Alaxala AX1250S Software Manual

Configuration command reference

AX1250S / AX1240S Software Manual
Configuration Command Reference
For Version 2.2
AX1240S-S003-30X

Summary of Contents for Alaxala AX1250S

  • Page 1 AX1250S / AX1240S Software Manual Configuration Command Reference For Version 2.2 AX1240S-S003-30X...
  • Page 2 Relevant products This manual applies to the AX1250S and AX1240S models of switches. It also describes the functions of the AX1250S and AX1240S software, version 2.2, which are supported by the OS-LT3, OS-LT2 software, and optional licenses.
  • Page 3 Table Summary of amendments Location and title Changes Addition of series A description of the AX1250S was added. 1. Reading the Manuals A description of the AX1250S was added. 6. Device Management Descriptions about the following command have been changed: system recovery 8.
  • Page 4 Location and title Changes Power Saving Timing when the change for the following command is applied has been changed: system fan-control Ethernet The following command has been added: linkscan-mode VLAN Descriptions about parameters of the following command have been changed: switchport mode Ring Protocol This section was added.
  • Page 5 Location and title Changes MAC-based Authentication The following commands have been added: aaa accounting mac-authentication mac-authentication authentication Parameters for the following command have been added: mac-authentication radius-server host Notes on the following commands have been changed: mac-authentication interface mac-authentication force-authorized vlan mac-authentication vlan mac-authentication static-vlan force-authorized The following command name has been changed:...
  • Page 6 Table Summary of amendments Location and title Changes Editing and Working with Response messages output by the following commands have been Configurations added: exit Login Security and RADIUS Descriptions about the following commands have been changed: radius-server dead-interval radius-server host radius-server key radius-server retransmit radius-server timeout...
  • Page 7 Location and title Changes MLD Snooping Descriptions about the following commands have been changed: ipv6 mld snooping source ipv6 mld snooping mrouter Common to Layer 2 Authentication This section was moved. The following commands have been added: authentication force-authorized enable authentication force-authorized vlan IEEE 802.1X The following commands have been added:...
  • Page 8 Location and title Changes Multistep Authentication This section was added. Secure Wake-on-LAN [OP-WOL] Notes on the following command have been changed: http-server Uplink Redundancy The following commands have been added: switchport backup mac-address-table update transmit switchport backup mac-address-table update exclude-vlan switchport backup mac-address-table update retransmit Storm Control Parameters for the following command have been added:...
  • Page 9: Intended Readers

    Preface Applicable products and software versions This manual applies to the AX1250S and AX1240S models of switches. It also describes the functions of the AX1250S and AX1240S software, version 2.2, which are supported by the OS-LT3, OS-LT2 software, and optional licenses.
  • Page 10 Preface Abbreviations used in the manual Alternating Current ACKnowledge ADSL Asymmetric Digital Subscriber Line Application Level Gateway ANSI American National Standards Institute Address Resolution Protocol Autonomous System Auxiliary Border Gateway Protocol BGP4 Border Gateway Protocol - version 4 BGP4+ Multiprotocol Extensions for Border Gateway Protocol - version 4 bit/s Bits per second (can also appear as bps)
  • Page 11 Preface BPDU Bridge Protocol Data Unit Basic Rate Interface Continuity Check Cisco Discovery Protocol Connectivity Fault Management CIDR Classless Inter-Domain Routing Committed Information Rate CIST Common and Internal Spanning Tree CLNP ConnectionLess Network Protocol CLNS ConnectionLess Network System CONS Connection Oriented Network System Cyclic Redundancy Check CSMA/CD Carrier Sense Multiple Access with Collision Detection...
  • Page 12 Preface Link Control Protocol Light Emitting Diode Logical Link Control LLDP Link Layer Discovery Protocol LLQ+3WFQ Low Latency Queueing + 3 Weighted Fair Queueing Label Switched Path Link State PDU Label Switched Router Maintenance Association Media Access Control Memory Card Message Digest 5 Medium Dependent Interface MDI-X...
  • Page 13 Preface RIPng Routing Information Protocol next generation RMON Remote Network Monitoring MIB Reverse Path Forwarding ReQuest RSTP Rapid Spanning Tree Protocol Source Address Secure Digital Synchronous Digital Hierarchy Service Data Unit NSAP SELector Start Frame Delimiter Small Form factor Pluggable SMTP Simple Mail Transfer Protocol SNAP...
  • Page 14 Conventions: The terms "Switch" and "switch" The term Switch (upper-case "S") is an abbreviation for any or all of the following models: • AX1250S series switch • AX1240S series switch The term switch (lower-case "s") might refer to a Switch, another type of switch from the...
  • Page 15: Table Of Contents

    Contents Part 1: Reading the Manuals....................1 1. Reading the Manuals ......................1 Command description format..................... 2 Command mode list ......................3 Specifiable values for parameters ..................4 List of character codes ...................... 8 Part 2: Operation and Management of Switches ..............9 2.
  • Page 16 Contents system port-led ....................... 69 system port-led trigger console ..................71 system port-led trigger interface ..................72 system port-led trigger mc ....................73 Part 3: Network Interface ...................... 74 8. Ethernet..........................74 bandwidth ........................75 description ........................76 duplex ..........................77 flowcontrol........................
  • Page 17 Contents vlan-protocol ......................... 144 12. Spanning Trees......................146 instance ........................148 name..........................150 revision ......................... 151 spanning-tree bpdufilter ....................152 spanning-tree bpduguard ....................153 spanning-tree cost ......................154 spanning-tree disable ....................156 spanning-tree guard ...................... 157 spanning-tree link-type ....................159 spanning-tree loopguard default ..................
  • Page 18 Contents mode..........................224 name..........................225 vlan-group ........................226 14. DHCP Snooping......................228 ip arp inspection limit rate ....................229 ip arp inspection trust ....................230 ip arp inspection validate ....................231 ip arp inspection vlan..................... 233 ip dhcp snooping ......................235 ip dhcp snooping database url ..................
  • Page 19 Contents permit (ip access-list extended) ..................305 permit (ip access-list standard) ..................311 permit (mac access-list extended) ................. 313 remark .......................... 316 Part 8: QoS .......................... 318 20. QoS ..........................318 Names and values that can be specified ................ 319 ip qos-flow-group......................
  • Page 20 Contents dot1x vlan dynamic ignore-eapol-start ................412 dot1x vlan dynamic max-req ..................414 dot1x vlan dynamic radius-vlan..................415 dot1x vlan dynamic reauthentication ................417 dot1x vlan dynamic supplicant-detection ................ 418 dot1x vlan dynamic timeout quiet-period ................ 420 dot1x vlan dynamic timeout reauth-period..............422 dot1x vlan dynamic timeout server-timeout ..............
  • Page 21 Contents Correspondence between configuration commands and authentication modes ....508 aaa accounting mac-authentication ................510 aaa authentication mac-authentication................511 mac-authentication access-group .................. 513 mac-authentication authentication ................. 515 mac-authentication auto-logout..................517 mac-authentication force-authorized vlan ..............519 mac-authentication id-format ..................522 mac-authentication interface..................524 mac-authentication max-timer ..................
  • Page 22 Contents loop-detection threshold ....................591 31. CFM ..........................592 domain name ........................ 593 ethernet cfm cc alarm-priority ..................595 ethernet cfm cc alarm-reset-time ................... 597 ethernet cfm cc alarm-start-time ..................599 ethernet cfm cc enable ....................601 ethernet cfm cc interval ....................603 ethernet cfm domain......................
  • Page 23 Contents 36.1.6 Ethernet information................661 36.1.7 Link aggregation information ..............661 36.1.8 MAC address table information ............... 662 36.1.9 VLAN information..................663 36.1.10 Spanning tree information ..............666 36.1.11 Ring Protocol information ..............666 36.1.12 DHCP snooping information ..............669 36.1.13 IGMP snooping information ..............
  • Page 25: Part 1: Reading The Manuals

    Part 1: Reading the Manual Reading the Manual Command description format Command mode list Specifiable values for parameters List of character codes...
  • Page 26: Command Description Format

    Command description format Command description format Each command is described in the following format. Function Describes the purpose of the command. Input format Defines the input format of the command. The format is governed by the following rules: Parameters that set values or character strings are enclosed in angle brackets ( <>...
  • Page 27: Command Mode List

    Command mode list Command mode list The following table lists the command modes. Table 1-1 Command mode list Description Mode transition command Item Command mode name (config) > enable Global configuration mode # configure (config-line) (config)# line vty Configures remote login. (config-if) (config)# interface Configures an interface.
  • Page 28: Specifiable Values For Parameters

    Specifiable values for parameters Specifiable values for parameters The following table describes the values that can be specified for parameters. If there are no limitations on parameter names, see Any character string. Table 1-2 Specifiable values for parameters Parameter type Description Input example name...
  • Page 29 Switch is fixed to zero The following tables list the range of <IF#> values. Table 1-3 Range of <IF#> <IF# list> values for the AX1250S Model Ethernet type Range of values Item AX1250S-24T2C fastethernet 0/1 to 0/24 gigabitethernet...
  • Page 30 Specifiable values for parameters Table 1-4 Range of <IF#> <IF# list> values for the AX1240S Item Model Ethernet type Range of values AX1240S-24T2C/AX1240S-24P2C fastethernet 0/1 to 0/24 gigabitethernet 0/25 to 0/26 AX1240S-48T2C fastethernet 0/1 to 0/48 gigabitethernet 0/49 to 0/50 How to specify <IF# list>...
  • Page 31 Specifiable values for parameters Table 1-6 Range of <Channel group#> values Item Model Range of values All models 1 to 8 How to specify <Channel group# list> <Channel group# list> is written in parameter input format, use a hyphen ( ) or commas ) to specify multiple channel group numbers.
  • Page 32: List Of Character Codes

    List of character codes List of character codes The following table lists the character codes. Characters other than alphanumeric characters in the following list of character codes are special characters. Table 1-7 List of character codes Code Code Code Code Code Code Chara...
  • Page 33: Part 2: Operation And Management Of Switches

