that don’t match the port’s VLAN egress list. Syntax set port ingress-filter port-string {disable | enable} Parameters port‐string disable | enable Defaults None. Mode Switch command, read‐write. Usage When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port’s egress list. If the received VLAN ID does not match a VLAN ID on the port’s egress list, then the frame is dropped. Ingress filtering is implemented according to the IEEE 802.1Q standard. Example This example shows how to enable port ingress filtering on C2(su)->set port ingress-filter ge.1.3 enable show port discard Use this command to display the frame discard mode for one or more ports. Ports can be set to discard frames based on whether or not the frame contains a VLAN tag. They can also be set to discard both tagged and untagged frames, or neither. Syntax...
Page 310: Set Port Discard
Mode Switch command, read‐only. Example This example shows how to display the frame discard mode for been set to discard all tagged frames: C2(su)->show port discard ge.2.7 Port ------------ ge.2.7 set port discard Use this command to set the frame discard mode on one or more ports. Syntax set port discard port-string {tagged | untagged | both | none} Parameters port‐string tagged | untagged | both | none Defaults None. Mode Switch command, read‐write.
Page 311: Configuring The Vlan Egress List
Configuring the VLAN Egress List Purpose To assign or remove ports on the egress list of a particular VLAN. This determines which ports on the switch will be eligible to transmit frames for a particular VLAN. For example, ports 1, 5, 7, 8 could be allowed to transmit frames belonging to VLAN 20 and ports 7,8, 9, 10 could be allowed to transmit frames tagged with VLAN 30 (a port can belong to multiple VLAN Egress lists). Note that the Port Egress list for ports 7 and 8 would contain both VLAN 20 and 30. The port egress type for all ports can be set to tagged, forbidden, or untagged. In general, VLANs have no egress (except for VLAN 1) until they are configured by static administration, or through dynamic mechanisms such as GVRP. Setting a port to forbidden prevents it from participating in the specified VLAN and ensures that any dynamic requests (either through GVRP or dynamic egress) for the port to join the VLAN will be ignored. Setting a port to untagged allows it to transmit frames without a tag header. This setting is usually used to configure a port connected to an end user device. Frames sent between VLAN aware switches are typically tagged. The default VLAN defaults its egress to untagged for all ports. Commands For information about... show port egress set vlan forbidden set vlan egress clear vlan egress show vlan dynamicegress set vlan dynamicegress show port egress Use this command to display the VLAN membership for one or more ports.
Page 312: Set Vlan Forbidden
Mode Switch command, read‐write. Example This example shows you how to show VLAN egress information for all three ports are allowed to transmit VLAN 1 frames as tagged and VLAN 10 frames as untagged. Both are static VLANs: C2(su)->show port egress ge.1.1-3 Port Vlan Number ------------------------------------------------------- ge.1.1 ge.1.1 ge.1.2 ge.1.2 ge.1.3 ge.1.3 set vlan forbidden Use this command to prevent one or more ports from participating in a VLAN. This setting instructs the device to ignore dynamic requests (either through GVRP or dynamic egress) for the port to join the VLAN. Syntax set vlan forbidden vlan-id port-string Parameters vlan‐id port‐string Defaults None.
Page 313: Set Vlan Egress
[untagged | forbidden | tagged] Parameters vlan‐list port‐string untagged | forbidden | tagged Defaults If untagged, forbidden or tagged is not specified, the port will be added to the VLAN egress list as tagged. Mode Switch command, read‐write. Examples This example shows how to add these ports will transmit VLAN 7 frames as tagged C2(su)->set vlan egress 7 ge.1.5-10 untagged This example shows how to forbid ports 13 through 15 in slot 1 from joining VLAN 7 and disallow egress on those ports: C2(su)->set vlan egress 7 ge.1.13-15 forbidden This example shows how to allow port 2 in slot 1 to transmit VLAN 7 frames as untagged C2(su)->set vlan egress 7 ge.1.2 untagged clear vlan egress Use this command to remove ports from a VLAN’s egress list.
Page 314: Show Vlan Dynamicegress
Syntax clear vlan egress vlan-list port-string [forbidden] Parameters vlan‐list port‐string forbidden Defaults If forbidden is not specified, tagged and untagged settings will be cleared. Mode Switch command, read‐write. Examples This example shows how to remove C2(su)->clear vlan egress 9 ge.3.14 This example shows how to remove all Ethernet ports in slot 2 from the egress list of VLAN 4: C2(su)->clear vlan egress 4 ge.2.* show vlan dynamicegress Use this command to display the status of dynamic egress (enabled or disabled) for one or more VLANs. Syntax show vlan dynamicegress [vlan-list] Parameters vlan‐list...
Page 315: Set Vlan Dynamicegress
VLAN 53 is enabled VLAN 54 is enabled VLAN 55 is enabled set vlan dynamicegress Use this command to administratively set the dynamic egress status for one or more VLANs. Syntax set vlan dynamicegress vlan-list {enable | disable} Parameters vlan‐list enable | disable Defaults None. Mode Switch command, read‐write. Usage If dynamic egress is enabled for a particular VLAN, when a port receives a frame tagged with that VLAN’s ID, the switch will add the receiving port to that VLAN’s egress list. Dynamic egress is disabled on the SecureStack C2 by default. For example, assume you have 20 AppleTalk users on your network who are mobile users (that is, use different ports every day), but you want to keep the AppleTalk traffic isolated in its own VLAN. You can create an AppleTalk VLAN with a VLAN ID of 55 with a classification rule that all AppleTalk traffic gets tagged with VLAN ID 55. Then, you enable dynamic egress for VLAN 55. Now, when an AppleTalk user plugs into port ge.3.5 and sends an AppleTalk packet, the switch will tag the packet to VLAN 55 and also add port ge.3.5 to VLAN 55’s egress list, which allows the AppleTalk user to receive AppleTalk traffic. Example This example shows how to enable dynamic egress on VLAN 55:...
Page 316: Setting The Host Vlan
Use this command to display the current host VLAN. Syntax show host vlan Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the host VLAN: C2(su)->show host vlan Host vlan is 7. set host vlan Use this command to assign host status to a VLAN. Syntax set host vlan vlan-id 10-18 802.1Q VLAN Configuration VLAN” on page 10-1 for more information.
Page 317: Clear Host Vlan
Parameters vlan‐id Defaults None. Mode Switch command, read‐write. Usage The host VLAN should be a secure VLAN where only designated users are allowed access. For example, a host VLAN could be specifically created for device management. This would allow a management station connected to the management VLAN to manage all ports on the device and make management secure by preventing management via ports assigned to other VLANs. Note: Before you can designate a VLAN as the host VLAN, you must create a VLAN using the set of commands described in Example This example shows how to set VLAN 7 as the host VLAN: C2(su)->set host vlan 7 clear host vlan Use this command to reset the host VLAN to the default setting of 1.
Page 318: Enabling/Disabling Gvrp (Garp Vlan Registration Protocol)
About GARP VLAN Registration Protocol (GVRP) The following sections describe the device operation when its ports are operating under the Generic Attribute Registration Protocol (GARP) application – GARP VLAN Registration Protocol (GVRP). Overview The purpose of GVRP is to dynamically create VLANs across a switched network. When a VLAN is declared, the information is transmitted out GVRP configured ports on the device in a GARP formatted frame using the GVRP multicast MAC address. A switch that receives this frame, examines the frame, and extracts the VLAN IDs. GVRP then creates the VLANs and adds the receiving port to its tagged member list for the extracted VLAN ID (s). The information is then transmitted out the other GVRP configured ports of the device. Figure how VLAN blue from end station A would be propagated across a switch network. How It Works In Figure 10‐1 on page 10‐21, Switch 4, port 1 is registered as being a member of VLAN Blue and then declares this fact out all its ports (2 and 3) to Switch 1 and Switch 2. These two devices register this in the port egress lists of the ports (Switch 1, port 1 and Switch 2, port 1) that received the frames with the information. Switch 2, which is connected to Switch 3 and Switch 5 declares the same information to those two devices and the port egress list of each port is updated with the new information, accordingly. Configuring a VLAN on an 802.1Q switch creates a static VLAN entry. The entry will always remain registered and will not time out. However, dynamic entries will time‐out and their registrations will be removed from the member list if the end station A is removed. This ensures that, if switches are disconnected or if end stations are removed, the registered information remains accurate. The end result is that the port egress list of a port is updated with information about VLANs that reside on that port, even if the actual station on the VLAN is several hops away. 10-20 802.1Q VLAN Configuration...
Page 319: Purpose
Figure 10-1 Example of VLAN Propagation via GVRP Purpose To dynamically create VLANs across a switched network. The GVRP command set is used to display GVRP configuration information, the current global GVRP state setting, individual port settings (enable or disable) and timer settings. By default, GVRP is enabled globally on the device, but disabled on all ports. Commands For information about... show gvrp show garp timer set gvrp clear gvrp set garp timer Enabling/Disabling GVRP (GARP VLAN Registration Protocol) SecureStack C2 Configuration Guide 10-21 Refer to page...
Page 320: Show Gvrp
Use this command to display GVRP configuration information. Syntax show gvrp [port-string] Parameters port‐string Defaults If port‐string is not specified, GVRP configuration information will be displayed for all ports and the device. Mode Switch command, read‐only. Example This example shows how to display GVRP status for the device and for fw.2.1: C2(su)->show gvrp ge.2.1 Global GVRP status is enabled. Port Number ----------- ge.2.1 show garp timer Use this command to display GARP timer values for one or more ports. Syntax show garp timer [port-string] Parameters port‐string...
Page 321: Set Gvrp
Example This example shows how to display GARP timer information on ports 1 through 10 in slot 1: Note: For a functional description of the terms join, leave, and leaveall timers, refer to the standard IEEE 802.1Q documentation, which is not supplied with this device. C2(su)->show garp timer ge.1.1-10 Port based GARP Configuration: (Timer units are centiseconds) Port Number ----------- ge.1.1...
Page 322: Clear Gvrp
Mode Switch command, read‐write. Examples This example shows how to enable GVRP globally on the device: C2(su)->set gvrp enable This example shows how to disable GVRP globally on the device: C2(su)->set gvrp disable This example shows how to enable GVRP on C2(su)->set gvrp enable ge.1.3 clear gvrp Use this command to clear GVRP status or on one or more ports. Syntax clear gvrp [port-string] Parameters port‐string Defaults If port‐string is not specified, GVRP status will be cleared for all ports. Mode Switch command, read‐write. Example This example shows how to clear GVRP status globally on the device: C2(su)->clear gvrp set garp timer Use this command to adjust the values of the join, leave, and leaveall timers. Syntax...
Page 323 Sets the GARP leaveall timer in centiseconds (Refer to 802.1Q standard.) value port‐string Specifies the port(s) on which to configure GARP timer settings. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Defaults None. Mode Switch command, read‐write. Usage The setting of these timers is critical and should only be changed by personnel familiar with the 802.1Q standards documentation, which is not supplied with this device. Examples This example shows how to set the GARP join timer value to 100 centiseconds for all ports: C2(su)->set garp timer join 100 *.*.* This example shows how to set the leave timer value to 300 centiseconds for all ports: C2(su)->set garp timer leave 300 *.*.* This example shows how to set the leaveall timer value to 20000 centiseconds for all ports: C2(su)->set garp timer leaveall 20000 *.*.* set garp timer...
Page 324 set garp timer 10-26 802.1Q VLAN Configuration...
Page 325: Chapter 11: Policy Classification Configuration
Permit or deny access to specific services by creating and assigning classification rules which map user profiles to protocol‐based frame filtering policies configured for a particular VLAN or Class of Service (CoS). • Assign or unassign ports to policy profiles so that only ports activated for a profile will be allowed to transmit frames accordingly. Note: It is recommended that you use Enterasys Networks NetSight Policy Manager as an alternative to CLI for configuring policy classification on the SecureStack C2 devices. Configuring Policy Profiles Purpose To review, create, change and remove user profiles that relate to business‐driven policies for managing network resources. Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are configured on mixed stacks containing B3 and C3 devices.
Page 326: Commands
Syntax show policy profile {all | profile-index [consecutive-pids] [-verbose]} Parameters all | profile‐index consecutive‐pids ‐verbose Defaults If optional parameters are not specified, summary information will be displayed for the specified index or all indices. Mode Switch command, read‐only. Example This example shows how to display policy information for profile 11: C2(su)->show policy profile 11 Profile Index Profile Name Row Status Port VID Status Port VID Override CoS Status Egress Vlans...
Page 327: Set Policy Profile
Admin Profile Usage Oper Profile Usage Dynamic Profile Usage Table 11‐1 provides an explanation of the command output. Table 11-1 show policy profile Output Details Output Field Profile Index Profile Name Row Status Port VID Status Port VID Override CoS Status Egress VLANs Forbidden VLANs Untagged VLANs Rule Precedence Admin Profile Usage Ports administratively assigned to use this policy profile.
Page 328: Clear Policy Profile
| disable cos cos precedence precedence‐list Defaults If optional parameters are not specified, none will be applied. Mode Switch command, read‐write. Example This example shows how to create a policy profile 1 named “netadmin” with PVID override enabled for PVID 10, and Class‐of‐Service override enabled for CoS 5: C2(su)->set policy profile 1 name netadmin pvid-status enable pvid 10 cos-status enable cos 5 clear policy profile Use this command to delete a policy profile entry. Syntax clear policy profile profile-index Parameters profile‐index...
Page 329 clear policy profile Example This example shows how to delete policy profile 8: C2(su)->clear policy profile 8 SecureStack C2 Configuration Guide 11-5...
Page 330: Configuring Classification Rules
Configuring Classification Rules Configuring Classification Rules Purpose To review, create, assign, and unassign classification rules to policy profiles. This maps user profiles to protocol‐based frame filtering policies. Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are configured on mixed stacks containing B3 and C3 devices.
Page 331 (Optional) Displays rules for a Class‐of‐Service value. admin‐pid Displays rules associated with a specific administrative policy ID [1..1023]. admin‐pid ‐verbose (Optional) Displays detailed information. usage‐list (Optional) If selected, each ruleʹs usage‐list shall be checked and shall display only those ports which have applied this rule. display‐if‐used (Optional) Displays rule(s) only if they are applied to at least one port. Defaults If verbose is not specified, summary information will be displayed. Mode Switch command, read‐only. Example This example shows how to display policy classification information for Ethernet type 2 rules C2(su)->show policy rule ether |PID |Rule Type |Rule Data |Ether |2048 |Ether |2049 |Ether |2989 |Ether |33079 (0x8137) This example shows how to display policy classification information for administrative rule 1 C2(su)->show policy rule admin-pid 1...
Page 332: Show Policy Capability
show policy capability |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port Table 11‐2 provides an explanation of the command output. Table 11-2 show policy rule Output Details Output Field Rule Type Rule Data PortStr VLAN dPID aPID show policy capability Use this command to display detailed policy classification capabilities supported by your SecureStack C2 device. Syntax show policy capability Parameters None.
Page 333 Mode Switch command, read‐only. Usage Use this command to display detailed policy classification capabilities supported by your SecureStack C2 device. The output of this command shows a table listing classifiable traffic attributes and the type of actions, by rule type, that can be executed relative to each attribute. Above the table is a list of all the actions possible on this device. The left‐most column of the table lists all possible classifiable traffic attributes. The next two columns from the left indicate how policy profiles may be assigned, either administratively or dynamically. The next four columns from the left indicate the actions that may be performed. The last three columns indicate auditing options. An x in an action column for a traffic attribute row indicates that your system has the capability to perform that action for traffic classified by that attribute. Example This example shows how to display the device’s policy classification capabilities. Refer to “set policy rule” on page 11‐10 for a description of the parameters displayed: C2(su)->show policy capability The following supports related to policy are supported in this device: VLAN Forwarding Deny Rule-Use Notification ============================================================= | SUPPORTED RULE TYPES...
Page 334: Set Policy Rule
set policy rule |Ether II packet type |LLC DSAP/SSAP/CTRL |VLAN tag |Replace tci |Port string ============================================================= set policy rule Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or Class‐of‐Service classification rules. Syntax This command has two forms of syntax—one to create an admin rule, and the other to create a traffic classification rule and attach it to a policy profile. set policy rule admin-profile {vlantag data [mask mask] admin-pid profile-index} [port-string port-string] set policy rule profile-index {ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport} data [mask mask] {[vlan vlan] [cos cos] | [drop | forward]}...
Page 335 Specifies that the rule should apply to traffic with the specified TCP source port. udpdestport Specifies that the rule should apply to traffic with the specified UDP destination port. udpsourceport Specifies that the rule should apply to traffic with the specified UDP source port. data Specifies the code for the specified traffic classifier (listed above). This value is dependent on the classification type entered. Refer to Table for valid values for each classification type. mask mask (Optional) Specifies the number of significant bits to match, dependent on the data value entered. Refer to Table classification type and data value. vlan vlan Specifies the action of the rule is to classify to a VLAN ID. cos cos Specifies the action of the rule is to classify to a Class‐of‐Service ID. Valid values are 0 ‐ 4095. A value of ‐1 indicates that no CoS forwarding behavior modification is desired. (Not supported on B3, C3, and G3.) drop | forward Specifies that packets within this classification will be dropped or forwarded. Defaults None. Mode Switch command, read‐write. set policy rule 11‐3 11‐3 for valid values for each SecureStack C2 Configuration Guide 11-11...
Page 336: Valid Values For Policy Classification Rules
set policy rule Usage An admin rule can be used to map incoming tagged frames to a policy role (profile). There can be only one admin rule configured per system (stack). Typically, this rule is used to implement the “User + IP phone” feature. Refer to “Configuring Multi‐User Authentication (User + IP phone)” on page 23‐33 for more information. You would configure a policy profile/role for IP phones (for example, assigning the traffic to a “voice” VLAN), then associate that policy profile with the admin rule, and associate the admin rule with the desired ports. Users authenticating over the same port will typically use a dynamically assigned policy role. A policy classification rule has two main parts: Traffic Description and Actions. The Traffic Description identifies the type of traffic to which the rule will pertain. Actions specify whether that traffic will be assigned class of service, assigned to a VLAN, or both. Table 11‐3 provides the set policy rule data values that can be entered for a particular parameter, and the mask bits that can be entered for each classifier associated with that parameter. Table 11-3 Valid Values for Policy Classification Rules Classification Rule Parameter ether icmptype ipproto Destination or Source IP Address: ipdestsocket ipsourcesocket iptos Destination or Source MAC: macdest macsource...
Page 337: Clear Policy Rule
This example shows how to use Table source traffic from IP address 1.2.3.4. If mask 32 is not specified as shown, a default mask of 48 bits (IP address + port) would be applied: C2(su)->set policy rule 1 ipsourcesocket 1.2.3.4 mask 32 drop clear policy rule Use this command to delete policy classification rule entries. Syntax This command has two forms of syntax—one to clear an admin rule (for policy ID 0), and the other to clear a classification rule. clear policy rule admin-profile {vlantag data [mask mask] clear policy rule profile-index {all-pid-entries | {ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport}} Parameters The following parameters apply to deleting an admin rule.
Page 338: Clear Policy All-Rules
Defaults When applicable, data and mask must be specified for individual rules to be cleared. Mode Switch command, read‐write. Examples This example shows how to delete Ethernet II Type 1526 classification rule entries associated with policy profile 1 from all ports C2(su)->clear policy rule 1 ether 1526 This example shows how to remove a rule from policy profile 5 that will forward UDP frames from source port 45: C2(su)->clear policy rule 5 udpportsource 45 forward clear policy all-rules Use this command to remove all policy classification rules. Syntax clear policy all-rules Parameters None. Defaults None. Mode Switch command, read‐write.
Page 339: Assigning Ports To Policy Profiles
Assigning Ports to Policy Profiles Note: The C2 switch supports up to three user policies per port. Purpose To assign and unassign ports to policy profiles. Commands For information about... set policy port clear policy port set policy port Use this command to assign ports to a policy profile. Syntax set policy port port-string profile-index Parameters port‐string...
Page 340: Clear Policy Port
Use this command to remove a policy profile from one or more ports. Syntax clear policy port port-string profile-index Parameters port‐string profile‐index Defaults None. Mode Switch command, read‐write. Example This example shows how to remove policy profile 10 from port 21 in slot 1: C2(rw)->clear policy port ge.1.21 10 11-16 Policy Classification Configuration Specifies the port(s) from which to remove the policy profile. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Specifies the ID of the policy profile (role) to which the port(s) will be added. This value must match the profile‐index value assigned using the set policy profile command (“set policy profile” on page 11‐3) in order for a policy profile to be active on the specified port.
Page 341: Configuring Policy Class Of Service (Cos)
Configuring Policy Class of Service (CoS) Note: It is recommended that you use Enterasys Networks NetSight Policy Manager as an alternative to CLI for configuring policy-based CoS on the switches. The SecureStack C2 supports Class of Service (CoS), which allows you to assign mission‐critical data to a higher priority through the device by delaying less critical traffic during periods of congestion. The higher priority traffic going through the device is serviced first (before lower priority traffic). The Class of Service capability of the device is implemented by a priority queueing mechanism. Class of Service is based on the IEEE 802.1D (802.1p) standard specification, and allows you to define eight priorities (0‐7, with 7 granted highest priority) and up to 8 transmit queues (0‐7) for each port. By default, policy‐based CoS is disabled on the device, and default or user‐assigned port‐based 802.1D (802.1p) settings are used to determine traffic prioritization. When policy‐based CoS is enabled, the default and user‐assigned policy‐based settings will override port‐based settings ...
Page 342 Configuring Policy Class of Service (CoS) C2(su)->show cos port-config Inbound Rate Limiting Port Configuration Entries ---------------------------------------------------------------------- Port Group Name Port Group Port Type Assigned Ports ---------------------------------------------------------------------- Port Group Name Port Group Port Type Assigned Ports ---------------------------------------------------------------------- Port Group Name Port Group Port Type Assigned Ports ----------------------------------------------------------------------...
Page 343: About Cos-Based Flood Control
In the CoS settings table, configure a CoS setting for CoS index 1, which has a priority of 0. We enter the IRL reference, created in the previous step. C2(su)->set cos settings 0 irl-reference 1 C2(su)->show cos settings CoS Index Priority --------- ---------- ------- ----- About CoS-Based Flood Control Note: CoS-based flood control does not require a policy license on SecureStack B2 and B3 switches or on standalone D2 switches. CoS‐based flood control prevents configured ports from being disrupted by a traffic storm by rate‐...
Page 344: Set Cos State
Use this command to enable or disable Class of Service. Syntax set cos state {enable | disable} Parameters enable | disable Defaults None. 11-20 Policy Classification Configuration Enables or disables Class of Service on the switch. Default state is disabled. Refer to page... 11-20 11-21 11-21 11-22 11-23 11-23 11-24 11-25 11-26...
Page 345: Show Cos State
Mode Switch command, read‐write. Example This example shows how to enable Class of Service: C2(rw)->set cos state enable show cos state Use this command to display the Class of Service enable state. Syntax show cos state Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to show the Class of Service enable state: C2(rw)->show cos state Class-of-Service application is enabled clear cos state Use this command to set CoS state back to its default setting of disabled. Syntax clear cos state Parameters None.
Page 346: Set Cos Settings
C2(su)->clear cos state set cos settings Use this command to configure a Class of Service entry in the CoS settings table. Syntax set cos settings cos-index priority priority [tos-value tos-value] [irl-reference irl-reference] Parameters cos‐index priority priority tos‐value tos‐value irl‐reference irl‐reference Defaults If no optional parameters are specified, none will be applied. Mode Switch command, read‐write. Usage The CoS settings table takes individual class of service features and displays them as belonging to a CoS entry. Essentially, it is used for CoS feature assignment. Each class of service entry consists of an index, 802.1p priority, an optional ToS value, and an IRL reference. • CoS Index Indexes are unique identifiers for each CoS setting. CoS indexes 0 through 7 are created by default and mapped directly to 802.1p priority for backwards compatibility. These entries cannot be removed, and 802.1p priority values cannot be changed. When CoS is enabled, indexes are assigned. Up to 256 CoS indexes or entries can be configured. • Priority 802.1p priority can be applied per CoS index. For each new CoS index created, the user has the option to assign an 802.1p priority value 0 to 7 for the class of service. CoS indexes 0 through 7 ...
Page 347: Clear Cos Settings
Use this command to clear Class of Service entry settings. Syntax clear cos settings cos-list {[all] | [priority] [tos-value] [irl-reference]} Parameters cos‐list priority tos‐value irl‐reference Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the priority for CoS entry 8: C2(rw)->clear cos settings 8 priority show cos settings Use this command to display Class of Service parameters. Syntax show cos settings [cos-list] Parameters cos‐list Specifies a Class of Service entry to clear. Clears all settings associated with this entry.
Page 348: Set Cos Port-Config
Defaults If not specified, all CoS entries will be displayed. Mode Switch command, read‐only. Example This example shows how to show all CoS settings: C2(su)->show cos settings CoS Index Priority --------- ---------- ------- ------- set cos port-config Use this command to create a port group for inbound rate limiting or flood control and add or remove ports from the group. Syntax set cos port-config {irl|flood-ctrl} group-type-index [name name] [ports port- list] [append] | [clear] Parameters flood‐ctrl group‐type‐index...
Page 349: Show Cos Port-Config
Mode Switch command, read‐write. Usage CoS port groups are identified by group number and the type of ports in the group, in the form of group#.port‐type. The port group 0.0 exists by default. This default port group cannot be removed and all physical ports in the system are assigned to it. Up to seven additional port groups (1 through 7) can be configured. Currently, only one port type (type 0) is supported. This port type supports 100 limiters. Additional port groups may be created for flexibility. Ports assigned to a new port group must be mutually exclusive from the other port group entries—ports are automatically removed from the default port group—and must be comprised of the same port type as defined by the port group. The creation of additional port groups could be used to combine similar ports by their function for flexibility. For instance, ports associated to users can be added to a port group called “Users” and ports associated to uplink ports can be added to a port group called “Uplink.” Using these port groups, a single class of service can assign different rate limits to each port group. “User” ports can be assigned one rate limit, while “Uplink” ports can be assigned another. The command show cos port‐config displays each port group configured by group and type, with the group name and associated (assigned) ports. The command show cos port‐type displays the available inbound rate limiting resources for the port type. Example This example configures two port groups, one for user ports and one for uplink ports and assign ports to the groups. Port group 1.0 will represent user ports, group 2.0 will represent uplink ports. C2(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46 C2(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48 show cos port-config Use this command to show CoS port groups and the assigned ports.
Page 350: Clear Cos Port-Config
Mode Switch command, read‐only. Example This example shows all inbound rate limiting port groups. Note that ports ge.1.1 through ge.1.48 were removed from the default port group 0.0 when they were added to port groups 1.0 and 2.0. C2(su)->show cos port-config irl Inbound Rate Limiting Port Configuration Entries ---------------------------------------------------------------------- Port Group Name Port Group Port Type Assigned Ports ---------------------------------------------------------------------- Port Group Name Port Group Port Type Assigned Ports ---------------------------------------------------------------------- Port Group Name...
Page 351: Set Cos Port-Resource Irl
Defaults None. Mode Switch command, read‐write. Usage The default port group 0.0 cannot be deleted. Example This example deletes all IRL Port Groups except for the Default group 0.0: C2(su)->clear cos port-config irl all set cos port-resource irl Use this command to set the inbound rate limit parameters for a specific IRL resource for a specific port group. Syntax set cos port-resource irl group-type-index irl-index {[unit {kbps}] [rate rate] [type {drop}]}[syslog enable | disable] [trap enable|disable] Parameters group‐type‐index irl‐index...
Page 352: Set Cos Port-Resource Flood-Ctrl
Syntax set cos port-resource flood-ctrl group-type-index {unicast | multicast | broadcast | all} rate rate Parameters group‐type‐index unicast multicast broadcast rate rate Defaults None. Mode Switch command, read‐write. 11-28 Policy Classification Configuration Specifies a port group/type index. Valid entries are in the form of group#.port‐type. Valid values for group# can range from 0 to 7. Valid values for port‐type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0. Specifies rate limiting will be applied to unknown unicast traffic. Specifies rate limiting will be applied to multicast traffic. Specifies rate limiting will be applied to broadcast traffic. Specifies rate limiting will be applied to unknown unicast, multicast, and broadcast traffic. Specifies a rate limit in packets per second.
Page 353: Show Cos Port-Resource
Parameters flood‐ctrl group‐type‐index irl‐index Defaults If irl or flood‐ctrl are not specified, all port resources are shown. If a port group and IRL index are not specified, the IRL configuration for all resources (0‐99) for all configured port groups will be shown. If a port group is not specified with the flood‐ctrl parameter, flood control resources for all configured port groups will be shown. Mode Switch command, read‐only. Examples This example displays the IRL resource index number 1 configuration for group 2.0. C2(su)->show cos port-resource irl 2.0 1 '?' after the rate value indicates an invalid rate value Group Index Resource Type Unit (Optional) Specifies that inbound rate limiting port resources should be displayed. (Optional) Specifies that flood control port resources should be displayed. (Optional) Specifies a port group/type index. Valid entries are in the form of group#.port‐type. ...
Page 354: Clear Cos Port-Resource Irl
{all | group-type-index [irl-index [unit] [rate] [type]]} Parameters group‐type‐index irl‐index unit rate type Defaults None. Mode Switch command, read‐write. Example This example clears the data rate to 0 for IRL resource index 1 for group 2.0. C2(su)->clear cos port-resource irl 2.0 1 rate 11-30 Policy Classification Configuration --------------- ------ kbps 10000 drop Type Unit ----------...
Page 355: Clear Cos Port-Resource Flood-Ctrl
{all | group-type-index {unicast | multicast | broadcast | all [rate]}} Parameters group‐type‐index unicast multicast broadcast rate Defaults None. Mode Switch command, read‐write. Example This example clears the unicast port resource for port group 1.0 to default values. C2(su)->clear cos port-resource flood-ctrl 1.0 unicast set cos reference Use this command to set the Class of Service inbound rate limiting reference configuration. Syntax set cos reference irl group-type-index reference rate-limit irl-index Clear all flood control resources for all port groups. Specifies a port group/type index. Valid entries are in the form of group#.port‐type. ...
