Part No. 060202-10, Rev. E August 2009 Alcatel OS-LS-6200 User Guide www.alcatel.com...
Additionally, with 24-hour-a-day access to Alcatel’s Service and Support web page, you’ll be able to view and update any case (open or closed) that you have reported to Alcatel’s technical support, open a new case or access helpful release notes, technical bulletins, and manuals.
This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions in this guide, may cause interference to radio communications. Operation of this equipment in a residential area is likely to cause interference, in which case the user will be required to correct the interference at his own expense.
Static IP Address and Subnet Mask; User Name; SNMP Community Strings; Advanced Configuration; Retrieving an IP Address From a DHCP Server; Receiving an IP Address From a BOOTP Server; Security Management and Password Configuration; Configuring Security Passwords Introduction...
Contents: Stacking Members and Unit ID; Removing and Replacing Stacking Members; Exchanging Stacking Members; Switching between the Stacking Master and the Secondary Master; Configuring Stacking; Resetting the Stack; Managing System Logs; Enabling System Logs; Viewing Memory Logs; Viewing the Device FLASH Logs; Remote Log Configuration; Configuring SNTP
Defining RMON History Control; Viewing the RMON History Table; Defining RMON Events Control; Viewing the RMON Events Logs; Defining RMON Alarms; Alcatel Mapping Adjacency Protocol (AMAP); Configuring AMAP; Viewing Adjacent Devices; Configuring LLDP; Defining LLDP Port Settings; Defining Media Endpoint Discovery Network Policy...
IP Source Guard; Configuring IP Source Guard Properties; Defining IP Source Guard Interface Settings; Adding Interfaces to the IP Source Guard Database; Defining the Forwarding Database; Defining Static Forwarding Database Entries; Defining Dynamic Forwarding Database Entries; Configuring Spanning Tree
Defining GARP; Defining GVRP; Viewing GVRP Statistics; Multicast Filtering; Defining IGMP Snooping; Specifying Static Interfaces for a Multicast Group; Displaying Interfaces Attached to a Multicast Router; Configuring Multicast TV; Defining Multicast TV Membership; Configuring Triple Play; Configuring Quality of Service...
Entering Commands; Keywords and Arguments; Minimum Abbreviation; Command Completion; Getting Help on Commands; Partial Keyword Lookup; Negating the Effect of Commands; Using Command History; Understanding Command Modes; Exec Commands; Configuration Commands; Command Line Processing; Command Groups; 802.1x Commands
(Interface); sntp unicast client enable; sntp unicast client poll; sntp server; show clock; show sntp configuration; show sntp status; Configuration and Image File Commands; copy; delete; more; rename; boot system; show running-config; show startup-config; show bootvar; Ethernet Configuration Commands
IP Addressing Commands...
Port Monitor Commands; port monitor; show ports monitor; Power over Ethernet Commands; power inline; power inline powered-device; power inline priority; power inline usage-threshold; power inline traps enable; show power inline; QoS Commands...
show qos map; RADIUS Commands; radius-server host; radius-server key; radius-server retransmit; radius-server source-ip; radius-server timeout; radius-server deadtime; show radius-servers; RMON Commands; show rmon statistics; rmon collection history; show rmon collection history; show rmon history; rmon alarm...
Syslog Commands; logging on; logging; logging console...
DHCP Snooping, IP Source Guard and ARP Inspection Commands; ip dhcp snooping; ip dhcp snooping vlan; ip dhcp snooping trust...
ip dhcp information option; ip dhcp snooping verify; ip dhcp snooping database; ip dhcp snooping database update-freq; ip dhcp snooping binding; clear ip dhcp snooping database; show ip dhcp snooping; show ip dhcp snooping binding; ip source-guard (global); ip source-guard (interface)
Appendix A. Configuration Examples: Configuring QinQ; Configuring Customer VLANs using the CLI...
Configuring Multicast TV; Configuring Customer VLANs; Configuring Customer VLANs Using the Web Interface. Appendix B. Software Specifications: Software Features; Management Features; Standards; Management Information Bases. Appendix C. Troubleshooting: Problems Accessing the Management Interface; Using System Logs...
The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Enables to add information for the DHCP server on request. IP Source Address Guard: Restricts IP traffic on non-routed, Layer 2 interfaces by filtering traffic. This feature is based on the DHCP snooping binding database and on manually configured IP source bindings.
Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings. Authentication – This switch authenticates management access via the console port, Telnet or web browser.
Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
BPDU is utilized when Fast Link ports are enabled and/or if the Spanning Tree Protocol is disabled on ports. If a BPDU message is sent to a port on which STP is disabled, BPDU Guard shuts down the port, and generates an SNMP message.
ARP Inspection List. Trusted packets are forwarded without ARP Inspection. • Untrusted — Indicates that the packet arrived from an interface that does not have a recognized IP and MAC address. The packet is checked for: • Source MAC — Compares the packet’s source MAC address against the sender’s MAC address in the ARP request.
GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can: •...
(Vlans) standard. 802.1p establishes eight levels of priority, similar to the IP Precedence IP Header bit-field. Quality of Service Basic Mode – In the Basic QoS mode, it is possible to activate a trust mode (to trust VPT, DSCP, TCP/UDP or none). In addition, a single Access Control List can be attached to an interface.
Remote Authentication Dial In User Service (RADIUS) server using the Extensible Authentication Protocol (EAP). System Defaults The device is configured with default settings. To reset the device to the default settings, delete the startup configuration. The following table lists some of the basic system defaults.
300 sec. Discovery Phase Timeout Interval 30 sec. Rate Limiting Input and output limits disabled Port Trunking Static Trunks up to 8 port in 8 trunks can be defined LACP system priority LACP Port-priority LACP long Broadcast Storm Status disabled...
Quality of Service QoS Mode disabled CoS Mapping CoS 0 - queue 1; CoS 1 - queue 1; CoS 2 - queue 1; CoS 3 - queue 1; CoS 4 - queue 2; CoS 5 - queue 2; CoS 6 - queue 3; CoS 7 - queue 3;...
Introduction Table 1-2. System Defaults Function Parameter Default Server enabled RADIUS RADIUS server none defined TACACS+ TACACS+ server none defined...
• Software Download and Reboot • Startup Menu Functions After completing all external connections, connect a terminal to the device to monitor the boot and other procedures. The order of installation and configuration procedures is illustrated in the following figure. For the initial configuration, the standard device configuration is performed.
Initial Configuration Figure 2-1. Installation and Configuration General Configuration Information Your device has predefined features and setup configuration.
Note: If the station on the other side of the link attempts to auto-negotiate with a port that is manually configured to full duplex, the auto-negotiation results in the station attempting to operate in half duplex. The resulting mismatch may lead to significant frame loss.
The following is an example for enabling flow control on port e1 using CLI commands:
Console(config)# interface ethernet (page 4-380)
Console(config-if)# flowcontrol (page 4-387)
The following is an example for enabling back pressure on port e1 using CLI commands.
If the system boot is not interrupted by pressing <Esc> or <Enter>, the system continues operation by decompressing and loading the code into RAM. The code starts running from RAM and the list of numbered system ports and their states (up or down) are displayed.
To manage the switch from a remote network, a static route must be configured, which is an IP address to which packets are sent when no entries are found in the device tables. The configured IP address must belong to the same subnet as one of...
To configure a static route, enter the command at the system prompt as shown in the following configuration example where 101.1.1.2 is the specific management station:
Console# configure
Console(config)# interface vlan (page 4-676)
Console(config-if)# ip address 100.1.1.1 255.255.255.0 (page 4-424)...
• Access rights options: ro (read only), rw (read-and-write) or su (super). • An option to configure IP address or not: If an IP address is not configured, it means that all community members having the same community name are granted the same access rights.
DHCP client. To retrieve an IP address from a DHCP server, perform the following steps: Select and connect any port to a DHCP server or to a subnet that has a DHCP server on it, in order to retrieve the IP address.
4-668 console(config)# The interface receives the IP address automatically. To verify the IP address, enter the show ip interface command at the system prompt as shown in the following example.
Console# show ip interface
Gateway IP Address Activity status...
(y/n)[n]? ****************************************************** /*the device reboots */ To verify the IP address, enter the show ip interface command. The device is now configured with an IP address. Security Management and Password Configuration System security is handled through the AAA (Authentication, Authorization, and Accounting) mechanism that manages user access rights, privileges, and management methods.
a password, it is recommended to always assign a password. If there is no specified password, privileged users can access the Web interface with any password. Configuring an Initial Console Password To configure an initial console password, enter the following commands:...
Enter the following commands once when configuring to use a console, a Telnet, or an SSH session in order to use an HTTPS session. In the Web browser enable SSL 2.0 or greater for the content of the page to appear.
crypto certificate generate key_generate...
The switch boots and runs when decompressing the system image from the flash memory area where a copy of the system image is stored. When a new image is downloaded, it is saved in the other area allocated for the additional system image copy.
To download a boot file through the TFTP server: Ensure that an IP address is configured on one of the device ports and pings can be sent to a TFTP server. Ensure that the file to be downloaded (the .rfb file) is saved on the TFTP server.
Additional configuration functions can be performed from the Startup menu. To display the Startup menu: During the boot process, after the first part of the POST is completed, press <Esc> or <Enter> within two seconds after the following message is displayed: Autoboot in 2 seconds -press RETURN or Esc.to abort and enter prom.
Startup Menu Functions The following sections describe the Startup menu options. If no selection is made within 25 seconds (default), the switch times out and the device continues to load normally. Only technical support personnel can operate the Diagnostics Mode. For this reason, the Enter Diagnostic Mode option of the Startup menu is not described in this guide.
Write Flash file name (Up to 8 characters, Enter for none.):config File config (if present) will be erased after system initialization ========Press Enter To Continue ======== Enter config as the name of the flash file. The configuration is erased and the device reboots. Perform the switch’s initial configuration.
Erasing flash blocks 1 -63: Done. Password Recovery If a password is lost, use the Password Recovery option on the Startup menu. The procedure enables the user to enter the device once without a password. To recover a lost password for the local terminal only: From the Startup menu, select “4”...
(Internet Explorer 6.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”...
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the “Apply” or “Apply Changes” button to confirm the new setting. The following table summarizes the web page configuration buttons: Table 3-1.
Configuring the Switch Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Interface Configuration Page as described on page 3-70.
• System Location — Defines the location where the system is currently running. The field range is 0-160 characters. • System Contact — Defines the name of the contact person. The field range is 0-160 characters. • System Object ID — Displays the vendor’s authoritative identification of the network management subsystem contained in the entity.
Stacking provides multiple switch management through a single point as if all stack members are a single unit. All stack members are accessed through a single IP address through which the stack is managed. The stack is managed from the following: •...
The devices operate in a Ring topology. A stacked Ring topology is where all devices in the stack are connected to each other forming a circle. Each device in the stack accepts data and sends it to the device to which it is attached. The packet continues through the stack until it reaches its destination.
Once the user selects a different Unit ID, it is not erased, and remains valid, even if the unit is reset. Unit ID 1 and Unit ID 2 are reserved for Master enabled units. Unit IDs 3 to 8 can be defined for stack members.
MAC addresses are not saved. Each port in the stack has a specific Unit ID, port type, and port number, which is part of both the configuration commands and the configuration files. Configuration files are managed only from the device Stacking Master, including: •...
The Stack Management Topology Page allows network managers to either reset the entire stack or a specific device. Device configuration changes that are not saved before the device is reset are not saved. If the Stacking Master is reset, the entire stack is reset.
Download the file Open the File Download Page. Select the Firmware Download field. Enter full path and file name of software to be downloaded to device. Select Download to all Units. Reset the stack. CLI – The following is an example of stack management commands:...
System Log (syslog) server, and displays a list of recent event messages. The default for all logs is information, with the exception of logs in the Remote Log Server, which are errors.
• Error — Indicates that a device error has occurred, for example, if a single port is offline. • Warning — Indicates the lowest level of a device warning. The device is functioning, but an operational problem has occurred.
• Emergency — The highest warning level. If the device is down or not functioning properly, an emergency log message is saved to the specified logging location. • Alert — The second highest warning level. An alert log is saved, if there is a serious device malfunction; for example, all device features are down.
CLI – The following is an example of the CLI commands used to view memory logs:
Console# show logging (page 4-610)
Logging is enabled.
Console logging: level debugging. Console Messages: 0 Dropped (severity).
Buffer logging: level debugging. Buffer Messages: 11 Logged, 200 Max.
• Server — Specifies the IP address of the server to which logs can be sent. • UDP Port — Defines the UDP port to which the server logs are sent. The possible range is 1 - 65535. The default value is 514.
is assigned, the first facility is overridden. All applications defined for a device utilize the same facility on a server. The field default is Local 7. The possible field values are Local 0 - Local 7. • Description — Displays the user-defined server description.
You can also manually set the clock using the CLI. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Broadcast server. Message Digest 5 (MD5) Authentication safeguards device synchronization paths to SNTP servers. MD5 is an algorithm that produces a 128-bit hash. MD5 is a variation of MD4, and increases MD4 security. MD5 verifies the integrity of the communication and authenticates the origin of the communication.
Command Attributes • Enable SNTP Authentication — Indicates if authenticating an SNTP session between the device and an SNTP server is enabled on the device. The possible field values are: • Checked — Authenticates SNTP sessions between the device and SNTP server.
• SNTP Server — Displays user-defined SNTP server IP addresses. Up to eight SNTP servers can be defined. • Poll Interval — Indicates whether or not the device polls the selected SNTP server for system time information. • Encryption Key ID — Displays the encryption key identification used to communicate between the SNTP server and device.
• Offset — Indicates the time difference between the device local clock and the acquired time from the SNTP server. • Delay — Indicates the amount of time it takes for a device request to reach the SNTP server. • Remove — Removes SNTP servers from the SNTP server list. The possible field values are: •...
(SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock using the CLI. If the...
Daylight Saving Time, Brazilian clocks go forward one hour in most of the Brazilian southeast. • Chile — In Easter Island, from March 9 until October 12. In the rest of the country, from the first Sunday in March or after 9th March.
October. • Macedonia — From the last weekend of March until the last weekend of October. • Mexico — From the first Sunday in April at 02:00 to the last Sunday in October at 02:00. • Moldova — From the last weekend of March until the last weekend of October.
• United Kingdom — From the last weekend of March until the last weekend of October. • United States of America — From the first Sunday in April at 02:00 to the last Sunday in October at 02:00. Command Attributes •...
Mar/08 and 00:00. The possible field values are: • Date — The date on which DST ends. The possible field range is 1-31. • Month — The month of the year in which DST ends. The possible field range is Jan-Dec.
You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can set the switch to use new firmware without overwriting the previous version.
(\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”).
• Configuration TFTP Server IP Address — Specifies the TFTP Server IP Address from which the configuration files are downloaded. • Configuration Source File Name — Specifies the configuration files to be downloaded. • Configuration Destination File — Specifies the destination file to which the configuration file is downloaded.
Managing System Files Uploading System Files The File Upload Page contains fields for uploading the software from the device to the TFTP server. Command Attributes • Firmware Upload — Specifies that the software image file is uploaded. If Firmware Upload is selected, the Configuration Upload fields are grayed out.
• Source — Select if the Starting Configuration file, the Running Configuration file, or the Backup file will be copied. • Destination — Specifies the usage for the source file after it is copied. It may be used as a Starting Configuration file, the Running Configuration file, the Backup file, or as a configuration file with a new name.
• Date – Version’s date • Status – Indicates Image status • Image After Reset – The Image file which is active on the unit after the device is reset. The possible field values are: • Image 1 — Activates Image file 1 after the device is reset.
In contrast with binary CAM, TCAM allows a third matching state of “X” or “Don’t Care” bits in data searches (the first two bit types are “0” and “1”), adding more flexibility to searches. However, the need to encode three possible states instead of two also adds greater resource costs.
• Stack Unit – Indicates the stacking member for which TCAM resource usage is displayed. • TCAM Utilization – Percentage of the available TCAM resources which are used. For example, if more ACLs and policy maps are defined, the system will use more TCAM resources.
Interfaces can also be designated as PVE ports. PVE ports bypass the Forwarding Database (FDB), and forward all Unicast, Multicast and Broadcast traffic to an uplink. A single uplink can be defined for a protected port.
• Max Capability — Indicates that all port speeds and duplex mode settings are accepted. • 10 Half — Indicates that the port advertises for a 10 Mbps speed port and half duplex mode setting. • 10 Full — Indicates that the port advertises for a 10 Mbps speed port and full duplex mode setting.
• LAG — Indicates the LAG of which the port is a member. • PVE — Enables a port to be a Private VLAN Edge (PVE) port. When a port is defined as PVE, it bypasses the Forwarding Database (FDB), and forwards all Unicast, Multicast and Broadcast traffic to an uplink (except MAC-to-me packets).
• All ports in the LAG have the same transceiver type. • The device supports up to eight LAGs, and eight ports in each LAG. • Ports can be configured as LACP ports only if the ports are not part of a previously configured LAG.
Aggregate ports can be linked into link-aggregation port-groups. Each group is comprised of ports with the same speed, set to full-duplex operations. LAG ports can contain different media types if the ports are operating at the same speed. Aggregated links can be set up manually or automatically established by enabling Link Aggregation Control Protocol (LACP) on the relevant links.
If the port channel admin key is not set (through the CLI) when a channel group is formed (i.e., it has a null value of 0), this key is set to the same value as the port admin key used by the interfaces that joined the group (lacp admin key).
Displaying Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
• Port — Defines the specific port for which interface statistics are displayed. • LAG — Defines the specific LAG for which interface statistics are displayed. • Refresh Rate — Defines the amount of time that passes before the interface statistics are refreshed. The possible field values are: •...
Figure 3-25. Statistics Interface Page Etherlike Statistics Command Attributes • Unit No. — Displays the stacking member for which the Etherlike Statistics are displayed. • Interface — Indicates the device for which statistics are displayed. The possible field values are: •...
• Late Collisions — Displays the number of late collision frames received on the selected interface. • Oversize Packets — Displays the number of oversized packet errors on the selected interface. • Received Pause Frames — Displays the number of received paused frames on the selected interface.
This section describes how to configure an initial IP interface for management access over the network. The IP address for this switch is unassigned by default. To manually configure an address, you need to change the switch IP address and...
The IP Interface Page contains fields for assigning IP parameters to interfaces, and for assigning gateway devices. Packets are forwarded to the default IP when frames are sent to a remote network. The configured IP address must belong to the same IP address subnet of one of the IP interfaces.
Figure 3-27. IP Interface Page
CLI – The following is an example of the CLI commands for defining an IP interface:
Console(config)# interface vlan 1 (page 4-676)
Console(config-if)# ip address 131.108.1.27 255.255.255.0 (page 4-424)
Defining Default Gateways Packets are forwarded to the default IP when frames are sent to a remote network via the default gateway.
DHCP ensures that network devices can have a different IP address every time the device connects to the network. DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch.
• ARP Entry Age Out — Specifies the amount of time (in seconds) that passes between ARP Table entry requests. Following the ARP Entry Age period, the entry is deleted from the table. The range is 1 - 40000000. The default value is 60000 seconds.
192.87.56.2. DNS servers maintain databases of domain names and their corresponding IP addresses. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
• If there is no domain list, the default domain name is used. If there is a domain list, the default domain name is not used. • When an incomplete host name is received by the DNS server on this switch and...
• Checked — Removes the selected DNS server. • Unchecked — Maintains the current DNS server list. • DNS Server — Displays the DNS server IP address. DNS servers are added in the Add DNS Server Page. • Active Server — Specifies the DNS server that is currently active.
IP addresses. If more than one IP address is associated with a host name in the static table or via information returned from a name server, a DNS client can try each address in succession, until it establishes a connection with the target device.
Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent.
A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users.
Users must be configured with a specific security level and assigned to a group. Command Attributes • User Name — Contains a list of user-defined user names. The field range is up to 30 alphanumeric characters. • Group Name — Contains a list of user-defined SNMP groups. SNMP groups are defined in the SNMP Group Profile Page.
Web – Click System, SNMP, Security, Users. Click Add to configure a user name. In the New User page, define a name and assign it to a group, then click Apply to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Command Attributes • Group Name — Displays the user-defined group to which access control rules are applied. The field range is up to 30 characters. • Security Model — Defines the SNMP version attached to the group. The possible field values are: •...
Web – Click System, SNMP, Security, Groups. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Web – Click System, SNMP, Security, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
• Read Write — Management access is read-write and changes can be made to the device configuration, but not to the community. • SNMP Admin — User has access to all device configuration options, as well as permissions to modify the community.
• Providing Access Control Checks Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
• SNMP V2c — Indicates that SNMP Version 2 traps are sent. • UDP Port — Displays the UDP port used to send notifications. The default is 162. • Filter Name — Indicates if the SNMP filter for which the SNMP Notification filter is defined.
Configuring SNMP • Remove — Deletes the currently selected recipient. The possible field values are: • Checked — Removes the selected recipient from the list of recipients. • Unchecked — Maintains the list of recipients. Web – Click SNMP, Trap Management, Trap Station Management. Define the fields and click Add.
fields and click Apply. Figure 3-39. SNMP Global Trap Settings Page
CLI – The following is an example of the SNMP commands for enabling traps:
Console(config)# snmp-server enable traps (page 4-364)...
• Object ID Subtree — Displays the OID for which notifications are sent or blocked. If a filter is attached to an OID, traps or informs are generated and sent to the trap recipients. OIDs are selected from either the Select from field or the Object ID field.
• User Name — Displays the user name. • Access Level — Displays the user access level. The lowest user access level is 1 and the highest is 15. Users with access level 15 are Privileged Users, and only they can access and use the EWS.
Configuring User Authentication
Figure 3-41. Local Users Page
CLI – The following is an example of the CLI commands used for configuring Local Users Passwords:
Console(config)# username bob password lee level 15 4-302
Defining Line Passwords
Network administrators can define line passwords in the Line Page. After the line password is defined, a management method is assigned to the password.
Apply.
Figure 3-42. Line Page
CLI – The following is an example of the CLI commands used for configuring Line Passwords.
Console(config)# line console 4-443
Console(config-line)# password secret 4-301
Defining Enable Passwords
The Enable Page sets a local password for a particular access level.
Configuring Authentication Methods
Figure 3-43. Enable Page
CLI – The following is an example of the CLI commands used for configuring Enable Passwords:
Console(config)# enable password level 15 secret 4-301
Configuring Authentication Methods
This section provides information for configuring device authentication methods, and includes the following topics: •...
For example, if you select (1) RADIUS, (2) TACACS+ and (3) Local, the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password is checked.
• Rule Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The rule number is essential to matching packets to rules, as packets are matched on a first-fit basis.
• Access Profile Name — Displays the access profile to which the rule is attached. • Priority — Defines the rule priority. When the packet is matched to a rule, user groups are either granted permission or denied device management access. The...
SNMP meeting access profile criteria are permitted or denied access to the device. • Source IP Address — Defines the interface source IP address to which the rule applies. • Prefix Length — Defines the number of bits that comprise the source IP address prefix, or the network mask of the source IP address.
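The first-fit matching of access profile rules described above can be modelled offline to check a planned rule set before it is applied. This is an added example, not code from the guide or the switch software; it assumes lower priority numbers are checked first and uses `all` as a stand-in for "any management method", and the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int                    # rule number; lower is checked first (assumption)
    action: str                      # "permit" or "deny"
    method: str                      # management method; "all" is a stand-in for any
    source: ipaddress.IPv4Network    # Source IP Address + Prefix Length


def make_rule(priority, action, method, source_ip, prefix_length):
    """Build a rule from the fields shown on the Profile Rules page."""
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    network = ipaddress.ip_network(f"{source_ip}/{prefix_length}", strict=False)
    return Rule(priority, action, method.lower(), network)


def evaluate(rules, method, client_ip):
    """Return the first rule that matches (first-fit), or None.

    None means no rule matched; this excerpt of the guide does not state
    what the switch does in that case, so the caller has to decide.
    """
    address = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.method not in ("all", method.lower()):
            continue
        if address in rule.source:
            return rule
    return None


def shadowed_rules(rules):
    """List (rule, covering_rule) priority pairs for rules that can never fire.

    A rule is shadowed when an earlier rule covers the same management
    method and its source network contains the later rule's network.
    """
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for index, later in enumerate(ordered):
        for earlier in ordered[:index]:
            covers_method = earlier.method in ("all", later.method)
            if covers_method and later.source.subnet_of(earlier.source):
                shadowed.append((later.priority, earlier.priority))
                break
    return shadowed


# Constructed sample profile: rule 3 is meant to block one host, but
# rule 1 already permits the whole /24 for Telnet, so rule 3 never matches.
SAMPLE_RULES = [
    make_rule(1, "permit", "telnet", "10.1.1.0", 24),
    make_rule(2, "deny", "all", "10.1.0.0", 16),
    make_rule(3, "deny", "telnet", "10.1.1.50", 32),
    make_rule(4, "permit", "snmp", "192.168.10.1", 32),
]

if __name__ == "__main__":
    hit = evaluate(SAMPLE_RULES, "telnet", "10.1.1.50")
    print("telnet from 10.1.1.50 ->", hit.action, "by rule", hit.priority)
    for later, earlier in shadowed_rules(SAMPLE_RULES):
        print(f"rule {later} is shadowed by rule {earlier}")
```

A narrow deny only takes effect when its rule number places it ahead of any broader permit for the same management method.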
Figure 3-45. Profiles Rules Page
CLI – The following is an example of the CLI commands used for configuring Profile Rules:
Console(config)# ip http server 4-703
Console(config)# ip https server 4-705
Defining Authentication Profiles
Authentication profiles allow network administrators to assign authentication methods for user authentication.
Web – Click System, WebViewMgmt, Authentication, Authentication Profiles, define the fields, and click Apply.
Figure 3-46. Authentication Profiles Page
CLI – The following is an example of the CLI commands used for configuring Authentication Profiles:
Console(config)# aaa authentication login default radius local enable...
If the RADIUS server cannot authenticate the management method, the session is permitted. • RADIUS, Local, None — Authentication first occurs at the RADIUS server. If authentication cannot be verified at the RADIUS server, the session is authenticated locally. If the session cannot be authenticated locally, the session is permitted.
If the session cannot be authenticated locally, the session is permitted. Web – Click System, WebViewMgmt, Authentication, Authentication Mapping, define the fields, and click Apply. Figure 3-47. Authentication Mapping Page CLI – The following is an example of the CLI commands used for mapping...
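Because a method list that contains None permits the session once the methods ahead of it cannot authenticate, it is worth checking saved configurations for such lists. The following is an added example, not code from the guide or the switch software; it only understands the `aaa authentication <service> <list-name> <methods>` form shown in this guide, and the sample configuration, including the list name `console-list`, is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration. The command forms are the ones shown in
# this guide; the list name "console-list" and its method mix are made up.
SAMPLE_CONFIG = """\
aaa authentication login default radius local enable
aaa authentication login console-list radius local none
aaa authentication dot1x default none
radius-server host 192.168.10.1 auth-port 20 timeout 20
"""

AAA_LINE = re.compile(r"^\s*aaa\s+authentication\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class MethodList:
    service: str     # e.g. "login" or "dot1x"
    name: str        # e.g. "default"
    methods: tuple   # ordered; the first entry is tried first


def parse_method_lists(config_text):
    """Return every 'aaa authentication' method list found in the text."""
    lists = []
    for line in config_text.splitlines():
        match = AAA_LINE.match(line)
        if match:
            service, name, methods = match.groups()
            lists.append(MethodList(service, name, tuple(methods.lower().split())))
    return lists


def deciding_method(method_list, unavailable):
    """Walk the list in order, skipping methods that cannot be used.

    'unavailable' is a set of method names (for example an unreachable
    RADIUS server). Returns the method that ends up deciding the session,
    or None when every method was skipped.
    """
    for method in method_list.methods:
        if method == "none":
            return "none"        # no credential check: the session is permitted
        if method not in unavailable:
            return method
    return None


def audit(method_lists):
    """Flag lists in which 'none' can let a session in without credentials."""
    findings = []
    for ml in method_lists:
        if "none" not in ml.methods:
            continue
        label = f"{ml.service}/{ml.name}"
        if ml.methods == ("none",):
            findings.append((label, "no-authentication"))
        else:
            findings.append((label, "permit-on-fallthrough"))
    return findings


if __name__ == "__main__":
    parsed = parse_method_lists(SAMPLE_CONFIG)
    for label, issue in audit(parsed):
        print(f"{label}: {issue}")
    # What decides a console-list login while RADIUS and local both fail over?
    print(deciding_method(parsed[1], {"radius", "local"}))
```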
Default Parameters for the TACACS+ servers. Command Attributes • Source IP Address — Defines the default device source IP address used for the TACACS+ session between the device and the TACACS+ server. • Key String — Defines the default authentication and encryption key for TACACS+ communication between the device and the TACACS+ server.
• Status — Indicates the connection status between the device and the TACACS+ server. The possible field values are: • Connected — Indicates there is currently a connection between the device and the TACACS+ server. • Not Connected — Indicates there is not currently a connection between the device and the TACACS+ server.
RADIUS server before a failure occurs. The possible field values are 1-10. Three is the default value. • Timeout for Reply — Defines the amount of time (in seconds) the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.
Web – Click System, WebViewMgmt, Authentication, RADIUS, define the fields, and click Apply.
Figure 3-49. RADIUS Page
CLI – The following is an example of the RADIUS CLI Commands:
Console(config)# radius-server host 192.168.10.1 auth-port 20 timeout 20 4-507
Console(config)# radius-server key alcatel-server...
• Multicast Packets Received — Displays the number of good Multicast packets received on the interface since the device was last refreshed. • CRC & Align Errors — Displays the number of CRC and Align errors that have occurred on the interface since the device was last refreshed.
1518 octets. This number excludes frame bits, but includes FCS octets that had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral octet (Alignment Error) number. The field range to detect jabbers is between 20 ms and 150 ms.
For example, the samples may include interface definitions or polling periods. Command Attributes • History Entry No. — Displays the entry number for the History Control Table page. • Source Interface — Displays the interface from which the history samples were taken.
Managing RMON Statistics
Figure 3-51. History Control Page
CLI – The following is an example of the CLI commands used to view RMON History Control statistics:
Console(config)# interface ethernet 1/e1 4-380
Console(config-if)# rmon collection history 1 interval 2400 4-518
Viewing the RMON History Table
The History Table Page contains interface specific statistical network samplings.
• Multicast Packets — Displays the number of good Multicast packets received on the interface since the device was last refreshed. • CRC Align Errors — Displays the number of CRC and Align errors that have occurred on the interface since the device was last refreshed.
Managing RMON Statistics CLI – The following is an example of the CLI commands used to view RMON History Table statistics: Console# show rmon history 1 throughput 4-519 Sample Set: 1 Owner: CLI Interface: 1/e1 Interval: 1800 Requested samples: 50...
• Log — Indicates that the event is a log entry. • Trap — Indicates that the event is a trap. • Log and Trap — Indicates that the event is both a log entry and a trap. • None — Indicates that no event occurred.
Figure 3-53. Events Control Page
CLI – The following is an example of the CLI commands used to view RMON events Control statistics:
Console(config)# rmon event 10 log 4-526
Viewing the RMON Events Logs
The Events Logs Page contains a list of RMON events.
Configuring the Switch Figure 3-54. Events Logs Page CLI – The following is an example of the CLI commands used to view RMON events Logs: Console> show rmon events 4-526 Index Description Type Community Owner Last time sent ----- -----------...
• Rising Event — Displays the mechanism in which the alarms are reported. The possible field values are: • LOG — Indicates there is not a saving mechanism for either the device or in the management system. If the device is not reset, the entry remains in the Log Table.
Figure 3-55. Alarm Page
CLI – The following is an example of the CLI commands used to set RMON alarms:
Console(config)# rmon alarm 1000 1.3.6.1.2.1.10.7.2.1.3.51 1000000 1000000 10 20 1 4-522
Alcatel Mapping Adjacency Protocol (AMAP)
The AMAP protocol enables a switch to discover the topology of other AMAP-aware devices in the network.
“Hello” packets to determine that it is still present. • Passive – A port enters this state if there is no response to a Discovery “hello” packet. This is a receive-only state and no “Hello” packets are transmitted. If a “Hello”...
The AMAP Adjacencies Page provides network configuration information about the systems connected to the device. The table displays the IP and MAC addresses of the local port, and the IP and MAC addresses, and VLAN ID of the connected devices.
The value represents a multiple of the Updates Interval. The possible field range is 2 - 10. The field default is 4. For example, if the Update Interval is 30 seconds and the Hold Multiplier is 4, then the LLDP packets are discarded after 120 seconds.
Figure 3-58. LLDP Properties Page Defining LLDP Port Settings The LLDP Port Settings Page allows network administrators to define LLDP port settings, including the port type, the LLDP port state, and the type of port information advertised. To define LLDP Port Properties: Command Attributes •...
Detailed network topology information, including which devices are located on the network and where these devices are located. For example, what IP phone is connected to what port, what software is running on what switch, and which port is connected to what PC.
Streaming Video — Indicates that the network policy is defined for a Streaming Video application. • VLAN ID — Indicates the VLAN ID for which the Network policy is assigned. • VLAN Type — Indicates the VLAN type for which the network policy is defined.
• Port — Displays the port to which the network policy is attached. • LLDP MED Status — Indicates if LLDP is enabled on the device. The possible field values are: – Enable – Enables LLDP MED on the device. –...
Apply
Figure 3-62. LLDP Neighbor Information Page
Viewing Neighbor Information Details
In the LLDP Neighbor Information Page, click the Details button to open the Details Neighbor Information Page. The Details Neighbor Information Page displays the information advertised by neighboring ports when advertising LLDP information.
• Power Value — Indicates the total power in watts required by a PD device from a PSE device, or the total power a PSE device is capable of sourcing over a maximum length cable based on its current configuration.
Guard Band protects the device from exceeding the maximum power level. For example, if 400W is the maximum power level and the Guard Band is 20W, no additional PoE components can be added once the total system power consumption exceeds 380W.
PoE operation status and the interface’s power consumption. Command Attributes • Port — Indicates the specific interface for which PoE parameters are defined and assigned to the powered interface connected to the selected port. • Admin Status — Indicates the device PoE mode. The possible field values are: •...
Managing Power-over-Ethernet Devices
to the device using the PoE module. • Oper. Status — Indicates if the port is enabled to work on PoE. The possible field values are: • On — Indicates the device is delivering power to the interface.
Port mirroring also enables switch performance monitoring. You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
• All mirror sessions have to share the same destination port. • When mirroring port traffic, the target port must be included in the same VLAN as the source port. The Port Mirroring Page contains parameters for monitoring and mirroring of network traffic.
Time Domain Reflectometry (TDR) technology to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested. Cables are tested when the ports are in the down state, with the exception of the Approximated Cable Length test.
Web – Click Physical, Diagnostics, Copper Cable, define the fields, and click Test. Figure 3-67. Copper Cable Page CLI – The following is an example of the CLI commands used to test copper cables: Console# show copper-ports cable-length 4-463...
• Unit No. — Indicates the stacking member for which the interface configuration information is displayed. • Port — Displays the IP address of the port on which the cable is tested. • Temperature — Displays the temperature (C) at which the cable is operating.
• Not Present —The power supply is currently not present. • Fan Status — The fan status. The number of fans on the boards is provided based on the device type (number of ports) and PoE chips availability. Each fan is denoted as fan plus the fan number in the interface.
Configuring the Switch Celsius Fahrenheit Web – Click Physical, Diagnostics, Health. Figure 3-69. Health Page CLI – The following is an example of the device Health CLI commands: Console# show system 4-629 Unit Type ---- ----------------- Alcatel Unit Main Power Supply...
Multicast frames are flooded to all ports on the relevant VLAN. This occupies bandwidth, and loads all nodes on all ports. Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
MAC addresses. These addresses are either manually defined on the port, or learned on that port up to the point when it is locked. When a packet is received on a locked port, and the packet source MAC address is not tied to that...
Configuring Traffic Control
port (either it was learned on a different port, or it is unknown to the system), the protection mechanism is invoked, and can provide various options. Unauthorized packets arriving at a locked port are either: • Forwarded •...
• Max Entries — Specifies the number of MAC addresses that can be learned on the port. The Max Entries field is enabled only if Locked is selected in the Set Port field. In addition, the Limited Dynamic Lock mode is selected. The default is 1.
The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server.
• Single Host Mode — Only the authorized host can access the port. • Multiple Host Mode — Multiple hosts can be attached to a single port. Only one host must be authorized for all hosts to access the network. If the host authentication fails, or an EAPOL-logoff message is received, all attached clients are denied access to the network.
Disables use of a Guest VLAN for unauthorized ports. This is the default. • Guest VLAN ID — Contains a list of VLANs. The Guest VLAN is selected from the VLAN list. • EAP Frames — Determines how EAP packets are managed when port based authentication is disabled on the device.
Figure 3-72. System Information Page
CLI – The following is an example of the device Authentication CLI commands:
Console(config)# dot1x system-auth-control 4-270
Console(config)# aaa authentication dot1x default none 4-269...
• Current Port Control — Displays the current port authorization state. • Unauthorized — Indicates that the port control is ForceUnauthorized, the port link is down, or the port control is Auto, but a client has not been authenticated via the port.
All selects all ports for reauthentication. • Authenticator State — Displays the current authenticator state. • Quiet Period — Displays the number of seconds that the device remains in the quiet state following a failed authentication exchange. The possible field range is 0-65535.
• Single Host Mode — Only the authorized host can access the port. • Multiple Host Mode — Multiple hosts can be attached to a single 802.1x-enabled port. Only one host must be authorized for all hosts to access the network. If the...
• Disabled — Indicates that traps are disabled for Multiple hosts. • Trap Frequency — Defines the time period by which traps are sent to the host. The Trap Frequency (1-1000000) field can be defined only if multiple hosts are disabled.
Defining Authentication Hosts The Authentication Host Page contains a list of authenticated users. Command Attributes • User Name — Lists the supplicants that were authenticated, and are permitted on each port. • Port — Displays the port number. • Session Time — Displays the amount of time (in seconds) the supplicant was logged on the port.
1/e3 Auto Unauthorized 3600 Clark 1/e4 Force-auth Authorized 3600 1/e5 Force-auth Unauthorized* 3600 * Port is down or not present. Console# show dot1x ethernet 1/e3 4-279 802.1x is enabled. Port Admin Mode Oper Mode Reauth Reauth Username Control Period ----...
• Port — Indicates the port, which is polled for statistics. • Refresh Rate — Indicates the amount of time that passes before the EAP statistics are refreshed. The possible field values are: • 15 Sec — Indicates that the EAP statistics are refreshed every 15 seconds.
• Last Frame Version — Indicates the protocol version number attached to the most recently received EAPOL frame. • Last Frame Source — Indicates the source MAC address attached to the most recently received EAPOL frame. Web – Click Security, 802.1x, Statistics and select an interface.
LastEapolFrameVersion: 1
LastEapolFrameSource: 00:08:78:32:98:78...
• Each ACL can have up to 256 Access Control Elements (ACE rules). • The maximum number of ACLs is 894 per port. • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
• The switch does not support the explicit “deny any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
The possible field value is 1-2147483647. • Protocol — Creates an ACE based on a specific protocol. • Select from List — Selects a protocol from a list on which ACE can be based. Some of the possible field values are: •...
• ICMP Type — Specifies an ICMP message type for filtering ICMP packets. • ICMP Code — Specifies an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code.
Console(config-ip-al)# deny rsvp 192.1.1.1 0.0.0.255 any 4-309
Defining MAC Based Access Control Lists
The MAC Based ACL Page allows a MAC-based ACL to be defined. ACEs can be added only if the ACL is not bound to an interface. Command Attributes •...
00:AB:22:11:33:00 and the wildcard mask is 00:00:00:00:00:FF, the first two bits of the MAC are used, while the last two bits are ignored. • VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4095.
DHCP Snooping
Figure 3-79. MAC Based ACL Page
CLI – The following is an example of the MAC Based ACL CLI commands:
Console(config)# mac access-list macl-acl1 4-311
Console(config-mac-al)# permit 6:6:6:6:6:6 0:0:0:0:0:0 any vlan 6 4-312
Console (config-mac-acl)# deny 66:66:66:66:66:66 4-313...
• Database Update Interval — Indicates how often the DHCP Snooping Database is updated. The possible field range is 600 – 86400 seconds. The field default is 1200 seconds. Web – Click Security, Traffic Control, DHCP Snooping, Properties. Define the fields...
VLANs. To enable DHCP Snooping on a VLAN, ensure DHCP Snooping is enabled on the device. Command Attributes • VLAN ID — Indicates the VLAN to be added to the Enabled VLAN list. • Enabled VLAN — Contains a list of VLANs for which DHCP Snooping is enabled.
Trusted interfaces are connected to DHCP servers, switches, or hosts which do not require DHCP packet filtering. Trusted interfaces receive packets only from within the network or the network firewall, and are allowed to respond to DHCP requests. Packets sent from an interface outside the network, or from beyond the network firewall, are blocked by trusted interfaces.
– LAG — Queries the VLAN database by LAG number. • VLAN ID — Displays the VLAN ID to which the IP address is attached in the DHCP Snooping Database. • Type — Displays the IP address binding type. The possible field values are: –...
DHCP with Option 82 can be enabled only if DHCP snooping is enabled. Command Attributes • DHCP Option 82 Insertion — Indicates if DHCP Option 82 with data insertion is enabled on the device. The possible field values are: • Enable — Enables DHCP Option 82 with data insertion on the device. If DHCP Option 82 with data insertion is enabled the DHCP server can insert information into DHCP requests.
• Permits two hosts on the same network to communicate and send packets. • Permits two hosts on different packets to communicate via a gateway. • Permits routers to send packets via a host to a different router on the same network.
Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses. If the packet’s IP address was not found in the ARP Inspection List, and DHCP snooping is enabled for a VLAN, a search of the DHCP Snooping Database is performed. If the IP address is found the packet is valid, and is forwarded. ARP...
ARP Inspection List. Trusted packets are forwarded without ARP Inspection. • Untrusted — Indicates that the packet arrived from an interface that does not have recognized IP and MAC addresses. The packet is checked for: –...
• Units — Indicates the port on which ARP Inspection Trust mode is enabled. • LAGs — Indicates the LAG on which ARP Inspection Trust mode is enabled. • Trust — Indicates if the selected interface is trusted or untrusted. The possible field values are: •...
The VLAN Settings Page assigns static ARP Inspection Lists to VLANs. Command Attributes • VLAN ID — A new VLAN ID that is defined by the user and added to the Enabled VLANs list. • Enabled VLANs — Contains a list of VLANs in which ARP Inspection is enabled.
Figure 3-88. VLAN Settings Page
IP Source Guard
IP Source Guard is a security feature that restricts the client IP traffic to those source IP addresses configured in the binding. IP traffic restrictions are applied according to definitions in both the DHCP Snooping Binding Database and in manually configured IP source bindings.
DHCP Snooping. If source IP address filtering is enabled, packet transmission is permitted as follows: • IPv4 traffic — Only IPv4 traffic with a source IP address that is associated with the specific port is permitted. • Non IPv4 traffic — All non-IPv4 traffic is permitted.
• Status — Indicates if IP Source Guard is enabled or disabled. • Enable — Indicates that IP Source Guard is enabled on the interface. • Disable — Indicates that IP Source Guard is disabled on the interface. This is the default value.
• Port — Queries the VLAN database by port number. • LAG — Queries the VLAN database by LAG number. • Interface — Displays the VLAN ID to which the IP address is attached in the IP Source Guard Database.
An address becomes associated with a port by learning the frame’s source address, but if a frame that is addressed to a destination MAC address is not associated with a port, that frame is flooded to all relevant VLAN ports. To prevent the bridging table from overflowing, a dynamic MAC address, from which no traffic arrives for a set period, is erased.
• Secure — The MAC Address is defined for locked ports. • Permanent — The MAC address is permanent. • Delete on Reset — The MAC address is deleted when the device is reset. • Delete on Timeout — The MAC address is deleted when a timeout occurs.
Command Attributes • Address Aging — Specifies the amount of time the MAC address remains in the Dynamic MAC Address table before it is timed out, if no traffic from the source is detected. The default value is 300 seconds.
Configuring Spanning Tree
Figure 3-94. Dynamic Addresses Page
CLI – The following is an example of the CLI commands used to define dynamic addresses:
Console# clear bridge 4-325
Console# configure
Console(config)# interface vlan 2 4-676
Console(config-if)# bridge multicast address 01:00:5e:02:02:03 4-321
Console(config-if)# bridge multicast forbidden address 0100.5e02.0203 add...
STA uses a distributed algorithm to select a bridging device (STA-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device.
Figure 3-95. Spanning Tree Home Page
Defining Spanning Tree
You can display a summary of the current bridge STP information that applies to the entire switch using the STP Information screen. Command Attributes • Spanning Tree State — Indicates whether STP is enabled on the device. The possible field values are: •...
Root Bridge. This field is significant when the bridge is not the Root Bridge. The default is zero. • Root Path Cost — The cost of the path from this bridge to the Root Bridge. • Topology Changes Counts — Specifies the total number of STP state changes that have occurred.
• A port on a network segment with no other STP compliant bridging device is always forwarding. • If two ports of a switch are connected to the same segment and there is no other STP device attached to this segment, the port with the smaller ID forwards packets...
• Port Fast — Indicates if Fast Link is enabled on the port. If Fast Link mode is enabled for a port, the Port State is automatically placed in the Forwarding state...
(ports connected to clients) are enabled or when STP feature is disabled. When BPDU guard is enabled on a port, the port is shut down if a BPDU message is received and an appropriate SNMP trap is generated. The port must then be reactivated by using the set interface active command.
• Multiple STP — Multiple STP is enabled on the device. • Fast Link Status — Indicates whether Fast Link is enabled or disabled for the port or LAG. If Fast Link is enabled for a port, the port is automatically placed in the forwarding state.
To establish communications over a point-to-point link, the originating PPP first sends Link Control Protocol (LCP) packets to configure and test the data link. After a link is established and optional facilities are negotiated as needed by the LCP, the originating PPP sends Network Control Protocol (NCP) packets to select and configure one or more network layer protocols.
Defining Multiple Spanning Tree Multiple Spanning Tree (MSTP) provides differing load balancing scenarios. For example, while port A is blocked in one STP instance, the same port can be placed in the Forwarding state in another STP instance. The MSTP General Page contains information for defining global MSTP settings, including region names, MSTP revisions, and maximum hops.
• Bridge Priority — Specifies the selected spanning tree instance device priority. The field range is 0-61440. • Designated Root Bridge ID — Indicates the ID of the bridge with the lowest path cost to the instance ID. • Root Port — Indicates the selected instance’s root port.
• Port — Specifies the port for which the MSTP settings are displayed. • LAG — Specifies the LAG for which the MSTP settings are displayed. • STP Port Status — Indicates if STP is enabled on the port. The possible field values are:...
• Enabled — Enables the port for the specific instance. • Disabled — Disables the port for the specific instance. • Type — Indicates whether the port is a Boundary or Master port. The possible field values are: • Boundary Port — Indicates that the port is a Boundary port. A Boundary port attaches MST bridges to LANs in an outlying region.
This also provides a more secure and cleaner network environment. An IEEE VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs.
VLANs to which each end station should be assigned. If an end station (or its network adapter) supports the IEEE VLAN protocol, it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join.
Configuring VLANs
Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices. But you can still enable GVRP on these edge switches, as well as on the core switches in the network.
• Checked — Removes the selected VLAN. • Unchecked — Maintains VLANs. Web – Click Layer 2, VLAN, VLAN, Basic Information. Figure 3-103. VLAN Basic Information Page CLI – The following is an example of the VLAN Basic Information CLI commands: Console# show vlan 4-694 VLAN...
Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. The Current Table Page contains parameters for defining VLAN groups: Command Attributes •...
Name, and VLAN type fields, define the port settings, and click Apply.
Figure 3-104. Current Table Page
CLI – The following is an example of the CLI commands used to create VLANs:
Console(config)# vlan database 4-674...
• General — Indicates the port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full IEEE802.1q mode). • Access — Indicates a port belongs to a single untagged VLAN. When a port is in Access mode, the packet types which are accepted on the port cannot be designated.
Console(config-if)# switchport access multicast-tv vlan 20 4-699 Defining Customer Mapping for Multicast TV The Customer Multicast TV VLAN Page assigns ports to a Multicast TV VLAN. This is required for configuring and implementing the Triple Play functionality. Command Attributes • Interface — Defines the VLAN to which the ports are assigned.
Configure the port as Triple Play see Command Attributes • CPE VLAN — Indicates the CPE VLAN which is mapped to the Multicast TV VLAN. • Multicast TV VLAN — Indicates the CPE VLAN which is mapped to the Multicast TV VLAN.
VLANs can be grouped by MAC address, Subnets, and Protocols. Once a user logs on, the system attempts to classify the user by MAC address. If the user cannot be classified by MAC address, the system attempts to classify the user by Subnet. If the subnet classification is unsuccessful, the system attempts to classify the user by protocol.
Defining VLAN Groups
• Group ID – Defines the MAC based VLAN ID. The possible field range is 1 - 2147483647. • Remove — If checked, deletes the MAC-Based VLAN Group.
Web – Click Layer 2, VLAN, VLAN Groups, MAC-based VLAN Groups. Define the fields and click Apply.
The classification places the interface into a protocol group. Command Attributes • Protocol Value — User-defined protocol value. • Group ID – Defines the IP based VLAN ID. The possible field range is 1 - 2147483647. • Remove — If checked, deletes the Protocol Based VLAN Group.
Figure 3-110. Protocol Based Groups Page
CLI – The following is an example of the CLI commands used to create Protocol Based VLAN groups:
console(config)# vlan database 4-674
console(config-vlan)# map protocol protocols-group 4-678
console(config-vlan)# switchport general map protocols-group vlan...
• VLAN ID — Attaches the interface to a user-defined VLAN ID. VLAN group ports can either be attached to a VLAN ID or a VLAN name. The possible field range is 1-4093, and 4095 (4094 is not available for configuration).
GARP state. Leave time is activated by a Leave All Time message sent/received, and cancelled by the Join message received. Leave time must be greater than or equal to three times the join time. The default value is 60 centiseconds.
The GVRP Parameters Page is divided into port and LAG parameters. The field definitions are the same. Command Attributes • GVRP Global Status — Indicates if GVRP is enabled on the device. The possible field values are: • Enable — Enables GVRP on the selected device.
• Invalid Attribute Length—Displays the device GVRP Invalid Attribute Length statistics. • Invalid Event—Displays the device GVRP Invalid Event statistics. Web – Click Layer 2, VLAN, VLAN, GVRP Statistics. Enable or disable GVRP, define the fields, and click Apply. Figure 3-114. GVRP Statistics Page CLI –...
Defining VLAN Groups Join Empty Sent sJIn: Join In Sent sEmp : Empty Sent sLIn: Leave In Sent Leave Empty Sent sLA : Leave All Sent Port rJIn rEmp rLIn sJIn sEmp sLIn...
Although this approach reduces the network overhead required by a multicast server, the broadcast traffic must be carefully pruned at every multicast switch/router it passes through to ensure that traffic is only passed on to the hosts which subscribed to this service.
(VLAN). The user can set the IGMP Querier mode to either V2 or V3. (Default is V2). When working in IGMPv3 mode and detecting an IGMPv2 message, the switch will automatically change its mode to IGMPv2.
• Source IP address — Defines the interface source IP address from which queries are sent. • Auto Learn — Indicates if Auto Learn is enabled on the device. If Auto Learn is enabled, the device automatically learns where other Multicast groups are located.
• D — Dynamically joins ports/LAG to the Multicast group in the Current Row. • S — Attaches the port to the Multicast group as static member in the Static Row. The port/LAG has joined the Multicast group statically in the Current Row.
Multicast frames are flooded to all ports in the relevant VLAN. Disabled is the default value. • VLAN ID — Identifies a VLAN and contains information about the Multicast group address. • Bridge Multicast Address — Identifies the Multicast group MAC address/IP address.
The following table summarizes the Multicast settings which can be assigned to ports in the Multicast Forward All Page: • D — Attaches the port to the Multicast router or switch as a dynamic port. • S — Attaches the port to the Multicast router or switch as a static port.
VLAN, eliminating television traffic duplication. Ports which receive Multicast Transmissions, or Receiver Ports, can be defined in any VLAN, and not just in the Multicast VLAN. Receiver ports can only receive Multicast transmissions, they cannot initiate a Multicast TV transmission.
Web – Click Layer 2, Multicast, Multicast TV, IGMP Snooping Mapping, click Add, define the fields, and click Apply.
Figure 3-119. IGMP Snooping Mapping Page
CLI – The following is an example of the Multicast Forward All CLI commands:
console(config)# interface ethernet 1/e21
console(config-if)# switchport access multicast-tv vlan VLAN_ID VLAN ID...
Configuring the Switch Command Attributes • Multicast TV VLAN ID — Indicates the Multicast VLAN ID to which the source ports and receiver ports are members. • Receiver Ports — Indicates the port on which Multicast TV transmissions are received.
Each subscriber on a network maintains a Customer Premise Equipment Multi-Connect (CPE MUX) box. The MUX boxes direct network traffic from uplink ports to MUX access ports. MUX access ports are based on VLAN tags located in packet headers. Service provider’s packets are tagged twice. Each packet has an internal tag and an external tag.
(ACE) is composed of a single classification rule and its action. A single ACL may contain one or more ACEs. The order of the ACEs within an ACL is important, as they are applied in a first-fit manner. The ACEs are processed sequentially, starting with the first ACE. When a packet is matched to an ACE classification, the ACE action is performed and the ACL processing terminates.
(see “Advanced QoS Mode”). • Simple — In the simple form, a single (MAC or IP) ACL is applied to an interface. Although a policy cannot be applied to an interface, it is possible to apply basic QoS rules that classify packets to output queues (see “Basic QoS Mode”).
is treated as if it had arrived with this tag. The VPT mapping to the output queue is based on the same user-defined 802.1p tag-based definitions. • DSCP — The user can configure the system to use the IP DSCP of the incoming packet to the output priority queues.
VPT tag than that with which they ingressed. Packets are always assigned a VPT tag of 0 or 1 at the egress. When using trust VPT this caveat does not exist, and packets egress with the same VPT with which they ingressed.
Web – Click Policy, General QoS, General, CoS Mode, define the fields, and click Apply.
Figure 3-121. CoS Mode Page
CLI – The following is an example of the CLI commands used to enable QoS:
Console(config)# qos
Defining Global Queue Settings
The Queue Priority Page contains fields for defining the QoS queue forwarding types.
Web – Click Policy, General QoS, General, Queue Priority. Define the fields, and click Apply.
Figure 3-122. Queue Priority Page
CLI – The following is an example of the CLI commands used to enable QoS:
console(config)# priority-queue out num-of-queues 4
• Status — Enables or Disables rate limiting for ingress interfaces. Disable is the default value. • Rate Limit — Defines the rate limit for ingress ports. The possible field values are: Interface Rate 70 Kbps - 1 Gbps, depending on the maximum port speed.
QoS rate limiting has priority over VLAN rate limiting. For example, if a packet is subject to QoS rate limits but is also subject to VLAN rate limiting, and the rate limits conflict, the QoS rate limits take precedence.
Command Attributes • Class of Service — Specifies the VLAN (CoS) priority tag values, where zero is the lowest and 8 is the highest. • Queue — Defines the traffic forwarding queue to which the CoS priority is mapped.
Configuring Quality of Service
Figure 3-125. CoS to Queue Page
CLI – The following is an example of the CLI commands used to map CoS values to forwarding queues:
Console(config)# wrr-queue cos-map 2 7
Mapping DSCP Values to Queues
The DSCP Priority Page contains fields for classifying DSCP settings to traffic queues.
Packets entering a QoS domain are classified at the edge of the QoS domain. Command Attributes • Trust Mode — Selects the trust mode. If a packet’s CoS tag and DSCP tag are mapped to different queues, the Trust mode determines the queue to which the packet is assigned.
Figure 3-127. QoS General Page
CLI – The following is an example of the CLI commands used to configure QoS Basic Mode’s general parameters:
Console(config)# qos trust dscp
Defining QoS DSCP Rewriting Settings
The DSCP Rewrite Page allows network administrators to rewrite DSCP values.
Figure 3-128. DSCP Rewrite Page
CLI – The following is an example of the CLI commands used to rewrite DSCP values:
Console(config)# qos dscp-mutation
Defining QoS DSCP Mapping Settings
When traffic exceeds user-defined limits, use the DSCP Mapping Page to configure the DSCP tag to use in place of the incoming DSCP tags.
Command Attributes • Class-Map Name — Displays the user-defined name of the class map. • Preferred ACL — Indicates if packets are first matched to an IP based ACL or a MAC based ACL. • ACL 1 — Contains a list of the user defined ACLs.
Console(config-cmap)# match access-group royrogers
Defining Policies
A policy is a collection of classes, each of which is a combination of a class map and a QoS action to apply to matching traffic. Classes are applied in a first-fit manner within a policy.
• Ingress Committed Burst Size (CBS) — CBS in bytes per second. This field is only relevant when the Police value is Single. • Exceed Action — Action assigned to incoming packets when limits (CIR) are exceeded.
Viewing the Policy Table The Policy Table Page provides parameters for defining policies. Command Attributes • Policy Name — Contains a list of user-defined policies that can be attached to the interface. • Remove — Removes policies. • Checked — Removes the selected policies.
Figure 3-133. Policy Table Page
Adding a Policy
In addition to the fields in the Policy Table Page, the Add Policy Table Page contains the following fields: • Class Map — Selects a class map for the class.
• Ingress Committed Burst Size (CBS) — CBS in bytes per second. This field is only relevant when the Police value is Single. • Exceed Action — Action assigned to incoming packets exceeding the CIR. This field is only relevant when the Police value is Single. Possible values are: •...
LAGs — Displays the LAGs and their policy names. The Policy Binding table contains the following fields: • Interface — Selects an interface. • Policy Name — Contains a list of user-defined policies that can be attached to the interface. • Remove — Removes policies.
Web – Click Policy, Advanced Mode, Policy Profile, Policy Binding. Define the fields, and click Apply.
Figure 3-135. Policy Binding Page
CLI – The following is an example of the CLI commands used to bind policies:
Console# show policy-map
When enabling and configuring Loopback Detection:
• Enable Loopback Detection system wide.
• Enable Loopback Detection on access ports.
• If the STP mode is set to Multiple Spanning Tree, Loopback Detection can only be enabled on interfaces where STP is disabled.
• Enable Auto-Recovery.
CLI – The following is an example of the CLI command used to display Loop Detection information:
Console> show loopback-detection
Loopback detection: Enabled
Mode: src-mac-addr
LBD packets interval: 30 Seconds
Interface Loopback Detection Enabled Enabled Enabled Disabled0...
Web – Click Layer2, Loopback Detection, Properties. Define the fields, and click Apply.
Figure 3-137. Loopback Detection Properties Page
CLI – The following is an example of the CLI commands used to configure LBD globally:
Console (config)# loopback-detection enable
Modify Loopback Detection Interface Settings Page The Modify Loopback Detection Interface Settings Page contains the following fields: • Interface — Select the interface for which the Loopback Detection information is displayed. The possible field values are: – Port — Select the port for which the Loopback Detection information is displayed.
Configuring Loopback Detection
Figure 3-139. Modify Loopback Detection Interface Settings Page
CLI – The following is an example of the CLI commands used to configure LBD on a specific interface:
Console (config)# interface ethernet 1/e1
Console (config-if)# loopback-detection enable...
IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion.
Using the Command Line Interface
To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0...
Command Completion If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “logging history” example, typing log followed by a tab will result in printing the command up to “logging.”...
Entering Commands
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, DHCP, Interface, Line, VLAN Database, or MSTP).
Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode. You can always enter a question mark “?” at the prompt to display a list of the commands available for the...
VLAN Database * You must be in Privileged Exec mode to access the Global Configuration mode. You must be in Global Configuration mode to access any of the other configuration modes. Exec Commands When you open a new console session on the switch with the user name and password “guest,”...
Global Configuration commands.
Console#configure
Console(config)#
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Table 4-2. Configuration Command Modes...
You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches. You can also use the following editing keystrokes for command-line processing: Table 4-3.
Command Line Interface
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 4-4. Command Groups
Command Group | Description | Page
802.1x Commands | Configures Port based authentication for authenticating system users on a per-port basis via an external server. | 4-268
IP Routing Configures static and dynamic unicast routing Multicast Routing Configures multicast routing protocols DVMRP and PIM-DM The access mode shown in the following tables is indicated by these abbreviations: NE (Normal Exec) IC (Interface Configuration) PE (Privileged Exec) LC (Line Configuration)
Specifies one or more authentication, authorization, and 4-269 dot1x accounting (AAA) methods for use on interfaces running IEEE 802.1X. To return to the default configuration, use the no form of this command dot1x Enables 802.1x globally. To return to the default configuration, use...
VLAN, use the no form of this command. dot1x multiple-hosts Enables multiple hosts (clients) on an 802.1X-authorized port, 4-286 where the authorization state of the port is set to auto. To return to the default configuration, use the no form of this command dot1x...
Command Usage Additional methods of authentication are used only if the previous method returns an error and not if the request for authentication is denied. To ensure that authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Command Usage It is recommended to disable spanning tree or to enable spanning-tree PortFast mode on 802.1x edge ports (ports in auto state that are connected to end stations), in order to get immediately to the forwarding state after successful authentication.
The dot1x re-authentication Interface Configuration mode command enables periodic re-authentication of the client. To return to the default configuration, use the no form of this command. Syntax dot1x re-authentication no dot1x re-authentication Default Setting Periodic re-authentication is disabled.
The dot1x timeout re-authperiod Interface Configuration mode command sets the number of seconds between re-authentication attempts. To return to the default configuration, use the no form of this command. Syntax dot1x timeout re-authperiod seconds...
The dot1x timeout quiet-period Interface Configuration mode command sets the number of seconds that the device remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password). To return to the default configuration, use the no form of this command.
Parameters
• seconds — Specifies the time in seconds that the device remains in the quiet state following a failed authentication exchange with the client. (Range: 0 - 65535 seconds)
Default Setting
Quiet period is 60 seconds.
Command Mode...
resending the request. To return to the default configuration, use the no form of this command.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
Parameters
• seconds — Specifies the time in seconds that the device waits for a response to an EAP-request/identity frame from the client before resending the request.
The default number of times is 2.
Command Mode
Interface Configuration (Ethernet) mode
Command Usage
The default value of this command should be changed only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Example
The following example sets the number of times that the device sends an EAP-request/identity frame to 6.
frame to the client. To return to the default configuration, use the no form of this command.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
Parameters
• seconds — Time in seconds that the device waits for a response to an EAP-request frame from the client before resending the request.
Syntax dot1x timeout server-timeout seconds no dot1x timeout server-timeout Parameters • seconds — Time in seconds that the device waits for a response from the authentication server. (Range: 1-65535 seconds) Default Configuration The timeout period is 30 seconds. Command Mode...
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the status of 802.1X-enabled Ethernet ports. Console# show dot1x 802.1x is enabled Port Admin Mode Oper Mode...
Username The username representing the identity of the Supplicant. This field shows the username in case the port control is auto. If the port is Authorized, it shows the username of the current user. If the port is unauthorized it shows the last user that was authenticated successfully.
Tx period: The number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP)-request/identity frame from the client before resending the request.
Max req: The maximum number of times that the device sends an...
The port number. Username The username representing the identity of the Supplicant. Session Time The period of time the Supplicant is connected to the system. Authentication Method Authentication method used by the Supplicant to open the session. MAC Address MAC address of the Supplicant.
The show dot1x statistics Privileged EXEC mode command displays 802.1X statistics for the specified interface. Syntax show dot1x statistics ethernet interface Parameters • interface — Valid Ethernet port. (Full syntax: unit/port) Default Configuration This command has no default configuration.
InvalidEapolFramesRx: EapLengthErrorFramesRx: LastEapolFrameVersion: LastEapolFrameSource: 00:08:78:32:98:78
The following table describes the significant fields shown in the display:
Field | Description
EapolFramesRx | The number of valid EAPOL frames of any type that have been received by this Authenticator.
EapolFramesTx | The number of EAPOL frames of any type that have been transmitted by this Authenticator.
The dot1x multiple-hosts Interface Configuration mode command enables multiple hosts (clients) on an 802.1X-authorized port, where the authorization state of the port is set to auto. To return to the default configuration, use the no form of this command. Syntax...
MAC address only. For unauthenticated VLANs multiple hosts are always enabled. Port security cannot be enabled on a port if multiple hosts are disabled or multiple hosts are enabled with authentication per host.
Related Commands
dot1x multiple-hosts
show dot1x advanced
dot1x guest-vlan
The dot1x guest-vlan Interface Configuration mode command defines a guest VLAN. To return to the default configuration, use the no form of this command.
Syntax
dot1x guest-vlan
no dot1x guest-vlan
Default Setting
No VLAN is defined as a guest VLAN.
If the guest VLAN is defined and enabled, the port automatically joins the guest VLAN when the port is unauthorized and leaves it when the port becomes authorized. To be able to join or leave the guest VLAN, the port should not be a static member of the guest VLAN.
The dot1x mac-authentication Interface Configuration command enables authentication based on the station’s MAC address. Use the no form of this command to disable MAC authentication. Syntax dot1x mac-authentication {mac-only | mac-and-802.1x} no dot1x mac-authentication Parameters •...
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Examples The following examples display 802.1X advanced features for the device. Switch# show dot1x advanced Guest VLAN: 3978 Unauthenticated VLANs: 91,92 Port Multiple Hosts...
Related Commands
dot1x auth-not-req
dot1x multiple-hosts
dot1x single-host-violation
dot1x guest-vlan
dot1x guest-vlan enable...
To return to the default configuration, use the no form of this command. login authentication Specifies the login authentication method list for a remote telnet or 4-296 console. To return to the default configuration specified by the aaa authentication login command, use the no form of this command.
Uses the list of all TACACS+ servers for authentication. Default Setting The local user database is checked. This has the same effect as the command aaa authentication login list-name local. Note: On the console, login succeeds without any authentication check if the authentication method is not defined.
"$enabx$." where x is the privilege level. Default Setting If the default list is not set, only the enable password is checked. This has the same effect as the command aaa authentication enable default enable. On the console, the enable password is used if it exists. If no password is set, the process still succeeds.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
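The fallback rule above, which the guide also states for 802.1X method lists, modeled as an added Python example; it is not code from the switch or from this guide. The account data and the behaviour of each stand-in method are constructed assumptions, and the last helper is a simple audit check for lists that end in none.

```python
"""Model of method-list fallback: the next method runs only on ERROR, never on REJECT."""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"   # method answered: credentials are valid
    REJECT = "reject"   # method answered: credentials are invalid
    ERROR = "error"     # method could not answer (e.g. server unreachable)


def make_checker(accounts, reachable=True):
    """Build a method backed by a user->password dict (constructed stand-in
    for a RADIUS/TACACS+ server or the local user database)."""
    def check(user, password):
        if not reachable:
            return Result.ERROR
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return check


def none_method(user, password):
    """The 'none' method: no check is performed, so it always accepts."""
    return Result.ACCEPT


def authenticate(method_list, user, password):
    """Walk the list in order. Returns (granted, name_of_deciding_method)."""
    for name, method in method_list:
        result = method(user, password)
        if result is Result.ACCEPT:
            return True, name
        if result is Result.REJECT:
            return False, name      # a denial is final: no fallback
        # Result.ERROR: fall through to the next method in the list
    return False, None              # every method errored and nothing is left


def lists_ending_in_none(config):
    """Audit helper: names of method lists whose final method is 'none'."""
    return sorted(n for n, methods in config.items() if methods and methods[-1] == "none")


def demo():
    """Run the constructed scenarios and return their outcomes by name."""
    server = {"alice": "S3rverPass"}                        # constructed accounts
    local_db = {"alice": "L0calPass", "admin": "L0calAdmin"}
    radius_up = make_checker(server)
    radius_down = make_checker(server, reachable=False)
    local = make_checker(local_db)
    return {
        # Server is up and rejects: the local database is never consulted.
        "reject_is_final": authenticate(
            [("radius", radius_up), ("local", local)], "alice", "L0calPass"),
        # Server is down: the error lets the local database decide.
        "error_falls_back": authenticate(
            [("radius", radius_down), ("local", local)], "alice", "L0calPass"),
        # Server is down and nothing follows it: nobody can log in.
        "all_errors_no_fallback": authenticate(
            [("radius", radius_down)], "alice", "S3rverPass"),
        # Server is down with 'none' last: any name and password is accepted.
        "outage_with_none": authenticate(
            [("radius", radius_down), ("none", none_method)], "mallory", "anything"),
        # Server is up with 'none' last: the server's rejection still stands.
        "none_unused_when_server_up": authenticate(
            [("radius", radius_up), ("none", none_method)], "mallory", "anything"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
    print(lists_ending_in_none({"default": ["radius", "local"], "console": ["radius", "none"]}))
```

A list that ends in none trades lockout during a server outage for unauthenticated access during that same outage, so it is worth flagging wherever it appears on a remotely reachable line.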
The enable authentication Line Configuration mode command specifies the authentication method list when accessing a higher privilege level from a remote telnet or console. To return to the default configuration specified by the aaa authentication enable command, use the no form of this command.
Uses the list of all RADIUS servers for authentication. tacacs Uses the list of all TACACS+ servers for authentication. Default Setting The local user database is checked. This has the same effect as the command ip http authentication local. Command Mode Global Configuration mode...
Uses the list of all RADIUS servers for authentication. tacacs Uses the list of all TACACS+ servers for authentication. Default Setting The local user database is checked. This has the same effect as the command ip https authentication local. Command Mode Global Configuration mode...
Default Setting This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the authentication configuration. Console# show authentication methods Login Authentication Method Lists ---------------------------------...
Syntax
enable password [level level] password [encrypted]
no enable password [level level]
Parameters
• password — Password for this level (Range: 1-159 characters).
• level — Level for which the password applies. If not specified the level is 15...
Global Configuration mode
Command Usage
There are no user guidelines for this command.
Example
The following example sets local level 15 password secret to control access to user and privilege levels.
Console(config)# enable password level 15 secret
Related Commands
show privilege...
AAA Commands
Example
The following example configures user bob with password lee and user level 15 to the system.
Console(config)# username bob password lee level 15
Related Commands
show privilege
show users accounts
The show users accounts Privileged EXEC mode command displays information about the local user database.
Lockout: If lockout control is enabled, specifies the number of failed authentication attempts since the user last logged in successfully. If the user account is locked, specifies LOCKOUT.
• name — Specifies the name of the ACL. Default Setting The default for all ACLs is deny-all. Command Mode Global Configuration mode Command Usage Up to 1018 rules can be defined on the device, depending on the type of rule defined.
• destination — Specifies the destination IP address of the packet. Specify any to indicate IP address 0.0.0.0 and mask 255.255.255.255. • destination-wildcard — Specifies wildcard to be applied to the destination IP address. Use 1s in bit positions to be ignored. Specify any to indicate IP...
ACL Commands
address 0.0.0.0 and mask 255.255.255.255.
• protocol — Specifies the abbreviated name or number of an IP protocol. (Range: 0-255) The following table lists protocols that can be specified:
IP Protocol | Abbreviated Name | Protocol Number
Internet Control Message Protocol...
• list-of-flags — Specifies a list of TCP flags that can be triggered. If a flag is set, it is prefixed by “+”. If a flag is not set, it is prefixed by “-”. Possible values: +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin.
• disable-port — Specifies the ethernet interface is disabled if the condition is matched. • source — Specifies the IP address or host name from which the packet was sent. Specify any to indicate IP address 0.0.0.0 and mask 255.255.255.255.
• flags list-of-flags — List of TCP flags that should occur. If a flag should be set it is prefixed by "+". If a flag should be unset it is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin.
Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the defined conditions are denied.
• source-wildcard — Specifies wildcard bits to be applied to the source MAC address. Use 1s in bit positions to be ignored. • destination — Specifies the MAC address of the host to which the packet is being sent. • destination-wildcard — Specifies wildcard bits to be applied to the destination MAC address.
Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the conditions defined in the permit statement are denied.
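The behaviour described above for IP ACLs and repeated here for MAC ACLs (ACEs applied first-fit, wildcard bits where 1 means ignore, all packets permitted until the first ACE exists and an implied deny-any-any afterwards), as an added Python model that uses IPv4 addresses; it is not code from the switch or from this guide. The Ace class, the sample rules and the shadowed-rule check are assumptions made for illustration.

```python
"""Model of first-fit ACL evaluation with wildcard masks (not switch firmware)."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str                     # wildcard: 1 bits are ignored
    dst: str = "0.0.0.0"            # default destination is "any":
    dst_wc: str = "255.255.255.255"  # address 0.0.0.0, mask 255.255.255.255


def wildcard_match(addr, base, wildcard):
    """Compare only the bit positions where the wildcard has a 0."""
    care = ~_ip(wildcard) & ALL_ONES
    return (_ip(addr) & care) == (_ip(base) & care)


def evaluate(acl, src, dst):
    """Return (action, index of the deciding ACE, or 'implicit', or None)."""
    if not acl:
        return "permit", None       # no ACE added yet: all packets are permitted
    for index, ace in enumerate(acl):
        if (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            return ace.action, index  # first fit: processing stops here
    return "deny", "implicit"       # implied deny-any-any at the end of the list


def _covers(base_a, wc_a, base_b, wc_b):
    """True if pattern A matches every address that pattern B matches."""
    care_a = ~_ip(wc_a) & ALL_ONES
    b_ignores_only_what_a_ignores = (_ip(wc_b) & care_a) == 0
    return b_ignores_only_what_a_ignores and (_ip(base_a) & care_a) == (_ip(base_b) & care_a)


def shadowed_aces(acl):
    """(later_index, earlier_index) pairs where the later ACE can never match
    because an earlier ACE already matches everything it describes."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if (_covers(earlier.src, earlier.src_wc, later.src, later.src_wc)
                    and _covers(earlier.dst, earlier.dst_wc, later.dst, later.dst_wc)):
                found.append((j, i))
                break
    return found


# Constructed sample rules; the addresses are illustrative only.
SAMPLE_ACL = [
    Ace("permit", "10.1.0.0", "0.0.255.255"),    # any host in 10.1.x.x, to any
    Ace("deny", "10.1.5.0", "0.0.0.255"),        # intended block, but never reached
    Ace("permit", "192.168.1.10", "0.0.0.0", "10.1.0.254", "0.0.0.0"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "10.1.5.7", "198.51.100.9"))     # permitted by ACE 0
    print(evaluate(SAMPLE_ACL, "192.168.1.11", "10.1.0.254"))   # implicit deny
    print(shadowed_aces(SAMPLE_ACL))                            # ACE 1 hidden by ACE 0
```

Moving the narrower deny ahead of the broader permit makes it effective, which is why the order of ACEs is worth reviewing after every change.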
placing 1s in bit positions to be ignored. • destination — Specifies the MAC address of the host to which the packet is being sent. • destination-wildcard — (Optional for the first type) Specifies wildcard bits by placing 1s in bit positions to be ignored.
show access-lists
service-acl
The service-acl Interface Configuration mode command applies an ACL to the input interface. To detach an ACL from an input interface, use the no form of this command.
Syntax
service-acl {input acl-name}
no service-acl {input}
Parameters
•...
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays ACLs applied to the interfaces of a device: Console# show interfaces access-lists Interface Input ACL...
Configures the maximum number of addresses that can be 4-327 learned on the port while the port is in port security mode. To return to the default configuration, use the no form of this command. port security routed Adds a MAC-layer secure address to a routed port.
• mac-address — A valid MAC address. • interface — A valid Ethernet port. • port-channel-number — A valid port-channel number. • permanent — The address can only be deleted by the no bridge address command. • delete-on-reset — The address is deleted after reset.
If multicast devices exist on the VLAN, do not change the unregistered multicast addresses state to drop on the switch ports. If multicast devices exist on the VLAN and IGMP-snooping is not enabled, the bridge multicast forward-all command should be used to enable forwarding all multicast packets to the multicast switches.
| port-channel port-channel-number-list} no bridge multicast address {mac-multicast-address} Parameters • add — Adds ports to the group. If no option is specified, this is the default option. • remove — Removes ports from the group. • mac-multicast-address — A valid MAC multicast address.
• interface-list — Separate nonconsecutive Ethernet ports with a comma and no spaces; hyphen is used to designate a range of ports. • port-channel-number-list — Separate nonconsecutive valid port-channels with a comma and no spaces; a hyphen is used to designate a range of port-channels. Default Setting No forbidden addresses are defined.
• interface-list — Separate nonconsecutive Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports. • port-channel-number-list — Separate nonconsecutive port-channels with a comma and no spaces; a hyphen is used to designate a range of port-channels. Default Setting This setting is disabled.
• interface-list — Separates nonconsecutive Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports. • port-channel-number-list — Separates nonconsecutive port-channels with a comma and no spaces; a hyphen is used to designate a range of port-channels. Default Setting This setting is disabled.
Address Table Commands
bridge aging-time
The bridge aging-time Global Configuration mode command sets the address table aging time. To restore the default configuration, use the no form of this command.
Syntax
bridge aging-time seconds
no bridge aging-time
Parameters
• seconds — Time in seconds. (Range: 10-630 seconds)
Default Setting
The default is 300 seconds.
• discard-shutdown — Discards packets with unlearned source addresses. The port is also shut down. • seconds — Sends SNMP traps and defines the minimum amount of time in seconds between consecutive traps. (Range: 1-1000000) Default Setting This setting is disabled.
The port security max Interface Configuration (Ethernet, port-channel) mode command configures the maximum number of addresses that can be learned on the port while the port is in port security mode. To return to the default configuration, use the no form of this command.
The command enables adding secure MAC addresses to a routed port in port security mode. The command is available when the port is a routed port and in port security mode. The address is deleted if the port exits the security mode or is not a routed port.
Command Usage Internal usage VLANs (VLANs that are automatically allocated on ports with a defined Layer 3 interface) are presented in the VLAN column by a port number and not by a VLAN ID. "Special" MAC addresses that were not statically defined or dynamically learned are displayed in the MAC address table.
Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example In this example, all static entries in the bridge-forwarding database are displayed. Console# show bridge address-table static Aging time is 300 sec Vlan Mac Address...
Privileged EXEC mode Command Usage There are no user guidelines for this command. Example In this example, the number of addresses present in all VLANs is displayed. Console# show bridge address-table count This may take some time. Capacity : 8192...
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage A MAC address can be displayed in IP format only if it is in the range of 0100.5e00.0000-0100.5e7f.ffff. Example In this example, multicast MAC address and IP address table information is displayed.
[vlan vlan-id] [address mac-multicast-address | ip-multicast-address] [source ip-address] Parameters • vlan-id — Indicates the VLAN ID. This has to be a valid VLAN ID value. • mac-multicast-address — A valid MAC multicast address. • ip-multicast-address — A valid IP multicast address.
This command has no default configuration. Command Mode User EXEC mode Command Usage There are no user guidelines for this command. Example In this example, the multicast configuration for VLAN 1 is displayed. Console# show bridge multicast filtering 1 Filtering: Enabled VLAN: 1 Port Forward-Unregistered...
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example In this example, all classes of entries in the port-lock status are displayed: Console# show ports security Port Status Learning Action...
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Examples In this example, dynamic addresses in currently locked ports are displayed. Console# show ports security addresses Port Status Learning Current...
In this example, dynamic addresses in currently locked port 1/e1 are displayed. Console# show ports security addresses ethernet 1/e1 Port Status Learning Current Maximum ---- -------- -------- ------- ------- 1/e1 Disabled Lock...
EXEC mode. lldp optional-tlv The lldp optional-tlv Interface Configuration (Ethernet) mode command specifies which optional TLVs from the basic set should be transmitted. To revert to the default setting, use the no form of this command. Syntax lldp optional-tlv tlv1 [tlv2 …...
The lldp med enable Interface Configuration (Ethernet) mode command enables the Link Layer Discovery Protocol (LLDP) Media Endpoint Discovery (MED) on an interface. To disable LLDP MED on an interface, use the no form of this command. Syntax lldp med enable [tlv1 … tlv3]...
Command Line Interface lldp med network-policy (global) The lldp med network-policy Global Configuration mode command defines the LLDP MED network policy. To remove LLDP MED network policy, use the no form of this command. Syntax lldp med network-policy number application [vlan id] [vlan-type {tagged |...
Interface Configuration (Ethernet) mode Command Usage There are no guidelines for this command. Example In this example, an LLDP MED network policy is attached to an Ethernet port. Console (config)# interface ethernet 1/e1 Console (config-if)# lldp med network-policy 1 lldp med location...
Interface Configuration (Ethernet) mode Command Usage There are no guidelines for this command. Example In this example, the LLDP MED location information for an Ethernet port is specified as civic-address. Console (config)# interface ethernet 1/e1 Console (config-if)# lldp med location civic-address a1:b2:c3:d4:e5:ff...
LLDP Commands Command Usage There are no guidelines for this command. Example In this example, the LLDP configuration is displayed for an Ethernet port. Console# show lldp configuration ethernet 1/e1 Timer: 30 Seconds Hold multiplier: 4 Reinit delay: 2 Seconds...
---------- ---------- Network Policies: 1 show lldp local The show lldp local Privileged EXEC mode command displays the Link Layer Discovery Protocol (LLDP) information that is advertised from a specific port. Syntax show lldp local ethernet interface Parameters •...
Power priority: High Power value: 9.6 Watts LLDP-MED Location Coordinates: 54:53:c1:f7:51:57:50:ba:5b:97:27:80:00:00:67:01 show lldp neighbors The show lldp neighbors Privileged EXEC mode command displays information about neighboring devices discovered using Link Layer Discovery Protocol (LLDP). Syntax show lldp neighbors [ethernet interface] Parameters •...
DSCP: 0 LLDP-MED Power over Ethernet Device Type: Power Device Power source: Primary power Power priority: High Power value: 9.6 Watts LLDP-MED Inventory Hardware revision: 2.1 Firmware revision: 2.3 Software revision: 2.7.1 Location information, if it exists, should be displayed too.
The following table describes significant LLDP fields:
Field: Description
Port: The port number.
Device ID: The configured ID (name) or MAC address of the neighbor device.
Port ID: The port ID of the neighbor device.
Hold time: The remaining amount of time, in seconds, the current device will hold the LLDP advertisement from the neighbor device before discarding it.
Critical, High and Low. Power value Indicates the total power in watts required by a PD device from a PSE device, or the total power a PSE device is capable of sourcing over a maximum length cable based on its current configuration.
“Hello” packets to determine that it is still present. • Passive — A port enters this state if there is no response to a Discovery “hello” packet. This is a receive-only state and no “Hello” packets are transmitted. If a “Hello”...
amap discovery time The time (in seconds) that switch ports in the Discovery state wait for a response to a “Hello” packet from an adjacent switch. Syntax amap discovery time seconds no amap discovery time Parameters • seconds — Discovery transmission timeout value in seconds...
(hh: 0 - 23, mm: 0 - 59, ss: 0 - 59). • day — Current day (by date) in the month (1 - 31). • month — Current month using the first three letters by name (Jan, …, Dec). • year — Current year (2000 - 2097).
clock source The clock source Global Configuration mode command configures an external time source for the system clock. Use the no form of this command to disable the external time source. Syntax clock source {sntp} no clock source Parameters •...
The clock summer-time Global Configuration mode command configures the system to automatically switch to summer time (daylight saving time). To configure the software not to automatically switch to summer time, use the no form of this command. Syntax...
All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is chronologically after the ending month, the system assumes that you are in the southern hemisphere.
The sntp authenticate Global Configuration mode command grants authentication for received Simple Network Time Protocol (SNTP) traffic from servers. To disable the feature, use the no form of this command. Syntax sntp authenticate...
The sntp trusted-key Global Configuration mode command authenticates the identity of a system to which Simple Network Time Protocol (SNTP) will synchronize. To disable authentication of the identity of the system, use the no form of this command. Syntax...
Command Mode Global Configuration mode Command Usage The command is relevant for both received unicast and broadcast. If there is at least 1 trusted key, then unauthenticated messages will be ignored. Example The following example authenticates key 8. Console(config)# sntp authentication-key 8 md5 ClkKey...
Example The following example sets the polling time for the Simple Network Time Protocol (SNTP) client to 120 seconds. Console(config)# sntp client poll timer 120 Related Commands sntp authentication-key sntp authenticate sntp trusted-key sntp broadcast client enable...
The sntp anycast client enable Global Configuration mode command enables SNTP anycast client. To disable the SNTP anycast client, use the no form of this command. Syntax sntp anycast client enable...
The sntp unicast client enable Global Configuration mode command enables the device to use the Simple Network Time Protocol (SNTP) to request and accept SNTP traffic from servers. To disable requesting and accepting SNTP traffic from servers, use the no form of this command.
Clock Commands Example The following example enables the device to use the Simple Network Time Protocol (SNTP) to request and accept SNTP traffic from servers. Console(config)# sntp unicast client enable Related Commands sntp authentication-key sntp authenticate sntp trusted-key sntp client poll timer...
The sntp server Global Configuration mode command configures the device to use the Simple Network Time Protocol (SNTP) to request and accept SNTP traffic from a specified server. To remove a server from the list of SNTP servers, use the no form of this command.
Related Commands sntp anycast client enable sntp unicast client enable show clock The show clock User EXEC mode command displays the time and date from the system clock. Syntax show clock [detail] Parameters • detail — Shows timezone and summertime configuration.
Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the current SNTP configuration of the device. Console# show sntp configuration Polling interval: 7200 seconds MD5 Authentication keys: 8, 9 Authentication is required for synchronization.
(Interface) sntp unicast client enable show sntp status The show sntp status Privileged EXEC mode command shows the status of the Simple Network Time Protocol (SNTP). Syntax show sntp status Default Setting This command has no default configuration.
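The SNTP authentication commands above (sntp authentication-key, sntp trusted-key, sntp authenticate and the client enable commands) only protect time synchronization when they are consistent with each other. The following Python audit is an added example, not part of the Alcatel guide; the numeric argument form of sntp trusted-key and both sample configurations are assumptions constructed for illustration.

```python
"""Audit the SNTP authentication commands in a switch configuration dump."""
import re

# CLI prompt as printed in the guide's examples, e.g. "Console(config)# ".
PROMPT = re.compile(r"^Console\s*(\([^)]*\))?#\s*")
KEY_DEF = re.compile(r"^sntp authentication-key (\d+)(?: md5 (\S+))?$")
# Assumption: 'sntp trusted-key' takes the key number as its argument.
TRUSTED = re.compile(r"^sntp trusted-key (\d+)$")
CLIENT = re.compile(r"^sntp (unicast|broadcast|anycast) client enable$")

# Constructed sample input: keys defined but never trusted, authentication off.
WEAK_CONFIG = """\
sntp authentication-key 8 md5 ClkKey
sntp authentication-key 9 md5 OtherKey
sntp trusted-key 7
sntp unicast client enable
sntp broadcast client enable
"""

# Constructed sample input: a pasted CLI session with consistent settings.
HARDENED_CONFIG = """\
Console(config)# sntp authentication-key 8 md5 ClkKey
Console(config)# sntp trusted-key 8
Console(config)# sntp authenticate
Console(config)# sntp unicast client enable
"""


def _apply(target, item, negate):
    """Add item to the set, or remove it when the 'no' form was used."""
    if negate:
        target.discard(item)
    else:
        target.add(item)


def parse_sntp(config_text):
    """Replay the SNTP lines in order and return the resulting state."""
    state = {"authenticate": False, "keys": set(),
             "trusted": set(), "clients": set()}
    for raw in config_text.splitlines():
        # Drop the prompt and normalise whitespace before matching.
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        negate = line.startswith("no ")
        if negate:
            line = line[3:]
        if line == "sntp authenticate":
            state["authenticate"] = not negate
        elif m := CLIENT.match(line):
            _apply(state["clients"], m.group(1), negate)
        elif m := TRUSTED.match(line):
            _apply(state["trusted"], int(m.group(1)), negate)
        elif m := KEY_DEF.match(line):
            if negate or m.group(2):  # a definition needs its md5 value
                _apply(state["keys"], int(m.group(1)), negate)
    return state


def audit_sntp(config_text):
    """Return (code, message) findings for inconsistent SNTP authentication."""
    st = parse_sntp(config_text)
    findings = []
    if not st["clients"]:
        return findings  # no SNTP client mode is enabled in this dump
    modes = ", ".join(sorted(st["clients"]))
    if not st["authenticate"]:
        findings.append(("AUTH_DISABLED",
                         f"'sntp authenticate' is absent while client "
                         f"mode(s) {modes} are enabled"))
    if not st["trusted"]:
        findings.append(("NO_TRUSTED_KEY",
                         "no trusted key is set, so the rule that ignores "
                         "unauthenticated messages does not apply"))
    for key in sorted(st["trusted"] - st["keys"]):
        findings.append(("TRUSTED_KEY_UNDEFINED",
                         f"trusted key {key} has no "
                         f"'sntp authentication-key' definition"))
    for key in sorted(st["keys"] - st["trusted"]):
        findings.append(("KEY_NOT_TRUSTED",
                         f"key {key} is defined but not trusted"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_sntp(text)
        print(f"{name}: {len(results)} finding(s)")
        for code, message in results:
            print(f"  {code}: {message}")
```

Comparing the result with the output of show sntp configuration, which lists the MD5 authentication keys and whether authentication is required for synchronization, confirms that the device state matches the audited file.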
Displays the contents of the currently running configuration file. 4-376 show startup-config Displays the contents of the startup configuration file. 4-377 show startup-config Displays the active system image file that is loaded by the device 4-378 at startup. copy The copy Privileged EXEC mode command copies files from a source to a destination.
Image file on one of the units. To copy from the master to all units, unit://member/ specify * in the member field. image Boot file on one of the units. To copy from the master to all units, unit://member/ specify * in the member field.
Configuration and Image File Commands To copy an image file from a server to flash memory, use the copy source-url image command. Copying a Boot File from a Server to Flash Memory To copy a boot file from a server to flash memory, enter the copy source-url boot command.
The delete Privileged EXEC mode command deletes a file from a flash memory device. Syntax delete url Parameters • url — The location URL or reserved keyword of the file to be deleted. (Range: 1-160 characters) The following table displays keywords and URL prefixes: Keyword Source or Destination flash: Source or destination URL for flash memory.
Console# delete flash:test Delete flash:test? [confirm] Related Commands copy show running-config show startup-config The dir Privileged EXEC mode command displays the list of files on a flash file system. Syntax Default Configuration This command has no default configuration. Command Mode...
The more Privileged EXEC mode command displays a file. Syntax more url Parameters • url — The location URL or reserved keyword of the source file to be copied. (Range: 1-160 characters) The following table displays keywords and URL prefixes: Keyword...
The following table displays keywords and URL prefixes: Keyword Source or Destination flash: Source or destination URL for flash memory. It’s the default in case a URL is specified without a prefix Default Configuration This command has no default configuration. Command Mode Privileged EXEC mode Command Usage *.sys and *.prv files cannot be renamed.
• image-1 — Specifies image 1 as the system startup image. • image-2 — Specifies image 2 as the system startup image. Default Setting If the unit number is unspecified, the default setting is the master unit number. Command Mode Privileged EXEC mode Command Usage Use the show bootvar command to find out which image is the active image.
Example The following example displays the contents of the running configuration file. Console# show running-config software version 1.1 hostname device interface ethernet 1/e1 ip address 176.242.100.100 255.255.255.0 duplex full speed 1000 interface ethernet 1/e2 ip address 176.243.100.100 255.255.255.0...
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the active system image file that is loaded by the device at startup. Console# show bootvar Image Filename Version...
"*" designates that the image was selected for the next boot Console# Related Commands boot system...
Displays the storm control configuration. 4-400 interface ethernet The interface ethernet Global Configuration mode command enters the Interface Configuration mode to configure an Ethernet type interface. The system supports up to five IP addresses per device. Syntax interface ethernet interface...
{port-range | all} Parameters • port-range — List of valid ports. Where more than one port is listed, separate nonconsecutive ports with a comma and no spaces, use a hyphen to designate a range of ports and group a list separated by commas in brackets.
Command Usage Commands under the interface range context are executed independently on each active interface in the range. If the command returns an error on one of the active interfaces, it does not stop executing commands on other active interfaces.
The description Interface Configuration (Ethernet, port-channel) mode command adds a description to an interface. To remove the description, use the no form of this command. Syntax description string no description Parameters •...
Command Mode Interface Configuration (Ethernet, port-channel) mode Command Usage The no speed command in a port-channel context returns each port in the port-channel to its maximum capability. Example The following example configures the speed operation of Ethernet port 1/e5 to 100 Mbps operation.
When configuring a particular duplex mode on the port operating at 10/100 Mbps, disable the auto-negotiation on that port. Half duplex mode can be set only for ports operating at 10 Mbps or 100 Mbps. Example The following example configures the duplex operation of Ethernet port 1/e5 to full duplex operation.
• capability — Specifies the capabilities to advertise. (Possible values: 10h, 10f, 100h, 100f, 1000f) Default Setting Auto-negotiation is enabled. If unspecified, the default setting is to enable all capabilities of the port. Command Mode Interface Configuration (Ethernet, port-channel) mode Command Usage...
Ethernet Configuration Commands flowcontrol The flowcontrol Interface Configuration (Ethernet, port-channel) mode command configures flow control on a given interface. To disable flow control, use the no form of this command. Syntax flowcontrol {auto | on | off} no flowcontrol Parameters •...
On: It is possible to connect to a PC only with a normal cable and to connect to another device only with a cross cable. No: It is possible to connect to a PC only with a cross cable and to connect to another device only with a normal cable.
Interface Configuration (Ethernet) mode Command Usage The back pressure Interface Configuration mode command enables back pressure in half duplex mode only; therefore, it cannot be configured on a channel port. Example In the following example, back pressure is enabled on port 1/e5.
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage This command is used to activate interfaces that were configured to be active, but were shut down by the system for some reason (e.g., port security). Example The following example reactivates interface 1/e5.
Syntax show interfaces advertise [ethernet interface | port-channel port-channel-number] Parameters • interface — Valid Ethernet port. (Full syntax: unit/port) • port-channel-number — Valid port-channel number. Default Setting This command has no default configuration. Command Modes Privileged EXEC mode Command Usage There are no user guidelines for this command.
The show interfaces status Privileged EXEC mode command displays the status of all configured interfaces. Syntax show interfaces status [ethernet interface | port-channel port-channel-number] Parameters • interface — A valid Ethernet port. (Full syntax: unit/port)
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the status of all configured interfaces: Console# show interfaces status Port Type Duplex Speed...
Description ---- ----------- Related Commands description show interfaces counters The show interfaces counters User EXEC mode command displays traffic seen by the physical interface. Syntax show interfaces counters [ethernet interface | port-channel port-channel-number] Parameters • interface — A valid Ethernet port. (Full syntax: unit/port) •...
----------- ----------- -------- 27889 OutUcastPkts OutMcastPkts OutBcastPkts OutOctets ------------ ------------ ------------ --------- 23739 The following example displays counters for Ethernet port 1/e1. Console# show interfaces counters ethernet 1/e1 Port InUcastPkts InMcastPkts InBcastPkts InOctets ------ ------------ ----------- ----------- ----------- 1/e1 183892...
Counted received frames that are an integral number of octets in length but do not pass the FCS check. Single Collision Frames Counted frames that are involved in a single collision, and are subsequently transmitted successfully. Late Collisions Number of times that a collision is detected later than one slotTime into the transmission of a packet.
Syntax port storm-control broadcast rate rate no port storm-control broadcast rate Parameters • rate — Maximum kilobits per second of broadcast and multicast traffic on a port. Default Setting The default value is 3500 Kbits/Sec. Command Mode...
Related Commands port storm-control broadcast enable show ports storm-control show ports storm-control The show ports storm-control User/Privileged EXEC mode command displays the storm control configuration. Syntax show ports storm-control [interface] Parameters • interface — A valid Ethernet port. (Full syntax: unit/port) Default Setting This command has no default configuration.
Related Commands port storm-control broadcast enable port storm-control broadcast rate...
4-404 interfaces errdisable recovery cause The errdisable recovery cause Global Configuration mode command enables automatic reactivation of an interface after Errdisable shutdown. Use the no form of this command to disable automatic reactivation. Syntax errdisable recovery cause {lbd} no errdisable recovery cause Parameters •...
The errdisable recovery interval Global Configuration mode command sets the errdisable recovery timeout interval. Use the no form of this command to reset the interval to its default value. Syntax errdisable recovery interval seconds...
Disabled Related Commands errdisable recovery cause errdisable recovery interval show errdisable interfaces show errdisable interfaces The show errdisable interfaces command displays the interfaces in the Errdisable state. Syntax show errdisable interfaces {ethernet interface | port-channel port-channel-number} Parameters • interface — Specifies the interface number...
This command has no default configuration. Command Mode EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the interfaces in the Errdisable state. Console# show errdisable interfaces Interface Reason Automatic recovery ---------...
Table 4-15. GVRP Commands Command Function Mode Page gvrp enable (Global) Enables GVRP globally. To disable GVRP on the device, use the 4-406 no form of this command. gvrp enable Enables GVRP on an interface. To disable GVRP on an interface,...
Related Commands gvrp enable (Interface) gvrp enable (Interface) The gvrp enable Interface Configuration (Ethernet, port-channel) mode command enables GVRP on an interface. To disable GVRP on an interface, use the no form of this command. Syntax gvrp enable no gvrp enable Default Setting GVRP is disabled on all interfaces.
The timer_value value must be a multiple of 10. You must maintain the following relationship for the various timer values: • Leave time must be greater than or equal to three times the join time. • Leave-all time must be greater than the leave time.
The gvrp registration-forbid Interface Configuration (Ethernet, port-channel) mode command deregisters all dynamic VLANs on a port and prevents VLAN creation or registration on the port. To allow dynamic registration of VLANs on a port, use the no form of this command.
Interface Configuration (Ethernet, port-channel) mode Command Usage There are no user guidelines for this command. Example The following example forbids dynamic registration of VLANs on Ethernet port 1/e6. Console(config)# interface ethernet 1/e6 Console(config-if)# gvrp registration-forbid Related Commands gvrp enable (Interface)
Related Commands show gvrp statistics show gvrp error-statistics show gvrp configuration The show gvrp configuration User EXEC mode command displays GVRP configuration information, including timer values, whether GVRP and dynamic VLAN creation are enabled, and which ports are running GVRP. Syntax...
4-416 host-time-out group was not received for a host-time-out period from a specific port, this port is deleted from the member list of that multicast group. To return to the default configuration, use the no form of this command. ip igmp snooping Configures the mrouter-time-out.
IGMP snooping is disabled. Command Mode Global Configuration mode Command Usage IGMP snooping can only be enabled on static VLANs. It must not be enabled on Private VLANs or their community VLANs. Example The following example enables IGMP snooping. Console(config)# ip igmp snooping...
If an IGMP report for a multicast group was not received for a host-time-out period from a specific port, this port is deleted from the member list of that multicast group. To return to the default configuration, use the no form of this command.
IGMP Leave was received from a specific port, this port is deleted from the member list of that multicast group. To return to the default configuration, use the no form of this command.
Use immediate leave only where there is just one host connected to a port. Example The following example configures the host leave-time-out to 60 seconds. Console(config)# interface vlan 2 Console(config-if)# ip igmp snooping leave-time-out 60 Related Commands...
The ip igmp snooping querier enable Interface Configuration (VLAN) mode command enables the Internet Group Management Protocol (IGMP) querier on a specific VLAN. Use the no form of this command to disable IGMP querier on a VLAN interface. Syntax...
Parameters • ip-address — Source IP address Default Configuration If an IP address is configured for the VLAN, it would be used as the source address of the IGMP Snooping querier. Command Mode Interface Configuration (VLAN) mode...
IGMP Snooping Commands Example The following example configures IGMPv2 of the IGMP querier on VLAN ID 2. Console(config)# interface vlan 2 Console(config-if)# ip igmp snooping querier version 2 show ip igmp snooping mrouter The show ip igmp snooping mrouter User EXEC mode command displays information on dynamically learned multicast device interfaces.
ip igmp snooping leave-time-out show ip igmp snooping interface The show ip igmp snooping interface User EXEC mode command displays IGMP snooping configuration. Syntax show ip igmp snooping interface vlan-id Parameters • vlan-id — VLAN number. Default Setting This command has no default configuration.
This command has no default configuration. Command Mode User EXEC mode Command Usage To see the full multicast address table (including static addresses) use the show bridge multicast address-table Privileged EXEC command. Example The following example shows IGMP snooping information on multicast groups.
Displays the default domain name, a list of name server hosts, the 4-435 static and the cached list of host names and addresses. ip address The ip address Interface Configuration (Ethernet, VLAN, port-channel) mode command sets an IP address. To remove an IP address, use the no form of this command.
Parameters • host-name — Specifies the name of the host to be placed in the DHCP option 12 field. This name does not have to be the same as the host name specified in the hostname Global Configuration mode command.
If the device is configured to obtain its IP address from a DHCP server, it sends a DHCPDISCOVER message to provide information about itself to the DHCP server on the network.
Console(config)# ip default-gateway 192.168.1.1 Related Commands ip address ip address dhcp show ip interface The show ip interface Privileged EXEC mode command displays the usability status of configured IP interfaces. Syntax show ip interface [ethernet interface-number | vlan vlan-id | port-channel port-channel number] Parameters •...
{ethernet interface-number | vlan vlan-id | port-channel port-channel number} Parameters • ip_addr — Valid IP address or IP alias to map to the specified MAC address. • hw_addr — Valid MAC address to map to the specified IP address or IP alias.
The arp timeout Global Configuration mode command configures how long an entry remains in the ARP cache. To return to the default configuration, use the no form of this command. Syntax arp timeout seconds...
The following example deletes all dynamic entries from the ARP cache. Console# clear arp-cache Related Commands arp timeout show arp The show arp Privileged EXEC mode command displays entries in the ARP table. Syntax show arp [ip-address ip-address] [mac-address mac-address] [ethernet interface | port-channel port-channel-number] Parameters •...
The ip domain-lookup Global Configuration mode command enables the IP Domain Naming System (DNS)-based host name-to-address translation. To disable DNS-based host name-to-address translation, use the no form of this command. Syntax ip domain-lookup no ip domain-lookup...
The ip name-server Global Configuration mode command defines the available name servers. To remove a name server, use the no form of this command. Syntax ip name-server server-address [server-address2 … server-address8] no ip name-server [server-address1 … server-address8]...
No name server addresses are specified. Command Mode Global Configuration mode Command Usage The preference of the servers is determined by the order in which they were entered. Up to 8 servers can be defined using one command or using multiple commands.
Command Usage There are no user guidelines for this command. Example The following example defines a static host name-to-address mapping in the host cache. Console(config)# ip host accounting.Alcatel.com 176.10.23.1 Related Commands ip domain-lookup ip domain-name ip name-server...
Related Commands ip host show hosts The show hosts Privileged EXEC mode command displays the default domain name, a list of name server hosts, the static and the cached list of host names and addresses. Syntax show hosts [name] Parameters •...
Command Usage There are no user guidelines for this command. Example The following example displays host information. Console# show hosts Host name: Device Default domain is gm.com, sales.gm.com, usa.sales.gm.com(DHCP) Name/address lookup is enable Name servers (Preference order): 176.16.1.18 176.16.1.19...
Displays LACP information for a port-channel. 4-441 port-channel lacp system-priority The lacp system-priority Global Configuration mode command configures the system priority. To return to the default configuration, use the no form of this command. Syntax lacp system-priority value no lacp system-priority Parameters •...
lacp port-priority The lacp port-priority Interface Configuration (Ethernet) mode command configures physical port priority. To return to the default configuration, use the no form of this command. Syntax lacp port-priority value no lacp port-priority Parameters • value — Specifies port priority. (Range: 1 - 65535) Default Setting The default port priority is 1.
Command Mode Interface Configuration (Ethernet) mode Command Usage There are no user guidelines for this command. Example The following example assigns a long administrative LACP timeout to Ethernet port 1/e6. Console(config)# interface ethernet 1/e6 Console(config-if)# lacp timeout long Related Commands...
Related Commands lacp port-priority lacp timeout show lacp port-channel show lacp port-channel The show lacp port-channel Privileged EXEC mode command displays LACP information for a port-channel. Syntax show lacp port-channel [port_channel_number] Parameters • port_channel_number — Valid port-channel number.
Example The following example displays LACP information about port-channel 1. Console# show lacp port-channel 1 Port-Channel 1 Port Type 1000 Ethernet Actor System Priority: MAC Address: 00:02:85:0E:1C:00 Admin Key: Oper Key: Partner System Priority: MAC Address: 00:00:00:00:00:00...
Identifies a specific line for configuration and enters the Line 4-443 Configuration command mode. speed Sets the line baud rate. To return to the default configuration, use 4-444 the no form of the command. autobaud Sets the line for automatic baud rate detection (autobaud). To...
Console(config)# line telnet Console(config-line)# Related Commands show line speed The speed Line Configuration mode command sets the line baud rate. To return to the default configuration, use the no form of the command. Syntax speed bps no speed Parameters •...
Related Commands show line exec-timeout The exec-timeout Line Configuration mode command sets the interval that the system waits until user input is detected. To return to the default configuration, use the no form of this command. Syntax exec-timeout minutes [seconds]...
The history size Line Configuration mode command configures the command history buffer size for a particular line. To reset the command history buffer size to the default configuration, use the no form of this command.
To configure the command history buffer size for the current terminal session, use the terminal history size User EXEC mode command. Example The following example changes the command history buffer size to 100 entries for a particular line. Console(config-line)# history size 100...
The terminal history size user EXEC command configures the command history buffer size for the current terminal session. To reset the command history buffer size to the default setting, use the no form of this command. Syntax...
• console — Console terminal line. • telnet — Virtual terminal for remote console access (Telnet). • ssh — Virtual terminal for secured remote console access (SSH). Default Setting If the line is not specified, the default value is console.
Related Commands line speed autobaud exec-timeout history history size terminal history terminal history size...
Displays information about loopback detection. 4-454 loopback-detection loopback-detection enable The loopback-detection enable Global Configuration mode command enables the Loopback Detection feature globally. Use the no form of this command to disable the Loopback Detection feature. Syntax loopback-detection enable no loopback-detection enable Default Setting Loopback detection is disabled.
The loopback-detection enable Interface Configuration mode command enables the Loopback Detection feature on an interface. Use the no form of this command to disable the Loopback Detection feature on an interface. Syntax loopback-detection enable...
The loopback-detection mode Global Configuration mode command configures the destination address for Loopback Detection packets. Use the no form of this command to reset the Loopback Detection mode to its default value. Syntax loopback-detection mode [src-mac-addr | base-mac-addr]...
Command Line Interface no loopback-detection interval Parameters • seconds — Specifies the number of seconds between Loopback Detection packets (Range: 30-60). Default Setting The default interval between Loopback Detection packets is 30 seconds. Command Mode Global Configuration mode Command Usage This command is not relevant for stp-bpdu.
Page 479
Enabled Enabled Enabled Enabled Disabled Disabled Disabled Disabled The following table describes the fields shown in the display: Field Description Interface Interface number Loopback Detection Specifies the user's configuration of the Loopback Detection Admin feature on the interface. The possible values are Enabled or Disabled.
The management access-list Global Configuration mode command configures a management access list and enters the Management Access-list Configuration command mode. To delete an access list, use the no form of this command. Syntax management access-list name no management access-list name Parameters •...
Management ACL Commands If you reenter an access list context, the new rules are entered at the end of the access list. Use the management access-class command to select the active access list. The active management list cannot be updated or removed.
• mask — A valid network mask of the source IP address. • prefix-length — Number of bits that comprise the source IP address prefix. The prefix length must be preceded by a forward slash (/). (Range: 0 - 32) • service — Service type. Possible values are: telnet, ssh, http, https and snmp.
• ip-address — A valid source IP address. • mask — A valid network mask of the source IP address. • prefix-length — Specifies the number of bits that comprise the source IP address prefix. The prefix length must be preceded by a forward slash (/).
Command Line Interface Parameters • console-only — Indicates that the device can be managed only from the console. • name — Specifies the name of the access list to be used. (Range: 1-32 characters) If no access list is specified, an empty access list is used.
Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays information about the active management access list. Console# show management access-class Management access-class is enabled, using access list mlist Related Commands...
Privileged EXEC mode Command Usage The port to be tested should be shut down during the test, unless it is a combination port with fiber port active. The maximum length of the cable for the TDR test is 120 meters.
This command has no default configuration. Command Mode User EXEC mode Command Usage The maximum length of the cable for the TDR test is 120 meters. Example The following example displays information on the last TDR test performed on all copper ports.
This command has no default configuration. Command Mode User EXEC mode Command Usage The port must be active and working in 100M or 1000M mode. Example The following example displays the estimated copper cable length attached to all ports. Console> show copper-ports cable-length...
Page 489
Output Power – Measured TX output power. Input Power – Measured RX received power. Tx Fault – Transmitter fault – Loss of signal N/A - Not Available, N/S - Not Supported, W - Warning, E - Error Console# show fiber-ports optical-transceiver detailed Port Temp Voltage Current...
This command has no default configuration. Command Mode Global Configuration mode Command Usage Eight aggregated links can be defined with up to eight member ports per port-channel. The aggregated links’ valid IDs are 1-8. Example The following example enters the context of port-channel number 1.
Related Commands show interfaces port-channel channel-group The channel-group Interface Configuration (Ethernet) mode command associates a port with a port-channel. To remove a port from a port-channel, use the no form of this command. Syntax channel-group port-channel-number mode {on | auto}...
Command Line Interface Command Usage There are no user guidelines for this command. Example The following example forces port 1/e1 to join port-channel 1 without an LACP operation. Console(config)# interface ethernet 1/e1 Console(config-if)# channel-group 1 mode on Related Commands show interfaces port-channel...
• An IP interface is not configured on the port. • GVRP is not enabled on the port. • The port is not a member of a VLAN, except for the default VLAN (will automatically be removed from the default VLAN).
Command Line Interface Example The following example copies traffic on port 1/e8 (source port) to port 1/e1 (destination port). Console(config)# interface ethernet 1/e1 Console(config-if)# port monitor 1/e8 Related Commands show ports monitor show ports monitor show ports monitor The show ports monitor User EXEC mode command displays the port monitoring status.
Syntax power inline {auto | never} Parameters • auto — Enables the device discovery protocol and, if found, supplies power to the device. • never — Disables the device discovery protocol and stops supplying power to the device.
The power inline powered-device Interface Configuration (Ethernet) mode command adds a comment or description of the powered device type to enable the user to remember what is attached to the interface. To remove the description, use the no form of this command.
Power over Ethernet Commands power inline priority The power inline priority Interface Configuration (Ethernet) mode command configures the inline power management priority of the interface. To return to the default configuration, use the no form of this command. Syntax power inline priority...
The power inline traps enable Global Configuration mode command enables inline power traps. To disable inline power traps, use the no form of this command. Syntax power inline traps enable no power inline traps Default Setting Inline power traps are disabled.
Power over Ethernet Commands Related Commands show power inline show power inline The show power inline User EXEC mode command displays the information about inline power. Syntax show power inline [ethernet interface] Parameters • interface — Valid Ethernet port. (Full syntax: unit/port) Default Setting This command has no default configuration.
Page 500
Powered Device Description of the powered device type. State Indicates if the port is enabled to provide power. Can be: Auto or Never. Priority The priority of the port from the point of view of inline power management. Can be: Critical, High or Low.
Page 501
Power over Ethernet Commands Related Commands power inline power inline powered-device power inline priority power inline usage-threshold power inline traps enable...
Displays the quality of service (QoS) mode for the device. 4-480 class-map Creates or modifies a class map and enters the Class-map 4-480 Configuration mode. To delete a class map, use the no form of this command. show class-map Displays all class maps. 4-481 match Defines the match criteria for classifying traffic.
Page 503
Displays the QoS mapping information. 4-504 The qos Global Configuration mode command enables quality of service (QoS) on the device. To disable QoS on the device, use the no form of this command. Syntax qos [basic | advanced] no qos Parameters •...
Basic tust: dscp Related Commands class-map The create-map Global Configuration mode command creates or modifies a class map and enters the Class-map Configuration mode. To delete a class map, use the no form of this command. Syntax class-map class-map-name [match-all | match-any]...
ACLs, an error message is generated. Note: A class map in match-all mode cannot be configured if it contains both an IP ACL and a MAC ACL with an ether type that is not 0x0800.
Match Ip dscp 11 21 Related Commands class-map match The match Class-map Configuration mode command defines the match criteria for classifying traffic. To delete the match criteria, use the no form of this command. Syntax match access-group acl-name no match access-group acl-name Parameters •...
• policy-map-name — Specifies the name of the policy map. Default Setting If the packet is an IP packet, the DSCP value of the policy map is 0. If the packet is tagged, the CoS value is 0. Command Mode...
Policy-map Configuration mode Command Usage Before modifying a policy for an existing class or creating a policy for a new class, use the policy-map Global Configuration mode command to specify the name of the policy map to which the policy belongs and to enter the Policy-map Configuration mode.
Traffic policing in a policy map has precedence over VLAN rate limiting. That is, if a packet is subject to traffic policing in a policy map and is associated with a VLAN that is rate limited, the packet would be counted only in the traffic policing of the policy map.
Syntax trust cos-dscp no trust cos-dscp Default Setting The port is not in the trust mode. If the port is in trust mode, the internal DSCP value is derived from the ingress packet. Command Mode Policy-map Class Configuration mode...
Page 511
QoS Commands Command Usage Action serviced to a class, so that if an IP packet arrives, the queue is assigned per DSCP. If a non-IP packet arrives, the queue is assigned per CoS (VPT). Example The following example configures the trust state for a class called class1 in a policy map called policy1.
GE ports. The command does not function on an FE port. Example The following example sets the dscp value in the packet to 56 for classes in the policy map called policy1. Console (config)# policy-map policy1...
The following example defines a policer for classified traffic. When the traffic rate exceeds 124,000 bps or the normal burst size exceeds 96000 bps, the packet is dropped. The class is called class1 and is in a policy map called policy1.
Page 514
This policer can also be used in Cascade police to make a cascade policer. An aggregate policer cannot be deleted if it is being used in a policy map. The no police aggregate Policy-map Class Configuration command must first be used to delete the aggregate policer from all policy maps.
QoS Commands exceeds 124,000 bps or the normal burst size exceeds 96000 bps, the packet is dropped. Console (config)# qos aggregate-policer policer1 124000 96000 exceed-action drop Related Commands police show qos aggregate-policer police aggregate show qos aggregate-policer The show qos aggregate-policer User EXEC mode command displays the aggregate policer parameter.
The police aggregate Policy-map Class Configuration mode command applies an aggregate policer to multiple classes within the same policy map. To remove an existing aggregate policer from a policy map, use the no form of this command. Syntax police aggregate aggregate-policer-name...
Weighted Round Robin (WRR) and Weighted Random Early Detection (WRED) parameters. It is recommended to specifically map a single VPT to a queue, rather than mapping multiple VPTs to a single queue. Use the priority-queue out Interface Configuration (Ethernet, Port-channel) mode command to enable expedite queues.
Console(config)# priority-queue out num-of-queues 0 Related Commands wrr-queue cos-map traffic-shape The traffic-shape Interface Configuration (Ethernet, port-channel) mode command configures the shaper of the egress port. To disable the shaper, use the no form of this command. Syntax traffic-shape {committed-rate committed-burst} no traffic-shape Parameters •...
• shapers — Display quality of service (QoS) shapers information at the interface level. • rate limit — Display quality of service (QoS) rate-limit information at the interface level. • ethernet interface-number — Specify port for which QoS information will be displayed.
0 is exceeded, packets with the corresponding DP are dropped until the threshold is no longer exceeded. However, packets assigned to threshold 1 or 2 continue to be queued and sent as long as the second or third threshold is not exceeded.
Command Line Interface qos map dscp-dp Use the qos map dscp-dp Global Configuration mode command to map DSCP to Drop Precedence. To return to the default setting, use the no form of this command. Syntax qos map dscp-dp dscp-list to dp...
The qos map dscp-queue Global Configuration mode command modifies the DSCP to CoS map. To return to the default map, use the no form of this command. Syntax qos map dscp-queue dscp-list to queue-id...
(Global) The qos trust Global Configuration mode command configures the system to the basic mode and trust state. To return to the untrusted state, use the no form of this command. Syntax qos trust {cos | dscp}...
Console(config-if) qos trust 3 qos cos The qos cos Interface Configuration (Ethernet, port-channel) mode command defines the default CoS value of a port. To return to the default configuration, use the no form of this command. Syntax qos cos default-cos Parameters •...
Command Mode Interface Configuration (Ethernet, port-channel) mode Command Usage If the port is trusted, the default CoS value of the port is used to assign a CoS value to all untagged packets entering the port. Example The following example configures port 1/e15 default CoS value to 3.
Command Mode Global Configuration mode. Command Usage This is the only map that is not globally configured. It is possible to have several maps and assign each one to different ports. Example The following example changes DSCP values 1, 2, 4, 5 and 6 to DSCP mutation...
Page 529
• policed-dscp — Displays the DSCP to DSCP remark table. • dscp-mutation — Displays the DSCP-DSCP mutation table. • service-type-cos — Displays the Service type to CoS map (Service mode only). • service-type-dscp — Displays the Service type to DSCP map (Service mode only).
4-513 radius-server host The radius-server host Global Configuration mode command specifies a RADIUS server host. To delete the specified RADIUS host, use the no form of this command. Syntax radius-server host {ip-address | hostname} [auth-port auth-port-number] [timeout timeout] [retransmit retries] [deadtime deadtime] [key key-string]...
Page 532
0.0.0.0 is interpreted as request to use the IP address of the outgoing IP interface. • priority — Determines the order in which servers are used, where 0 has the highest priority. (Range: 0-65535) • type — Specifies the usage type of the server. Possible values are: login, dot.1x or all.
The radius-server key Global Configuration mode command sets the authentication and encryption key for all RADIUS communications between the device and the RADIUS daemon. To return to the default configuration, use the no form of this command. Syntax...
Command Line Interface radius-server retransmit The radius-server retransmit Global Configuration mode command specifies the number of times the software searches the list of RADIUS server hosts. To reset the default configuration, use the no form of this command. Syntax radius-server retransmit retries...
The radius-server timeout Global Configuration mode command sets the interval during which the device waits for a server host to reply. To return to the default configuration, use the no form of this command. Syntax radius-server timeout timeout...
Syntax radius-server deadtime deadtime no radius-server deadtime Parameters • deadtime — Length of time in minutes during which a RADIUS server is skipped over by transaction requests. (Range: 0 - 2000) Default Setting The deadtime setting is 0. Command Mode...
RADIUS Commands radius-server key radius-server retransmit radius-server source-ip radius-server timeout show radius-servers show radius-servers The show radius-servers Privileged EXEC mode command displays the RADIUS server settings. Syntax show radius-servers Default Setting This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command.
Page 538
Command Line Interface Related Commands radius-server host radius-server key radius-server retransmit radius-server source-ip radius-server timeout radius-server deadtime...
Displays the alarms table. 4-523 alarm-table show rmon alarm Displays alarm configuration. 4-524 rmon event Configures an event. To remove an event, use the no form of this 4-526 command. show rmon events Displays the RMON event table. 4-526 show rmon log Displays the RMON log table.
Page 540
The total number of packets received less than 64 octets in length (excluding framing bits but including FCS octets) and either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
The total number of packets received longer than 1632 octets (excluding framing bits, but including FCS octets), and either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Cannot be configured for a range of interfaces (range context). Example The following example enables a Remote Monitoring (RMON) MIB history statistics group on Ethernet port 1/e1 with index number 1 and a polling interval period of 2400 seconds. Console(config)# interface ethernet 1/e1...
Syntax show rmon history index {throughput | errors | other} [period seconds] Parameters • index — Specifies the requested set of samples. (Range: 1 - 65535) • throughput — Indicates throughput counters. • errors — Indicates error counters. • other — Indicates drop and collision counters.
Page 544
Command Line Interface Examples The following examples display RMON Ethernet history statistics for index 1. Console> show rmon history 1 throughput Sample Set: 1 Owner: CLI Interface: 1/e1 Interval: 1800 Requested samples: 50 Granted samples: 50 Maximum table size: 500...
Page 545
Time Date and Time the entry is recorded. Octets The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets). Packets The number of packets (including bad packets) received during this sampling interval.
Command Line Interface Dropped The total number of events in which packets were dropped by the probe due to lack of resources during this sampling interval. This number is not necessarily the number of packets dropped; it is just the number of times this condition has been detected.
The entity that configured this entry. Related Commands rmon alarm show rmon alarm show rmon alarm The show rmon alarm User EXEC mode command displays alarm configuration. Syntax show rmon alarm number Parameters • number — Specifies the alarm index. (Range: 1 - 65535) Default Setting This command has no default configuration.
Page 549
Startup Alarm The alarm that may be sent when this entry is first set. If the first sample is greater than or equal to the rising threshold, and startup alarm is equal to rising or rising and falling, then a single rising alarm is generated.
Command Mode Global Configuration mode Command Usage If log is specified as the notification type, an entry is made in the log table for each event. If trap is specified, an SNMP trap is sent to one or more management stations.
The type of notification that the device generates about this event. Can have the following values: none, log, trap, log-trap. In the case of log, an entry is made in the log table for each event. In the case of trap, an SNMP trap is sent to one or more management stations.
Related Commands rmon alarm rmon table-size The rmon table-size Global Configuration mode command configures the maximum size of RMON tables. To return to the default configuration, use the no form of this command. Syntax rmon table-size {history entries | log entries}...
Page 553
RMON Commands Parameters • history entries — Maximum number of history table entries. (Range: 20-32767) • log entries — Maximum number of log table entries. (Range: 20-32767) Default Setting History table size is 270. Log table size is 200. Command Mode...
Defines the SNMP MIB value. 4-543 show snmp Displays the SNMP status. 4-543 show snmp engineid Displays the ID of the local Simple Network Management Protocol 4-545 (SNMP) engine. show snmp views Displays the configuration of views. 4-546 show snmp groups Displays the configuration of groups.
SNMP Commands snmp-server community The snmp-server community Global Configuration mode command configures the community access string to permit access to the SNMP protocol. To remove the specified community string, use the no form of this command. Syntax snmp-server community community [ro | rw | su] [ipv4 address] [mask |...
Command Line Interface The group-name parameter can also be used to restrict the access rights of a community string. When it is specified: • An internal security name is generated. • The internal security name for SNMPv1 and SNMPv2 security models is mapped to the group name.
• priv — Indicates authentication of a packet with encryption. Applicable only to the SNMP Version 3 security model. • readview — Specifies a string that is the name of the view that enables only viewing the contents of the agent. If unspecified, all objects except for the community-table and SNMPv3 user and access tables are available.
There are no user guidelines for this command. Example The following example attaches a group called user-group to SNMPv3 and assigns to the group the privacy security level and read access rights to a view called user-view. Console(config)# snmp-server group user-group v3 priv read user-view...
Page 559
When a show running-config Privileged EXEC mode command is entered, a line for this user will not be displayed. To see if this user has been added to the configuration, type the show snmp users Privileged EXEC mode command.
If SNMPv3 is enabled using this command, and the default is specified, the default engine ID is defined per standard as: • First 4 octets — first bit = 1, the rest is IANA Enterprise number = 674. • Fifth octet — set to 3 to indicate the MAC address that follows.
ID. The user’s command line password is then destroyed, as required by RFC 2274. As a result, the security digests of SNMPv3 users become invalid if the local value of the engine ID changes, and the users will have to be reconfigured.
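The dependency between the engine ID and the stored user keys, as an added example that is not part of the Alcatel guide: it builds the default engine ID from the layout given above and derives a localized key with the password-to-key algorithm of the SNMPv3 User-based Security Model (RFC 2274, later RFC 3414). MD5 as the digest, the MAC address, the password and all function names are assumptions made for the illustration.

```python
import hashlib
import struct

ENTERPRISE_NUMBER = 674   # IANA enterprise number quoted in the guide
FORMAT_MAC = 3            # fifth octet: a MAC address follows
KEY_STREAM_LEN = 1048576  # octets of repeated password hashed by the USM algorithm


def default_engine_id(mac: str) -> bytes:
    """Build the default engine ID: 4 octets (high bit set + enterprise
    number), 1 format octet (3 = MAC), then the 6-octet MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    header = struct.pack(">IB", 0x80000000 | ENTERPRISE_NUMBER, FORMAT_MAC)
    return header + octets


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Derive the intermediate key Ku: digest of the password repeated
    until exactly 1,048,576 octets have been produced."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(KEY_STREAM_LEN, len(password))
    stream = password * reps + password[:rem]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku).
    Only Kul needs to be stored; the password itself can be discarded."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def key_survives_engine_id_change(password: bytes,
                                  old_engine_id: bytes,
                                  new_engine_id: bytes) -> bool:
    """Return True only if the key stored under the old engine ID would
    still match what a manager derives against the new engine ID."""
    ku = password_to_key(password)
    stored = localize_key(ku, old_engine_id)    # what the device kept
    expected = localize_key(ku, new_engine_id)  # what a manager now computes
    return stored == expected


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    old_id = default_engine_id("00:11:22:33:44:55")
    new_id = default_engine_id("00:11:22:33:44:66")
    password = b"constructed-sample-passphrase"

    print("old engine ID:", old_id.hex())
    print("new engine ID:", new_id.hex())
    print("localized key (old):",
          localize_key(password_to_key(password), old_id).hex())
    print("key still valid after change:",
          key_survives_engine_id_change(password, old_id, new_id))
```

Because the device keeps only the localized key, it cannot recompute the key for a new engine ID, which is why the users have to be entered again.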
Example The following example creates a filter that includes all objects in the MIB-II system group except for sysServices (System 7) and all objects for interface 1 in the MIB-II interfaces group. Console(config)# snmp-server filter filter-name system included Console(config)# snmp-server filter filter-name system.7 excluded Console(config)# snmp-server filter filter-name ifEntry.*.1 included...
Page 563
• 1 — Indicates that SNMPv1 traps will be used. • 2 — Indicates that SNMPv2 traps will be used. If • port — Specifies the UDP port of the host to use. If unspecified, the default UDP port number is 162. (Range: 1-65535) •...
• auth — Indicates authentication of a packet without encrypting it. • priv — Indicates authentication of a packet with encryption. • port — Specifies the UDP port of the host to use. If unspecified, the default UDP port number is 162. (Range: 1-65535) •...
The snmp-server trap authentication Global Configuration mode command enables the device to send SNMP traps when authentication fails. To disable SNMP failed authentication traps, use the no form of this command. Syntax snmp-server trap authentication...
This command has no default configuration. Command Mode Global Configuration mode Command Usage Do not include spaces in the text string or place text that includes spaces inside quotation marks. Example The following example configures the system contact point called Alcatel Technical Support.
• name value — List of name and value pairs. In the case of scalar MIBs, only a single pair of name values. In the case of an entry in a table, at least one pair of name and value followed by one or more fields.
Page 568
Command Line Interface Default Setting This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the SNMP communications status. Console# show snmp Community-String Community-Access...
The show snmp engineID Privileged EXEC mode command displays the ID of the local Simple Network Management Protocol (SNMP) engine. Syntax show snmp engineID Default Setting This command has no default configuration.
Console# show snmp engineID Local SNMP engineID: 08009009020C0B099C075878 Related Commands snmp-server engineID local show snmp views The show snmp views Privileged EXEC mode command displays the configuration of views. Syntax show snmp views [viewname] Parameters • viewname — Specifies the name of the view. (Range: 1-30) Default Setting This command has no default configuration.
Related Commands snmp-server view show snmp groups The show snmp groups Privileged EXEC mode command displays the configuration of groups. Syntax show snmp groups [groupname] Parameters • groupname—Specifies the name of the group. (Range: 1-30) Default Setting This command has no default configuration.
Authentication of a packet with encryption. Applicable only to the SNMP v3 security model. Views Read Name of the view that enables only viewing the contents of the agent. If unspecified, all objects except the community-table and SNMPv3 user and access tables are available. Write Name of the view that enables entering data and managing the contents of the agent.
1.3.6.1.2.1.2.2.1.*.1 Included Related Commands snmp-server filter show snmp users The show snmp users Privileged EXEC mode command displays the configuration of users. Syntax show snmp users [username] Parameters • username—Specifies the name of the user. (Range: 1-30) Default Setting This command has no default configuration.
4-556 disable on a port, use the no form of this command. spanning-tree cost Configures the spanning tree path cost for a port. To return to the 4-557 default configuration, use the no form of this command. spanning-tree Configures port priority. To return to the default configuration, use...
Configures the number of hops in an MST region before the BPDU 4-564 max-hops is discarded and the port information is aged out. To return to the default configuration, use the no form of this command. spanning-tree mst Configures port priority for the specified MST instance. To return...
The spanning-tree mode Global Configuration mode command configures the spanning-tree protocol. To return to the default configuration, use the no form of this command. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode Parameters •...
The spanning-tree forward-time Global Configuration mode command configures the spanning-tree bridge forward time, which is the amount of time a port remains in the listening and learning states before entering the forwarding state. To return to the default configuration, use the no form of this command.
The spanning-tree hello-time Global Configuration mode command configures the spanning tree bridge hello time, which is how often the device broadcasts hello messages to other devices. To return to the default configuration, use the no form of this command. Syntax...
The spanning-tree max-age Global Configuration mode command configures the spanning tree bridge maximum age. To return to the default configuration, use the no form of this command. Syntax spanning-tree max-age seconds no spanning-tree max-age Parameters •...
The spanning-tree disable Interface Configuration mode command disables spanning tree on a specific port. To enable spanning tree on a port, use the no form of this command.
The spanning-tree cost Interface Configuration mode command configures the spanning tree path cost for a port. To return to the default configuration, use the no form of this command. Syntax spanning-tree cost cost no spanning-tree cost Parameters •...
The spanning-tree port-priority Interface Configuration mode command configures port priority. To return to the default configuration, use the no form of this command. Syntax spanning-tree port-priority priority...
Spanning-Tree Commands no spanning-tree port-priority Parameters • priority — The priority of the port. (Range: 0 - 240 in multiples of 16) Default Setting The default port priority for IEEE Spanning Tree Protocol (STP) is 128. Command Modes Interface Configuration (Ethernet, port-channel) mode Command Usage There are no user guidelines for this command.
The spanning-tree link-type Interface Configuration mode command overrides the default link-type setting determined by the duplex mode of the port and enables Rapid Spanning Tree Protocol (RSTP) transitions to the forwarding state. To return to the default configuration, use the no form of this command.
The spanning-tree pathcost method Global Configuration mode command sets the default path cost method. To return to the default configuration, use the no form of this command. Syntax spanning-tree pathcost method {long | short}...
• bridging — When Spanning Tree is globally disabled, untagged or tagged BPDU packets are flooded, and are subject to ingress and egress VLAN rules. This mode is not relevant if Spanning Tree is disabled only on a group of ports.
This command has no default configuration. Command Modes Privileged EXEC mode Command Usage This feature should be used only when working in RSTP or MSTP mode. Example The following example restarts the protocol migration process on Ethernet port 1/e11.
The spanning-tree mst priority Global Configuration mode command configures the number of hops in an MST region before the BPDU is discarded and the port information is aged out. To return to the default configuration, use the no form of this command.
Spanning-Tree Commands Parameters • hop-count — Number of hops in an MST region before the BPDU is discarded. (Range: 1-40) Default Setting The default number of hops is 20. Command Mode Global Configuration mode Command Usage There are no user guidelines for this command.
Command Line Interface (Range: 1-Product Specific upper limit) • priority — The port priority. (Range: 0 - 240 in multiples of 16) Default Setting The default port priority for IEEE Multiple Spanning Tree Protocol (MSTP) is 128. Command Modes Interface Configuration (Ethernet, port-channel) mode Command Usage There are no user guidelines for this command.
Page 591
Command Usage There are no user guidelines for this command. Example The following example configures the MSTP instance 1 path cost for Ethernet port 1/e9 to 4. Console(config) # interface ethernet 1/e9 Console(config-if) # spanning-tree mst 1 cost 4...
Command Line Interface spanning-tree mst configuration The spanning-tree mst configuration Global Configuration mode command enables configuring an MST region by entering the Multiple Spanning Tree (MST) mode. Syntax spanning-tree mst configuration Default Setting This command has no default configuration. Command Mode...
Page 593
(CIST) instance (instance 0) and cannot be unmapped from the CIST. For two or more devices to be in the same MST region, they must have the same VLAN mapping, the same configuration revision number, and the same name.
(mst) revision (mst) show (mst) exit (mst) abort (mst) show spanning-tree revision (mst) The revision MST Configuration mode command defines the configuration revision number. To return to the default configuration, use the no form of this command.
(mst) name (mst) show (mst) exit (mst) abort (mst) show spanning-tree show (mst) The show MST Configuration mode command displays the current or pending MST region configuration. Syntax show {current | pending}...
Page 596
This command has no default configuration. Command Mode MST Configuration mode Command Usage The pending MST region configuration takes effect only after exiting the MST configuration mode. Example The following example displays a pending MST region configuration. Console(config-mst)# show pending Gathering information ..
Spanning-Tree Commands exit (mst) The exit MST Configuration mode command exits the MST configuration mode and applies all configuration changes. Syntax exit Default Setting This command has no default configuration. Command Mode MST Configuration mode Command Usage There are no user guidelines for this command.
When root guard is enabled, the port changes to the alternate state if spanning-tree calculations select the port as the root port. Example The following example prevents Ethernet port 1/g1 from being the root port of the device. Console(config) # interface ethernet 1/g1...
802.1X is enabled on the ingress port, or discarded in all other cases. This feature enables bridging 802.1X BPDU packets as data packets. The feature can be enabled only when 802.1X is globally disabled (by the no dot1x system-auth-control Global Configuration command). If the port is disabled for 802.1X but 802.1X is enabled globally, 802.1X BPDUs would...
• active — Indicates active ports only. • blockedports — Indicates blocked ports only. • mst-configuration — Indicates the MST configuration identifier. • instance-id — Specifies the ID of the spanning tree instance (The range lower limit is 0. The upper limit is product-specific). Default Setting This command has no default configuration.
Page 602
20000 ALTN Shared (STP) 1/e5 Enabled 128.5 20000 Console# show spanning-tree Spanning tree enabled mode RSTP Default port cost method: long Root ID Priority 36864 Address 00:02:4b:29:7a:00 This switch is the root. Hello Time 2 sec Max Age 20 sec...
Page 603
Spanning-Tree Commands Console# show spanning-tree Spanning tree disabled (BPDU filtering) mode RSTP Default port cost method: long Root ID Priority Address Path Cost Root Port Hello Time N/A Max Age N/A Forward Delay N/A Bridge Priority 36864 Address 00:02:4b:29:7a:00 Hello Time 2 sec...
Page 604
Command Line Interface Console# show spanning-tree active Spanning tree enabled mode RSTP Default port cost method: long Root ID Priority 32768 Address 00:01:42:97:e0:00 Path Cost 20000 Root Port 1 (1/e1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec...
Page 605
00:02:4b:29:7a:00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Number of topology changes 2 last change occurred 2d18h ago Times: hold 1, topology change 35, notification 2 hello 2, max age 20, forward delay 15 Port 1 (1/e1) enabled...
Page 606
Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:01:42:97:e0:00 Designated port id: 128.25 Designated path cost: 0 Number of transitions to forwarding state: 1 BPDU: sent 2, received 120638 Port 2 (1/e2) enabled State: Forwarding Role: Designated Port id: 128.2...
Page 607
Port Fast: N/A (configured:no) Designated bridge Priority: N/A Address: N/A Designated port id: N/A Designated path cost: N/A Number of transitions to forwarding state: N/A BPDU: sent N/A, received N/A Console# show spanning-tree ethernet 1/e1 Port 1 (1/e1) enabled State: Forwarding Role: Root Port id: 128.1...
Page 608
32768 Address 00:01:42:97:e0:00 Path Cost 20000 Root Port 1 (1/e1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec IST Master ID Priority 32768 Address 00:02:4b:29:7a:00 This switch is the IST master. Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec...
Page 609
Max Age 20 sec Forward Delay 15 sec IST Master ID Priority 32768 Address 00:02:4b:29:7a:00 This switch is the IST master. Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops Number of topology changes 2 last change occurred 2d18h ago...
Page 610
Command Line Interface Times: hold 1, topology change 35, notification 2 hello 2, max age 20, forward delay 15 Port 1 (1/e1) enabled State: Forwarding Role: Root Port id: 128.1 Port cost: 20000 Type: P2p (configured: auto) Boundary RSTP Port Fast: No (configured:no)
Page 611
Rem hops Bridge ID Priority 32768 Address 00:02:4b:29:7a:00 Number of topology changes 2 last change occurred 1d9h ago Times: hold 1, topology change 2, notification 2 hello 2, max age 20, forward delay 15 Port 1 (1/e1) enabled State: Forwarding Role: Boundary Port id: 128.1...
Page 612
Spanning tree enabled mode MSTP Default port cost method: long ###### MST 0 Vlans Mapped: 1-9, 21-4094 CST Root ID Priority 32768 Address 00:01:42:97:e0:00 Path Cost 20000 Root Port 1 (1/e1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec...
Page 613
###### MST 0 Vlans Mapped: 1-9, 21-4094 CST Root ID Priority 32768 Address 00:01:42:97:e0:00 This switch is root for CST and IST master. Root Port 1 (1/e1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops...
The ip ssh port Global Configuration mode command specifies the port to be used by the SSH server. To return to the default configuration, use the no form of this command. Syntax ip ssh port port-number...
Command Line Interface Command Usage There are no user guidelines for this command. Example The following example specifies the port to be used by the SSH server as 8080. Console(config)# ip ssh port 8080 Related Commands ip ssh server show ip ssh...
Command Usage DSA keys are generated in pairs: one public DSA key and one private DSA key. If the device already has DSA keys, a warning and prompt to replace the existing keys with new keys are displayed. This command is not saved in the device configuration; however, the keys generated by this command are saved in the private configuration, which is never displayed to the user or backed up on another device.
Command Usage RSA keys are generated in pairs: one public RSA key and one private RSA key. If the device already has RSA keys, a warning and prompt to replace the existing keys with new keys are displayed. This command is not saved in the device configuration; however, the keys generated by this command are saved in the private configuration which is never displayed to the user or backed up on another device.
The crypto key pubkey-chain ssh Global Configuration mode command enters the SSH Public Key-chain Configuration mode. The mode is used to manually specify other device public keys such as SSH client public keys. Syntax...
The user-key SSH Public Key-string Configuration mode command specifies which SSH public key is manually configured. To remove an SSH public key, use the no form of this command. Syntax user-key username {rsa | dsa}...
Follow this command with the key-string SSH Public Key-String Configuration mode command to specify the key. Example The following example enables manually configuring an SSH public key for SSH public key-chain bob. Console(config)# crypto key pubkey-chain ssh Console(config-pubkey-chain)# user-key bob rsa...
Page 622
Use the key-string row SSH Public Key-string Configuration mode command to specify the SSH public key row by row. Each row must begin with a key-string row command. This command is useful for configuration files.
Authentication Code (HMAC-MD5, HMAC-SHA1) Related Commands ip ssh port ip ssh server show crypto key mypubkey The show crypto key mypubkey Privileged EXEC mode command displays the SSH public keys on the device. Syntax show crypto key mypubkey [rsa | dsa]...
Command Usage There are no user guidelines for this command. Example The following example displays the SSH public RSA keys on the device. Console# show crypto key mypubkey rsa rsa key data: ssh-rsa 005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B...
Page 625
This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Examples The following examples display SSH public keys stored on the device. Console# show crypto key pubkey-chain ssh Username Fingerprint -------- -----------------------------------------------...
The logging on Global Configuration mode command controls error message logging. This command sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the process that generated the messages. To disable the logging process, use the no form of this command.
The logging Global Configuration mode command logs messages to a syslog server. To delete the syslog server with the specified address from the list of syslogs, use the no form of this command. Syntax logging {ip-address | hostname} [port port] [severity level] [facility facility]...
Related Commands show logging logging console The logging console Global Configuration mode command limits messages logged to the console based on severity. To disable logging to the console, use the no form of this command. Syntax logging console level no logging console Parameters •...
The logging buffered Global Configuration mode command limits syslog messages displayed from an internal buffer based on severity. To cancel using the buffer, use the no form of this command. Syntax logging buffered level no logging buffered Parameters •...
Command Line Interface logging buffered size The logging buffered size Global Configuration mode command changes the number of syslog messages stored in the internal buffer. To return to the default configuration, use the no form of this command. Syntax logging buffered size number...
The logging file Global Configuration mode command limits syslog messages sent to the logging file based on severity. To cancel using the buffer, use the no form of this command. Syntax logging file level...
The aaa logging Global Configuration mode command enables logging AAA login events. To disable logging AAA login events, use the no form of this command. Syntax aaa logging login no aaa logging login Parameters •...
Console(config)# aaa logging login Related Commands show logging file-system logging The file-system logging Global Configuration mode command enables logging file system events. To disable logging file system events, use the no form of this command. Syntax file-system logging copy no file-system logging copy...
Logging management ACL events is enabled. Command Mode Global Configuration mode Command Usage Other types of management ACL events are not subject to this command. Example The following example enables logging messages related to deny actions of management ACLs. Console(config)# management logging deny...
Page 635
Syslog Commands Example The following example displays the state of logging and the syslog messages stored in the internal buffer. Console# show logging Logging is enabled. Console logging: level debugging. Console Messages: 0 Dropped (severity). Buffer logging: level debugging. Buffer Messages: 11 Logged, 200 Max.
Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays the logging state and the syslog messages stored in the logging file. Console# show logging file Logging is enabled. Console logging: level debugging. Console Messages: 0 Dropped (severity).
11-Aug-2004 15:41:43: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up 11-Aug-2004 15:41:43: %LINK-3-UPDOWN: Interface Ethernet1/3, changed state to up 11-Aug-2004 15:41:43: %SYS-5-CONFIG_I: Configured from memory by console 11-Aug-2004 15:41:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up 11-Aug-2004 15:41:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface...
Command Line Interface file-system logging management logging show syslog-servers The show syslog-servers Privileged EXEC mode command displays the settings of the syslog servers. Syntax show syslog-servers Default Setting This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command.
• ip-address — IP address to ping. • hostname — Host name to ping. (Range: 1-158 characters) • packet_size — Number of bytes in a packet. The actual packet size is eight bytes larger than the specified size because the device adds...
Page 640
Command Line Interface • packet_count — Number of packets to send. If 0 is entered, it pings until stopped. (Range: 0-65535 packets) • time_out — Timeout in milliseconds to wait for each reply. (Range: 50 - 65535 milliseconds) Default Setting Default packet size is 56 bytes.
• packet_count — The number of probes to be sent at each TTL level. (Range:1-10) • time_out — The number of seconds to wait for a response to a probe packet. (Range:1-60) • ip-address — One of the device’s interface addresses to use as a source address for the probes.
Page 642
(TTL) value. The traceroute command starts by sending probe datagrams with a TTL value of one. This causes the first device to discard the probe datagram and send back an error message. The traceroute command sends several probes at each TTL level and displays the round-trip time for each.
• ip-address — IP address of the destination host. • hostname — Host name of the destination host. (Range: 1-158 characters) • port — A decimal TCP port number, or one of the keywords listed in the Ports table in the Command Usage.
Page 644
At any time during an active Telnet session, Telnet commands can be listed by pressing the Ctrl-shift-6-? keys at the system prompt. A sample of this list follows. Note that the Ctrl-shift-6 sequence appears as ^^ on the screen. Console> ‘Ctrl-shift-6’ ?
Page 645
System Management Commands /stream Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UNIX-to-UNIX Copy Program (UUCP) and other non-Telnet protocols.
World Wide Web This command lists concurrent telnet connections to remote hosts that were opened by the current telnet session to the local device. It does not list telnet connections to remote hosts that were opened by other telnet sessions.
Do you want to continue (y/n) [n]? Related Commands telnet hostname The hostname Global Configuration mode command specifies or modifies the device host name. To remove the existing host name, use the no form of the command. Syntax hostname name no hostname Parameters •...
Related Commands telnet stack master The stack master Global Configuration mode command enables forcing the selection of a stack master. To return to the default configuration, use the no form of this command. Syntax stack master unit unit no stack master Parameters •...
The stack display-order Global Configuration mode command configures the order of the units in the display. To return to the default configuration, use the no form of this command. Syntax stack display-order top unit bottom unit...
Command Modes Global Configuration mode Command Usage If the units are not adjacent in ring or chain topology, the units are not at the edge and the default display order is used. Example This example displays unit 8 at the top of the display and unit 1 at the bottom.
Page 651
00:00:b0:87:12:11 1.0.0.0 Enabled Slave 00:00:b0:87:12:13 1.0.0.0 Enabled Master 00:00:b0:87:12:14 1.0.0.0 Slave 00:00:b0:87:12:15 1.0.0.0 Slave 00:00:b0:87:12:16 1.0.0.0 Slave Configured order: Unit 1 at Top, Unit 2 at bottom Console> show stack Unit Address Software Master Uplink Downlink Status ---- ----------------- -------- ------...
Command Line Interface Related Commands stack master stack reload stack display-order show users The show users User EXEC mode command displays information about the active users. Syntax show users Default Setting This command has no default configuration. Command Mode User EXEC mode Command Usage There are no user guidelines for this command.
The following table describes significant fields shown above.
Field: Description
Connection: Connection number.
Host: Remote host to which the device is connected through a Telnet session.
Address: IP address of the remote host.
Port: Telnet TCP port number
Byte: Number of unread bytes for the user to see on the connection.
The show version User EXEC mode command displays system version information. Syntax show version [unit unit] Parameters • unit — Specifies the number of the unit. (Range: 1-6) Default Setting This command has no default configuration. Command Mode User EXEC mode...
2.178 1.0.0 Related Commands service cpu-utilization service cpu-utilization The service cpu-utilization Global Configuration mode command enables measuring CPU utilization. To return to the default configuration, use the no form of this command. Syntax service cpu-utilization no service cpu-utilization Default Setting Disabled.
Command Line Interface Related Commands show cpu utilization show cpu utilization The show cpu utilization Privileged EXEC mode command displays information about CPU utilization. Syntax show cpu utilization Default Setting This command has no default configuration. Command Mode Privileged EXEC mode...
4-636 TACACS+ server. tacacs-server host The tacacs-server host Global Configuration mode command specifies a TACACS+ host. To delete the specified name or address, use the no form of this command. Syntax tacacs-server host {ip-address | hostname} [single-connection] [port port-number] [timeout timeout] [key key-string] [source source]...
The tacacs-server key Global Configuration mode command sets the authentication encryption key used for all TACACS+ communications between the device and the TACACS+ daemon. To disable the key, use the no form of this command. Syntax tacacs-server key key-string...
The tacacs-server timeout Global Configuration mode command sets the interval during which the device waits for a TACACS+ server to reply. To return to the default configuration, use the no form of this command. Syntax tacacs-server timeout timeout...
The tacacs-server source-ip Global Configuration mode command configures the source IP address to be used for communication with TACACS+ servers. To return to the default configuration, use the no form of this command. Syntax tacacs-server source-ip source...
Page 661
TACACS+ Commands Parameters • ip-address — Name or IP address of the TACACS+ server. Default Setting This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays configuration and statistical information about a TACACS+ server.
The switchport customer vlan Interface Configuration (Ethernet, port-channel) mode command sets the port's VLAN when the interface is in customer mode. To restore the default configuration, use the no form of this command. Syntax switchport customer vlan vlan-id...
The ip igmp snooping map cpe vlan Global Configuration command maps CPE VLANs to multicast-TV VLANs. Use the no form of this command to remove the mapping. Syntax...
Command Line Interface If an IGMP message is received on a customer port tagged with a CPE VLAN, and there is a mapping from that CPE VLAN to a multicast-TV VLAN, the IGMP message would be associated with the multicast-TV VLAN.
Triple Play Commands show ip igmp snooping interface The show ip igmp snooping interface Privileged EXEC mode command displays IGMP snooping configuration. Syntax show ip igmp snooping interface vlan-id Parameters • vlan-id — Specifies the valid VLAN number. Default Configuration This command has no default configuration.
Use the ip dhcp snooping verify global configuration command to configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address. 4-646 ip dhcp snooping...
Use the show ip arp inspection list privileged EXEC command to display the static ARP binding list. 4-663 ip dhcp snooping The ip dhcp snooping Global Configuration mode command globally enables DHCP snooping. To return to the default configuration, use the no form of this command.
Console # (config)# ip dhcp snooping vlan The ip dhcp snooping vlan Global Configuration mode command enables DHCP snooping on a VLAN. To disable DHCP snooping on a VLAN, use the no form of this command. Syntax ip dhcp snooping vlan vlan-id...
Console # (config)# ip dhcp snooping trust The ip dhcp snooping trust Interface Configuration (Ethernet, Port-channel) mode command configures a port as trusted for DHCP snooping purposes. To return to the default configuration, use the no form of this command. Syntax...
The ip dhcp snooping verify Global Configuration mode command configures the switch to verify, on an untrusted port, that the source MAC address in a DHCP packet matches the client hardware address. To configure the switch to not verify the MAC addresses, use the no form of this command.
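The check that ip dhcp snooping verify describes can be reproduced offline to see which frames it rejects. The following Python is an added example, not code from the switch or from this guide; the function names, the forward/drop verdict strings and the two MAC addresses are assumptions, and the frames are constructed inline.

```python
import struct

DHCP_MAGIC = bytes.fromhex("63825363")   # BOOTP magic cookie that precedes DHCP options


class NotDhcp(ValueError):
    """Frame is not an IPv4/UDP DHCP packet carrying an Ethernet hardware address."""


def parse_dhcp_frame(frame: bytes):
    """Return (ethernet_source_mac, chaddr) as 6-byte values, or raise NotDhcp."""
    if len(frame) < 14:
        raise NotDhcp("short Ethernet frame")
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == 0x8100:                        # skip a single 802.1Q tag
        if len(frame) < 18:
            raise NotDhcp("short 802.1Q frame")
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        raise NotDhcp("not IPv4")
    ihl = (frame[off] & 0x0F) * 4                  # IPv4 header length in bytes
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 17:
        raise NotDhcp("not UDP over IPv4")
    udp = off + ihl
    if len(frame) < udp + 8:
        raise NotDhcp("short UDP header")
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} - {67, 68}:                  # both ports must be 67 or 68
        raise NotDhcp("not the BOOTP/DHCP ports")
    bootp = udp + 8
    if len(frame) < bootp + 240 or frame[bootp + 236:bootp + 240] != DHCP_MAGIC:
        raise NotDhcp("no DHCP magic cookie")
    htype, hlen = frame[bootp + 1], frame[bootp + 2]
    if htype != 1 or hlen != 6:
        raise NotDhcp("hardware type is not Ethernet")
    return src_mac, frame[bootp + 28:bootp + 34]   # chaddr starts at BOOTP offset 28


def verify_source_mac(frame: bytes, trusted: bool = False) -> str:
    """Verdict for one frame: the comparison applies to DHCP on untrusted ports only."""
    if trusted:
        return "forward"
    try:
        src_mac, chaddr = parse_dhcp_frame(frame)
    except NotDhcp:
        return "forward"                           # not DHCP, so this check does not apply
    return "forward" if src_mac == chaddr else "drop"


def build_discover(src_mac: bytes, chaddr: bytes, vlan=None) -> bytes:
    """Construct a minimal DHCPDISCOVER frame (test input, checksums left at zero)."""
    eth = bytes.fromhex("ffffffffffff") + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    bootp += bytes(16)                             # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr + bytes(10)                    # chaddr field is 16 bytes
    bootp += bytes(64 + 128) + DHCP_MAGIC          # sname, file, magic cookie
    bootp += bytes([53, 1, 1, 255])                # option 53 = DHCPDISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), bytes([255] * 4))
    return eth + ip + udp


# Constructed addresses (locally administered range), not taken from the guide.
CLIENT = bytes.fromhex("020000000001")
OTHER = bytes.fromhex("020000000002")

if __name__ == "__main__":
    print("matching chaddr :", verify_source_mac(build_discover(CLIENT, CLIENT)))
    print("forged chaddr   :", verify_source_mac(build_discover(CLIENT, OTHER)))
    print("trusted port    :", verify_source_mac(build_discover(CLIENT, OTHER), trusted=True))
```
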
Console # (config)# ip dhcp snooping verify Console # (config)# ip dhcp snooping database The ip dhcp snooping database Global Configuration mode command configures the DHCP snooping binding file. To delete the binding file, use the no form of this command. Syntax ip dhcp snooping database...
Command Line Interface ip dhcp snooping database update-freq The ip dhcp snooping database update-freq Global Configuration Command configures the update frequency of the DHCP snooping binding file. To return to the default configuration, use the no form of this command. Syntax...
Command Mode Privileged EXEC mode Command Usage After entering this command an entry would be added to the DHCP snooping database. If a DHCP snooping binding file exists, the entry would be added to that file also. The entry would be displayed in the show commands as a “DHCP Snooping entry”.
Trusted ---------------------- ---------------------- show ip dhcp snooping binding The show ip dhcp snooping binding User EXEC mode command displays the DHCP snooping binding database and configuration information for all interfaces on a switch. Syntax show ip dhcp snooping binding [mac-address mac-address]...
(s) 3 1/22 ip source-guard (global) The ip source-guard Global Configuration mode command globally enables the IP source guard. To disable IP source guard, use the no form of this command. Syntax ip source-guard no ip source-guard Default Configuration IP source guard is disabled.
Console # (config-if)# ip source-guard binding The ip source-guard binding Global Configuration mode command configures the static IP source bindings on the switch. To delete static bindings, use the no form of this command. Syntax ip source-guard binding mac-address vlan-id ip-address {ethernet interface...
Global Configuration mode Command Usage There are no user guidelines for this command. Example The following example configures the static IP source bindings on the switch for port 1/e16. Console # (config)# ip source-guard binding 00:60:70:4C:73:FF 1 10.6.22.195 ethernet 1/e16...
(TCAM) resources, there may be situations where IP source guard addresses are inactive because of lack of TCAM resources. By default, every minute the software conducts a search for available space in the TCAM for the inactive IP source guard addresses.
IP Source Guard is Enabled. Interface State ----------- --------- 1/21 Enabled 1/22 Enabled 1/22 Enabled 1/22 Enabled 1/23 Enabled 1/24 Enabled 1/32 Disabled show ip source-guard inactive The show ip source-guard inactive EXEC mode command displays the IP source guard inactive addresses.
(TCAM) resources, there may be situations where IP source guard addresses are inactive because of lack of TCAM resources. By default, every minute the software conducts a search for available space in the TCAM for the inactive IP source guard addresses.
The following example globally enables the ARP inspection. Console # (config)# ip arp inspection Console # (config)# 01-Jan-2000 23:07:53 %ARPINSP-I-PCKTLOG: ARP packet dropped from port g3 with VLAN tag 1 and reason: packet verification failed SRC MAC 00:00:5e:00:01:07 SRC IP 10.6.22.193 DST MAC 00:00:00:00:00:00 DST IP 10.6.22.195...
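The %ARPINSP-I-PCKTLOG message above can be parsed on a syslog collector to find the ports that generate dropped ARP packets. The following Python is an added example, not part of this guide or of the device software; it matches only the fields visible in the message above, the function names, window and threshold are assumptions, and every sample line after the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields as they appear in the message shown in this guide; anything after DST IP is ignored.
DROP_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}):? %ARPINSP-I-PCKTLOG: "
    r"ARP packet dropped from port (?P<port>\S+) with VLAN tag (?P<vlan>\d+) "
    r"and reason: (?P<reason>.+?) "
    r"SRC MAC (?P<src_mac>[0-9A-Fa-f:]{17}) SRC IP (?P<src_ip>[\d.]+) "
    r"DST MAC (?P<dst_mac>[0-9A-Fa-f:]{17}) DST IP (?P<dst_ip>[\d.]+)"
)

# First line: the message from this guide. Remaining lines: constructed for the example.
SAMPLE_LOG = """\
01-Jan-2000 23:07:53 %ARPINSP-I-PCKTLOG: ARP packet dropped from port g3 with VLAN tag 1 and reason: packet verification failed SRC MAC 00:00:5e:00:01:07 SRC IP 10.6.22.193 DST MAC 00:00:00:00:00:00 DST IP 10.6.22.195
01-Jan-2000 23:08:05 %ARPINSP-I-PCKTLOG: ARP packet dropped from port g3 with VLAN tag 1 and reason: packet verification failed SRC MAC 00:00:5e:00:01:07 SRC IP 10.6.22.193 DST MAC 00:00:00:00:00:00 DST IP 10.6.22.196
01-Jan-2000 23:08:20 %ARPINSP-I-PCKTLOG: ARP packet dropped from port g3 with VLAN tag 1 and reason: packet verification failed SRC MAC 02:00:00:00:00:AA SRC IP 10.6.22.193 DST MAC 00:00:00:00:00:00 DST IP 10.6.22.195
01-Jan-2000 23:08:40 %ARPINSP-I-PCKTLOG: ARP packet dropped from port g3 with VLAN tag 1 and reason: packet verification failed SRC MAC 02:00:00:00:00:AA SRC IP 10.6.22.194 DST MAC 00:00:00:00:00:00 DST IP 10.6.22.195
01-Jan-2000 23:09:00: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up
01-Jan-2000 23:15:02 %ARPINSP-I-PCKTLOG: ARP packet dropped from port g7 with VLAN tag 2 and reason: packet verification failed SRC MAC 02:00:00:00:00:BB SRC IP 10.6.22.200 DST MAC 00:00:00:00:00:00 DST IP 10.6.22.201
"""


def parse_drop(line: str):
    """Return the fields of one ARP inspection drop message, or None for other lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S")
    ev["vlan"] = int(ev["vlan"])
    ev["src_mac"] = ev["src_mac"].lower()
    ev["dst_mac"] = ev["dst_mac"].lower()
    return ev


def summarize_drops(lines, window=timedelta(seconds=60), threshold=3):
    """Group drops by (port, VLAN); report totals, the densest burst and claimed senders."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_drop(line)
        if ev:
            events[(ev["port"], ev["vlan"])].append(ev)

    report = {}
    for key, evs in events.items():
        times = sorted(e["ts"] for e in evs)
        burst, start = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        claimed = defaultdict(set)                 # sender IP -> MACs that claimed it
        for e in evs:
            claimed[e["src_ip"]].add(e["src_mac"])
        report[key] = {
            "drops": len(evs),
            "burst": burst,
            "claimed": {ip: sorted(macs) for ip, macs in claimed.items()},
            "alert": burst >= threshold,
        }
    return report


if __name__ == "__main__":
    for (port, vlan), info in sorted(summarize_drops(SAMPLE_LOG.splitlines()).items()):
        flag = "ALERT" if info["alert"] else "ok"
        print(f"{port} vlan {vlan}: {info['drops']} drops, burst {info['burst']} [{flag}]")
        for ip, macs in info["claimed"].items():
            print(f"    {ip} claimed by {', '.join(macs)}")
```

The switch limits how often it emits these messages (see ip arp inspection logging interval), so the counts are a lower bound on the number of dropped packets.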
Default Configuration The interface is untrusted. Command Mode Interface Configuration (Ethernet, Port-channel) mode Command Usage The switch does not check ARP packets, which are received on the trusted interface; it simply forwards the packets.
The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection log-buffer vlan Global Configuration mode command.
The ip arp inspection list create Global Configuration mode command creates a static ARP binding list and enters the ARP list configuration mode. To delete the list, use the no form of this command.
Console(config-ARP-list)# ip 172.16.1.2 mac 0060.704C.7322 ip arp inspection list assign The ip arp inspection list assign Global Configuration mode command assigns static ARP binding lists to a VLAN. To delete the assignment, use the no form of this command. Syntax...
Global Configuration mode Command Usage There are no user guidelines for this command. Example The following example sets the minimum ARP SYSLOG message interval to 10 seconds. Console # (config)# ip arp inspection logging interval 10 Console # (config)# show ip arp inspection The show ip arp inspection EXEC mode command displays the ARP inspection configuration.
User Interface Commands ----------- ----------- show ip arp inspection list The show ip arp inspection list Privileged EXEC mode command displays the static ARP binding list. Syntax show ip arp inspection list Default Configuration This command has no default configuration.
Page 688
Changes a login username. 4-666 configure Enters the Global Configuration mode. 4-667 exit (Configuration) Exits any configuration mode to the next highest mode in the CLI mode hierarchy. 4-667 Configuration Modes exit Closes an active terminal session by logging off the device.
The enable User EXEC mode command enters the Privileged EXEC mode. Syntax enable [privilege-level] Parameters • privilege-level — Privilege level to enter the system. (Range: 1 - 15) Default Setting The default privilege level is 15. Command Mode User EXEC mode Command Usage There are no user guidelines for this command.
The disable Privileged EXEC mode command returns to the User EXEC mode. Syntax disable [privilege-level] Parameters • privilege-level — Privilege level to enter the system. (Range: 1 - 15) Default Setting The default privilege level is 1. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command.
The following example enters Global Configuration mode. Console# configure Console(config)# Related Commands enable disable exit (Configuration) The exit command exits any configuration mode to the next highest mode in the CLI mode hierarchy. Syntax exit Default Setting This command has no default configuration.
Privileged and User EXEC modes Command Usage There are no user guidelines for this command. Example The following example closes an active terminal session. Console> exit Related Commands configure The end command ends the current configuration session and returns to the Privileged EXEC mode.
This command has no default configuration. Command Mode All configuration modes. Command Usage There are no user guidelines for this command. Example The following example changes from Global Configuration mode to Privileged EXEC mode. Console(config)# end Console# Related Commands exit help The help command displays a brief description of the help system.
Help is provided when: 1. There is a valid command and a help request is made for entering a parameter or argument (e.g. 'show ?'). All possible parameters or arguments for the entered command are displayed.
User Interface Commands Related Commands show history show history The show history User EXEC mode command lists the commands entered in the current session. Syntax show history Default Setting This command has no default configuration. Command Mode User EXEC mode Command Usage The buffer includes executed and unexecuted commands.
Page 696
Command Mode Privileged and User EXEC modes Command Usage There are no user guidelines for this command. Example The following example displays the current privilege level for the Privileged EXEC mode. Console# show privilege Current privilege level is 15 Related Commands...
4-676 interface range vlan Enables simultaneously configuring multiple VLANs. 4-677 name Adds a name to a VLAN. To remove the VLAN name, use the no form of this command. 4-678 map protocol Maps a protocol to a group of protocols.
Sets a subnet-based classification rule. 4-691 map subnets-group vlan switchport protected Overrides the FDB decision and sends all Unicast, Multicast and Broadcast traffic to an uplink port. To return to the default configuration, use the no form of the command. 4-692
Console(config-vlan)# Related Commands vlan name show vlan vlan Use the vlan VLAN Configuration mode command to create a VLAN. To delete a VLAN, use the no form of this command. Syntax vlan vlan-range no vlan vlan-range Parameters • vlan-range — Specifies a list of VLAN IDs to be added. Separate nonconsecutive VLAN IDs with a comma and no spaces;...
Command Line Interface default-vlan vlan Use the default-vlan vlan VLAN Configuration mode command to create a default VLAN. To restore the default configuration or delete a VLAN, use the no form of this command. Syntax default-vlan vlan vlan-id no default-vlan vlan Parameters •...
Command Usage Commands under the interface range context are executed independently on each interface in the range. If the command returns an error on one of the interfaces, an error message is displayed and execution of the command continues on the other interfaces.
The map protocol protocols-group VLAN Configuration command maps a protocol to a group of protocols. Use the no form of this command to delete the map. Syntax map protocol protocol [encapsulation] protocols-group group no map protocol protocol [encapsulation] Parameters - protocol —...
The following protocol names are reserved for Ethernet Encapsulation: - ip-arp - ipx - ip Example The following example maps a protocol 0x0000 to protocol group 1000 for Ethernet port 1/e16. Console(config-vlan)# map protocol 0x000 ethernet protocols-group 1000 Console(config-if)# switchport mode access Related Commands...
The switchport mode Interface Configuration mode command configures the VLAN membership mode of a port. To return to the default configuration, use the no form of this command. Syntax switchport mode {access | trunk | general}...
The switchport access vlan Interface Configuration mode command configures the VLAN ID when the interface is in access mode. To return to the default configuration, use the no form of this command. Syntax...
Command Line Interface Example The following example configures a VLAN ID of 23 to the untagged layer 2 VLAN Ethernet port 1/e16. Console(config)# interface ethernet 1/e16 Console(config-if)# switchport access vlan 23 Related Commands switchport mode switchport trunk allowed vlan switchport trunk native vlan...
VLAN Commands Example The following example adds VLANs 1, 2, 5 to 6 to the allowed list of Ethernet port 1/e16. Console(config)# interface ethernet 1/e16 Console(config-if)# switchport trunk allowed vlan add 1-2,5-6 Related Commands switchport mode switchport access vlan...
[tagged | untagged] switchport general allowed vlan remove vlan-list Parameters • add vlan-list — Specifies the list of VLAN IDs to be added. Separate nonconsecutive VLAN IDs with a comma and no spaces. A hyphen designates a range of IDs.
This command enables changing the egress rule (e.g., from tagged to untagged) without first removing the VLAN from the list. Example The following example adds VLANs 2, 5, and 6 to the allowed list of Ethernet port 1/e16. Console(config)# interface ethernet 1/e16...
Command Line Interface Command Usage There are no user guidelines for this command. Example The following example configures the PVID for Ethernet port 1/e16, when the interface is in general mode. Console(config)# interface ethernet 1/e16 Console(config-if)# switchport general pvid 234...
The switchport general acceptable-frame-type tagged-only Interface Configuration mode command discards untagged frames at ingress. To return to the default configuration, use the no form of this command. Syntax switchport general acceptable-frame-type tagged-only...
The switchport forbidden vlan Interface Configuration mode command forbids adding specific VLANs to a port. To return to the default configuration, use the remove parameter for this command. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} Parameters •...
The map mac macs-group VLAN Configuration mode command maps a MAC address or range of MAC addresses to a group of MAC addresses. To delete the map, use the no form of this command. Syntax...
The map subnet subnets-group VLAN Configuration mode command maps the IP subnet to a group of IP subnets. To delete the map, use the no form of this command. Syntax map subnet ip-address prefix-mask subnets-group group...
VLAN Commands Parameters • ip-address — Specifies the IP address prefix of the subnet to be entered to the group. • prefix-mask — Mask bits. The format is IP address format. • group — Indicates the group number. (Range: 1-2147483647) Default Configuration This command has no default configuration.
Command Mode Interface Configuration (Ethernet, port-channel) Command Usage Packets to the MAC address of the device are sent to the device and not forwarded to the uplink. IGMP snooping works on PVE protected ports; however forwarding of query/reports is not limited to the PVE uplink.
IP interface, an unused VLAN is selected by the software. • If the software selected a VLAN for internal use and the user wants to use that VLAN as a static or dynamic VLAN, the user should do one of the following: •...
Command Line Interface Example The following example reserves an unused VLAN as the internal usage VLAN of ethernet port 1/e8. Console# config Console(config)# interface ethernet 1/e8 Console(config-if)# ip internal-usage-vlan Related Commands switchport mode switchport access vlan switchport trunk allowed vlan...
Related Commands vlan database vlan name show vlan internal usage The show vlan internal usage Privileged EXEC mode command displays a list of VLANs used internally by the device. Syntax show vlan internal usage Default Setting This command has no default configuration.
Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Examples The following examples display the switchport configuration for Ethernet ports 1/e1 and 1/e2. Console# show interfaces switchport ethernet 1/e1 Port 1/e1: Port Mode: Access...
VLAN Commands Acceptable Frame Type: admitAll Ingress UnTagged VLAN ( NATIVE ): 1 Protected: Enabled, Uplink is 1/e9. Port 1/e1 is member in: Vlan Name Egress rule Port Membership Type ---- -------------------- ----------- ------------------- default untagged System VLAN008 tagged Dynamic...
Port Membership Type ---- ------------ ----------- ------------------- IP Telephony tagged Static Static configuration: PVID: 8 Ingress Filtering: Disabled Acceptable Frame Type: All Port 1/e2 is statically configured to: Vlan Name Egress rule ---- ------------ ----------- VLAN0072 untagged IP Telephony tagged Forbidden VLANS:...
VLAN that is not the Access port VLAN, while keeping the L2 segregation with subscribers on different Access port VLANs. Use the no form of this command to disable receiving multicast transmissions.
The show vlan protocols-groups EXEC command displays protocols-groups information. Syntax show vlan protocols-groups Default Configuration There is no default configuration for this command. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command. Example The following example displays IPMP Snooping configuration.
VLAN Commands switchport access vlan show vlan macs-groups The show vlan macs-groups Privileged EXEC mode command displays macs-groups information. Syntax show vlan macs-groups Default Configuration This command has no default configuration. Command Mode Privileged EXEC mode Command Usage There are no user guidelines for this command.
-------- 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0 show vlan multicast-tv Use the show multicast-tv command to display information on the source ports and receiver ports of multicast-tv vlan. Syntax show vlan multicast-tv vlan-id Parameters of the Multicast TV VLAN • vlan-id — VLAN ID Default Configuration This command has no default configuration.
Specifies the TCP port to be used by the Web browser interface. To return to the default configuration, use the no form of this command.
ip http exec-timeout: Sets the interval that the system waits for user input in HTTP sessions before automatic logoff.
ip https server: Enables configuring the device from a secured browser.
The ip http port Global Configuration mode command specifies the TCP port to be used by the Web browser interface. To return to the default configuration, use the no form of this command. Syntax...
The ip http exec-timeout Global Configuration mode command sets the interval that the system waits for user input in HTTP sessions before automatic logoff. To restore the default configuration, use the no form of this command. Syntax...
The ip https port Global Configuration mode command specifies the TCP port used by the server to configure the device through the Web browser. To return to the default configuration, use the no form of this command.
The ip https exec-timeout Global Configuration mode command sets the interval that the system waits for user input in HTTPS sessions before automatic logoff. To restore the default configuration, use the no form of this command. Syntax...
If no RSA key length is specified, the default length is 1024. If no URL or IP address is specified, the default common name is the lowest IP address of the device at the time that the certificate is generated.
Web Server Commands • common-name — Specifies the fully qualified URL or IP address of the device. (Range: 1- 64) • organization-unit — Specifies the organization-unit or department name. (Range: 1- 64) • organization — Specifies the organization name. (Range: 1- 64) •...
The imported certificate must be based on a certificate request created by the crypto certificate request Privileged EXEC mode command. If the public key found in the certificate does not match the device's SSL RSA key, the command fails. This command is not saved in the device configuration; however, the certificate imported by this command is saved in the private configuration (which is never displayed to the user or backed up to another device).
The ip https certificate Global Configuration mode command configures the active certificate for HTTPS. To return to the default configuration, use the no form of this command. Syntax ip https certificate number...
Subject: CN= router.gm.com, 0= General Motors, C= US Finger print: DC789788 DC88A988 127897BC BB789788 Related Commands crypto certificate generate crypto certificate request crypto certificate import ip https certificate show ip http The show ip http Privileged EXEC mode command displays the HTTP server configuration.
HTTP server enabled. Port: 80 Related Commands ip http server ip http port show ip https The show ip https Privileged EXEC mode command displays the HTTPS server configuration. Syntax show ip https Default Setting This command has no default configuration.
Command Line Interface Certificate 2 is inactive Issued by: self-signed Valid from: 8/9/2004 to 8/9/2005 Subject: CN= router.gm.com, 0= General Motors, C= US Finger print: 1873B936 88DC3411 BC8932EF 782134BA Related Commands ip https server ip https port ip https certificate...
Appendix A. Configuration Examples This appendix contains configuration examples for Customer VLANs and Multicast TV, and contains the following sections: • Configuring QinQ • Configuring Multicast TV • Configuring Customer VLANs...
QinQ. Adding additional tags to the packets helps create more VLAN space. The added tag provides a VLAN ID to each customer, which ensures private and segregated network traffic. The VLAN ID tag is assigned to a customer port in the service provider's network. The designated port then provides additional services to the packets with the double-tags.
Set the VLAN Interface Mode field to Customer. Define the remaining fields. 10. Click . The VLAN interface settings are saved, and the device is updated. 11. Click Layer 2 > VLAN > VLAN > Current Table. The VLAN Current Table opens...
14. Click . The customer VLAN is defined, and the device is updated. Configuring Customer VLANs using the CLI As an example for configuring QinQ. The following figure illustrates the configuration example being described. Figure 6. QinQ Configuration Example To configure QinQ, perform the following: Enter the global configuration mode.
A and B, to each of the CPE customers. For this purpose port e4 is configured as a trunked port, tagged for VLANs 1001, 1048, 3000, 3001, with port e1 and e48 configured as the triple play ports connected to the customer site.
Console (config)#
Enter the VLAN configuration mode.
Console (config)# vlan database
Console (config-vlan)#
Create VLANs for customer port 1 and port 48 for QinQ. Each customer has a separate VLAN.
Console (config-vlan)# vlan 1001
Console (config-vlan)# vlan 1048
Create a VLAN for configuring Multicast TV provider A.
12. To configure the QinQ uplink, configure port e4 as a trunked port, tagged for VLANs 1001, 1048, 3000 and 3001.
Console (Config)# interface ethernet e4
Console (config-if)# switchport mode trunk
Console (config-if)# switchport trunk allowed vlan add 1001
Console (config-if)# switchport trunk allowed vlan add 1048...
Figure 8. Add VLAN Membership Page Create VLANs for customer port 1 and port 48 for QinQ. Each customer has a separate VLAN. For this example use 1001 and 1048. On the same screen, create a VLAN for configuring Multicast TV provider A as 3000, and create a VLAN for configuring Multicast TV provider B as 3001.
Figure 9. CPE VLAN Mapping Page Click The Add CPE VLAN Mapping Page opens: Map the internal CPE VLAN 3 to the Multicast TV VLAN 3001, and map the internal CPE VLAN 4 to the Multicast TV VLAN 3000. 10. Click 11.
12. Click Layer 2 > VLAN > VLAN > Current Table. The VLAN Current Table Page opens. 13. Select VLAN ID number 1001 and double-click port e1. The VLAN Membership Settings page opens. Figure 10. CPE VLAN Mapping Page 14. In the...
20. Click 21. Close the VLAN Interface Settings Page. 22. Repeat steps 18 to 21 configuring port e48 as a customer port on VLAN 1048. 23. Click Layer 2 > VLAN > VLAN > Customer Multicast TV VLAN. The Customer Multicast VLAN Page opens.
VLAN space. The added tag provides a VLAN ID to each customer, which ensures private and segregated network traffic. The VLAN ID tag is assigned to a customer port in the service provider's network. The designated port then provides additional services to the packets with the double-tags.
10. Click . The VLAN interface settings are saved, and the device is updated. 11. Click Layer 2 > VLAN > VLAN > Current Table. The VLAN Current Table opens. Figure 17. VLAN Current Table 12. Select the VLAN ID.
Appendix B. Software Specifications
Software Features
Authentication: Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security
Access Control Lists: IP, MAC (up to 32 lists)
AMAP: Alcatel Mapping Adjacency Protocol
SNMPv3: Management access via MIB database; trap management to specified hosts...
Up to 255 groups; port-based, protocol-based, or tagged (802.1Q), GVRP for automatic VLAN learning, private VLANs Class of Service Supports eight levels of priority and Weighted Round Robin Queueing (which can be configured by VLAN tag or port), Layer 3/4 priority mapping: IP Precedence, IP DSCP...
• Be sure the management station has an IP address in the same subnet as the switch’s IP interface to which it is connected. • If you are trying to connect to the switch via the IP address for a tagged VLAN group, your management station, and the ports connecting intermediate switches in the network, must be configured with the appropriate tag.
Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
DSCP priority bit. Differentiated Services Code Point Service (DSCP) DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.
Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations.
On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
MD5 Message Digest Algorithm An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
NTP servers. Spanning Tree Protocol (STP) A technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.