    Part 2: Operation and Management of Switches Connecting from an Operation Terminal ftp-server line vty transport input...
  • Page 34: Ftp-Server

    ftp-server ftp-server Permits FTP access from remote operation terminals. To set the IPv4 address of a remote operation terminal to permit or deny logging in to a Switch, set a common access list that is shared by Telnet access in config-line mode. Input format To set information: ftp-server...
  • Page 35: Line Vty

    line vty line vty Permits Telnet remote access to the Switch. This command is also used to limit the number of users that can be logged in remotely to a Switch at the same time. Configuration with this command allows remote access using the Telnet protocol from any remote operation terminal to be accepted.
  • Page 36 line vty Notes Configuration with this command allows remote access using the Telnet protocol from any remote operation terminal to be accepted. To limit access, set ip access-group transport input Related commands transport input ip access-group...
  • Page 37: Transport Input

    transport input transport input Restricts access using multiple protocols from remote terminals. Input format To set or change information: transport input {telnet | all | none} To delete information: no transport input Input mode (config-line) Parameters {telnet | all | none} telnet Accepts remote access that uses the Telnet protocol.
  • Page 38: Editing And Working With Configurations

    Editing and Working with Configurations exit save (write) show...
  • Page 39: End

    Ends configuration command mode and returns you to administrator mode. Input format Parameters None Response messages The following table describes the response messages for the command. Table 3-1 Response messages for the end command Message Description Unsaved changes would be lost when the When the following commands are configured, machine goes to sleep! configuration command mode will end without any...
  • Page 40: Exit

    exit exit Returns to the previous mode. If you are editing data in config mode, configuration command mode ends and administrator mode resumes. If you are editing data in subcommand mode, you are returned to the next higher level. Input format exit Parameters None...
  • Page 41: Save (Write)

    save (write) save (write) Saves the edited configuration to the startup configuration file. Input format save write Parameters None Response messages None Notes Saving the configuration file does not end configuration command mode. To finish editing, you must use the command or the command to exit configuration exit...
  • Page 42: Show

    show show Displays the configuration being edited. Input format show [ <Command> <Parameter> Parameters <Command> Specify the configuration command. <Parameter> Specify a parameter such as <VLAN ID> <ACL ID> that is a filter identifier for limiting displayed items. Notes If there are too many configurations, command execution might take time. In global configuration mode, <Command>...
  • Page 43: Top

    After a switch to configuration command mode, entering this command restores level-1 global configuration mode. Input format Parameters None Notes None Related commands None...
  • Page 44: Login Security And Radius

    Login Security and RADIUS aaa group server radius aaa authentication login ip access-group radius-server attribute station-id capitalize radius-server dead-interval radius-server host radius-server key radius-server retransmit radius-server timeout server...
  • Page 45: Aaa Group Server Radius

    aaa group server radius aaa group server radius Configures a RADIUS server group. Entering this command switches to config-group mode in which the RADIUS server group information can be set. Input format To set or change information: aaa group server radius <Group name>...
  • Page 46 aaa group server radius Related commands aaa authentication dot1x authentication mac-authentication authentication web-authentication authentication web-authentication user-group...
  • Page 47: Aaa Authentication Login

    aaa authentication login aaa authentication login Sets one or more authentication methods to be used for remote login. If the first specified method fails, the second specified method is used. Input format To set or change information: aaa authentication login default <Method>...
  • Page 48: Ip Access-Group

    ip access-group ip access-group Sets the access list that specifies the IPv4 addresses of the remote operation terminals for which remote login to the Switch is to be permitted or denied. This setting is common to all types of remote access (Telnet or FTP). Multiple lines for no more than 16 entries, including those in the access list set by using access-group, can be set.
  • Page 49 ip access-group Related commands ip access-list standard line vty ftp-server transport input...
  • Page 50: Radius-Server Attribute Station-Id Capitalize

    radius-server attribute station-id capitalize radius-server attribute station-id capitalize Sends the MAC address that is used for sending data to a RADIUS server with the RADIUS attribute in upper case. The applicable RADIUS attribute names are as follows: • Called-Station-Id • Calling-Station-Id Input format To set information:...
  • Page 51: Radius-Server Dead-Interval

    radius-server dead-interval radius-server dead-interval Configures a monitoring timer that operates for automatically restoring a general RADIUS server as the primary general RADIUS server. The primary general RADIUS server is restored when either of the following occurs: The currently operating server (the destination for RADIUS authentication requests) switches to being a valid secondary general RADIUS server, or when all servers are disabled, the monitoring timer starts and the period of time set by this command elapses (the monitoring timer expires).
  • Page 52 radius-server dead-interval Notes If more than three general RADIUS servers are configured and another general RADIUS server becomes the current server after the monitoring timer starts, the monitoring timer is not reset and continues to run. In general, when the monitoring timer has started, it does not reset until it expires. However, as exceptions, it resets in the following cases: ...
  • Page 53: Radius-Server Host

    radius-server host radius-server host Configures the general RADIUS server used for authentication. Input format To set or change information: radius-server host <IP address> [auth-port <Port> [acct-port <Port> [timeout <Seconds> ] [retransmit <Retries> ] [key <String> To delete information: no radius-server host <IP address>...
  • Page 54 radius-server host acct-port <Port> Sets the port number for RADIUS server accounting. Default value when this parameter is omitted: Port number 1813 Range of values: 65535 <Retries> retransmit Sets the number of times an authentication request is re-sent to the RADIUS server. Default value when this parameter is omitted: The number of times configured by using radius-server retransmit...
  • Page 55 radius-server host description about the radius-server dead-interval command. If a RADIUS server with the matching IP address has already been registered in the general RADIUS server configuration, authentication-specific RADIUS server configuration, or the RADIUS server group configuration, all of these parameters are replaced by the new commands that were entered automatically.
  • Page 56: Radius-Server Key

    radius-server key radius-server key Configures the default RADIUS server key used for authentication on a general RADIUS server or an authentication-specific RADIUS server. Input format To set or change information: radius-server key <String> To delete information: no radius-server key Input mode (config) Parameters <String>...
  • Page 57 radius-server key Related commands aaa authentication dot1x radius-server host mac-authentication radius-server host radius-server host radius-server retransmit radius-server timeout web-authentication radius-server host...
  • Page 58: Radius-Server Retransmit

    radius-server retransmit radius-server retransmit Configures the default number of times an authentication request is re-sent to the general RADIUS server used for authentication or to an authentication-specific RADIUS server. Input format To set or change information: radius-server retransmit <Retries> To delete information: no radius-server retransmit Input mode (config)
  • Page 59 radius-server retransmit Related commands aaa authentication dot1x radius-server host mac-authentication radius-server host radius-server host radius-server key radius-server timeout web-authentication radius-server host...
  • Page 60: Radius-Server Timeout

    radius-server timeout radius-server timeout Configures the default response timeout value for the general RADIUS server used for authentication or for an authentication-specific RADIUS server. Input format To set or change information: radius-server timeout <Seconds> To delete information: no radius-server timeout Input mode (config) Parameters...
  • Page 61 radius-server timeout Related commands aaa authentication dot1x radius-server host mac-authentication radius-server host radius-server host radius-server key radius-server retransmit web-authentication radius-server host...
  • Page 62: Server

    server server Configures a RADIUS server host in the RADIUS server group. Input format To set or change information: server <IP address> [auth-port <Port> ] [acct-port <Port> To delete information: no server <IP address> Input mode (config-group) Parameters <IP address> Sets the IPv4 address of the RADIUS server.
  • Page 63 server When the change is applied The change is applied immediately after setting values are changed. Notes A maximum of four RADIUS servers can be specified for each group. 127.*.*.* cannot be specified as an IPv4 address. The configuration of this command must meet both of the following conditions: ...
  • Page 64: Time Settings And Ntp

    Time Settings and NTP clock timezone ntp client server ntp client broadcast ntp client multicast ntp interval...
  • Page 65: Clock Timezone

    clock timezone clock timezone Sets the time zone. This Switch maintains the date and time internally in Coordinated Universal Time (UTC). Therefore, this setting has an effect only when the time is displayed by using an operation command or when the time is set by using the set clock command.
  • Page 66 clock timezone When the change is applied The change is applied immediately after setting values are changed. Notes If you change the Switch's time zone, statistics on CPU usage collected by the Switch will be cleared to zero. Related commands set clock...
  • Page 67: Ntp Client Server

    ntp client server ntp client server Sets the address of the NTP server from which time information can be obtained. A maximum of two entries can be set. Input format To set or change information: ntp client server <Server IP> To delete information: no ntp client server <Server IP>...
  • Page 68: Ntp Client Broadcast

    ntp client broadcast ntp client broadcast Sets acceptance of time information broadcast from an NTP server. Input format To set information: ntp client broadcast To delete information: no ntp client broadcast Input mode (config) Parameters None Default behavior The time information broadcast from the NTP server is not accepted. Impact on communication None When the change is applied...
  • Page 69: Ntp Client Multicast

    ntp client multicast ntp client multicast Sets acceptance of time information multicast from an NTP server. Input format To set information: ntp client multicast To delete information: no ntp client multicast Input mode (config) Parameters None Default behavior The time information multicast from the NTP server is not accepted. Impact on communication None When the change is applied...
  • Page 70: Ntp Interval

    ntp interval ntp interval Sets the interval for regularly obtaining time information from an NTP server. Input format To set or change information: ntp interval <Interval> To delete information: no ntp interval Input mode (config) Parameters <Interval> Sets the interval for obtaining time information from the NTP server. The interval is set in seconds in decimal.
  • Page 71: Device Management

    Device Management system function system l2-table mode system recovery...
  • Page 72: System Function

    system function system function Configures the distribution of system functional resources for a Switch. This setting applies to the following: • DHCP snooping • IGMP snooping • MLD snooping • Filters • Extended authentication functionality - Common to all authentication modes: Authentication IPv4 access list - IEEE 802.1X: Port-based authentication (dynamic) - Web authentication: Fixed VLAN mode, dynamic VLAN mode, and Web authentication IP address...
  • Page 73 system function The QoS functionality is used. Default value when this parameter is omitted: The QoS functionality cannot be used. Range of values: None igmp-snooping The IGMP snooping functionality is used. Default value when this parameter is omitted: The IGMP snooping functionality cannot be used. Range of values: None mld-snooping...
  • Page 74 system function Notes When this command is entered, the message below appears. Save the configuration and restart the Switch before entering another configuration command. Please execute the reload command after save, because this command becomes effective after reboot. If you enter this command, you cannot omit all of the parameters. At least one parameter must be set.
  • Page 75: System L2-Table Mode

    system l2-table mode system l2-table mode Sets a method for searching the Layer 2 hardware table. Input format To set or change information: system l2-table mode <Mode> To delete information: no system l2-table mode Input mode (config) Parameters <Mode> Selects the method for searching a table used for registration in the hardware table. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 76 system l2-table mode Notes When this command is entered, the message below appears. Save the configuration and restart the Switch before entering another configuration command. Please execute the reload command after save, because this command becomes effective after reboot. Related commands None...
  • Page 77: System Recovery

    system recovery system recovery When the no system recovery form of the command is set and a failure is detected, the Switch is not restarted and remains in the failure state. For details about the entities subject to failure and restoration, see 9 Switch Management in the Configuration Guide Vol.
  • Page 78: Power Saving