Page 356: Show Cos Reference
Parameters group‐type‐index reference rate‐limit irl‐index Defaults None. Mode Switch command, read‐write. Usage The CoS reference table maps the user‐defined IRL references found in the CoS settings table (see “set cos settings” on page port‐resource irl” on page 11‐27). The CoS reference table indexes can be thought of as virtual rate limiters. The table accounts for the maximum number of rate limiters supported by the device. The virtual limiters then map to the physical rate limiters. The CoS IRL Reference Table is not configured by default. The CoS IRL reference table uses 100 indexes or virtual rate limiters, and maps each virtual limiter to a physical limiter or resource. An IRL reference table exists for each port group configured, and is indexed similarly to port resources, as port group#, port‐type, reference. IRL references are not populated with limiters (resources), but can be configured by the user. The IRL reference table can be displayed using the show cos reference command. Example In the CoS IRL reference mapping table for port groups 1.0 and 2.0, create a reference for the IRL resource number 1 created for each group. The reference number 1 is used. C2(su)->set cos reference irl 1.0 1 rate-limit 1 C2(su)->set cos reference irl 2.0 1 rate-limit 1 show cos reference Use this command to show the Class of Service inbound rate limiting reference configuration.
Page 357: Clear Cos Reference
Parameters group‐type‐index Defaults If irl is not specified, all CoS reference information is displayed. If a specific port group is not specified, information for all port groups is displayed. Mode Switch command, read‐only. Example This example shows the Class of Service IRL references for port group 1.0. Note that not all of the 100 possible references are displayed in this output example. C2(su)->show cos reference irl 1.0 Group Index Reference Type Rate Limiter ----------- --------- ---- ------------ clear cos reference Use this command to clear the Class of Service inbound rate limiting reference configuration. Syntax clear cos reference irl {all | group-type-index reference} Parameters all ...
Page 358: Show Cos Unit
Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the CoS inbound rate limiting reference configuration for all groups: C2(su)->clear cos reference irl all show cos unit Use this command to show possible CoS unit entries. Syntax show cos unit [irl [port-type index] [kbps]] [flood-ctrl [port-type index] [pps]] Parameters port‐type index kbps flood‐ctrl Defaults If no parameters are entered, all Cos unit information is displayed. Mode Switch command, read‐only.
Page 359: Clear Cos All-Entries
= flood control type Port Type ----------- clear cos all-entries Use this command to clear all Class of Service entries except entries 0‐7. Syntax clear cos all-entries Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the CoS configuration for all entries except entries 0‐7: C2(su)->clear cos all-entries show cos port-type Use this command to display Class of Service port type configurations. Syntax show cos port-type [irl [port-type]] [flood-ctrl [port-type]] Parameters flood‐ctrl port‐type Unit...
Page 360 Defaults If no parameters are specified, inbound rate limiting and flood controlinformation for all port types is displayed. Mode Switch command, read‐only. Usage The C2 implementation provides one default port type (0) for designating available inbound rate limiting or flood control resources. Port type 0 includes all ports. The port type 0 IRL description is “C2 100 IRL,” which indicates that this port type provides a maximum of 100 inbound rate limiting resources per port group. The port type 0 flood control description is “C2 3 flood‐ctrl” which indicates that this port type provides a maximum of 3 flood control resources per port group. Examples This example shows inbound rate limiting information for port type 0. C2(su)->show cos port-type irl 0 Number of resources: irl = inbound rate limiter(s) Port type Index description ----- ------------ C2 100 IRL This example shows flood control information for port type 0.
Page 361: Chapter 12: Port Priority And Rate Limiting Configuration
Port Priority and Rate Limiting Configuration This chapter describes the Port Priority and Rate Limiting set of commands and how to use them. For information about... Port Priority Configuration Summary Configuring Port Priority Configuring Priority to Transmit Queue Mapping Configuring Quality of Service (QoS) Configuring Port Traffic Rate Limiting Port Priority Configuration Summary The SecureStack C2 device supports Class of Service (CoS), which allows you to assign mission‐ critical data to higher priority through the device by delaying less critical traffic during periods of congestion. The higher priority traffic through the device is serviced first before lower priority traffic. The Class of Service capability of the device is implemented by a priority queueing ...
Page 362: Show Port Priority
[port-string] Parameters port‐string Defaults If port-string is not specified, priority for all ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display the port priority for the ge.2.1 through 5. C2(su)->show port priority 2.1 is set to 0 2.2 is set to 0 2.3 is set to 0 2.4 is set to 0...
Page 363: Clear Port Priority
Syntax set port priority port-string priority Parameters port‐string priority Defaults None. Mode Switch command, read‐write. Usage The set port priority command will not change the 802.1p priority tag on tagged traffic with a default priority tag. The command only has an effect on how untagged traffic will be prioritized as it passes internally through the device. Example This example shows how to set a default priority of 6 on ge.1.3. Frames received by this port without priority information in their frame header are set to the default setting of 6: C2(su)->set port priority clear port priority Use this command to reset the current CoS port priority setting to 0. This will cause all frames received without a priority value in its header to be set to priority 0. Syntax clear port priority port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Specifies the port for which to set priority. For a detailed description of ...
Page 364: Configuring Priority To Transmit Queue Mapping
Use this command to display the port priority levels (0 through 7, with 0 as the lowest level) associated with the current transmit queues (0 being the lowest priority) for each selected port. A frame with a certain port priority is transmitted according to the settings entered using the set port priority‐queue command described in “set port priority‐queue” on page 12‐5. Syntax show port priority-queue [port-string] Parameters port‐string Defaults If port‐string is not specified, priority queue information for all ports will be displayed. Mode Switch command, read‐only. 12-4 Port Priority and Rate Limiting Configuration 1.11 (Optional) Displays the mapping of priorities to transmit queues for one or more ports. Refer to page... 12-4 12-5 12-6...
Page 365: Set Port Priority-Queue
Use this command to map 802.1D (802.1p) priorities to transmit queues. This enables you to change the transmit queue (0 to 7, with 0 being the lowest priority queue) for each port priority of the selected port. You can apply the new settings to one or more ports. Syntax set port priority-queue port-string priority queue Parameters port‐string priority queue Defaults None. Mode Switch command, read‐write. Usage Priority to transmit queue mapping on an individual port basis can only be configured on Gigabit Ethernet ports ( priority‐queue command to configure a Fast Ethernet port ( applied globally to all Fast Ethernet ports on the system. Example This example shows how to set priority 5 frames received on C2(su)->set port priority-queue ge.2.12 5 0 Specifies the port(s) for which to set priority‐to‐queue mappings. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Specifies a value of 0 through 7 (0 is the lowest level) that determines what priority frames will be transmitted on the transmit queue entered in ...
Page 366: Clear Port Priority-Queue
Use this command to reset port priority queue settings back to defaults for one or more ports. Syntax clear port priority-queue port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the priority queue settings on ge.2.12: C2(su)->clear port priority-queue Configuring Quality of Service (QoS) Purpose Eight transmit queues are implemented in the switch hardware for each port. The commands in this section allow you to set the priority mode and weight for each of the available queues (0 through 7) for each physical port on the switch. Priority mode and weight cannot be configured on LAGs, only on the physical ports that make up the LAG. Commands For information about... show port txq...
Page 367: Set Port Txq
Parameters port‐string Defaults If the port‐string is not specified, the QoS setting of all physical ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display the current algorithm and transmit queue weights configured on port ge.1.10: C2(su)->show port txq Port ----- --- --- --- --- --- --- --- --- --- 1.10 WRR 10 set port txq Use this command to set QoS transmit queue arbitration values for physical ports. Syntax set port txq port-string value0 value1 value2 value3 value4 value5 value6 value7 Parameters port‐string...
Page 368: Clear Port Txq
Parameters port‐string Defaults By default, transmit queues are defined as follows: Queue Mode Switch command, read‐write. 12-8 Port Priority and Rate Limiting Configuration 1.1 10 10 10 10 10 10 10 30 1.1 0 0 0 0 0 O O 100 Clears transmit queue values on specific port(s) back to their default values. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2.
Page 369 clear port txq Example This example shows how to clear transmit queue values on ge.1.1: C2(su)->clear port txq SecureStack C2 Configuration Guide 12-9...
Page 370: Configuring Port Traffic Rate Limiting
Use this command to show the traffic rate limiting configuration on one or more ports. Syntax show port ratelimit [port-string] Parameters port‐string Defaults If port‐string is not specified, rate limiting information will be displayed for all ports. Mode Switch command, read‐only. 12-10 Port Priority and Rate Limiting Configuration (Optional) Displays rate limiting information for specific port(s). For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. Refer to page... 12-10 12-12 12-13...
Page 371: Show Port Ratelimit Output Details
Example This example shows how to display the current rate limiting information for fe.2.1: C2(su)->show port ratelimit fe.2.1 Global Ratelimiting status is disabled. Port Threshold Number Index (kB/s) ----------- ----- --------- fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 Table 12‐1 shows a detailed explanation of the command output. Table 12-1 show port ratelimit Output Details Output Port Number Index Threshold (kB/s) Action Direction...
Page 372: Set Port Ratelimit
Defaults Threshold will be applied to inbound traffic on the port/priority. If index is not specified, settings will be applied to index 1, and will overwrite index 1 for any subsequent rate limits configured. Mode Switch command, read-write. Example This example shows how to: • globally enable rate limiting • configure rate limiting for inbound traffic on port fe.2.1, index 1, priority 5, to a threshold of 125 KBps: C2(rw)->set port ratelimit enable C2(rw)->set port ratelimit fe.2.1 5 125 enable inbound 12-12 Port Priority and Rate Limiting Configuration When entered without a port‐string, globally disables or enables the port ...
Page 373: Clear Port Ratelimit
Use this command to clear rate limiting parameters for one or more ports. Syntax clear port ratelimit port-string [index] Parameters port‐string index Defaults If not specified, all index entries will be reset. Mode Switch command, read‐write. Example This example shows how to clear all rate limiting parameters on port fe.2.1. C2(su)->clear port ratelimit fe.2.1 Specifies the port(s) on which to clear rate limiting. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. (Optional) Specifies the associated resource index to be reset. clear port ratelimit SecureStack C2 Configuration Guide 12-13...
Page 374 clear port ratelimit 12-14 Port Priority and Rate Limiting Configuration...
Page 375: Chapter 13: Igmp Configuration
This chapter describes the IGMP Configuration set of commands and how to use them. For information about... IGMP Overview Configuring IGMP at Layer 2 Configuring IGMP on Routing Interfaces IGMP Overview About IP Multicast Group Management The Internet Group Management Protocol (IGMP) runs between hosts and their immediately neighboring multicast device. The protocol’s mechanisms allow a host to inform its local device that it wants to receive transmissions addressed to a specific multicast group. A multicast‐enabled device can periodically ask its hosts if they want to receive multicast traffic. If there is more than one device on the LAN performing IP multicasting, one of these devices is elected “querier” and assumes the responsibility of querying the LAN for group members. Based on the group membership information learned from IGMP, a device can determine which (if any) multicast traffic needs to be forwarded to each of its ports. At Layer‐3, multicast devices use this information, along with a multicast routing protocol, to support IP multicasting across an IP network. IGMP provides the final step in an IP multicast packet delivery service, since it is only concerned with forwarding multicast traffic from the local device to group members on a directly attached subnetwork or LAN segment. This device supports IP multicast group management by passively snooping on the IGMP query and IGMP report packets transferred between IP multicast devices and IP multicast host groups to learn IP multicast group members. The purpose of IP multicast group management is to optimize a switched network’s performance so multicast packets will only be forwarded to those ports containing multicast group hosts or ...
Page 376: About Multicasting
Configuring IGMP at Layer 2 About Multicasting Multicasting is used to support real‐time applications such as video conferences or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router. Although this approach reduces the network overhead required by a multicast server, the broadcast traffic must be carefully pruned at every multicast switch/router it passes through to ensure that traffic is only passed to the hosts that subscribed to this service. The SecureStack C2 switch device uses IGMP (Internet Group Management Protocol) to query for any attached hosts who want to receive a specific multicast service. The device looks up the IP Multicast Group used for this service and adds it to the egress list of the Level 3 interface. It then propagates the service request on to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. Configuring IGMP at Layer 2 Purpose To configure IGMP snooping from the switch CLI. Commands For information about... show igmpsnooping set igmpsnooping adminmode set igmpsnooping interfacemode set igmpsnooping groupmembershipinterval...
Page 377: Set Igmpsnooping Adminmode
Parameters None. Defaults None. Mode Switch command, read‐only. Usage Configured information is displayed whether or not IGMP snooping is enabled. Status information is displayed only when the function is enabled. For information on enabling IGMP on the system, refer to “set igmpsnooping adminmode” on page 13‐3. For information on enabling IGMP on one or more ports, refer to “set igmpsnooping interfacemode” on page 13‐4. Example This example shows how to display IGMP snooping information: C2(su)->show igmpsnooping Admin Mode... Enable Group Membership Interval... 260 Max Response Time... 100 Multicast Router Present Expiration Time... 0 Interfaces Enabled for IGMP Snooping... ge.1.1,ge.1.2,ge.1.3 Multicast Control Frame Count...
Page 378: Set Igmpsnooping Interfacemode
C2(su)->set igmpsnooping adminmode enable set igmpsnooping interfacemode Use this command to enable or disable IGMP on one or all ports. Syntax set igmpsnooping interfacemode port-string {enable | disable} Parameters port‐string enable | disable Defaults None. Mode Switch command, read‐write. Usage In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device using the set igmpsnooping adminmode command as described in “set igmpsnooping adminmode” on page 13‐3, and then enabled on a port(s) using this command. Example This example shows how to enable IGMP on port ge.1.10: C2(su)->set igmpsnooping interfacemode ge.1.10 enable set igmpsnooping groupmembershipinterval Use this command to configure the IGMP group membership interval time for the system. Syntax...
Page 379: Set Igmpsnooping Maxresponse
Parameters time Defaults None. Mode Switch command, read‐write. Usage The IGMP group membership interval time sets the frequency of host‐query frame transmissions and must be greater than the IGMP maximum response time as described in “set igmpsnooping maxresponse” on page 13‐5. Example This example shows how to set the IGMP group membership interval to 250 seconds: C2(su)->set igmpsnooping groupmembershipinterval 250 set igmpsnooping maxresponse Use this command to configure the IGMP query maximum response time for the system. Syntax set igmpsnooping maxresponse time Parameters time Defaults None. Mode Switch command, read‐write. Usage This value must be less than the IGMP maximum response time described in “set igmpsnooping groupmembershipinterval” on page 13‐4. Specifies the IGMP group membership interval. Valid values are 2 ‐ 3600 seconds. This value works together with the set igmpsnooping maxresponsetime command to remove ports from an IGMP group and must be greater than ...
Page 380: Set Igmpsnooping Mcrtrexpiretime
C2(su)->set igmpsnooping maxresponse 100 set igmpsnooping mcrtrexpiretime Use this command to configure the IGMP multicast router expiration time for the system. Syntax set igmpsnooping mcrtrexpire time Parameters time Defaults None. Mode Switch command, read‐write. Usage This timer is for expiring the switch from the multicast database. If the timer expires, and the only address left is the multicast switch, then the entry will be removed. Example This example shows how to set the IGMP multicast router expiration time to infinity: C2(su)->set igmpsnooping mcrtrexpiretime 0 set igmpsnooping add-static This command creates a new static IGMP entry or adds one or more new ports to an existing entry. Syntax set igmpsnooping add-static group vlan-list [modify] [port-string]...
Page 381: Set Igmpsnooping Remove-Static
If modify is not specified, a new entry is created. Mode Switch command, read‐write. Usage Use this command to create and configure Layer 2 IGMP entries. Example This example creates an IGMP entry for the multicast group with IP address of 233.11.22.33 configured on VLAN 20 configured with the port ge.1.1. C2(su)->set igmpsnooping add-static 233.11.22.33 20 ge.1.1 set igmpsnooping remove-static This command deletes a static IGMP entry or removes one or more new ports from an existing entry. Syntax set igmpsnooping remove-static group vlan-list [modify] [port-string] Parameters group vlan‐list modify port‐string Defaults If no ports are specified, all ports are removed from the entry. Mode Switch command, read‐write. Example This example removes port ge.1.1 from the entry for the multicast group with IP address of 233.11.22.33 configured on VLAN 20. C2(su)->set igmpsnooping remove-static 233.11.22.33 20 ge.1.1 show igmpsnooping static This command displays static IGMP ports for one or more VLANs or IGMP groups.
Page 382: Show Igmpsnooping Mfdb
Parameters vlan‐list group group Defaults If no group is specified, information for all groups is displayed. Mode Switch command, read‐only. Example This example displays the static IGMP ports for VLAN 20. C2(su)->show igmpsnooping static 20 -------------------------------------------------------------------------------- Vlan Id = 20 IGMP Port List = ge.1.1 show igmpsnooping mfdb Use this command to display multicast forwarding database (MFDB) information. Syntax show igmpsnooping mfdb [stats] Parameters stats Defaults If stats is not specified, all MFDB table entries will be displayed. Mode Switch command, read‐only.
Page 383: Clear Igmpsnooping
Use this command to clear all IGMP snooping entries. Syntax clear igmpsnooping Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to clear all IGMP snooping entries: C2(su)->clear igmpsnooping Are you sure you want to clear all IGMP snooping entries? (y/n) y IGMP Snooping Entries Cleared. clear igmpsnooping SecureStack C2 Configuration Guide 13-9...
Page 384: Configuring Igmp On Routing Interfaces
Use this command to enable the L3 IGMP Querier functionality on the switch. The no form of this command disables IGMP Querier functionality. Syntax ip igmp no ip igmp Parameters None. Defaults None. Mode Global configuration: C2(su)‐>router(Config)#...
Page 385: Ip Igmp Enable
Usage Enabling IGMP on a routing interface requires both the ip igmp command (page 13‐10), which enables it on the router, and the ip igmp enable command (page 13‐11), which enables it on an interface. Once these commands are executed, the device will start sending and processing IGMP multicast traffic. IGMP is disabled by default, both globally and on a per interface basis. Example This example shows how to enable IGMP on the router: C2(su)->router(Config)#ip igmp ip igmp enable Use this command to enable IGMP on an interface. The no form of this command disables IGMP on an interface. Syntax ip igmp enable no ip igmp enable Parameters None. Defaults None. Usage Enabling IGMP on a routing interface requires both the ip igmp command (page 13‐10), which enables it on the router, and the ip igmp enable command (page 13‐11), which enables it on an interface. Once these commands are executed, the device will start sending and processing IGMP multicast traffic. IGMP is disabled by default, both globally and on a per interface basis. Mode Interface configuration: C2(su)‐>router(Config‐if(Vlan 1))# Example This example shows how to enable IGMP on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp enable ip igmp version Use this command to set the version of IGMP running on the router. The no form of this command ...
Page 386: Show Ip Igmp Interface
This example shows how to display IGMP routing information for VLAN 1: C2(su)->router#show ip igmp interface vlan 1 Vlan 1 is Admin UP Vlan 1 is Oper UP IGMP is configured via the Switch IGMP ACL currently not supported Multicast TTL currently defaults to 1 IGMP Version is 2 Query Interval is 125 (secs)
Page 387: Show Ip Igmp Groups
show ip igmp groups Use this command to display a list of IGMP streams and client connection ports. Syntax show ip igmp groups Parameters None. Defaults None. Mode Any router mode. Example This example shows how to display information about IGMP groups: C2(su)->router#show ip igmp groups REGISTERED MULTICAST GROUP DETAILS Multicast IP Address --------------- --------------- ------- ------------ ------------ 228.1.1.1 ip igmp query-interval Use this command to set the IGMP query interval on a routing interface. The no form of this command resets the IGMP query interval to the default value of 125 seconds. Syntax ip igmp query-interval time no ip igmp query-interval...
Page 388: Ip Igmp Query-Max-Response-Time
ip igmp query-max-response-time ip igmp query-max-response-time Use this command to set the maximum response time interval advertised in IGMPv2 queries. no form of this command resets the IGMP maximum response time to the default value of 100 (one tenth of a second). Syntax ip igmp query-max-response-time time no ip igmp query-max-response-time Parameters time Defaults None.
Page 389: Ip Igmp Startup-Query-Count
Example This example shows how to set the IGMP startup query interval to 100 seconds on VLAN 1: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp startup-query-interval 100 ip igmp startup-query-count Use this command to set the number of IGMP queries sent out on startup, separated by the startup‐query‐interval as described in ip igmp startup‐query‐interval (page 13‐14). The no form of this command resets the IGMP startup query count to the default value of 2. Syntax ip igmp startup-query-count count no ip igmp startup-query-count Parameters count Defaults None. Mode Interface configuration: C2 Example This example shows how to set the IGMP startup query count to 10 onVLAN 1: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp startup-query-count 10 ip igmp last-member-query-interval Use this command to set the maximum response time being inserted into group‐specific queries ...
Page 390: Ip Igmp Last-Member-Query-Count
ip igmp last-member-query-count Mode Interface configuration: C2(su)‐>router(Config‐if(Vlan 1))# Example This example shows how to set the IGMP last member query interval to 10 seconds on VLAN 1: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-interval 10 ip igmp last-member-query-count Use this command to set the number of group‐specific queries sent before assuming there are no local members. The no form of this command resets the IGMP last member query count to the default value of 2. Syntax ip igmp last-member-query-count count no ip igmp last-member-query-count Parameters count Defaults None. Mode Interface configuration: C2(su)‐>router(Config‐if(Vlan 1))# Example This example shows how to set the IGMP last member query count to 10 on VLAN 1: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-count 10 ip igmp robustness Use this command to configure the robustness tuning for expected packet loss on an IGMP ...
Page 391 Defaults None. Mode Interface configuration: C2 (su)‐>router(Config‐if(Vlan 1))# Usage This value determines how many times IGMP messages will be sent. A higher number will mean that end stations will be more likely to see the packet. After the robustness value is reached, IGMP will assume there is no response to queries. Example This example shows how to set the IGMP robustness value to 5 on VLAN 1: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp robustness 5 ip igmp robustness SecureStack C2 Configuration Guide 13-17...
Page 392 ip igmp robustness 13-18 IGMP Configuration...
Page 393: Configuring System Logging
Note: The commands in this chapter pertain to network management of the SecureStack C2 device from the switch CLI only. For information on router-related network management tasks, including reviewing router ARP tables and IP traffic, refer to For information about...
Page 394: Show Logging Server
Use this command to display the Syslog configuration for a particular server. Syntax show logging server [index] Parameters index Defaults If index is not specified, all Syslog server information will be displayed. Mode Switch command, read‐only. Example This example shows how to display Syslog server configuration information: C2(ro)->show logging server IP Address ------------------------------------------------------------------------- 1 132.140.82.111 local4 warning(5) 2 132.140.90.84 Table 14‐1 provides an explanation of the command output. Table 14-1 show logging server Output Details...
Page 395: Set Logging Server
[descr descr] [port port] [state {enable | disable}] Parameters index ip‐addr ip‐addr facility facility severity severity descr descr port port state enable | disable Defaults If ip‐addr is not specified, an entry in the Syslog server table will be created with the specified index number and a message will display indicating that no IP address has been assigned. If not specified, facility, severity and port will be set to defaults configured with the set logging default command (“set logging default” on page 14‐5). If state is not specified, the server will not be enabled or disabled. Mode Switch command, read‐write. Specifies the server table index number for this server. Valid values are 1 ‐ (Optional) Specifies the Syslog message server’s IP address. (Optional) Specifies the server’s facility name. Valid values are: local0 to local7. (Optional) Specifies the severity level at which the server will log messages. Valid values and corresponding levels are: 1 — emergencies (system is unusable) 2 — alerts (immediate action required) 3 — critical conditions 4 — error conditions 5 — warning conditions 6 — notifications (significant conditions) 7 — informational messages 8 — debugging messages (Optional) Specifies a textual string description of this facility/server. (Optional) Specifies the default UDP port the client uses to send to the ...
Page 396: Clear Logging Server
C2(su)->set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable clear logging server Use this command to remove a server from the Syslog server table. Syntax clear logging server index Parameters index Defaults None. Mode Switch command, read‐write. Example This command shows how to remove the Syslog server with index 1 from the server table: C2(su)->clear logging server 1 show logging default Use this command to display the Syslog server default values. Syntax show logging default Parameters None. Defaults None.
Page 397: Set Logging Default
Use this command to set logging default values. Syntax set logging default {[facility facility] [severity severity] port port]} Parameters facility facility severity severity port port Defaults None. Mode Switch command, read‐write. Example This example shows how to set the Syslog default facility name to local2 and the severity level to 4 (error logging): C2(su)->set logging default facility local2 severity 4 14‐1 on page 14‐2. Facility Severity local4 warning(5) Specifies the default facility name. Valid values are: local0 to local7. Specifies the default logging severity level. Valid values and ...
Page 398: Clear Logging Default
Use this command to reset logging default values. Syntax clear logging default {[facility] [severity] [port]} Parameters facility severity port Defaults At least one optional parameter must be entered. All three optional keywords must be entered to reset all logging values to defaults. Mode Switch command, read‐write. Example This example shows how to reset the Syslog default severity level to 6: C2(su)->clear logging default severity show logging application Use this command to display the severity level of Syslog messages for one or all applications configured for logging on your system. Syntax show logging application [mnemonic | all] Parameters mnemonic Defaults If no parameter is specified, information for all applications will be displayed.
Page 399: Set Logging Application
Mode Switch command, read‐only. Example This example shows how to display system logging information pertaining to the SNMP application. C2(ro)->show logging application SNMP Application --------------------------------------------- SNMP 1(emergencies) 4(errors) 7(information) Table 14‐2 provides an explanation of the command output. Table 14-2 show logging application Output Details Output Field Application Current Severity Level set logging application Use this command to set the severity level of log messages for one or all applications. Syntax set logging application {[mnemonic | all]} [level level]...
Page 400: Clear Logging Application
Mnemonic Values for Logging Applications Mnemonic CLIWEB SNMP Driver System Stacking Router Defaults If level is not specified, none will be applied. Mode Switch command, read‐write. Example This example shows how to set the severity level for SNMP to 4 so that error conditions will be logged for that application. C2(rw)->set logging application SNMP level 4 clear logging application Use this command to reset the logging severity level for one or all applications to the default value of 6 (notifications of significant conditions). Syntax clear logging application {mnemonic | all} 14-8 Logging and Network Management (Optional) Specifies the severity level at which the server will log ...
Page 401: Show Logging Local
Parameters mnemonic Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the logging severity level to 6 for SNMP. C2(rw)->clear logging application SNMP show logging local Use this command to display the state of message logging to the console and a persistent file. Syntax show logging local Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the state of message logging. In this case, logging to the console is enabled and logging to a persistent file is disabled. C2(su)->show logging local Syslog Console Logging enabled Syslog File Logging disabled set logging local Use this command to configure log messages to the console and a persistent file.
Page 402: Clear Logging Local
Parameters console enable | disable file enable | disable Defaults None. Mode Switch command, read‐write. Example This command shows how to enable logging to the console and disable logging to a persistent file: C2(su)->set logging local console enable file disable clear logging local Use this command to clear the console and persistent store logging for the local session. Syntax clear logging local Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to clear local logging: C2(su)->clear logging local show logging buffer Use this command to display the last 256 messages logged. By default, critical failures and user ...
Page 403 Defaults None. Mode Switch command, read‐only. Example This example shows a portion of the information displayed with the show logging buffer command: C2(su)->show logging buffer <165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet) <165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet) show logging buffer SecureStack C2 Configuration Guide 14-11...
Page 404: Monitoring Network Events And Status
Monitoring Network Events and Status Monitoring Network Events and Status Purpose To display switch events and command history, to set the size of the history buffer, and to display and disconnect current user sessions. Commands For information about... history show history set history ping show users disconnect show netstat history Use this command to display the contents of the command history buffer. The command history buffer includes all the switch commands entered up to a maximum of 100, as specified in the set history command (“set history” on page 14‐13). Syntax history Parameters None. Defaults None. Mode Switch command, read‐only.
Page 405: Show History
Use this command to display the size (in lines) of the history buffer. Syntax show history Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the size of the history buffer: C2(su)->show history History buffer size: 20 set history Use this command to set the size of the history buffer. Syntax set history size [default] Parameters size default Defaults None. Mode Switch command, read‐write. Example This example shows how to set the size of the command history buffer to 30 lines: C2(su)->set history 30 Specifies the size of the history buffer in lines. Valid values are 1 to 100. ...
Page 406: Ping
Use this command to send ICMP echo‐request packets to another node on the network from the switch CLI. Syntax ping host Parameters host Defaults None. Mode Switch command, read‐write. Examples This example shows how to ping IP address 134.141.89.29. In this case, this host is alive: C2(su)->ping 134.141.89.29 134.141.89.29 is alive In this example, the host at IP address is not responding: C2(su)->ping 134.141.89.255 no answer from 134.141.89.255 show users Use this command to display information about the active console port or Telnet session(s) logged in to the switch. Syntax show users Parameters None. Defaults None. Mode Switch command, read‐only.
Page 407: Disconnect
C2(su)->show users Session User -------- ----- -------------------------- * telnet telnet disconnect Use this command to close an active console port or Telnet session from the switch CLI. Syntax disconnect {ip-addr | console} Parameters ip‐addr console Defaults None. Mode Switch command, read‐write. Examples This example shows how to close a Telnet session to host 134.141.192.119: C2(su)->disconnect 134.141.192.119 This example shows how to close the current console session: C2(su)->disconnect console show netstat Use this command to display network layer statistics. Syntax show netstat Parameters None. Defaults None.
Page 408: Show Netstat Output Details
show netstat Example The following example shows the output of this command. C2(su)->show netstat Prot Local Address ---- ----------------------------- 127.0.0.1.2222 0.0.0.0.80 0.0.0.0.23 10.1.56.17.23 0.0.0.0.17185 127.0.0.1.49152 0.0.0.0.161 0.0.0.0.* 0.0.0.0.514 The following table describes the output of this command. Table 14-4 show netstat Output Details Output Field Prot Local Address Foreign Address State 14-16 Logging and Network Management Foreign Address ----------------------------- 0.0.0.0.*...
Page 409: Purpose
Managing Switch Network Addresses and Routes Purpose To display or delete switch ARP table entries, and to display MAC address information. Commands For information about... show arp set arp clear arp traceroute show mac show mac agetime set mac agetime clear mac agetime set mac algorithm show mac algorithm clear mac algorithm set mac multicast...
Page 410: Set Arp
134.142.191.192 134.142.192.18 134.142.192.119 ----------------------------------------------------- Table 14‐5 provides an explanation of the command output. Table 14-5 show arp Output Details Output Field IP Address Phys Address Flags set arp Use this command to add mapping entries to the switch’s ARP table. Syntax set arp ip-address mac-address Parameters ip‐address mac‐address Defaults None. Mode Switch command, read‐write. Example This example shows how to map IP address 192.168.219.232 to MAC address 00‐00‐0c‐40‐0f‐bc: C2(su)->set arp 192.168.219.232 00-00-0c-40-0f-bc 14-18 Logging and Network Management ...
