NetApp® CN1610 Network Switch CLI Command Reference
NetApp, Inc.
495 East Java Drive
Sunnyvale, CA 94089 U.S.A.
Telephone: +1 (408) 822-6000
Fax: +1 (408) 822-4501
Support telephone: +1 (888) 463-8277
Documentation comments: doccomments@netapp.com
Information Web: www.netapp.com
Part number: 215-06286_C0
August 2017...
NetApp assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by NetApp. The use or purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of NetApp.
Introduction
This document describes command-line interface (CLI) commands you use to view and configure the CN1610 software. You can access the CLI by using a direct connection to the serial port or by using Telnet or SSH over a remote network connection.
About This Document
Scope
FASTPATH software encompasses both hardware and software support. The software is partitioned to run in the following processors:
◆ This code runs the networking device management portfolio and controls the overall networking device hardware. It also assists in frame forwarding, as needed and specified.
Values”
◆ “Interface Naming Convention”
◆ “Using the no Form of a Command”
◆ “CN1610 Software Modules”
◆ “Command Modes”
◆ “Command Completion and Abbreviation”
◆...
] is an optional parameter, so you are not required to enter a value gateway in place of the parameter. The NetApp CN1610 Network Switch CLI Command Reference lists each command by the command name and provides a brief description of the command. Each command reference also contains the following information: ◆...
Command Conventions
The parameters for a command might include mandatory values, optional values, or keyword choices. Parameters are order-dependent. The following Parameter Conventions table describes the conventions this document uses to distinguish between value types:
Symbol: [] square brackets
Example: [value]
Description: Indicates an optional parameter.
Common Parameter Values
Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (“”) are not valid user-defined strings.
Parameter: Description
Character strings: Use double quotation marks to identify character strings, for example, “System Name with Spaces”. An empty string (“”) is not valid.
Chapter 2: Using the Command-Line Interface...
Interface Naming Convention
FASTPATH software references physical entities such as cards and ports by using a slot/port naming convention. The FASTPATH software also uses this convention to identify certain logical entities, such as link aggregation groups (LAGs), which are also known as port-channels. When a command indicates that the variable is , an example of a valid slot/port...
Using the no Form of a Command
The no keyword is a specific form of an existing command and does not represent a new or distinct command. Almost every configuration command has a no form. In general, use the no form to reverse the action of a command or reset a value back to the default.
CN1610 Software Modules
The CN1610 software consists of flexible modules that can be applied in various combinations to develop advanced Layer 2/3/4+ products. The commands and command modes available on your switch depend on the installed modules. Additionally, for some...
Command Modes
The CLI groups commands into modes according to the command function. Each of the command modes supports specific CN1610 software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
Command Mode: Interface Config
Prompt: (CN1610) (Interface slot/port)#
Prompt: (CN1610) (Interface slot/port (startrange)-slot/port(endrange)
Mode Description: Manages the operation of an interface. Use this mode to set up a physical port for a specific logical connection operation. You can also use this...
Command Mode: Mail Server Config
Prompt: (CN1610) (Mail-Server)#
Mode Description: Allows configuration of the email server.

Command Mode: Policy Map Config
Prompt: (CN1610) (Config-policy-map)#
Mode Description: Contains the QoS Policy-Map configuration commands.

Command Mode: Policy Class Config
Prompt: (CN1610) (Config-policy-class-map)#
Mode Description: Consists of class creation, deletion, and matching commands.
The following CLI Mode Access and Exit table explains how to enter or exit each mode: Command Mode Prompt Mode Description User EXEC This is the first level of To exit, enter logout access. Privileged EXEC From the User EXEC mode, To exit to the User enter EXEC mode, enter...
Mail Server Config: From the Global Config mode, enter mail-server address. To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z
Policy-Map From the Global Config To exit to the Global Config mode, enter...
ARP Access-List Config Mode: From the Global Config mode, enter the access-list command. To exit to the Global Config mode, enter the exit command. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Completion and Abbreviation
Command completion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. Once you have entered enough letters, press the SPACEBAR or TAB key to complete the word. Command abbreviation allows you to execute a command when you have entered enough letters to uniquely identify the command.
CLI Error Messages
If you enter a command and the system is unable to execute it, an error message appears. The following table describes the most common CLI error messages:
Message Text: % Invalid input detected at '^' marker.
Description: Indicates that you entered an incorrect or unavailable command.
CLI Line-Editing Conventions
The following CLI editing conventions table describes the key combinations you can use to edit commands or increase the speed of command entry. You can access this list from the CLI by entering help from the User or Privileged EXEC modes.
Key Sequence: Description
List available commands, keywords, or parameters.
Select DHCP, BootP, or None as the network config protocol.
If the help output shows a parameter in angle brackets, you must replace the parameter with a value:
(CN1610)#network parms ?
<ipaddr> Enter the IP address.
If there are no additional command keywords or parameters, or if additional parameters are optional, the following message appears in the output:
<cr>...
You can also enter a question mark (?) after typing one or more characters of a word to list the available commands or parameters that begin with the letters, as shown in the following example:
(CN1610) #show m?
mac-addr-table mac-address-table...
Accessing the CLI
You can access the CLI by using a direct console connection or by using a Telnet or SSH connection from a remote management host. For the initial connection, you must use a direct connection to the console port. You cannot access the system remotely until the system has an IP address, subnet mask, and default gateway.
Management Commands
This chapter describes the management commands available in the FASTPATH CLI. The Management Commands chapter contains the following sections:
◆ “Network Interface Commands”
◆ “Console Port Access Commands”
◆ “Telnet Commands”
◆...
Interface Config
◆ VLAN Config
The following is an example of the do command that executes the Privileged EXEC command script list in Global Config Mode.
(CN1610) #configure
(CN1610)(config)#do script list
Configuration Script Name        Size(Bytes)
-------------------------------- -----------
backup-config                    2105
running-config                   4483
startup-config
3 configuration script(s) found.
Mode Privileged EXEC
The following shows an example of the command.
(CN1610) # serviceport protocol dhcp

network parms
This command sets the IP address, subnet mask and gateway of the device. The IP address and the gateway must be on the same subnet. When you specify the option, the IP address and subnet mask are set to the factory defaults.
Format network protocol dhcp
Mode Global Config
The following shows an example of the command.
(CN1610) # network protocol dhcp

network mac-address
This command sets locally administered MAC addresses. The following rules apply:
◆ Bit 6 of byte 0 (called the U/L bit) indicates whether the address is universally administered (b'0') or locally administered (b'1').
network mac-type
This command specifies whether the switch uses the burned in MAC address or the locally-administered MAC address.
Default burnedin
Format network mac-type {local | burnedin}
Mode Privileged EXEC

no network mac-type
This command resets the value of MAC address to its default.
Format no network mac-type...
Term: Definition
Default Gateway: The default gateway for this IP interface. The factory default value is 0.0.0.0.
IPv6 Administrative Mode: Whether enabled or disabled.
IPv6 Prefix is: The IPv6 address and length. Default is Link Local format.
Burned In MAC Address: The burned in MAC address used for in-band connectivity.
The VLAN used to establish an IP connection to the switch from a workstation that is connected to a port in the same VLAN.
The following shows example CLI display output for the network port.
(CN1610) #show network
Interface Status....... Down
IP Address........0.0.0.0
Subnet Mask........0.0.0.0
Default Gateway........
Burned in MAC Address: The burned in MAC address used for in-band connectivity.
The following shows example CLI display output for the service port.
(CN1610) #show serviceport
Interface Status....... Up
IP Address........10.27.21.176
Subnet Mask........255.255.252.0
Default Gateway........ 10.27.20.1
IPv6 Administrative Mode....... Enabled...
IPv6 Prefix is ........ fe80::2a0:98ff:feea:2e7b/64
Configured IPv4 Protocol....... DHCP
Configured IPv6 Protocol....... None
IPv6 AutoConfig Mode......Disabled
Burned In MAC Address......00:A0:98:EA:2E:7B
Chapter 3: Management Commands...
Global Config
Term: Definition
console: Console terminal line.
telnet: Virtual terminal for remote console access (Telnet).
Virtual terminal for secured remote console access (SSH).
The following shows an example of the CLI command.
(CN1610)(config)#line telnet
(CN1610)(config-telnet)#
Console Port Access Commands...
serial baudrate
This command specifies the communication rate of the terminal interface. The supported rates are 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200.
Default 9600
Format serial baudrate {1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200}
Mode Line Config

no serial baudrate...
Modes
◆ Privileged EXEC
◆ User EXEC
Term: Definition
Serial Port Login Timeout (minutes): The time, in minutes, of inactivity on a serial port connection, after which the switch will close the connection. A value of 0 disables the timeout.
Baud Rate (bps): The default baud rate at which the serial port will try to connect.
Telnet Commands
This section describes the commands you use to configure and view Telnet settings. You can use Telnet to manage the device from a remote management host.

ip telnet server enable
Use this command to enable Telnet connections to the system and to enable the Telnet Server Admin Mode.
transport input telnet
This command regulates new Telnet sessions. If enabled, new Telnet sessions can be established until there are no more sessions available. An established session remains active until the session is ended or an abnormal network error ends the session.
session-limit
This command specifies the maximum number of simultaneous outbound Telnet sessions. A value of 0 indicates that no outbound Telnet session can be established.
Default
Format session-limit 0-5
Mode Line Config

no session-limit
This command sets the maximum number of simultaneous outbound Telnet sessions to the default value.
Format telnetcon maxsessions 0-5
Mode Privileged EXEC

no telnetcon maxsessions
This command sets the maximum number of Telnet connection sessions that can be established to the default value.
Format no telnetcon maxsessions
Mode Privileged EXEC

telnetcon timeout
This command sets the Telnet connection session timeout value, in minutes. A session is active as long as the session has not been idle for the value set.
show telnet
This command displays the current outbound Telnet settings. In other words, these settings apply to Telnet connections initiated from the switch to a remote system.
Format show telnet
Modes
◆ Privileged EXEC
◆ User EXEC
Term: Definition
Outbound Telnet Login Timeout: The number of minutes an outbound Telnet session is allowed to remain inactive before being logged...
The TCP port number where the telnet server is listening.
The following output shows an example of the command:
(CN1610) #show telnetcon
Remote Connection Login Timeout (minutes)..5
Maximum Number of Remote Connection Sessions... 5
Allow New Telnet Sessions...... Yes
Telnet Server Admin Mode.......
Secure Shell Commands
This section describes the commands you use to configure Secure Shell (SSH) access to the switch. Use SSH to access the switch from a remote management host.
Note: The system allows a maximum of 5 SSH sessions.

ip ssh
Use this command to enable SSH access to the system.
no ip ssh server enable
This command disables the IP secure shell server.
Format no ip ssh server enable
Mode Privileged EXEC

sshcon maxsessions
This command specifies the maximum number of SSH connection sessions that can be established. A value of 0 indicates that no ssh connection can be established.
Changing the timeout value for active sessions does not become effective until the session is reaccessed. Also, any keystroke activates the new timeout duration.
Format no sshcon timeout
Mode Privileged EXEC

show ip ssh
This command displays the ssh settings.
Format show ip ssh
Mode...
Management Security Commands
This section describes commands you use to generate keys and certificates, which you can do in addition to loading them as before.

crypto key generate
Use this command to generate an RSA key pair for SSH. The new key files will overwrite any existing generated or downloaded RSA key files.
Linux shell and return to the CN1610 CLI. The shell session will time out after five minutes of inactivity. The inactivity timeout value can be changed using the command “session-timeout” on page 43 in Line Console mode.
long
This command displays the complete user names of the users currently logged in to the switch.
Format show loginsession long
Mode Privileged EXEC
The following shows an example of the command.
(CN1610) #show loginsession long
User Name
------------
admin
test1111test1111test1111test1111test1111test1111test1111test1111
Access Commands...
User Account Commands
This section describes the commands you use to add, manage, and delete system users. FASTPATH software has two default users: admin and guest. The admin user can view and configure system settings, and the guest user can view settings.
Note: You cannot delete the admin user.
A separate default enable list, enableNetList, is used for Telnet and SSH users instead of enableList. This list is applied by default for Telnet and SSH, and contains enable followed by deny methods. In CN1610, by default, the enable password is not configured. That means that, by default, Telnet and SSH users...
If the login methods include only enable, and there is no enable password configured, then CN1610 does not prompt for a username. In such cases, CN1610 only prompts for a password. CN1610 supports configuring methods after the local method in authentication and authorization lists. If the user is not present in the local database, then the next configured method is tried.
◆ radius. Uses the list of all RADIUS servers for authentication.
◆ tacacs. Uses the list of all TACACS+ servers for authentication.
The following example sets authentication when accessing higher privilege levels.
(CN1610)(config)# aaa authentication enable default enable
no aaa authentication enable
Use this command to return to the default configuration.
Format no aaa authentication enable {default | list-name}
Mode Global Config

aaa authorization
Use this command to configure an exec authorization method list. This list is identified by or a user-specified .
TACACS+/RADIUS/Local none
The following shows an example of the command.
(CN1610) #
(CN1610) #configure
(CN1610) (Config)#aaa authorization exec default tacacs+ none

no aaa authorization
This command deletes the authorization method list.
Format no aaa authorization commands {default|list-name}...
methods
This command displays the configured authorization method lists.
Format show authorization methods
Mode Privileged EXEC
The following shows example CLI display output for the command.
(CN1610) #show authorization methods
Exec Authorization Method Lists
-------------------------------------
dfltExecAuthList none
Line Exec Method List...
The following example specifies the default authentication method when accessing a higher privilege level console. (CN1610)(config)# line console (CN1610)(config-line)# enable authentication default no enable Use this command to return to the default specified by the enable authentication command.
15.
(CN1610)(config)# username bob password xxxyyymmmm level 15
The following example configures user test with password testPassword and assigns a user level of 1. The password strength will not be validated.
(CN1610)(config)# username test password testPassword level 1 override-complexity-check
A third example.
(Switching) (Config)# username test level 15 password
Enter new password:********
Confirm new password:********
A fifth example.
(Switching) (Config)# username test level 15 override-complexity-check password
Enter new password:********
Confirm new password:********

no username
Use this command to remove a user name.
Format no username name
Mode...
username unlock
Use this command to allow a locked user account to be unlocked. Only a user with Level 1 access can reactivate a locked user account.
Format username name unlock
Mode Global Config

username snmpv3 accessmode
This command specifies the snmpv3 access privileges for the specified login user.
Default no authentication
Format username snmpv3 authentication username {none | md5 | sha}
Mode Global Config

no username snmpv3 authentication
This command sets the authentication protocol to be used for the specified user to none. The username is the user name for which the specified authentication...
no username snmpv3 encryption
This command sets the encryption protocol to none. The username is the login user name for which the specified encryption protocol will be used.
Format no username snmpv3 encryption username
Mode Global Config

username snmpv3 encryption
This command specifies the des encryption protocol and the required encryption key for the specified user.
This command displays the complete usernames of the configured users on the switch.
Format show users long
Mode Privileged EXEC
The following shows an example of the command.
(CN1610) #show users long
User Name
------------
admin
guest
test1111test1111test1111test1111

show users...
Password Strength: Displays the user password's strength (Strong or Weak). This field is displayed only if the Password Strength feature is enabled.
The following example displays information about the local user database.
(CN1610)#show users accounts
UserName Privilege Password Password Lockout Aging...
Lockout........False
Override Complexity Check...... Disable
Password Strength......---
UserName........guest
Privilege........1
Password Aging......... ---
Password Expiry........ ---
Lockout........False
Override Complexity Check...... Disable
Password Strength......---

show users login-history [long]
Use this command to display information about the login history of users.
Format show users login-history [long]...
Uses the indicated list created with the command. authentication login The following example specifies the default authentication method for a console. (CN1610) (config)# line console (CN1610) (config-line)# login authentication default no login Use this command to return to the default specified by the authentication authentication command.
128 characters long because the assumption is that this password is already encrypted with AES.
The following example specifies a password mcmxxyyy on a line.
(CN1610)(config-line)# password mcmxxyyy
The following is another example of the command.
(Switching)(Config-line)# password testtest
(Switching) (Config-line)# password e8d63677741431114f9e39a853a15e8fd35ad059e2e1b49816c243d7e08152b052
eafbf23b528d348cdba1b1b7ab91be842278e5e970dbfc62d16dcd13c0b864...
IAS User Config
The following shows an example of the command.
(CN1610) #
(CN1610) #configure
(CN1610) (Config)#aaa ias-user username client-1
(CN1610) (Config-aaa-ias-User)#password client123
(CN1610) (Config-aaa-ias-User)#no password
The following is an example of adding a MAB Client to the Internal user database.
(CN1610) #configure
(CN1610) (Config)#aaa ias-user username 1f3ccb1157
(CN1610) (Config-aaa-ias-User)#password 1f3ccb1157
(CN1610) (Config-aaa-ias-User)#exit
(CN1610) (Config)#

enable password (Privileged EXEC)
Use the enable password configuration command to set a local password to control access to the privileged EXEC mode.
Format enable password [password [encrypted]]...
no enable password (Privileged EXEC)
Use the no enable password command to remove the password requirement.
Format no enable password
Mode Privileged EXEC

passwords min-length
Use this command to enforce a minimum password length for local users. The value also applies to the enable password. The valid range is 8-64.
Default
Format passwords min-length 8-64...
passwords aging
Use this command to implement aging on passwords for local users. When a user’s password expires, the user will be prompted to change it before logging in again. The valid range is 1-365. The default is 0, or no aging.
Default
Format passwords aging 1-365...
passwords strength-check
Use this command to enable the password strength feature. It is used to verify the strength of a password during configuration.
Default Disable
Format passwords strength-check
Mode Global Config

no passwords strength-check
Use this command to set the password strength checking to the default value.
Format no passwords strength-check...
passwords strength minimum uppercase-letters
Use this command to enforce a minimum number of uppercase letters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.
Default
Format passwords strength minimum uppercase-letters...
passwords strength minimum numeric-characters
Use this command to enforce a minimum number of numeric characters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.
Default
Format passwords strength minimum numeric-characters...
passwords strength minimum character-classes
Use this command to enforce a minimum number of character classes that a password should contain. Character classes are uppercase letters, lowercase letters, numeric characters and special characters. The valid range is 0-4. The default is 4.
Default
Format passwords strength minimum character-classes...
Mode Privileged EXEC
Term: Definition
Minimum Password Length: Minimum number of characters required when changing passwords.
Password History: Number of passwords to store for reuse prevention.
Password Aging: Length in days that a password is valid.
Lockout Attempts: Number of failed password login attempts before lockout.
Format no aaa ias-user username user
Mode Global Config
The following shows an example of the command.
(CN1610) #
(CN1610) #configure
(CN1610) (Config)#aaa ias-user username client-1
(CN1610) (Config-aaa-ias-User)#exit
(CN1610) (Config)#no aaa ias-user username client-1
(CN1610) (Config)#
aaa session-id
Use this command in Global Config mode to specify if the same session-id is used for Authentication, Authorization and Accounting service type within a session.
Default common
Format aaa session-id [common | unique]
Mode Global Config
Parameter: Description
common: Use the same session-id for all AAA Service types.
◆ The same list-name can be used for both exec and commands accounting type
◆ AAA Accounting for commands with RADIUS as the accounting method is not supported.
◆ Start-stop or None are the only supported record types for DOT1X accounting.
(CN1610) #aaa accounting exec ExecList stop-only tacacs
(CN1610) #aaa accounting exec ExecList start-stop tacacs
(CN1610) #aaa accounting exec ExecList start-stop tacacs radius
The first aaa command creates a method list for exec sessions with the name ExecList, with record-type as stop-only and the method as TACACS+. The second command changes the record type to start-stop from stop-only for the same method list.
AAA IAS User Config
The following shows an example of the command.
(CN1610) #
(CN1610) #configure
(CN1610) (Config)#aaa ias-user username client-1
(CN1610) (Config-aaa-ias-User)#password client123
(CN1610) (Config-aaa-ias-User)#no password
The following is an example of adding a MAB Client to the Internal user database.
Encrypted password to be entered, copied from another switch configuration.
The following is an example of the command.
(CN1610) #
(CN1610) #clear aaa ias-users
(CN1610) #

show aaa ias-users
Use this command to display configured IAS users and their attributes.
Enter a string of not more than 15 characters.
The following is an example of the command.
(CN1610) #
(CN1610) #configure
(CN1610) (Config)#line telnet
(CN1610)(Config-line)# accounting exec default
(CN1610) #exit

no accounting
Use this command to remove accounting from a Line Configuration mode.
Format...
methods
Use this command to display configured accounting method lists.
Format show accounting methods
Mode Privileged EXEC
The following shows example CLI display output for the command.
(CN1610) #
(CN1610) #show accounting methods
Acct Type Method Name Record Type Method Type
---------- ------------ ------------...
Mode Privileged EXEC

show domain-name
This command displays the configured domain-name.
Format show domain-name
Mode Privileged EXEC
The following shows example CLI display output for the command.
(CN1610) #
(CN1610) #show domain-name
Domain : Enable
Domain-name :abc
SNMP Commands
This section describes the commands you use to configure Simple Network Management Protocol (SNMP) on the switch. You can configure the switch to act as an SNMP agent so that it can communicate with SNMP managers on your network.
Mode Global Config
Parameter: Description
community-name: A name associated with the switch and with a set of SNMP managers that manage it with a specified privileged level. The length of community name can be up to 16 case-sensitive characters.
ro | rw | su: The access mode of the SNMP community, which can be public (Read-Only/RO), private (Read-Write/RW), or Super User (SU).
Parameter: Description
community-string: The community which is created and then associated with the group. The range is 1 to 20 characters.
group-name: The name of the group that the community is associated with. The range is 1 to 30 characters.
ipaddress: Optionally, the IPv4 address that the community may be accessed from.
Mode Global Config

no snmp-server enable traps
This command disables the Authentication Flag.
Format no snmp-server enable traps
Mode Global Config

snmp trap link-status
This command enables link status traps on an interface or range of interfaces.
Note: This command is valid only when the Link Up/Down Flag is enabled. See “snmp trap link-status”...
no snmp trap link-status all
This command disables link status traps for all interfaces.
Note: This command is valid only when the Link Up/Down Flag is enabled. See “snmp trap link-status” on page 92.
Format no snmp trap link-status all
Mode Global Config

snmp-server enable...
no snmp-server enable traps multiusers
This command disables Multiple User traps.
Format no snmp-server enable traps multiusers
Mode Global Config

snmp-server enable traps stpmode
This command enables the sending of new root traps and topology change notification traps.
Default enabled
Format snmp-server enable traps stpmode
Mode...
Parameter: Description
default: Sets the engine-id to the default string, based on the device MAC address.
CAUTION: Changing the engine-id will invalidate all SNMP configuration that exists on the box.

no snmp-server engineID local
This command removes the specified engine ID.
Default The engineID is configured automatically, based on the device MAC address.
Parameter: Description
included: The tree is included in the filter.
excluded: The tree is excluded from the filter.

no snmp-server filter
This command removes the specified filter.
Default No filters are created by default.
Format snmp-server filter filtername [oid-tree]
Mode Global Config

snmp-server group
This command creates an SNMP access group.
Parameter: Description
auth: This group can be accessed only when using Authentication but not Encryption. Applicable only if SNMPv3 is selected.
priv: This group can be accessed only when using both Authentication and Encryption. Applicable only if SNMPv3 is selected.
context-name: The SNMPv3 context used during access.
Parameter: Description
host-addr: The IPv4 or IPv6 address of the host to send the trap or inform to.
traps: Send SNMP traps to the host. This option is selected by default.
version 1: Sends SNMPv1 traps. This option is not available if informs is selected.
Default No default users are created.
Format snmp-server user username groupname [remote engineid-string] [ {auth-md5 password | auth-sha password | auth-md5-key md5-key | auth-sha-key sha-key} [priv-des password | priv-des-key des-key]
Mode Global Config
Parameter: Description
username: The username the SNMPv3 user will connect to the switch as.
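An added example, not part of the NetApp manual: an offline check that scans a saved configuration script for settings this reference describes (ip telnet server enable, override-complexity-check on a username, passwords strength-check, which defaults to Disable, and snmp-server user entries without auth or priv options). The sample script and rule names are constructed, and it is an assumption that the script stores each command in the form it is typed at the CLI.

```python
import shlex

# Constructed sample of a saved configuration script (not taken from the manual).
# Assumption: each command is stored in the same form it is typed at the CLI.
SAMPLE_CONFIG = """\
ip telnet server enable
username ops password examplePass1 level 15 override-complexity-check
passwords min-length 12
snmp-server user monitor grpRead
snmp-server user backup grpRead auth-sha examplePass2
snmp-server user nms grpRead auth-sha examplePass3 priv-des examplePass4
"""

# Option keywords from the "snmp-server user" Format line in this reference.
AUTH_OPTS = {"auth-md5", "auth-sha", "auth-md5-key", "auth-sha-key"}
PRIV_OPTS = {"priv-des", "priv-des-key"}

# Rule names are hypothetical labels chosen for this example.
RULES = {
    "TELNET_ENABLED": "Telnet server enabled; management traffic is not encrypted",
    "COMPLEXITY_OVERRIDE": "user created with override-complexity-check",
    "SNMPV3_NO_AUTH": "SNMPv3 user has no authentication option",
    "SNMPV3_NO_PRIV": "SNMPv3 user authenticates but has no encryption option",
    "STRENGTH_CHECK_OFF": "passwords strength-check not set (default is Disable)",
}


def tokenize(line):
    """Split a command line, keeping double-quoted names with spaces together."""
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote: fall back to a plain whitespace split
        return line.split()


def audit(config_text):
    """Return (line_number, rule_id) findings; line 0 means the whole file."""
    findings = []
    strength_check_on = False
    for num, raw in enumerate(config_text.splitlines(), start=1):
        tokens = tokenize(raw.strip())
        if not tokens:
            continue
        if tokens == ["ip", "telnet", "server", "enable"]:
            findings.append((num, "TELNET_ENABLED"))
        elif tokens == ["passwords", "strength-check"]:
            strength_check_on = True
        elif tokens == ["no", "passwords", "strength-check"]:
            strength_check_on = False
        elif tokens[0] == "username" and "override-complexity-check" in tokens[2:]:
            findings.append((num, "COMPLEXITY_OVERRIDE"))
        elif tokens[:2] == ["snmp-server", "user"] and len(tokens) >= 4:
            # tokens[2] is the username and tokens[3] the group; options follow.
            opts = set(tokens[4:])
            if not opts & AUTH_OPTS:
                findings.append((num, "SNMPV3_NO_AUTH"))
            elif not opts & PRIV_OPTS:
                findings.append((num, "SNMPV3_NO_PRIV"))
    if not strength_check_on:
        findings.append((0, "STRENGTH_CHECK_OFF"))
    return findings


def report(config_text):
    """Format the findings as one readable line per finding."""
    return [f"line {num}: {rule}: {RULES[rule]}" for num, rule in audit(config_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```
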
snmp-server view This command creates or modifies an existing view entry that is used by groups to determine which objects can be accessed by a community or user. Default Views are created by default to provide access to the default groups.
Parameter: Description
host-addr: The IPv4 or IPv6 address of the host to send the trap or inform to.
user-name: User used to send a Trap or Inform message. This user must be associated with a group that supports the version and access method. The range is 1 to 30 characters.
Term: Definition
Community Table:
Community-String: The community string for the entry. This is used by SNMPv1 and SNMPv2 protocols to access the switch.
Community-Access: The type of access the community has:
◆ Read only
◆ Read write
◆
View Name: The view this community has access
IP Address: Access to this community is limited to...
Term: Definition
Host Table:
Target Address: The address of the host that traps will be sent to.
Type: The type of message that will be sent, either traps or informs.
Community: The community traps will be sent to.
Version: The version of SNMP the trap will be sent as.
Page 107
Format show snmp filters [filtername] Mode Privileged EXEC Parameter Description Name The filter name for this entry. OID Tree The OID tree this entry will include or exclude. Type Indicates if this entry includes or excludes the OID Tree. show snmp group This command displays the configured groups.
Page 108
Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610)# show snmp source-interface SNMP trap Client Source Interface....(not configured) show snmp user This command displays the currently configured SNMPv3 users. Format show snmp user [username]...
Page 109
Parameter Description OID Tree The OID tree that this entry will include or exclude. Type Indicates if this entry includes or excludes the OID tree. show trapflags This command displays trap conditions. The command’s display shows all the enabled OSPFv2 and OSPFv3 trapflags. Configure which traps the switch should generate by enabling or disabling the trap condition.
RADIUS Commands This section describes the commands you use to configure the switch to use a Remote Authentication Dial-In User Service (RADIUS) server on your network for authentication and accounting. authorization network radius Use this command to enable the switch to accept VLAN assignment by the radius server.
Page 111
4 [ipaddr] Mode Global Config The following shows an example of the command. (CN1610) (Config) #radius server attribute 4 192.168.37.60 (CN1610) (Config) #radius server attribute 4 radius server host This command configures the IP address or DNS name to use for communicating with the RADIUS server of a selected server type.
Page 112
If you use the auth parameter, the command configures the IP address or hostname to use to connect to a RADIUS authentication server. You can configure up to 3 servers per RADIUS client. If the maximum number of configured servers is reached, the command fails until you remove one of the servers by issuing the “no”...
Page 113
Global Config The following shows an example of the command. (CN1610) (Config) #radius server host acct 192.168.37.60 (CN1610) (Config) #radius server host acct 192.168.37.60 port 1813 (CN1610) (Config) #radius server host auth 192.168.37.60 name Network1_RS port 1813 (CN1610) (Config) #radius server host acct 192.168.37.60 name Network2_RS (CN1610) (Config) #no radius server host acct 192.168.37.60...
Page 114
Note The secret must be an alphanumeric value not exceeding 16 characters. Format radius server key {auth | acct} {ipaddr|dnsname} encrypted password Mode Global Config Field Description ipaddr The IP address of the server. dnsname The DNS name of the server. password The password in encrypted format.
Page 115
radius server primary This command specifies a configured server that should be the primary server in the group of servers which have the same server name. Multiple primary servers can be configured for each number of servers that have the same name. When the RADIUS client has to perform transactions with an authenticating RADIUS server of specified name, the client uses the primary server that has the specified server name by default.
Page 116
no radius server retransmit The no version of this command sets the value of this global parameter to the default value. Format no radius server retransmit Mode Global Config radius server timeout This command configures the global parameter for the RADIUS client that specifies the timeout value (in seconds) after which a request must be retransmitted to the RADIUS server if no response is received.
(CN1610)# show radius servers name Default-RADIUS-Server RADIUS Server Name......CoA-Server-1 Current Server IP Address...... 1.1.1.1 Number of Retransmits......3 Timeout Duration....... 15 Deadtime........0 Port........... 3799 Source IP........10.27.9.99 <- switch RADIUS Accounting Mode......Disabled Secret Configured......Yes Message Authenticator......Enable Number of CoA Requests Received......
Page 118
NAS-IP-Address attribute of RADIUS requests. The following shows example CLI display output for the command. (CN1610) #show radius Number of Configured Authentication Servers..... 32 Number of Configured Accounting Servers....32 Number of Named Authentication Server Groups.... 15 Number of Named Accounting Server Groups....
Page 119
Format show radius servers [{ipaddr|dnsname | name [servername]}] Mode Privileged EXEC Field Description ipaddr The IP address of the authenticating server. dnsname The DNS name of the authenticating server. servername The alias name to identify the server. Current The * symbol preceding the server host address specifies that the server is currently active.
Page 120
Secondary 192.168.37.201 Network2_RADIUS_Server Primary 192.168.37.202 Network3_RADIUS_Server Secondary 192.168.37.203 Network4_RADIUS_Server Primary (CN1610) #show radius servers name Default_RADIUS_Server Server Name......Default_RADIUS_Server Host Address......192.168.37.58 Secret Configured...... No Message Authenticator ....Enable Number of Retransmits....4 Time Duration......10 Chapter 3: Management Commands...
Page 121
RADIUS Accounting Mode....Disable RADIUS Attribute 4 Mode....Enable RADIUS Attribute 4 Value ....192.168.37.60 (CN1610) #show radius servers 192.168.37.58 Server Name......Default_RADIUS_Server Host Address......192.168.37.58 Secret Configured...... No Message Authenticator ....Enable Number of Retransmits....4 Time Duration......10 RADIUS Accounting Mode....
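The "Secret Configured" and "Message Authenticator" fields in the show radius servers display above are the ones worth checking on every switch. The following is an added example, not part of the NetApp reference: a Python audit of captured output. The sample text is constructed from the field names shown on this page, and the one-field-per-line layout and the "Disable" spelling for Message Authenticator are assumptions.

```python
import re

# Constructed sample (not real device output): three records shaped like the
# "show radius servers name <servername>" display in this reference.
# The last record is cut short on purpose, as a truncated capture would be.
SAMPLE_OUTPUT = """\
(CN1610) #show radius servers name Default_RADIUS_Server
Server Name.................................... Default_RADIUS_Server
Host Address................................... 192.168.37.58
Secret Configured.............................. No
Message Authenticator ......................... Enable
Number of Retransmits.......................... 4
Time Duration.................................. 10
RADIUS Accounting Mode......................... Disable
(CN1610) #show radius servers name Network2_RADIUS_Server
Server Name.................................... Network2_RADIUS_Server
Host Address................................... 192.168.37.201
Secret Configured.............................. Yes
Message Authenticator ......................... Disable
Number of Retransmits.......................... 4
Time Duration.................................. 10
RADIUS Accounting Mode......................... Disable
(CN1610) #show radius servers name Network3_RADIUS_Server
Server Name.................................... Network3_RADIUS_Server
Host Address................................... 192.168.37.202
Secret Configured.............................. Yes
"""

# "Field name", a dot leader of two or more dots, then the value.
# Prompt lines start with "(" and contain no dot leader, so they are skipped.
FIELD_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9][^.]*?)\s*\.{2,}\s*(?P<value>.*?)\s*$"
)

# Values accepted for each audited field (compared case-insensitively).
EXPECTED = {
    "Secret Configured": {"yes"},
    "Message Authenticator": {"enable", "enabled"},
}


def parse_records(text):
    """Split dot-leader output into one dict per server.

    A new record starts at every field whose name ends in "Server Name",
    which also covers the "RADIUS Server Name" spelling used by some displays.
    """
    records, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group("key"), match.group("value")
        if key.endswith("Server Name"):
            key = "Server Name"
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def audit(records):
    """Return (server name, host address, finding) for each failed check.

    A field missing from the capture is reported instead of being treated
    as a pass, so a truncated capture cannot hide a weak setting.
    """
    findings = []
    for rec in records:
        name = rec.get("Server Name", "?")
        host = rec.get("Host Address", "?")
        for field, ok_values in EXPECTED.items():
            value = rec.get(field)
            if value is None:
                findings.append((name, host, f"{field}: not reported"))
            elif value.lower() not in ok_values:
                findings.append((name, host, f"{field}: {value}"))
    return findings


if __name__ == "__main__":
    for name, host, finding in audit(parse_records(SAMPLE_OUTPUT)):
        print(f"{name} ({host}): {finding}")
```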
1813 192.168.37.202 Network3_RADIUS_Server 1813 192.168.37.203 Network4_RADIUS_Server 1813 (CN1610) #show radius accounting name Default_RADIUS_Server Server Name......Default_RADIUS_Server Host Address......192.168.37.200 RADIUS Accounting Mode....Disable Port ........1813 Secret Configured ..... Yes show radius This command displays a summary of statistics for the configured RADIUS accounting accounting servers.
Page 123
Term Definition dnsname The DNS name of the server. servername The alias name to identify the server. RADIUS Accounting Server Name The name of the accounting server. Server Host Address The IP address of the host. Round Trip Time The time interval, in hundredths of a second, between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
Page 124
The number of RADIUS packets received from this server on the accounting port and dropped for some other reason. The following shows example CLI display output for the command. (CN1610) #show radius accounting statistics 192.168.37.200 RADIUS Accounting Server Name....Default_RADIUS_Server Host Address........192.168.37.200 Round Trip Time.......
Page 125
show radius statistics This command displays the summary statistics of configured RADIUS Authenticating servers. Format show radius statistics {ipaddr|dnsname | name servername} Mode Privileged EXEC Term Definition ipaddr The IP address of the server. dnsname The DNS name of the server. servername The alias name to identify the server.
Page 126
The number of RADIUS packets received from this server on the authentication port and dropped for some other reason. The following shows example CLI display output for the command. (CN1610) #show radius statistics 192.168.37.200 RADIUS Server Name......Default_RADIUS_Server Server Host Address......192.168.37.200 Access Requests.......
Page 127
(CN1610) #show radius statistics name Default_RADIUS_Server RADIUS Server Name......Default_RADIUS_Server Server Host Address......192.168.37.200 Access Requests....... 0.00 Access Retransmissions......0 Access Accepts........ 0 Access Rejects........ 0 Access Challenges......0 Malformed Access Responses....0 Bad Authenticators......0 Pending Requests......0 Timeouts........0 Unknown Types.........
TACACS+ Commands TACACS+ provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ is based on the TACACS protocol (described in RFC1492) but additionally provides for separate authentication, authorization, and accounting services.
Page 129
Text-based configuration supports TACACS server’s secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the “show running-config”...
Page 130
Default Format tacacs-server timeout timeout Mode Global Config no tacacs-server Use the no tacacs-server timeout command to restore the default timeout timeout value for all TACACS servers. Format no tacacs-server timeout Mode Global Config Use the command in TACACS Configuration mode to specify the authentication and encryption key for all TACACS communications between the device and the TACACS server.
Page 131
The following shows an example of the command. (Switching)(Config)#tacacs-server host 1.1.1.1 (Switching)(Tacacs)#keystring Enter tacacs key:******** Re-enter tacacs key:******** port Use the port command in TACACS Configuration mode to specify a server port number. The server port-number range is 0 - 65535. Default Format...
Page 132
show tacacs Use the show tacacs command to display the configuration, statistics, and source interface details of the TACACS+ client. Format show tacacs [ip-address|hostname|client|server] Mode Privileged EXEC Term Definition Host address The IP address or hostname of the configured TACACS+ server. Port The configured TACACS+ server port number.
Configuration Scripting Commands Configuration Scripting allows you to generate text-formatted script files representing the current configuration of a system. You can upload these configuration script files to a PC or UNIX system and edit them. Then, you can download the edited files to the system and apply the new configuration. You can apply configuration scripts to one or more switches with no or minor modifications.
Page 134
Note To specify a blank password for a user in the configuration script, you must specify it as a space within quotes. For example, to change the password for user jane from a blank password to hello, the script entry is as follows: users passwd jane "...
Page 135
script show This command displays the contents of a script file, which is named scriptname. Format script show scriptname Mode Privileged EXEC Term Definition Output Format line number: line contents script validate This command validates a script file by parsing each line in the script file where scriptname is the name of the script to validate. The validate option is intended to be used as a tool for script development.
Prelogin Banner, System Prompt, and Host Name Commands This section describes the commands you use to configure the prelogin banner and the system prompt. The prelogin banner is the text that displays before you login at the User: prompt. copy (pre-login banner) The copy command includes the option to upload or download the CLI Banner to...
Page 137
Default No contents to display before displaying the login prompt. Format show clibanner Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) #show clibanner Banner Message configured : ========================= -------------------------- TEST -------------------------- set clibanner Use this command to configure the prelogin CLI banner before displaying the login prompt.
Utility Commands This chapter describes the utility commands available in the FASTPATH CLI. The Utility Commands chapter includes the following sections: ◆ “AutoInstall Commands” on page 136 ◆ “CLI Output Filtering Commands” on page 140 ◆ “Dual Image Commands” on page 143 ◆...
AutoInstall Commands The AutoInstall feature enables the automatic update of the image and configuration of the switch. This feature enables touchless or low-touch provisioning to simplify switch configuration and imaging. AutoInstall includes the following support: ◆ Downloading an image from TFTP server using DHCP option 125. The image update can result in a downgrade or upgrade of the firmware on the switch.
Page 140
Format boot autoinstall {start | stop} Mode Privileged EXEC boot host retrycount Use this command to set the number of attempts to download a configuration file from the TFTP server. Default Format boot host retrycount 1-3 Mode Privileged EXEC no boot host retrycount Use this command to set the number of attempts to download a configuration file to the default value.
Page 141
boot host autosave Use this command to automatically save the downloaded configuration file to the startup-config file on the switch. When autosave is disabled, you must explicitly save the downloaded configuration to non-volatile memory by using the write memory or copy system:running-config nvram:startup-config command. If the switch reboots and the downloaded configuration has not been saved, the...
Page 142
This command displays the current status of the AutoInstall process. Format show autoinstall Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) #show autoinstall AutoInstall Mode....... Stopped AutoInstall Persistent Mode....Disabled AutoSave Mode........Disabled AutoReboot Mode........ Enabled AutoInstall Retry Count......3...
If a line of output contains both the include and exclude strings then the line is not displayed. The following shows example of the CLI command. (CN1610) #show running-config | include “spanning-tree” exclude “configuration” spanning-tree bpduguard spanning-tree bpdufilter default spanning-tree forceversion 802.1w...
Page 144
Collision Frames....... 0 Number of link down events..... 1 Time Since Counters Last Cleared....281 day 4 hr 9 min 0 sec (CN1610) #show interface 0/1 | exclude “Packets” Transmit Packet Errors......0 Collision Frames....... 0 Number of link down events..... 1 Time Since Counters Last Cleared....
Page 145
show xxx |section “string” “string2” The command xxx is executed and the output is filtered to only show lines included within the section(s) identified by lines containing the “string” match and ending with the first line containing the “string2” match. If multiple sessions matching the specified string match criteria are part of the base output, then all instances are displayed.
Dual Image Commands FASTPATH software supports a dual image feature that allows the switch to have two software images in the permanent storage. You can specify which image is the active image to be loaded in subsequent reboots. This feature allows reduced down-time when you upgrade or downgrade the software.
Page 147
Mode Privileged EXEC update bootcode This command updates the bootcode (boot loader) on the switch. The bootcode is read from the active-image for subsequent reboots. Format update bootcode Mode Privileged EXEC Dual Image Commands...
System Information and Statistics Commands This section describes the commands you use to view information about system features, components, and configurations. show arp switch This command displays the contents of the IP stack’s Address Resolution Protocol (ARP) table. The IP stack only learns ARP entries associated with the management interfaces - network or service ports.
Page 149
Term Definition Code The event code. Time The time this event occurred. Note Event log information is retained across a switch reset. show version This command displays inventory information for the switch. Format show version Mode Privileged EXEC Term Definition System Description Text used to identify the product name of this switch.
Page 150
(RVMB) information of the switch. Timestamp Timestamp at which the image is built The following shows example CLI display output for the command. (CN1610) #show platform vpd Operational Code Image File Name....FastPath-Ent-esw- xgs4-gto-BL20R-CS-6AIQHSr3v7m14b35 Software Version....... 3.7.14.35 Timestamp........Thu Mar 7 14:36:14...
Page 151
show interface This command displays a summary of statistics for a specific interface or a count of all CPU traffic based upon the argument. Format show interface {slot/port | switchport} Mode Privileged EXEC The display parameters, when the argument is slot/port, are as follows: Parameters Definition Packets Received...
Page 152
Parameters Definition Time Since Counters Last Cleared The elapsed time, in days, hours, minutes, and seconds since the statistics for this port were last cleared. The display parameters, when the argument is “switchport” are as follows: Term Definition Packets Received Without Error The total number of packets (including broadcast packets and multicast packets) received by the...
Page 153
The description of the interface is configurable through the existing command description <name> which has a maximum length of 64 characters that is truncated to 28 characters in the output. The long form of the description can be displayed using .
Page 154
The total number of multicast packets transmitted by the interface. OutBcastPkts The total number of broadcast packets transmitted by the interface. The following shows example CLI display output for the command. (CN1610) #show interface counters Port InOctets InUcastPkts InMcastPkts InBcastPkts...
Page 155
0/3 150980 3139 0000 0000 ch64 0 000 CPU 3595330 3044217 Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts --------- ---------------- ---------------- ---------------- ------ ---------- 0000 0/2 00 00 0/3 131369 0 1189 000 0 0000 0000 0000 ch64 0000 CPU 40252930 32910120 show interface ethernet This command displays detailed statistics for a specific interface or for all CPU...
Page 156
Term Definition Packets Received ◆ Total Packets Received (Octets) - The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including Frame Check Sequence (FCS) octets). This object can be used as a reasonable estimate of Ethernet utilization.
Page 157
Term Definition ◆ Packets Received 256–511 Octets - The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets). ◆ Packets Received 512–1023 Octets - The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but...
Page 158
Term Definition ◆ Packets RX and TX 64 Octets - The total number of packets (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets). ◆ Packets RX and TX 65–127 Octets - The total number of packets (including bad packets) received and transmitted that were between 65 and 127 octets in length inclusive (excluding...
Page 159
Term Definition Packets Received (con’t) ◆ Packets RX and TX 512–1023 Octets - The total number of packets (including bad packets) received and transmitted that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets). ◆...
Page 160
Term Definition Packets Received Successfully ◆ Total Packets Received Without Error - The total number of packets received that were without errors. ◆ Unicast Packets Received - The number of subnetwork-unicast packets delivered to a higher-layer protocol. ◆ Multicast Packets Received - The total number of good packets received that were directed to a multicast address.
Page 161
Term Definition Packets Received with MAC Errors ◆ Total Packets Received with MAC Errors - The total number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. ◆ Jabbers Received - The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check...
Page 162
Term Definition Received Packets Not Forwarded ◆ Total Received Packets Not Forwarded - A count of valid frames received which were discarded (in other words, filtered) by the forwarding process ◆ 802.3x Pause Frames Received - A count of MAC Control frames received on this interface with an opcode indicating the PAUSE operation.
Page 163
Term Definition Packets Transmitted Octets ◆ Total Packets Transmitted (Octets) - The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of Ethernet utilization.
Page 164
Term Definition Packets Transmitted Successfully ◆ Total Packets Transmitted Successfully - The number of frames that have been transmitted by this port to its segment. ◆ Unicast Packets Transmitted - The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Page 165
Term Definition Transmit Discards ◆ Total Transmit Packets Discards - The sum of single collision frames discarded, multiple collision frames discarded, and excessive frames discarded. ◆ Single Collision Frames - A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.
Page 166
Term Definition Protocol Statistics ◆ 802.3x Pause Frames Transmitted - A count of MAC Control frames transmitted on this interface with an opcode indicating the PAUSE operation. This counter does not increment when the interface is operating in half-duplex mode. ◆...
Page 167
Term Definition Dot1x Statistics ◆ EAPOL Frames Transmitted - The number of EAPOL frames of any type that have been transmitted by this authenticator. ◆ EAPOL Start Frames Received - The number of valid EAPOL start frames that have been received by this authenticator.
Page 168
If you use the keyword, the following information appears for all interfaces on the switch. Term Definition Port The Interface ID. Bytes Tx The total number of bytes transmitted by the interface. Bytes Rx The total number of bytes transmitted by the interface.
Page 169
show interface lag Use this command to display configuration information about the specified LAG interface. Format show interface lag lag-intf-num Mode Privileged EXEC Parameters Definition Packets Received Without Error The total number of packets (including broadcast packets and multicast packets) received on the LAG interface Packets Received The number of inbound packets that contained errors...
Page 170
Measured optical output power relative to 1mW. Input Power Measured optical power received relative to 1mW. TX Fault Transmitter fault. Loss of signal. The following information shows an example of the command output: (CN1610) #show fiber-ports optical-transceiver all Output Input Port Temp Voltage Current...
Page 171
show fiber-ports optical-transceiver-info This command displays the SFP vendor related information like Vendor Name, Serial Number of the SFP, Part Number of the SFP. The values are derived from the SFP's A0 table using the I²C interface. Format show fiber-ports optical-transceiver-info {all | slot/port} Mode...
Page 172
A value of all zero in this field indicates that the vendor revision is unspecified. The following information shows an example of the command output: (CN1610) #show fiber-ports optical-transceiver-info all Link Link Nominal Length Length Chapter 4: Utility Commands...
Page 173
50um 62.5um Rate Port Vendor Name [m] [m] Serial Number Part Number [Mbps] Rev -------- ---------------- --- ---- ---------------- --------------- - ----- ---- 0/49 BROADCOM 8 3 A7N2018414 AXM761 10300 10 0/51 BROADCOM 8 3 A7N2018472 AXM761 10300 10 0/52 BROADCOM 8 3 A7N2018501 AXM761 10300 10...
Page 174
Term Definition MAC Address A unicast MAC address for which the switch has forwarding and/or filtering information. The format is 6 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. Interface The port through which this address was learned. Interface Index This object indicates the ifIndex of the interface table entry associated with this port.
Page 175
Term Definition Dynamic Address count Number of MAC addresses in the forwarding database that were automatically learned. Static Address (User-defined) count Number of MAC addresses in the forwarding database that were manually entered by a user. Total MAC Addresses in use Number of MAC addresses currently in the forwarding database.
Page 176
Parameter Description falling threshold The percentage of CPU resources that, when usage falls below this level for the configured interval, triggers a notification. The range is 1 to 100. The default is 0 (disabled). A notification is triggered when the total CPU utilization falls below this level for a configured period of time.
Page 177
Parameter Description Running Status Indicates whether the process is currently running or stopped. The following shows example CLI display output for the command. Admin Auto Running Name Status Restart Status ---- ---------------- ----- --------- --------- ------- 1 dataplane 15309 Enabled Disabled Running 2 switchdrvr...
Page 178
Parameter Description Max Mem Usage The maximum amount of memory the process has used at any given time since it started. (CN1610) #show process app-resource-list Memory Memory Max Mem Name Limit Share Usage Usage ---- ---------------- ---- ----------- --------- ----------- ------...
Page 179
CPU utilization sampling in 300Secs interval Total CPU Utilization Total CPU utilization % within the specified window of 5Secs, 60Secs and 300Secs. The following shows example CLI display output for the command using Linux. (CN1610) #show process cpu Memory Utilization Report status bytes ------ ----------...
Page 180
The maximum amount of virtual memory the process has used at a given time. FD Count The file descriptors count for the process. The following shows example CLI display output for the command. (CN1610) #show process proc-list Process Application VM Size VM Peak...
Page 181
The output is displayed in script format, which can be used to configure another switch with the same configuration. If the optional scriptname is provided with a file name extension of “.scr”, the output is redirected to a script file. Note If you issue the command from a serial connection,...
Page 182
Display the running config for a specified lag interface. vlan Display the running config for a specified vlan routing interface. The following shows example CLI display output for the command. (CN1610) #show running-config interface 0/1 !Current Configuration: interface addport 3/1 exit (CN1610) #
Page 183
Display the content of the factory-defaults file. The following shows example CLI display output for the command using the startup-config parameter. (CN1610) #show startup-config !Current Configuration: !System Description "Quanta LB6M, 8.1.14.41, Linux 2.6.27.47, U-Boot 2009.06 (Apr 19 2011 - 15:57:06)"...
Page 184
The following shows example CLI display output for the command using the backup-config parameter. (CN1610) #show backup-config !Current Configuration: !System Description "Quanta LB6M, 8.1.14.41, Linux 2.6.27.47, U-Boot 2009.06 (Apr 19 2011 - 15:57:06)" !System Software Version "8.1.14.41"...
Page 185
Use this command to list the files in the directory /mnt/fastpath in flash from the CLI. Format Mode Privileged EXEC (CN1610) #dir drwx 2048 May 09 2002 16:47:30 . drwx 2048 May 09 2002 16:45:28 .. -rwx 592 May 09 2002 14:50:24 slog2.txt -rwx 72 May 09 2002 16:45:28 boot.dim...
Page 186
-rwx 1776 May 09 2002 16:44:38 slog1.txt -rwx 356 Jun 17 2001 10:43:18 crashdump.ctl -rwx 1024 May 09 2002 16:45:44 sslt.rnd -rwx 14328276 May 09 2002 16:01:06 image2 -rwx 148 May 09 2002 16:46:06 hpc_broad.cfg -rwx 0 May 09 2002 14:51:28 olog1.txt -rwx 517 Jul 23 2001 17:24:00 ssh_host_key -rwx...
Page 187
Term Definition System Up Time The time in days, hours and minutes since the last switch reboot. Current SNTP The system time acquired from a network SNTP Synchronized Time server. MIBs Supported A list of MIBs supported by this agent. show tech-support Use the show tech-support...
Page 188
Mode Privileged EXEC length value Use this command to set the pagination length to value number of lines for the sessions specified by configuring on different Line Config modes (telnet/ssh/console) and is persistent. Length command on Line Console mode applies for Serial Console session. Default Format length value...
Page 189
Format show terminal length Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) #show terminal length Terminal Length: ---------------------- For Current Session………………….. 24 For Serial Console…………………… 24 For Telnet Sessions…………………... 24 For SSH Sessions…………………….. 24...
Box Services Commands This section describes the Box Services commands. Box services are services that provide support for features such as temperature, power supply status, fan control, and others. Each of these services is platform dependent. (For example, some platforms may have temperature sensors, but no fan controller. Or, others may have both while others have neither.) Note The bootloader version can only be supported on PowerPC platforms that use the...
Page 191
Term Definition Temp The current temperature of the switch environment, in Celsius. Fan Speed The current speed of the fan, in RPM. Fan Duty Level Temperature traps range The minimum and maximum temperatures for normal operation, in Celsius. Temperature Sensors Shows information for each switch temperature sensor.
Page 192
The type of power module. State The current state of the power module. The following shows example CLI display output for the command. (CN1610) #show environment Temp (C)........36 Fan Speed, RPM......... 12840 Fan Duty Level......... 100% Temperature traps range: 0 to 60 degrees (Celsius)
Page 193
Mode Privileged EXEC Term Definition System Description Text used to identify the product name of this switch. Machine Type The machine model as defined by the Vital Product Data. Machine Model The machine model as defined by the Vital Product Data Serial Number The unique box serial number for this switch.
Page 194
SFP Part Number The vendor-assigned part number for the SFP. SFP Serial Number The serial number of the SFP module. The following shows example CLI display output for the command. (CN1610) #show hardware Switch: 1
Page 195
System Description......NetApp CN1610, 1.2.0.0, Linux 3.8.13-4ce360e8 Machine Type........NetApp CN1610 Machine Model........CN1610 Serial Number........40811200201 Part Number........111-00982 Burned In MAC Address......00:A0:98:EA:2E:7A Software Version....... 1.2.0.0 CPLD version........0x6 Manufacturer Name......NetApp, Inc. Revision........E0 Date Code........20140824 Operating System......Linux 3.8.13-4ce360e8...
Logging Commands This section describes the commands you use to configure system logging, and to view logs and the logging settings. logging buffered This command enables logging to an in-memory log. Default disabled; critical when enabled Format logging buffered Mode Global Config no logging buffered This command disables logging to in-memory log.
Page 197
logging cli-command This command enables the CLI command logging feature, which enables the FASTPATH software to log all CLI commands issued on the system. The commands are stored in a persistent log. Use the “show logging persistent” on page 199 command to display the stored history of CLI commands. Default enabled Format...
Page 198
(7). The following shows examples of the command. (CN1610) (Config)# logging host google.com dns 214 (CN1610) (Config)# logging host 10.130.64.88 ipv4 214 6 (CN1610) (Config)# logging host 2000::150 ipv6 214 7 logging host This command enables logging host reconfiguration.
Page 199
logging host remove This command disables logging to host. See “show logging hosts” on page 198 for a list of host indexes. Format logging host remove hostindex Mode Global Config logging syslog This command enables syslog logging. Format logging syslog Mode Global Config no logging syslog...
Page 200
Log Messages Relayed Number of messages sent to the collector/relay. The following shows example CLI display output for the command. (CN1610) #show logging Logging Client Local Port : 514 Logging Client Source Interface : (not configured)
Page 202
Status field provides the current status of snmp row status. (Active, Not in Service, Not Ready). The following shows example CLI display output for the command. (CN1610) #show logging hosts ? <cr> Press enter to execute the command. Output filter options.
Page 203
Parameter Description Persistent Log Count The number of persistent log entries. Persistent Log Files The list of persistent log files in the system. Only displayed if log-files is specified. The following shows example CLI display output for the command. (Broadcom FASTPATH Switching) #show logging persistent Persistent Logging: disabled Persistent Log Count: 0 (Broadcom FASTPATH Switching) #show logging persistent log-files...
Page 204
Term Definition The log number. System Time Up How long the system had been running at the time the trap was sent. Trap The text of the trap message. clear logging buffered This command clears buffered logging (system startup and system operation logs).
Email Alerting and Mail Server Commands logging email This command enables email alerting and sets the lowest severity level for which log messages are emailed. If you specify a severity level, log messages at or above this severity level, but below the urgent severity level, are emailed in a non-urgent manner by collecting them together until the log time expires.
Page 206
no logging email urgent This command resets the urgent severity level to the default value. Format no logging email urgent Mode Global Config logging email message-type to- This command configures the email address to which messages are sent. The message types supported are , and .
Page 207
logging email message-type subject This command configures the subject line of the email for the specified type. Default For urgent messages: Urgent Log Messages For non-urgent messages: Non Urgent Log Messages Format logging email message-type {urgent |non-urgent |both} subject subject Mode Global Config no logging email...
Page 208
logging traps This command sets the severity at which SNMP traps are logged and sent in an email. Specify the severitylevel value as either an integer from 0 to 7 or symbolically through one of the following keywords: emergency (0), alert (1), (2),...
Page 209
Term Definition Email Alert From Address The email address of the sender (the switch). Email Alert Urgent Severity Level The lowest severity level that is considered urgent. Messages of this type are sent immediately. Email Alert Non Urgent Severity Level The lowest severity level that is considered non-urgent.
Page 210
Term Definition Email Alert Operation Status The operational status of the email alerting feature. No of Email Failures The number of email messages that have attempted to be sent but were unsuccessful. No of Email Sent The number of email messages that were sent from the switch since the counter was cleared.
Page 211
security This command sets the email alerting security protocol by enabling the switch to use TLS authentication with the SMTP Server. If the TLS mode is enabled on the switch but the SMTP server does not support TLS mode, no email is sent to the SMTP server.
Page 212
show mail-server config This command displays information about the email alert configuration. Format show mail-server {ip-address | hostname | all} config Mode Privileged EXEC Term Definition No of mail servers configured The number of SMTP servers configured on the switch. Email Alert Mail Server Address The IPv4/IPv6 address or DNS hostname of the...
(service port or network port). Similarly, CN1610 will not accept a packet that arrives on a management interface if the packet’s destination is an address on a routing interface. Thus, it would be futile...
Page 215
IP address or interface for the traceroute. The following are examples of the CLI command. traceroute Success: (CN1610) # traceroute 10.240.10.115 initTtl 1 maxTtl 4 maxFail 0 interval 1 count 3 port 33434 size 43 System Utility and Clear Commands...
Page 216
Hop Count = 1 Last TTL = 2 Test attempt = 6 Test Success = 6 traceroute ipv6 Success (CN1610) # traceroute 2001::2 initTtl 1 maxTtl 4 maxFail 0 interval 1 count 3 port 33434 size 43 Traceroute to 2001::2 hops max 43 byte packets:...
Page 217
clear config This command resets the configuration to the factory defaults without powering off the switch. When you issue this command, a prompt appears to confirm that the reset should proceed. When you enter , you automatically reset the current configuration on the switch to the default values.
Page 218
Mode Privileged EXEC clear vlan This command resets VLAN configuration parameters to the factory defaults. When the VLAN configuration is reset to the factory defaults, there are some scenarios regarding GVRP and MVRP that happen due to this: 1. Static VLANs are deleted. 2.
Page 219
Note For information about the ping command for IPv6 hosts, see “ping ipv6” on page 601. Default ◆ The default count is 1. ◆ The default interval is 3 seconds. ◆ The default size is 0 bytes. Format ping [vrf vrf-name] {address| hostname | {ipv6 {interface {unit/slot/port | vlan 1-4093 | network | serviceport} link-local-address} | ipv6-address | hostname} [count count] [interval 1-60] [size size]...
Page 220
The following are examples of the CLI command. IPv4 ping success: (CN1610) #ping 10.254.2.160 count 3 interval 1 size 255 Pinging 10.254.2.160 with 255 bytes of data: Received response for icmp_seq = 0. time = 275268 usec Received response for icmp_seq = 1. time = 274009 usec Received response for icmp_seq = 2.
Page 221
IPv4 ping failure: In Case of Unreachable Destination: (CN1610) # ping 192.168.254.222 count 3 interval 1 size 255 Pinging 192.168.254.222 with 255 bytes of data: Received Response: Unreachable Destination Received Response :Unreachable Destination Received Response :Unreachable Destination ----192.168.254.222 PING statistics----...
Page 222
Mode Privileged EXEC copy The copy command uploads and downloads files to and from the switch. You can also use the copy command to manage the dual images (active and backup) on the file system. Upload and download files from a server using FTP, TFTP, Xmodem, Ymodem, or Zmodem.
Page 223
For FTP, TFTP, SFTP and SCP, the ipaddr|hostname parameter is the IP address or host name of the server, filepath is the path to the file, and filename is the name of the file you want to upload or download. For SFTP and SCP, the parameter is the username for logging into the remote server...
Page 224
Source Destination Description
nvram:core-dump {tftp://<ipaddress|hostname>/<filepath>/<filename> | ftp://<user>@<ipaddr|hostname>/<path>/<filename> | scp://<user>@<ipaddr|hostname>/<path>/<filename> | sftp://<user>@<ipaddr|hostname>/<path>/<filename>} Uploads the core dump file on the local system to an external TFTP/FTP/SCP/SFTP server.
nvram:cpupktcapture.pcap Uploads CPU packets capture file.
Copies the crash log to a server.
Page 225
Source Destination Description
nvram:startup- Uploads the startup log file.
nvram:traplog Copies the trap log file to a server.
system:running-config nvram:startup-config Saves the running configuration to NVRAM.
system:running-config nvram:factory-defaults Saves the running configuration to NVRAM to the factory-defaults file.
Page 226
Source Destination Description
(CN1610) #copy tftp://1.1.1.1/file.scr nvram:script file.scr noval
nvram:sshkey- Downloads an SSH key file. For more information, see “Secure Shell Commands” on page 47.
nvram:sshkey-rsa1 Downloads an SSH key file.
nvram:sshkey-rsa2 Downloads an SSH key file.
Downloads the startup configuration...
Page 227
File transfer operation completed successfully. Validating and updating the users to the IAS users database. Updated IAS users database successfully. (CN1610) # write memory Use this command to save running configuration changes to NVRAM so that the changes you make will persist across a reboot. This command is the same as copy .
Simple Network Time Protocol Commands This section describes the commands you use to automatically configure the system time and date by using Simple Network Time Protocol (SNTP). sntp broadcast client poll-interval This command sets the poll interval for SNTP broadcast clients in seconds as a power of two where can be a value from 6 to 10.
Page 229
sntp client port This command sets the SNTP client port ID to 0, 123 or a value between 1025 and 65535. The default value is 0, which means that the SNTP port is not configured by the user. In the default case, the actual client port value used in SNTP packets is assigned by the underlying OS.
Page 230
Format sntp unicast client poll-timeout poll-timeout Mode Global Config no sntp unicast client poll-timeout This command will reset the poll timeout for SNTP unicast clients to its default value. Format no sntp unicast client poll-timeout Mode Global Config sntp unicast client poll-retry This command will set the poll retry for SNTP unicast clients to a value from 0 to Default...
Page 231
no sntp server This command deletes a server from the configured SNTP servers. Format no sntp server remove {ipaddress | ipv6address | hostname} Mode Global Config show sntp This command is used to display SNTP settings and status. Format show sntp Mode Privileged EXEC Term...
Page 232
Term Definition Port SNTP Client Port. The field displays the value 0 if it is default value. When the client port value is 0, if the client is in broadcast mode, it binds to port 123; if the client is in unicast mode, it binds to the port assigned by the underlying OS.
Page 233
Term Definition Address Type Address Type of configured SNTP server (IPv4, IPv6, or DNS). Priority IP priority type of the configured server. Version SNTP Version number of the server. The protocol version used to query the server in unicast mode. Port Server Port Number.
1 to 31. The range for year is 2010 to 2079. The following shows examples of the command. (CN1610) (Config)# clock set 03:17:00 (CN1610) (Config)# clock set 11/01/2011 clock summer-time date Use the clock summer-time date command to set the summer-time offset to Coordinated Universal Time (UTC).
Page 235
The range is up to four characters are allowed. The following shows examples of the command. (CN1610) (Config)# clock summer-time date 1 nov 2011 3:18 2 nov 2011 3:18 (CN1610) (Config)# clock summer-time date 1 nov 2011 3:18 2 nov...
Page 236
Up to four characters are allowed. The following shows examples of the command. (CN1610) (Config)# clock summer-time recurring 2 sun nov 3:18 2 mon nov 3:18 (CN1610) (Config)# clock summer-time recurring 2 sun nov 3:18 2 mon...
Page 237
The acronym for the time zone. The range is up to four characters. The following shows an example of the command. (CN1610) (Config)# clock timezone 5 minutes 30 zone INDA no clock timezone Use this command to reset the time zone settings.
Page 238
Format show clock detail Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) # show clock detail 15:05:24 (UTC+0:00) Nov 1 2011 No time source Time zone: Acronym not configured Offset is UTC+0:00...
Page 239
Summertime: Acronym is INDA Recurring every year Begins on second Sunday of Nov at 03:18 Ends on second Monday of Nov at 03:18 Offset is 120 minutes Summer-time is in effect. Time Zone Commands...
DNS Client Commands These commands are used in the Domain Name System (DNS), an Internet directory service. DNS is how domain names are translated into IP addresses. When enabled, the DNS client provides a hostname lookup service to other components of FASTPATH. ip domain lookup Use this command to enable the DNS client.
Page 241
no ip domain name Use this command to remove the default domain name configured using the domain name command. Format no ip domain name Mode Global Config ip domain list Use this command to define a list of default domain names to complete unqualified names.
Page 242
Format no ip name-server [server-address1...server-address8] Mode Global Config ip host Use this command to define static host name-to-address mapping in the host cache. The name parameter is host name and ip address is the IP address of the host. The hostname can include 1–255 alphanumeric characters, periods, hyphens, underscores, and non-consecutive spaces.
Page 243
no ipv6 host Use this command to remove the static host name-to-IPv6 address mapping in the host cache. Format no ipv6 host name Mode Global Config ip domain retry Use this command to specify the number of times to retry sending Domain Name System (DNS) queries.
Page 244
Mode Global Config clear host Use this command to delete entries from the host name-to-address cache. This command clears the entries from the DNS cache maintained by the software. This command clears both IPv4 and IPv6 entries. Format clear host {name | all} Mode Privileged EXEC Field...
Page 245
Field Description Number of Retries Number of times to retry sending Domain Name System (DNS) queries. Retry Timeout Period Amount of time to wait for a response to a DNS query. Name Servers Configured name servers. DNS Client Source Interface Shows the configured source interface (source IP address) used for a DNS client.
IP Address Conflict Commands The commands in this section help troubleshoot IP address conflicts. ip address-conflict-detect run This command triggers the switch to run active address conflict detection by sending gratuitous ARP packets for IPv4 addresses on the switch. Format ip address-conflict-detect run ◆...
Serviceability Packet Tracing Commands These commands improve the capability of network engineers to diagnose conditions affecting their FASTPATH product. CAUTION The output of “debug” commands can be long and may adversely affect system performance. capture start Use the command capture start to manually start capturing CPU packets for packet trace.
Page 248
capture file|remote|line Use this command to configure file capture options. The command is persistent across a reboot cycle. Format capture {file|remote|line} Mode Global Config Parameter Description file In the capture file mode, the captured packets are stored in a file on NVRAM. The maximum file size defaults to 524288 bytes.
Page 249
Parameter Description remote In the remote capture mode, the captured packets are redirected in real time to an external PC running the Wireshark tool for Microsoft Windows. A packet capture server runs on the switch side and sends the captured packets via a TCP connection to the Wireshark tool.
Page 250
capture remote port Use this command to configure file capture options. The command is persistent across a reboot cycle. The parameter is a TCP port number from 1024–49151. Format capture remote port id Mode Global Config capture file size Use this command to configure file capture options.
Page 251
Capturing packets is stopped automatically when 128 packets are captured and have not yet been displayed during a capture session. Captured packets are not retained after a reload cycle. Format show capture packets Mode Privileged EXEC debug aaa accounting This command is useful to debug accounting configuration and functionality in User Manager.
Page 252
The following is an example of the command. (Switching) #debug aaa authorization Tacacs authorization receive packet tracing enabled. (Switching) #debug tacacs authorization packet transmit authorization tracing enabled. (Switching) #no debug aaa authorization AAA authorization tracing enabled (Switching) # debug This command displays either the debug trace for either a single event or all authentication events for an interface Default...
Page 253
Format debug console Mode Privileged EXEC no debug console This command disables the display of “debug” trace output on the login session in which it is executed. Format no debug console Mode Privileged EXEC debug crashlog Use this command to view information contained in the crash log file that the system maintains when it experiences an unexpected reset.
Page 254
Parameter Description crashlog-number Specifies the file number to view. The system maintains up to four copies, and the valid range is 1–4. upload url To upload the crash log (or crash dump) to a TFTP server, use the upload keyword and specify the required TFTP server information.
Page 255
debug dhcp packet This command displays “debug” information about DHCPv4 client activities and traces DHCPv4 packets to and from the local DHCPv4 client. Default disabled Format debug dhcp packet [transmit | receive] Mode Privileged EXEC no debug dhcp This command disables the display of “debug” trace output for DHCPv4 client activity.
Page 256
Mode Privileged EXEC no debug igmpsnooping packet This command disables tracing of IGMP Snooping packets. Format no debug igmpsnooping packet Mode Privileged EXEC debug igmpsnooping packet transmit This command enables tracing of IGMP Snooping packets transmitted by the switch. Snooping should be enabled on the device and the interface in order to monitor packets for a particular interface.
Page 257
Parameter Definition Dest_IP The destination multicast IP address in the packet. Type The type of IGMP packet. Type can be one of the following: ◆ Membership Query – IGMP Membership Query ◆ V1_Membership_Report – IGMP Version 1 Membership Report ◆ V2_Membership_Report –...
Page 258
Src_IP: 11.1.1.1 Dest_IP: 225.0.0.5 Type: Membership_Query Group: 225.0.0.5 The following parameters are displayed in the trace message: Parameter Definition A packet received by the device. Intf The interface that the packet went out on. Format used is unit/slot/port (internal interface number). Unit is always shown as 1 for interfaces.
Page 259
debug ipv6 dhcp This command displays “debug” information about DHCPv6 client activities and traces DHCPv6 packets to and from the local DHCPv6 client. Default disabled Format debug ipv6 dhcp Mode Privileged EXEC no debug ipv6 dhcp This command disables the display of “debug” trace output for DHCPv6 client activity.
Page 260
debug mldsnooping packet Use this command to trace MLD snooping packet reception and transmission. receive traces only received MLD snooping packets and transmit traces only transmitted MLD snooping packets. When neither keyword is used in the command, then all MLD snooping packet traces are dumped. Vital information such as source address, destination address, control packet type, packet length, and the interface on which the packet is received or transmitted is displayed on the console.
Page 261
Parameter Definition TX/RX TX refers to a packet transmitted by the device. RX refers to packets received by the device. Intf The interface that the packet came in or went out on. Format used is unit/slot/port (internal interface number). Unit is always shown as 1. SRC_IP The source IP address in the IP header in the packet.
Page 262
debug spanning-tree bpdu This command enables tracing of spanning tree BPDUs received and transmitted by the switch. Default disabled Format debug spanning-tree bpdu Mode Privileged EXEC no debug spanning-tree bpdu This command disables tracing of spanning tree BPDUs. Format no debug spanning-tree bpdu Mode...
Page 263
Parameter Definition Source_Mac Source MAC address of the packet. Version Spanning tree protocol version (0-3). 0 refers to STP, 2 RSTP and 3 MSTP. Root_Mac MAC address of the CIST root bridge. Root_Priority Priority of the CIST root bridge. The value is between 0 and 61440.
Page 264
Parameter Definition A packet transmitted by the device. Intf The interface that the packet went out on. Format used is unit/port/slot (internal interface number). Unit is always shown as 1 for interfaces on a non-stacking device. Source_Mac Source MAC address of the packet. Version Spanning tree protocol version (0-3).
Page 265
Parameter Description packet transmit Turn on TACACS+ transmit packet debugs. accounting Turn on TACACS+ authentication debugging. authentication Turn on TACACS+ authorization debugging. debug transfer This command enables debugging for file transfers. Format debug transfer Mode Privileged EXEC no debug transfer This command disables debugging for file transfers.
Page 266
Mode Privileged EXEC exception protocol Use this command to specify the protocol used to store the core dump file. Default None Format exception protocol {nfs | tftp | ftp | local | usb | none} Mode Global Config no exception protocol Use this command to reset the exception protocol configuration to its factory default value.
Page 267
exception dump nfs Use this command to configure an NFS mount point in order to dump core file to the NFS file system. Default None Format exception dump nfs ip-address/dir Mode Global Config no exception dump Use this command to reset the exception dump NFS mount point configuration to its factory default value.
Page 268
hostname is selected: file-name-prefix_hostname_Time_Stamp.bin hostname is not selected: file-name-prefix_MAC_Address_Time_Stamp.bin If hostname is configured the core file name takes the hostname, otherwise the core-file name uses the MAC address when generating a core dump file. The prefix length is 15 characters. Default Core Format...
Page 269
Default None Format exception dump ftp-server ip-address [{username user-name password password}] Mode Global Config no exception dump ftp-server This command resets exception dump remote FTP server configuration to its factory default value. This command also resets the FTP username and password to empty string.
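An added example (not from the NetApp reference): a Python check that reads configuration lines written in the command formats documented above for `logging host`, `logging syslog`, `logging cli-command`, `exception protocol`, `exception dump ftp-server` and `capture remote`, and reports settings that weaken logging or send core dumps and captures over cleartext channels. The sample configuration is constructed, the way a saved configuration renders these lines is an assumption, and the severity cutoff `MIN_FORWARD_LEVEL` is an example policy rather than a NetApp recommendation.

```python
# Standard syslog severity names, indexed by the numeric level (0-7) that the
# `logging host` command takes as its last argument.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "info", "debug"]

# Example policy (assumption): a collector should receive warning (4) and
# everything more severe. A lower number forwards fewer messages.
MIN_FORWARD_LEVEL = 4

# Constructed sample input, written in the command formats of this reference.
# Addresses are documentation ranges; the password is a placeholder.
SAMPLE_CONFIG = """\
logging host 192.0.2.88 ipv4 214 6
logging host 2001:db8::150 ipv6 214 2
no logging cli-command
exception protocol ftp
exception dump ftp-server 192.0.2.10 username dumpuser password Example-Pass1
capture remote
capture remote port 2002
"""


def parse_logging_host(tokens):
    """Parse a split `logging host <addr> [type] [port] [severity]` line."""
    args = tokens[2:]
    host = {"address": args[0], "type": None, "port": None, "severity": None}
    if len(args) > 1:
        host["type"] = args[1]
    if len(args) > 2 and args[2].isdigit():
        host["port"] = int(args[2])
    if len(args) > 3:
        sev = args[3]
        if sev.isdigit() and 0 <= int(sev) <= 7:
            host["severity"] = int(sev)
        elif sev in SEVERITY:
            host["severity"] = SEVERITY.index(sev)
    return host


def audit(config_text):
    """Return (hosts, findings); each finding is (code, line_number, detail)."""
    hosts, findings = [], []
    syslog_enabled = False
    for n, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split()
        if not tok:
            continue
        if tok == ["logging", "syslog"]:
            syslog_enabled = True
        elif (tok[:2] == ["logging", "host"] and len(tok) > 2
              and tok[2] not in ("remove", "reconfigure")):
            host = parse_logging_host(tok)
            hosts.append(host)
            sev = host["severity"]
            if sev is not None and sev < MIN_FORWARD_LEVEL:
                findings.append(("host-severity-narrow", n,
                                 f"{host['address']} only receives "
                                 f"{SEVERITY[sev]} and more severe"))
        elif tok == ["no", "logging", "cli-command"]:
            findings.append(("cli-command-log-off", n,
                             "CLI command history is not being recorded"))
        elif tok[:2] == ["exception", "protocol"] and tok[2:] in (["tftp"], ["ftp"]):
            findings.append(("coredump-cleartext", n,
                             f"core dumps leave the switch over {tok[2]}"))
        elif tok[:3] == ["exception", "dump", "ftp-server"] and "password" in tok[3:]:
            # Report the presence of the credential, never its value.
            findings.append(("ftp-credential-in-config", n,
                             "FTP password stored with the dump settings"))
        elif tok == ["capture", "remote"]:
            findings.append(("remote-capture-mode", n,
                             "CPU packets are streamed over TCP to a remote viewer"))
    if hosts and not syslog_enabled:
        # Line 0 marks a finding about the configuration as a whole.
        findings.append(("syslog-disabled", 0,
                         "logging hosts are defined but `logging syslog` is absent"))
    return hosts, findings


if __name__ == "__main__":
    for code, line_no, detail in audit(SAMPLE_CONFIG)[1]:
        print(f"line {line_no}: {code}: {detail}")
```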
Page 270
Use this command to display the configuration parameters for generating a core dump file. Default None Format show exception Mode Privileged EXEC The following shows an example of this command. (CN1610) #show exception Coredump file name......core Coredump filename uses hostname....False Coredump filename uses time-stamp....TRUE
Page 271
TFTP server IP......... FTP server IP........FTP user name........FTP password........File path......../. Protocol........none Switch-chip-register......False Compression mode....... TRUE show exception log This command displays core dump traces on the local file system. Default None Format show exception log [previous] Mode Privileged EXEC, Config Mode logging persistent...
Page 272
Mode Global Config Field Description Rising Threshold The percentage of the memory buffer resources that, when exceeded for the configured rising interval, triggers a notification. The range is 1 to 100. The default is 0 (disabled). Falling Threshold The percentage of memory buffer resources that, when usage falls below this level for the configured interval, triggers a notification.
Page 273
show mbuf total Use this command to display memory buffer (MBUF) information. Format show mbuf total Mode Privileged EXEC Field Description Mbufs Total Total number of message buffers in the system. Mbufs Free Number of message buffers currently available. Mbufs Rx Used Number of message buffers currently in use.
Page 274
Field Description Total Rx High Alloc Failures Number of message buffer allocation failures for RX High class of message buffer. Total Tx Alloc Failures Number of message buffer allocation failures for TX class of message buffer. show msg-queue Use this command to display the message queues. Default None Format...
Support Mode Commands Support mode is hidden and available when the command techsupport enable is executed. techsupport mode is disabled by default. Configurations related to support mode are shown in the show tech-support command. They can be persisted by using the command in support mode.
Page 276
Mode Support snapshot multicast Use this command in Support mode to dump a set of IP multicast debug information to capture the current state of multicast on the switch. The output is written to the console and can be extensive. Format snapshot multicast Mode...
BCM Shell Command The BCM (SDK) shell is mainly used for debugging the Broadcom SDK. BCM shell commands can be executed directly from the CLI without entering the BCM shell itself by using the drivshell keyword before the BCM command. However, you can also enter the BCM shell to directly execute any of the BCM commands on the shell using the command.
sFlow Commands sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. sflow receiver Use this command to configure the sFlow collector parameters (owner string, receiver timeout, max datagram size, IP address, and port).
Page 279
Parameter Description Receiver Max Datagram Size The maximum number of data bytes that can be sent in a single sample datagram. The management entity should set this value to avoid fragmentation of the sFlow datagrams. The allowed range is 200 to 9116. The default is 1400.
Page 280
Field Description Receiver Owner The owner name corresponds to the receiver name. The identity string for the receiver, the entity making use of this sFlowRcvrTable entry. The range is 127 characters. The default is a null string. The empty string indicates that the entry is currently unclaimed and the receiver configuration is reset to the default values.
Page 281
Field Description Receiver Owner The owner name corresponds to the receiver name. The identity string for the receiver, the entity making use of this sFlowRcvrTable entry. The range is 127 characters. The default is a null string. The empty string indicates that the entry is currently unclaimed and the receiver configuration is reset to the default values.
Page 282
Field Description Maxheadersize The maximum number of bytes that should be copied from the sampler packet. The range is 20- 256. The default is 128. When set to zero (0), all the sampler parameters are set to their corresponding default value. Sampling Rate The statistical sampling rate for packet sampling from this source.
Page 283
MIB Version: 1.3, the version of this MIB. ◆ Organization: Broadcom Corp. ◆ Revision: 1.0 IP Address The IP address associated with this agent. The following shows example CLI display output for the command. (CN1610) #show sflow agent sFlow Commands...
Page 284
sFlow Version........1.3;Broadcom Corp;1.0 IP Address........10.131.12.66 show sflow pollers Use this command to display the sFlow polling instances created on the switch. Use “-” for range. Format show sflow pollers Mode Privileged EXEC Field Description Poller Data Source The sFlowDataSource (slot/port) for this sFlow sampler.
Page 285
The sFlow protocol version to be used while sending samples to sFlow receiver. The following shows example CLI display output for the show sflow receivers command. (CN1610) #show sflow receivers 1 Receiver Index......... 1 Owner String........tulasi Time out........0 IP Address:........
Page 286
6343 0.0.0.0 1400 6343 0.0.0.0 1400 6343 0.0.0.0 1400 6343 0.0.0.0 (CN1610) #show sflow receivers 1 Receiver Index......... 1 Owner String........tulasi Time out........No Timeout <= No Timeout string is added IP Address:........0.0.0.0 Address Type........1 Port........... 6343 Datagram Version.......
Remote Monitoring Commands Remote Monitoring (RMON) is a method of collecting a variety of data about network traffic. RMON supports 64-bit counters (RFC 3273) and High Capacity Alarm Table (RFC 3434). Note There is no configuration command for ether stats and high capacity ether stats. The data source for ether stats and high capacity ether stats are configured during initialization.
Page 288
The owner string associated with the alarm entry. The default is monitorAlarm. The following shows an example of the command. (CN1610) (Config)# rmon alarm 1 ifInErrors.2 30 absolute rising-threshold 100 1 falling-threshold 10 2 startup rising owner myOwner no rmon alarm This command deletes the RMON alarm entry.
Page 289
rmon hcalarm This command sets the RMON hcalarm entry in the High Capacity RMON alarm MIB group. Format rmon hcalarm alarm number variable sample interval {absolute|delta} rising-threshold high value low value status {positive|negative} [rising-event-index] falling-threshold high value low value status {positive|negative} [falling-event-index] [startup {rising|falling|rising-falling}] [owner string] Mode...
Page 290
Parameter Description High Capacity Alarm Absolute Alarm Status This object indicates the validity and sign of the data for the high capacity alarm absolute value object (hcAlarmAbsValueobject). Possible status types are valueNotAvailable, valuePositive, or valueNegative. The default is valueNotAvailable. High Capacity Alarm High capacity alarm startup alarm that may be sent.
Page 291
This object is read-only. The default is volatile. The following shows an example of the command. (CN1610) (Config)# rmon hcalarm 1 ifInOctets.1 30 absolute rising-threshold high 1 low 100 status positive 1 falling-threshold high 1 low 10 status positive startup rising owner myOwner no rmon hcalarm This command deletes the rmon hcalarm entry.
Page 292
The SNMP community specified by this octet string which is used to send an SNMP trap. The default is public. The following shows an example of the command. (CN1610) (Config)# rmon event 1 log description test no rmon event This command deletes the rmon event entry. Format...
Page 293
History Control Owner The owner string associated with the history control entry. The default is monitorHistoryControl. The following shows an example of the command. (CN1610) (Interface 1/0/1)# rmon collection history 1 buckets 10 interval 30 owner myOwner Remote Monitoring Commands...
Page 294
Mode Config Interface The following shows an example of the command. (CN1610) (Interface 1/0/1-1/0/10)# no rmon collection history 1 show rmon This command displays the entries in the RMON alarm table. Format show rmon {alarms | alarm alarm-index}...
Page 295
The following shows example CLI display output for the command. (CN1610) #show rmon alarms Index Owner ---------------------------------------------- alarmInterval.1 MibBrowser alarmInterval.1 MibBrowser The following shows example CLI display output for the command. (CN1610) #show rmon alarm 1 Alarm 1 ---------- OID: alarmInterval.1
Page 296
Last Sample Value: 1 Interval: 1 Sample Type: absolute Startup Alarm: rising-falling Rising Threshold: 1 Falling Threshold: 1 Rising Event: 1 Falling Event: 2 Owner: MibBrowser show rmon collection history This command displays the entries in the RMON history control table. Format show rmon collection history [interfaces slot/port] Mode...
Page 298
(CN1610) #show rmon collection history interfaces 1/0/1 Index Interface Interval Requested Granted Owner Samples Samples ------------------------------------------------------------------ ---- 1/0/1 myowner 1/0/1 1800 monitorHistoryControl show rmon events This command displays the entries in the RMON event table. Format show rmon events Mode...
Page 299
The following shows example CLI display output for the command. (CN1610) # show rmon events Index Description Type Community Owner Last time sent ------------------------------------------------------------------ ------------- test public 0 days 0 h:0 m:0 s show rmon history This command displays the specified entry in the RMON history table.
Page 300
Parameter Description Maximum Table Size Maximum number of entries that the history table can hold. Time Time at which the sample is collected, displayed as period seconds. CRC Align Number of CRC align errors. Undersize Packets Total number of undersize packets. Packets are less than 64 octets long (excluding framing bits, including FCS octets).
Page 301
The following shows example CLI display output for the command. (CN1610) #show rmon history 1 errors Sample set: 1 Owner: myowner Interface: 1/0/1 Interval: 30 Requested Samples: 10 Granted Samples: 10 Maximum table size: 1758 Time CRC Align Undersize Oversize...
Page 302
A comment describing the event entry for which the log is generated. Time Time at which the event is generated. The following shows example CLI display output for the command. (CN1610) #show rmon log Event Description Time ------------------------------------------------ Chapter 4: Utility Commands...
Page 303
The following shows example CLI display output for the command. (CN1610) #show rmon log 1 Maximum table size: 10 Event Description Time ------------------------------------------------ show rmon This command displays the RMON statistics for the given interfaces. statistics interfaces Format show rmon statistics interfaces slot/port...
Page 304
Parameter Description Oversize Pkts Total number of oversize packets. Packets are longer than 1518 octets (excluding framing bits, including FCS octets). Fragments Total number of fragment packets. Packets are not an integral number of octets in length or had a bad Frame Check Sequence (FCS), and are less than 64 octets in length (excluding framing bits, including FCS octets).
Page 305
Total number of HC overflow packets which are 1024 - 1518 Octets between 1024 and 1518 octets in length. The following shows example CLI display output for the command. (CN1610) # show rmon statistics interfaces 1/0/1 Port: 1/0/1 Dropped: 0 Octets: 0...
Page 306
show rmon This command displays the entries in the RMON high-capacity alarm table. hcalarms Format show rmon {hcalarms|hcalarm alarm index} Mode Privileged EXEC Parameter Description High Capacity Alarm An arbitrary integer index value used to uniquely Index identify the high capacity alarm entry. The range is 1 to 65535.
Page 307
Parameter Description High Capacity Alarm The lower 32 bits of the absolute value for threshold Rising-Threshold for the sampled statistic. The range is 0 to Absolute Value Low 4294967295. The default is 1. High Capacity Alarm The upper 32 bits of the absolute value for threshold Rising-Threshold for the sampled statistic.
Page 308
The following shows example CLI display output for the command. (CN1610) #show rmon hcalarms Index Owner ---------------------------------------------- alarmInterval.1 MibBrowser alarmInterval.1 MibBrowser (CN1610) #show rmon hcalarm 1 Alarm 1 ---------- OID: alarmInterval.1 Last Sample Value: 1 Interval: 1 Sample Type: absolute Startup Alarm: rising-falling Rising Threshold High: 0...
Switching Commands This chapter describes the switching commands available in the FASTPATH CLI. The Switching Commands chapter includes the following sections: ◆ “Port Configuration Commands” on page 309 ◆ “Spanning Tree Protocol Commands” on page 318 ◆ “VLAN Commands” on page 351 ◆...
Page 311
◆ “LLDP (802.1AB) Commands” on page 546 ◆ “LLDP-MED Commands” on page 557 ◆ “Denial of Service Commands” on page 566 ◆ “MAC Database Commands” on page 579 ◆ “ISDP Commands” on page 583 Note The commands in this chapter are in one of three functional groups: ◆...
{slot/port | slot/port(startrange)- slot/port(endrange)} Mode Global Config The following example enters Interface Config mode for port 1/0/1: (CN1610) #configure (CN1610) (config)#interface 1/0/1 (CN1610) (interface 1/0/1)# The following example enters Interface Config mode for ports 1/0/1 through 1/0/4: (CN1610) #configure (CN1610) (config)#interface 1/0/1-1/0/4...
Page 313
Format no auto-negotiate Mode Interface Config auto-negotiate all This command enables automatic negotiation on all ports. Default enabled Format auto-negotiate all Mode Global Config no auto-negotiate This command disables automatic negotiation on all ports. Format no auto-negotiate all Mode Global Config description Use this command to create an alpha-numeric description of an interface or range of interfaces.
Page 314
Note To receive and process packets, the Ethernet MTU must include any extra bytes that Layer-2 headers might require. To configure the IP MTU size, which is the maximum size of the IP packet (IP Header + IP payload). Default 1518 (untagged) Format mtu 1518-12288...
Page 315
Note You can use the shutdown all command on physical and port-channel (LAG) interfaces, but not on VLAN routing interfaces. Default enabled Format shutdown all Mode Global Config no shutdown all This command enables all ports. Format no shutdown all Mode Global Config speed...
Page 316
show port This command displays port information. Format show port {intf-range | all} Mode Privileged EXEC Parameter Definition Interface slot/port Type If not blank, this field indicates that this port is a special type of port. The possible values are: ◆...
Page 317
The following command shows an example of the command output for all ports. (CN1610) #show port all Admin Physical Physical Link Link LACP Actor Intf Type Mode Mode Status Status Trap Mode Timeout --------- ------ --------- ---------- ---------- ------ ------- ---...
Page 318
--------- ------ --------- ---------- ---------- ------ ------- --- --- -------- Enable Auto 100 Full Enable Enable long Enable Auto 100 Full Enable Enable long Enable Auto Down Enable Enable long Enable Auto 100 Full Enable Enable long Enable Auto 100 Full Enable Enable long Enable...
Page 319
If this command is executed without the optional slot/port parameter, then it displays the Auto-negotiation state and operational Local link advertisement for all the ports. Operational link advertisement will display speed only if it is supported by both local as well as link partner. If auto-negotiation is disabled, then operational local link advertisement is not displayed.
Page 320
Format show port description slot/port Mode Privileged EXEC Term Definition Interface slot/port ifIndex The interface index number associated with the port. Description The alpha-numeric description of the interface created by the command “description” on page 310. MAC address The MAC address of the port. The format is 6 two- digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB.
Spanning Tree Protocol Commands This section describes the commands you use to configure Spanning Tree Protocol (STP). STP helps prevent network loops, duplicate messages, and network instability. Note STP is enabled on the switch and on all ports and LAGs by default. Note If STP is disabled, the system does not forward BPDU messages.
Page 322
no spanning-tree auto-edge This command resets the auto-edge status of the port to the default value. Format no spanning-tree auto-edge Mode Interface Config spanning-tree backbonefast Use this command to enable the detection of indirect link failures and accelerate spanning tree convergence on PVSTP configured switches. Backbonefast accelerates finding an alternate path when an indirect link to the root port goes down.
Page 323
A bridge that receives a RLQ request and does not have connectivity to the root (switch bridge ID is different from the root bridge ID in the query) or is the root bridge immediately answers the query with its root bridge ID. RLQ responses are flooded on designated ports.
Page 324
spanning-tree Use this command to enable BPDU Filter on all the edge port interfaces. bpdufilter default Default disabled Format spanning-tree bpdufilter default Mode Global Config no spanning-tree Use this command to disable BPDU Filter on all the edge port interfaces. bpdufilter default Default disabled...
Page 325
Mode Global Config no spanning-tree Use this command to disable BPDU Guard on the switch. bpduguard Default disabled Format no spanning-tree bpduguard Mode Global Config spanning-tree Use this command to force a transmission of rapid spanning tree (RSTP) and bpdumigrationchec multiple spanning tree (MSTP) BPDUs.
Page 326
spanning-tree This command sets the Configuration Identifier Revision Level for use in configuration identifying the configuration that this switch is currently using. The revision Configuration Identifier Revision Level is a number in the range of 0 to 65535. Default Format spanning-tree configuration revision 0-65535 Mode Global Config...
Page 327
spanning-tree This command specifies that an interface (or range of interfaces) is an Edge Port edgeport within the common and internal spanning tree. This allows this port to transition to Forwarding State without delay. Format spanning-tree edgeport Mode Interface Config no spanning-tree This command specifies that this port is not an Edge Port within the common and edgeport...
Page 328
spanning-tree forward-time This command sets the Bridge Forward Delay parameter to a new value for the common and internal spanning tree. The forward-time value is in seconds within a range of 4 to 30, with the value being greater than or equal to “(Bridge Max Age / 2) + 1”.
Page 329
spanning-tree max-age This command sets the Bridge Max Age parameter to a new value for the common and internal spanning tree. The max-age value is in seconds within a range of 6 to 40, with the value being less than or equal to 2 x (Bridge Forward Delay - 1).
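The forward-time and max-age descriptions above state the same bound from two sides, so changing both timers can fail if the commands are entered in the wrong order. The following sketch is an added example, not part of the NetApp manual; it assumes the switch checks each command against the value currently configured for the other timer, and the function names are hypothetical.

```python
"""Order STP timer changes so each intermediate state satisfies the documented bound."""

FWD_RANGE = (4, 30)   # forward-time range in seconds, per the command description
AGE_RANGE = (6, 40)   # max-age range in seconds, per the command description


def timers_consistent(forward_time, max_age):
    """Return True when both timers are in range and max-age <= 2 x (forward-time - 1).

    For whole seconds this is the same inequality as
    forward-time >= (max-age / 2) + 1, so one test covers both commands.
    """
    in_range = (FWD_RANGE[0] <= forward_time <= FWD_RANGE[1]
                and AGE_RANGE[0] <= max_age <= AGE_RANGE[1])
    return in_range and max_age <= 2 * (forward_time - 1)


def plan_timer_change(current, target):
    """Return the commands, in a safe order, that move (forward_time, max_age)
    from `current` to `target`.

    Assumption: the switch validates each command against the value currently
    configured for the other timer, so a valid target can still be rejected
    when the two commands are entered in the wrong order.
    """
    cur_fwd, cur_age = current
    tgt_fwd, tgt_age = target
    if not timers_consistent(cur_fwd, cur_age):
        raise ValueError(f"current timers are inconsistent: {current}")
    if not timers_consistent(tgt_fwd, tgt_age):
        raise ValueError(f"target timers are inconsistent: {target}")

    fwd_step = ("forward-time", tgt_fwd)
    age_step = ("max-age", tgt_age)
    # Raising forward-time loosens the bound on max-age, so do it first.
    # Lowering forward-time tightens the bound, so shrink max-age first.
    order = [fwd_step, age_step] if tgt_fwd >= cur_fwd else [age_step, fwd_step]

    state = {"forward-time": cur_fwd, "max-age": cur_age}
    commands = []
    for name, value in order:
        if state[name] == value:
            continue  # this timer already has the target value
        state[name] = value
        # Every intermediate state must pass the same check the target passed.
        if not timers_consistent(state["forward-time"], state["max-age"]):
            raise RuntimeError(f"unsafe intermediate state: {state}")
        commands.append(f"spanning-tree {name} {value}")
    return commands


if __name__ == "__main__":
    # Constructed values: from 15/20 down to the shortest timers the ranges allow.
    for cmd in plan_timer_change((15, 20), (4, 6)):
        print(cmd)
```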
Page 330
When PVSTP or rapid PVSTP (PVRSTP) is enabled, MSTP/RSTP/STP is operationally disabled. To reenable MSTP/RSTP/STP, disable PVSTP/PVRSTP. By default, FASTPATH has MSTP enabled. In PVSTP or PVRSTP mode, BPDUs contain per-VLAN information instead of the common spanning-tree information (MST/RSTP). PVSTP maintains independent spanning tree information about each configured VLAN.
Page 331
tree instance, the configurations are done for that multiple spanning tree instance. If you specify 0 (defined as the default CIST ID) as the mstid, the configurations are done for the common and internal spanning tree instance. If you specify the cost option, the command sets the path cost for this port within a multiple spanning tree instance or the common and internal spanning tree instance, depending on the parameter.
Page 332
spanning-tree mst instance This command adds a multiple spanning tree instance to the switch. The mstid parameter is a number within a range of 1 to 4094 that corresponds to the new instance ID to be added. The maximum number of multiple instances supported by the switch is 4.
Page 333
no spanning-tree mst priority This command sets the bridge priority for a specific multiple spanning tree instance to the default value. The mstid parameter is a number that corresponds to the desired existing multiple spanning tree instance. If 0 (defined as the default CIST ID) is passed as the mstid, this command sets the Bridge Priority parameter for the common and internal spanning tree to the...
Page 334
Default enabled Format spanning-tree port mode Mode Interface Config no spanning-tree This command sets the Administrative Switch Port State for this port to disabled, port mode disabling the port for use by spanning tree. Format no spanning-tree port mode Mode Interface Config spanning-tree port This command sets the Administrative Switch Port State for all ports to enabled.
Page 335
Default enabled Format spanning-tree port-priority 0-240 Mode Interface Config spanning-tree Use this command to enable TCN guard on the interface. When enabled, TCN tcnguard Guard restricts the interface from propagating any topology change information received through that interface. Default Enabled Format spanning-tree tcnguard Mode...
Page 336
spanning-tree Use this command to configure the rate at which gratuitous frames are sent (in uplinkfast packets per second) after switchover to an alternate port on PVSTP configured switches and enables uplinkfast on PVSTP switches. The range is 0-32000; the default is 150.
Page 337
◆ Mode Privileged EXEC ◆ User EXEC Term Definition Bridge Priority Specifies the bridge priority for the Common and Internal Spanning tree (CST). The value lies between 0 and 61440. It is displayed in multiples of 4096. Bridge Identifier The bridge identifier for the CST. It is made up using the bridge priority and the base MAC address of the bridge.
Page 338
Associated VLANs List of VLAN IDs currently associated with this instance. The following shows example CLI display output for the command. (CN1610) #show spanning-tree Bridge Priority........ 32768 Bridge Identifier......80:00:00:10:18:48:FC:07 Time Since Topology Change..... 8 day 3 hr 22 min 37 sec Topology Change Count......
Page 339
RLQ response PDUs The number of RLQ response PDUs sent on all sent (all VLANs) VLANs. The following shows example output from the command. (CN1610)#show spanning-tree backbonefast Backbonefast Statistics ----------------------- Transitions via Backbonefast (all VLANs) Inferior BPDUs received (all VLANs)
Page 340
Configured value. Bridge Hold Time Minimum time between transmission of Configuration Bridge Protocol Data Units (BPDUs). The following shows example CLI display output for the command. (CN1610) #show spanning-tree brief Bridge Priority........ 32768 Bridge Identifier......80:00:00:10:18:48:FC:07 Bridge Max Age......... 20 Bridge Max Hops........
Page 341
show spanning-tree This command displays the settings and parameters for a specific switch port interface within the common and internal spanning tree. The slot/port is the desired switch port. Instead of slot/port, lag lag-intf-num can be used as an alternate way to specify the LAG interface.
Page 342
RSTP BPDUs Transmitted......0 RSTP BPDUs Received......0 MSTP BPDUs Transmitted......0 MSTP BPDUs Received......0 (CN1610) > The following shows example CLI display output for the command. (CN1610) >show spanning-tree interface lag 1 Hello Time........Not Configured Chapter 5: Switching Commands...
Page 343
Description mstid A multiple spanning tree instance identifier. The value is 0–4094. The following shows example CLI display output for the command. (CN1610) >show spanning-tree mst detailed 0 MST Instance ID........ 0 MST Bridge Priority......32768 MST Bridge Identifier......80:00:00:10:18:48:FC:07 Time Since Topology Change.....
Page 344
Root Port Identifier......00:00 Associated FIDs Associated VLANs --------------- ---------------- (CN1610) > show spanning-tree mst port detailed This command displays the detailed settings and parameters for a specific switch port within a particular multiple spanning tree instance. The mstid parameter is a number that corresponds to the desired existing multiple spanning tree instance.
Page 345
Term Definition Port Role Each enabled MST Bridge Port receives a Port Role for each spanning tree. The port role is one of the following values: Root Port, Designated Port, Alternate Port, Backup Port, Master Port or Disabled Port Auto-Calculate Port Indicates whether auto calculation for port path cost Path Cost is enabled.
Page 346
Term Definition Port Identifier The port identifier for this port within the CST. Port Priority The priority of the port within the CST. Port Forwarding State The forwarding state of the port within the CST. Port Role The role of the specified interface within the CST. Auto-Calculate Port Indicates whether auto calculation for port path cost Path Cost...
Page 347
State The following shows example CLI display output for the command in slot/port format. (CN1610) >show spanning-tree mst port detailed 0 0/1 Port Identifier........ 80:01 Port Priority........128 Port Forwarding State......Disabled Port Role........Disabled Auto-calculate Port Path Cost....
Page 348
Transitions Out Of Loop Inconsistent State..0 The following shows example CLI display output for the command using a LAG interface number. (CN1610) >show spanning-tree mst port detailed 0 lag 1 Port Identifier........ 60:42 Port Priority........96 Port Forwarding State......Disabled Port Role........
Page 349
This field is blank if the loop guard feature is not available. The following shows example CLI display output for the command in slot/port format. (CN1610) >show spanning-tree mst port summary 0 0/1 MST Instance ID........ CST Spanning Tree Protocol Commands...
Page 350
--------- -------- ------- ----------------- ---------- ---------- Enabled Disabled Disabled The following shows example CLI display output for the command using a LAG interface number. (CN1610) >show spanning-tree mst port summary 0 lag 1 MST Instance ID........ CST Port Interface Mode Type...
Page 351
Indicates whether the port is in loop inconsistent state or not. This field is blank if the loop guard feature is not available. The following shows example CLI display output for the command. (CN1610) >show spanning-tree mst port summary 0 active Port Interface Mode...
Page 352
MST Instances List of all multiple spanning tree instances configured on the switch. The following shows example CLI display output for the command. (CN1610) >show spanning-tree summary Spanning Tree Adminmode... Enabled Spanning Tree Version..... IEEE 802.1s BPDU Guard Mode....Disabled BPDU Filter Mode....
Page 353
The number of proxy multicast addresses addresses transmitted transmitted on all VLANs. (all VLANs) The following shows example output from the command. (CN1610) #show spanning-tree uplinkfast Uplinkfast is enabled. BPDU update rate : 150 packets/sec Uplinkfast Statistics --------------------- Uplinkfast transitions (all VLANs)....0 Proxy multicast addresses transmitted (all VLANs)..
VLAN Commands This section describes the commands you use to configure VLAN settings. vlan database This command gives you access to the VLAN Config mode, which allows you to configure VLAN characteristics. Format vlan database Mode Privileged EXEC network mgmt_vlan This command configures the Management VLAN ID.
Page 355
no vlan This command deletes an existing VLAN. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). The VLAN range is 2-4093. Format no vlan 2-4093 Mode VLAN Config vlan acceptframe This command sets the frame acceptance mode on an interface or range of interfaces.
Page 356
no vlan ingressfilter This command disables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
Page 357
Format vlan participation {exclude | include | auto} 1-4093 Mode Interface Config Participation options are: Options Definition include The interface is always a member of this VLAN. This is equivalent to registration fixed. exclude The interface is never a member of this VLAN. This is equivalent to registration forbidden.
Page 358
Participation Options Definition auto The interface is dynamically registered in this VLAN by GVRP. The interface will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal. vlan port This command sets the frame acceptance mode for all interfaces. acceptframe all Default Format...
Page 359
Format no vlan port acceptframe all Mode Global Config vlan port ingressfilter all This command enables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
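With ingress filtering disabled, a port admits frames tagged for VLANs it is not a member of, so it is worth checking which ports end up in that state once a configuration has been applied. The following audit is an added example, not part of the NetApp manual: the sample configuration is constructed, its layout (interface blocks closed by exit) is an assumption, and the default state is a parameter because this excerpt does not show it.

```python
"""Report ports left with ingress filtering disabled after a config is applied."""


def expand_interfaces(spec):
    """Expand '1/0/3' or a range such as '1/0/1-1/0/4' into port names."""
    if "-" not in spec:
        return [spec]
    start, end = (part.split("/") for part in spec.split("-", 1))
    if start[:-1] != end[:-1] or int(start[-1]) > int(end[-1]):
        raise ValueError(f"unsupported interface range: {spec}")
    prefix = "/".join(start[:-1])
    return [f"{prefix}/{n}" for n in range(int(start[-1]), int(end[-1]) + 1)]


def audit_ingress_filter(config_text, default_enabled=False):
    """Apply the ingress-filter commands in order and return the final state.

    default_enabled is an assumption supplied by the caller: the excerpt does
    not show the default, and False is the choice that reports more ports.
    Only ports named in an interface line are tracked individually.
    """
    global_enabled = default_enabled
    ports = {}        # port name -> True when ingress filtering is enabled
    selected = None   # ports of the current Interface Config block, None in Global Config
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("interface "):
            selected = expand_interfaces(line.split(" ", 1)[1])
            for port in selected:
                ports.setdefault(port, global_enabled)
        elif line == "exit":
            selected = None
        elif line in ("vlan port ingressfilter all", "no vlan port ingressfilter all"):
            if selected is None:  # Global Config command: applies to every port
                global_enabled = not line.startswith("no ")
                ports = {port: global_enabled for port in ports}
        elif line in ("vlan ingressfilter", "no vlan ingressfilter"):
            if selected is not None:  # Interface Config command: selected ports only
                for port in selected:
                    ports[port] = not line.startswith("no ")
    disabled = sorted((p for p, on in ports.items() if not on),
                      key=lambda p: [int(x) for x in p.split("/")])
    return {"global_enabled": global_enabled, "disabled_ports": disabled}


# Constructed sample configuration, not taken from a real switch.
SAMPLE_CONFIG = """
configure
vlan port ingressfilter all
interface 1/0/1-1/0/4
description cluster-ports
exit
interface 1/0/3
no vlan ingressfilter
exit
interface 0/1
no vlan ingressfilter
vlan ingressfilter
exit
exit
"""

if __name__ == "__main__":
    print(audit_ingress_filter(SAMPLE_CONFIG))
```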
Page 360
Mode Global Config vlan port tagging all This command configures the tagging behavior for all interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.
Page 361
no vlan protocol This command removes the name from the group identified by groupid group name Format no vlan protocol group name groupid Mode Global Config vlan protocol group This command adds the to the protocol-based VLAN identified by protocol add protocol .
Page 362
Mode VLAN Config no protocol group This command removes the from this protocol-based VLAN group that vlanid is identified by this groupid Format no protocol group groupid vlanid Mode VLAN Config protocol vlan group This command adds a physical interface or a range of interfaces to the protocol- based VLAN identified by .
Page 363
Default none Format protocol vlan group all groupid Mode Global Config no protocol vlan This command removes all interfaces from this protocol-based VLAN group that group all is identified by this groupid Format no protocol vlan group all groupid Mode Global Config show port protocol This command displays the Protocol-Based VLAN information for either the...
Page 364
Default Format vlan pvid 1-4093 Mode Interface Config Interface Range Config no vlan pvid This command sets the VLAN ID on an interface or range of interfaces to 1. Format no vlan pvid Mode Interface Config vlan tagging This command configures the tagging behavior for a specific interface or range of interfaces in a VLAN to enabled.
Page 365
no vlan association This command removes association of a specific IP-subnet to a VLAN. subnet Format no vlan association subnet ipaddr netmask Mode VLAN Config vlan association This command associates a MAC address to a VLAN. Format vlan association mac macaddr vlanid Mode VLAN database no vlan association...
Page 366
Term Definition Primary Primary VLAN identifier. The range of the VLAN ID is 1 to 4093. Secondary Secondary VLAN identifier. Type Secondary VLAN type (community, isolated, or primary). Ports Ports which are associated with a private VLAN. VLAN ID The VLAN identifier (VID) associated with each VLAN.
Page 367
Term Definition Current The degree of participation of this port in this VLAN. The permissible values are: ◆ Include - This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard. ◆...
Page 368
Format show vlan brief ◆ Mode Privileged EXEC ◆ User EXEC Term Definition VLAN ID There is a VLAN Identifier (vlanid) associated with each VLAN. The range of the VLAN ID is 1 to 4093. VLAN Name A string associated with this VLAN as a convenience.
Page 369
Term Definition Port VLAN ID The current VLAN ID that this port assigns to Current untagged frames or priority tagged frames received on this port. The factory default is 1. Acceptable Frame The types of frames that may be received on this Types port.
Page 370
Term Definition Static configuration The static configuration for the port, including the VLAN, name, and egress rule. Forbidden VLANs The forbidden VLAN configuration for the port, including the VLAN and name. show vlan This command displays the VLAN associated with a specific configured IP- association subnet Address and net mask.
Page 371
Term Definition Mac Address A MAC address for which the switch has forwarding and or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as 8 bytes.
Double VLAN Commands This section describes the commands you use to configure double VLAN (DVLAN). Double VLAN tagging is a way to pass VLAN traffic from one customer domain to another through a Metro Core in a simple and cost effective manner.
Page 373
mode dot1q-tunnel This command is used to enable Double VLAN Tunneling on the specified interface. Default disabled Format mode dot1q-tunnel Mode Interface Config no mode dot1q- This command is used to disable Double VLAN Tunneling on the specified tunnel interface. By default, Double VLAN Tunneling is disabled. Format no mode dot1q-tunnel Mode...
Page 374
show dot1q-tunnel Use this command without the optional parameters to display all interfaces enabled for Double VLAN Tunneling. Use the optional parameters to display detailed information about Double VLAN Tunneling for the specified interface or all interfaces. Format show dot1q-tunnel [interface {slot/port | all}] ◆...
Page 375
The following shows examples of the CLI display output for the commands. (CN1610) #show dvlan-tunnel Primary TPID........0x8100 Secondary TPIDs Configured..... Interfaces Enabled for DVLAN Tunneling..None (CN1610)#show dvlan-tunnel interface 0/1 Interface Mode EtherType --------- ------- ------------ Disable 0x88a8 Double VLAN Commands...
Private VLAN Commands This section describes the commands you use for private VLANs. Private VLANs provide Layer 2 isolation between ports that share the same broadcast domain. In other words, they allow a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains. The ports participating in a private VLAN can be located anywhere in the Layer 2 network.
Page 377
no switchport This command removes the private-VLAN association or mapping from the port. private-vlan Format no switchport private-vlan {host-association|mapping} Mode Interface Config switchport mode This command configures a port as a promiscuous or host private VLAN port. private-vlan Note that the properties of each mode can be configured even when the switch is not in that mode.
Page 378
Format private-vlan {association [add|remove] secondary-vlan- list|community|isolated|primary} Mode VLAN Config Parameter Description association Associates the primary and secondary VLAN. secondary-vlan-list A list of secondary VLANs to be mapped to a primary VLAN. community Designates a VLAN as a community VLAN. isolated Designates a VLAN as the isolated VLAN.
Switch Ports This section describes the commands used for switch port mode. switchport mode Use this command to configure the mode of a switch port as access, trunk or general. In Trunk mode, the port becomes a member of all VLANs on switch unless specified in the allowed list in the command.
Page 380
switchport trunk Use this command to configure the list of allowed VLANs that can receive and allowed vlan send traffic on this interface in tagged format when in trunking mode. The default is all. The VLANs list can be modified using the add or remove options or replaced with another list using the vlan-list, all, or except options.
Page 381
Parameter Description vlan-list Either a single VLAN number from 1 to 4093 or a continuous range of VLANs described by two VLAN numbers, the lesser one first, separated by a hyphen. no switchport trunk This command resets the list of allowed VLANs on the trunk port to its default allowed vlan value.
Voice VLAN Commands This section describes the commands you use for Voice VLAN. Voice VLAN enables switch ports to carry voice traffic with defined priority so as to enable separation of voice and data traffic coming onto the port. The benefit of using Voice VLAN is that the sound quality of an IP phone is safeguarded from deteriorating when the data traffic on the port is high.
Page 386
You can configure Voice VLAN in one of four different ways: Parameter Description vlan-id Configure the IP phone to forward all voice traffic through the specified VLAN. Valid VLAN ID’s are from 1 to 4093 (the max supported by the platform). dot1p Configure the IP phone to use 802.1p priority tagging for voice traffic and to use the default native...
Page 387
When the parameter is not specified, only the global mode of the interface Voice VLAN is displayed. Term Definition Administrative Mode The Global Voice VLAN mode. When the is specified: interface Term Definition Voice VLAN Mode The admin mode of the Voice VLAN on the interface.
Provisioning (IEEE 802.1p) Commands This section describes the commands you use to configure provisioning (IEEE 802.1p), which allows you to prioritize ports. vlan port priority all This command configures the port priority assigned for untagged packets for all ports presently plugged into the device. The range for the priority is 0-7. Any subsequent per port configuration will override this configuration setting.
Asymmetric Flow Control When in asymmetric flow control mode, the switch responds to PAUSE frames received from a peer by stopping packet transmission, but the switch does not initiate MAC control PAUSE frames. When you configure the switch in asymmetric flow control (or no flow control mode), the device is placed in egress drop mode.
Page 390
Flow Control RxPause TxPause Oper ------ ------------ -------- --------- Active Inactive The following shows example CLI display output for the command. (CN1610)#show flowcontrol interface 0/1 Admin Flow Control: Symmetric Port Flow Control RxPause TxPause Oper --------- ------- -------- ------- Active...
Protected Ports Commands This section describes commands you use to configure and view protected ports on a switch. Protected ports do not forward traffic to each other, even if they are on the same VLAN. However, protected ports can forward traffic to all unprotected ports in their group.
Page 392
switchport Use this command to add an interface to a protected port group. The groupid protected (Interface parameter identifies the set of protected ports to which this interface is assigned. Config) You can only configure an interface as protected in one group. Note Port protection occurs within a single switch.
Page 393
Term Definition List of Physical Ports List of ports, which are configured as protected for the group identified with . If no port is groupid configured as protected for this group, this field is blank. show interfaces This command displays the status of the interface (protected/unprotected) under switchport the groupid.
GARP Commands This section describes the commands you use to configure Generic Attribute Registration Protocol (GARP) and view GARP status. The commands in this section affect both GARP VLAN Registration Protocol (GVRP) and GARP Multicast Registration Protocol (GMRP). GARP is a protocol that allows client stations to register with the switch for membership in VLANs (by using GVRP) or multicast groups (by using GMRP).
Page 395
maintain uninterrupted service. The leave time is 20 to 600 (centiseconds). The value 60 centiseconds is 0.6 seconds. The leave time must be greater than or equal to three times the join time. Default Format set garp timer leave 20-600 ◆...
Page 396
no set garp timer leaveall This command sets how frequently Leave All PDUs are generated to the default and only has an effect when GVRP is enabled. Format no set garp timer leaveall ◆ Mode Interface Config ◆ Global Config show garp This command displays GARP information.
GVRP Commands This section describes the commands you use to configure and view GARP VLAN Registration Protocol (GVRP) information. GVRP-enabled switches exchange VLAN configuration information, which allows GVRP to provide dynamic VLAN creation on trunk ports and automatic VLAN pruning. Note If GVRP is disabled, the system does not forward GVRP messages.
Page 398
no set gvrp This command disables GVRP on a single port (Interface Config mode) or all interfacemode ports (Global Config mode). If GVRP is disabled, Join Time, Leave Time and Leave All Time have no effect. Format no set gvrp interfacemode ◆...
Page 399
Term Definition Leave Timer The period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service.
GMRP Commands This section describes the commands you use to configure and view GARP Multicast Registration Protocol (GMRP) information. Like IGMP snooping, GMRP helps control the flooding of multicast packets. GMRP-enabled switches dynamically register and de-register group membership information with the MAC networking devices attached to the same segment.
Page 401
Default disabled Format set gmrp interfacemode ◆ Mode Interface Config ◆ Global Config no set gmrp This command disables GARP Multicast Registration Protocol on a single interfacemode interface or all interfaces. If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port-channel (LAG), GARP functionality is disabled.
Page 402
Term Definition Join Timer The interval between the transmission of GARP PDUs registering (or reregistering) membership for an attribute. Current attributes are a VLAN or multicast group. There is an instance of this timer on a per-port, per-GARP participant basis. Permissible values are 10 to 100 centiseconds (0.1 to 1.0 seconds).
Page 403
show mac-address-table gmrp This command displays the GMRP entries in the Multicast Forwarding Database (MFDB) table. Format show mac-address-table gmrp Mode Privileged EXEC Term Definition VLAN ID The VLAN in which the MAC Address is learned. MAC Address A unicast MAC address for which the switch has forwarding and/or filtering information.
The following is an example of the command. Broadcom FASTPATH Routing) # (CN1610) #configure (CN1610) (Config)#aaa authentication dot1x default ias none (CN1610) (Config)#aaa authentication dot1x default ias local radius none clear dot1x This command resets the 802.1X statistics for the specified port or for all ports.
Page 405
clear dot1x authentication-history This command clears the authentication history table captured during successful and unsuccessful authentication on all interfaces or the specified interface. Format clear dot1x authentication-history [slot/port] Mode Privileged EXEC clear radius statistics This command is used to clear all RADIUS statistics. Format clear radius statistics...
Page 406
no dot1x dynamic-vlan enable Use this command to prevent the switch from creating VLANs when a RADIUS-assigned VLAN does not exist in the switch. Format no dot1x dynamic-vlan enable Mode Global Config dot1x guest-vlan This command configures VLAN as guest vlan on an interface or a range of interfaces.
Page 407
dot1x max-req This command sets the maximum number of times the authenticator state machine on an interface or range of interfaces will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant. The count value must be in the range 1 - 10. Default Format dot1x max-req count...
Page 408
dot1x port-control This command sets the authentication mode to use on the specified interface or range of interfaces. Use the force-unauthorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Use the force-authorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to authorized.
Page 409
no dot1x port-control all This command sets the authentication mode on all ports to the default value. Format no dot1x port-control all Mode Global Config dot1x mac-auth-bypass If the 802.1X mode on the interface is mac-based, you can optionally use this command to enable MAC Authentication Bypass (MAB) on an interface.
Page 410
Format dot1x re-authentication Mode Interface Config no dot1x re-authentication This command disables reauthentication of the supplicant for the specified port. Format no dot1x re-authentication Mode Interface Config dot1x system-auth-control Use this command to enable the dot1x authentication support on the switch. While disabled, the dot1x configuration is retained and can be changed, but is not activated.
Page 411
Mode Global Config no dot1x system-auth-control monitor This command disables the 802.1X Monitor mode on the switch. Format no dot1x system-auth-control monitor Mode Global Config dot1x timeout This command sets the value, in seconds, of the timer used by the authenticator state machine on an interface or range of interfaces.
Page 412
Tokens Definition tx-period The value, in seconds, of the timer used by the authenticator state machine on this port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The quiet-period must be a value in the range 1 - 65535. supp-timeout The value, in seconds, of the timer used by the authenticator state machine on this port to timeout...
Page 413
Mode Interface Config dot1x unauthenticated-vlan Use this command to configure the unauthenticated VLAN associated with the specified interface or range of interfaces. The unauthenticated VLAN ID can be a valid VLAN ID from 0-Maximum supported VLAN ID (4093 for FASTPATH). The unauthenticated VLAN must be statically configured in the VLAN database to be operational.
Page 414
authentication enable This command globally enables the Authentication Manager. Interface configuration takes effect only if the Authentication Manager is enabled with this command. Default disabled Format authentication enable Mode Global Config no authentication enable This command disables the Authentication Manager. Format no authentication enable Mode...
Page 415
authentication priority This command sets the priority for the authentication methods used on a port. The available authentication methods are Dot1x, MAB, and captive portal. The authentication priority decides if a previously authenticated client is reauthenticated with a higher-priority method when the same is received. Captive portal is always the last method in the list.
Page 416
show authentication authentication-history Use this command to display information about the authentication history for a specified interface. Format show authentication authentication-history slot/port Mode Privileged EXEC Term Definition Time Stamp The time of the authentication. Interface The interface. MAC-Address The MAC address for the interface. Auth Status Method The authentication method and status for the interface.
Page 417
If the authentication was successful. Auth Status The current authentication status. The following example displays the authentication interface information for all interfaces. (CN1610) #show authentication interface all Interface........1/0/1 Authentication Restart timer....300 Configured method order......dot1x mab captive- portal Enabled method order......
Configured method priority..... undefined undefined undefined Enabled method priority......undefined undefined undefined Number of authenticated clients....0 Interface........1/0/3 Authentication Restart timer....300 Configured method order......dot1x mab captive- portal Enabled method order......dot1x mab undefined Configured method priority..... undefined undefined undefined Enabled method priority......
Page 419
Term Definition Method 3 The third method in the specified authentication login list, if any. The following example displays the authentication configuration. (CN1610) #show authentication methods Login Authentication Method Lists --------------------------------- defaultList local networkList local Enable Authentication Method Lists ----------------------------------...
Page 420
Captive-portal failed attempts The number of failed captive portal authentication attempts for the port. (CN1610) #show authentication statistics 1/0/1 Port........... 1/0/1 802.1X attempts........ 0 802.1X failed attempts......0 Mab attempts........0 Mab failed attempts......0 Captive-portal attempts......
Page 421
show dot1x This command is used to show a summary of the global dot1x configuration, summary information of the dot1x configuration for a specified port or all ports, the detailed dot1x configuration for a specified port and the dot1x statistics for a specified port - depending on the tokens used.
Page 422
Term Definition Operating Control Mode The control mode under which this port is operating. Possible values are authorized | unauthorized. Reauthentication Enabled Indicates whether reauthentication is enabled on this port. Port Status Indicates whether the port is authorized or unauthorized. Possible values are authorized | unauthorized.
Page 423
Term Definition Authenticator PAE State Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized. When MAC-based authentication is enabled on the port, this parameter is deprecated. Backend Authentication State Current state of the backend authentication state machine.
Page 424
Term Definition Supplicant Timeout The timer used by the authenticator state machine on this port to timeout the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535. Server Timeout The timer used by the authenticator on this port to timeout the authentication server.
Page 425
This value is valid for the port only when the port control mode is not MAC-based. The following shows example CLI display output for the command. (CN1610) #show dot1x detail 1/0/3 Port-Based Network Access Control Commands...
Page 426
Port........... 1/0/1 Protocol Version....... 1 PAE Capabilities....... Authenticator Control Mode........auto Authenticator PAE State......Initialize Backend Authentication State....Initialize Quiet Period (secs)......60 Transmit Period (secs)......30 Guest VLAN ID........0 Guest VLAN Period (secs)....... 90 Supplicant Timeout (secs)...... 30 Server Timeout (secs)......
Page 427
Term Definition VLAN-Assigned The VLAN assigned to the client by the radius server. Logical Port The logical port number associated with the client. If you use the optional parameter statistics slot/port, the following dot1x statistics for the specified port appear. Term Definition Port...
Page 428
Term Definition EAP Request Frames Transmitted The number of EAP request frames (other than request/identity frames) that have been transmitted by this authenticator. Invalid EAPOL Frames Received The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
Page 429
show dot1x clients This command displays 802.1X client information. This command also displays information about the number of clients that are authenticated using Monitor mode and using 802.1X. Format show dot1x clients {slot/port | all} Mode Privileged EXEC Term Definition Clients Authenticated Indicates the number of the Dot1x clients using Monitor Mode...
Page 430
Term Definition Session Timeout This value indicates the time for which the given session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port-control mode is not MAC-based.
802.1X Supplicant Commands FASTPATH supports 802.1X (“dot1x”) supplicant functionality on point-to-point ports. The administrator can configure the user name and password used in authentication and capabilities of the supplicant port. dot1x pae This command sets the port’s dot1x role. The port can serve as either a supplicant or an authenticator.
Page 432
no dot1x supplicant port-control This command sets the port-control mode to the default, auto. Default auto Format no dot1x supplicant port-control Mode Interface Config dot1x supplicant max-start This command configures the number of attempts that the supplicant makes to find the authenticator before the supplicant assumes that there is no authenticator. Default Format dot1x supplicant max-start <1-10>...
Page 433
dot1x supplicant timeout held-period This command configures the held period timer interval to wait for the next authentication on previous authentication fail. Default 60 seconds Format dot1x supplicant timeout held-period <1-65535 seconds> Mode Interface Config no dot1x supplicant timeout held-period This command sets the held-period value to the default value. Format no dot1x supplicant timeout held-period...
Page 434
show dot1x statistics This command displays the dot1x port statistics in detail. Format show dot1x statistics slot/port Mode ◆ Privileged EXEC ◆ User EXEC Term Definition EAPOL Frames Received Displays the number of valid EAPOL frames received on the port. EAPOL Frames Transmitted Displays the number of EAPOL frames transmitted...
Page 435
The following shows example CLI display output for the command. (CN1610) #show dot1x statistics 0/1 Port........... 0/1 EAPOL Frames Received......0 EAPOL Frames Transmitted....... 0 EAPOL Start Frames Transmitted....3 EAPOL Logoff Frames Received....0 EAP Resp/Id frames transmitted....0 EAP Response frames transmitted....
Storm-Control Commands This section describes commands you use to configure storm-control and view storm-control configuration information. A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The Storm-Control feature protects against this condition.
Page 437
broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold. Default disabled Format storm-control broadcast Mode ◆ Global Config ◆ Interface Config no storm-control broadcast Use this command to disable broadcast storm recovery mode for all interfaces...
Page 438
Format no storm-control broadcast level Mode ◆ Global Config ◆ Interface Config storm-control broadcast rate Use this command to configure the broadcast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped.
Page 439
Format storm-control multicast Mode ◆ Global Config ◆ Interface Config no storm-control multicast This command disables multicast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). Format no storm-control multicast Mode ◆ Global Config ◆...
Page 440
storm-control multicast rate Use this command to configure the multicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped.
Page 441
no storm-control unicast This command disables unicast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). Format no storm-control unicast Mode ◆ Global Config ◆ Interface Config storm-control unicast level This command configures the unicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) as a percentage of link speed, and enables unicast storm recovery.
Page 442
active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of unicast traffic is limited to the configured threshold. Default Format storm-control unicast rate 0-14880000 ◆...
Page 443
Multicast Storm Control Mode....Disable Multicast Storm Control Level....5 percent Unicast Storm Control Mode..... Disable Unicast Storm Control Level....5 percent The following shows example CLI display output for the command. (CN1610) #show storm-control 0/1 Bcast Bcast Mcast Mcast...
Link Local Protocol Filtering Commands Link Local Protocol Filtering (LLPF) allows the switch to filter out multiple proprietary protocol PDUs, such as Port Aggregation Protocol (PAgP), if problems occur with proprietary protocols running on standards-based switches. If certain protocol PDUs cause unexpected results, LLPF can be enabled to prevent those protocol PDUs from being processed by the switch.
Page 446
Term Definition Block DTP Shows whether the port blocks DTP PDUs. Block UDLD Shows whether the port blocks UDLD PDUs. Block PAGP Shows whether the port blocks PAgP PDUs. Block SSTP Shows whether the port blocks SSTP PDUs. Block All Shows whether the port blocks all proprietary PDUs available for the LLDP feature.
Port-Channel/LAG (802.3ad) Commands This section describes the commands you use to configure port-channels, which are defined in the 802.3ad specification and are also known as link aggregation groups (LAGs). Link aggregation allows you to combine multiple full-duplex Ethernet links into a single logical link. Network devices treat the aggregation as if it were a single link, which increases fault tolerance and provides load sharing.
Page 448
addport This command adds one port to the port-channel (LAG). The first interface is a logical slot/port number of a configured port-channel. You can add a range of ports by specifying the port range when you enter Interface Config mode (for example: Instead of slot/port, can be...
Page 449
lacp admin key Use this command to configure the administrative value of the key for the port-channel. The value range of is 0 to 65535. This command can be used to configure a single interface or a range of interfaces. Default 0x8000 Format...
Page 450
lacp actor admin key Use this command to configure the administrative value of the LACP actor admin key on an interface or range of interfaces. The valid range for key is 0-65535. Default Internal Interface Number of this Physical Port Format lacp actor admin key key Mode Interface Config Note...
Page 451
Mode Interface Config Note This command is applicable only to physical interfaces. no lacp actor admin state longtimeout Use this command to set the LACP actor admin state to short timeout. Format no lacp actor admin state longtimeout Mode Interface Config Note This command is applicable only to physical interfaces.
Page 452
Default 0x07 Format lacp actor admin state {individual|longtimeout|passive} Mode Interface Config Note This command is applicable only to physical interfaces. no lacp actor admin state Use this command to configure the default administrative values of actor state as transmitted by the Actor in LACPDUs. Note Both the and the...
Page 453
no lacp actor port priority Use this command to configure the default priority value assigned to the Aggregation Port. Format no lacp actor port priority Mode Interface Config lacp partner admin Use this command to configure the administrative value of the Key for the protocol partner.
Page 454
no lacp partner admin state individual Use this command to set the LACP partner admin state to aggregation. Format no lacp partner admin state individual Mode Interface Config lacp partner admin state longtimeout Use this command to set LACP partner admin state to longtimeout. Format lacp partner admin state longtimeout...
Page 455
no lacp partner admin state passive Use this command to set the LACP partner admin state to active. Format no lacp partner admin state passive Mode Interface Config lacp partner port id Use this command to configure the LACP partner port id. This command can be used to configure a single interface or a range of interfaces.
Page 456
no lacp partner port priority Use this command to configure the default LACP partner port priority. Format no lacp partner port priority Mode Interface Config lacp partner system-id Use this command to configure the 6-octet MAC Address value representing the administrative value of the Aggregation Port’s protocol Partner’s System ID.
Page 457
Note This command is applicable only to physical interfaces. no lacp partner system priority Use this command to configure the default administrative value of priority associated with the Partner’s System ID. Format no lacp partner system priority Mode Interface Config interface lag Use this command to enter Interface configuration mode for the specified LAG.
Page 458
port lacpmode This command enables Link Aggregation Control Protocol (LACP) on a port or range of ports. Default enabled Format port lacpmode Mode Interface Config no port lacpmode This command disables Link Aggregation Control Protocol (LACP) on a port. Format no port lacpmode Mode Interface Config...
Page 459
no port lacptimeout This command sets the timeout back to its default value on a physical interface of a particular device type (actor or partner). Format no port lacptimeout {actor | partner} Mode Interface Config Note Both the no portlacptimeout and the no lacp actor admin state commands...
Page 460
Mode Global Config no port-channel adminmode This command disables all configured port-channels with the same administrative mode setting. Format no port-channel adminmode all Mode Global Config port-channel linktrap This command enables link trap notifications for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel. The option sets every configured port-channel with the same administrative mode setting.
Page 461
This command can be configured for a single interface, a range of interfaces, or all interfaces. Instead of slot/port, lag lag-intf-num can be used as an alternate way to specify the LAG interface. lag lag-intf-num can also be used to specify the LAG interface where lag-intf-num is the LAG port number.
Page 462
Mode Interface Config Global Config Term Definition slot/port| all Global Config Mode only: The interface is a logical slot/port number of a configured port-channel. All applies the command to all currently configured port-channels. port-channel min-links This command configures the port-channel’s minimum links for lag interfaces. Default Format...
Page 463
no port-channel system priority Use this command to configure the default port-channel system priority value. Format no port-channel system priority Mode Global Config show lacp actor Use this command to display LACP actor attributes. Instead of slot/port, lag lag-intf-num can be used as an alternate way to specify the LAG interface. lag lag-intf-num can also be used to specify the LAG interface where lag-intf-num...
Page 464
Parameter Description System-ID Represents the administrative value of the Aggregation Port’s protocol Partner’s System ID. Admin Key The administrative value of the Key for the protocol Partner. Port Priority The administrative value of the Key for protocol Partner. Port-ID The administrative value of the port number for the protocol Partner.
Page 465
show port-channel This command displays an overview of all port-channels (LAGs) on the switch. Instead of slot/port, lag lag-intf-num can be used as an alternate way to specify the LAG interface. lag lag-intf-num can also be used to specify the LAG interface where lag-intf-num is the LAG port number.
Page 466
Active Ports This field lists ports that are actively participating in the port-channel (LAG). The following shows example CLI display output for the command. (CN1610) #show port-channel 0/3/1 Local Interface........ 0/3/1 Channel Name........ch1 Link State........Up Admin Mode........Enabled Type...........
Page 467
The number of times a port member is inactive, either because the link is down, or the admin state is disabled. The following shows example CLI display output for the command. (CN1610) #show port-channel 3/1 counters Local Interface........ 3/1 Channel Name........ch1 Link State........Down Admin Mode........
Page 468
clear port-channel counters Use this command to clear and reset specified port-channel and member flap counters for the specified interface. Format clear port-channel {lag-intf-num | slot/port} counters Mode Privileged EXEC clear port-channel all counters Use this command to clear and reset all port-channel and member flap counters for the specified interface.
Port Mirroring Commands Port mirroring, which is also known as port monitoring, selects network traffic that you can analyze with a network analyzer, such as a SwitchProbe device or other Remote Monitoring (RMON) probe. monitor session This command configures a probe port and a monitored port for monitor session (port monitoring).
Page 471
no monitor This command removes all the source ports and a destination port for the and restores the default value for mirroring session mode for all the configured sessions. Note This is a stand-alone “no” command. This command does not have a “normal” form.
Page 472
This command displays the configured RSPAN VLAN. span Format show vlan remote-span Mode Privileged EXEC Mode The following shows example output for the command. (CN1610)# show vlan remote-span Remote SPAN VLAN ------------------------------------------------------------------ ------ Chapter 5: Switching Commands...
Static MAC Filtering Commands The commands in this section describe how to configure static MAC filtering. Static MAC filtering allows you to configure destination ports for a static multicast MAC filter irrespective of the platform. macfilter This command adds a static MAC filter entry for the MAC address macaddr the VLAN .
Page 475
parameter must identify a valid VLAN. vlanid Format no macfilter macaddr vlanid Mode Global Config macfilter adddest Use this command to add the interface or range of interfaces to the destination filter set for the MAC filter with the given and VLAN of .
Page 476
Mode Global Config no macfilter adddest all This command removes all ports from the destination filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN.
Page 477
Mode Global Config no macfilter addsrc This command removes all interfaces to the source filter set for the MAC filter with the MAC address of macaddr and VLAN of vlanid. You must specify the macaddr parameter as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6.
Page 478
show mac-address-table staticfiltering This command displays the Static Filtering entries in the Multicast Forwarding Database (MFDB) table. Format show mac-address-table staticfiltering Mode Privileged EXEC Term Definition VLAN ID The VLAN in which the MAC Address is learned. MAC Address A unicast MAC address for which the switch has forwarding and/or filtering information.
DHCP L2 Relay Agent Commands You can enable the switch to operate as a DHCP Layer 2 relay agent to relay DHCP requests from clients to a Layer 3 relay agent or server. The Circuit ID and Remote ID can be added to DHCP requests relayed from clients to a DHCP server.
Page 480
Mode Interface Config no dhcp l2relay circuit-id subscription This command resets the Option-82 Circuit ID for a given service subscription identified by subscription-string on a given interface. The subscription-string is a character string which needs to be matched with a configured DOT1AD subscription string for correct operation.
Page 481
dhcp l2relay remote-id subscription This command sets the Option-82 Remote-ID string for a given service subscription identified by subscription-string on a given interface or range of interfaces. The subscription-string is a character string which needs to be matched with a configured DOT1AD subscription string for correct operation. is a character string.
Page 482
Parameter Description vlan–list The VLAN ID. The range is 1–4093. Separate nonconsecutive IDs with a comma (,) no spaces and no zeros in between the range. Use a dash (–) for the range. no dhcp l2relay remote-id vlan This parameter clears the DHCP Option-82 Remote ID for a VLAN and subscribed service (based on subscription-name).
Page 483
Format dhcp l2relay vlan vlan-list Mode Global Config Parameter Description vlan–list The VLAN ID. The range is 1–4093. Separate nonconsecutive IDs with a comma (,) no spaces and no zeros in between the range. Use a dash (–) for the range.
Page 484
Enabled Disabled --NULL-- Enabled Disabled --NULL-- Enabled Disabled --NULL-- show dhcp l2relay circuit-id vlan This command displays DHCP circuit-id vlan configuration. Format show dhcp l2relay circuit-id vlan vlan-list Mode Privileged EXEC Parameter Description vlan-list Enter VLAN IDs in the range 1–4093. Use a dash (–) to specify a range or a comma (,) to separate VLAN IDs in a list.
Page 485
Parameter Description vlan-list Enter VLAN IDs in the range 1–4093. Use a dash (–) to specify a range or a comma (,) to separate VLAN IDs in a list. Spaces and zeros are not permitted. show dhcp l2relay stats interface This command displays statistics specific to DHCP L2 Relay configured interface.
Page 486
Format show dhcp l2relay agent-option vlan vlan-range Mode Privileged EXEC The following shows example CLI display output for the command. (Broadcom FASTPATH Switching) #show dhcp l2relay agent-option vlan 5-10 DHCP L2 Relay is Enabled. VLAN Id L2 Relay CircuitId RemoteId --------- ---------- ----------- ------------ Enabled...
DHCP Client Commands FASTPATH can include vendor and configuration information in DHCP client requests relayed to a DHCP server. This information is included in DHCP Option 60, Vendor Class Identifier. The information is a string of 128 octets. dhcp client vendor-id-option This command enables the inclusion of DHCP Option-60, Vendor Class Identifier included in the requests transmitted to the DHCP server by the DHCP...
Page 489
show dhcp client vendor-id-option This command displays the configured administration mode of the vendor-id-option and the vendor-id string to be included in Option-43 in DHCP requests. Format show dhcp client vendor-id-option Mode Privileged EXEC The following shows example CLI display output for the command. (Broadcom FASTPATH Switching) #show dhcp client vendor-id-option DHCP Client Vendor Identifier Option is Enabled DHCP Client Vendor Identifier Option string is FastpathClient.
DHCP Snooping Configuration Commands This section describes commands you use to configure DHCP Snooping. ip dhcp snooping Use this command to enable DHCP Snooping globally. Default disabled Format ip dhcp snooping Mode Global Config no ip dhcp snooping Use this command to disable DHCP Snooping globally. Format no ip dhcp snooping...
Page 491
Default enabled Format ip dhcp snooping verify mac-address Mode Global Config no ip dhcp snooping verify mac-address Use this command to disable verification of the source MAC address with the client hardware address. Format no ip dhcp snooping verify mac-address Mode Global Config ip dhcp snooping...
Page 492
Mode Global Config ip dhcp snooping binding Use this command to configure static DHCP Snooping binding. Format ip dhcp snooping binding mac-address vlan vlan id ip address interface interface id Mode Global Config no ip dhcp snooping binding Use this command to remove the DHCP static entry from the DHCP Snooping database.
Page 493
Default disabled (no limit) Format ip dhcp snooping limit {rate pps [burst interval seconds]} Mode Interface Config no ip dhcp snooping limit Use this command to set the rate at which the DHCP Snooping messages come, and the burst level, to the defaults. Format no ip dhcp snooping limit Mode...
Page 494
Mode Interface Config no ip dhcp snooping trust Use this command to configure the port as untrusted. Format no ip dhcp snooping trust Mode Interface Config ip verify source Use this command to configure the IPSG source ID attribute to filter the data traffic in the hardware.
Page 495
If it is enabled, DHCP snooping application logs invalid packets on the specified interface. The following shows example CLI display output for the command. (CN1610) #show ip dhcp snooping DHCP snooping is Disabled DHCP snooping source MAC verification is enabled...
Page 496
Lease (sec) The remaining lease time for the entry. The following shows example CLI display output for the command. (CN1610) #show ip dhcp snooping binding Total number of bindings: 2 MAC Address IP Address VLAN Interface Type Lease time...
Page 497
Interface   Trust State  Rate Limit  Burst Interval
                         (pps)       (seconds)
----------- ----------   ----------  --------------
1/g1        No           15          1
1/g2        No           15          1
1/g3        No           15          1
(CN1610) #show ip dhcp snooping interfaces ethernet 1/g15
Interface   Trust State  Rate Limit  Burst Interval
                         (pps)       (seconds)
----------- ----------   ----------  --------------
1/g15       Yes          15          1
show ip dhcp snooping statistics Use this command to list statistics for DHCP Snooping security violations on untrusted ports.
Page 498
DHCP Server Msgs Rec’d Represents the number of DHCP server messages received on Untrusted ports. The following shows example CLI display output for the command. (CN1610) #show ip dhcp snooping statistics Interface MAC Verify Client Ifc DHCP Server Failures...
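The counters reported by show ip dhcp snooping statistics each correspond to one check applied to DHCP messages that arrive on untrusted ports. The Python model below is an added example, not code from the FASTPATH software; it runs constructed frames through those checks and through binding learning on a trusted port. The meanings given to MAC Verify Failures and Client Ifc Mismatch, the message-type names, the port names and every class and function name are assumptions, because the page truncates those definitions.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}     # only a DHCP server should send these
GIVE_UP_MSGS = {"RELEASE", "DECLINE"}     # client hands an address back


@dataclass
class DhcpFrame:
    port: str         # ingress interface
    src_mac: str      # Ethernet source MAC
    chaddr: str       # client hardware address inside the DHCP payload
    msg_type: str
    vlan: int = 10
    yiaddr: str = ""  # address handed out by the server (OFFER/ACK)


@dataclass
class Snooper:
    trusted_ports: set
    verify_mac: bool = True                       # ip dhcp snooping verify mac-address
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, vlan, port)
    pending: dict = field(default_factory=dict)   # chaddr -> port that asked
    stats: dict = field(default_factory=dict)     # (port, counter) -> count

    def _drop(self, port, counter):
        self.stats[(port, counter)] = self.stats.get((port, counter), 0) + 1
        return "drop"

    def process(self, f):
        if f.port in self.trusted_ports:
            # Server replies are accepted only here; an ACK completes a binding
            # for the untrusted port that sent the request.
            if f.msg_type == "ACK" and f.chaddr in self.pending:
                self.bindings[f.chaddr] = (f.yiaddr, f.vlan, self.pending.pop(f.chaddr))
            return "forward"
        if f.msg_type in SERVER_MSGS:
            return self._drop(f.port, "DHCP Server Msgs Rec'd")
        if self.verify_mac and f.src_mac.lower() != f.chaddr.lower():
            return self._drop(f.port, "MAC Verify Failures")
        if f.msg_type in GIVE_UP_MSGS:
            bound = self.bindings.get(f.chaddr)
            if bound and bound[2] != f.port:
                # Release for a lease that was learned on a different port.
                return self._drop(f.port, "Client Ifc Mismatch")
            self.bindings.pop(f.chaddr, None)
            return "forward"
        self.pending[f.chaddr] = f.port           # DISCOVER / REQUEST
        return "forward"


# Constructed sample traffic: 0/1 is the trusted uplink, 0/5 and 0/9 are access ports.
CLIENT = "00:02:b3:06:60:80"
OTHER = "00:02:b3:aa:bb:cc"
SERVER = "00:02:b3:00:00:01"
FRAMES = [
    DhcpFrame("0/5", CLIENT, CLIENT, "DISCOVER"),
    DhcpFrame("0/9", OTHER, OTHER, "OFFER", yiaddr="10.0.0.66"),  # server reply on access port
    DhcpFrame("0/1", SERVER, CLIENT, "OFFER", yiaddr="210.1.1.3"),
    DhcpFrame("0/5", CLIENT, CLIENT, "REQUEST"),
    DhcpFrame("0/1", SERVER, CLIENT, "ACK", yiaddr="210.1.1.3"),
    DhcpFrame("0/9", OTHER, "00:02:b3:de:ad:01", "DISCOVER"),     # chaddr != Ethernet source
    DhcpFrame("0/9", CLIENT, CLIENT, "RELEASE"),                  # lease was learned on 0/5
]


def run_demo(verify_mac=True):
    sw = Snooper(trusted_ports={"0/1"}, verify_mac=verify_mac)
    verdicts = [sw.process(f) for f in FRAMES]
    return sw, verdicts


if __name__ == "__main__":
    switch, results = run_demo()
    for frame, verdict in zip(FRAMES, results):
        print(f"{frame.port:4} {frame.msg_type:9} {verdict}")
    print(switch.stats)
    print(switch.bindings)
```

The model leaves out the per-interface rate limit and burst interval; those act before any of these checks and are configured with ip dhcp snooping limit.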
Page 499
clear ip dhcp snooping binding Use this command to clear all DHCP Snooping bindings on all interfaces or on a specific interface. Format clear ip dhcp snooping binding [interface slot/port] Mode ◆ Privileged EXEC ◆ User EXEC clear ip dhcp Use this command to clear all DHCP Snooping statistics.
Page 500
Term Definition VLAN The VLAN for the binding rule. The following shows example CLI display output for the command. (CN1610) #show ip verify source Interface Filter Type IP Address MAC Address Vlan --------- ----------- --------------- ----------------- ----- ip-mac 210.1.1.3 00:02:B3:06:60:80 ip-mac 210.1.1.4...
Page 501
DHCP Snooping. VLAN VLAN for the entry. Interface IP address of the interface in slot/port format. The following shows example CLI display output for the command. (CN1610) #show ip source binding MAC Address IP Address Type Vlan Interface...
Dynamic ARP Inspection Commands Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or responses mapping another station’s IP address to its own MAC address.
Page 503
Default disabled
Format ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode Global Config

no ip arp inspection validate
Use this command to disable the additional validation checks on the received ARP packets.
Format no ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode Global Config...
Page 504
Mode Interface Config

no ip arp inspection trust
Use this command to configure an interface as untrusted for Dynamic ARP Inspection.
Format no ip arp inspection trust
Mode Interface Config

ip arp inspection limit
Use this command to configure the rate limit and burst interval values for an interface or range of interfaces.
Page 505
ip arp inspection filter
Use this command to configure the ARP ACL used to filter invalid ARP packets on a list of comma-separated VLAN ranges. If the static keyword is given, packets that do not match a permit statement are dropped without consulting the DHCP snooping bindings.
Page 506
Mode ARP Access-list Config

no permit ip host mac host
Use this command to delete a rule for a valid IP and MAC combination.
Format no permit ip host sender-ip mac host sender-mac
Mode ARP Access-list Config

show ip arp inspection
Use this command to display the Dynamic ARP Inspection global configuration and configuration on all the VLANs.
Page 507
The ARP ACL Name, if configured on the VLAN. Static Flag If the ARP ACL is configured static on the VLAN. The following shows example CLI display output for the command. (CN1610) #show ip arp inspection vlan 10-12 Source Mac Validation : Disabled Destination Mac Validation : Disabled...
Page 508
Term Definition DHCP Drops The number of packets dropped due to DHCP snooping binding database match failure. ACL Drops The number of packets dropped due to ARP ACL rule match failure. DHCP Permits The number of packets permitted due to DHCP snooping binding database match.
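The decision order that the trust, ARP ACL, static keyword and DHCP snooping binding settings above imply, as an added Python model that is not code from the manual or from FASTPATH. The ACL entries reuse the manual's sample `show arp access-list` values; the ports, VLANs, bindings, the "ACL Permits" and "Trusted" counter names, and the choice to match a binding on MAC and ingress port are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    port: str        # ingress interface, slot/port
    vlan: int
    sender_ip: str   # sender protocol address in the ARP payload
    sender_mac: str  # sender hardware address in the ARP payload


@dataclass
class DaiModel:
    trusted_ports: set = field(default_factory=set)
    arp_acls: dict = field(default_factory=dict)  # vlan -> (permit pairs, static flag)
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, port)
    stats: Counter = field(default_factory=Counter)

    def permit(self, vlan, sender_ip, sender_mac, static=False):
        """Model of 'permit ip host <sender-ip> mac host <sender-mac>' on a VLAN."""
        pairs, _ = self.arp_acls.get(vlan, (set(), False))
        pairs.add((sender_ip, sender_mac.lower()))
        self.arp_acls[vlan] = (pairs, static)

    def inspect(self, pkt):
        """Return True if the ARP packet is forwarded, False if it is dropped."""
        mac = pkt.sender_mac.lower()
        if pkt.port in self.trusted_ports:
            self.stats["Trusted"] += 1            # assumed counter name
            return True
        acl = self.arp_acls.get(pkt.vlan)
        if acl is not None:
            pairs, static = acl
            if (pkt.sender_ip, mac) in pairs:
                self.stats["ACL Permits"] += 1    # assumed counter name
                return True
            if static:
                # static: no fallback to the DHCP snooping bindings
                self.stats["ACL Drops"] += 1
                return False
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == (mac, pkt.port):
            self.stats["DHCP Permits"] += 1
            return True
        self.stats["DHCP Drops"] += 1
        return False


def run_samples():
    """Run five constructed ARP packets through the model."""
    dai = DaiModel(trusted_ports={"0/24"})
    dai.permit(10, "1.1.1.1", "00:01:02:03:04:05")               # non-static ACL
    dai.permit(20, "2.1.1.2", "00:03:04:05:06:08", static=True)  # static ACL
    dai.bindings[(10, "10.0.10.50")] = ("00:aa:bb:cc:dd:01", "0/3")
    dai.bindings[(20, "10.0.20.7")] = ("00:aa:bb:cc:dd:02", "0/5")
    packets = [
        ArpPacket("0/24", 10, "10.0.10.1", "00:aa:bb:cc:dd:ff"),   # trusted uplink
        ArpPacket("0/2", 10, "1.1.1.1", "00:01:02:03:04:05"),      # matches ACL
        ArpPacket("0/3", 10, "10.0.10.50", "00:AA:BB:CC:DD:01"),   # matches binding
        ArpPacket("0/4", 10, "10.0.10.50", "00:de:ad:00:00:04"),   # IP bound to another MAC
        ArpPacket("0/5", 20, "10.0.20.7", "00:aa:bb:cc:dd:02"),    # valid binding, static ACL
    ]
    verdicts = [dai.inspect(p) for p in packets]
    return verdicts, dict(dai.stats)


if __name__ == "__main__":
    print(run_samples())
```

The last packet shows the operational cost of the static keyword: a host with a valid DHCP snooping binding is still dropped on that VLAN until it is added to the ARP ACL.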
Page 509
The configured rate limit value in packets per second. Burst Interval The configured burst interval value in seconds. The following shows example CLI display output for the command. (CN1610) #show ip arp inspection interfaces Interface Trust State Rate Limit Burst Interval (pps) (seconds)
Page 510
Privileged EXEC
◆ User EXEC

The following shows example CLI display output for the command.
(CN1610) #show arp access-list
ARP access list H2
permit ip host 1.1.1.1 mac host 00:01:02:03:04:05
permit ip host 1.1.1.2 mac host 00:03:04:05:06:07
ARP access list H3
ARP access list H4
permit ip host 2.1.1.2 mac host 00:03:04:05:06:08...
IGMP Snooping Configuration Commands This section describes the commands you use to configure IGMP snooping. FASTPATH SMB software supports IGMP Versions 1, 2, and 3. The IGMP snooping feature can help conserve bandwidth because it allows the switch to forward IP multicast traffic only to connected hosts that request multicast traffic. IGMPv3 adds source filtering capabilities to IGMP versions 1 and 2.
Page 512
no set igmp
This command disables IGMP Snooping on the system, an interface, a range of interfaces, or a VLAN.
Format no set igmp [vlan_id]
Mode
◆ Global Config
◆ Interface Config
◆ VLAN Config

set igmp header-validation
This command enables header validation for IGMP messages. When header validation is enabled, IGMP Snooping checks: ◆...
Page 513
that interface. IGMP Snooping functionality is re-enabled if you disable routing or remove port-channel (LAG) membership from an interface that has IGMP Snooping enabled.
Default disabled
Format set igmp interfacemode
Mode Global Config

no set igmp interfacemode
This command disables IGMP Snooping on all interfaces.
Format no set igmp interfacemode...
Page 514
no set igmp fast- This command disables IGMP Snooping fast-leave admin mode on a selected leave interface. Format no set igmp fast-leave [vlan_id] Mode Interface Config Interface Range VLAN Config set igmp This command sets the IGMP Group Membership Interval time on a VLAN, one groupmembership- interface, a range of interfaces, or all interfaces.
Page 515
sending a query on an interface because it did not receive a report for a particular group in that interface. This value must be less than the IGMP Query Interval time value. The range is 1 to 25 seconds. Default 10 seconds Format set igmp maxresponse [vlan_id] 1-25...
Page 516
no set igmp mcrtrexpiretime
This command sets the Multicast Router Present Expiration time to 0. The time is set for the system, on a particular interface or a VLAN.
Format no set igmp mcrtrexpiretime [vlan_id]
Mode
◆ Global Config
◆ Interface Config
◆...
Page 517
no set igmp mrouter interface
This command disables the status of the interface as a statically configured multicast router interface.
Format no set igmp mrouter interface
Mode Interface Config

set igmp report-suppression
Use this command to suppress the IGMP reports on a given VLAN ID. In order to optimize the number of reports traversing the network with no added benefits, a Report Suppression mechanism is implemented.
Page 518
show igmpsnooping
This command displays IGMP Snooping information for a given slot/port or VLAN. Configured information is displayed whether or not IGMP Snooping is enabled.
Format show igmpsnooping [slot/port | vlan_id]
Mode Privileged EXEC

When the optional arguments slot/port or vlan_id are not used, the command displays the following information:...
Page 519
Term Definition Maximum Response The amount of time the switch waits after it sends a Time query on an interface because it did not receive a report for a particular group on that interface. This value may be configured. Multicast Router The amount of time to wait before removing an Expiry Time interface from the list of interfaces with multicast...
Page 520
Term Definition
Report Suppression Mode
Indicates whether IGMP report suppression (set by the command “set igmp report-suppression” on page 514) is enabled or not.

The following shows example CLI display output for the command.
(Broadcom FASTPATH Switching) #show igmpsnooping 1
VLAN ID........1
IGMP Snooping Admin Mode.......
Page 521
Mode Privileged EXEC

show mac-address-table igmpsnooping
This command displays the IGMP Snooping entries in the MFDB table.
Format show mac-address-table igmpsnooping
Mode Privileged EXEC

Term Definition
VLAN ID
The VLAN in which the MAC address is learned.
MAC Address
A multicast MAC address for which the switch has forwarding or filtering information.
IGMP Snooping Querier Commands IGMP Snooping requires that one central switch or router periodically query all end-devices on the network to announce their multicast memberships. This central device is the “IGMP Querier”. The IGMP query responses, known as IGMP reports, keep the switch updated with the current multicast group membership on a port-by-port basis.
Page 523
Mode
◆ Global Config
◆ VLAN Mode

no set igmp querier
Use this command to disable IGMP Snooping Querier on the system. Use the optional address parameter to reset the querier address to 0.0.0.0.
Format no set igmp querier [vlan-id] [address]
◆...
Page 524
no set igmp querier timer expiry
Use this command to set the IGMP Querier timer expiration period to its default value.
Format no set igmp querier timer expiry
Mode Global Config

set igmp querier version
Use this command to set the IGMP version of the query that the snooping switch is going to send periodically.
Page 525
no set igmp querier election participate
Use this command to set the Snooping Querier not to participate in querier election but go into non-querier mode as soon as it discovers the presence of another querier in the same VLAN.
Format no set igmp querier election participate
Mode VLAN Config...
Page 526
When you specify a value for vlanid, the following additional information appears.

Field Description
VLAN Admin Mode
Indicates whether IGMP Snooping Querier is active on the VLAN.
VLAN Operational State
Indicates whether IGMP Snooping Querier is in “Querier” or “Non-Querier” state. When the switch is in Querier state, it will send out periodic general...
MLD Snooping Commands This section describes commands used for MLD Snooping. In IPv4, Layer 2 switches can use IGMP Snooping to limit the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded only to those interfaces associated with IP multicast addresses. In IPv6, MLD Snooping performs a similar function.
Page 528
Mode
◆ Global Config
◆ Interface Config
◆ VLAN Mode

no set mld
Use this command to disable MLD Snooping on the system.
Format set mld vlanid
Mode
◆ Global Config
◆ Interface Config
◆ VLAN Mode

set mld interfacemode
Use this command to enable MLD Snooping on all interfaces. If an interface has MLD Snooping enabled and you enable this interface for routing or enlist it as a member of a port-channel (LAG), MLD Snooping functionality is disabled on...
Page 529
set mld fast-leave
Use this command to enable MLD Snooping fast-leave admin mode on a selected interface or VLAN. Enabling fast-leave allows the switch to immediately remove the Layer 2 LAN interface from its forwarding table entry upon receiving an MLD done message for that multicast group without first sending out MAC-based general queries to the interface.
Page 530
Format set mld groupmembership-interval vlanid 2-3600
Mode
◆ Interface Config
◆ Global Config
◆ VLAN Mode

no set groupmembership-interval
Use this command to set the MLDv2 Group Membership Interval time to the default value.
Format no set mld groupmembership-interval
◆...
Page 531
Mode
◆ Global Config
◆ Interface Config
◆ VLAN Mode

set mld mcrtexpiretime
Use this command to set the Multicast Router Present Expiration time. The time is set for the system, on a particular interface or VLAN. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached.
Page 532
Format no set mld mrouter vlanid
Mode Interface Config

set mld mrouter interface
Use this command to configure the interface as a multicast router-attached interface. When configured as a multicast router interface, the interface is treated as a multicast router-attached interface in all VLANs.
Default disabled
Format...
Page 533
Term Definition
Interfaces Enabled for MLD Snooping
Interfaces on which MLD Snooping is enabled.
MLD Control Frame Count
Displays the number of MLD Control frames that are processed by the CPU.
VLANs Enabled for MLD Snooping
VLANs on which MLD Snooping is enabled.

When you specify the values, the following information...
Page 534
Term Definition
VLAN Admin Mode
Indicates whether MLD Snooping is active on the VLAN.

show mldsnooping mrouter interface
Use this command to display information about statically configured multicast router attached interfaces.
Format show mldsnooping mrouter interface unit/slot/port
Mode Privileged EXEC

Term Definition
Interface...
Page 535
show mldsnooping Use this command to display the source specific multicast forwarding database ssm entries built by MLD snooping. A given {Source, Group, VLAN} combination can have few interfaces in INCLUDE mode and few interfaces in EXCLUDE mode. In such instances, two rows for the same {Source, Group, VLAN} combinations are displayed.
Page 536
Mode Privileged EXEC

Term Definition
Total Entries
The total number of entries that can possibly be in the MLD snooping’s SSMFDB.
Most SSMFDB Entries Ever Used
The largest number of entries that have been present in the MLD snooping’s SSMFDB.
Current Entries
The current number of entries in the MLD snooping’s SSMFDB.
Page 537
show mac-address-table mldsnooping
Use this command to display the MLD Snooping entries in the Multicast Forwarding Database (MFDB) table.
Format show mac-address-table mldsnooping
Mode Privileged EXEC

Term Definition
VLAN ID
The VLAN in which the MAC address is learned.
MAC Address
A multicast MAC address for which the switch has forwarding or filtering information.
MLD Snooping Querier Commands In an IPv6 environment, MLD Snooping requires that one central switch or router periodically query all end-devices on the network to announce their multicast memberships. This central device is the MLD Querier. The MLD query responses, known as MLD reports, keep the switch updated with the current multicast group membership on a port-by-port basis.
Page 539
no set mld querier
Use this command to disable MLD Snooping Querier on the system. Use the optional address parameter to reset the querier address.
Format no set mld querier [vlan-id][address]
Mode
◆ Global Config
◆ VLAN Mode

set mld querier Use this command to set the MLD Querier Query Interval time.
Page 540
Format no set mld querier timer expiry
Mode Global Config

set mld querier election participate
Use this command to enable the Snooping Querier to participate in the Querier Election process when it discovers the presence of another Querier in the VLAN. When this mode is enabled, if the Snooping Querier finds that the other Querier’s source address is better (less) than the Snooping Querier’s address, it stops sending periodic queries.
Page 541
Field Description Admin Mode Indicates whether or not MLD Snooping Querier is active on the switch. Admin Version Indicates the version of MLD that will be used while sending out the queries. This is defaulted to MLD v1 and it cannot be changed. Querier Address Shows the IP address which will be used in the IPv6 header while sending out MLD queries.
Page 542
Field Description
Querier Election Participate
Indicates whether the MLD Snooping Querier participates in querier election if it discovers the presence of a querier in the VLAN.
Querier VLAN Address
The IP address will be used in the IPv6 header while sending out MLD queries on this VLAN.
Port Security Commands This section describes the command you use to configure Port Security on the switch. Port security, which is also known as port MAC locking, allows you to secure the network by locking allowable MAC addresses on a given port. Packets with a matching source MAC address are forwarded normally, and all other packets are discarded.
Page 544
Mode Interface Config

no port-security max-dynamic
This command resets the maximum number of dynamically locked MAC addresses allowed on a specific port to its default value.
Format no port-security max-dynamic
Mode Interface Config

port-security max-static
This command sets the maximum number of statically locked MAC addresses allowed on a port.
Page 545
Mode Global Config
◆ Interface Config

The following shows an example of the command.
(CN1610)(Config)# port-security mac-address sticky
(CN1610)(Interface)# port-security mac-address sticky
(CN1610)(Interface)# port-security mac-address sticky 00:00:00:00:00:01 2

no port-security mac-address sticky
The no form removes the sticky mode. The sticky MAC address can be deleted by using the command “no port-security mac-address <mac-address>...
Page 546
Violation Trap Mode
Whether violation traps are enabled.
Sticky Mode
The administrative mode of the port security Sticky Mode feature on the interface.

The following shows example CLI display output for the command.
(CN1610) #show port-security 0/1
Page 547
        Admin    Dynamic     Static     Violation  Sticky
Intf    Mode     Limit       Limit      Trap Mode  Mode
------  -------  ----------  ---------  ---------  --------
Disabled 1 Disabled Enabled

show port-security dynamic
This command displays the dynamically locked MAC addresses for the port. Instead of slot/port, lag lag-intf-num can be used as an alternate way to specify the LAG interface.
Page 548
The following shows example CLI display output for the command.
(CN1610) #show port-security static 1/0/1
Number of static MAC addresses configured: 2
Statically configured MAC Address  VLAN ID  Sticky
---------------------------------  -------  ------
00:00:00:00:00:01
00:00:00:00:00:02

show port-security violation
This command displays the source MAC address of the last packet discarded on a locked port.
LLDP (802.1AB) Commands This section describes the command you use to configure Link Layer Discovery Protocol (LLDP), which is defined in the IEEE 802.1AB specification. LLDP allows stations on an 802 LAN to advertise major capabilities and physical descriptions. The advertisements allow a network management system (NMS) to access and display this information.
Page 550
Mode Interface Config

lldp timers
Use this command to set the timing parameters for local data transmission on ports enabled for LLDP. The interval-seconds determines the number of seconds to wait between transmitting local data LLDPDUs. The range is 1-32768 seconds.
Page 551
no lldp transmit-tlv Use this command to remove an optional TLV from the LLDPDUs. Use the command without parameters to remove all optional TLVs from the LLDPDU. Format no lldp transmit-tlv [sys-desc] [sys-name] [sys-cap] [port-desc] Mode Interface Config lldp transmit-mgmt Use this command to include transmission of the local system management address information in the LLDPDUs.
Page 552
Format no lldp notification
Mode Interface Config

lldp notification-interval
Use this command to configure how frequently the system sends remote data change notifications. The interval parameter is the number of seconds to wait between sending notifications. The valid interval range is 5-3600 seconds.
Default
Format lldp notification-interval interval...
Page 553
show lldp Use this command to display a summary of the current LLDP configuration. Format show lldp Mode Privileged EXEC Term Definition Transmit Interval How frequently the system transmits local data LLDPDUs, in seconds. Transmit Hold The multiplier on the transmit interval that sets the Multiplier TTL in local data LLDPDUs.
Page 554
Term Definition TLVs Shows whether the interface sends optional TLVs in the LLDPDUs. The TLV codes can be 0 (Port Description), 1 (System Name), 2 (System Description), or 3 (System Capability). Mgmt Shows whether the interface transmits system management address information in the LLDPDUs. show lldp statistics Use this command to display the current LLDP traffic and remote table statistics for a specific interface or for all interfaces.
Page 555
Term Definition TX Total Total number of LLDP packets transmitted on the port. RX Total Total number of LLDP packets received on the port. Discards Total number of LLDP frames discarded on the port for any reason. Errors The number of invalid LLDP frames received on the port.
Page 556
Term Definition Local Interface The interface that received the LLDPDU from the remote device. RemID An internal identifier to the switch to mark each remote device to the system. Chassis ID The ID that is sent by a remote device as part of the LLDP message, it is usually a MAC address of the device.
Page 557
show lldp remote-device detail
Use this command to display detailed information about remote devices that transmit current LLDP data to an interface on the system.
Format show lldp remote-device detail slot/port
Mode Privileged EXEC

Term Definition
Local Interface
The interface that received the LLDPDU from the remote device.
Page 558
Term Definition Time To Live The amount of time (in seconds) the remote device's information received in the LLDPDU should be treated as valid information. The following shows example CLI display output for the command. (FASTPATH Switching) #show lldp remote-device detail 0/7 LLDP Remote Device Detail Local Interface: 0/7 Remote Identifier: 2...
Page 559
show lldp local-device detail
Use this command to display detailed information about the LLDP data a specific interface transmits.
Format show lldp local-device detail slot/port
Mode Privileged EXEC

Term Definition
Interface
The interface that sends the LLDPDU.
Chassis ID Subtype
The type of identification used in the Chassis ID field.
LLDP-MED Commands Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) (ANSI-TIA-1057) provides an extension to the LLDP standard. Specifically, LLDP-MED provides extensions for network configuration and policy, device location, Power over Ethernet (PoE) management and inventory management. lldp med Use this command to enable MED on an interface or a range of interfaces.
Page 561
lldp med transmit- Use this command to specify which optional Type Length Values (TLVs) in the LLDP MED set will be transmitted in the Link Layer Discovery Protocol Data Units (LLDPDUs) from this interface or a range of interfaces. Default By default, the capabilities and network policy TLVs are included.
Page 562
lldp med Use this command to configure all the ports to send the topology change confignotification notification. Format lldp med confignotification all Mode Global Config lldp med Use this command to set the value of the fast start repeat count. is the [count] faststartrepeatcoun...
Page 563
Format show lldp med Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) #show lldp med LLDP MED Global Configuration Fast Start Repeat Count: 3 Device Class: Network Connectivity (CN1610) # show lldp med...
Page 564
Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) #show lldp med interface all Interface Link configMED operMED ConfigNotify TLVsTx --------- ------ --------- -------- ------------ ----------- 1/0/1 Down Disabled Disabled Disabled 1/0/2 Disabled Disabled Disabled...
Page 565
Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) #show lldp med local-device detail 1/0/8 LLDP MED Local Device Detail Interface: 1/0/8 Network Policies Media Policy Application Type : voice Vlan ID: 10 Priority: 5...
Page 566
An internal identifier to the switch to mark each remote device to the system. Device Class Device classification of the remote device. The following shows example CLI display output for the command. (CN1610) #show lldp med remote-device all LLDP MED Remote Device Summary Local Interface Remote ID...
Page 567
Format show lldp med remote-device detail slot/port Mode Privileged EXEC The following shows example CLI display output for the command. (CN1610) #show lldp med remote-device detail 1/0/8 LLDP MED Remote Device Detail Local Interface: 1/0/8 Remote Identifier: 18 Capabilities MED Capabilities Supported: capabilities, networkpolicy, location,...
Denial of Service Commands This section describes the commands you use to configure Denial of Service (DoS) Control. FASTPATH software provides support for classifying and blocking specific types of Denial of Service attacks. You can configure your system to monitor and block these types of attacks: ◆...
Page 570
Mode Global Config no dos-control all This command disables Denial of Service prevention checks globally. Format no dos-control all Mode Global Config dos-control sipdip This command enables Source IP address = Destination IP address (SIP = DIP) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack.
Page 571
Mode Global Config

no dos-control firstfrag
This command sets Minimum TCP Header Size Denial of Service protection to the default value of disabled.
Format no dos-control firstfrag
Mode Global Config

dos-control tcpfrag
This command enables TCP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack and packets that have a TCP payload in which the IP payload length minus the IP header size is less than the minimum allowed TCP header size are dropped.
Page 572
Mode Global Config

no dos-control tcpflag
This command disables TCP Flag Denial of Service protections.
Format no dos-control tcpflag
Mode Global Config

dos-control l4port
This command enables L4 Port Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having Source TCP/UDP Port Number equal to Destination TCP/UDP Port Number, the packets will be dropped if the mode is enabled.
Page 573
Format dos-control smacdmac
Mode Global Config

no dos-control smacdmac
This command disables Source MAC address = Destination MAC address (SMAC = DMAC) DoS protection.
Format no dos-control smacdmac
Mode Global Config

dos-control tcpport
This command enables TCP L4 source = destination port number (Source TCP Port = Destination TCP Port) Denial of Service protection.
Page 574
Default disabled
Format dos-control udpport
Mode Global Config

no dos-control udpport
This command disables UDP L4 source = destination port number (Source UDP Port = Destination UDP Port) Denial of Service protection.
Format no dos-control udpport
Mode Global Config

dos-control This command enables TCP Flag and Sequence Denial of Service protections.
Page 575
dos-control tcpoffset
This command enables TCP Offset Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Header Offset equal to one (1), the packets will be dropped if the mode is enabled.
Page 576
dos-control tcpsynfin
This command enables TCP SYN and FIN Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP flags SYN and FIN set, the packets will be dropped if the mode is enabled.
Page 577
dos-control icmpv4 This command enables Maximum ICMPv4 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv4 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.
Page 578
dos-control icmpfrag
This command enables ICMP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having fragmented ICMP packets, the packets will be dropped if the mode is enabled.
Page 579
Term Definition
Max ICMPv4 Payload Size
The maximum ICMPv4 payload size to accept when ICMPv4 DoS protection is enabled.
ICMPv6 Mode
The administrative mode of ICMPv6 DoS prevention. When enabled, this causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMPv6 Payload Size.
Page 580
Term Definition
Max ICMPv4 Payload Size
The maximum ICMPv4 payload size to accept when ICMPv4 DoS protection is enabled.
ICMPv6 Mode
The administrative mode of ICMPv6 DoS prevention. When enabled, this causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMPv6 Payload Size.
Page 581
Term Definition
TCP Flag & Sequence Mode
The administrative mode of TCP Flag DoS prevention. Enabling this causes the switch to drop packets that have TCP control flags set to 0 and TCP sequence number set to 0.
TCP SYN Mode
The administrative mode of TCP SYN DoS prevention.
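For checking a capture against the drop conditions this section states, the following added Python example (not code from the manual or from FASTPATH) parses an untagged Ethernet/IPv4 frame and returns the dos-control keywords whose condition it meets. The frames, addresses and the 512-byte ICMPv4 threshold are constructed for the example; measuring the ICMP size as the payload after the 8-byte ICMP header is an assumption, and firstfrag, tcpfrag, tcpflag and tcpoffset are left out because their exact conditions are not fully given on this page.

```python
import socket
import struct

TCP, UDP, ICMP = 6, 17, 1
FIN, SYN = 0x01, 0x02
MAX_ICMPV4_PAYLOAD = 512  # sample threshold chosen for this example


def dos_control_hits(frame, max_icmp=MAX_ICMPV4_PAYLOAD):
    """Return the dos-control keywords whose stated condition the frame meets."""
    hits = []
    if len(frame) < 14:
        return hits
    if frame[0:6] == frame[6:12]:                 # destination MAC == source MAC
        hits.append("smacdmac")
    if frame[12:14] != b"\x08\x00" or len(frame) < 34:
        return hits                               # only untagged IPv4 is parsed here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return hits
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    more_frags, frag_off = bool(flags_frag & 0x2000), flags_frag & 0x1FFF
    proto = ip[9]
    if ip[12:16] == ip[16:20]:                    # source IP == destination IP
        hits.append("sipdip")
    if proto == ICMP and (more_frags or frag_off):
        hits.append("icmpfrag")
    if frag_off:
        return hits                               # later fragments carry no L4 header
    l4 = ip[ihl:total_len]
    if proto == TCP and len(l4) >= 14:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        flags = off_flags & 0x3F                  # URG ACK PSH RST SYN FIN
        if sport == dport:
            hits.append("tcpport")                # l4port covers this and udpport
        if flags == 0 and seq == 0:
            hits.append("tcpflagseq")
        if flags & SYN and flags & FIN:
            hits.append("tcpsynfin")
    elif proto == UDP and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.append("udpport")
    elif proto == ICMP and len(l4) >= 8:
        if l4[0] == 8 and len(l4) - 8 > max_icmp:  # type 8 = Echo Request
            hits.append("icmpv4")
    return hits


# --- constructed sample frames (checksums left at zero; they are not verified) ---
def eth_ipv4(smac, dmac, sip, dip, proto, l4, flags_frag=0):
    eth = bytes.fromhex(dmac.replace(":", "")) + bytes.fromhex(smac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, flags_frag, 64,
                     proto, 0, socket.inet_aton(sip), socket.inet_aton(dip))
    return eth + ip + l4


def tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_echo(payload_len):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(payload_len)


A, B = "00:aa:bb:00:00:01", "00:aa:bb:00:00:02"
H1, H2 = "192.0.2.10", "192.0.2.20"
SAMPLES = {
    "ordinary SYN": eth_ipv4(A, B, H1, H2, TCP, tcp(40000, 443, 1000, SYN)),
    "same IP and TCP port": eth_ipv4(A, B, H2, H2, TCP, tcp(80, 80, 1, SYN)),
    "SYN and FIN": eth_ipv4(A, B, H1, H2, TCP, tcp(40000, 80, 7, SYN | FIN)),
    "no flags, sequence 0": eth_ipv4(A, B, H1, H2, TCP, tcp(40000, 80, 0, 0)),
    "same UDP port": eth_ipv4(A, B, H1, H2, UDP, udp(7, 7)),
    "600-byte echo request": eth_ipv4(A, B, H1, H2, ICMP, icmp_echo(600)),
    "fragmented echo request": eth_ipv4(A, B, H1, H2, ICMP, icmp_echo(64), 0x2000),
    "same MAC": eth_ipv4(A, A, H1, H2, UDP, udp(5000, 53)),
}


def classify_samples():
    return {name: dos_control_hits(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in classify_samples().items():
        print(f"{name:26} {hits}")
```

Running the same function over real capture data before enabling a check shows which legitimate flows, if any, would start being dropped.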
MAC Database Commands
This section describes the commands you use to configure and view information about the MAC databases.

bridge aging-time
This command configures the forwarding database address aging timeout in seconds. The seconds parameter must be within the range of 10 to 1,000,000 seconds.
Page 583
Term Definition
Address Aging Timeout
Displays the system's address aging timeout value in seconds.

show mac-address-table multicast
This command displays the Multicast Forwarding Database (MFDB) information. If you enter the command with no parameter, the entire table is displayed. You can display the table entry for one MAC Address by specifying the MAC address as an optional parameter.
Page 584
If one or more entries exist in the multicast forwarding table, the command output looks similar to the following: (CN1610) #show mac-address-table multicast VLAN ID MAC Address Source Type Description...
Page 585
Format show mac-address-table stats
Mode Privileged EXEC

Term Definition
Total Entries
The total number of entries that can possibly be in the Multicast Forwarding Database table.
Most MFDB Entries Ever Used
The largest number of entries that have been present in the Multicast Forwarding Database table.
ISDP Commands This section describes the commands you use to configure the industry standard Discovery Protocol (ISDP). isdp run This command enables ISDP on the switch. Default Enabled Format isdp run Mode Global Config no isdp run This command disables ISDP on the switch. Format no isdp run Mode...
Page 587
isdp advertise-v2
This command enables the sending of ISDP version 2 packets from the device.
Default Enabled
Format isdp advertise-v2
Mode Global Config

no isdp advertise-v2
This command disables the sending of ISDP version 2 packets from the device.
Format no isdp advertise-v2
Mode Global Config...
Page 588
clear isdp table This command clears entries in the ISDP table. Format clear isdp table Mode Privileged EXEC show isdp This command displays global ISDP settings. Format show isdp Mode Privileged EXEC Term Definition Timer The frequency with which this device sends ISDP packets.
Page 589
For example, ASCII string contains serialNumber appended/prepended with system name. The following shows example CLI display output for the command. (CN1610) #show isdp Timer.......... 30 Hold Time........180 Version 2 Advertisements....... Enabled Neighbors table time since last change..0 days 00:00:00 Device ID........
Page 590
The following shows example CLI display output for the command. (CN1610) #show isdp interface 0/1 Interface Mode --------------- ---------- Enabled The following shows example CLI display output for the command. (Switching) #show isdp interface all Interface Mode --------------- ---------- Enabled...
Page 591
Term Definition Capability ISDP Functional Capabilities advertised by the neighbor. Platform The hardware platform advertised by the neighbor. Interface The interface (slot/port) on which the neighbor's advertisement was received. Port ID The port ID of the interface from which the neighbor sent the advertisement.
Page 592
Version The software version that the neighbor is running. The following shows example CLI display output for the command. (CN1610) #show isdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater...
Page 593
Switch cisco WS-C4948 GigabitEthernet1/1 The following shows example CLI display output for the command. (CN1610) #show isdp neighbors detail Device ID 0001f45f1bc0 Address(es): IP Address: 10.27.7.57 Capability Router Trans Bridge Switch IGMP Platform SecureStack C2 Interface 0/48 Port ID ge.3.14...
Page 594
Displays the number of times a neighbor entry was Table Full added to the table without an IP address. The following shows example CLI display output for the command. (CN1610) #show isdp traffic ISDP Packets Received......4253 ISDP Packets Transmitted....... 127 ISDPv1 Packets Received......0 ISDPv1 Packets Transmitted.....
Page 595
no debug isdp This command disables tracing of ISDP packets on the receive or the transmit packet sides or on both sides. Format no debug isdp packet [{receive | transmit}] Mode Privileged EXEC ISDP Commands...
IPv6 IPv6 Management Commands This chapter describes the IPv6 commands available in the FASTPATH SMB CLI. Note The commands in this chapter are in one of three functional groups: ◆ Show commands display switch settings, statistics, and other information. ◆ Configuration commands configure features and options of the switch.
IPv6 Management Commands IPv6 Management commands allow a device to be managed via an IPv6 address in a switch or IPv4 routing (i.e., independent from the IPv6 Routing package). For Routing/IPv6 builds of FASTPATH, dual IPv4/IPv6 operation over the service port is enabled.
Page 598
no network ipv6 enable Use this command to disable IPv6 operation on the network port. Format no network ipv6 enable Mode Privileged EXEC serviceport ipv6 address Use the options of this command to manually configure IPv6 global address, enable/disable stateless global address autoconfiguration and to enable/disable dhcpv6 client protocol information on the service port.
Page 599
Use the command with the dhcp option to disable the dhcpv6 client protocol on the service port. Format no serviceport ipv6 address {address/prefix-length [eui64] | autoconfig | dhcp} Mode Privileged EXEC serviceport ipv6 gateway Use this command to configure IPv6 gateway (i.e., default routers) information for the service port.
Page 600
neighbor discovery process. They are, however, treated the same for IPv6 forwarding. Static IPv6 neighbor entries are applied to the kernel stack and to the hardware when the corresponding interface is operationally active. Format serviceport ipv6 neighbor ipv6-address macaddr Mode Privileged EXEC Parameter Description...
Page 601
Parameter Description autoconfig Configure stateless global address autoconfiguration capability. dhcp Configure dhcpv6 client protocol. no network ipv6 The command removes all configured IPv6 prefixes. no network ipv6 address address Use this command with the address option to remove the manually configured IPv6 global address on the network port interface.
Page 602
Format no network ipv6 gateway Mode Privileged EXEC network ipv6 neighbor Use this command to manually add IPv6 neighbors to the IPv6 neighbor table for this network port. If an IPv6 neighbor already exists in the neighbor table, the entry is automatically converted to a static entry. Static entries are not modified by the neighbor discovery process.
Page 603
The type of neighbor entry. The type is Static if the entry is manually configured and Dynamic if dynamically resolved. The following is an example of the command. (CN1610) #show network ipv6 neighbors Neighbor IPv6 Address MAC Address isRtr State...
Page 604
The type of neighbor entry. The type is Static if the entry is manually configured and Dynamic if dynamically resolved. The following is an example of the command. (CN1610) #show serviceport ipv6 neighbors Neighbor IPv6 Address MAC Address isRtr State...
Page 605
interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of a slot/port format. Use the optional size keyword to specify the size of the ping packet. You can utilize the ping or traceroute facilities over the service/network ports when using an IPv6 global address.
Page 606
Keyword Description interface Use the interface keyword to ping an interface by using the link-local address or the global IPv6 address of the interface. size Use the optional size keyword to specify the size of the ping packet. ipv6-address The link local IPv6 address of the device you want to query.
Quality of Service Commands This chapter describes the Quality of Service (QoS) commands available in the FASTPATH CLI. The QoS Commands chapter contains the following sections: ◆ “Class of Service Commands” on page 606 ◆ “Differentiated Services Commands” on page 616 ◆...
Class of Service Commands This section describes the commands you use to configure and view Class of Service (CoS) settings for the switch. The commands in this section allow you to control the priority and transmission rate of traffic. Note Commands you issue in the Interface Config mode only affect a single interface.
Page 610
no classofservice ip-dscp-mapping This command maps each IP DSCP value to its default internal traffic class value. Format no classofservice ip-dscp-mapping Mode Global Config classofservice trust This command sets the class of service trust mode of an interface or range of interfaces.
Page 611
Format cos-queue min-bandwidth bw-0 bw-1 … bw-n ◆ Modes Global Config ◆ Interface Config no cos-queue min-bandwidth This command restores the default for each queue's minimum bandwidth value. Format no cos-queue min-bandwidth ◆ Modes Global Config ◆ Interface Config cos-queue random-detect This command activates weighted random early discard (WRED) for each...
Page 612
◆ Modes Global Config ◆ Interface Config cos-queue strict This command activates the strict priority scheduler mode for each specified queue for an interface queue on an interface, a range of interfaces, or all interfaces. Format cos-queue strict queue-id-1 [queue-id-2 … queue-id- ◆...
Page 613
no random-detect Use this command to disable WRED, thereby restoring the default tail drop operation for all queues on the interface. Format no random-detect ◆ Modes Global Config ◆ Interface Config random-detect This command is used to configure the WRED decay exponent for a CoS queue exponential interface.
Page 614
Each parameter is specified for each possible drop precedence (color of TCP traffic). The last precedence applies to all non-TCP traffic. For example, in a 3-color system, four of each parameter are specified: green TCP, yellow TCP, red TCP, and non-TCP, respectively. Term Definition min-thresh...
Page 615
◆ Modes Global Config ◆ Interface Config no traffic-shape This command restores the interface shaping rate to the default value. Format no traffic-shape ◆ Modes Global Config ◆ Interface Config show This command displays the current Dot1p (802.1p) priority mapping to internal classofservice traffic classes for a specific interface.
Page 616
The following information is repeated for each user priority. Term Definition IP DSCP The IP DSCP value. Traffic Class The traffic class internal queue identifier to which the IP DSCP value is mapped. show classofservice trust This command displays the current trust mode setting for a specific interface. If you specify an interface, the command displays the port trust mode of the interface.
Page 617
Term Definition Interface Shaping Rate The global interface shaping rate value. WRED Decay Exponent The global WRED decay exponent value. Queue Id An interface supports n queues numbered 0 to (n-1). Minimum Bandwidth The minimum transmission bandwidth guarantee for the queue, expressed as a percentage. A value of 0 means bandwidth is not guaranteed and the queue operates using best-effort.
Page 618
show interfaces random-detect This command displays the global WRED settings for each CoS queue. If you specify the slot/port, the command displays the WRED settings for each CoS queue on the specified interface. Format show interfaces random-detect [slot/port] Mode Privileged EXEC Term Definition Queue ID...
Differentiated Services Commands This section describes the commands you use to configure QOS Differentiated Services (DiffServ). You configure DiffServ in several stages by specifying three DiffServ components: 1. Class ❖ Creating and deleting classes. ❖ Defining match criteria for a class. 2.
Page 620
Note The mark possibilities for policing include CoS, IP DSCP, and IP Precedence. While the latter two are only meaningful for IP packet types, CoS marking is allowed for both IP and non-IP packets, since it updates the 802.1p user priority field contained in the VLAN tag of the layer 2 packet header.
DiffServ Class Commands Use the DiffServ class commands to define traffic classification. To classify traffic, you specify Behavior Aggregate (BA), based on DSCP and Multi-Field (MF) classes of traffic (name, match criteria). This set of commands consists of class creation/deletion and matching, with the class match commands specifying Layer 3, Layer 2, and general match criteria.
Page 622
Note The CLI mode is changed to Class-Map Config or Ipv6-Class-Map Config when this command is successfully executed depending on the {ipv4 | ipv6} keyword specified. Format class-map match-all class-map-name [{ipv4 | ipv6}] Mode Global Config no class-map This command eliminates an existing DiffServ class. The class-map-name is the name of an existing DiffServ class.
Page 623
Format match [not] ethertype {keyword | custom 0x0600-0xFFFF} Mode Class-Map Config Ipv6-Class-Map Config match any This command adds to the specified class definition a match condition whereby all packets are considered to belong to the class. Use the [not] option to negate the match condition.
Page 624
◆ Any subsequent changes to the refclassname class match criteria must maintain this validity, or the change attempt fails. ◆ The total number of class rules formed by the complete reference class chain (including both predecessor and successor classes) must not exceed a platform-specific maximum.
Page 625
Format match [not] secondary-cos 0-7 Mode Class-Map Config Ipv6-Class-Map Config match destination-address mac This command adds to the specified class definition a match condition based on the destination MAC address of a packet. The macaddr parameter is any layer 2 MAC address formatted as six, two-digit hexadecimal numbers separated by colons (e.g., 00:11:22:dd:ee:ff).
Page 626
www. Each of these translates into its equivalent port number. To specify the match condition using a numeric notation, one layer 4 port number is required. The port number is an integer from 0 to 65535. Use the [not] option to negate the match condition.
Page 627
Note The IP DSCP, IP Precedence, and IP ToS match conditions are alternative ways to specify a match criterion for the same Service Type field in the IP header, but with a slightly different user notation. Default none Format match [not] ip precedence 0-7 Mode Class-Map Config match ip tos...
Page 628
match protocol This command adds to the specified class definition a match condition based on the value of the IP Protocol field in a packet using a single keyword notation or a numeric value notation. To specify the match condition using a single keyword notation, the value for protocol-name is one of the supported protocol name keywords.
Page 629
match srcip This command adds to the specified class definition a match condition based on the source IP address of a packet. The ipaddr parameter specifies an IP address. The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits.
Page 630
Mode Class-Map Config Ipv6-Class-Map Config match secondary-vlan This command adds to the specified class definition a match condition based on the value of the layer 2 secondary VLAN Identifier field (the inner 802.1Q tag of a double VLAN tagged packet). The secondary VLAN ID is an integer from 0 to 4093.
DiffServ Policy Commands Use the DiffServ policy commands to specify traffic conditioning actions, such as policing and marking, to apply to traffic classes. Use the policy commands to associate a traffic class that you define by using the class command set with one or more QoS policy attributes. Assign the class/policy association to an interface to form a service.
Page 632
drop This command specifies that all packets for the associated traffic stream are to be dropped at ingress. Format drop Mode Policy-Class-Map Config Incompatibilities Assign Queue, Mark (all forms), Mirror, Police, Redirect mirror This command specifies that all incoming packets for the associated traffic stream are copied to a specific egress interface (physical port or LAG).
Page 633
Note This command may only be used after specifying a police command for the policy-class instance. Format conform-color class-map-name Mode Policy-Class-Map Config class This command creates an instance of a class definition within the specified policy for the purpose of defining treatment of the traffic class through subsequent policy attribute statements.
Page 634
Incompatibilities Drop, Mark IP DSCP, IP Precedence, Police The following shows an example of the command. (CN1610) (Config-policy-classmap)#mark cos-as-sec-cos mark ip-dscp This command marks all packets for the associated traffic stream with the specified IP DSCP value. value is specified as either an integer from 0 to 63, or...
Page 635
Mode Policy-Class-Map Config Incompatibilities Drop, Mark CoS, Mark IP Precedence, Police mark ip-precedence This command marks all packets for the associated traffic stream with the specified IP Precedence value. The IP Precedence value is an integer from 0 to 7. Note This command may not be used on IPv6 classes.
Page 636
Incompatibilities Drop, Mark (all forms) The following shows an example of the command. (CN1610) (Config-policy-classmap)#police-simple 1 128 conform-action transmit violate-action drop police-single-rate This command is the single-rate form of the police command and is used to establish the traffic policing style for the specified class. For each outcome, the only possible actions are drop, set-cos-as-sec-cos, set-cos-transmit, set-sec-cos-transmit, set-dscp-transmit, set-prec-transmit, or transmit.
Page 638
Note The CLI mode is changed to Policy-Map Config when this command is successfully executed. Format policy-map policyname {in|out} Mode Global Config no policy-map This command eliminates an existing DiffServ policy. The policyname parameter is the name of an existing DiffServ policy. This command may be issued at any time.
DiffServ Service Commands Use the DiffServ service commands to assign a DiffServ traffic conditioning policy, which you specified by using the policy commands, to an interface in the incoming direction. The service commands attach a defined policy to a directional interface. You can assign only one policy at any one time to an interface in the inbound direction.
Page 640
no service-policy This command detaches a policy from an interface in the inbound direction as indicated by the in parameter, or the outbound direction as indicated by the out parameter, respectively. The policyname parameter is the name of an existing DiffServ policy. Note This command causes a service to remove its reference to the policy.
DiffServ Show Commands Use the DiffServ show commands to display configuration and status information for classes, policies, and services. You can display DiffServ information in summary or detailed formats. The status information is only shown when the DiffServ administrative mode is enabled. show class-map This command displays all configuration information for the specified class.
Page 642
If you do not specify the Class Name, this command displays a list of all defined DiffServ classes. The following fields are displayed: Term Definition Class Name The name of this class. (Note that the order in which classes are displayed is not necessarily the same order in which they were created.) Class Type A class type of all means every match criterion...
Page 643
Term Definition Policy Instance Table Size Current/Max The current and maximum number of entries (rows) in the Policy Instance Table. Policy Instance Table Max Current/Max The current and maximum number of entries (rows) for the Policy Instance Table. Policy Attribute Table Max Current/Max The current and maximum number of entries (rows) for the Policy Attribute Table.
Page 644
Term Definition Class Name The name of this class. Committed Burst Size (KB) The committed burst size, used in simple policing. Committed Rate (Kbps) The committed rate, used in simple policing. Conform Action The current setting for the action taken on a packet considered to conform to the policing parameters.
Page 645
Term Definition Mark CoS The class of service value that is set in the 802.1p header of inbound packets. This is not displayed if the mark cos was not specified. Mark CoS as Secondary CoS The secondary 802.1p priority value (second/inner VLAN tag.
Page 646
Term Definition Peak Rate Guarantees a committed rate for transmission, but also transmits excess traffic bursts up to a user-specified peak rate, with the understanding that a downstream network element (such as the next hop’s policer) might drop this excess traffic. Traffic is held in queue until it is transmitted or dropped (per type of queue depth management.) Peak rate shaping can be configured for the outgoing transmission stream...
Page 647
(CN1610) #show policy-map p1 Policy Name........p1 Policy Type........In Class Name........c1 Mark CoS as Secondary CoS...... Yes The following shows example CLI display output including the mark-cos-as-sec-cos action used in the policing (simple-police, police-single-rate, police two-rate) command.
Page 648
Term Definition Operational Status The current operational status of this DiffServ service interface. Policy Name The name of the policy attached to the interface in the indicated direction. Policy Details Attached policy details, whose content is identical to that described for the show policy-map policymapname command (content not repeated here for brevity).
Page 649
show policy-map interface This command displays policy-oriented statistics information for the specified interface and direction. The slot/port parameter specifies a valid interface for the system. Instead of slot/port, lag lag-intf-num can be used as an alternate way to specify the LAG interface. lag lag-intf-num can also be used to specify the LAG interface where...
Page 650
Mode Privileged EXEC The following information is repeated for each interface and direction (only those interfaces configured with an attached policy are shown): Term Definition Interface slot/port Operational Status The current operational status of this DiffServ service interface. Policy Name The name of the policy attached to the interface.
MAC Access Control List Commands This section describes the commands you use to configure MAC Access Control List (ACL) settings. MAC ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.
Page 652
mac access-list extended rename This command changes the name of a MAC Access Control List (ACL). The name parameter is the name of an existing MAC ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the MAC access list.
Page 653
Ethertype Keyword Corresponding Value appletalk 0x809B 0x0806 ibmsna 0x80D5 ipv4 0x0800 ipv6 0x86DD 0x8037 mplsmcast 0x8848 mplsucast 0x8847 netbios 0x8191 novell 0x8137, 0x8138 pppoe 0x8863, 0x8864 rarp 0x8035 parameters refer to the VLAN identifier and 802.1p user vlan priority fields, respectively, of the VLAN tag. For packets containing a double VLAN tag, this is the first (or outer) tag.
Page 654
The permit command’s optional attribute rate-limit allows you to permit only the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes. The following shows an example of the command. (CN1610) (Config)#mac access-list extended mac1 (CN1610) (Config-mac-access-list)#permit 00:00:00:00:aa:bb ff:ff:ff:ff:00:00 any rate-limit 32 16 (CN1610) (Config-mac-access-list)#exit...
Page 655
Global Config ◆ Interface Config The following shows an example of the command. (CN1610)(Config)#no mac access-group mac1 control-plane show mac access-lists This command displays a MAC access list and all of the rules that are defined for the MAC ACL. Use the...
Page 656
Format show mac access-lists [name] Mode Privileged EXEC Term Definition Rule Number The ordered rule number identifier defined within the MAC ACL. Action The action associated with each rule. The possible values are Permit or Deny. Source MAC Address The source MAC address for this rule. Source MAC Mask The source MAC mask for this rule.
Page 657
Term Definition Rule Status Status (Active/Inactive) of the MAC ACL rule. The following shows example CLI display output for the command. (CN1610) #show mac access-lists mac1 ACL Name: mac1 Outbound Interface(s): control-plane Rule Number: 1 Action......... permit Source MAC Address......00:00:00:00:AA:BB Source MAC Mask........
IP Access Control List Commands This section describes the commands you use to configure IP Access Control List (ACL) settings. IP ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources. The following rules apply to IP ACLs: ◆...
Page 660
Parameter Description srcip srcmask|any|host srcip Specifies a source IP address and source netmask for match condition of the IP ACL rule. Specifying any specifies srcip as 0.0.0.0 and srcmask as 255.255.255.255. Specifying host A.B.C.D specifies srcip as A.B.C.D and srcmask as 0.0.0.0.
Page 661
Parameter Description {{range{portkey|startport}{portkey|endport}|{eq|neq|lt|gt} {portkey | 0-65535}] Note This option is available only if the protocol is TCP or UDP. Specifies the source layer 4 port match condition for the IP ACL rule. You can use the port number, which ranges from 0-65535, or you specify the portkey, which can be one of the...
Page 662
Parameter Description dstip dstmask|any|host dstip Specifies a destination IP address and netmask for match condition of the IP ACL rule. Specifying any implies specifying dstip as 0.0.0.0 and dstmask as 255.255.255.255. Specifying host A.B.C.D implies dstip as A.B.C.D and dstmask as 0.0.0.0. Specifies the TOS for an IP ACL rule depending [precedence precedence | tos tos...
Page 663
Parameter Description [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] Note This option is available only if the protocol is icmp. Specifies a match condition for ICMP packets. When icmp-type is specified, the IP ACL rule matches on the specified ICMP message type, a number from 0 to 255.
Page 664
Parameter Description [time-range time-range-name] Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately.
Page 665
ip access-list This command creates an extended IP Access Control List (ACL) identified by name, consisting of classification fields defined for the IP header of an IPv4 frame. The name parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IP access list.
Page 666
values must be specified. The source and destination IP address fields may be specified using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.
Page 667
with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. For information about configuring time ranges, see “Time Range Commands for Time-Based ACLs” on page 687. The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule.
Page 668
Parameter Description [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey Note This option is available only if the protocol is tcp or udp. Specifies the layer 4 port match condition for the IP ACL rule.
Page 669
Parameter Description dstip dstmask | any | host dstip Specifies a destination IP address and netmask for match condition of the IP ACL rule. Specifying any implies specifying dstip as 0.0.0.0 and dstmask as 255.255.255.255. Specifying host A.B.C.D implies dstip as A.B.C.D and dstmask as 0.0.0.0.
Page 670
Parameter Description [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] Note This option is available only if the protocol is ICMP. Specifies a match condition for ICMP packets. When icmp-type is specified, the IP ACL rule matches on the specified ICMP message type, a number from 0 to 255.
Page 671
The following shows an example of the command. (CN1610) (Config)#ip access-list ip1 (CN1610) (Config-ipv4-acl)#permit icmp any any rate-limit 32 16 (CN1610) (Config-ipv4-acl)#exit ip access-group This command either attaches a specific IP Access Control List (ACL) identified...
Page 672
A VLAN ID associated with a specific IP ACL in a given direction. name The name of the Access Control List. The following shows an example of the command. (CN1610) (Config)#ip access-group ip1 control-plane no ip access-group This command removes a specified IP ACL from an interface. Default none...
Page 673
◆ Mode Interface Config ◆ Global Config The following shows an example of the command. (CN1610)(Config)#no ip access-group ip1 control-plane acl-trapflags This command enables the ACL trap mode. Default disabled Format acl-trapflags Mode Global Config no acl-trapflags This command disables the ACL trap mode.
Page 674
Term Definition Direction Shows whether the ACL is applied to traffic coming into the interface (ingress) or leaving the interface (egress). Interface(s) Identifies the interface(s) to which the ACL is applied (ACL interface bindings). VLAN(s) Identifies the VLANs to which the ACL is applied (ACL VLAN bindings).
Page 675
Term Definition Starting Destination L4 port The starting destination layer 4 port. Ending Destination L4 port The ending destination layer 4 port. ICMP Code Note This is shown only if the protocol is ICMP. The ICMP message code for this rule. Fragments If the ACL rule matches on fragmented IP packets.
Page 676
Rule Status Status (Active/Inactive) of the IP ACL rule. The following shows example CLI display output for the command. (CN1610) #show ip access-lists ip1 ACL Name: ip1 Inbound Interface(s): 1/0/30 Rule Number: 1 Action......... permit Match All........
Page 677
◆ out – Display Access List information for a particular interface and the out direction. The following shows an example of the command. (CN1610) #show access-lists interface control-plane ACL Type ACL ID Sequence Number --------...
Page 678
Format show access-lists vlan vlan-id in|out Mode Privileged EXEC Term Definition ACL Type Type of access list (IP, IPv6, or MAC). ACL ID Access List name for a MAC or IPv6 access list or the numeric identifier for an IP access list. Sequence Number An optional sequence number may be specified to indicate the order of this access list relative to other...
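The IP ACL parameter tables above expand any to mask 255.255.255.255 and host A.B.C.D to mask 0.0.0.0, so a 1 bit in an ACL mask means the bit is ignored, while the DiffServ match srcip mask is the opposite kind (contiguous leading 1 bits). The following Python model is an added example, not NetApp or FASTPATH code: it evaluates constructed rules under that reading, with first-match rule ordering as an assumption and the implicit deny at the end, and flags ACL masks that look like netmasks typed into an ACL rule.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF
IMPLICIT_DENY = "deny (implicit)"


def ip_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def expand(spec):
    """Expand an ACL address field into (address, mask) integers.

    Uses the expansions given in the parameter tables:
      any           -> 0.0.0.0 255.255.255.255
      host A.B.C.D  -> A.B.C.D 0.0.0.0
    """
    parts = spec.split()
    if parts == ["any"]:
        return 0, ALL_ONES
    if len(parts) == 2 and parts[0] == "host":
        return ip_int(parts[1]), 0
    if len(parts) == 2:
        return ip_int(parts[0]), ip_int(parts[1])
    raise ValueError(f"unrecognised address field: {spec!r}")


def field_matches(spec, packet_ip):
    """A 1 bit in the ACL mask means 'ignore this bit' (follows from any/host)."""
    addr, mask = expand(spec)
    care = ~mask & ALL_ONES
    return (ip_int(packet_ip) & care) == (addr & care)


def evaluate(rules, src, dst):
    """Return the verdict for one packet.

    Assumption: rules are tried in order and the first match decides.
    A packet that matches no rule hits the implicit deny all.
    """
    for number, (action, src_spec, dst_spec) in enumerate(rules, start=1):
        if field_matches(src_spec, src) and field_matches(dst_spec, dst):
            return f"{action} (rule {number})"
    return IMPLICIT_DENY


def is_leading_ones_mask(dotted):
    """True for a DiffServ-style mask: contiguous leading 1 bits."""
    inverted = ~ip_int(dotted) & ALL_ONES
    return (inverted & (inverted + 1)) == 0


def audit_masks(rules):
    """List (rule number, field) pairs whose ACL mask looks like a netmask."""
    findings = []
    for number, (_action, src_spec, dst_spec) in enumerate(rules, start=1):
        for spec in (src_spec, dst_spec):
            parts = spec.split()
            if len(parts) != 2 or parts[0] == "host":
                continue
            mask = parts[1]
            if mask in ("0.0.0.0", "255.255.255.255"):
                continue  # unambiguous: exact host or any
            if is_leading_ones_mask(mask):
                findings.append((number, spec))
    return findings


# Constructed rule sets: (action, source field, destination field).
INTENDED = [
    ("deny", "host 10.1.1.5", "any"),
    ("permit", "10.1.1.0 0.0.0.255", "any"),
]
MISTAKEN = [
    ("deny", "host 10.1.1.5", "any"),
    ("permit", "10.1.1.0 255.255.255.0", "any"),  # netmask typed into an ACL
]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("mistaken", MISTAKEN)):
        for src in ("10.1.1.5", "10.1.1.77", "172.16.5.0"):
            print(name, src, "->", evaluate(rules, src, "192.0.2.10"))
        print(name, "suspicious masks:", audit_masks(rules))
```

With the netmask-style mask, the permit rule stops matching the intended 10.1.1.0 hosts and instead matches any source whose last octet is 0, which is why the audit flags it.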
IPv6 Access Control List Commands This section describes the commands you use to configure IPv6 Access Control List (ACL) settings. IPv6 ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.
Page 680
ipv6 access-list rename This command changes the name of an IPv6 ACL. The name parameter is the name of an existing IPv6 ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IPv6 access list.
Page 681
Note An implicit deny all IPv6 rule always terminates the access list. The time-range parameter allows imposing time limitation on the IPv6 ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the IPv6 ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately.
Page 682
Parameter Description source-ipv6-prefix/prefix-length | any | host source-ipv6-address Specifies a source IPv6 address and prefix length to match for the IPv6 ACL rule. Specifying any implies specifying “::/0”. Specifying host source-ipv6-address implies matching the specified IPv6 address. This source-ipv6-address argument must be in...
Page 683
Parameter Description [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0- Note This option is available only if the protocol is TCP or UDP. Specifies the layer 4 port match condition for the IPv6 ACL rule.
Page 684
Parameter Description destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address Specifies a destination IPv6 address and prefix length to match for the IPv6 ACL rule. Specifying any implies specifying “::/0”. Specifying host destination-ipv6-address implies matching the specified IPv6 address. This destination-ipv6-address argument must be...
Page 685
Parameter Description [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] Note This option is available only if the protocol is icmpv6. Specifies a match condition for ICMP packets. When icmp-type is specified, the IPv6 ACL rule matches on the specified ICMP message type, a number from 0 to 255.
Page 686
The following shows an example of the command. (CN1610) (Config)#ipv6 access-list ip61 (CN1610) (Config-ipv6-acl)#permit udp any any rate-limit 32 16 (CN1610) (Config-ipv6-acl)#exit ipv6 traffic-filter This command either attaches a specific IPv6 ACL identified by...
Page 687
Format no ipv6 traffic-filter <name{{control-plane | in | out} | vlan <vlan-id> {in|out}} ◆ Modes Global Config ◆ Interface Config The following shows an example of the command. (CN1610) (Config)#no ipv6 traffic-filter ip61 control-plane IPv6 Access Control List Commands...
Page 688
show ipv6 access-lists This command displays an IPv6 access list and all of the rules that are defined for the IPv6 ACL. Use the [name] parameter to identify a specific IPv6 ACL to display. The rate-limit attribute displays committed rate and committed burst size.
Page 689
Rule Status Status (Active/Inactive) of the IPv6 ACL rule. The following shows example CLI display output for the command. (CN1610) #show ipv6 access-lists ip61 ACL Name: ip61 Outbound Interface(s): control-plane Rule Number: 1 Action......... permit Match Every........
Time Range Commands for Time-Based ACLs Time-based ACLs allow one or more rules within an ACL to be based on time. Each ACL rule within an ACL except for the implicit deny all rule can be configured to be active and operational only during a specific time period. The time range commands allow you to define specific times of the day and week in order to implement time-based ACLs.
Page 691
The [start time date] parameters indicate the time and date at which the configuration that referenced the time range starts going into effect. The time is expressed in a 24-hour clock, in the form of hours:minutes. For example, 8:00 is 8:00 am and 20:00 is 8:00 pm. The date is expressed in the format day month year.
Page 692
The first occurrence of the time argument is the starting hours:minutes at which the configuration that referenced the time range starts going into effect. The second occurrence is the ending hours:minutes at which the configuration that referenced the time range is no longer in effect. The hours:minutes are expressed in a 24-hour clock.
Page 693
Term Definition Time Range Name Name of the time range. Status Status of the time range (active/inactive) Periodic Entry count The number of periodic entries configured for the time range. Absolute Entry Indicates whether an absolute entry has been configured for the time range (Exists). Time Range Commands for Time-Based ACLs...
Page 696
dot1x re-authenticate 406 dot1x re-authentication 406 interface 309 dot1x supplicant max-start 429 interface lag 454 dot1x supplicant port-control 428 ip access-group 668 dot1x supplicant timeout auth-period 430 ip access-list 662 dot1x supplicant timeout held-period 430 ip access-list rename 662 dot1x supplicant timeout start-period 429 ip address-conflict-detect run 243 dot1x supplicant user 430 ip arp inspection filter 502...
Page 697
logging email from-addr 203 logging email logtime 204 key 127 logging email message-type subject 204 keystring 127 logging email message-type to-addr 203 logging email test message-type 205 logging email urgent 202 logging host 194 lacp actor admin key 447 logging host reconfigure 195 lacp actor admin state 448 logging host remove 196 lacp actor admin state individual 447...
Page 698
match secondary-cos 621 no authorization exec default 59 match secondary-vlan 627 no authorization network radius 107 match signature 625 no auto-negotiate 309 match source-address mac 625 no auto-negotiate all 310 match src port 626 no boot host autoreboot 138 match srcip 626 no boot host autosave 138 no boot host dhcp 137 match srcl4port 626...
Page 699
no dhcp l2relay remote-id subscription 478 no exception dump compression 266 no dhcp l2relay remote-id vlan 479 no exception dump filepath 264 no dhcp l2relay trust 479 no exception dump ftp-server 266 no dhcp l2relay vlan 480 no exception dump nfs 264 no diffserv 617 no exception dump tftp-server 263 no dos-control all 567...
Page 700
no lacp actor admin state passive 448 no macfilter addsrc 473 no lacp actor port priority 450 no macfilter addsrc all 474 no lacp admin key 446 no mail-server 207 no lacp collector max delay 446 no match class-map 621 no lacp partner admin key 450 no mode dot1q-tunnel 370 no lacp partner admin state individual 451...
Page 701
no port-security 540 no set igmp interfacemode 510 no port-security mac-address 541 no set igmp maxresponse 512 no port-security mac-address sticky 542 no set igmp mcrtrexpiretime 513 no port-security max-dynamic 541 no set igmp mrouter 513 no port-security max-static 541 no set igmp mrouter interface 514 no private-vlan 375 no set igmp querier 520...
Page 702
no sntp server 228 no switchport protected (Interface Config) 389 no sntp unicast client poll-interval 226 no switchport trunk allowed vlan 378 no sntp unicast client poll-retry 227 no switchport trunk native vlan 378 no sntp unicast client poll-timeout 227 no tacacs-server host 125 no spanning-tree 318 no tacacs-server key 126...
Page 703
passwords strength exclude-keyword 78 protocol group 358 passwords strength maximum consecutive- protocol vlan group 359 characters 75 protocol vlan group all 359 passwords strength maximum repeated-characters passwords strength minimum character-classes 78 quit 218 passwords strength minimum lowercase-letters 76 passwords strength minimum numeric-characters passwords strength minimum special-characters 77 radius accounting mode 107 passwords strength minimum uppercase-letters 76...
Page 704
serviceport protocol 31 show aaa ias-users 85 serviceport protocol dhcp 31 show access-lists 673 session-limit 43 show access-lists vlan 674 session-timeout 43 show accounting 86 set clibanner 134 show accounting methods 87 set garp timer join 391 show arp access-list 507 show arp switch 145 set garp timer leave 391 set garp timer leaveall 392...
Page 705
show eventlog 145 show isdp entry 587 show exception log 268 show isdp interface 586 show exception 267 show isdp neighbors 589 show fiber-ports optical-transceiver 167 show isdp traffic 590 show fiber-ports optical-transceiver-info 168 show lacp actor 460 show flowcontrol 387 show lacp partner 460 show lldp 550 show forwardingdb agetime 579...
Page 706
show mldsnooping ssm groups 533 show sflow agent 280 show mldsnooping ssm stats 532 show sflow pollers 281 show monitor session 468 show sflow receivers 281 show msg-queue 271 show sflow samplers 283 show network 33 show snmp 101 show network ipv6 neighbors 599 show snmp engineID 103 show snmp filters 103 show passwords configuration 78...
Page 707
show vlan port 365 spanning-tree bpdufilter default 321 show vlan remote-span 469 spanning-tree bpduflood 321 show voice vlan 383 spanning-tree bpduguard 321 show xxx|begin “string” 141 spanning-tree bpdumigrationcheck 322 show xxx|exclude “string” 140 spanning-tree configuration name 322 show xxx|include “string” 140 spanning-tree configuration revision 323 spanning-tree cost 323 show xxx|include “string”...