    Power Saving power-control port cool-standby schedule-power-control port cool-standby schedule-power-control port-led schedule-power-control shutdown interface schedule-power-control system-sleep schedule-power-control time-range system fan-control system port-led system port-led trigger console system port-led trigger interface system port-led trigger mc...
  • Page 79: Power-Control Port Cool-Standby

    power-control port cool-standby power-control port cool-standby Enables power saving for Fast Ethernet ports and gigabit Ethernet ports in the link-down status. Input format To set information: power-control port cool-standby To delete information: no power-control port cool-standby Input mode (config) Parameters None Default behavior Operation is at normal power consumption.
  • Page 80: Schedule-Power-Control Port Cool-Standby

    schedule-power-control port cool-standby schedule-power-control port cool-standby Configures power saving for a port during scheduled power saving. Input format To set information: schedule-power-control port cool-standby To delete information: no schedule-power-control port cool-standby Input mode (config) Parameters None Default behavior Operation is at normal power consumption when the port is in the link-down state. Impact on communication None When the change is applied...
  • Page 81: Schedule-Power-Control Port-Led

    schedule-power-control port-led schedule-power-control port-led Configures LED operation during scheduled power saving. Input format To set or change information: schedule-power-control port-led { enable | economy | disable } To delete information: no schedule-power-control port-led Input mode (config) Parameters enable Turns on the Switch LED according to the operating status. When the system port-led trigger command is not set:...
  • Page 82 schedule-power-control port-led Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When the LED has been disabled (turned off), ST1 and ACC (the memory card access LED) turn on with power saving brightness. The PWR LED is always on with normal brightness.
  • Page 83: Schedule-Power-Control Shutdown Interface

    schedule-power-control shutdown interface schedule-power-control shutdown interface Sets the port that shuts down while the scheduled power saving functionality is used. Shutting down the port turns off the power, reducing the amount of power consumed. Input format To set information: schedule-power-control shutdown interface <IF# list>...
  • Page 84 schedule-power-control shutdown interface Default behavior The operating status of a port is a state other than shutdown. For details about port statuses, see the description of the show port show interfaces operation command. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 85: Schedule-Power-Control System-Sleep

    schedule-power-control system-sleep schedule-power-control system-sleep Puts a Switch in the sleep state during scheduled power saving. Putting the Switch in the sleep state reduces the amount of power consumed. Input format To set information: schedule-power-control system-sleep To delete information: no schedule-power-control system-sleep Input mode (config) Parameters...
  • Page 86 schedule-power-control system-sleep • schedule-power-control shutdown interface Related commands schedule-power-control time-range...
  • Page 87: Schedule-Power-Control Time-Range

    schedule-power-control time-range schedule-power-control time-range Sets the time of execution of the scheduled power saving functionality (on a specified date, on a specified day of the week, or daily) and whether a schedule command can be executed. Input format To set or change information: schedule-power-control time-range <Entry number>...
  • Page 88 schedule-power-control time-range Range of values: date weekly , or everyday Parameters for specifying a date start-time <YYMMDD> <HHMM> Specify the start date and time. Specify the last two digits of the year (00 to 38). Example: Specify 00 for 2000. Specify the month (01 to 12).
  • Page 89 schedule-power-control time-range Parameters for specifying weekly start-time {sun | mon | tue | wed | thu | fri | sat} <HHMM> Specify the start day of the week and the time. Sets Sunday. Sets Monday. Sets Tuesday. Sets Wednesday. Sets Thursday. Sets Friday.
  • Page 90 schedule-power-control time-range Specify the hour (00 to 23). Specify the minute (00 to 59). Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Select , or , and specify a time for <HHMM>. Parameters for specifying everyday <HHMM>...
  • Page 91 schedule-power-control time-range power-control port cool-standby shutdown Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: enable disable Default behavior None Impact on communication If sleep mode is set for a Switch, all communication stops when the scheduled power saving time arrives.
  • Page 92: System Fan-Control

    system fan-control system fan-control Enables the cooling fan control functionality, which operates by monitoring the internal temperature. Input format To set information: system fan-control To delete information: no system fan-control Input mode (config) Parameters None Default behavior The functionality is always enabled. Impact on communication None When the change is applied...
  • Page 93: System Port-Led

    system port-led system port-led Configures a Switch's LED operation. Input format To set or change information: system port-led { enable | economy | disable } To delete information: no system port-led Input mode (config) Parameters enable Turns on the Switch LED according to the operating status. When the system port-led trigger command is not set:...
  • Page 94 system port-led Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When the LED has been disabled (turned off), ST1 and ACC (the memory card access LED) turn on with power saving brightness. The PWR LED is always on with normal brightness.
  • Page 95: System Port-Led Trigger Console

    system port-led trigger console system port-led trigger console Adds login to and logout from a Switch via a console (RS-232C) connection as a trigger for automatic LED operation. Input format To set information: system port-led trigger console To delete information: no system port-led trigger console Input mode (config)
  • Page 96: System Port-Led Trigger Interface

    system port-led trigger interface system port-led trigger interface Adds link-up and link-down of the specified physical port as a trigger for automatic LED operation. Input format To set or change information: system port-led trigger interface <IF# list> To delete information: no system port-led trigger interface Input mode (config) Parameters...
  • Page 97: System Port-Led Trigger Mc

    system port-led trigger mc system port-led trigger mc Adds insertion and removal of a memory card as a trigger for automatic LED operation. Input format To set information: system port-led trigger mc To delete information: no system port-led trigger mc Input mode (config) Parameters None...
  • Page 98: Part 3: Network Interface

    Part 3: Network Interface Ethernet bandwidth description duplex flowcontrol interface fastethernet interface gigabitethernet link debounce linkscan-mode mdix auto media-type power inline power inline allocation power inline priority-control disable shutdown speed system mtu...
  • Page 99: Bandwidth

    bandwidth bandwidth Sets the bandwidth of a line. Input format To set or change information: bandwidth <kbit/s> To delete information: no bandwidth Input mode (config-if) Parameters <kbit/s> Sets the line bandwidth in kbit/s. This setting is used for the ifSpeed ifHighSpeed (SNMP MIB) value of the applicable line, and has no impact on communication.
  • Page 100: Description

    description description Sets supplementary information. This command can be used as a comment about the line. Note that when this command is set, information can be checked by using the show interfaces ifDescr (SNMP MIB) operation command. Input format To set or change information: description <String>...
  • Page 101: Duplex

    1000BASE-T full speed 10 speed 100 (when is set) full speed 100 auto 100BASE-FX (when is set) (always full duplex [AX1250S] operation) auto speed auto auto 1000 auto 1000BASE-X (when is set) (always full duplex operation) full speed 1000 (when...
  • Page 102 duplex Default behavior auto is set. Impact on communication If this command is set for the port in use, the port goes down and communication stops temporarily. Thereafter, the port restarts. When the change is applied The change is applied immediately after setting values are changed. Notes auto or a parameter containing...
  • Page 103: Flowcontrol

    flowcontrol flowcontrol Sets flow control. Input format To set or change information: flowcontrol send {desired | on | off} flowcontrol receive {desired | on | off} To delete information: no flowcontrol send no flowcontrol receive Input mode (config-if) Parameters send {desired | on | off} Sets send operation for the pause packets of the flow control functionality.
  • Page 104 flowcontrol Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: receive desired receive on receive off Default behavior 10BASE-T, 100BASE-TX, or 100BASE-FX port: Both receive operation and send operation 1000BASE-T or 1000BASE-X port: Receive operation is but send operation is desired Impact on communication...
  • Page 105: Interface Fastethernet

    interface fastethernet interface fastethernet Sets items related to 10BASE-T or 100BASE-TX lines. Entering this command switches to config-if mode in which information about the relevant line can be set. Input format To set or change information: interface fastethernet <IF#> Input mode (config) Parameters <IF#>...
  • Page 106: Interface Gigabitethernet

    interface gigabitethernet interface gigabitethernet Sets items related to 10BASE-T/100BASE-TX/1000BASE-T, 100BASE-FX, and 1000BASE-X lines. Entering this command switches to config-if mode in which information about the relevant line can be set. Input format To set or change information: interface gigabitethernet <IF#> Input mode (config) Parameters...
  • Page 107: Link Debounce

    link debounce link debounce Sets the link-down detection time after a link failure is detected until the actual link-down occurs. When a large value is set for this command, temporary link-downs will not be detected so the link will be prevented from becoming unstable. Input format To set or change information: link debounce [time...
  • Page 108: Linkscan-Mode

    linkscan-mode linkscan-mode Sets the operating mode for monitoring the link status of a Switch. Input format To set information: linkscan-mode <Mode> To delete information: no linkscan-mode <Mode> Input mode (config) Parameters <Mode> Sets the operating mode for monitoring the link status. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 109: Mdix Auto

    mdix auto mdix auto Sets the MDI functionality of the port to be used. Input format To set information: no mdix auto To delete information: mdix auto Input mode (config-if) Parameters None Default behavior During auto-negotiation, MDI and MDI-X are switched automatically. Impact on communication None When the change is applied...
  • Page 110: Media-Type

    media-type media-type Selects the type of port to be used as a port on which 10BASE-T/100BASE-TX/1000BASE-T (RJ45) and 100BASE-FX/1000BASE-X (SFP) can be switched. Input format To set or change information: media-type {rj45 | sfp | auto} To delete information: no media-type Input mode (config-if) Parameters...
  • Page 111 media-type Notes This command cannot be set for non-gigabit interfaces. When media-type is changed, the settings of the following commands return to the default state: duplex, mdix auto, and speed. When media-type auto is set, the following commands cannot be set. Use the default value.
  • Page 112: Mtu