Page 411: Clear Arp
Use this command to delete a specific entry or all entries from the switch’s ARP table. Syntax clear arp {ip-address | all} Parameters ip‐address | all Defaults None. Mode Switch command, read‐write. Example This example shows how to delete entry 10.1.10.10 from the ARP table: C2(su)->clear arp 10.1.10.10 traceroute Use this command to display a hop‐by‐hop path through an IP network from the device to a specific destination host. Three UDP or ICMP probes will be transmitted for each hop between the source and the traceroute destination. Syntax traceroute [-w waittime] [-f first-ttl] [-m max-ttl] [-p port] [-q nqueries] [-r] [-d] [-n] [-v] host Parameters ‐w waittime...
Page 412: Show Mac
Switch command, read‐only. Example This example shows how to use traceroute to display a round trip path to host 192.167.252.17. In this case, hop 1 is the SecureStack C2 switch, hop 2 is 14.1.0.45, and hop 3 is back to the host IP address. Round trip times for each of the three UDP probes are displayed next to each hop: C2(su)->traceroute 192.167.252.17 traceroute to 192.167.252.17 (192.167.252.17), 30 hops max, 40 byte packets matrix.enterasys.com (192.167.201.40) 14.1.0.45 (14.1.0.45) 192.167.252.17 (192.167.252.17) show mac Use this command to display MAC addresses in the switch’s filtering database. These are addresses learned on a port through the switching process. Syntax show mac [address mac-address] [fid fid] [port port-string] [type {other | learned...
Page 413: Show Mac Agetime
Defaults If no parameters are specified, all MAC addresses for the device will be displayed. Mode Switch command, read‐only. Example This example shows how to display MAC address information for C2(su)->show mac port ge.3.1 MAC Address ----------------- ---- ------------- -------- 00-09-6B-0F-13-E6 15 MAC Address ----------------- ---- ------------- ------- ------- --------------------------- 01-01-23-34-45-56 20 Table 14‐6 provides an explanation of the command output. Table 14-6 show mac Output Details Output Field MAC Address...
Page 414: Set Mac Agetime
Defaults None. Mode Switch command, read‐only. Example This example shows how to display the MAC timeout period: C2(su)->show mac agetime Aging time: 300 seconds set mac agetime Use This command to set the timeout period for aging learned MAC entries. Syntax set mac agetime time Parameters time Defaults None. Mode Switch command, read‐only. Example This example shows how to set the MAC timeout period: C2(su)->set mac agetime 250 clear mac agetime Use this command to reset the timeout period for aging learned MAC entries to the default value ...
Page 415: Set Mac Algorithm
Mode Switch command, read‐only. Example This example shows how to reset the MAC timeout period to the default value of 300 seconds. C2(su)->clear mac agetime set mac algorithm Use this command to set the MAC algorithm mode, which determines the hash mechanism used by the device when performing Layer 2 lookups on received frames. Syntax set mac algorithm {mac-crc16-lowerbits | mac-crc16-upperbits | mac-crc32-lowerbits | mac-crc32-upperbits} Parameters mac‐crc16‐lowerbits mac‐crc16‐upperbits mac‐crc32‐lowerbits mac‐crc32‐upperbits Defaults The default MAC algorithm is mac‐crc16‐upperbits. Mode Switch command, read‐write. Usage Each algorithm is optimized for a different spread of MAC addresses. When changing this mode, the switch will display a warning message and prompt you to restart the device. The default MAC algorithm is mac‐crc16‐upperbits. Example This example sets the hashing algorithm to mac‐crc32‐upperbits. C2(rw)->set mac algorithm mac-crc32-upperbits show mac algorithm This command displays the currently selected MAC algorithm mode.
Page 416: Clear Mac Algorithm
Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows the output of this command. C2(su)->show mac algorithm Mac hashing algorithm is mac-crc16-upperbits. clear mac algorithm Use this command to return the MAC hashing algorithm to the default value of mac‐crc16‐ upperbits. Syntax clear mac algorithm Parameters None. Defaults None. Mode Switch command, read‐write. Example This example resets the MAC hashing algorithm to the default value. C2(su)->clear mac algorithm set mac multicast Use this command to define on what ports within a VLAN a multicast address can be dynamically ...
Page 417: Clear Mac Address
Parameters mac‐address vlan‐id port‐string append | clear Defaults If no port‐string is defined, the command will apply to all ports. Mode Switch command, read‐write. Example This example configures multicast MAC address 01‐01‐22‐33‐44‐55 for VLAN 24. C2(su)->set mac multicast 01-01-22-33-44-55 24 clear mac address Use this command to remove a multicast MAC address. Syntax clear mac address mac-address [vlan-id] Parameters mac‐address vlan‐id Defaults If no vlan‐id is specified, the multicast MAC address is cleared from all VLANs. Mode Switch command, read‐write. Example This example clears multicast MAC address 01‐01‐22‐33‐44‐55 from VLAN 24. C2(su)->clear mac multicast 01-01-22-33-44-55 24 Specifies the multicast MAC address. The MAC address can be ...
Page 418: Show Mac Unreserved-Flood
Use this command to display the state of multicast flood protection. Syntax show mac unreserved-flood Parameters None. Defaults None. Mode Switch command, read‐write. Example This example displays the status of multicast flood protection. C2(su)->show mac unreserved-flood mac unreserved flood is disabled. set mac unreserved-flood Use this command to enable or disable multicast flood protection. When enabled, this prevents policy profiles requiring a full 10 masks from being loaded. Syntax set mac unreserved-flood {disable | enable} Parameters disable | enable...
Page 419: Purpose
Example This example enables multicast flood protection. C2(su)->set mac unreserved-flood enable Configuring Simple Network Time Protocol (SNTP) Purpose To configure the Simple Network Time Protocol (SNTP), which synchronizes device clocks in a network. Note: A host IP address must be configured on the C2 to support SNTP. Commands For information about... show sntp set sntp client clear sntp client set sntp server clear sntp server set sntp poll-interval...
Page 420: Show Sntp Output Details
Defaults None. Mode Switch command, read‐only. Example This example shows how to display SNTP client settings: C2(su)->show sntp SNTP Version: 3 Current Time: TUE SEP 09 16:13:33 2003 Timezone: 'EST', offset from UTC is -4 hours and 0 minutes Client Mode: unicast Broadcast Count: 0 Poll Interval: 512 seconds...
Page 421: Set Sntp Client
Status set sntp client Use this command to set the SNTP operation mode. Syntax set sntp client {broadcast | unicast | disable} Parameters broadcast unicast disable Defaults None. Mode Switch command, read‐write. Example This example shows how to enable SNTP in broadcast mode: C2(su)->set sntp client broadcast clear sntp client Use this command to clear the SNTP client’s operational mode. Syntax clear sntp client Parameters None. Defaults None.
Page 422: Set Sntp Server
Mode Switch command, read‐write. Example This example shows how to clear the SNTP client’s operational mode: C2(su)->clear sntp client set sntp server Use this command to add a server from which the SNTP client will retrieve the current time when operating in unicast mode. Up to 10 servers can be set as SNTP servers. Syntax set sntp server ip-address [precedence] Parameters ip‐address precedence Defaults If precedence is not specified, 1 will be applied. Mode Switch command, read‐write. Example This example shows how to set the server at IP address 10.21.1.100 as an SNTP server: C2(su)->set sntp server 10.21.1.100 clear sntp server Use this command to remove one or all servers from the SNTP server list.
Page 423: Set Sntp Poll-Interval
Mode Switch command, read‐write. Example This example shows how to remove the server at IP address 10.21.1.100 from the SNTP server list: C2(su)->clear sntp server 10.21.1.100 set sntp poll-interval Use this command to set the poll interval between SNTP unicast requests. Syntax set sntp poll-interval interval Parameters interval Defaults None. Mode Switch command, read‐write. Example This example shows how to set the SNTP poll interval to 30 seconds: C2(su)->set sntp poll-interval 30 clear sntp poll-interval Use this command to clear the poll interval between unicast SNTP requests. Syntax clear sntp poll-interval Parameters None.
Page 424: Set Sntp Poll-Retry
Example This example shows how to clear the SNTP poll interval: C2(su)->clear sntp poll-interval set sntp poll-retry Use this command to set the number of poll retries to a unicast SNTP server. Syntax set sntp poll-retry retry Parameters retry Defaults None. Mode Switch command, read‐write. Example This example shows how to set the number of SNTP poll retries to 5: C2(su)->set sntp poll-retry 5 clear sntp poll-retry Use this command to clear the number of poll retries to a unicast SNTP server. Syntax clear sntp poll-retry Parameters None. Defaults None. Mode Switch command, read‐write.
Page 425: Set Sntp Poll-Timeout
Use this command to set the poll timeout (in seconds) for a response to a unicast SNTP request. Syntax set sntp poll-timeout timeout Parameters timeout Defaults None. Mode Switch command, read‐write. Example This example shows how to set the SNTP poll timeout to 10 seconds: C2(su)->set sntp poll-timeout 10 clear sntp poll-timeout Use this command to clear the SNTP poll timeout. Syntax clear sntp poll-timeout Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the SNTP poll timeout: C2(su)->clear sntp poll-timeout set timezone Use this command to configure the current timezone as an offset from UTC.
Page 426 Parameters name hours minutes Defaults If you enter a timezone name without specifying an offset in hours and minutes, the default is an offset from UTC of 0 hours and 0 minutes. Mode Switch command, read‐write. Usage Typically, this command is used to configure the local timezone offset from UTC (Univeral Time) when SNTP is used to synchronize the time used by devices on the network. To display the current timezone setting used by SNTP, use the show sntp command. To clear an existing offset to zero, enter the command without specifying any hours or minutes. Standard timezone names and offsets can be found at the following URL, among others: http://www.timeanddate.com/library/abbreviations/timezones/ Example The following example sets the timezone name to EST and the offset to North American Eastern Standard Time offset of ‐5 hours from UTC, then displays the timezone used with SNTP. C2(su)->set timezone EST -5 C2(su)->show sntp SNTP Version: 3 Current Time: WED JUL 16 11:35:52 2008 Timezone: 'EST' offset from UTC is -5 hours and 0 minutes...
Page 427: Configuring Node Aliases
Configuring Node Aliases The node alias feature enables administrators to determine the MAC address and location of a given end‐station (or node) using the node’s Layer 3 alias information (IP address) as a key. With this method, it is possible to determine that, for instance, IP address 123.145.2.23 is located on switch 5 port 3. The passive accumulation of a networkʹs node/alias information is accomplished by “snooping” on the contents of network traffic as it passes through the switch fabric. In the C2, node data is automatically accumulated into the ct‐alias mib, and by default this feature is enabled. The NetSight Console Compass utility and Automated Security Manager (ASM) use the information in the node/alias MIB table. Itʹs important to make sure that inter‐switch links are not learning node/alias information, as it would slow down searches by the NetSight Compass and ASM tools and give inaccurate results. Purpose To review, disable, and re‐enable node (port) alias functionality on the switch. Commands For information about... show nodealias config set nodealias clear nodealias config show nodealias config Use this command to display node alias configuration settings on one or more ports. Syntax show nodealias config [port-string] Parameters port‐string Defaults If port‐string is not specified, node alias configurations will be displayed for all ports.
Page 428: Set Nodealias
Use this command to enable or disable a node alias agent on one or more ports, or set the maximum number of alias entries stored per port. Syntax set nodealias {enable | disable | maxentries maxentries} port-string Parameters enable | disable maxentries maxentries port‐string Defaults None. Mode Switch command, read‐write. Usage Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias agent, which is the default setting on SecureStack C2 devices. Node aliases cannot be statically created, but can be deleted using the command “clear nodealias config” (page 14‐37). 14-36 Logging and Network Management ----------- ------------ 4000 What It Displays... Port designation. Maximum number of alias entries configured for this port.
Page 429: Clear Nodealias Config
Itʹs important to make sure that inter‐switch links are not learning node/alias information, as it would slow down searches by the NetSight Compass and ASM tools and give inaccurate results. Example This example shows how to disable the node alias agent on ge.1.3: C2(su)->set nodealias disable ge.1.3 clear nodealias config Use this command to reset node alias state to enabled and clear the maximum entries value. Syntax clear nodealias config port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the node alias configuration on ge.1.3 C2(su)->clear nodealias config ge.1.3 Specifies the port(s) on which to reset the node alias configuration. clear nodealias config SecureStack C2 Configuration Guide 14-37...
Page 430 clear nodealias config 14-38 Logging and Network Management...
Page 431: Chapter 15: Rmon Configuration
This chapter describes the commands used to configure RMON on a SecureStack C2 switch. For information about... RMON Monitoring Group Functions Design Considerations Statistics Group Commands History Group Commands Alarm Group Commands Event Group Commands Filter Group Commands Packet Capture Commands RMON Monitoring Group Functions RMON (Remote Network Monitoring) provides comprehensive network fault diagnosis, planning, and performance tuning information and allows for interoperability between SNMP management stations and monitoring agents. RMON extends the SNMP MIB capability by defining additional MIBs that generate a much richer set of data about network usage. “groups” each gather specific sets of data to meet common network monitoring requirements. Table 15‐1 lists the RMON monitoring groups supported on SecureStack C2 devices, each group’s function and the elements it monitors, and the associated configuration commands needed.
Page 432: Design Considerations
Design Considerations Table 15-1 RMON Monitoring Group Functions and Commands (Continued) RMON Group What It Does... History Records periodic statistical samples from a network. Alarm Periodically gathers statistical samples from variables in the probe and compares them with previously configured thresholds.
Page 433: Statistics Group Commands
• RMON Packet Capture/Filter Sampling and Port Mirroring cannot be enabled on the same interface concurrently. • You can capture a total of 100 packets on an interface, no more and no less. – The captured frames will be as close to sequential as the hardware will allow. – Only one interface can be configured for capturing at a time. – Once 100 frames have been captured by the hardware, the application will stop without manual intervention. • As described in the MIB, the filter is only applied after the frame is captured, thus only a subset of the frames captured will be available for display. • There is only one Buffer Control Entry supported. • Due to the limitations of the hardware, the Buffer Control Entry table will have limits on a few of its elements: – MaxOctetsRequested can only be set to the value ‐1 which indicates the application will capture as many packets as possible given its restrictions. – CaptureSliceSize can only be set to 1518. – The Full Action element can only be set to “lock” since the device does not support wrapping the capture buffer. • Due to hardware limitations, the only frame error counted is oversized frames. • The application does not support Events. Therefore, the following elements of the Channel Entry Table are not supported: TurnOnEventIndex, TurnOffEventIndex, EventIndex, and EventStatus. • There is only one Channel Entry available at a time. – There are only three Filter Entries available, and a user can associate all three Filter Entries with the Channel Entry. • Configured channel, filter, and buffer information will be saved across resets, but not frames ...
Page 434: Show Rmon Stats
Use this command to display RMON statistics measured for one or more ports. Syntax show rmon stats [port-string] Parameters port‐string Defaults If port‐string is not specified, RMON stats will be displayed for all ports. Mode Switch command, read‐only. Example This example shows how to display RMON statistics for Gigabit Ethernet port 1 in switch 1. C2(su)->show rmon stats ge.1.1 Port: ge.1.1 ------------------------------------- Index Owner Data Source Drop Events Collisions Jabbers Broadcast Pkts Multicast Pkts CRC Errors...
Page 435: Clear Rmon Stats
Defaults If owner is not specified, monitor will be applied. Mode Switch command, read‐write. Example This example shows how to configure RMON statistics entry 2 for ge.1.20: C2(rw)->set rmon stats 2 ge.1.20 clear rmon stats Use this command to delete one or more RMON statistics entries. Syntax clear rmon stats {index-list | to-defaults} Parameters index‐list to‐defaults Defaults None. Mode Switch command, read‐write. Example This example shows how to delete RMON statistics entry 2: C2(rw)->clear rmon stats 2 Specifies one or more stats entries to be deleted, causing them to disappear from any future RMON queries. Resets all history entries to default values. This will cause entries to reappear in RMON queries. clear rmon stats...
Page 436: Show Rmon History
Use this command to display RMON history properties and statistics. The RMON history group records periodic statistical samples from a network. Syntax show rmon history [port-string] Parameters port‐string Defaults If port‐string is not specified, information about all RMON history entries will be displayed. Mode Switch command, read‐only. Example This example shows how to display RMON history entries for Gigabit Ethernet port 1 in switch 1. A control entry displays first, followed by actual entries corresponding to the control entry. In this case, the default settings for entry owner, sampling interval, and maximum number of entries. (buckets) have not been changed from their default values. For a description of the types of statistics shown, refer to Table C2(su)->show rmon history ge.1.1 Port: ge.1.1 ------------------------------------- Index 1 Owner Status...
Page 437: Set Rmon History
Defaults If buckets is not specified, the maximum number of entries maintained will be 50. If not specified, interval will be set to 30 seconds. If owner is not specified, monitor will be applied. Mode Switch command, read‐write. Example This example shows how configure RMON history entry 1 on port ge.2.1 to sample every 20 seconds: C2(rw)->set rmon history 1 ge.2.1 interval 20 clear rmon history Use this command to delete one or more RMON history entries or reset one or more entries to default values. For specific values, refer to “set rmon history” on page 15‐7. Syntax clear rmon history {index-list | to-defaults} Interval Start: 1 days 0 hours 2 minutes 22 seconds...
Page 438 Parameters index‐list to‐defaults Defaults None. Mode Switch command, read‐write. Example This example shows how to delete RMON history entry 1: C2(rw)->clear rmon history 1 15-8 RMON Configuration Specifies one or more history entries to be deleted, causing them to disappear from any future RMON queries. Resets all history entries to default values. This will cause entries to reappear in RMON queries.
Page 439: Show Rmon Alarm
Use this command to display RMON alarm entries. The RMON alarm group periodically takes statistical samples from RMON variables and compares them with previously configured thresholds. If the monitored variable crosses a threshold an RMON event is generated. Syntax show rmon alarm [index] Parameters index Defaults If index is not specified, information about all RMON alarm entries will be displayed. Mode Switch command, read‐only. Example This example shows how to display RMON alarm entry 3: C2(rw)->show rmon alarm 3 Index 3 --------------------- Owner Status Variable Sample Type Interval Rising Threshold Rising Event Index Table 15‐2 provides an explanation of the command output.
Page 440: Set Rmon Alarm Properties
set rmon alarm properties Table 15-2 show rmon alarm Output Details Output Field Index Owner Status Variable Sample Type Startup Alarm Interval Rising Threshold Falling Threshold Rising Event Index Falling Event Index set rmon alarm properties Use this command to configure an RMON alarm entry, or to create a new alarm entry with an unused alarm index number. Syntax set rmon alarm properties index [interval interval] [object object] [type {absolute | delta}] [startup {rising | falling | either}] [rthresh rthresh] [fthresh fthresh] [revent revent] [fevent fevent] [owner owner] Parameters...
Page 441: Set Rmon Alarm Status
Defaults interval ‐ 3600 seconds type ‐ absolute startup ‐ rising rthresh ‐ 0 fthresh ‐ 0 revent ‐ 0 fevent ‐ 0 owner ‐ monitor Mode Switch command, read‐write. Example This example shows how to configure a rising RMON alarm. This entry will conduct monitoring of the delta between samples every 30 seconds: C2(rw)->set rmon alarm properties 3 interval 30 object 1.3.6.1.4.1.5624.1.2.29.1.2.1.0 type delta rthresh 1 revent 2 owner Manager set rmon alarm status Use this command to enable an RMON alarm entry. An alarm is a notification that a statistical sample of a monitored variable has crossed a configured threshold. Syntax set rmon alarm status index enable (Optional) Specifies the type of alarm generated when this event is first ...
Page 442: Clear Rmon Alarm
Parameters index enable Defaults None. Mode Switch command, read‐write. Usage An RMON alarm entry can be created using this command, configured using the set rmon alarm properties command (“set rmon alarm properties” on page command. An RMON alarm entry can be created and configured at the same time by specifying an unused index with the set rmon alarm properties command. Example This example shows how to enable RMON alarm entry 3: C2(rw)->set rmon alarm status 3 enable clear rmon alarm Use this command to delete an RMON alarm entry. Syntax clear rmon alarm index Parameters index Defaults None. Mode Switch command, read‐write. Example This example shows how to clear RMON alarm entry 1: C2(rw)->clear rmon alarm 1...
Page 443: Event Group Commands
Use this command to display RMON event entry properties. Syntax show rmon event [index] Parameters index Defaults If index is not specified, information about all RMON entries will be displayed. Mode Switch command, read‐only. Example This example shows how to display RMON event entry 3: C2(rw)->show rmon event 3 Index 3 ---------------- Owner Status Description Type Community Last Time Sent = 0 days 0 hours 0 minutes 37 seconds Table 15‐3 provides an explanation of the command output.
Page 444: Set Rmon Event Properties
Defaults If description is not specified, none will be applied. If not specified, type none will be applied. If owner is not specified, monitor will be applied. Mode Switch command, read‐write. 15-14 RMON Configuration What It Displays... Index number for this event entry. Text string identifying who configured this entry. Whether this event entry is enabled (valid) or disabled. Text string description of this event.
Page 445: Set Rmon Event Status
Use this command to enable an RMON event entry. An event entry describes the parameters of an RMON event that can be triggered. Events can be fired by RMON alarms and can be configured to create a log entry, generate a trap, or both. Syntax set rmon event status index enable Parameters index enable Defaults None. Mode Switch command, read‐write. Usage An RMON event entry can be created using this command, configured using the set rmon event properties command (“set rmon event properties” on page command. An RMON event entry can be created and configured at the same time by specifying an unused index with the set rmon event properties command. Example This example shows how to enable RMON event entry 1: C2(rw)->set rmon event status 1 enable clear rmon event Use this command to delete an RMON event entry and any associated log entries. Syntax clear rmon event index...
Page 446 Defaults None. Mode Switch command, read‐write. Example This example shows how to clear RMON event 1: C2(rw)->clear rmon event 1 15-16 RMON Configuration...
Page 447: Filter Group Commands
Filter Group Commands The packet capture and filter function is disabled by default. Only one interface can be configured for capturing and filtering at a time. When packet capture is enabled on an interface, the SecureStack C2 switch will capture 100 frames as close to sequentially as possible. These 100 frames will be placed into a buffer for inspection. If there is data in the buffer when the function is started, the buffer will be overwritten. Once 100 frames have been captured, the capture will stop. Filtering will be performed on the frames captured in the buffer. Therefore, only a subset of the frames captured will be available for display. Note: Packet capture is sampling only and does not guarantee receipt of back to back packets. One channel at a time can be supported, with up to three filters. Configured channel, filter, and buffer control information will be saved across resets, but captured frames within the buffer will not be saved. This function cannot be used concurrently with port mirroring. The system will check to prevent concurrently enabling both functions, and a warning will be generated in the CLI if attempted. Commands For information about... show rmon channel set rmon channel...
Page 448: Set Rmon Channel
Defaults If an action is not specified, packets will be accepted on filter matches. If not specified, control will be set to off. If a description is not specified, none will be applied. If owner is not specified, it will be set to monitor. Mode Switch command, read‐write. 15-18 RMON Configuration Channel index= 628 EntryStatus= valid AcceptType OffEventIndex Status 4498 Thu Dec 16 12:57:32 EST 2004 NetSight smith Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 2. Maximum value is 65535. Specifies the port on which traffic will be monitored. (Optional) Specifies the action of the filters on this channel as: •...
Page 449: Clear Rmon Channel
C2(rw)->set rmon channel 54313 ge.2.12 accept failed control on description "capture all" clear rmon channel Use this command to clear an RMON channel entry. Syntax clear rmon channel index Parameters index Defaults None. Mode Switch command, read‐write. Example This example shows how to clear RMON channel entry 2: C2(rw)->clear rmon channel 2 show rmon filter Use this command to display one or more RMON filter entries. Syntax show rmon filter [index index | channel channel] Parameters index index | channel channel Defaults If no options are specified, information for all filter entries will be displayed.
Page 450: Set Rmon Filter
set rmon filter C2(rw)->show rmon filter Index= 55508 ---------------------------------------------------------- Data Offset PktStatusMask Owner ----------------------------- Data ff ff ff ff ff ff ----------------------------- DataMask ff ff ff ff ff ff ----------------------------- DataNotMask 00 00 00 00 00 00 set rmon filter Use this command to configure an RMON filter entry.
Page 451: Clear Rmon Filter
Mode Switch command, read‐write. Example This example shows how to create RMON filter 1 and apply it to channel 9: C2(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff clear rmon filter Use this command to clear an RMON filter entry. Syntax clear rmon filter {index index | channel channel} Parameters index index | channel channel Defaults None. Mode Switch command, read‐write. Example This example shows how to clear RMON filter entry 1: C2(rw)->clear rmon filter index 1 Clears a specific filter entry, or all entries belonging to a specific channel.
Page 452: Packet Capture Commands
Use this command to display RMON capture entries and associated buffer control entries. Syntax show rmon capture [index [nodata]] Parameters index nodata Defaults If no options are specified, all buffer control entries and associated captured packets will be displayed. Mode Switch command, read‐only. Example This example shows how to display RMON capture entries and associated buffer entries: C2(rw)->show rmon capture Buf.control= 28062 ---------------------------------------------------------- FullStatus Captured packets Download size Max Octet Requested 50000 Start time 15-22 RMON Configuration (Optional) Displays the specified buffer control entry and all captured ...
Page 453: Set Rmon Capture
Owner captureEntry= 1 -------------------------------------------- Pkt ID Pkt Length Data: 00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00 00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04 06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00 02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07...
Page 454: Clear Rmon Capture
Mode Switch command, read‐write. Example This example shows how to create RMON capture entry 1 to “listen” on channel 628: C2(rw)->set rmon capture 1 628 clear rmon capture Use this command to clears an RMON capture entry. Syntax clear rmon capture index Parameters index Defaults None. Mode Switch command, read‐write. Example This example shows how to clear RMON capture entry 1: C2(rw)->clear rmon capture 1 15-24 RMON Configuration Specifies the capture entry to be cleared.
Page 455: Chapter 16: Dhcp Server Configuration
This chapter describes the commands to configure the IPv4 DHCP server functionality on a SecureStack C2 switch. For information about... DHCP Overview Configuring General DHCP Server Parameters Configuring IP Address Pools DHCP Overview Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that implements automatic or manual assignment of IP addresses and other configuration information to client devices by servers. A DHCP server manages a user‐configured pool of IP addresses from which it can make assignments upon client requests. A relay agent passes DHCP messages between clients and servers which are on different physical subnets. DHCP Relay Agent The DHCP/BOOTP relay agent function can be configured on all of the SecureStack C2’s routing interfaces. The relay agent can forward a DHCP client’s request to a DHCP server located on a different network if the address of the server is configured as a helper address on the receiving interface. The relay agent interface must be a VLAN which is configured with an IP address. Refer to the ip helper‐address command (“ip helper‐address” on page 19‐14) for more information. DHCP Server DHCP server functionality allows the SecureStack C2 switch to provide basic IP configuration information to a client on the network who requests such information using the DHCP protocol. DHCP provides the following mechanisms for IP address allocation by a DHCP server: • Automatic—DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address) from a defined pool of IP addresses ...
Page 456: Configuring A Dhcp Server
NetBIOS WINS server(s) and node name • Boot file • DHCP options as defined by RFC 2132 Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the entire switch, can be configured on the SecureStack C2 Configuring a DHCP Server For DHCP to function on SecureStack C2 systems, the system has to “know about” the IP network for which the DHCP pool is to be created. On the C2, there are two ways to configure a DHCP server: one is to associate the DHCP address pool with the switch’s host port IP address, and the other is to associate the DHCP address pool ...
Page 457: Configuring General Dhcp Server Parameters
set port vlan ge.1.1-10 6 Create a routed interface for the VLAN in router configuration mode. In the following example, an IP address is associated with routed interface VLAN 6: In router configuration mode: interface vlan 6 no shutdown ip address 6.6.1.1 255.255.0.0 Enable DHCP server functionality on the system with the set dhcp enable command. Create the DHCP address pool. The only required steps are to name the pool and define the network number and mask for the pool. Note that the pool has to be in the same subnet as the routed interface and use the same mask configured on the routed interface. For example: set dhcp pool auto-pool network 6.6.0.0 255.255.0.0 DHCP clients in VLAN 6 will be served IP addresses from this DHCP address pool. Optional DHCP server tasks include: • You can limit the scope of addresses assigned to a pool for dynamic address assignment with the set dhcp exclude command. Up to 128 non‐overlapping address ranges can be excluded on the SecureStack C2. For example: set dhcp exclude 192.0.0.1 192.0.0.10 Note: The IP address of the system’s host port or the routed interface is automatically excluded.
Page 458: Set Dhcp Bootp
Use this command to enable or disable the DHCP server functionality on the SecureStack C2. Syntax set dhcp {enable | disable} Parameters enable | disable Defaults None. Mode Switch command, read‐write. Example This example enables DHCP server functionality. C2(rw)->set dhcp enable set dhcp bootp Use this command to enable or disable automatic address allocation for BOOTP clients. By default, address allocation for BOOTP clients is disabled. Refer to RFC 1534, “Interoperation Between DHCP and BOOTP,” for more information. Syntax set dhcp bootp {enable | disable} Parameters enable | disable...
Page 459: Set Dhcp Conflict Logging
Defaults None. Mode Switch command, read‐write. Example This example enables address allocation for BOOTP clients. C2(rw)->set dhcp bootp enable set dhcp conflict logging Use this command to enable conflict logging. By default, conflict logging is enabled. Use the clear dhcp conflict logging command to disable conflict logging. Syntax set dhcp conflict logging Parameters None. Defaults None. Mode Switch command, read‐write. Example This example enables DHCP conflict logging. C2(rw)->set dhcp conflict logging show dhcp conflict Use this command to display conflict information, for one address or all addresses. Syntax show dhcp conflict [address]...
Page 460: Clear Dhcp Conflict
Use this command to clear conflict information for one or all addresses, or to disable conflict logging. Syntax clear dhcp conflict {logging | ip-address| *} Parameters logging ip‐address Defaults None. Mode Switch command, read‐write. Examples This example disables DHCP conflict logging. C2(rw)->clear dhcp conflict logging This example clears the conflict information for the IP address 192.0.0.2. C2(rw)->clear dhcp conflict 192.0.0.2 16-6 DHCP Server Configuration Detection Method Detection Time ----------------- ---------------...