    Sets the MTU for ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Input format To set or change information: <Length>...
  • Page 113 Notes The table below describes the MTU of the applicable port and the frame length that can be sent or received (the maximum length of frames in Ethernet V2 format#, excluding the FCS). #: For details about the frame format, see 12.1.3 Control on the MAC and LLC sublayers in Configuration Guide Vol.
  • Page 114: Power Inline

    power inline power inline Sets the port priority. Setting the power priority for each port ensures that power is supplied to the appropriate ports. Input format To set or change information: power inline {critical | high | low | never } To delete information: no power inline Input mode...
  • Page 115 power inline If the inactivate activate operation command is executed, the supply of power continues. If you execute the activate power inline operation command for a port with never set, power is not supplied. If more than one port has the same setting, the port with the lower port number has priority.
  • Page 116: Power Inline Allocation

    power inline allocation power inline allocation Sets power allocation for each port either based on its class or manually. Input format To set or change information: power inline allocation {auto | limit <Threshold>} To delete information: no power inline allocation Input mode (config-if) Parameters...
  • Page 117 power inline allocation Impact on communication When the change is applied The change is applied immediately after setting values are changed. Notes When specifying manual allocation settings, read the documentation for the power-receiving device. The customer performs the operation at the customer's own risk.
  • Page 118: Power Inline Priority-Control Disable

    power inline priority-control disable power inline priority-control disable Assigns priority to a powered port. Input format To set information: power inline priority-control disable To delete information: no power inline priority-control disable Input mode (config) Parameters None Default behavior The priority setting for ports is enabled. Impact on communication Power to all ports is temporarily stopped.
  • Page 119: Shutdown

    shutdown shutdown Places the port in the shutdown state. If a port with the PoE functionality is shut down, power is no longer supplied. Input format To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None Impact on communication...
  • Page 120: Speed

    speed speed Sets the port speed. Input format To set or change information: speed { 10 | 100 | 1000 | auto | auto {10 | 100 | 1000 | 10 100 | 10 100 1000} } To delete information: no speed Input mode (config-if)
  • Page 121 100BASE-TX/ auto 1000BASE-T auto 10 auto 100 auto 1000 auto 10 100 auto 10 100 1000 auto 100BASE-FX [AX1250S] 1000 auto 1000BASE-X auto auto 1000 Default value when this parameter is omitted: This parameter cannot be omitted. Range of values:...
  • Page 122 speed Related commands duplex media-type...
  • Page 123: System Mtu

    system mtu system mtu Sets MTU of all ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Input format To set or change information: system mtu <Length>...
  • Page 124 system mtu Line type setting system mtu Length of a frame Line setting that can be sent or MTU (in received (in octets) octets) 10BASE-T (full and Not related Not related Tagged 1518 1500 half-duplex), 100BASE-TX Untagged 1514 (half-duplex) All other cases Not related Tagged M1 Untagged M1...
  • Page 125: Link Aggregation

    Link Aggregation channel-group lacp system-priority channel-group max-active-port channel-group mode channel-group periodic-timer description interface port-channel lacp port-priority lacp system-priority shutdown...
  • Page 126: Channel-Group Lacp System-Priority

    channel-group lacp system-priority channel-group lacp system-priority Sets the LACP system priority of a channel group for link aggregation. Input format To set or change information: channel-group lacp system-priority <Priority> To delete information: no channel-group lacp system-priority Input mode (config-if) Parameters <Priority>...
  • Page 127: Channel-Group Max-Active-Port

    channel-group max-active-port channel-group max-active-port Sets the maximum number of ports actually used in a channel group for link aggregation. Input format To set or change information: channel-group max-active-port <Number> [no-link-down] To delete information: no channel-group max-active-port Input mode (config-if) Parameters <Number>...
  • Page 128 channel-group max-active-port Notes Use this command in static link aggregation mode. If you set the command, match its settings to the settings of the max-active-port commands on the destination device. max-active-port lacp port-priority To change link-down or no-link-down for the standby link mode, first delete the parameter, and then set it again.
  • Page 129: Channel-Group Mode

    channel-group mode channel-group mode Creates a channel group for link aggregation. Input format To set or change information: channel-group <Channel group#> mode {on | {active | passive}} To delete information: no channel-group Input mode (config-if) Parameters <Channel group#> Sets the channel group number for link aggregation. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 130 channel-group mode When the change is applied The change is applied immediately after setting values are changed. Notes To change static link aggregation to LACP-based link aggregation, or vice versa, delete this command, change the mode, and then set the command again. When channel-group mode is set, the...
  • Page 131: Channel-Group Periodic-Timer

    channel-group periodic-timer channel-group periodic-timer Sets the LACPDU sending interval. Input format To set or change information: channel-group periodic-timer {long | short} To delete information: no channel-group periodic-timer Input mode (config-if) Parameters { long | short } Sets the interval at which the remote device sends LACPDUs to a Switch. long: 30 seconds short: one second...
  • Page 132: Description

    description description Sets supplementary information. Input format To set or change information: description <String> To delete information: no description Input mode (config-if) Parameters <String> Sets supplementary information for the applicable channel group for link aggregation. Use this command to create a note related to the interface. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 133: Interface Port-Channel

    interface port-channel interface port-channel Sets an item related to a port channel interface. Entering this command switches to config-if mode, which allows you to set the configuration command for specifying the channel group number. A port channel interface is automatically generated when the channel-group mode command is set.
  • Page 134: Lacp Port-Priority

    lacp port-priority lacp port-priority Sets the port priority. Input format To set or change information: lacp port-priority <Priority> To delete information: no lacp port-priority Input mode (config-if) Parameters <Priority> Sets the port priority. The lower the priority value, the higher the priority. When is set for the command...
  • Page 135 lacp port-priority Related commands interface fastethernet interface gigabitethernet channel-group mode channel-group max-active-port...
  • Page 136: Lacp System-Priority

    lacp system-priority lacp system-priority Sets the effective LACP system priority for a Switch. Input format To set or change information: lacp system-priority <Priority> To delete information: no lacp system-priority Input mode (config) Parameters <Priority> Sets the LACP system priority. The lower the priority value, the higher the priority. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 137: Shutdown

    shutdown shutdown Always disables the applicable channel group for link aggregation, and stops communication. Input format To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None Impact on communication If the priority is set for an operating channel group, the channel group goes down. When the change is applied The change is applied immediately after setting values are changed.
  • Page 138: Part 4: Layer 2 Switching

    Part 4: Layer 2 Switching MAC Address Table mac-address-table aging-time mac-address-table static...
  • Page 139: Mac-Address-Table Aging-Time

    mac-address-table aging-time mac-address-table aging-time Sets the aging conditions for MAC address table entries. Input format To set or change information: mac-address-table aging-time <Seconds> To delete information: no mac-address-table aging-time Input mode (config) Parameters <Seconds> Sets the aging time in seconds. If is set, aging is not performed.
  • Page 140 mac-address-table aging-time Related commands None...
  • Page 141: Mac-Address-Table Static

    mac-address-table static mac-address-table static Sets the static MAC address table information. Input format To set or change information: mac-address-table static <MAC> vlan <VLAN ID> interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no mac-address-table static <MAC>...
  • Page 142 mac-address-table static Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If you set a static entry for the default VLAN (VLAN ID = 1), explicitly set vlan 1 for the output destination interface.
  • Page 143: Vlan

    VLAN interface vlan l2protocol-tunnel eap l2protocol-tunnel stp mac-address name protocol state switchport access switchport isolation switchport mac switchport mode switchport protocol switchport trunk vlan vlan-protocol...
  • Page 144: Interface Vlan

    interface vlan interface vlan Sets a VLAN interface. Setting the VLAN interface allows you to set IP addresses for VLANs. Input format To set or change information: interface vlan <VLAN ID> To delete information: no interface vlan <VLAN ID> Input mode (config) Parameters <VLAN ID>...
  • Page 145: L2Protocol-Tunnel Eap

    l2protocol-tunnel eap l2protocol-tunnel eap Enables the EAPOL forwarding functionality and sets it for a Switch. Input format To set information: l2protocol-tunnel eap To delete information: no l2protocol-tunnel eap Input mode (config) Parameters None Default behavior The EAPOL forwarding functionality is invalid. Impact on communication None When the change is applied...
  • Page 146: L2Protocol-Tunnel Stp

    l2protocol-tunnel stp l2protocol-tunnel stp Enables the BPDU forwarding functionality and sets it for a Switch. Input format To set information: l2protocol-tunnel stp To delete information: no l2protocol-tunnel stp Input mode (config) Parameters None Default behavior The BPDU forwarding functionality is invalid. Impact on communication None When the change is applied...
  • Page 147: Mac-Address

    mac-address mac-address Sets the MAC address used to identify a MAC VLAN. Input format To set or change information: mac-address <MAC> To delete information: no mac-address <MAC> Input mode (config-vlan) (MAC VLAN only) Parameters <MAC> Sets the MAC address that will be set for the MAC VLAN. The mac-address command can be set only when the applicable VLAN is a MAC VLAN.
  • Page 148: Name

    name name Sets a VLAN name. Input format To set or change information: name <String> To delete information: no name Input mode (config-vlan) Parameters <String> Sets the VLAN name. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Specify a character string that is no more than 32 characters.
  • Page 149 name Related commands None...
  • Page 150: Protocol

    protocol protocol Sets the protocol used to distinguish a protocol VLAN. Input format To set or change information: protocol <Protocol name> To delete information: no protocol <Protocol name> Input mode (config-vlan) Parameters <Protocol name> Sets the protocol name of a protocol VLAN. The protocol command can be set only when the applicable VLAN is a protocol VLAN.
  • Page 151: State

    state state Sets the VLAN status. Input format To set or change information: state {suspend | active} To delete information: no state Input mode (config-vlan) Parameters {suspend | active} suspend Sets disable as the VLAN status and stops the sending and receiving of all frames.
  • Page 152: Switchport Access

    switchport access switchport access Sets the access port information. Input format To set or change information: switchport access vlan <VLAN ID> To delete information: no switchport access vlan Input mode (config-if) Parameters <VLAN ID> vlan Sets a VLAN for an access port. Specifiable VLANs are port VLANs or MAC VLANs. A protocol VLAN cannot be set.
  • Page 153: Switchport Isolation

    switchport isolation switchport isolation Configures the inter-port relay isolation functionality. Input format To set information: switchport isolation interface fastethernet <IF# list> switchport isolation interface gigabitethernet <IF# list> To change information: switchport isolation interface {fastethernet <IF# list> | gigabitethernet <IF# list> | add {fastethernet <IF# list>...
  • Page 154 switchport isolation Default behavior Forwarding between ports is not isolated. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes The functionality for suppressing inter-port forwarding is entered from the port set by interface of the switchport isolation...
  • Page 155: Switchport Mac

    switchport mac switchport mac Sets the MAC port information. Input format To set information: switchport mac vlan <VLAN ID list> switchport mac native vlan <VLAN ID> switchport mac dot1q vlan <VLAN ID list> To change information: switchport mac {vlan <VLAN ID list> | vlan add <VLAN ID list>...
  • Page 156 switchport mac Specifiable VLANs are port VLANs or MAC VLANs. A VLAN set by using the switchport mac vlan command cannot be set. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: For details about how to set <VLAN ID list>...
  • Page 157 switchport mac Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If no effective MAC VLANs are set, the port operates as an access port. setting takes effect when switchport mac dot1q vlan switchport mode mac is set.
  • Page 158: Switchport Mode

    switchport mode switchport mode Configures the Layer 2 interface attribute (port type). Input format To set or change information: switchport mode {access | trunk | protocol-vlan | mac-vlan } To delete information: no switchport mode Input mode (config-if) Parameters access Sets the applicable interface as an access port.
  • Page 159 switchport mode Notes If the applicable interface is set as a trunk port, set the VLANs by using the switchport trunk allowed vlan command. If an interface is set as a trunk port and switchport trunk allowed vlan is not set, all frames on the applicable interface are discarded. If the applicable interface is set as a protocol port, set the protocol VLAN by using the switchport protocol command.
  • Page 160: Switchport Protocol

    switchport protocol switchport protocol Sets the protocol port information. Input format To set information: switchport protocol vlan <VLAN ID list> switchport protocol native vlan <VLAN ID> To change information: switchport protocol {vlan <VLAN ID list> | vlan add <VLAN ID list> | vlan remove <VLAN ID list>...
  • Page 161 switchport protocol vlan remove <VLAN ID list> Removes an effective protocol VLAN on the port from the VLAN list. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: For details about how to set <VLAN ID list>...
  • Page 162: Switchport Trunk

    switchport trunk switchport trunk Sets the trunk port information. Input format To set information: switchport trunk allowed vlan <VLAN ID list> switchport trunk native vlan <VLAN ID> To change information: switchport trunk native vlan <VLAN ID> switchport trunk allowed vlan { <VLAN ID list>...
  • Page 163 switchport trunk Range of values: For details about how to set <VLAN ID list> and the specifiable values, see Specifiable values for parameters. remove <VLAN ID list> Removes a VLAN from the VLAN list that is set. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 164: Vlan

    vlan vlan Sets VLAN-related items. Input format To set or change information: vlan <VLAN ID> vlan <VLAN ID list> vlan <VLAN ID> protocol-based vlan <VLAN ID list> protocol-based vlan <VLAN ID> mac-based <VLAN ID list> vlan mac-based To delete information: <VLAN ID>...
  • Page 165 vlan Notes on using this parameter: - When configuring protocol VLANs, you must set protocol-based - You cannot specify this parameter for VLANs you have already created as port VLANs and MAC VLANs. mac-based Set this parameter for MAC VLANs. Default value when this parameter is omitted: The VLANs become port VLANs.
  • Page 166 vlan cannot be deleted. As the initial state of the default VLAN, all ports are access ports. The following table explains the parameter items that can be set for the default VLAN and behavior specific to the default VLAN. vlan command: The following table applies to the vlan...
  • Page 167 vlan Related commands None...
  • Page 168: Vlan-Protocol

    vlan-protocol vlan-protocol Sets the protocol name and protocol value for a protocol VLAN. Input format To set or change information: vlan-protocol <Protocol name> [ethertype <HEX enum> ] [llc <HEX enum> [snap-ethertype <HEX enum> To delete information: no vlan-protocol <Protocol name> Input mode (config) Parameters...
  • Page 169 vlan-protocol Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Note, however, that for protocols that have not been set by the protocol command for the protocol VLAN, the change is applied when the protocol name is set by the protocol command.
  • Page 170: Spanning Trees

    Spanning Trees instance name revision spanning-tree bpdufilter spanning-tree bpduguard spanning-tree cost spanning-tree disable spanning-tree guard spanning-tree link-type spanning-tree loopguard default spanning-tree mode spanning-tree mst configuration spanning-tree mst cost spanning-tree mst forward-time spanning-tree mst hello-time spanning-tree mst max-age spanning-tree mst max-hops spanning-tree mst port-priority spanning-tree mst root priority spanning-tree mst transmission-limit...
  • Page 171 vlan-protocol spanning-tree vlan forward-time spanning-tree vlan hello-time spanning-tree vlan max-age spanning-tree vlan mode spanning-tree vlan pathcost method spanning-tree vlan port-priority spanning-tree vlan priority spanning-tree vlan transmission-limit...
  • Page 172: Instance

    instance instance Sets the VLANs that will participate in the MST instances of multiple spanning trees. Input format To set or change information: instance <MSTI ID> vlans <VLAN ID list> To delete information: no instance <MSTI ID> Input mode (config-mst) Parameters <MSTI ID>...
  • Page 173 instance When the change is applied The change is applied immediately after setting values are changed. Notes show command does not display the information about MST instance ID0. Related commands spanning-tree mst configuration...
  • Page 174: Name

    name name Sets a string that identifies the regions of multiple spanning trees. Input format To set or change information: name <Name> To delete information: no name Input mode (config-mst) Parameters <Name> Sets the character string used to identify a region. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 175: Revision

    revision revision Sets a revision number for identifying the regions of multiple spanning trees. Input format To set or change information: revision <Version> To delete information: no revision Input mode (config-mst) Parameters <Version> Sets the revision number for identifying a region. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 176: Spanning-Tree Bpdufilter

    spanning-tree bpdufilter spanning-tree bpdufilter Sets the BPDU filter functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. Input format To set information: spanning-tree bpdufilter enable To delete information: no spanning-tree bpdufilter Input mode (config-if) Parameters None...
  • Page 177: Spanning-Tree Bpduguard

    spanning-tree bpduguard spanning-tree bpduguard Sets the BPDU guard functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports, and operates on ports on which the PortFast functionality has been set. Input format To set or change information: spanning-tree bpduguard { enable | disable } To delete information: no spanning-tree bpduguard...
  • Page 178: Spanning-Tree Cost

    spanning-tree cost spanning-tree cost Sets the path cost of the applicable port. This command is applied to PVST+, single spanning trees, and multiple spanning trees. Input format To set or change information: spanning-tree cost <Cost> To delete information: no spanning-tree cost Input mode (config-if) Parameters...
  • Page 179 spanning-tree cost single pathcost method command is set, the value of the spanning-tree pathcost method command is not applied. Related commands spanning-tree pathcost method spanning-tree vlan pathcost method spanning-tree vlan cost spanning-tree single pathcost method spanning-tree single cost spanning-tree mst cost...
  • Page 180: Spanning-Tree Disable

    spanning-tree disable spanning-tree disable Stops operation of the spanning tree functionality for PVST+, single spanning trees, and multiple spanning trees. Input format To set information: spanning-tree disable To delete information: no spanning-tree disable Input mode (config) Parameters None Default behavior The spanning tree functionality is enabled.
  • Page 181: Spanning-Tree Guard

    spanning-tree guard spanning-tree guard Sets the guard functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. Input format To set or change information: spanning-tree guard { loop | none | root } To delete information: no spanning-tree guard Input mode...
  • Page 182 spanning-tree guard Notes When the spanning-tree portfast default command or the spanning-tree portfast command is set, the loop guard setting is not applied. Instead, the root guard setting is applied. Related commands spanning-tree loopguard default...
  • Page 183: Spanning-Tree Link-Type

    spanning-tree link-type spanning-tree link-type Sets the link type of the applicable port. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. If you change the high-speed topology when rapid-pvst is set for the spanning-tree mode command, and rapid-pvst is set for the spanning-tree vlan mode...
  • Page 184 spanning-tree link-type Related commands spanning-tree mode spanning-tree vlan mode spanning-tree single mode...
  • Page 185: Spanning-Tree Loopguard Default

    spanning-tree loopguard default spanning-tree loopguard default Sets the loop guard functionality that is used by default. This command is valid for PVST+ and single-spanning-tree ports. Input format To set information: spanning-tree loopguard default To delete information: no spanning-tree loopguard default Input mode (config) Parameters...
  • Page 186: Spanning-Tree Mode

    spanning-tree mode spanning-tree mode Sets the operating mode of a spanning tree. This command is applied to PVST+ other than for single spanning trees, and to multiple spanning trees. If the spanning-tree vlan mode command is set in a PVST+ operating mode, the settings for that command are used. Input format To set or change information: spanning-tree mode { pvst | rapid-pvst | mst }...
  • Page 187: Spanning-Tree Mst Configuration

    spanning-tree mst configuration spanning-tree mst configuration Switches to config-mst mode in which you can set the information necessary for forming the regions of multiple spanning trees. If this setting is deleted, all information necessary for forming regions that has already been set is deleted. Input format To set information: spanning-tree mst configuration...
  • Page 188: Spanning-Tree Mst Cost

    spanning-tree mst cost spanning-tree mst cost Sets the path cost for the applicable multiple-spanning-tree ports. Input format To set or change information: spanning-tree mst <MSTI ID list> cost <Cost> To delete information: no spanning-tree mst <MSTI ID list> cost Input mode (config-if) Parameters <MSTI ID list>...
  • Page 189 spanning-tree mst cost Related commands spanning-tree cost...
  • Page 190: Spanning-Tree Mst Forward-Time

    spanning-tree mst forward-time spanning-tree mst forward-time Sets the time required for a multiple-spanning-tree status transition. Input format To set or change information: spanning-tree mst forward-time <Seconds> To delete information: no spanning-tree mst forward-time Input mode (config) Parameters <Seconds> Specify the time in seconds required for the state of a port to change. For ports in stp-compatible mode, only the listening and the learning states can be maintained for the specified period of time.
  • Page 191: Spanning-Tree Mst Hello-Time