Page 461: Set Dhcp Exclude
Use this command to configure the IP addresses that the DHCP server should not assign to DHCP clients. Multiple address ranges can be configured but the ranges cannot overlap. Up to 128 non‐ overlapping address ranges can be excluded. Syntax set dhcp exclude low-ipaddr [high-ipaddr] Parameters low‐ipaddr high‐ipaddr Defaults None. Mode Switch command, read‐write. Example This example first configures the address pool named “auto1” with 255 addresses for the Class C network 172,20.28.0, with the set dhcp pool network command. Then, the example limits the scope of the addresses that can be assigned by a DHCP server by excluding addresses 172.20.28.80 – 100, with the set dhcp exclude command. C2(rw)->set dhcp pool auto1 network 172.20.28.0 24 C2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100 clear dhcp exclude Use this command to clear the configured IP addresses that the DHCP server should not assign to DHCP clients. Syntax...
Page 462: Set Dhcp Ping
C2(rw)->clear dhcp exclude 192.168.1.88 192.168.1.100 set dhcp ping Use this command to configure the number of ping packets the DHCP server sends to an IP address before assigning the address to a requesting client. Syntax set dhcp ping packets number Parameters packets number Defaults None. Mode Switch command, read‐write. Example This example sets the number of ping packets sent to 3. C2(rw)->set dhcp ping packets 3 clear dhcp ping Use this command to reset the number of ping packets sent by the DHCP server back to the default value of 2. Syntax clear dhcp ping packets Parameters None.
Page 463: Show Dhcp Binding
Example This example resets the number of ping packets sent back to the default value. C2(rw)->clear dhcp ping packets show dhcp binding Use this command to display binding information for one or all IP addresses. Syntax show dhcp binding [ip-address] Parameters ip‐address Defaults If no IP address is specified, binding information for all addresses is displayed. Mode Read‐only. Example This example displays binding information about all addresses. C2(rw)->show dhcp binding IP address ----------- 192.0.0.6 192.0.0.8 192.0.0.10 192.0.0.11 192.0.0.12 192.0.0.13 192.0.0.14 clear dhcp binding Use this command to clear (delete) one or all DHCP address bindings.
Page 464: Show Dhcp Server Statistics
Mode Switch command, read‐write. Example This example deletes the DHCP address binding for IP address 192.168.1.1. C2(rw)->clear dhcp binding 192.168.1.1 show dhcp server statistics Use this command to display DHCP server statistics. Syntax show dhcp server statistics Parameters None. Defaults None. Mode Read‐only. Example This example displays server statistics. C2(ro)->show dhcp server statistics Automatic Bindings Expired Bindings Malformed Bindings...
Page 465 Parameters None. Defaults None. Mode Switch command, read‐write. Example This example clears all DHCP server counters. C2(rw)->clear dhcp server statistics clear dhcp server statistics SecureStack C2 Configuration Guide 16-11...
Page 466: Purpose
Configuring IP Address Pools Configuring IP Address Pools Manual Pool Configuration Considerations • The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface). • A manual pool can be configured using either the client’s hardware address (set dhcp pool hardware‐address) or the client’s client‐identifier (set dhcp pool client‐identifier), but using both is not recommended. • If the incoming DHCP request packet contains a client‐identifier, then a manual pool configured with that client‐identifier must exist on the switch in order for the request to be processed. The hardware address is not checked. • A hardware address and type (Ethernet or IEEE 802) configured in a manual pool is checked only when a client‐identifier is not also configured for the pool and the incoming DHCP request packet does not include a client‐identifier option. Purpose To configure and clear DHCP address pool parameters, and to display address pool configuration information. Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack C2 Commands For information about...
Page 467: Set Dhcp Pool
Use this command to create and assign a name to a DHCP server pool of addresses. Up to 16 address pools may be configured on a SecureStack C2. Note that entering this command is not required to create an address pool before configuring other address pool parameters. Syntax set dhcp pool poolname Parameters poolname Defaults None. Mode Switch command, read‐write. Example This example creates an address pool named “auto1.” C2(rw)->set dhcp pool auto1 Specifies the name of the address pool. Pool names may be up to 31 characters in length. set dhcp pool Refer to page... 16-21 16-21 16-22 16-22 16-23...
Page 468: Clear Dhcp Pool
Use this command to delete a DHCP server pool of addresses. Syntax clear dhcp pool poolname Parameters poolname Defaults None. Mode Switch command, read‐write. Example This example deletes the address pool named “auto1.” C2(rw)->clear dhcp pool auto1 set dhcp pool network Use this command to configure the subnet number and mask for an automatic DHCP address pool. Syntax set dhcp pool poolname network number {mask | prefix-length} Parameters...
Page 469: Clear Dhcp Pool Network
C2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100 clear dhcp pool network Use this command to remove the network number and mask of a DHCP server pool of addresses. Syntax clear dhcp pool poolname network Parameters poolname Defaults None. Mode Switch command, read‐write. Example This example deletes the network and mask from the address pool named “auto1.” C2(rw)->clear dhcp pool auto1 network set dhcp pool hardware-address Use this command to configure the MAC address of the DHCP client and create an address pool for manual binding. You can use either this command or the set dhcp pool client‐identifier command to create a manual binding pool, but using both is not recommended. Syntax set dhcp pool poolname hardware-address hw-addr [type]...
Page 470: Clear Dhcp Pool Hardware-Address
Defaults If no type is specified, Ethernet is assumed. Mode Switch command, read‐write. Example This example specifies 0001.f401.2710 as the Ethernet MAC address for the manual address pool named “manual1.” Alternatively, the MAC address could have be entered as 00:01:f4:01:27:10. C2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710 clear dhcp pool hardware-address Use this command to remove the hardware address of a DHCP client from a manual binding address pool. Syntax clear dhcp pool poolname hardware-address Parameters poolname Defaults None. Mode Switch command, read‐write. Example This example deletes the client hardware address from the address pool named “manual1.” C2(rw)->clear dhcp pool manual1 hardware-address set dhcp pool host Use this command to configure an IP address and network mask for a manual DHCP binding.
Page 471: Clear Dhcp Pool Host
Defaults If a mask or prefix is not specified, the class A, B, or C natural mask will be used. Mode Switch command, read‐write. Example This example shows how to configure the minimum requirements for a manual binding address pool. First, the hardware address of the client’s hardware platform is configured, followed by configuration of the address to be assigned to that client manually. C2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710 C2(rw)->set dhcp pool manual1 host 15.12.1.99 255.255.248.0 clear dhcp pool host Use this command to remove the host IP address from a manual binding address pool. Syntax clear dhcp pool poolname host Parameters poolname Defaults None. Mode Switch command, read‐write.
Page 472: Clear Dhcp Pool Client-Identifier
Parameters poolname Defaults None. Mode Switch command, read‐write. Usage The client identifier is formed by concatenating the media type and the MAC address. For example, if the client hardware type is Ethernet and the client MAC address is 00:01:22:33:44:55, then the client identifier configured with this command must be 01:00:01:22:33:44:55. Example This example shows how to configure the minimum requirements for a manual binding address pool, using a client identifier rather than the hardware address of the client’s hardware platform. C2(rw)->set dhcp pool manual2 client-identifier 01:00:01:22:33:44:55 C2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0 clear dhcp pool client-identifier Use this command to remove the unique identifier of a DHCP client from a manual binding address pool. Syntax clear dhcp pool poolname client-identifier...
Page 473: Set Dhcp Pool Client-Name
Syntax set dhcp pool poolname client-name name Parameters poolname name Defaults None. Mode Switch command, read‐write. Example This example configures the client name “appsvr1” to the manual binding pool “manual2.” C2(rw)->set dhcp pool manual2 client-identifier 01:22:33:44:55:66 C2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0 C2(rw)->set dhcp pool manual2 client-name appsvr1 clear dhcp pool client-name Use this command to delete a DHCP client name from an address pool for manual binding.
Page 474: Set Dhcp Pool Bootfile
Use this command to specify a default boot image for the DHCP clients who will be served by the address pool being configured. Syntax set dhcp pool poolname bootfile filename Parameters poolname filename Defaults None. Mode Switch command, read‐write. Example This example sets the boot image filename for address pool named “auto1.” C2(rw)->set dhcp pool auto1 bootfile image1.img clear dhcp pool bootfile Use this command to remove a default boot image from the address pool being configured. Syntax clear dhcp pool poolname bootfile Parameters poolname Defaults None.
Page 475: Set Dhcp Pool Next-Server
Syntax set dhcp pool poolname next-server ip-address Parameters poolname ip‐address Defaults None. Mode Switch command, read‐write. Example This example specifies the file server from which clients being served by address pool “auto1” should download the boot image file “image1.img.” C2(rw)->set dhcp pool auto1 bootfile image1.img C2(rw)->set dhcp pool auto1 next-server 10.1.1.10 clear dhcp pool next-server Use this command to remove the boot image file server from the address pool being configured. Syntax clear dhcp pool poolname next-server...
Page 476: Set Dhcp Pool Lease
{days [hours [minutes]] | infinite} Parameters poolname days hours minutes infinite Defaults If no lease time is specified, a lease duration of 1 day is configured. Mode Switch command, read‐write. Example This example configures a lease duration of 12 hours for the address pool being configured. Note that to configure a lease time less than one day, enter 0 for days, then the number of hours and minutes. C2(rw)->set dhcp pool auto1 lease 0 12 clear dhcp pool lease Use this command to restore the default lease time value of one day for the address pool being configured. Syntax clear dhcp pool poolname lease...
Page 477: Set Dhcp Pool Default-Router
Mode Switch command, read‐write. Example This example restores the default lease duration of one day for address pool “auto1.” C2(rw)->clear dhcp pool auto1 lease set dhcp pool default-router Use this command to specify a default router list for the DHCP clients served by the address pool being configured. Up to 8 default routers can be configured. Syntax set dhcp pool poolname default-router address [address2 ... address8] Parameters poolname address address2 ... address8 Defaults None. Mode Switch command, read‐write. Example This example assigns a default router at 10.10.10.1 to the address pool named “auto1.” C2(rw)->set dhcp pool auto1 default-router 10.10.10.1 clear dhcp pool default-router Use this command to delete the default routers configured for this address pool.
Page 478: Set Dhcp Pool Dns-Server
Mode Switch command, read‐write. Example This example removes the default router from the address pool “auto1.” C2(rw)->clear dhcp pool auto1 default-router set dhcp pool dns-server Use this command to specify one or more DNS servers for the DHCP clients served by the address pool being configured. Up to 8 DNS servers can be configured. Syntax set dhcp pool poolname dns-server address [address2 ... address8] Parameters poolname address address2 ... address8 Defaults None. Mode Switch command, read‐write. Example This example assigns a DNS server at 10.14.10.1 to the address pool “‘auto1.” C2(rw)->set dhcp pool auto1 dns-server 10.14.10.1 clear dhcp pool dns-server Use this command to remove the DNS server list from the address pool being configured.
Page 479: Set Dhcp Pool Domain-Name
Mode Switch command, read‐write. Example This example removes the DNS server list from the address pool “auto1.” C2(rw)->clear dhcp pool auto1 dns-server set dhcp pool domain-name Use this command to specify a domain name to be assigned to DHCP clients served by the address pool being configured. Syntax set dhcp pool poolname domain-name domain Parameters poolname domain Defaults None. Mode Switch command, read‐write. Example This example assigns the “mycompany.com” domain name to the address pool “auto1.” C2(rw)->set dhcp pool auto1 domain-name mycompany.com clear dhcp pool domain-name Use this command to remove the domain name from the address pool being configured.
Page 480: Set Dhcp Pool Netbios-Name-Server
Mode Switch command, read‐write. Example This example removes the domain name from the address pool “auto1.” C2(rw)->clear dhcp pool auto1 domain-name set dhcp pool netbios-name-server Use this command to assign one or more NetBIOS name servers for the DHCP clients served by the address pool being configured. Up to 8 NetBIOS name servers can be configured. Syntax set dhcp pool poolname netbios-name-server address [address2 ... address8] Parameters poolname address address2 ... address8 Defaults None. Mode Switch command, read‐write. Example This example assigns a NetBIOS name server at 10.15.10.1 to the address pool being configured. C2(rw)->set dhcp pool auto1 netbios-name-server 10.15.10.1 clear dhcp pool netbios-name-server Use this command to remove the NetBIOS namer server list from the address pool being ...
Page 481: Set Dhcp Pool Netbios-Node-Type
Mode Switch command, read‐write. Example This example removes the NetBIOS name server list from the address pool auto1. C2(rw)->clear dhcp pool auto1 netbios-name-server set dhcp pool netbios-node-type Use this command to specify a NetBIOS node (server) type for the DHCP clients served by the address pool being configured. Syntax set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node} Parameters poolname b‐node h‐node p‐node m‐node Defaults None. Mode Switch command, read‐write. Example This example specifies hybrid as the NetBIOS node type for the address pool “auto1.”...
Page 482: Set Dhcp Pool Option
Defaults None. Mode Switch command, read‐write. Example This example removes the NetBIOS node type from the address pool “auto1.” C2(rw)->clear dhcp pool auto1 netbios-node-type set dhcp pool option Use this command to configure DHCP options, described in RFC 2132. Syntax set dhcp pool poolname option code {ascii string | hex string-list | ip address- list} Parameters poolname code ascii string hex string‐list...
Page 483: Clear Dhcp Pool Option
Use this command to remove a DHCP option from the address pool being configured. Syntax clear dhcp pool poolname option code Parameters poolname code Defaults None. Mode Switch command, read‐write. Example This example removes option 19 from address pool “auto1.” C2(rw)->clear dhcp pool auto1 option 19 show dhcp pool configuration Use this command to display configuration information for one or all address pools. Syntax show dhcp pool configuration {poolname | all} Parameters poolname Defaults None.
Page 484 show dhcp pool configuration Network Lease Time Default Routers Pool: static1 Pool Type Client Name Client Identifier Host Lease Time Option Pool: static2 Pool Type Hardware Address Hardware Address Type Host Lease Time 16-30 DHCP Server Configuration 192.0.0.0 255.255.255.0 1 days 0 hrs 0 mins 192.0.0.1 Manual appsvr1...
Page 485: Chapter 17: Dhcp Snooping And Dynamic Arp Inspection
DHCP snooping monitors DHCP messages between DHCP clients and DHCP servers to filter harmful DHCP messages and to build a bindings database of {MAC address, IP address, VLAN ID, port} tuples that are considered authorized. DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default. DHCP snooping must be enabled globally and on specific VLANs. Ports within the VLANs must be configured as trusted or untrusted. DHCP servers must be reached through trusted ports. DHCP snooping enforces the following security rules: • DHCP packets from a DHCP server (DHCP OFFER, DHCP ACK, DHCP NAK) are dropped if received on an untrusted port. • DHCP RELEASE and DHCP DECLINE messages are dropped if they are for a MAC address in the snooping database but the bindingʹs interface in the database is different from the interface where the message was received. • On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not match the client hardware address. This feature is a configurable option. DHCP Message Processing The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled. On untrusted ports, the hardware traps all incoming DHCP packets to the CPU. On trusted ports, DHCP Snooping and Dynamic ARP Inspection SecureStack C2 Configuration Guide 17-1 Refer to page... 17-1 17-4 17-16 17-20...
Page 486: Building And Maintaining The Database
Note: If the switch has been configured as a DHCP relay agent, to forward client requests to a DHCP server that does not reside on the same broadcast domain as the client, MAC address verification should be disabled in order to allow DHCP RELEASE packets to be processed by the DHCP snooping functionality and client bindings removed from the bindings database.
Page 487: Rate Limiting
The following configuration procedure does not change the write delay to the snooping database or any of the default rate limiting values. Additional configuration notes follow this procedure. Procedure 17-1 Basic Configuration for DHCP Snooping Step Task Enable DHCP snooping globally on the switch. Determine where DHCP clients will be connected and enable DHCP snooping on their VLANs. Determine which ports will be connected to the DHCP server and configure them as trusted ports.
Page 488: Dhcp Snooping Commands
Use this command to enable or disable DHCP snooping globally. Syntax set dhcpsnooping {enable | disable} Parameters enable disable Defaults Disabled globally. Mode Switch command, read‐write. Usage By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with this command, and then enable it on specific VLANs. 17-4 DHCP Snooping and Dynamic ARP Inspection Enable DHCP snooping globally on the switch. Disable DHCP snooping globally on the switch. Refer to page... 17-4 17-5 17-5 17-6...
Page 489: Set Dhcpsnooping Vlan
Use this command to enable or disable DHCP snooping on a VLAN or range of VLANs. Syntax set dhcpsnooping vlan vlan-range {enable | disable} Parameters vlan‐range enable | disable Defaults DHCP snooping is disabled by default on all VLANs. Mode Switch command, read‐write. Usage By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with the set dhcpsnooping command, and then enable it on specific VLANs with this command. Example This example enables DHCP snooping on VLANS 10 through 20. C2(rw)->set dhcpsnooping vlan 10-20 enable set dhcpsnooping database write-delay Use this command to specify the interval between updates to the stored bindings database. Syntax set dhcpsnooping database write-delay seconds...
Page 490: Set Dhcpsnooping Trust
Mode Switch command, read‐write. Usage When a switch learns of new bindings or when it loses bindings, the switch updates the entries in the bindings database according to the write delay timer. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on the delay configured with this command, and the updates are batched. Example The following example specifies that the stored database should be updated once an hour. C2(rw)->set dhcpsnooping database write-delay 3600 set dhcpsnooping trust Use this command to enable or disable a port as a DHCP snooping trusted port. Syntax set dhcpsnooping trust port port-string {enable | disable} Parameters port port‐string enable | disable Defaults By default, ports are untrusted. Mode Switch command, read‐write. Usage In order for DHCP snooping to operate, snooping has to be enabled globally and on specific VLANs, and the ports within the VLANs have to be configured as trusted or untrusted. On ...
Page 491: Set Dhcpsnooping Binding
Use this command to add a static DHCP binding to the DHCP snooping database. Syntax set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string Parameters mac‐address vlan vlan‐id ipaddr port port‐string Defaults None. Mode Switch command, read‐write. Usage When enabled globally and on VLANs, DHCP snooping builds its bindings database from DHCP client messages received on untrusted ports. Such entries in the database are dynamic entries which will be removed in response to valid DECLINE, RELEASE, and NACK messages or when the absolute lease time of the entry expires. You can add static entries to the bindings database with this command. Example This example creates a static entry, associating MAC address 00:01:02:33:44:55 with IP address 192.168.10.10 and VLAN 10, port ge.1.1. (rw)->set dhcpsnooping binding 00:01:02:33:44:55 vlan 10 192.168.10.10 port ge.1.1 set dhcpsnooping verify Use this command to enable or disable DHCP snooping to filter on source MAC address.
Page 492: Set Dhcpsnooping Log-Invalid
Parameters enable disable Defaults Source MAC address verification is enabled by default. Mode Switch command, read‐write. Usage When this verification is enabled, the DHCP snooping application compares the source MAC address contained in valid client messages with the client’s hardware address. If there is a mismatch, DHCP snooping logs the event and drops the packet. Use the show dhcpsnooping command to display the status (enabled or disabled) of source MAC address verification for each interface in an enabled VLAN. The show dhcpsnooping statistics command shows the actual number of MAC verification errors that occurred on untrusted ports. Example This example disables source MAC address verification and logging. (rw)->set dhcpsnooping verify mac-address disable set dhcpsnooping log-invalid Use this command to enable or disable logging of invalid DHCP messages on ports. Syntax set dhcpsnooping log-invalid port port-string {enable | disable} Parameters port port‐string enable | disable Defaults Disabled.
Page 493: Set Dhcpsnooping Limit
Syntax set dhcpsnooping limit port-string {none | rate pps {burst interval secs]} Parameters port‐string none rate pps burst interval secs Defaults Rate = 15 packets per second Burst Interval = 1 second Mode Switch command, read‐write. Trusted Log Invalid Pkts ---------------- Specifies the port or ports to which to apply these rate limiting parameters. Configures no limit on incoming DHCP packets. Specifies a rate limit in packets per second. The value of pps can range from 0 to 100 packets per second. Specifies a burst interval in seconds. The value of secs can range from 1 to 15 seconds. set dhcpsnooping limit SecureStack C2 Configuration Guide 17-9...
Page 494: Show Dhcpsnooping
Usage To protect the switch from DHCP attacks when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately. If the receive rate exceeds the configured limit, DHCP snooping brings down the interface. You can re‐enable the interface with the set port enable command. Both the rate and the burst interval can be configured. You can display the currently configured rate limit parameters with the show dhcpsnooping port command. Example This example configures rate limit parameters on port ge.1.1. C2(rw)->set dhcpsnooping limit ge.1.1 rate 20 burst interval 2 C2(rw)->show dhcpsnooping port ge.1.1 Interface ---------- ------------- ge.1.1 show dhcpsnooping Use this command to display DHCP snooping configuration parameters. Syntax show dhcpsnooping Parameters None. Defaults None. Mode Switch command, read‐write.
Page 495: Show Dhcpsnooping Database
----------- ---------- ge.1.47 ge.1.48 lag.0.1 show dhcpsnooping database Use this command to display DHCP snooping database configuration parameters. Syntax show dhcpsnooping database Parameters None. Defaults None. Mode Switch command, read‐write. Usage This command displays where the database file is stored (locally) and what the write delay value Example This example shows the output of the show dhcpsnooping database command. C2(su)->show dhcpsnooping database agent url: local write-delay: show dhcpsnooping port Use this command to display DHCP snooping configuration parameters for specific ports. Syntax show dhcpsnooping port port-string Parameters port‐string...
Page 496: Show Dhcpsnooping Binding
Defaults None. Mode Switch command, read‐write. Usage This command displays the trust state and rate limiting parameters configured on the specified ports. Example This example shows the output of the show dhcpsnooping port command. C2(su)->show dhcpsnooping port ge.1.1 Interface ---------- ------------- ge.1.1 show dhcpsnooping binding Use this command to display the contents of the DHCP snooping bindings database. Syntax show dhcpsnooping binding [dynamic | static] [port port-string] [vlan vlan-id] Parameters dynamic | static port port‐string vlan vlan‐id Defaults If no parameters are entered, all bindings in the database are displayed.
Page 497: Show Dhcpsnooping Statistics
MAC Address ----------------- 00:02:B3:06:60:80 00:0F:FE:00:13:04 show dhcpsnooping statistics Use this command to display DHCP snooping statistics for untrusted ports. Syntax show dhcpsnooping statistics Parameters None. Defaults None. Mode Switch command, read‐write. Usage The DHCP snooping application processes incoming DHCP messages on enabled untrusted interfaces. For DHCP RELEASE and DHCP DECLINE messages, the application compares the receive interface and VLAN with the clientʹs interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event (if logging of invalid messages is enabled) and drops the message. If source MAC verification is enabled, for valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware address. Where there is a mismatch, DHCP snooping logs and drops the packet. This command displays, for each enabled untrusted interface, the number of source MAC verification failures and client interface mismatches that occurred since the last time these statistics were cleared. Since DHCP servers should not be connected through an untrusted port, the DHCP snooping application will drop incoming DHCP server messages on untrusted interfaces and increment a counter that is displayed with this command. Example This example shows the output of the show dhcpsnooping statistics command. C2(su)->show dhcpsnooping statistics Interface ----------- ge.1.48...
Page 498: Clear Dhcpsnooping Binding
Use this command to remove bindings from the DHCP snooping bindings database. Syntax clear dhcpsnooping binding [port port-string | mac mac-addr] Parameters port port‐string mac mac‐addr Defaults If no parameters are entered, all bindings (static and dynamic) are removed. Mode Switch command, read‐write. Example This example clears the static binding entry that includes port ge.1.2. C2(su)->clear dhcpsnooping binding port ge.1.2 clear dhcpsnooping statistics Use this command to clear the DHCP snooping statistics counters. Syntax clear dhcpsnooping statistics Parameters None. Defaults None.
Page 499: Clear Dhcpsnooping Limit
Syntax clear dhcpsnooping database [write-delay] Parameters write‐delay Defaults None. Mode Switch command, read‐write. Usage This command will set the database write delay value to the default of 300 seconds. Example This example sets the database storage location to the default of local. C2(su)->clear dhcpsnooping database clear dhcpsnooping limit Use this command to reset the rate limit values to the defaults of 15 packets per second with a burst interval of 1 second. Syntax clear dhcpsnooping limit port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example resets the rate limit values to their defaults on port ge.1.1. (su)->clear dhcpsnooping limit ge.1.1 (Optional) Specifies that the write delay value should be returned to the ...
Page 500: Dynamic Arp Inspection Overview
Dynamic ARP Inspection Overview Dynamic ARP Inspection Overview Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man‐in‐the‐middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses in which the attacker claims to be someone else. By poisoning the ARP cache, a malicious user can intercept the traffic intended for other hosts on the network. The Dynamic ARP Inspection application performs ARP packet validation. When DAI is enabled, it verifies that the sender MAC address and the source IP address are a valid pair in the DHCP snooping binding database and drops ARP packets whose sender MAC address and sender IP address do not match an entry in the database. Additional ARP packet validation can be configured. If DHCP snooping is disabled on the ingress VLAN or the receive interface is trusted for DHCP snooping, ARP packets are dropped. Functional Description DAI is enabled on VLANs, effectively enabling DAI on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted port is a port the network administrator does not consider to be a security threat. An untrusted port is one which could potentially be used to launch a network attack. DAI considers all physical ports and LAGs untrusted by default. Static Mappings Static mappings are useful when hosts configure static IP addresses, DHCP snooping cannot be run, or other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address to a MAC address on a VLAN. DAI consults its static mappings before it consults DHCP snooping — thus, static mappings have precedence over DHCP snooping bindings. ARP ACLs are used to define static mappings for DAI. In this implementation, only the subset of ARP ACL syntax required for DAI is supported. ARP ACLs are completely independent of ACLs used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a maximum of 20 rules can be configured. Optional ARP Packet Validation If optional ARP packet validation has been configured, DAI verifies that the sender MAC address ...
Page 501: Logging Invalid Packets
• Loopback addresses (in the range 127.0.0.0/8) Logging Invalid Packets By default, DAI writes a log message to the normal buffered log for each invalid ARP packet it drops. You can configure DAI to not log invalid packets for specific VLANs. Packet Forwarding DAI forwards valid ARP packets whose destination MAC address is not local. The ingress VLAN could be a switching or routing VLAN. ARP requests are flooded in the VLAN. ARP responses are unicast toward their destination. DAI queries the MAC address table to determine the outgoing port. If the destination MAC address is local, DAI gives valid ARP packets to the ARP application. Rate Limiting To protect the switch from DHCP attacks when DAI is enabled, the DAI application enforces a rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each interface separately. If the receive rate exceeds a configurable limit, DAI error disables the interface, which effectively brings down the interface. You can use the set port enable command to reenable the port. You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted interface with a range of 0 to 100 pps. The default burst interval is 1 second with a range to 1 to 15 seconds.. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted interfaces do not come to the CPU. Eligible Interfaces Dynamic ARP inspection is enabled per VLAN, effectively enabling DAI on the members of the VLAN, either physical ports or LAGs. Trust is specified on the VLAN members. DAI cannot be enabled on port‐based routing interfaces. It may be connected to: • A single host through a trusted link (for example, a server) • If multiple hosts need to connected, there must be a switch between the router and the hosts, with DAI enabled on that switch Interaction with Other Functions • DAI relies on the DHCP snooping application to verify that a {IP address, MAC address, ...
Page 502: Basic Configuration
If desired, configure optional validation parameters. If desired, configure static mappings for DAI by creating ARP ACLs: • Create the ARP ACL • Apply the ACL to a VLAN Example Configuration The following example configures DHCP snooping and dynamic ARP inspection in a routing environment using RIP. The example configures two interfaces on the switch, configuring RIP on both interfaces, assigning each to a different VLAN, and then enabling DHCP snooping and dynamic ARP inspection on them: • Interface ge.1.1, which is connected to a remote DHCP server, on VLAN 192 • Interface ge.1.2, which is connected to DHCP clients, on VLAN 10 In addition, the default VLAN, VLAN 1, is also enabled for DHCP snooping and dynamic ARP ...
Page 503: Dhcp Snooping Configuration
exit interface vlan 192 no shutdown ip address 192.168.0.1 255.255.255.0 ip rip send version 2 ip rip receive version 2 ip rip enable exit router rip exit VLAN Configuration set vlan create 10 set vlan create 192 clear vlan egress 1 ge.1.1-2 set vlan egress 10 ge.1.2 untagged set vlan egress 192 ge.1.1 untagged DHCP Snooping Configuration...
Page 504: Dynamic Arp Inspection Commands
Use this command to enable dynamic ARP inspection on one or more VLANs, and optionally, enable logging of invalid ARP packets. Syntax set arpinspection vlan vlan-range [logging] Parameters vlan‐range logging Defaults Logging is disabled by default. Mode Switch command, read‐write. Usage This command enables dynamic ARP inspection (DAI) on one or more VLANs. When DAI is enabled on a VLAN, DAI is effectively enabled on the interfaces (physical ports or LAGs) that are members of that VLAN. 17-20 DHCP Snooping and Dynamic ARP Inspection Specifies the VLAN or range of VLANs on which to enable dynamic ARP inspection. (Optional) Enables logging of invalid ARP packets for that VLAN. Refer to page... 17-20 17-21...
Page 505: Set Arpinspection Trust
C2(su)->set arpinspection vlan 2-5 logging set arpinspection trust Use this command to enable or disable a port as a dynamic ARP inspection trusted port. Syntax set arpinspection trust port port-string {enable | disable} Parameters port‐string enable | disable Defaults By default, all physical ports and LAGs are untrusted. Mode Switch command, read‐write. Usage Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted port is a port the network administrator does not consider to be a security threat. An untrusted port is one which could potentially be used to launch a network attack. DAI considers all physical ports and LAGs untrusted by default. Packets arriving on trusted interfaces bypass all DAI validation checks. Example This example enables port ge.1.1 as trusted for DAI. C2(su)->set arpinspection trust port ge.1.1 enable Specifies the port or ports to be enabled or disabled as DAI trusted ...
Page 506: Set Arpinspection Validate
Use this command to configure additional optional ARP validation parameters. Syntax set arpinspection validate {[src-mac] [dst-mac] [ip]} Parameters src‐mac dst‐mac Defaults All parameters are optional, but at least one parameter must be specified. Mode Switch command, read‐write. Usage This command adds additional validation of ARP packets by DAI, beyond the basic validation that the ARP packet’s sender MAC address and sender IP address match an entry in the DHCP snooping bindings database. Example This example adds the optional verification that sender MAC addresses are the same as the source MAC addresses in the Ethernet headers of ARP packets. C2(su)->set arpinspection validate src-mac set arpinspection limit Use this command to configure rate limiting parameters for incoming ARP packets on a port or ports Syntax set arpinspection limit port port-string {none | rate pps {burst interval secs]} 17-22 DHCP Snooping and Dynamic ARP Inspection Specifies that DAI should verify that the sender MAC address equals ...