    spanning-tree mst hello-time spanning-tree mst hello-time Sets the interval for sending BPDUs in multiple spanning trees. Input format To set or change information: spanning-tree mst hello-time <Hello time> To delete information: no spanning-tree mst hello-time Input mode (config) Parameters <Hello time> Specify the interval in seconds for sending BPDUs that are sent regularly from a Switch.
  • Page 192: Spanning-Tree Mst Max-Age

    spanning-tree mst max-age spanning-tree mst max-age Sets the maximum enabled time for BPDUs to be sent using multiple spanning trees. Input format To set or change information: spanning-tree mst max-age <Seconds> To delete information: no spanning-tree mst max-age Input mode (config) Parameters <Seconds>...
  • Page 193: Spanning-Tree Mst Max-Hops

    spanning-tree mst max-hops spanning-tree mst max-hops Sets the maximum number of hop counts for BPDUs in multiple spanning trees. Input format To set or change information: spanning-tree mst max-hops <Hop number> spanning-tree mst <MSTI ID list> max-hops <Hop number> To delete information: no spanning-tree mst max-hops no spanning-tree mst <MSTI ID list>...
  • Page 194 spanning-tree mst max-hops Related commands None...
  • Page 195: Spanning-Tree Mst Port-Priority

    spanning-tree mst port-priority spanning-tree mst port-priority Sets the priority of the applicable multiple-spanning-tree ports for each MST instance. Input format To set or change information: spanning-tree mst <MSTI ID list> port-priority <Priority> To delete information: no spanning-tree mst <MSTI ID list> port-priority Input mode (config-if)
  • Page 196 spanning-tree mst port-priority Notes None Related commands spanning-tree port-priority...
  • Page 197: Spanning-Tree Mst Root Priority

    spanning-tree mst root priority spanning-tree mst root priority Sets the bridge priority for each MST instance in multiple spanning trees. Input format To set or change information: spanning-tree mst <MSTI ID list> root priority <Priority> To delete information: no spanning-tree mst <MSTI ID list>...
  • Page 198 spanning-tree mst root priority Related commands None...
  • Page 199: Spanning-Tree Mst Transmission-Limit

    spanning-tree mst transmission-limit spanning-tree mst transmission-limit Sets the maximum number of BPDUs that can be sent for each hello-time period for multiple spanning trees. Input format To set or change information: spanning-tree mst transmission-limit <Counts> To delete information: no spanning-tree mst transmission-limit Input mode (config) Parameters...
  • Page 200: Spanning-Tree Pathcost Method

    spanning-tree pathcost method spanning-tree pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost of a port. This command is applied to PVST+ and single spanning trees, but not to multiple spanning trees. When the spanning-tree vlan pathcost method command or the...
  • Page 201 spanning-tree pathcost method Default behavior short is set for path cost mode. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When is set for the spanning-tree mode command, the multiple spanning tree operates using a 32-bit value.
  • Page 202: Spanning-Tree Port-Priority

    spanning-tree port-priority spanning-tree port-priority Sets the port priority of the applicable ports. This command is applied to PVST+, single spanning trees, and multiple spanning trees. Input format To set or change information: spanning-tree port-priority <Priority> To delete information: no spanning-tree port-priority Input mode (config-if) Parameters...
  • Page 203: Spanning-Tree Portfast

    spanning-tree portfast spanning-tree portfast Sets the PortFast functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. Input format To set or change information: spanning-tree portfast [{ trunk | disable }] To delete information: no spanning-tree portfast Input mode (config-if)
  • Page 204: Spanning-Tree Portfast Bpduguard Default

    spanning-tree portfast bpduguard default spanning-tree portfast bpduguard default Sets the BPDU guard functionality to be used by default. This command is valid for all ports on which the PortFast functionality of PVST+, single spanning trees, and multiple spanning trees is set. Input format To set information: spanning-tree portfast bpduguard default...
  • Page 205: Spanning-Tree Portfast Default

    spanning-tree portfast default spanning-tree portfast default Sets the PortFast functionality to be used by default. This command is valid on the access, protocol, and MAC ports of PVST+, single spanning trees, and multiple spanning trees. Input format To set information: spanning-tree portfast default To delete information: no spanning-tree portfast default...
  • Page 206: Spanning-Tree Single

    spanning-tree single spanning-tree single Starts calculation of the topology for single spanning trees. If the spanning-tree operating mode is PVST+, VLAN 1 becomes subject to a single spanning tree. Input format To set information: spanning-tree single To delete information: no spanning-tree single Input mode (config) Parameters...
  • Page 207: Spanning-Tree Single Cost

    spanning-tree single cost spanning-tree single cost Sets the path cost for the applicable single-spanning-tree ports. Input format To set or change information: spanning-tree single cost <Cost> To delete information: no spanning-tree single cost Input mode (config-if) Parameters <Cost> Specify the path cost value. The lower the <Cost>...
  • Page 208 spanning-tree single cost Related commands spanning-tree cost spanning-tree pathcost method spanning-tree single pathcost method...
  • Page 209: Spanning-Tree Single Forward-Time

    spanning-tree single forward-time spanning-tree single forward-time Sets the time required for the state of a single spanning tree to change. Input format To set or change information: spanning-tree single forward-time <Seconds> To delete information: no spanning-tree single forward-time Input mode (config) Parameters <Seconds>...
  • Page 210: Spanning-Tree Single Hello-Time

    spanning-tree single hello-time spanning-tree single hello-time Sets the interval for sending single-spanning-tree BPDUs. Input format To set or change information: spanning-tree single hello-time <Hello time> To delete information: no spanning-tree single hello-time Input mode (config) Parameters <Hello time> Specify the interval in seconds for sending BPDUs that are sent regularly from a Switch.
  • Page 211: Spanning-Tree Single Max-Age

    spanning-tree single max-age spanning-tree single max-age Sets the maximum enabled time for BPDUs to be sent using spanning trees. Input format To set or change information: spanning-tree single max-age <Seconds> To delete information: no spanning-tree single max-age Input mode (config) Parameters <Seconds>...
  • Page 212: Spanning-Tree Single Mode

    spanning-tree single mode spanning-tree single mode Sets the operating mode of single spanning trees. Input format To set or change information: spanning-tree single mode { stp | rapid-stp } To delete information: no spanning-tree single mode Input mode (config) Parameters { stp | rapid-stp } Sets the protocol to be used.
  • Page 213: Spanning-Tree Single Pathcost Method

    spanning-tree single pathcost method spanning-tree single pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for single-spanning-tree ports. If the spanning-tree single cost command setting is omitted, the following values are applied to the path cost according to the interface speed and the setting of the spanning-tree single pathcost method command.
  • Page 214 spanning-tree single pathcost method Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands None...
  • Page 215: Spanning-Tree Single Port-Priority

    spanning-tree single port-priority spanning-tree single port-priority Sets the priority for the applicable single-spanning-tree ports. Input format To set or change information: spanning-tree single port-priority <Priority> To delete information: no spanning-tree single port-priority Input mode (config-if) Parameters <Priority> Sets the port priority. Use a multiple of 16 as the port priority. The lower the priority value, the higher the priority.
  • Page 216: Spanning-Tree Single Priority

    spanning-tree single priority spanning-tree single priority Sets the bridge priority for single spanning trees. Input format To set or change information: spanning-tree single priority <Priority> To delete information: no spanning-tree single priority Input mode (config) Parameters <Priority> Sets the bridge priority. The lower the priority value, the higher the priority. Use a multiple of 4096 as the bridge priority.
  • Page 217: Spanning-Tree Single Transmission-Limit

    spanning-tree single transmission-limit spanning-tree single transmission-limit Sets the maximum number of BPDUs that can be sent for the hello-time period of single spanning trees. Input format To set or change information: spanning-tree single transmission-limit <Counts> To delete information: no spanning-tree single transmission-limit Input mode (config) Parameters...
  • Page 218: Spanning-Tree Vlan

    spanning-tree vlan spanning-tree vlan Configures PVST+. If the no spanning-tree vlan command is set when the spanning-tree single command has been set, the applicable VLAN operates subject to a single spanning tree. Input format To set or change information: no spanning-tree vlan <VLAN ID list>...
  • Page 219: Spanning-Tree Vlan Cost

    spanning-tree vlan cost spanning-tree vlan cost Sets the path cost for the applicable PVST+ ports. Input format To set or change information: spanning-tree vlan <VLAN ID list> cost <Cost> To delete information: no spanning-tree vlan <VLAN ID list> cost Input mode (config-if) Parameters <VLAN ID list>...
  • Page 220 spanning-tree vlan cost When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands spanning-tree cost spanning-tree pathcost method spanning-tree vlan pathcost method...
  • Page 221: Spanning-Tree Vlan Forward-Time

    spanning-tree vlan forward-time spanning-tree vlan forward-time Sets the time required for PVST+ state transition. Input format To set or change information: spanning-tree vlan <VLAN ID list> forward-time <Seconds> To delete information: no spanning-tree vlan <VLAN ID list> forward-time Input mode (config) Parameters <VLAN ID list>...
  • Page 222 spanning-tree vlan forward-time Notes None Related commands spanning-tree mode spanning-tree vlan mode...
  • Page 223: Spanning-Tree Vlan Hello-Time

    spanning-tree vlan hello-time spanning-tree vlan hello-time Sets the interval for sending PVST+ BPDUs. Input format To set or change information: spanning-tree vlan <VLAN ID list> hello-time <Hello time> To delete information: no spanning-tree vlan <VLAN ID list> hello-time Input mode (config) Parameters <VLAN ID list>...
  • Page 224 spanning-tree vlan hello-time Related commands None...
  • Page 225: Spanning-Tree Vlan Max-Age

    spanning-tree vlan max-age spanning-tree vlan max-age Sets the maximum enabled time for BPDUs to be sent using PVST+. Input format To set or change information: spanning-tree vlan <VLAN ID list> max-age <Seconds> To delete information: no spanning-tree vlan <VLAN ID list> max-age Input mode (config)
  • Page 226 spanning-tree vlan max-age Related commands None...
  • Page 227: Spanning-Tree Vlan Mode