Page 507: Set Arpinspection Filter
Parameters port‐string none rate pps burst interval secs Defaults Rate = 15 packets per second Burst Interval = 1 second Mode Switch command, read‐write. Usage To protect the switch against DHCP attacks when DAI is enabled, the DAI application enforces a rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each interface separately. If the receive rate exceeds the limit configured with this command, DAI disables the interface, which effectively brings down the interface. You can use the set port enable command to reenable the port. You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted interface with a range of 0 to 100 pps. The default burst interval is 1 second with a range to 1 to 15 seconds.. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted interfaces do not come to the CPU. Example This example sets the rate to 20 packets per second and the burst interval to 2 seconds on ports ge.1.1 and ge.1.2. C2(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2 set arpinspection filter Use this command to create an ARP ACL and then to assign an ACL to a VLAN, optionally as a static mapping. Syntax set arpinspection filter name {permit ip host sender-ipaddr mac host...
Page 508: Show Arpinspection Access-List
Defaults None. Mode Switch command, read‐write. Usage ARP ACLs are used to define static mappings for DAI. ARP ACLs are completely independent of ACLs used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a maximum of 20 rules can be configured. A static mapping associates an IP address to a MAC address on a VLAN. DAI consults its static mappings before it consults the DHCP snooping bindings database — thus, static mappings have precedence over DHCP snooping bindings. Example This example creates an ACL named staticARP and creates a permit rule for IP address 192.168.1.10. Then, the ACL is assigned to a VLAN as a static mapping. C2(su)->set arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55 C2(su)->set arpinspection filter staticARP vlan 10 static show arpinspection access-list Use this command to display ARP access list configuration information.
Page 509: Show Arpinspection Ports
192.168.1.10 mac host 00:01:22:33:44:55 permit ip host 192.168.1.20 mac host 00:0A:11:22:33:66 show arpinspection ports Use this command to display the ARP configuration of one or more ports. Syntax show arpinspection ports [port-string] Parameters port‐string Defaults If a port‐string is not specified, information about all DAI‐enabled untrusted ports is displayed. Mode Switch command, read‐write. Example This example displays the ARP configuration of lag.0.1. C2(su)->show arpinspection ports lag.0.1 Interface ---------- ------------- lag.0.1 show arpinspection vlan Use this command to display the ARP configuration of one or more VLANs. Syntax...
Page 510: Show Arpinspection Statistics
Configuration Log Invalid ---- ------------- ----------- -------------------------------- Disabled show arpinspection statistics Use this command to display ARP statistics for all DAI‐enabled VLANs or for specific VLANs. Syntax show arpinspection statistics [vlan vlan-range] Parameters vlan vlan‐range Defaults If no VLANs are specified, limited statistics for all DAI‐enabled VLANs is displayed. Mode Switch command, read‐write. Usage When no specific VLANs are entered, this command displays the number of Forwarded and Dropped ARP packets per DAI‐enabled VLAN. When one or more VLANs are specified, this command displays more detailed statistics. Examples This example shows what is displayed when no VLANs are specified. C2(su)->show arpinspection statistics VLAN Forwarded ---- ------------ This example shows what information is displayed when one or more VLANs are specified. C2(su)->show arpinspection statistics vlan 5...
Page 511: Clear Arpinspection Validate
Use this command to remove additional optional ARP validation parameters that were previously configured. Syntax clear arpinspection validate {[src-mac] [dst-mac] [ip]} Parameters src‐mac dst‐mac Defaults All parameters are optional, but at least one parameter must be specified. Mode Switch command, read‐write. Usage This command removes previously configured additional validation of ARP packets by DAI, beyond the basic validation that the ARP packet’s sender MAC address and sender IP address match an entry in the DHCP snooping bindings database. Use the show arpinspection vlan command to display the current status of the additional validation rules. Example This example removes all 3 additional validation conditions. C2(su)->clear arpinspection validate src-mac dst-mac ip clear arpinspection vlan Use this command to disable dynamic ARP inspection on one or more VLANs or to disable logging of invalid ARP packets on one or more VLANs. Syntax clear arpinspection vlan vlan-range [logging] Parameters vlan‐range...
Page 512 Defaults If logging is enabled for the specified VLAN but logging is not entered with this command, logging will remain enabled. Mode Switch command, read‐write. Usage You can use this command to disable dynamic ARP inspection on one or more VLANs, or you can disable logging of invalid ARP packets on specified VLANs. To disable both logging and DAI, you must enter this command twice. Example This example first displays the DAI configuration for VLAN 5, then disables DAI on VLAN 5, then disables logging of invalid ARP packets on VLAN 5. C2(su)->show arpinspection vlan 5 Source MAC Validation Destination MAC Validation IP Address Validation Vlan Configuration Log Invalid ---- ------------- ----------- -------------------------------- Enabled C2(su)->clear arpinspection vlan 5 C2(su)->show arpinspection vlan 5...
Page 513: Clear Arpinspection Filter
Use this command to remove an ARP ACL from a VLAN or from the switch, or to remove a permit rule from an existing ACL, or to change the status of static mapping to disabled. Syntax clear arpinspection filter name [permit ip host sender-ipaddr mac host sender-macaddr] | [vlan vlan-range [static] Parameters name permit ip host sender‐ipaddr mac host sender‐macaddr vlan vlan‐range static Defaults If only the name is specified, the ACL is deleted from the switch. Mode Switch command, read‐write. Usage You can use this command to: • Remove a configured ARP ACL from the switch, or • Remove a permit rule from a configured ARP ACL, or •...
Page 514: Clear Arpinspection Limit
This example removes the ARP ACL named staticARP from VLAN 5. C2(su)->clear arpinspection filter staticARP vlan 5 This example removes the ARP ACL named staticARP from the switch completely. C2(su)->clear arpinspection filter staticARP clear arpinspection limit Use this command to return the DAI rate limiting values to their default values for a port or range of ports. Syntax clear arpinspection limit port port-string Parameters port‐string Defaults Rate = 15 packets per second Burst Interval = 1 second Mode Switch mode, read‐write. Usage Use the set arpinspection limit command to change the values of the rate limit and burst interval. Use the show arpinspection ports command to display the currently configured rate limits. Example This example returns the DAI rate limiting values to their defaults for port ge.1.1. C2(su)->clear arpinspection limit port ge.1.1 clear arpinspection statistics Use this command to clear all dynamic ARP inspection statistics.
Page 515 Mode Switch command, read‐write. Example This example clears all DAI statistics from the switch. C2(su)->clear arpinspection statistics clear arpinspection statistics SecureStack C2 Configuration Guide 17-31...
Page 516 clear arpinspection statistics 17-32 DHCP Snooping and Dynamic ARP Inspection...
Page 517: Chapter 18: Preparing For Router Mode
Enabling advanced router features. (“Activating Advanced Routing Features” on page 20‐1) Note: The command prompts used as examples in switch operation for a user in admin (su) access mode, and a system where the VLAN 1 interface has been configured for routing. The prompt changes depending on your current configuration mode, your specific switch, and the interface types and numbers configured for routing on your system.
Page 518: Example
Enabling Router Configuration Modes Table 18-1 Enabling the Switch for Routing Step To do this task... From admin (su) mode, enable router mode. Enable router Privileged EXEC mode. Enable global router configuration mode. Enable interface configuration mode using the routing VLAN or loopback id.
Page 519 Set IP protocol Mode parameters. Note: To jump to a lower configuration mode, type exit at the command prompt. To revert back to switch CLI, type exit from Privileged EXEC router mode. Enabling Router Configuration Modes Access method... Resulting Prompt...
Page 520 Enabling Router Configuration Modes 18-4 Preparing for Router Mode...
Page 521: Configuring Routing Interface Settings
This chapter describes the Internet Protocol (IP) configuration set of commands and how to use them. Router: Unless otherwise noted, the commands covered in this chapter can be executed only when the device is in router mode. For details on how to enable router configuration modes, refer “Enabling Router Configuration For information about... Configuring Routing Interface Settings Reviewing and Configuring the ARP Table Configuring Broadcast Settings Reviewing IP Traffic and Configuring Routes...
Page 522: Show Interface
show interface show interface Use this command to display information about one or more interfaces (VLANs or loopbacks) configured on the router. Syntax show interface [vlan vlan-id] [loopback loop-id] Parameters vlan vlan‐id loopback loop‐id Defaults If interface type is not specified, information for all routing interfaces will be displayed. Mode Any router mode. Examples This example shows how to display information for all interfaces configured on the router. For a detailed description of this output, refer to Table C2(su)->router#show interface Vlan 1 is Administratively DOWN Vlan 1 is Operationally DOWN Mac Address is: 0001.f4da.2cba The name of this device is Vlan 1 The MTU is 1500 bytes The bandwidth is 10000 Mb/s Encapsulation ARPA, Loopback not set...
Page 523: Interface
Parameters vlan vlan‐id Specifies the number of the VLAN interface to be configured for routing. This interface must be configured for IP routing as described in “Pre‐ Routing Configuration Tasks” on page 18‐1. loopback loop‐id Specifies the number of the loopback interface to be configured for routing. The value of loop‐id can range from 0 to 7. Defaults None. Mode Router global configuration mode: C2(su)‐>router(Config)# Usage This command enables interface configuration mode from global configuration mode, and, if the interface has not previously been created, this command creates a new routing interface. For details on configuration modes supported by the SecureStack C2 device and their uses, refer to Table 18‐2 in “Enabling Router Configuration Modes” on page 18‐2. VLANs must be created from the switch CLI before they can be configured for IP routing. For details on creating VLANs and configuring them for IP, refer to “Enabling Router Configuration Modes” on page 18‐2. Each VLAN interface must be configured for routing separately using the interface command. To end configuration on one interface before configuring another, type exit at the command prompt. Enabling interface configuration mode is required for completing interface‐specific configuration tasks. For an example of how these commands are used, refer to “Pre‐Routing Configuration Tasks” on page 18‐1. A loopback interface is always expected to be up. This interface can provide the source address for sent packets and can receive both local and remote packets. The loopback interface is typically used by routing protocols. If RADIUS is configured with no host IP address on the device, it will use the loopback interface 0 IP address (if it has been configured) as its source for the NAS‐IP attribute. Each SecureStack C2 system (stack) can support up to 24 routing interfaces. Each interface can be configured for the RIP and/or OSPF routing protocols. Examples This example shows how to enter configuration mode for VLAN 1: C2(su)->router#configure C2(su)->router(Config)#interface vlan 1...
Page 524: Show Ip Interface
show ip interface show ip interface Use this command to display information, including administrative status, IP address, MTU (Maximum Transmission Unit) size and bandwidth, and ACL configurations, for interfaces configured for IP. Syntax show ip interface [vlan vlan-id] [loopback loop-id] Parameters vlan vlan‐id loopback loop‐id Defaults If interface type is not specified, status information for all routing interfaces will be displayed. Mode Any router mode. Example This example shows how to display configuration information for VLAN 1: C2(su)->router#show ip interface vlan 1 Vlan 1 is Admin DOWN Vlan 1 is Oper DOWN Primary IP Address is 192.168.10.1 Frame Type Ethernet MAC-Address 0001.F45C.C993...
Page 525: Ip Address
Table 19-1 show ip interface Output Details (Continued) Output Field Outgoing Access List ARP Timeout Direct Broadcast Proxy Arp ip address Use this command to set, remove, or disable a primary or secondary IP address for an interface. The no form of this command removes the specified IP address and disables the interface for IP processing. Syntax ip address ip-address ip-mask [secondary] no ip address ip-address ip-mask Parameters ip‐address ip‐mask secondary Defaults If secondary is not specified, the configured address will be the primary address for the interface.
Page 526: Show Running-Config
show running-config show running-config Use this command to display the non‐default, user‐supplied commands entered while configuring the device. Syntax show running-config Parameters None. Defaults None. Mode Any router mode. Example This example shows how to display the current router operating configuration: C2(su)->router#show running-config interface vlan 10 ip address 99.99.2.10 255.255.255.0 no shutdown router ospf 1 network 99.99.2.0 network 192.168.100.1 0.0.0.0 no shutdown Use this command to enable an interface for IP routing and to allow the interface to automatically be enabled at device startup. Syntax no shutdown shutdown...
Page 527: No Ip Routing
Example This example shows how to enable VLAN 1 for IP routing: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#no shutdown no ip routing Use this command to disable IP routing on the device. By default, IP routing is enabled when interfaces are configured for it as described in “Configuring Routing Interface Settings” on page 19‐1. Syntax no ip routing Parameters None. Mode Global configuration: C2(su)‐>router(Config)# Defaults None. Example This example shows how to disable IP routing on the device: C2(su)->router(Config)#no ip routing no ip routing SecureStack C2 Configuration Guide 19-7...
Page 528: Reviewing And Configuring The Arp Table
Reviewing and Configuring the ARP Table Reviewing and Configuring the ARP Table Purpose To review and configure the routing ARP table, to enable proxy ARP on an interface, and to set a MAC address on an interface. Commands For information about... show ip arp ip proxy-arp arp timeout clear arp-cache show ip arp Use this command to display entries in the ARP (Address Resolution Protocol) table. ARP converts an IP address into a physical address. Syntax show ip arp [ip-address]|[vlan vlan-id]|[output-modifier] Parameters ip‐address vlan vlan‐id output‐modifier...
Page 529: Arp
Example This example shows how to use the show ip arp command: C2(su)->router#show ip arp Protocol Address ------------------------------------------------------------------------------ Internet 134.141.235.251 Internet 134.141.235.165 Internet 134.141.235.167 C2(su)->router#show ip arp 134.141.235.165 Protocol Address ------------------------------------------------------------------------------ Internet 134.141.235.165 C2(su)->router#show ip arp vlan 2 Protocol Address ------------------------------------------------------------------------------ Internet 134.141.235.251 Table 19‐2 provides an explanation of the command output. Table 19-2 show ip arp Output Details Output Field Protocol Address...
Page 530: Ip Proxy-Arp
ip proxy-arp Defaults None. Mode Global configuration: C2(su)‐>router(Config)# Usage The IP address specified for the static ARP entry must fall within one of the subnets or networks defined on the routed interfaces of the system ( or stack, if applicable). The system can then match the IP address of the static ARP entry with the appropriate routed interface and associate it with the correct VLAN. Example This example shows how to add a permanent ARP entry for the IP address 130.2.3.1 and MAC address 0003.4712.7a99: C2(su)->router(Config)#arp 130.2.3.1 0003.4712.7a99 ip proxy-arp Use this command to enable proxy ARP on an interface. The no form of this command disables proxy ARP. Syntax ip proxy-arp no ip proxy-arp Parameters None. Defaults Disabled. Mode Interface configuration: C2 Usage This variation of the ARP protocol allows the router to send an ARP response on behalf of an end node to the requesting host. Proxy ARP can be used to resolve routing issues on end stations that are unable to route in the subnetted environment. The SecureStack C2 will answer to ARP requests on behalf of targeted end stations on neighboring networks. It is disabled by default. Example This example shows how to enable proxy ARP on VLAN 1: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip proxy-arp 19-10 IP Configuration...
Page 531: Arp Timeout
arp timeout Use this command to set the duration (in seconds) for dynamically learned entries to remain in the ARP table before expiring. The no form of this command restores the default value of 14,400 seconds. arp timeout seconds no arp timeout Parameters seconds Defaults 14,400 seconds. Mode Global configuration: C2(su)‐>router(Config)# Example This example shows how to set the ARP timeout to 7200 seconds: C2(su)->router(Config)#arp timeout 7200 clear arp-cache Use this command to delete all nonstatic (dynamic) entries from the ARP table. clear arp-cache Parameters None. Mode Privileged EXEC: C2(su)‐>router# Defaults None. Example This example shows how to delete all dynamic entries from the ARP table: C2(su)->router#clear arp-cache Specifies the time in seconds that an entry remains in the ARP cache. Valid values are 0 ‐ 65535. A value of 0 specifies that ARP entries will never be aged out. arp timeout SecureStack C2 Configuration Guide 19-11...
Page 532: Configuring Broadcast Settings
Configuring Broadcast Settings Configuring Broadcast Settings Purpose To configure IP broadcast settings. By default, interfaces on the SecureStack C2 do not forward broadcast packets. Commands For information about... ip directed-broadcast ip forward-protocol ip helper-address ip directed-broadcast Use this command to enable or disable IP directed broadcasts on an interface. By default, interfaces on the SecureStack C2 do not forward directed broadcasts. The no form of this command disables IP directed broadcast on the interface. Syntax ip directed-broadcast no ip directed-broadcast Parameters None. Defaults None. Mode Interface configuration: C2(su)‐>Router1(Config‐if(Vlan 1))# Usage Directed broadcast is an efficient mechanism for communicating with multiple hosts on a network while only transmitting a single datagram. A directed broadcast is a packet sent to all hosts on a specific network or subnet. The directed broadcast address includes the network or subnet fields, with the binary bits of the host portion of the address set to one. For example, for a network with ...
Page 533: Ip Forward-Protocol
broadcast only on the 30 network interface will allow anyone from any other networks (10, 20, 40, 50) to send directed broadcast to the 30 network. Example This example shows how to enable IP directed broadcasts on VLAN 1: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip directed-broadcast ip forward-protocol Use this command to enable UDP broadcast forwarding and specify which protocols will be forwarded. Syntax ip forward-protocol udp [port] no ip forward-protocol udp [port] Parameters port Defaults If port is not specified, the following defaults are used: • Trivial File Transfer Protocol (TFTP) (port 69) • Domain Naming System (port 53) • Time service (port 37) • NetBIOS Name Server (port 137) • NetBIOS Datagram Server (port 138) • TACACS service (port 49) •...
Page 534: Ip Helper-Address
ip helper-address Examples The following example globally disables IP forwarding for UDP port 69. C2(su)->router(Config)#no ip forward-protocol udp 69 The following example disables IP forwarding for UDP port 69 on a specific interface. C2(su)->router(Config)#interface vlan 10 C2(su)->router(Config-if(Vlan 10))#no ip forward-protocol udp 69 ip helper-address Use this command to enable the DHCP/BOOTP relay agent on a SecureStack C2 routed interface. Enabling the relay agent allows forwarding of client DHCP/BOOTP requests to a DHCP/BOOTP server that does not reside on the same broadcast domain as the client. Up to 6 IP helper addresses may be configured per interface. The no form of this command disables the forwarding of UDP datagrams to the specified address. Syntax ip helper-address address no ip helper-address address Parameters address Defaults None. Mode Interface configuration: C2(su)‐>Router1(Config‐if(Vlan 1))# Usage When a host requests an IP address, it sends out a DHCP broadcast packet. Normally, the router ...
Page 535: Reviewing Ip Traffic And Configuring Routes
Example This example show how to have all client DHCP requests for users in VLAN 1 to be forwarded to the remote DHCP server with IP address 192.168.1.28. C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip helper-address 192.168.1.28 Reviewing IP Traffic and Configuring Routes Purpose To review IP traffic and configure routes, to send router ICMP (ping) messages, and to execute traceroute. Commands For information about... show ip route ip route ping traceroute show ip route Use this command to display information about IP routes. Syntax show ip route [destination-prefix [destination-prefix-match] | connected | ospf | rip | static | summary] Parameters destination‐prefix ...
Page 536 show ip route Mode Any router mode. Usage The routing table contains all active static routes, all the RIP routes, and up to three best OSPF routes learned for each network. Example This example shows how to use the show ip route command to display all IP route information. A portion of the output is shown: C2(su)->router#show ip route Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2 * - candidate default, U - per user static route...
Page 537: Ip Route
33.33.0.0/16 [150/20] via 168.0.0.249, Vlan 3205 ip route Use this command to add or remove a static IP route. The no form of this command removes the static IP route. ip route prefix mask dest-addr [distance] no ip route prefix mask forward-addr Parameters prefix mask dest‐addr distance Defaults If distance is not specified, the default value of 1 will be applied. Mode Global configuration: C2(su)‐>router(Config)# Example This example shows how to set IP address 10.1.2.3 as the next hop gateway to destination address 10.0.0.0: C2(su)->router(Config)#ip route 10.0.0.0 255.0.0.0 10.1.2.3 ping Use this command to test routing network connectivity by sending IP ping requests. ...
Page 538: Traceroute
Usage This command is also available in switch mode. Examples This example shows output from a successful ping to IP address 182.127.63.23: C2(su)->router#ping 182.127.63.23 182.127.63.23 is alive This example shows output from an unsuccessful ping to IP address 182.127.63.24: C2(su)->router#ping 182.127.63.24 no answer from 182.127.63.24 traceroute Use this command to display a hop‐by‐hop path through an IP network from the device to a specific destination host. Three ICMP probes will be transmitted for each hop between the source and the traceroute destination. Syntax traceroute host Parameters host Defaults None. Mode Privileged EXEC: C2(su)‐>router# Usage There is also a traceroute command available in switch mode. Example This example shows how to use traceroute to display a round trip path to host 192.141.90.183. C2(su)->router#traceroute 192.141.90.183 Traceroute to 192.141.90.183, 30 hops max, 40 byte packets 10.1.56.1...
Page 539: Configuring Icmp Redirects
Configuring ICMP Redirects Purpose Disable or enable sending ICMP redirect packets to the switch CPU for processing, at a global level and at an interface level. By default, sending ICMP redirects is enabled globally and on all interfaces. Disabling sending ICMP redirects can reduce CPU usage in certain deployments. Commands For information about... ip icmp redirect enable show ip icmp redirect ip icmp redirect enable Use this command to enable or disable sending ICMP redirects to the CPU for processing on a global level or on a specific interface. The no form of this command disables sending ICMP redirects to the CPU. Syntax ip icmp redirect enable no ip icmp redirect enable Parameters None. Defaults By default, sending ICMP redirects to the CPU is enabled globally and on all interfaces.
Page 540: Show Ip Icmp Redirect
show ip icmp redirect This example disables sending ICMP redirects globally. C2(su)->router#configure C2(su)->router(Config)#no ip icmp redirect enable show ip icmp redirect Use this command to display the status of sending ICMP redirects at a global or interface level. Syntax show ip icmp redirect {status | interface [vlan vlan-id]} Parameters status interface vlan vlan‐id Defaults If no VLAN is specified with the interface parameter, information for all VLAN interfaces is displayed. Mode Privileged EXEC mode:C2(su)‐>router# Router global configuration mode: C2(su)‐>router(Config)# Examples This example displays the global ICMP redirect status. C2(su)->router#show ip icmp redirect status Global ICMP Redirect status - Enabled This example displays the ICMP redirect status for VLAN 5.
Page 541: Activating Advanced Routing Features
SecureStack C2 device, you must purchase and activate a license key. If you have purchased an advanced routing license, and have enabled routing on the device, you can activate your license as described in the chapter entitled “Activating Licensed Features.” If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. Note: The command prompts used in examples throughout this guide show a system where the VLAN 1 interface has been configured for routing. The prompt changes depending on your current configuration mode, your specific device, and the interface types and numbers configured for routing on your system.
Page 542: Rip Configuration Task List And Commands
router rip RIP Configuration Task List and Commands Table 20‐1 lists the tasks and commands associated with RIP configuration. Commands are described in the associated section as shown. Table 20-1 RIP Configuration Task List and Commands To do this... Enable RIP configuration mode. Enable RIP on an interface. Configure an administrative distance. Allow reception of a RIP version. Allow transmission of a RIP version.
Page 543: Ip Rip Enable
Example This example shows how to enable RIP: C2(su)->router#configure C2(su)->router(Config)#router rip C2(su)->router(Config-router)# ip rip enable Use this command to enable RIP on an interface. The no form of this command disables RIP on an interface: By default, RIP is disabled on all interfaces. Syntax ip rip enable no ip rip enable Parameters None. Defaults None. Mode Interface configuration: C2 Example This example shows how to enable RIP on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip enable distance Use this command to configure the administrative distance for RIP routes. The no form of this command resets RIP administrative distance to the default value of 120. Syntax distance weight no distance [weight] Parameters weight...
Page 544: Ip Rip Send Version
ip rip send version Usage If several routes (coming from different protocols) are presented to the SecureStack C2, the protocol with the lowest administrative distance will be chosen for route installation. By default, RIP administrative distance is set to 120. The distance command can be used to change this value, resetting RIP’s route preference in relation to other routes as shown in the table below. Route Source Connected Static OSPF Example This example shows how to change the default administrative distance for RIP to 1001: C2(su)->router(Config)#router rip C2(su)->router(Config-router)#distance 100 ip rip send version Use this command to set the RIP version for RIP update packets transmitted out an interface. The no version of this command sets the version of the RIP update packets to RIPv1. Syntax ip rip send version {1 | 2 | r1compatible} no ip rip send version Parameters r1compatible Defaults...
Page 545: Ip Rip Receive Version
ip rip receive version Use this command to set the RIP version(s) for RIP update packets accepted on an interface. The no version of this command sets the acceptable receive version of the RIP update packets to RIPv1. Syntax ip rip receive version {1 | 2 | 1 2 | none} no ip rip receive version Parameters 1 1 2 none Mode Interface configuration: C2(su)‐>router(Config‐if(Vlan 1))# Defaults None. Example This example shows how to set the RIP receive version to 2 for update packets received on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip receive version 2 ip rip authentication-key Use this command to enable or disable a RIP authentication key (password) for use on an ...
Page 546: Ip Rip Message-Digest-Key
ip rip message-digest-key Example This example shows how to set the RIP authentication key chain to “password” on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip authentication-key password ip rip message-digest-key Use this command to enable or disable a RIP MD5 authentication key (password) for use on an interface. The no form of this command prevents RIP from using authentication. Syntax ip rip message-digest-key keyid md5 key no ip rip message-digest-key keyid Parameters keyid md5 Mode Interface configuration: C2(su)‐>router(Config‐if(Vlan 1))# Defaults None. Examples This example shows how to set the MD5 authentication ID to 5 for the RIP authentication key set on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip message-digest-key 5 md5 password...
Page 547: Split-Horizon Poison
Mode Router configuration: C2(su)‐>router(Config‐router)# Usage By default, RIP version 2 supports automatic route summarization, which summarizes subprefixes to the classful network boundary when crossing network boundaries. Disabling automatic route summarization enables CIDR, allowing RIP to advertise all subnets and host routing information on the SecureStack C2 device. To verify which routes are summarized for an interface, use the show ip route command as described in “show ip route” on page 19‐15. The reverse of the command re‐enables automatic route summarization. By default, RIP auto‐ summarization affects both RIPv1 and RIPv2 routes. Note: This command is necessary for enabling CIDR for RIP on the SecureStack C2 device. Example This example shows how to disable RIP automatic route summarization: C2(su)->router(Config)#router rip C2(su)->router(Config-router)#no auto-summary split-horizon poison Use this command to enable or disable split horizon poison‐reverse mode for RIP packets. The no form of this command disables split horizon poison reverse. Syntax split-horizon poison no split-horizon poison Parameters None.
Page 548: Passive-Interface
passive-interface passive-interface Use this command to prevent RIP from transmitting update packets on an interface. The no form of this command disables passive interface. Syntax passive-interface vlan vlan-id no passive-interface vlan vlan-id Parameters vlan vlan‐id Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Usage This command does not prevent RIP from monitoring updates on the interface. Example This example shows how to set VLAN 2 as a passive interface. No RIP updates will be transmitted on VLAN 2: C2(su)->router(Config)#router rip C2(su)->router(Config-router)#passive-interface vlan 2 receive-interface Use this command to allow RIP to receive update packets on an interface. The no form of this command denies the reception of RIP updates. By default, receiving is enabled on all routing interfaces. Syntax receive-interface vlan vlan-id no receive-interface vlan vlan-id Parameters vlan vlan‐id Defaults...
Page 549: Redistribute
Mode Router configuration: C2(su)‐>router(Config‐router)# Usage This command does not affect the sending of RIP updates on the specified interface. Example This example shows how to deny the reception of RIP updates on VLAN 2: C2(su)->router(Config)#router rip C2(su)->router(Config-router)#no receive-interface vlan 2 redistribute Use this command to allow routing information discovered through non‐RIP protocols to be distributed in RIP update messages. The no form of this command clears redistribution parameters. Syntax redistribute {connected | ospf process-id | static} [metric metric value] [subnets] no redistribute {connected | ospf process-id | static} Parameters connected ospf process‐id static ...
Page 550 redistribute Example This example shows how to redistribute routing information discovered through static routes will be redistributed into RIP update messages: C2(su)->router(Config)#router rip C2(su)->router(Config-router)#redistribute static 20-10 IPv4 Routing Protocol Configuration...
Page 551: Purpose
“Activating Licensed Features” in order to enable the OSPF command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. Purpose To enable and configure the Open Shortest Path First (OSPF) routing protocol.
Page 552: Router Id
router id Table 20-2 OSPF Configuration Task List and Commands (Continued) To do this... • Define an area as a stub area. • Set the cost value for the default route that is sent into a stub area. • Define an area as an NSSA. Create virtual links.
Page 553: Router Ospf
router ospf Use this command to enable or disable Open Shortest Path First (OSPF) configuration mode. The no form of this command disables OSPF configuration mode. Syntax router ospf process-id no router ospf process-id Parameters process‐id Defaults None. Mode Global configuration: C2(su)‐>router(Config)# Usage You must execute the router ospf command to enable the protocol before completing many OSPF‐ specific configuration tasks. For details on enabling configuration modes, refer to Table page 18‐2. Only one OSPF process (process‐id) is allowed per SecureStack C2 router. Example This example shows how to enable routing for OSPF process 1: C2(su)->router#conf terminal C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)# 1583compatibility Use this command to enable RFC 1583 compatibility on OSPF interfaces. The no form of this command disables RFC 1583 compatibility on OSPF interfaces. Syntax 1583compatability no 1583compatability Parameters None.
Page 554: Ip Ospf Enable
ip ospf enable Mode Router configuration: C2(su)‐>router(Config‐router)# Example This example shows how to enable RFC 1583 compatibility: C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#1583compatability ip ospf enable Use this command to enable OSPF on an interface. The no form of this command disables OSPF on an interface. Syntax ip ospf enable no ip ospf enable Parameters None. Defaults None. Mode Interface configuration: C2 Example This example shows how to enable OSPF on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf enable ip ospf areaid Use this command to configure area IDs for OSPF interfaces. If OSPF is enabled on an interface as ...
Page 555: Ip Ospf Cost
Mode Interface configuration: C2 Example This example shows how to configure the VLAN 1 interface as area 0.0.0.31: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf areaid 0.0.0.31 ip ospf cost Use this command to set the cost of sending an OSPF packet on an interface. The no form of this command resets the OSPF cost to the default of 10. Syntax ip ospf cost cost no ip ospf cost Parameters cost Defaults None. Mode Interface configuration: C2 Usage Each router interface that participates in OSPF routing is assigned a default cost. This command overwrites the default of 10. Example This example shows how to set the OSPF cost to 20 for the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf cost 20 ip ospf priority Use this command to set the OSPF priority value for router interfaces. The no form of this ...
Page 556: Timers Spf
timers spf Parameters number Defaults None. Mode Interface configuration: C2 Usage The priority value is communicated between routers by means of hello messages and influences the election of a designated router. Example This example shows how to set the OSPF priority to 20 for the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf priority 20 timers spf Use this command to change OSPF timer values to fine‐tune the OSPF network. The no form of this command restores the default timer values (5 seconds for delay and 10 seconds for holdtime). Syntax timers spf spf-delay spf-hold no timers spf Parameters spf‐delay spf‐hold Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Example This example shows how to set SPF delay time to 7 seconds and hold time to 3: ...
Page 557: Ip Ospf Retransmit-Interval
ip ospf retransmit-interval Use this command to set the amount of time between retransmissions of link state advertisements (LSAs) for adjacencies that belong to an interface. The no form of this command resets the retransmit interval value to the default, 5 seconds. Syntax ip ospf retransmit-interval seconds no ip ospf retransmit-interval Parameters seconds Defaults None. Mode Interface configuration: C2 Example This example shows how to set the OSPF retransmit interval for the VLAN 1 interface to 20: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf retransmit-interval 20 ip ospf transmit-delay Use this command to set the amount of time required to transmit a link state update packet on an interface. The no form of this command resets the retransmit interval value to the default, 1 second. Syntax ip ospf transmit-delay seconds no ip ospf transmit-delay Parameters seconds...
Page 558: Ip Ospf Hello-Interval
ip ospf hello-interval Example This example shows how to set the time required to transmit a link state update packet on the VLAN 1 interface at 20 seconds: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf transmit-delay 20 ip ospf hello-interval Use this command to set the number of seconds a router must wait before sending a hello packet to neighbor routers on an interface. The no form of this command sets the hello interval value to the default value of 10 seconds. Syntax ip ospf hello-interval seconds no ip ospf hello-interval Parameters seconds Defaults None. Mode Interface configuration: C2 Example This example shows how to set the hello interval to 5 for the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf hello-interval 5 ip ospf dead-interval Use this command to set the number of seconds a router must wait to receive a hello packet from ...
Page 559: Ip Ospf Authentication-Key
Parameters seconds Defaults None. Mode Interface configuration: C2 Example This example shows how to set the dead interval to 20 for the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf dead-interval 20 ip ospf authentication-key Use this command to assign a password to be used by neighboring routers using OSPF’s simple password authentication.The no form of this command removes an OSPF authentication password on an interface. Syntax ip ospf authentication-key password no ip ospf authentication-key Parameters password Defaults None. Mode Interface configuration: C2 Usage This password is used as a “key” that is inserted directly into the OSPF header in routing protocol packets. A separate password can be assigned to each OSPF network on a per‐interface basis. All neighboring routers on the same network must have the same password configured to be able ...
Page 560: Ip Ospf Message Digest Key Md5
ip ospf message digest key md5 Example This example shows how to enables an OSPF authentication key on the VLAN 1 interface with the password “yourpass”: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf authentication-key yourpass ip ospf message digest key md5 Use this command to enable or disable OSPF MD5 authentication on an interface. This validates OSPF MD5 routing updates between neighboring routers. The no form of this command disables MD5 authentication on an interface. Syntax ip ospf message-digest-key keyid md5 key no ip ospf message-digest-key keyid Parameters keyid Defaults None.
Page 561: Area Range
Parameters external | inter‐ area | intra‐area weight Defaults If route type is not specified, the distance value will be applied to all OSPF routes. Mode Router configuration: C2(su)‐>router(Config‐router)# Usage If several routes (coming from different protocols) are presented to the SecureStack C2, the protocol with the lowest administrative distance will be chosen for route installation. By default, OSPF administrative distance is set to 110. The distance ospf command can be used to change this value, resetting OSPF’s route preference in relation to other routes as shown in the table below. Route Source Connected Static OSPF Example This example shows how to change the default administrative distance for external OSPF routes to 100: C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#distance ospf external 100 area range Use this command to define the range of addresses to be used by Area Border Routers (ABRs) when they communicate routes to other areas. Each SecureStack C2 stack can support up to 4 OSPF areas. The no form of this command stops the routes from being summarized. Syntax area area-id range ip-address ip-mask [advertise | no-advertise] no area area-id range ip-address ip-mask Applies the distance value to external (type 5 and type 7), to inter‐area, or to ...
Page 562: Area Stub
area stub Parameters area‐id ip‐address ip‐mask advertise | no‐ advertise Defaults If not specified, advertise mode will be set. Mode Router configuration: C2(su)‐>router(Config‐router)# Example This example shows how to define the address range as 172.16.0.0/16 for summarized routes from area 0.0.0.8: C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 0.0.0.8 range 172.16.0.0 255.255.0.0 area stub Use this command to define an OSPF area as a stub area. This is an area into which Autonomous System external ASAs will not be flooded. The no form of this command changes the stub back to a plain area. Syntax area area-id stub [no-summary] no area area-id stub [no-summary] Parameters area‐id no‐summary Mode Router configuration: C2(su)‐>router(Config‐router)#...
Page 563: Area Default Cost
Example The following example shows how to define OSPF area 10 as a stub area: C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 10 stub area default cost Use this command to set the cost value for the default route that is sent into a stub area and NSSA by an Area Border Router (ABR). The no form of this command removes the cost value from the summary route that is sent into the stub area. Syntax area area-id default-cost cost no area area-id default-cost Parameters area‐id cost Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Usage The use of this command is restricted to ABRs attached to stub and NSSA areas. Example This example shows how to set the cost value for stub area 10 to 99: C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 10 default-cost 99 area nssa Use this command to configure an area as a Not So Stubby Area (NSSA). The no form of this ...
Page 564: Area Virtual-Link
area virtual-link Parameters area‐id default‐ information‐ originate Defaults If default‐information‐originate is not specified, no default type will be generated. Mode Router configuration: C2(su)‐>router(Config‐router)# Usage An NSSA allows some external routes represented by external Link State Advertisements (LSAs) to be imported into it. This is in contrast to a stub area that does not allow any external routes. External routes that are not imported into an NSSA can be represented by means of a default route. This configuration is used when an OSPF internetwork is connected to multiple non‐OSPF routing domains. Example This example shows how to configure area 10 as an NSSA area: C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 10 nssa default-information-originate area virtual-link Use this command to define an OSPF virtual link, which represents a logical connection between the backbone and a non‐backbone OSPF area. The no form of this command removes the virtual link and/or its associated settings. Syntax area area-id virtual-link router-id no area area-id virtual-link router-id In addition to the syntax above, the options for using this command are: area area-id virtual-link router-id authentication-key key no area area-id virtual-link router-id authentication-key key...
Page 565: Redistribute
Parameters area‐id router‐id authentication‐ key key dead‐interval seconds hello‐interval seconds retransmit‐ interval seconds transmit‐delay seconds Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Example This example shows how to configure a virtual link over transition area 0.0.0.2 to router ID 192.168.7.2: C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2 redistribute Use this command to allow routing information discovered through non‐OSPF protocols to be distributed in OSPF update messages. The no form of this command clears redistribution parameters. Syntax redistribute {connected | rip | static} [metric metric value] [metric-type type- value] [subnets] no redistribute {connected | rip | static} Specifies the transit area for the virtual link. Valid values are decimal values ...
Page 566: Show Ip Ospf
show ip ospf Parameters connected static metric metric value metric‐type type value subnets Defaults If metric value is not specified, 0 will be applied. If type value is not specified, type 2 (external route) will be applied. If subnets is not specified, only the shortest prefix matching routes will be redistributed. Mode Router configuration: C2(su)‐>router(Config‐router)# Example This example shows how to redistribute RIP routing information to non‐subnetted routes in OSPF routes: C2(su)->router(Config)#router ospf C2(su)->router(Config-router)#redistribute rip show ip ospf Use this command to display OSPF information. Syntax show ip ospf Parameters None. Defaults None. Mode Any router mode. 20-26 IPv4 Routing Protocol Configuration Specifies that non‐OSPF information discovered via directly connected ...
Page 567: Show Ip Ospf Database
Example This example shows how to display OSPF information: C2(su)->router#show ip ospf Routing process "ospf 1" with ID 155.155.155.155 Supports only Normal TOS route. It is not an area border router and is an autonomous system boundary router. Redistributing External Routes from static Number of areas in this router is 2 Area 0.0.0.0 SPF algorithm executed 0 times Area ranges are...
Page 568: Show Ip Ospf Interface
show ip ospf interface 191.4.0.0 Displaying Router Link States(Area 0.0.0.8) LinkID 3.3.3.3 155.155.155.155 Displaying Net Link States(Area 0.0.0.8) LinkID 192.168.30.2 192.168.31.2 192.168.32.2 192.168.33.2 Displaying Ipnet Sum Link States(Area 0.0.0.8) LinkID 0.0.0.0 8.1.1.0 8.1.2.0 8.1.3.0 8.1.4.0 Table 20‐3 provides an explanation of the command output. Table 20-3 show ip ospf database Output Details Output Field Link ID ADV Router...
Page 569: Show Ip Ospf Interface Output Details
Defaults If vlan‐id is not specified, OSPF statistics will be displayed for all VLANs. Mode Any router mode. Example This example shows how to display all OSPF related information for the VLAN 6 interface: C2(su)->router#show ip ospf interface vlan 6 Vlan 6 Internet Address 192.168.6.2 Router ID 3.3.3.3 , Cost: 10 Transmit Delay is 1 sec , State designated-router , Priority 1 Designated Router id 3.3.3.3 , Interface Addr 192.168.6.2 Backup Designated Router id 2.2.2.2 , Timer intervals configured , Table...
Page 570: Show Ip Ospf Neighbor
show ip ospf neighbor show ip ospf neighbor Use this command to display the state of communication between an OSPF router and its neighbor routers. Syntax show ip ospf neighbor [detail] [ip-address] [vlan vlan-id] Parameters detail ip‐address vlan vlan‐id Defaults If detail is not specified, summary information will be displayed. If ip‐address is not specified, OSPF neighbors will be displayed for all IP addresses configured for routing. If vlan‐id is not specified, OSPF neighbors will be displayed for all VLANs configured for routing. Mode Any router mode. Example This example shows how to use the show ospf neighbor command: C2(su)->router#show ip ospf neighbor 182.127.62.1 Table 20‐5 provides an explanation of the command output. Table 20-5 show ip ospf neighbor Output Details Output Field State Dead-Int...
Page 571: Show Ip Ospf Virtual-Links
show ip ospf virtual-links Use this command to display information about the virtual links configured on a router. A virtual link represents a logical connection between the backbone and a non‐backbone OSPF area. Syntax show ip ospf virtual-links Parameters None. Defaults None. Mode Any router mode. Example This example shows how to display OSPF virtual links information: C2(su)->router#show ip ospf virtual-links Neighbor ID 155.155.155.155 Transit area 0.0.0.8 Transmit delay is 1 sec State point-to-point Timer intervals configured: Adjacency State Full Table 20‐6 provides an explanation of the command output.
Page 572 clear ip ospf process Parameters process‐id Defaults None. Mode Privileged EXEC: C2(su)‐>router# Example This example shows how to reset OSPF process 1: C2(su)->router#clear ip ospf process 1 20-32 IPv4 Routing Protocol Configuration Specifies the process ID, an internally used identification number for each instance of the OSPF routing process run on a router. Valid values are 1 to 65535.
Page 573: Configuring Dvmrp
“Activating Licensed Features” in order to enable the DVMRP command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. Purpose To enable and configure the Distance Vector Multicast Routing Protocol (DVMRP) on an interface. ...
Page 574: Ip Dvmrp
ip dvmrp ip dvmrp Use this command to enable the DVMRP process. The no form of this command disables the DVMRP process: Syntax ip dvmrp no ip dvmrp Parameters None. Defaults None. Mode Global configuration: C2(su)‐>router(Config)# Example This example shows how to enable the DVMRP process: C2(su)->router(Config)#ip dvmrp ip dvmrp enable Use this command to enable DVMRP on an interface. The no form of this command disables DVMRP on an interface: Syntax ip dvmrp enable no ip dvmrp enable Parameters None. Defaults None. Mode Interface configuration: C2 Example This example shows how to enable DVMRP on the VLAN 1 interface:...
Page 575: Ip Dvmrp Metric
ip dvmrp metric Use this command to configure the metric associated with a set of destinations for DVMRP reports. Syntax ip dvmrp metric metric Parameters metric Defaults None. Mode Interface configuration: C2 Usage To reset the DVMRP metric back to the default value of 1, enter ip dvmrp metric 1. Example This example shows how to set a DVMRP of 16 on the VLAN 1 interface: C2(su)->router(Config-if(Vlan 1))#ip dvmrp metric 16 show ip dvmrp Use this command to display DVMRP routing information. Syntax show ip dvmrp [route | neighbor | status] Parameters route | neighbor | status Defaults If no optional parameters are specified, status information will be displayed. ...
Page 576 show ip dvmrp ------- ------- 20-36 IPv4 Routing Protocol Configuration ------------ ------------ Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Disabled...
Page 577: Configuring Irdp
Configuring IRDP Purpose To enable and configure the ICMP Router Discovery Protocol (IRDP) on an interface. This protocol enables a host to determine the address of a router it can use as a default gateway. It is disabled by default. Commands For information about... ip irdp enable ip irdp maxadvertinterval ip irdp minadvertinterval ip irdp holdtime ip irdp preference ip irdp broadcast show ip irdp ip irdp enable Use this command to enable IRDP on an interface. The no form of this command disables IRDP on an interface. Syntax ip irdp enable no ip irdp enable Parameters None.
Page 578: Ip Irdp Maxadvertinterval
ip irdp maxadvertinterval ip irdp maxadvertinterval Use this command to set the maximum interval in seconds between IRDP advertisements. The no form of this command resets the maximum advertisement interval to the default value of 600 seconds. Syntax ip irdp maxadvertinterval interval no irdp maxadvertinterval Parameters interval Defaults None. Mode Interface configuration: C2 Example This example shows how to set the maximum IRDP advertisement interval to 1000 seconds on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp maxadvertinterval 1000 ip irdp minadvertinterval Use this command to set the minimum interval in seconds between IRDP advertisements. The no form of this command deletes the custom holdtime setting, and resets the minimum advertisement interval to the default value of three‐fourths of the maxadvertinterval value, which is equal to 450 seconds.
Page 579: Ip Irdp Holdtime
Example This example shows how to set the minimum IRDP advertisement interval to 500 seconds on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp minadvertinterval 500 ip irdp holdtime Use this command to set the length of time in seconds IRDP advertisements are held valid. The no form of this command resets the hold time to the default value of three times the maxadvertinterval value, which is equal to 1800 seconds. Syntax ip irdp holdtime holdtime no irdp holdtime Parameters holdtime Defaults None. Mode Interface configuration: C2 Example This example shows how to set the IRDP hold time to 4000 seconds on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp holdtime 4000 ip irdp preference Use this command to set the IRDP preference value for an interface. This value is used by IRDP to ...
Page 580: Ip Irdp Broadcast
ip irdp broadcast Defaults None. Mode Interface configuration: C2 Example This example shows how to set IRDP preference on the VLAN 1 interface so that the interface’s address may still be advertised, but cannot be used by neighboring hosts as a default router address: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp preference -2147483648 ip irdp broadcast Use this command to configure IRDP to use the limited broadcast address of 255.255.255.255. The default is multicast with address 224.0.0.1. The no form of this command resets IRDP to use multicast on IP address 224.0.0.1. Syntax ip irdp broadcast no ip irdp broadcast Parameters None. Defaults None. Mode Interface configuration: C2 Example This example shows how to enable broadcast for IRDP on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp broadcast...
Page 581 Parameters vlan vlan‐id (Optional) Displays IRDP information for a specific VLAN. This VLAN must be configured for IP routing as described in “Pre‐Routing Configuration Tasks” on page 18‐1. Defaults If vlan vlan‐id is not specified, IRDP information for all interfaces will be displayed. Mode Interface configuration: C2 Example This example shows how to display IRDP information for the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(vlan 1))#show ip irdp vlan 1 Interface vlan 1 has router discovery enabled Advertisements will occur between 450 and 600 seconds Advertisements are sent with broadcasts Advertisements are valid for 1800 seconds Default preference will be 0 (su)‐>router(Config‐if(Vlan 1))#...
Page 582: Configuring Vrrp
“Activating Licensed Features” in order to enable the VRRP command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. Purpose To enable and configure the Virtual Router Redundancy Protocol (VRRP). This protocol eliminates ...
Page 583: Create
Usage You must execute the router vrrp command to enable the protocol before completing other VRRP‐specific configuration tasks. For details on enabling configuration modes, refer to Table 18‐2 on page 18‐2. Example This example shows how enable VRRP configuration mode: C2(su)->router#configure C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)# create Use this command to create a VRRP session. Each SecureStack C2 system supports up to 20 VRRP sessions. The no form of this command disables the VRRP session. Syntax create vlan vlan-id vrid no create vlan vlan-id vrid Parameters vlan vlan‐id vrid Defaults None. Mode Router configuration: C2(su)->router(Config-router)# Usage This command must be executed to create an instance of VRRP on a routing interface (VLAN) before any other VRRP settings can be configured. Example This example shows how to create a VRRP session on the VLAN 1 interface with a VRID of 1: C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#create vlan 1 1 Specifies the number of the VLAN on which to create a VRRP session. This ...
Page 584: Address
address address Use this command to configure a virtual router IP address. The no form of this command clears the VRRP address configuration. Syntax address vlan vlan-id vrid ip-address owner no address vlan vlan-id vrid ip-address owner Parameters vlan vlan‐id vrid ip‐address owner Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Usage If the virtual router IP address is the same as the interface (VLAN) address owned by a VRRP router, then the router owning the address becomes the master. The master sends an advertisement to all other VRRP routers declaring its status and assumes responsibility for forwarding packets associated with its virtual router ID (VRID). If the virtual router IP address is not owned by any of the VRRP routers, then the routers compare their priorities and the higher priority owner becomes the master. If priority values are the same, then the VRRP router with the higher IP address is selected master. For details on using the priority command, refer to “priority” on page 20‐45. Example This example shows how to configure a virtual router address of 182.127.62.1 on the VLAN 1 interface, VRID 1, and to set the router connected to the VLAN via this interface as the master: C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#address vlan 1 1 182.127.62.1 1 20-44 IPv4 Routing Protocol Configuration Specifies the number of the VLAN on which to configure a virtual router ...
Page 585: Priority
priority Use this command to set a priority value for a VRRP router. The no form of this command clears the VRRP priority configuration. Syntax priority vlan vlan-id vrid priority-value no priority vlan vlan-id vrid priority-value Parameters vlan vlan‐id vrid priority‐value Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Example This example shows how set a VRRP priority of 200 on the VLAN 1 interface, VRID 1: C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#priority vlan 1 1 200 advertise-interval Use this command to set the interval in seconds between VRRP advertisements. The no form of this command clears the VRRP advertise interval value. Syntax advertise-interval vlan vlan-id vrid interval no advertise-interval vlan vlan-id vrid interval Specifies the number of the VLAN on which to configure VRRP priority. ...
Page 586: Preempt
preempt Parameters vlan vlan‐id vrid interval Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Usage VRRP advertisements are sent by the master router to other routers participating in the VRRP master selection process, informing them of its configured values. Once the master is selected, then advertisements are sent every advertising interval to let other VRRP routers in this VLAN/ VRID know the router is still acting as master of the VLAN/VRID. All routers with the same VRID should be configured with the same advertisement interval. Example This example shows how set an advertise interval of 3 seconds on the VLAN 1 interface, VRID 1: C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#advertise-interval vlan 1 1 3 preempt Use this command to enable or disable preempt mode on a VRRP router. The no form of this command disables preempt mode. Syntax preempt vlan-id vrid no preempt vlan-id vrid Parameters vlan vlan‐id vrid Defaults None. 20-46 IPv4 Routing Protocol Configuration Specifies the number of the VLAN on which to configure the VRRP ...
Page 587: Enable
Mode Router configuration: C2(su)‐>router(Config‐router)# Usage Preempt is enabled on VRRP routers by default, which allows a higher priority backup router to preempt a lower priority master. The router that owns the virtual router IP address always preempts other routers, regardless of this setting. Example This example shows how to disable preempt mode on the VLAN 1 interface, VRID 1: C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#no preempt vlan 1 1 enable Use this command to enable VRRP on an interface. The no form of this command disables VRRP on an interface. Syntax enable vlan vlan-id vrid no enable vlan vlan-id vrid Parameters vlan vlan‐id vrid Defaults None. Mode Router configuration: C2(su)‐>router(Config‐router)# Example This example shows how to enable VRRP on the VLAN 1 interface, VRID 1: C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#enable vlan 1 1 Specifies the number of the VLAN on which to enable VRRP. This VLAN ...
Page 588: Ip Vrrp Authentication-Key
ip vrrp authentication-key ip vrrp authentication-key Use this command to enable or disable a VRRP authentication key (password) for use on an interface. The no form of this command prevents VRRP from using authentication. Syntax ip vrrp authentication-key name no ip vrrp authentication-key Parameters name Defaults None. Mode Interface configuration: C2(su)‐>router(Config‐if(Vlan 1))# Example This example shows how to set the VRRP authentication key chain to “password” on the VLAN 1 interface: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip vrrp authentication-key password show ip vrrp Use this command to display VRRP routing information. Syntax show ip vrrp Parameters None.
Page 589: Configuring Pim-Sm
“Activating Licensed Features” in order to enable the PIM command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. Design Considerations Enterasys Networks recommends that administrators consider the following recommendations ...
Page 590: Ip Pimsm
ip pimsm For information about... show ip pimsm interface show ip pimsm neighbor show ip pimsm rp show ip pimsm rphash show ip pimsm staticrp show ip mroute ip pimsm This command sets administrative mode of PIM‐SM multicast routing across the router to enabled. IGMP must be enabled before PIM‐SM can be enabled. By default, both IGMP and PIM are globally disabled. The no form of this command disables PIM (across the entire stack, if applicable). Syntax ip pimsm no ip pimsm Parameters None.
Page 591: Ip Pimsm Enable
Parameters ipaddress groupadress groupmask Defaults None. Mode Global Router configuration: C2(su)‐>router(Config)# Example This example shows how to set an RP for a specific multicast group. C2(su)->router(Config)# ip pimsm staticrp 192.15.18.3 224.0.0.0 240.0.0.0 ip pimsm enable This command sets the administrative mode of PIM‐SM multicast routing on a routing interface to enabled. By default, PIM is disabled on all IP interfaces. The no form of this command disables PIM on the specific interface. Syntax ip pimsm enable no ip pimsm enable Parameters None. Defaults None. Mode Interface configuration: C2 Example This example shows how to enable PIM on IP interface for VLAN 1. C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip pimsm enable The IP address of the Rendezvous Point The group address supported by the Rendezvous Point...
Page 592: Ip Pimsm Query-Interval
ip pimsm query-interval ip pimsm query-interval This command configures the transmission frequency of hello messages in seconds between PIM‐enabled neighbors. The no form of this command resets the hello interval to the default, 30 seconds. Syntax ip pimsm query-interval seconds no ip pimsm query-interval Parameters seconds Defaults None. Mode Interface configuration: C2 Example This example shows how to set the hello interval rate to 100 seconds. C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip pimsm query-interval 100 show ip pimsm Use this command to display system‐wide PIM‐SM routing information. Syntax show ip pimsm Parameters None.
Page 593: Show Ip Pimsm Componenttable
PIM-SM INTERFACE STATUS VlanId Interface Mode --------- -------------- Disable Enable Enable Enable Enable Disable Disable Disable Table 20‐7 provides an explanation of the command output. Table 20-7 show ip pimsm Output Details Output Field Admin Mode Join/Prune Interval (secs) VlanId Interface Mode Protocol State show ip pimsm componenttable This command displays the table containing objects specific to a PIM domain. One row exists for ...
Page 594: Show Ip Pimsm Interface
show ip pimsm interface Component Component Index BSR Address ---------- --------------- --------------- ------------- 192.168.30.2 Table 20‐8 provides an explanation of the command output. Table 20-8 show ip pimsm componenettable Output Details Output Field Component Index Component BSR Address Component BSR Expiry Time Component CRP Hold Time show ip pimsm interface This command displays PIM‐SM status of the router interfaces. With the stats parameter, this ...
Page 595: Show Ip Pimsm Neighbor
Hello Interval (secs) CBSR Preference CRP Preference CBSR Hash Mask Length Table 20‐9 provides an explanation of the show ip pimsm interface vlan command output. Table 20-9 show ip pimsm interface vlan Output Details Output Field IP Address Subnet Mask Mode Hello Interval CBSR Preference CRP Preference CBSR Hash Mask Length This example shows how to display PIM interface statistics. C2(su)->router>...
Page 596: Show Ip Pimsm Rp
show ip pimsm rp Parameters vlan‐id Mode Any router mode. Defaults If the VLAN id is omitted, all neighbors off all interfaces will be displayed. Example This example shows how to display PIM information: C2(su)->router> show ip pimsm neighbor Vlan ID IP Address --------- ---------------- 192.168.30.2 192.168.6.1 Table 20‐11 provides an explanation of the command output. Table 20-11 show ip pimsm neighbor Output Details Output Field Vlan ID IP Address Up Time Expiry Time show ip pimsm rp...
Page 597: Show Ip Pimsm Rphash
Defaults None. Mode Any router mode. Examples This example shows how to display the RP set for a specific group address. C2(su)->router> show ip pimsm rp 224.0.0.0 240.0.0.0 Group Address Group Mask --------- ---------- 224.0.0.0 240.0.0.0 Table 20‐12 provides an explanation of the command output. Table 20-12 show ip pimsm rp Output Details Output Field Group Address Group Mask Address Hold Time Expiry Time Component C-RP Priority...
Page 598: Show Ip Pimsm Staticrp
show ip pimsm staticrp Parameters group‐address Defaults None. Mode Any router mode. Example This example shows how to display RP that will be selected for group address 224.0.0.0: C2(su)->router> show ip pimsm rphash 224.0.0.0 192.168.129.223 show ip pimsm staticrp Display the PIM‐SM static Rendezvous Point information. Syntax show ip pimsm staticrp Parameters None. Mode Any router mode. Defaults None. Example This example shows how to display PIM information. C2(su)->router# show ip pimsm staticrp STATIC RP TABLE Address --------------- --------------- ---------------...
Page 599: Show Ip Mroute
Table 20-13 show ip pimsm staticrp Output Details Output Field Address Group Address Group Mask show ip mroute Use this command to display the IP multicast routing table. Syntax show ip mroute Parameters None. Defaults None. Mode Any router mode. Usage The multicast routing table shows how a multicast routing protocol, such as PIM and DVMRP, will forward a multicast packet. Information in the table includes source network/mask and upstream neighbors. For information about DVMRP, see “Configuring DVMRP” on page 20‐33. Example This example shows the output of this command. C2(su)->router#show ip mroute Active IP Multicast Sources Flags: D - Dense, S - Sparse, C - Connected, L - Local,P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,Outgoing interface flags: H - Hardware switched Timers: Uptime/Expires...
Page 600 show ip mroute Upstream Neighbor: 0.0.0.0 Upstream Vlan Downstream Vlans : 8 Source Network Source Mask MultiCast Group Uptime Upstream Neighbor: 0.0.0.0 Upstream Vlan Downstream Vlans : 8 Source Network Source Mask MultiCast Group Uptime Upstream Neighbor: 0.0.0.0 Upstream Vlan Downstream Vlans : 8 20-60 IPv4 Routing Protocol Configuration : 111...
Page 601: Purpose
This chapter describes the switch mode set of commands used to manage IPv6. Purpose To enable or disable the IPv6 management function, to configure and display the IPv6 host address and IPv6 gateway for the switch, and to display IPv6 status information. Commands For information about... show ipv6 status set ipv6 set ipv6 address show ipv6 address clear ipv6 address set ipv6 gateway clear ipv6 gateway show ipv6 neighbors show ipv6 netstat ping ipv6 traceroute ipv6 show ipv6 status Use this command to display the status of the IPv6 management function.
Page 602: Chapter 21: Ipv6 Management
Defaults None. Mode Switch mode, read‐only. Example This example shows how to display IPv6 management function status. C2(ro)->show ipv6 status IPv6 Administrative Mode: Disabled set ipv6 Use this command to globally enable or disable the IPv6 management function. Syntax set ipv6 {enable | disable} Parameters enable | disable Defaults By default, IPv6 management is disabled. Mode Switch mode, read‐write. Usage When you enable IPv6 management on the switch, the system automatically generates a link‐local host address for the switch from the host MAC address. You can set a different host IPv6 address with the set ipv6 address command. Example This example shows how to enable IPv6 management. C2(su)-> set ipv6 enable C2(su)->show ipv6 status...
Page 603: Set Ipv6 Address
Use this command to configure IPv6 global addressing information. Syntax set ipv6 address ipv6-addr/prefix-length [eui64] Parameters ipv6‐addr prefix‐length eui64 Defaults No global unicast IPv6 address is defined by default. Mode Switch mode, read‐write. Usage Use this command to manually configure a global unicast IPv6 address for IPv6 management. You can specify the address completely, or you can use the optional eui64 parameter to allow the switch to generate the lower order 64 bits of the address. When using the eui64 parameter, you specify only the network prefix and length. Examples This example shows how to completely specify an IPv6 address by entering all 128 bits and the prefix: C2(su)->set ipv6 address 2001:0db8:1234:5555::9876:2/64 C2(su)->show ipv6 address Name ------------ host host This example shows how to use the eui64 parameter to configure the lower order 64 bits: C2(su)->set ipv6 address 2001:0db8:1234:5555::/64 eui64 C2(su)->show ipv6 address...