    spanning-tree vlan mode spanning-tree vlan mode Sets the PVST+ operating mode. Input format To set or change information: spanning-tree vlan <VLAN ID list> mode { pvst | rapid-pvst } To delete information: no spanning-tree vlan <VLAN ID list> mode Input mode (config) Parameters <VLAN ID list>...
  • Page 228 spanning-tree vlan mode Related commands spanning-tree mode...
  • Page 229: Spanning-Tree Vlan Pathcost Method

    spanning-tree vlan pathcost method spanning-tree vlan pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for a PVST+ port. If the spanning-tree vlan cost command setting is omitted, the following values are applied to the path cost according to the interface speed and the spanning-tree vlan pathcost method...
  • Page 230 spanning-tree vlan pathcost method - When 65536 or a larger value is set for the path cost, you cannot change the parameter to short. Default behavior The setting of the spanning-tree pathcost method command is used. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 231: Spanning-Tree Vlan Port-Priority

    spanning-tree vlan port-priority spanning-tree vlan port-priority Sets the priority for the applicable PVST+ ports. Input format To set or change information: spanning-tree vlan <VLAN ID list> port-priority <Priority> To delete information: no spanning-tree vlan <VLAN ID list> port-priority Input mode (config-if) Parameters <VLAN ID list>...
  • Page 232 spanning-tree vlan port-priority Notes None Related commands spanning-tree port-priority...
  • Page 233: Spanning-Tree Vlan Priority

    spanning-tree vlan priority spanning-tree vlan priority Sets the PVST+ bridge priority. Input format To set or change information: spanning-tree vlan <VLAN ID list> priority <Priority> To delete information: no spanning-tree vlan <VLAN ID list> priority Input mode (config) Parameters <VLAN ID list> Starts configuration of PVST+ for the specified VLAN.
  • Page 234 spanning-tree vlan priority Notes None Related commands None...
  • Page 235: Spanning-Tree Vlan Transmission-Limit

    spanning-tree vlan transmission-limit spanning-tree vlan transmission-limit Sets the maximum number of BPDUs that can be sent with the PVST+ hello-time. Input format To set or change information: spanning-tree vlan <VLAN ID list> transmission-limit <Counts> To delete information: no spanning-tree vlan <VLAN ID list>...
  • Page 236 spanning-tree vlan transmission-limit Notes None Related commands spanning-tree mode spanning-tree vlan mode spanning-tree vlan hello-time...
  • Page 237: Ring Protocol

    Ring Protocol axrp axrp vlan-mapping axrp-ring-port control-vlan disable forwarding-shift-time mode name vlan-group...
  • Page 238: Axrp

    axrp axrp Sets a ring ID. In addition, the Switch enters config-axrp mode in which the information necessary for the Ring Protocol functionality can be set. A maximum of four ring IDs can be set for a Switch. If the settings are removed, the ring information already set for ring IDs is deleted. Input format To set information: axrp...
  • Page 239: Axrp Vlan-Mapping

    axrp vlan-mapping axrp vlan-mapping Sets the VLAN mapping to be applied to a VLAN group and the VLANs participating in the VLAN mapping. Input format To set information: axrp vlan-mapping <Mapping ID> vlan <VLAN ID list> To change information: axrp vlan-mapping <Mapping ID>...
  • Page 240 axrp vlan-mapping shorter after the addition of VLANs, an axrp vlan-mapping command that consisted of multiple lines might be consolidated and displayed as the configuration. <VLAN ID list> vlan remove Sets the VLANs to be removed from the VLAN list you have configured. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 241: Axrp-Ring-Port

    axrp-ring-port axrp-ring-port Sets an interface that operates as the ring port for the Ring Protocol. The interfaces that can be set are Ethernet interfaces and port channel interfaces. Input format To set information: axrp-ring-port <Ring ID> [shared] To delete information: no axrp-ring-port <Ring ID>...
  • Page 242 axrp-ring-port Notes Two ring ports can be set for one ring ID. A ring port cannot be set for an Ethernet interface that is set for a channel group. Also, an Ethernet interface set for a ring port cannot be set for a channel group. Set the ring port for a port channel interface to which the applicable Ethernet interface belongs.
  • Page 243: Control-Vlan

    control-vlan control-vlan Sets the VLAN to be used as the control VLAN. You can use the VLANs set by using this command to send and receive control frames that monitor the ring status. Setting the forwarding-delay-time parameter allows you to set the time required to change the status of the control VLAN to Forwarding during initial operation.
  • Page 244 control-vlan Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes A VLAN that is a control VLAN for which another ring ID is used cannot be set. A VLAN that is used in a VLAN group cannot be set. If a change or deletion is executed while the Ring Protocol is operating, the Ring Protocol functionality is temporarily disabled.
  • Page 245: Disable

    disable disable Disables the Ring Protocol functionality. Input format To set information: disable To delete information: no disable Input mode (config-axrp) Parameters None Default behavior The Ring Protocol functionality is enabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 246: Forwarding-Shift-Time

    forwarding-shift-time forwarding-shift-time Sets the reception hold time for flush control frames in a transit node. When the reception hold time passes, if no flush control frames are received, the status of a ring port changes from Blocking to Forwarding. Input format To set information: forwarding-shift-time { <Seconds>...
  • Page 247 forwarding-shift-time Related commands None...
  • Page 248: Mode

    mode mode Sets the operating mode of the Switch used for the ring. Input format To set information: mode transit To delete information: no mode Input mode (config-axrp) Parameters transit The Switch operates as a transit node. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 249: Name

    name name Sets the name that will be used to identify the ring. Input format To set information: name <Name> To delete information: no name Input mode (config-axrp) Parameters <Name> Sets the name that will be used to identify the ring. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 250: Vlan-Group

    vlan-group vlan-group Sets the VLAN group that will be used for the Ring Protocol and the mapping IDs of the VLANs participating in the VLAN groups. A maximum of two VLAN groups can be set for the ring. Input format To set or change information: vlan-group <Group ID>...
  • Page 251 vlan-group Notes If the same VLAN mapping is assigned to VLAN groups in different rings, the same port cannot be set as the ring port in those rings. Note, however, that it is possible to set the same ring port if the port is a shared link (ring port for which shared is set).
  • Page 252: Dhcp Snooping

    DHCP Snooping ip arp inspection limit rate ip arp inspection trust ip arp inspection validate ip arp inspection vlan ip dhcp snooping ip dhcp snooping database url ip dhcp snooping database write-delay ip dhcp snooping information option allow-untrusted ip dhcp snooping limit rate ip dhcp snooping trust ip dhcp snooping verify mac-address ip dhcp snooping vlan...
  • Page 253: Ip Arp Inspection Limit Rate

    ip arp inspection limit rate ip arp inspection limit rate Sets the ARP packet reception rate (the number of ARP packets that can be received per second) on the applicable port when the DHCP snooping functionality is enabled on a Switch.
  • Page 254: Ip Arp Inspection Trust

    ip arp inspection trust ip arp inspection trust Sets the applicable interface as a trusted port where no dynamic ARP inspection is performed when the DHCP snooping functionality is enabled on a Switch. Input format To set information: ip arp inspection trust To delete information: no ip arp inspection trust Input mode...
  • Page 255: Ip Arp Inspection Validate

    ip arp inspection validate ip arp inspection validate Sets inspection items to be added to improve the accuracy of the dynamic ARP inspection when the dynamic ARP inspection functionality is enabled on a Switch. Input format To set or change information: ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip ] To delete information: no ip arp inspection validate...
  • Page 256 ip arp inspection validate Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If you enter this command, you cannot omit all of the parameters. At least one parameter must be set.
  • Page 257: Ip Arp Inspection Vlan

    ip arp inspection vlan ip arp inspection vlan Sets the VLAN used for dynamic ARP inspection when the DHCP snooping functionality is enabled on a Switch. Input format To set or change information: ip arp inspection vlan { <VLAN ID list> | add <VLAN ID list>...
  • Page 258 ip arp inspection vlan Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes Set a VLAN ID set by using the ip dhcp snooping vlan command. If this command is set, the binding database entries registered by using the source binding command are also subject to dynamic ARP inspection.
  • Page 259: Ip Dhcp Snooping

    ip dhcp snooping ip dhcp snooping Enables the DHCP snooping functionality on a Switch. Input format To set information: ip dhcp snooping To delete information: no ip dhcp snooping Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 260: Ip Dhcp Snooping Database Url

    ip dhcp snooping database url ip dhcp snooping database url Sets the save location for the binding database. Input format To set or change information: ip dhcp snooping database url { flash | mc <File name> To delete information: no ip dhcp snooping database url Input mode (config) Parameters...
  • Page 261 ip dhcp snooping database url Notes For the wait-to-write time set by using the ip dhcp snooping database write-delay command, any of the save events below causes the timer to start. When the timer expires, the binding database is saved. ...
  • Page 262: Ip Dhcp Snooping Database Write-Delay

    ip dhcp snooping database write-delay ip dhcp snooping database write-delay Sets the wait-to-write time used when a binding database is saved. Input format To set or change information: ip dhcp snooping database write-delay <Seconds> To delete information: no ip dhcp snooping database write-delay Input mode (config) Parameters...
  • Page 263 ip dhcp snooping database write-delay Related commands ip dhcp snooping ip dhcp snooping database url ip dhcp snooping vlan...
  • Page 264: Ip Dhcp Snooping Information Option Allow-Untrusted

    ip dhcp snooping information option allow-untrusted ip dhcp snooping information option allow-untrusted Set this command to allow DHCP packets that have option [82] information to be received on an untrusted port. If this setting is omitted, DHCP packets that have option [82] information are discarded.
  • Page 265: Ip Dhcp Snooping Limit Rate

    ip dhcp snooping limit rate ip dhcp snooping limit rate Sets the DHCP packet reception rate (the number of DHCP packets that can be received per second) on the applicable port. DHCP packets exceeding the reception rate are discarded. Input format To set or change information: ip dhcp snooping limit rate <Packet/s>...
  • Page 266: Ip Dhcp Snooping Trust

    ip dhcp snooping trust ip dhcp snooping trust Sets whether the interface is a trusted port or an untrusted port. Input format To set information: ip dhcp snooping trust To delete information: no ip dhcp snooping trust Input mode (config-if) Parameters None Default behavior...
  • Page 267: Ip Dhcp Snooping Verify Mac-Address

    ip dhcp snooping verify mac-address ip dhcp snooping verify mac-address Sets whether to check if the source MAC address of DHCP packets received from an untrusted port matches the client hardware addresses in the DHCP packet. Input format To set information: no ip dhcp snooping verify mac-address To delete information: ip dhcp snooping verify mac-address...
  • Page 268: Ip Dhcp Snooping Vlan

    ip dhcp snooping vlan ip dhcp snooping vlan Enables DHCP snooping in a VLAN. DHCP snooping is disabled if it is not set by using this command. A maximum of 32 VLANs can be set with this command. Input format To set or change information: ip dhcp snooping vlan <VLAN ID list>...
  • Page 269: Ip Source Binding

    ip source binding ip source binding Sets static for the binding database. Input format To set information: ip source binding <MAC> vlan <VLAN ID> <IP address> interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no ip source binding <MAC>...
  • Page 270 ip source binding See Specifiable values for parameters. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes A maximum of 64 entries can be set. Note, however, that no entries can be set if, when entries are set, the number of binding database entries, including dynamic entries, exceeds the maximum number of entries.
  • Page 271: Ip Verify Source

    ip verify source ip verify source Set this command to use the terminal filter based on the DHCP snooping binding database. (The terminal filter is functionality used to filter the packets of unregistered source IP and MAC addresses.) Input format To set or change information: ip verify source [ { port-security | mac-only } ] To delete information:...
  • Page 272 ip verify source Related commands ip dhcp snooping ip dhcp snooping vlan ip dhcp snooping trust ip source binding...
  • Page 273: Igmp Snooping