Page 604: Show Ipv6 Address
Use this command to display the system IPv6 address(es) and IPv6 gateway address (default router), if configured. Syntax show ipv6 address Parameters None. Defaults None. Mode Switch command, read‐only. Usage This command displays the IPv6 addresses configured automatically and with the set ipv6 address and set ipv6 gateway commands. Example This example displays three IPv6 management addresses configured for the switch. C2(su)->show ipv6 address Name ------------ host host gateway clear ipv6 address Use this command to clear IPv6 global addresses. Syntax clear ipv6 [address {all|ipv6-addr/prefix-length}] Parameters ipv6‐addr...
Page 605: Set Ipv6 Gateway
Mode Switch mode, read‐write. Usage This command clears addresses manually configured with the set ipv6 address command. Use the clear ipv6 gateway command to clear the IPv6 gateway address. Example This example illustrates that this command clears only those IPv6 addresses configured with the set ipv6 address command. The link‐local address for the host interface and the gateway address are not removed with this command. C2(su)->show ipv6 address Name ------------ host host host gateway C2(su)->clear ipv6 address all C2(su)->show ipv6 address Name ------------ host gateway set ipv6 gateway Use this command to configure the IPv6 gateway (default router) address. Syntax set ipv6 gateway ipv6-addr Parameters ipv6‐addr Defaults None.
Page 606: Clear Ipv6 Gateway
C2(su)->show ipv6 address Name ------------ host gateway clear ipv6 gateway Use this command to clear an IPv6 gateway address. Syntax clear ipv6 gateway Parameters None. Defaults None. Mode Switch mode, read‐write. Example This example shows how to remove a configured IPv6 gateway address. C2(su)->show ipv6 address Name ------------ host gateway C2(su)->clear ipv6 gateway C2(su)->show ipv6 address Name ------------ host show ipv6 neighbors Use this command to display the system IPv6 Neighbor Discovery Protocol cache. ...
Page 607: Show Ipv6 Netstat
Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows example output of this command. C2(su)->show ipv6 neighbors IPv6 Address --------------------------------------- ----------------- ----- ------- 2001:db8:1234:6666::2310:3 show ipv6 netstat Use this command to display IPv6 netstat information. Syntax show ipv6 netstat Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows the output of this command. C2(su)->show ipv6 netstat Prot Local Address...
Page 608: Ping Ipv6
3333::211:88FF:FE59:4424.443 2020::D480:1384:F58C:B114.1055 ping ipv6 Use this command to test routing network connectivity by sending IP ping requests. Syntax ping ipv6-addr [size num] Parameters ipv6‐addr size num Defaults None. Mode Switch mode, read‐write. Usage This command is also available in router mode. Examples This example shows output from a successful ping to IPv6 address 2001:0db8:1234:5555::1234:1. C2(su)->ping ipv6 2001:0db8:1234:5555::1234:1 2001:DB8:1234:5555::1234:1 is alive This example shows output from an unsuccessful ping to IPv6 address 2001:0db8:1234:5555::1234:1. C2(su)->ping ipv6 2001:0db8:1234:5555::1234:1 no answer from 2001:DB8:1234:5555::1234:1 21-8 IPv6 Management Specifies the IPv6 address of the system to ping. Enter the address in the ...
Page 609: Traceroute Ipv6
Use this command to discover the routes that packets actually take when traveling to their destination through the network on a hop‐by‐hop basis. Syntax traceroute ipv6 ipv6-addr Parameters ipv6‐addr Defaults None. Mode Switch mode, read‐write. Usage This command is also available in router mode. Example This example shows how to use traceroute to display a round trip path to host 2001:0db8:1234:5555 C2(su)->router#traceroute ipv6 2001:0db8:1234:5555::1 Traceroute to 2001:0db8:1234:5555, 30 hops max, 40 byte packets 1 2001:0db8:1234:5555 Specifies a host to which the route of an IPv6 packet will be traced. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16‐bit values between colons. 1.000000e+00 ms traceroute ipv6 1.000000e+00 ms...
Page 610 traceroute ipv6 21-10 IPv6 Management...
Page 611: Chapter 22: Ipv6 Proxy Routing
This chapter describes the commands used to enable IPv6 proxy routing and the suggested procedure to configure a mixed C2 and C3 stack to use IPv6 proxy routing. For information about... Overview Preparing a Mixed Stack for IPv6 Proxy Routing Commands Overview IPv6 proxy routing allows a mixed C2/C3 stack to support some IPv6 routing functionality. When IPv6 proxy routing is enabled, all the switches in the stack can support IPv6 unicast routing and IPv6 tunneling. You can configure port‐based and VLAN‐based IPv6 routing interfaces on any C2 or C3 stack unit. There is no change in existing IPv4 routing capabilities. Since this is a function that exists only in a mixed stack, it is implemented only in the C2 firmware, release 5.01 and later. For IPv6 proxy routing to exist in the stack, a C3 unit must run as the manager of the stack. To facilitate this, the stack manager preference of C3 units should be set to a higher value than C2 units. If a C3 unit is added to an all C2 stack, you must move the manager to a C3 unit to use this feature. Multiple C3 units can exist in the mixed stack. All the C3 units in the mixed stack will independently perform hardware IPv6 routing/tunneling. The manager C3 unit will transparently do the hardware IPv6 routing/tunneling for all the C2 units. When IPv6 proxy routing is enabled, the C2 being configured for routing/tunneling (called the proxy client) is configured to redirect the routed IPV6/Tunneling packets to one of the stacking ports of the C3 stack manager (called the proxy server). The C2 is only configured if the proxy feature is already enabled on the stack. It should be noted that only IPv6 packets with a destination MAC of the router MAC of the system are redirected to the proxy server. On the proxy server, all incoming packets to the stacking ports with a destination of one of the stacking ports will be processed through L2 and L3 switching logic. If the destination port is not one of the stacking ports (not an IPv6 packet), then the incoming packet is forwarded based on header information. This feature is disabled by default. In order to use the OSPF, PIM, DVMRP, or VRRP protocols, you must have purchased and installed the C2 advanced routing license. IPv6 Proxy Routing Refer to page...
Page 612: Limitations
As in any mixed C2/C3 mixed stack, the C2 firmware (release 5.01 or later) must be installed on the C3 switches. Refer to “Issues Related to Mixed Type Stacks” on page 2‐5 for additional information. If you are adding the C3 switches to an existing C2 stack, make one of the C3 switches the stack manager. For example, if the current stack manager is unit 1 and the C3 switch that you want to become manager is unit 7: C2(su)->set switch movemenagement 1 7 Moving stack management will unconfigure entire stack including all interfaces. Are you sure you want to move stack management? (y/n) y Set the management priority of the C3 switches to be higher than that of the C2 switches. For example, if your C3 switches are units 7 and 8, and you want the unit 7 C3 switch to always become the manager and the unit 8 C3 switch to be the backup manager: C2(su)->set switch 7 priority 15 C2(su)->set switch 8 priority 13...
Page 613: Commands
Commands For information about... ipv6 proxy-routing show ipv6 proxy-routing ipv6 proxy-routing Use this command to enable or disable IPv6 proxy routing on a mixed C2/C3 stack. Syntax ipv6 proxy-routing no ipv6 proxy-routing Parameters None. Defaults IPv6 proxy routing is disabled by default. Mode Router global configuration: C2(su)‐>router(Config)# Usage IPv6 proxy routing is disabled by default. It must be enabled with this command before the C2 switches in the stack will start redirecting routed IPv6/tunneling packets to the C3 proxy server. Uses the no form of this command to disable IPv6 proxy routing. Example This example enables IPv6 proxy routing. c2(su)->router c2(su)->router>enable c2(su)->router#config Enter configuration commands: c2(su)->router(Config)#ipv6 proxy-routing show ipv6 proxy-routing Use this command to display the status of IPv6 proxy routing.
Page 614 show ipv6 proxy-routing Defaults None. Mode Any routing mode. Example This example shows the output of this command when IPv6 proxy routing is disabled. c2(su)->router(Config)#show ipv6 proxy-routing IPv6 Proxy Routing Mode... Disable 22-4 IPv6 Proxy Routing...
Page 615: Overview Of Authentication And Authorization Methods
Configuring Multiple Authentication Methods Configuring VLAN Authorization (RFC 3580) Configuring MAC Locking Configuring Port Web Authentication (PWA) Configuring Secure Shell (SSH) Configuring Access Lists Overview of Authentication and Authorization Methods The following methods are available for controlling which users are allowed to access, monitor, and manage the switch. • Login user accounts and passwords – used to log in to the CLI via a Telnet connection or local COM port connection. For details, refer to “Setting User Accounts and Passwords” on page 3‐2. • Host Access Control Authentication (HACA) – authenticates user access of Telnet management, console local management and WebView via a central RADIUS Client/Server ...
Page 616: Radius Filter-Id Attribute And Dynamic Policy Profile Assignment
– provides a mechanism via a RADIUS server for administrators to securely authenticate and grant appropriate access to end user devices communicating with SecureStack C2 ports. For details on using CLI commands to configure 802.1X, refer to “Configuring 802.1X Authentication” on page 23‐11. Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command. • MAC Authentication – provides a mechanism for administrators to securely authenticate source MAC addresses and grant appropriate access to end user devices communicating with SecureStack C2 ports. For details, refer to “Configuring MAC Authentication” on page 23‐21.
Page 617: Configuring Radius
The RADIUS Filter‐ID attribute is simply a string that is formatted in the RADIUS Access‐Accept packet sent back from the RADIUS server to the switch during the authentication process. Each user can be configured in the RADIUS server database with a RADIUS Filter‐ID attribute that specifies the name of the policy profile and/or management level the user should be assigned upon successful authentication. During the authentication process, when the RADIUS server returns a RADIUS Access‐Accept message that includes a Filter‐ID matching a policy profile name configured on the switch, the switch then dynamically applies the policy profile to the physical port the user/device is authenticating on. Filter-ID Attribute Formats Enterasys Networks supports two Filter‐ID formats — “decorated” and “undecorated.” The decorated format has three forms: • To specify the policy profile to assign to the authenticating user (network access authentication): Enterasys:version=1:policy=string where string specifies the policy profile name. Policy profile names are case‐sensitive. • To specify a management level (management access authentication): Enterasys:version=1:mgmt=level where level indicates the management level, either ro, rw, or su. • To specify both management level and policy profile: Enterasys:version=1:mgmt=level:policy=string The undecorated format is simply a string that specifies a policy profile name. The undecorated format cannot be used for management access authentication. Decorated Filter‐IDs are processed first by the switch. If no decorated Filter‐IDs are found, then undecorated Filter‐IDs are processed. If multiple Filter‐IDs are found that contain conflicting values, a Syslog message is generated. Configuring RADIUS Purpose To perform the following: • Review the RADIUS client/server configuration on the switch. • Enable or disable the RADIUS client. • Set local and remote login options.
Page 618: Commands
Syntax show radius [status | retries | timeout | server [index | all]] Parameters status retries timeout server index | all Defaults If no parameters are specified, all RADIUS configuration information will be displayed. Mode Switch command, read‐only. Example This example shows how to display RADIUS configuration information: C2(rw)->show radius RADIUS status: RADIUS retries: RADIUS timeout: RADIUS Server -------------- Table 23‐1 provides an explanation of the command output. 23-4 Authentication and Authorization Configuration (Optional) Displays the RADIUS server’s enable status.
Page 619: Set Radius
RADIUS server’s index number, IP address, and UDP authentication port. Realm defines who has to go through the RADIUS server for authentication. • Management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server.
Page 620 Note: If the management-access or any access realm has been configured, the local “admin” account is disabled for access to the switch using the console, Telnet, or Local Management. Only the network-access realm allows access to the local “admin” account.
Page 621: Clear Radius
This example shows how to force any management‐access to the switch (Telnet, web, SSH) to authenticate through a RADIUS server. The all parameter at the end of the command means that any of the defined RADIUS servers can be used for this Authentication. C2(rw)->set radius realm management-access all clear radius Use this command to clear RADIUS server settings. Syntax clear radius [retries] | [timeout] | [server {index | all | realm {index | all}}] Parameters retries timeout server index | all realm Mode Switch command, read‐write. Defaults None. Examples This example shows how to clear all settings on all RADIUS servers: C2(su)->clear radius server all This example shows how to reset the RADIUS timeout to the default value of 20 seconds:...
Page 622: Set Radius Accounting
Parameters server counter ip‐address retries timeout Mode Switch command, read‐only. Defaults If no parameters are specified, all RADIUS accounting configuration information will be displayed. Example This example shows how to display RADIUS accounting configuration information. In this case, RADIUS accounting is not currently enabled and global default settings have not been changed. One server has been configured. For details on enabling and configuring RADIUS accounting, refer to “set radius accounting” on page 23‐8: C2(ro)->show radius accounting RADIUS accounting status: RADIUS Acct Server ------------------ set radius accounting Use this command to configure RADIUS accounting. Syntax set radius accounting {[enable | disable] [retries retries] [timeout timeout]...
Page 623: Clear Radius Accounting
Mode Switch command, read‐write. Defaults None. Examples This example shows how to enable the RADIUS accounting client for authenticating with the accounting server at IP address 10.2.4.12, UDP authentication port 1800. As previously noted, the “server secret” password entered here must match that already configured as the Read‐Write (rw) password on the RADIUS accounting server: C2(su)->set radius accounting server 10.2.4.12 1800 Enter secret: Re-enter secret: This example shows how to set the RADIUS accounting timeout to 30 seconds: C2(su)->set radius accounting timeout 30 This example shows how to set RADIUS accounting retries to 10: C2(su)->set radius accounting retries 10 clear radius accounting Use this command to clear RADIUS accounting configuration settings. Syntax clear radius accounting {server ip-address | retries | timeout | counter} Parameters server ip‐address...
Page 624 clear radius accounting Defaults None. Example This example shows how to reset the RADIUS accounting timeout to 5 seconds. C2(su)->clear radius accounting timeout 23-10 Authentication and Authorization Configuration...
Page 625: Configuring 802.1X Authentication
Authentication Protocol). 802.1X controls network access by enforcing user authorization on selected ports, which results in allowing or denying network access according to RADIUS server configuration. Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command Commands For information about... show dot1x...
Page 626 If port‐string is not specified, information for all ports will be displayed. Mode Switch command, read‐only. Examples This example shows how to display 802.1X status: C2(su)->show dot1x DOT1X is disabled. This example shows how to display authentication diagnostics information for fe.1.1: C2(su)->show dot1x auth-diag Port : 1 Auth-Diag Enter Connecting: EAP Logoffs While Connecting: Enter Authenticating: Success While Authenticating Timeouts While Authenticating: Fails While Authenticating: ReAuths While Authenticating:...
Page 627: Show Dot1X Auth-Config
Defaults If no parameters are specified, all 802.1X settings will be displayed. If port‐string is not specified, information for all ports will be displayed. Mode Switch command, read‐only. Examples This example shows how to display the EAPOL port control mode for fe.1.1: C2(su)->show dot1x auth-config authcontrolled-portcontrol Port 1: Auth controlled port control: This example shows how to display the 802.1X quiet period settings for fe.1.1: C2(su)->show dot1x auth-config quietperiod Port 1: Quiet period: This example shows how to display all 802.1X authentication configuration settings for C2(ro)->show dot1x auth-config ge.1.1 (Optional) Displays the current value of the controlled Port control parameter for the port.
Page 628: Set Dot1X
{enable | disable | port {init | reauth} {true | false} [port-string]} Parameters enable | disable port init | reauth true | false port‐string Defaults If no ports are specified, the reinitialization or reauthentication setting will be applied to all ports. Mode Switch command, read‐write. Usage Disabling 802.1X authentication globally, by not entering a specific port‐string value, will enable the EAP pass‐through feature. EAP pass‐through allows client authentication packets to be forwarded unmodified through the switch to an upstream device. Examples This example shows how to enable 802.1X: C2(su)->set dot1x enable This example shows how to reinitialize C2(rw)->set dot1x port init true ge.1.2...
Page 629: Set Dot1X Auth-Config
[reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod value]} [port-string] Parameters authcontrolled‐ portcontrol auto | forced‐auth | forced‐unauth maxreq value quietperiod value reauthenabled false | true reauthperiod value servertimeout timeout supptimeout timeout txperiod value port‐string Defaults If port‐string is not specified, authentication parameters will be set on all ports. Mode Switch command, read‐write. Specifies the 802.1X port control mode. • auto – Set port control mode to auto controlled port control. This is the default value. • forced‐auth – Set port control mode to ForcedAuthorized controlled port control. • forced‐unauth – Set port control mode to ForcedUnauthorized controlled port control. Specifies the maximum number of authentication requests allowed by the backend authentication state machine. Valid values are 1 – 10. Default value is 2. Specifies the time (in seconds) following a failed authentication before another attempt can be made by the authenticator PAE state machine. Valid values are 0 – 65535. Default value is 60 seconds. Enables (true) or disables (false) reauthentication control of the reauthentication timer state machine. Default value is false.
Page 630: Clear Dot1X Auth-Config
Parameters authcontrolled‐ portcontrol maxreq quietperiod reauthenabled reauthperiod servertimeout supptimeout txperiod port‐string Defaults If no parameters are specified, all authentication parameters will be reset. If port‐string is not specified, parameters will be set on all ports. Mode Switch command, read‐write. Examples This example shows how to reset the 802.1X port control mode to auto on all ports: C2(su)->clear dot1x auth-config authcontrolled-portcontrol This example shows how to reset reauthentication control to disabled on ports fe.1.1‐3: C2(su)->clear dot1x auth-config reauthenabled 23-16 Authentication and Authorization Configuration (Optional) Resets the 802.1X port control mode to auto. (Optional) Resets the maximum requests value to 2. (Optional) Resets the quiet period value to 60 seconds. (Optional) Resets the reauthentication control state to disabled (false). (Optional) Resets the reauthentication period value to 3600 seconds. (Optional) Resets the server timeout value to 30 seconds. (Optional) Resets the authentication supplicant timeout value to 30 seconds.
Page 631: Show Eapol
This example shows how to reset the 802.1X quiet period to 60 seconds on ports fe.1.1‐3: C2(su)->clear dot1x auth-config quietperiod show eapol Use this command to display EAPOL status or settings for one or more ports. Syntax show eapol [port-string] Parameters port‐string Defaults If port‐string is not specified, only EAPOL enable status will be displayed. Mode Switch command, read‐only. Example This example shows how to display EAPOL status for ports fe.1.1‐3: C2(su)->show eapol EAPOL is disabled. Port Authentication State -------- -------------------- .1.1 Initialize .1.2 Initialize .1.3 Initialize Table 23‐2 provides an explanation of the command output. For details on using the set eapol command to enable the protocol and assign an authentication mode, refer to “set eapol” on page 23‐19.
Page 632: Show Eapol Output Details
Port designation. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. Current EAPOL authentication state for each port. Possible internal states for the authenticator (switch) are: • initialize: A port is in the initialize state when: – authentication is disabled, –...
Page 633: Set Eapol
[enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string Parameters enable | disable auth‐mode auto | forced‐auth | forced‐unauth port‐string Defaults None. Mode Switch command, read‐write. Examples This example shows how to enable EAPOL: C2(su)->set eapol enable This example shows how to enable EAPOL with forced authorized mode on port fe.1.1: C2(su)->set eapol auth-mode forced-auth clear eapol Use this command to globally clear the EAPOL authentication mode, or to clear settings for one or more ports. Syntax clear eapol [auth-mode] [port-string] Enables or disables EAPOL.
Page 634 Parameters auth‐mode port‐string Defaults If auth‐mode is not specified, all EAPOL settings will be cleared. If port‐string is not specified, settings will be cleared for all ports. Mode Switch command, read‐write. Example This example shows how to clear the EAPOL authentication mode for port C2(su)->clear eapol auth-mode ge.1.3 23-20 Authentication and Authorization Configuration (Optional) Globally clears the EAPOL authentication mode. Specifies the port(s) on which to clear EAPOL parameters. For a detailed description of possible port‐string values, refer to “Port String Syntax Used in the CLI” on page 7‐2. .1.3:...
Page 635: Configuring Mac Authentication
Configuring MAC Authentication Purpose To review, disable, enable and configure MAC authentication. This authentication method allows the device to authenticate source MAC addresses in an exchange with an authentication server. The authenticator (switch) selects a source MAC seen on a MAC‐authentication enabled port and submits it to a backend client for authentication. The backend client uses the MAC address stored password, if required, as credentials for an authentication attempt. If accepted, a string representing an access policy may be returned. If present, the switch applies the associated policy rules. You can specify a mask to apply to MAC addresses when authenticating users through a RADIUS server (see “set macauthentication significant‐bits” on page 23‐31). The most common use of significant bit masks is for authentication of all MAC addresses for a specific vendor. Commands For information about... show macauthentication show macauthentication session set macauthentication set macauthentication password clear macauthentication password set macauthentication port set macauthentication portinitialize set macauthentication portquietperiod...
Page 636: Show Macauthentication Output Details
Parameters port‐string Defaults If port‐string is not specified, MAC authentication information will be displayed for all ports. Mode Switch command, read‐only. Example This example shows how to display MAC authentication information for C2(su)->show macauthentication ge.2.1-8 MAC authentication: MAC user password: Port username significant bits Port Port State ------- -------- ---------- -------- --------- ----------------- ge.2.1 disabled 3600 ge.2.2 disabled 3600 ge.2.3 disabled 3600 ge.2.4...
Page 637: Show Macauthentication Session
Output Field Reauth Period Auth Allowed Auth Allocated Reauthentications show macauthentication session Use this command to display the active MAC authenticated sessions. Syntax show macauthentication session Parameters None. Defaults If port‐string is not specified, MAC session information will be displayed for all MAC authentication ports. Mode Switch command, read‐only. Usage Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions display the correct period. Example This example shows how to display MAC session information: C2(su)->show macauthentication session Port MAC Address ----- ----------------- ge.1.2 00:60:97:b5:4c:07 Table 23‐4 provides an explanation of the command output.
Page 638: Set Macauthentication
Table 23-4 show macauthentication session Output Details (Continued) Output Field Duration Reauth Period Reauthentications set macauthentication Use this command to globally enable or disable MAC authentication. Syntax set macauthentication {enable | disable} Parameters enable | disable Mode Switch command, read‐write. Defaults None. Example This example shows how to globally enable MAC authentication: C2(su)->set macauthentication enable set macauthentication password Use this command to set a MAC authentication password. Syntax set macauthentication password password Parameters password Defaults None.
Page 639: Clear Macauthentication Password
This example shows how to set the MAC authentication password to “macauth”: C2(su)->set macauthentication password macauth clear macauthentication password Use this command to clear the MAC authentication password. Syntax clear macauthentication password Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the MAC authentication password: C2(su)->clear macauthentication password set macauthentication port Use this command to enable or disable one or more ports for MAC authentication. Syntax set macauthentication port {enable | disable} port-string Parameters enable | disable port‐string Defaults None.
Page 640: Set Macauthentication Portinitialize
Usage Enabling port(s) for MAC authentication requires globally enabling MAC authentication on the switch as described in “set macauthentication” on page 23‐24, and then enabling it on a port‐by‐ port basis. By default, MAC authentication is globally disabled and disabled on all ports. Example This example shows how to enable MAC authentication on C2(su)->set macauthentication port enable ge.2.1-5 set macauthentication portinitialize Use this command to force one or more MAC authentication ports to re‐initialize and remove any currently active sessions on those ports. Syntax set macauthentication portinitialize port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to force C2(su)->set macauthentication portinitialize ge.2.1-5 set macauthentication portquietperiod This sets the number of seconds following a failed authentication before another attempt may be ...
Page 641: Clear Macauthentication Portquietperiod
Defaults None. Mode Switch command, read‐write. Example This example sets port 1 to wait 5 seconds after a failed authentication attempt before a new attempt can be made: C2(su)->set macauthentication portquietperiod 5 ge.1.1 clear macauthentication portquietperiod This sets the quiet period back to the default value of 30 seconds. Syntax clear macauthentication portquietperiod [port-string] Parameters port‐string Defaults If a port‐string is not specified then all ports will be set to the default port quiet period. Mode Switch command, read‐write. Example This example resets the default quiet period on port 1: C2(su)->clear macauthentication portquietperiod ge.1.1 set macauthentication macinitialize Use this command to force a current MAC authentication session to re‐initialize and remove the session. Syntax set macauthentication macinitialize mac-addr Parameters mac‐addr...
Page 642: Set Macauthentication Reauthentication
Mode Switch command, read‐write. Defaults None. Example This example shows how to force the MAC authentication session for address 00‐60‐97‐b5‐4c‐07 to re‐initialize: C2(su)->set macauthentication macinitialize 00-60-97-b5-4c-07 set macauthentication reauthentication Use this command to enable or disable reauthentication of all currently authenticated MAC addresses on one or more ports. Syntax set macauthentication reauthentication {enable | disable} port-string Parameters enable | disable port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to enable MAC reauthentication on C2(su)->set macauthentication reauthentication enable ge.4.1-5 set macauthentication portreauthenticate Use this command to force an immediate reauthentication of the currently active sessions on one ...
Page 643: Set Macauthentication Macreauthenticate
Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to force C2(su)->set macauthentication portreauthentication ge.2.1-5 set macauthentication macreauthenticate Use this command to force an immediate reauthentication of a MAC address. Syntax set macauthentication macreauthenticate mac-addr Parameters mac‐addr Defaults None. Mode Switch command, read‐write. Example This example shows how to force the MAC authentication session for address 00‐60‐97‐b5‐4c‐07 to reauthenticate: C2(su)->set macauthentication macreauthenticate 00-60-97-b5-4c-07 set macauthentication reauthperiod Use this command to set the MAC reauthentication period (in seconds). This is the time lapse between attempts to reauthenticate any current MAC address authenticated to a port. Syntax set macauthentication reauthperiod time port-string Specifies MAC authentication port(s) to be reauthenticated. For a detailed ...
Page 644: Clear Macauthentication Reauthperiod
Parameters time port‐string Defaults None. Mode Switch command, read‐write. Usage Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions will use the correct period. Example This example shows how to set the MAC reauthentication period to 7200 seconds (2 hours) on .2.1 through 5: C2(su)->set macauthentication reauthperiod 7200 ge.2.1-5 clear macauthentication reauthperiod Use this command to clear the MAC reauthentication period on one or more ports. Syntax clear macauthentication reauthperiod [port-string] Parameters port‐string Defaults If port‐string is not specified, the reauthentication period will be cleared on all ports. Mode Switch command, read‐write. Example This example shows how to globally clear the MAC reauthentication period: C2(su)->clear macauthentication reauthperiod 23-30 Authentication and Authorization Configuration Specifies the number of seconds between reauthentication attempts. Valid ...
Page 645: Set Macauthentication Significant-Bits
Use this command to set the number of significant bits of the MAC address to use for authentication. Syntax set macauthentication significant-bits number Parameters number Defaults None. Mode Switch command, read‐write. Usage This command allows you to specify a mask to apply to MAC addresses when authenticating users through a RADIUS server. The most common use of significant bit masks is for authentication of all MAC addresses for a specific vendor. On switches using MAC authentication, the MAC address of a user attempting to log in is sent to the RADIUS server as the user name. If access is denied, and if a significant bit mask has been configured (other than 48) with this command, the switch will apply the mask and resend the masked address to the RADIUS server. For example, if a user with MAC address of 00‐16‐CF‐12‐ 34‐56 is denied access, and a 32 bit mask has been configured, the switch will apply the mask and resend a MAC address of 00‐16‐CF‐12‐00‐00 to the RADIUS server. To use a significant bits mask for authentication of devices by a particular vendor, specify a 24‐bit mask, to mask out everything except the vendor portion of the MAC address. Example This example sets the MAC authentication significant bits mask to 24. C2(su)->set macauthentication significant-bits 24 clear macauthentication significant-bits Use this command to reset the number of significant bits of the MAC address to use for authentication to the default of 48. Syntax...
Page 646 Mode Switch command, read‐write. Example This example resets the MAC authentication significant bits to 48. C2(su)->clear macauthentication significant-bits 23-32 Authentication and Authorization Configuration...
Page 647: Configuring Multiple Authentication Methods
Configuring Multiple Authentication Methods Note: C2 devices support up to six authenticated users per port. About Multiple Authentication Types When enabled, multiple authentication types allow users to authenticate using more than one method on the same port. In order for multiple authentication to function on the device, each possible method of authentication (MAC authentication, 802.1X, PWA) must be enabled globally and configured appropriately on the desired ports with its corresponding command set described in this chapter. Multiple authentication mode must be globally enabled on the device using the set multiauth mode command. Configuring Multi-User Authentication (User + IP phone) The User + IP phone multi‐user authentication feature allows a user and their IP phone to both use a single port on the C2 but to have separate policy roles. Note: The only Multi-User Authentication supported on the C2 is User + IP phone. The IP phone has to authenticate using 802.1x or MAC authentication, but the User may authenticate using 802.1x, PWA, or MAC authentication.
Page 648: Show Multiauth
Use this command to display multiple authentication system configuration. Syntax show multiauth Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display multiple authentication system configuration: C2(rw)->show multiauth Multiple authentication system configuration ------------------------------------------------- Supported types Maximum number of users Current number of users System mode Default precedence...
Page 649: Set Multiauth Mode
Use this command to set the system authentication mode to allow multiple authenticators simultaneously (802.1x, PWA, and MAC Authentication) on a single port, or to strictly adhere to 802.1x authentication. Syntax set multiauth mode {multi | strict} Parameters multi strict Defaults None. Mode Switch command, read‐write. Usage Multiauth multi mode requires that MAC, PWA, and 802.1X authentication be enabled globally, and configured appropriately on the desired ports according to their corresponding command sets described in this chapter. Refer to “Configuring 802.1X Authentication” on page 23‐11 and “Configuring MAC Authentication” on page (PWA)” on page 23‐61. Example This example shows how to enable simultaneous multiple authentications: C2(rw)->set multiauth mode multi clear multiauth mode Use this command to clear the system authentication mode. Syntax clear multiauth mode Parameters None.
Page 650: Set Multiauth Precedence
This example shows how to clear the system authentication mode: C2(rw)->clear multiauth mode set multiauth precedence Use this command to set the system’s multiple authentication administrative precedence. Syntax set multiauth precedence {[dot1x] [mac] [pwa]} Parameters dot1x Defaults None. Mode Switch command, read‐write. Usage When a user is successfully authenticated by more than one method at the same time, the precedence of the authentication methods will determine which RADIUS‐returned filter ID will be processed and result in an applied traffic policy profile. Example This example shows how to set precedence for MAC authentication: C2(rw)->set multiauth precedence mac dot1x clear multiauth precedence Use this command to clear the system’s multiple authentication administrative precedence. Syntax clear multiauth precedence Parameters None.
Page 651: Show Multiauth Port
Mode Switch command, read‐write. Example This example shows how to clear the multiple authentication precedence: C2(rw)->clear multiauth precedence show multiauth port Use this command to display multiple authentication properties for one or more ports. Syntax show multiauth port [port-string] Parameters port‐string Defaults If port‐string is not specified, multiple authentication information will be displayed for all ports. Mode Switch command, read‐only. Example This example shows how to display multiple authentication information for ports C2(rw)->show multiauth port ge.3.1-4 Port ------------ ------------ ---------- ---------- ---------- ge.3.1 auth-opt ge.3.2 auth-opt ge.3.3 auth-opt ge.3.4...
Page 652: Clear Multiauth Port
Defaults None. Mode Switch command, read‐write. Examples This example shows how to set the port multiple authentication mode to required on C2(rw)->set multiauth port mode auth-reqd ge.3.14 This example shows how to set the number of users allowed to authenticate on port C2(rw)->set multiauth port numusers 8 ge.3.14 clear multiauth port Use this command to clear multiple authentication properties for one or more ports. Syntax clear multiauth port {mode | numusers} port-string Parameters mode numusers ...
Page 653: Show Multiauth Station
Mode Switch command, read‐write. Examples This example shows how to clear the port multiple authentication mode on port C2(rw)->clear multiauth port mode ge.3.14 This example shows how to clear the number of users on port C2(rw)->clear multiauth port numusers ge.3.14 show multiauth station Use this command to display multiple authentication station (end user) entries. Syntax show multiauth station [mac address] [port port-string] Parameters mac address port port‐string Mode Switch command, read‐only. Defaults If no options are specified, multiple authentication station entries will be displayed for all MAC addresses and ports. Example This example shows how to display multiple authentication station entries. In this case, two end user MAC addresses are shown: C2(rw)->show multiauth station...
Page 654: Show Multiauth Idle-Timeout
Parameters agent dot1x | mac | mac address port port‐string Defaults If no options are specified, multiple authentication session entries will be displayed for all sessions, authentication types, MAC addresses, and ports. Mode Switch command, read‐only. Example This example shows how to display multiple authentication session information for port C2(su)->show multiauth session port ge.1.1 __________________________________________ Port Auth status Agent type Server type Policy index Session timeout Idle timeout Termination time | Not Terminated show multiauth idle-timeout Use this command to display the timeout value, in seconds, for an idle session for all ...
Page 655: Set Multiauth Idle-Timeout
Parameters dot1x timeout Defaults If no authentication method is specified, the idle timeout value is set for all authentication methods. Mode Switch mode, read‐write. Usage If you set an idle timeout value, a MAC user whose MAC address has aged out of the forwarding database will be unauthenticated if no traffic has been seen from that address for the specified idle timeout period. A value of zero indicates that no idle timeout will be applied unless an idle timeout value is provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Idle‐Timeout Attribute in its authentication response. Example This example sets the idle timeout value for all authentication methods to 300 seconds. C2(su)->set multiauth idle-timeout 300 Timeout (sec) (Optional) Specifies the IEEE 802.1X port‐based network access control authentication method for which to set the timeout value. (Optional) Specifies the Enterasys MAC authentication method for which to set the timeout value. (Optional) Specifies the Enterasys Port Web Authentication method for which to set the timeout value. Specifies the timeout value in seconds. The value can range from 0 to 65535. A value of 0 means that no idle timeout will be applied unless an idle timeout value is provided by the authenticating server. set multiauth idle-timeout SecureStack C2 Configuration Guide 23-41...
Page 656: Clear Multiauth Idle-Timeout
[dot1x | mac | pwa] Parameters dot1x Defaults If no authentication method is specified, the idle timeout value is reset to its default value of 0 for all authentication methods. Mode Switch mode, read‐write. Example This example resets the idle timeout value for all authentication methods to 0 seconds. C2(su)->clear multiauth idle-timeout show multiauth session-timeout Use this command to display the session timeout value, in seconds, for all authentication methods. Syntax show multiauth session-timeout Parameters None. Defaults None. Mode Switch mode, read‐only. 23-42 Authentication and Authorization Configuration (Optional) Specifies the IEEE 802.1X port‐based network access control authentication method for which to reset the timeout value to its default. (Optional) Specifies the Enterasys MAC authentication method for which to reset the timeout value to its default. (Optional) Specifies the Enterasys Port Web Authentication method for which to reset the timeout value to its default. ...
Page 657: Set Multiauth Session-Timeout
[dot1x | mac | pwa] timeout Parameters dot1x timeout Defaults If no authentication method is specified, the session timeout value is set for all authentication methods. Mode Switch mode, read‐write. Usage A value of zero may be superseded by a session timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Session‐Timeout Attribute in its authentication response. Example This example sets the session timeout value for the IEEE 802.1X authentication method to 300 seconds. C2(su)->set multiauth session-timeout dot1x 300 Timeout (sec) (Optional) Specifies the IEEE 802.1X port‐based network access control authentication method for which to set the session timeout value. (Optional) Specifies the Enterasys MAC authentication method for which to set the session timeout value. (Optional) Specifies the Enterasys Port Web Authentication method for which to set the session timeout value. Specifies the timeout value in seconds. The value can range from 0 to 65535. A value of 0 means that no session timeout will be applied unless a session timeout value is provided by the authenticating server. set multiauth session-timeout SecureStack C2 Configuration Guide 23-43...
Page 658: Clear Multiauth Session-Timeout
Use this command to reset the maximum number of consecutive seconds an authenticated session may last before termination of the session to its default value of 0. Syntax clear multiauth session-timeout [dot1x | mac | pwa] Parameters dot1x Defaults If no authentication method is specified, the session timeout value is reset to its default value of 0 for all authentication methods. Mode Switch mode, read‐write. Example This example resets the session timeout value for the IEEE 802.1X authentication method to 0 seconds. C2(su)->clear multiauth session-timeout dot1x 23-44 Authentication and Authorization Configuration (Optional) Specifies the IEEE 802.1X port‐based network access control authentication method for which to reset the timeout value to its default. (Optional) Specifies the Enterasys MAC authentication method for which to reset the timeout value to its default. (Optional) Specifies the Enterasys Port Web Authentication method for which to reset the timeout value to its default. ...
Page 659: Configuring Vlan Authorization (Rfc 3580)
Configuring VLAN Authorization (RFC 3580) Purpose RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X authenticated or a MAC authenticated user to a VLAN regardless of the PVID. Up to six users can be configured per Gigabit port. Please see section 3‐31 of RFC 3580 for details on configuring a RADIUS server to return the desired tunnel attributes. As stated in RFC 3580, “... it may be desirable to allow a port to be placed into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based on the result of the authentication.” The RADIUS server typically indicates the desired VLAN by including tunnel attributes within its Access‐Accept parameters. However, the IEEE 802.1X or MAC authenticator can also be configured to instruct the VLAN to be assigned to the supplicant by including tunnel attributes within Access‐Request parameters. The following tunnel attributes are used in VLAN authorization assignment, : • Tunnel‐Type ‐ VLAN (13) • Tunnel‐Medium‐Type ‐ 802 • Tunnel‐Private‐Group‐ID ‐ VLANID In order to authenticate multiple RFC 3580 users, policy maptable response must be set to tunnel as described in this section. Notes: The C2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are configured to use a port, and the C2 is then switched from "policy"...
Page 660: Set Policy Maptable Response
Syntax show policy maptable response Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the current policy maptable response setting: C2(rw)->show policy maptable response policy set policy maptable response Sets the maptable response from the default of policy to tunnel to allow up to six VLAN authorized users to be configured per Gigabit port. Syntax set policy maptable response {policy | tunnel} Parameters policy...
Page 661: Set Vlanauthorization
When a user successfully authenticates to the network, the RADIUS server returns an Access‐ Accept frame. This frame can have many attributes, two of which are a Filter ID (which is how policy assignment is achieved) and RFC 3580 VLAN assignment. If a switch is in tunnel mode: • The FID (Filter ID) is always ignored, but Default policy rules still apply. • The VLAN attribute is used if present, and if VLAN authorization is enabled. See “set vlanauthorization” on page 23‐47. If a switch is in policy mode: • If the Access‐Accept frame has the FID attribute only, then the FID is used. • If the Access‐Accept frame has the VLAN attribute only, then it is used provided that VLAN authorization is enabled. See “set vlanauthorization” on page 23‐47. • If both attributes are returned, use the FID only. Examples This example shows how to set the policy maptable response to tunnel: C2(rw)-> set policy maptable response tunnel set vlanauthorization Enable or disable the use of the RADIUS VLAN tunnel attribute to put a port into a particular VLAN based on the result of authentication. Syntax set vlanauthorization {enable | disable} [port-string] Parameters enable | disable port‐string...
Page 662: Set Vlanauthorization Egress
Controls the modification of the current VLAN egress list of 802.1x authenticated ports for the VLANs returned in the RADIUS authorization filter id string. Syntax set vlanauthorization egress {none | tagged | untagged} port-string Parameters none tagged untagged port‐string Defaults By default, administrative egress is set to untagged. Mode Switch command, read‐write. Example This example shows how to enable the insertion of the RADIUS assigned VLAN to an 802.1q tag for all outbound frames for ports 10 through 15 on unit/module number 3. C2(rw)->set vlanauthorization egress tagged ge.3.10-15 clear vlanauthorization Use this command to return port(s) to the default configuration of VLAN authorization disabled, egress untagged. Syntax clear vlanauthorization [port-string] Parameters port‐string Defaults If no port string is entered, all ports a will be reset to default configuration with VLAN ...
Page 663: Show Vlanauthorization
Mode Switch command, read‐write. Example This example show how to clear VLAN authorization for all ports on slots 3, 4, and 5: C2(rw)->clear vlanauthorization ge.3-5.* show vlanauthorization Displays the VLAN authentication status and configuration information for the specified ports. Syntax show vlanauthorization [port-string] Parameters port‐string Defaults If no port string is entered, the status for all ports will be displayed. Mode Switch command, read‐only. Example This command shows how to display VLAN authorization status for ge.1.1: C2(su)‐>show vlanauthorization ge.1.1 Vlan Authorization: ‐ enabled port status ------- -------- ge.1.1 enabled Table 23‐5 provides an explanation of command output. For details on enabling and assigning protocol and egress attributes, refer to “set vlanauthorization” on page vlanauthorization egress” on page 23‐48. Table 23-5 show vlanauthorization Output Details...
Page 664: Configuring Mac Locking
Configuring MAC Locking Table 23-5 show vlanauthorization Output Details (Continued) Output Field authenticated mac address vlan id Configuring MAC Locking This feature locks a MAC address to one or more ports, preventing connection of unauthorized devices through the port(s). When source MAC addresses are received on specified ports, the switch discards all subsequent frames not containing the configured source addresses. The only frames forwarded on a “locked” port are those with the “locked” MAC address(es) for that port. There are two methods of locking a MAC to a port: first arrival and static. The first arrival method is defined to be locking the first n number of MACs which arrive on a port configured with MAC locking enabled. The value n is configured with the set maclock firstarrival command. The static method is defined to be statically provisioning a MAC‐port lock using the set maclock command. The maximum number of static MAC addresses allowed for MAC locking on a port can be configured with the set maclock static command. You can configure the switch to issue a violation trap if a packet arrives with a source MAC address different from any of the currently locked MAC addresses for that port. MACs are unlocked as a result of: • A link down event • When MAC locking is disabled on a port • When a MAC is aged out of the forwarding database when FirstArrival aging is enabled When properly configured, MAC locking is an excellent security tool as it prevents MAC spoofing ...
Page 665: Show Maclock
Use this command to display the status of MAC locking on one or more ports. Syntax show maclock [port-string] Parameters port‐string Defaults If port‐string is not specified, MAC locking status will be displayed for all ports. Mode Switch command, read‐only. Example This example shows how to display MAC locking information for C2(su)->show maclock ge.1.1 MAC locking is globally enabled Port Port Number Status ------- ------- ge.1.1 enabled Table 23‐6 provides an explanation of the command output.
Page 666: Show Maclock Stations
CLI” on page 7-2. Whether MAC locking is enabled or disabled on the port. MAC locking is globally disabled by default. For details on enabling MAC locking on the switch and on one or more ports, refer to “set maclock enable”...
Page 667: Set Maclock Enable
Use this command to enable MAC locking globally or on one or more ports. Note: MAC locking needs to be enabled globally and on appropriate ports for it to function. Syntax set maclock enable [port‐string] Parameters port‐string Defaults If port‐string is not specified, MAC locking will be enabled globally. Mode Switch command, read‐write. Usage When enabled and configured, MAC locking defines which MAC addresses, as well as how many MAC addresses are permitted to use specific port(s). .2.* MAC Address Status -------------- -------------- ----- active active What It Displays...
Page 668: Set Maclock Disable
Example This example shows how to enable MAC locking on fe.2.3: C2(su)->set maclock enable set maclock disable Use this command to disable MAC locking globally or on one or more ports. Syntax set maclock disable [port-string] Parameters port‐string Defaults If port‐string is not specified, MAC locking will be disabled globally on the switch. Mode Switch command, read‐write. Example This example shows how to disable MAC locking on fe.2.3: C2(su)->set maclock disable set maclock Use this command to create a static MAC address‐to‐port locking, and to enable or disable MAC locking for the specified MAC address and port. Syntax set maclock mac-address port-string {create | enable | disable} Parameters mac‐address...
Page 669: Clear Maclock
Defaults None. Mode Switch command, read‐write. Usage Configuring a port for MAC locking requires globally enabling it on the switch first using the set maclock enable command as described in “set maclock enable” on page 23‐53. Static MAC locking a user on multiple ports is not supported. Statically MAC locked addresses will display in the show mac output (as described on page 14‐20) as address type “other” and will not remove them on link down. Example This example shows how to create a MAC locking association between MAC address 0e‐03‐ef‐d8‐ 44‐55 and port C2(rw)->set maclock 0e-03-ef-d8-44-55 ge.3.2 create clear maclock Use this command to remove a static MAC address to port locking entry. Syntax clear maclock mac-address port-string Parameters mac‐address port‐string Defaults None. Mode Switch command, read‐write. Establishes a MAC locking association between the specified MAC address and port. Create automatically enables MAC locking between the specified MAC address and port. Enables or disables MAC locking between the specified MAC address and ...
Page 670: Set Maclock Static
Use this command to set the maximum number of static MAC addresses allowed per port. Static MACs are administratively defined. Syntax set maclock static port-string value Parameters port‐string value Defaults None. Mode Switch command, read‐write. Example This example shows how to set the maximum number of allowable static MACs to 2 on C2(rw)->set maclock static ge.3.1 2 clear maclock static Use this command to reset the number of static MAC addresses allowed per port to the default value of 20. Syntax clear maclock static port-string 23-56 Authentication and Authorization Configuration Specifies the port on which to set the maximum number of static MACs ...
Page 671: Set Maclock Firstarrival
Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the number of allowable static MACs on fe.2.3: C2(rw)->clear maclock static set maclock firstarrival Use this command to restrict MAC locking on a port to a maximum number of end station addresses first connected to that port. Syntax set maclock firstarrival port-string value Parameters port‐string value Defaults None. Mode Switch command, read‐write. Usage The maclock first arrival count resets when the link goes down. This feature is beneficial if you have roaming users—the first arrival count will be reset every time a user moves to another port, but will still protect against connecting multiple devices on a single port and will protect against MAC address spoofing. Note: Setting a port’s first arrival limit to 0 does not deny the first MAC address learned on the port from passing traffic.
Page 672: Clear Maclock Firstarrival
C2(su)->set maclock firstarrival clear maclock firstarrival Use this command to reset the number of first arrival MAC addresses allowed per port to the default value of 600. Syntax clear maclock firstarrival port-string Parameters port‐string Defaults None. Mode Switch command, read‐write. Example This example shows how to reset MAC first arrivals on fe.2.3: C2(su)->clear maclock firstarrival set maclock agefirstarrival Use this command to enable or disable the aging of first arrival MAC addresses. When enabled, first arrival MAC addresses that are aged out of the forwarding database will be removed from the associated port MAC lock. Syntax set maclock agefirstarrival port-string {enable | disable} Parameters port‐string enable | disable...
Page 673: Clear Maclock Agefirstarrival
Mode Switch mode, read‐write. Example This example enables first arrival aging on port C2(su)-> set maclock agefirstarrival ge.1.1 enable clear maclock agefirstarrival Use this command to reset first arrival aging on one or more ports to its default state of disabled. Syntax clear maclock agefirstarrival port-string Parameters port‐string Defaults None. Mode Switch mode, read‐write. Example This example disables first arrival aging on port C2(su)-> clear maclock agefirstarrival ge.1.1 enable set maclock move Use this command to move all current first arrival MACs to static entries. Syntax set maclock move port-string Parameters port‐string...
Page 674: Set Maclock Trap
Mode Switch command, read‐write. Usage If there are more first arrival MACs than the allowed maximum static MACs, then only the latest first arrival MACs will be moved to static entries. For example, if you set the maximum number of static MACs to 2 with the set maclock static command, and then executed the set maclock move command, even though there were five MACs in the first arrival table, only the two most recent MAC entries would be moved to static entries. Example This example shows how to move all current first arrival MACs to static entries on ports C2(rw)->set maclock move ge.3.1-40 set maclock trap Use this command to enable or disable MAC lock trap messaging. Syntax set maclock trap port-string {enable | disable} Parameters port‐string enable | disable Defaults None. Mode Switch command, read‐write. Usage When enabled, this feature authorizes the switch to send an SNMP trap message if an end station is connected that exceeds the maximum values configured using the set maclock firstarrival and set maclock static commands. Violating MAC addresses are dropped from the device’s (or stack’s) ...
Page 675: Configuring Port Web Authentication (Pwa)
Configuring Port Web Authentication (PWA) About PWA PWA provides a way of authenticating users before allowing general access to the network To log on using PWA, the user makes a request through a web browser for the PWA web page or is automatically redirected to this login page after requesting a URL in a browser. Depending upon the authenticated state of the user, a login page or a logout page will display. When a user submits username and password, the switch then authenticates the user via a preconfigured RADIUS server. If the login is successful, then the user will be granted full network access according to the user’s policy configuration on the switch. Note: One user per PWA-configured port can be authenticated on SecureStack C2 devices. PWA authentication does not support RFC-3580 VLAN authorization. Purpose To review, enable, disable, and configure Port Web Authentication (PWA). Commands For information about...
Page 676: Show Pwa
Use this command to display port web authentication information for one or more ports. Syntax show pwa [port-string] Parameters port‐string Defaults If port‐string is not specified, PWA information will be displayed for all ports. Mode Switch command, read‐only. Example This example shows how to display PWA information for C2(su)->show pwa ge.2.1 PWA Status PWA IP Address PWA Protocol PWA Enhanced Mode PWA Logo PWA Guest Networking Status - disabled PWA Guest Name...
Page 677: Set Pwa
Example This example shows how to enable port web authentication: C2(su)->set pwa enable What It Displays... Whether the Enterasys Networks logo will be displayed or hidden at user login. Default state of enabled (displayed) can be changed using the set pwa displaylogo command as described in “set pwa displaylogo”...
Page 678: Show Pwa Banner
Switch command, read‐only. Example This example shows how to display the PWA login banner: C2(su)->show pwa banner Welcome to Enterasys Networks set pwa banner Use this command to configure a string to be displayed as the PWA login banner. Syntax set pwa banner string Parameters string Defaults None. Mode Switch command, read‐write. Example This example shows how to set the PWA login banner to “Welcome to Enterasys Networks”: C2(su)->set pwa banner “Welcome to Enterasys Networks” 23-64 Authentication and Authorization Configuration Specifies the PWA login banner.
Page 679: Clear Pwa Banner
Use this command to reset the PWA login banner to a blank string. Syntax clear pwa banner Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the PWA login banner to a blank string C2(su)->clear pwa banner set pwa displaylogo Use this command to set the display options for the Enterasys Networks logo. Syntax set pwa displaylogo {display | hide} Parameters display | hide Defaults None. Mode Switch command, read‐write. Example This example shows how to hide the Enterasys Networks logo: C2(su)->set pwa displaylogo hide Displays or hides the Enterasys Networks logo when the PWA website ...
Page 680: Set Pwa Ipaddress
Use this command to set the PWA IP address. This is the IP address of the end station from which PWA will prevent network access until the user is authenticated. Syntax set pwa ipaddress ip-address Parameters ip‐address Defaults None. Mode Switch command, read‐write. Example This example shows how to set a PWA IP address of 1.2.3.4: C2(su)->set pwa ipaddress 1.2.3.4 set pwa protocol Use this command to set the port web authentication protocol. Syntax set pwa protocol {chap | pap} Parameters chap | pap Defaults None.
Page 681: Set Pwa Guestname
Use this command to set a guest user name for PWA networking. PWA will use this name to grant network access to guests without established login names and passwords. Syntax set pwa guestname name Parameters name Defaults None. Mode Switch command, read‐write. Example This example shows how to set the PWA guest user name to “guestuser”: C2(su)->set pwa guestname guestuser clear pwa guestname Use this command to clear the PWA guest user name. Syntax clear pwa guestname Parameters None. Defaults None. Mode Switch command, read‐write. Example This example shows how to clear the PWA guest user name C2(su)->clear pwa guestname Specifies a guest user name. ...
Page 682: Set Pwa Guestpassword
Use this command to set the guest user password for PWA networking. Syntax set pwa guestpassword Parameters None. Defaults None. Mode Switch command, read‐write. Usage PWA will use this password and the guest user name to grant network access to guests without established login names and passwords. Example This example shows how to set the PWA guest user password name: C2(su)->set pwa guestpassword Guest Password: ********* Retype Guest Password: ********* set pwa gueststatus Use this command to enable or disable guest networking for port web authentication. Syntax set pwa gueststatus {authnone | authradius | disable} Parameters authnone ...
Page 683: Set Pwa Initialize
This example shows how to enable PWA guest networking with RADIUS authentication: C2(su)->set pwa guestnetworking authradius set pwa initialize Use this command to initialize a PWA port to its default unauthenticated state. Syntax set pwa initialize [port-string] Parameters port‐string Defaults If port‐string is not specified, all ports will be initialized. Mode Switch command, read‐write. Example This example shows how to initialize ports C2(su)->set pwa initialize ge.1.5-7 set pwa quietperiod Use this command to set the amount of time a port will remain in the held state after a user unsuccessfully attempts to log on to the network. Syntax set pwa quietperiod time [port-string] Parameters time port‐string (Optional) Initializes specific port(s). For a detailed description of possible ...
Page 684: Set Pwa Maxrequest
Defaults If port‐string is not specified, quiet period will be set for all ports. Mode Switch command, read‐write. Example This example shows how to set the PWA quiet period to 30 seconds for ports C2(su)->set pwa quietperiod 30 ge.1.5-7 set pwa maxrequest Use this command to set the maximum number of log on attempts allowed before transitioning the PWA port to a held state. Syntax set pwa maxrequests requests [port-string] Parameters maxrequests port‐string Defaults If port‐string is not specified, maximum requests will be set for all ports. Mode Switch command, read‐write. Example This example shows how to set the PWA maximum requests to 3 for all ports: C2(su)->set pwa maxrequests 3 set pwa portcontrol This command enables or disables PWA authentication on select ports.
Page 685: Show Pwa Session
Parameters enable | disable port‐string Defaults If port‐string is not specified, PWA will enabled on all ports. Mode Switch command, read‐write. Example This example shows how to enable PWA on ports 1‐22: C2(su)->set pwa portcontrol enable ge.1.1-22 show pwa session Use this command to display information about current PWA sessions. Syntax show pwa session [port-string] Parameters port‐string Defaults If port‐string is not specified, session information for all ports will be displayed. Mode Switch command, read‐only. Example This example shows how to display PWA session information: C2(su)->show pwa session Port -------- ----------------- --------------- ------------- ------------ --------- ge.2.19...
Page 686: Set Pwa Enhancedmode
This command enables PWA URL redirection. The switch intercepts all HTTP packets on port 80 from the end user, and sends the end user a refresh page destined for the PWA IP Address configured. Syntax set pwa enhancedmode {enable | disable} Parameters enable | disable Defaults None. Mode Switch command, read‐write. Example This example shows how to enable PWA enhancedmode: C2(su)->set pwa enhancedmode enable 23-72 Authentication and Authorization Configuration Enables or disables PWA enhancedmode.
Page 687: Configuring Secure Shell (Ssh)
Configuring Secure Shell (SSH) Purpose To review, enable, disable, and configure the Secure Shell (SSH) protocol, which provides secure Telnet. Commands For information about... show ssh status set ssh set ssh hostkey show ssh status Use this command to display the current status of SSH on the switch. Syntax show ssh status Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display SSH status on the switch: C2(su)->show ssh status SSH Server status: Disabled set ssh Use this command to enable, disable or reinitialize SSH server on the switch. By default, the SSH ...
Page 688: Set Ssh Hostkey
Parameters enable | disable reinitialize Defaults None. Mode Switch command, read‐write. Example This example shows how to disable SSH: C2(su)->set ssh disable set ssh hostkey Use this command to set or reinitialize new SSH authentication keys. Syntax set ssh hostkey [reinitialize] Parameters reinitialize Defaults If reinitialize is not specified, the user must supply SSH authentication key values. Mode Switch command, read‐write. Example This example shows how to regenerate SSH keys: C2(su)->set ssh hostkey reinitialize 23-74 Authentication and Authorization Configuration Enables or disables SSH, or reinitializes the SSH server.
Page 689: Configuring Access Lists
Configuring Access Lists Router: These commands can be executed when the device is in router mode only. For details on how to enable router configuration modes, refer to page 18-2. Note: Access Control Lists are limited to 100 per stack and 9 per interface on C2 stack configurations, or mixed configurations of C2 and C3 switches in a stack.
Page 690: Access-List (Standard)
access-list (standard) (standard)” on page 23‐76. For details on configuring extended access lists, refer to “access‐list (extended)” on page 23‐77 C2(su)->router#show access-lists 101 Extended IP access list 101 1: permit icmp host 18.2.32.130 any 2: permit udp host 198.92.32.130 host 171.68.225.126 3: deny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255 4: deny ip 11.6.0.0 0.1.255.255 224.0.0.0 15.255.255.255 5: deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255 access-list (standard) Use this command to define a standard IP access list by number when operating in router mode. ...
Page 691: Access-List (Extended)
If source2 is not specified with move, only one entry will be moved. Mode Global configuration: C2(su)‐>router(Config)# Usage Note: ACLs are not supported on routed VLANs which incorporate LAG ports. Valid access list numbers for standard ACLs are 1 to 99. For extended ACLs, valid values are 100 to 199. Access lists are applied to interfaces by using the ip access‐group command ((page 23‐79)). Examples This example shows how to create access list 1 with three entries that allow access to only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list entries will be rejected: C2(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255 C2(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255 C2(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255 This example moves entry 16 to the beginning of ACL 22: C2(su)->router(Config)#access-list 22 move 1 16 access-list (extended)
Page 692 access-list (extended) protocol source source‐wildcard operator port destination destination‐ wildcard insert | replace entry move destination source1 source2 Defaults If insert, replace, or move are not specified, the new entry will be appended to the access list. If source2 is not specified with move, only one entry will be moved. If operator and port are not specified, access parameters will be applied to all TCP or UDP ports. Mode Global configuration: C2(su)‐>router(Config)# Usage Access lists are applied to interfaces by using the ip access‐group command as described in “ip access‐group” on page 23‐79. 23-78 Authentication and Authorization Configuration Specifies an IP protocol for which to deny or permit access. Valid values and their corresponding protocols are: • ip ‐ Any Internet protocol • udp ‐ User Datagram Protocol • tcp ‐ Transmission Control Protocol • icmp ‐ Internet Control Message Protocol Specifies the network or host from which the packet will be sent. Valid options for expressing source are: •...
Page 693: Ip Access-Group
Valid access‐list‐numbers for extended ACLs are 100 to 199. For standard ACLs, valid values are 1 to 99. Example This example shows how to define access list 101 to deny ICMP transmissions from any source and for any destination: C2(su)->router(Config)#access-list 101 deny ICMP any any ip access-group Use this command to apply access restrictions to inbound frames on an interface when operating in router mode. The no form of this command removes the specified access list. Syntax ip access-group access-list-number in no ip access-group access-list-number in Parameters access‐list‐number Defaults None. Mode Interface configuration: C2(su)‐>router(Config‐if(Vlan <vlan_id>))# Usage ACLs must be applied per routing interface. An entry (rule) can be applied to inbound frames only. Example This example shows how to apply access list 1 for all inbound frames on the VLAN 1 interface. Through the definition of access list 1, only frames with a source address on the 192.5.34.0/24 network will be routed. All the frames with other source addresses received on the VLAN 1 interface are dropped: C2(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255 C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip access-group 1 in Specifies the number of the access list to be applied to the access list. This ...
Page 694 ip access-group 23-80 Authentication and Authorization Configuration...
Page 695: Index
20-8 RIP send 20-4 access lists 23-76 23-77 address, setting for a routing interface 19-5 routes, adding in router mode 19-17 routes, managing in switch mode 14-17 IPv6 addresses, setting 21-3 default router, setting 21-5 gateway, setting 21-5 management 21-1...
Page 696 Multiple Spanning Tree Protocol (MSTP) Name setting for a VLAN 10-6 setting for the system 3-26 Neighbors OSPF 20-30 Network Management addresses and routes 14-17 monitoring switch events and status 14-12 Networks OSPF 20-14 Node Alias 14-35 NSSA Areas 20-23 NVRAM clearing 3-49...
Page 697 Stub Areas 20-22 Syslog 14-1 System Information displaying basic 3-13 setting basic Technical Support xxxii Telnet disconnecting 14-15 enabling in switch mode 3-36 Terminal Settings 3-27 TFTP downloading firmware upgrades 3-30 Timeout 19-11 CLI, system 3-29 RADIUS 23-5 Timers...
Page 698 Index - 4...

This manual is also suitable for:

C2h124-24 Securestack c2

Enterasys SecureStack C2 C2G170-24 Configuration Manual

About this Guide

Chapter 1: Introduction

Chapter 2 : Configuring Switches in a Stack

Chapter 3: Basic Configuration

Chapter 4: Activating Licensed Features

Chapter 5 : Configuring System Power and Poe

Chapter 6 : Discovery Protocol Configuration

Chapter 7 : Port Configuration

Quick Links

Related Manuals for Enterasys SecureStack C2 C2G170-24

Summary of Contents for Enterasys SecureStack C2 C2G170-24