    IGMP Snooping ip igmp snooping (global) ip igmp snooping (interface) ip igmp snooping mrouter ip igmp snooping querier...
  • Page 274: Ip Igmp Snooping (Global)

    ip igmp snooping (global) ip igmp snooping (global) Suppresses the IGMP snooping functionality on a Switch. Input format To set information: no ip igmp snooping To delete information: ip igmp snooping Input mode (config) Parameters None Default behavior The IGMP snooping functionality is enabled on a Switch. Impact on communication The IGMP snooping functionality stops.
  • Page 275: Ip Igmp Snooping (Interface)

    ip igmp snooping (interface) ip igmp snooping (interface) Enables the IGMP snooping functionality on a VLAN interface. Input format To set information: ip igmp snooping To delete information: no ip igmp snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
  • Page 276: Ip Igmp Snooping Mrouter

    ip igmp snooping mrouter ip igmp snooping mrouter Sets a multicast router port for the VLAN interface. Input format To set or change information: ip igmp snooping mrouter interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no ip igmp snooping mrouter interface {fastethernet <IF#>...
  • Page 277 ip igmp snooping mrouter Related commands ip igmp snooping...
  • Page 278: Ip Igmp Snooping Querier

    ip igmp snooping querier ip igmp snooping querier Enables the IGMP querier functionality in a VLAN interface. Input format To set information: ip igmp snooping querier To delete information: no ip igmp snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None...
  • Page 279: Mld Snooping

    MLD Snooping ipv6 mld snooping (global) ipv6 mld snooping (interface) ipv6 mld snooping source ipv6 mld snooping mrouter ipv6 mld snooping querier...
  • Page 280: Ipv6 Mld Snooping (Global)

    ipv6 mld snooping (global) ipv6 mld snooping (global) Suppresses the MLD snooping functionality on a Switch. Input format To set information: no ipv6 mld snooping To delete information: ipv6 mld snooping Input mode (config) Parameters None Default behavior Enables the MLD snooping functionality on a Switch. Impact on communication The MLD snooping functionality stops.
  • Page 281: Ipv6 Mld Snooping (Interface)

    ipv6 mld snooping (interface) ipv6 mld snooping (interface) Enables the MLD snooping functionality on a VLAN interface. Input format To set information: ipv6 mld snooping To delete information: no ipv6 mld snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
  • Page 282: Ipv6 Mld Snooping Source

    ipv6 mld snooping source ipv6 mld snooping source Sets the source IPv6 address of the MLD snooping functionality to be used on a VLAN interface. Input format To set or change information: ipv6 mld snooping source <IPv6 address> To delete information: no ipv6 mld snooping source Input mode (config-if)
  • Page 283: Ipv6 Mld Snooping Mrouter

    ipv6 mld snooping mrouter ipv6 mld snooping mrouter Sets a multicast router port for the VLAN interface. Input format To set or change information: ipv6 mld snooping mrouter interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no ipv6 mld snooping mrouter interface {fastethernet <IF#>...
  • Page 284 ipv6 mld snooping mrouter Related commands ipv6 mld snooping...
  • Page 285: Ipv6 Mld Snooping Querier

    ipv6 mld snooping querier ipv6 mld snooping querier Enables the MLD querier functionality on a VLAN interface. Input format To set information: ipv6 mld snooping querier To delete information: no ipv6 mld snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None...
  • Page 286: Part 5: Ipv4 Packet Forwarding

    Part 5: IPv4 Packet Forwarding IPv4, ARP, and ICMP ip address ip route ip mtu...
  • Page 287: Ip Address

    ip address ip address Sets the local IPv4 address. Input format To set or change information: ip address <IP address> <Subnet-Mask> To delete information: no ip address <IP address> Input mode (config-if) Parameters <IP address> Sets the local IPv4 address. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 288 ip address Notes 127.*.*.* cannot be specified as an IPv4 address. Related commands interface vlan...
  • Page 289: Ip Route

    ip route ip route Sets a static route IPv4 address. Input format To set or change information: ip route <IP address> <Mask> <Next hop> To delete information: no ip route <IP address> <Mask> <Next hop> Input mode (config) Parameters <IP address> Sets the destination IPv4 address for a static route.
  • Page 290 ip route Notes None Related commands None...
  • Page 291: Ip Mtu

    ip mtu ip mtu Sets the send IP MTU length for an interface. Input format To set or change information: ip mtu <Length> To delete information: no ip mtu Input mode (config-if) Parameters <Length> Sets the send IP MTU length for an interface. In actuality, the frame length set in port MTU information and this parameter value are compared, and the smaller value is used as the IP MTU length of the interface.
  • Page 292 ip mtu Related commands interface vlan...
  • Page 293: Part 6: Common To Filtering And Qos

    Part 6: Common to Filtering and QoS Flow Detection Mode flow detection mode...
  • Page 294: Flow Detection Mode

    flow detection mode flow detection mode Sets the flow detection mode for the filtering and QoS functionality. This command changes the distribution pattern for the maximum number of entries in a hardware table. By changing the distribution pattern according to the operating mode, you can collect hardware resources in the necessary tables and use them.
  • Page 295 flow detection mode Legend Y: Can be set; N: Cannot be set For details about the flow detection modes, see 1.1.3 Flow detection modes in the Configuration Guide Vol.2 and 3.1.1 Flow detection modes in the Configuration Guide Vol.2. Default behavior Flow detection operates as Layer 2-2 flow detection.
  • Page 296: Part 7: Filters

    Part 7: Filters Access Lists Names that can be specified deny (ip access-list extended deny (ip access-list standard deny (mac access-list extended ip access-group ip access-list extended ip access-list resequence ip access-list standard mac access-group mac access-list extended mac access-list resequence permit (ip access-list extended permit (ip access-list standard permit (mac access-list extended...
  • Page 297: Names That Can Be Specified

    Names that can be specified Names that can be specified Protocol names (IPv4) The following table lists the names that can be specified as IPv4 protocol names. Table 19-1 Protocol names that can be specified (IPv4) Protocol name Applicable protocol number icmp igmp All IP protocols...
  • Page 298 Names that can be specified Port names (TCP) The following table lists the port names that can be specified for TCP. Table 19-2 Port names that can be specified for TCP Port name Applicable port name and number Border Gateway Protocol version 4 (179) chargen Character generator (19) daytime...
  • Page 299 Names that can be specified Port name Applicable port name and number pop3 Post Office Protocol v3 (110) pop3s POP3 over TLS/SSL (995) Printer PDL Data Stream (9100) shell Remote commands (514) smtp Simple Mail Transfer Protocol (25) smtps SMTP over TLS/SSL (465) Secure Shell Remote Login Protocol (22) sunrpc Sun Remote Procedure Call (111)
  • Page 300 Names that can be specified Port names (UDP) The following table lists the port names that can be specified for UDP. Table 19-3 Port names that can be specified for UDP (IPv4) Port name Applicable port name and number biff Biff (512) bootpc Bootstrap Protocol (BOOTP) client (68)
  • Page 301 Names that can be specified TOS name The following table lists the TOS names that can be specified. Table 19-4 TOS names that can be specified TOS name TOS value max-reliability max-throughput min-delay min-monetary-cost normal Precedence name The following table lists the precedence names that can be specified. Table 19-5 Precedence names that can be specified Precedence name Precedence value...
  • Page 302 Names that can be specified DSCP name The following table lists the DSCP names that can be specified. Table 19-6 DSCP names that can be specified DSCP name DSCP value af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 default...
  • Page 303 Names that can be specified Ethernet type name The following table lists the Ethernet type names that can be specified. Table 19-7 Ethernet type names that can be specified Ethernet type name Ethernet value Remarks appletalk 0x809b 0x0806 eapol 0x888e gsrp Filters GSRP control packets.
  • Page 304: Deny (Ip Access-List Extended)

    deny (ip access-list extended) deny (ip access-list extended) Sets the conditions for rejecting access in IPv4 packet filtering. Input format To set or change information: ■ When upper-layer protocols are other than TCP and UDP [<Seq>] deny {ip | <Protocol>...
  • Page 305 deny (ip access-list extended) Range of values: <Protocol>: Set 0 to 5, 7 to 16, or 18 to 255 (in decimal), or a protocol name. See Table 19-1 Protocol names that can be specified (IPv4). <Src IPv4> <Src IPv4 wildcard> | host <Src IPv4>...
  • Page 306 deny (ip access-list extended) sets bits that permit an arbitrary value in an IPv4 address. host <Dst IPv4> specification: The filter condition is a perfect match of <Dst IPv4>. specification: The destination IPv4 address is not included as a filter condition. IPv4 address (nnn.nnn.nnn.nnn): 0.0.0.0 to 255.255.255.255 <Dst port>...
  • Page 307 deny (ip access-list extended) Precedence names that can be specified. dscp <DSCP> This parameter sets the DSCP value, which is the first six bits in the ToS field. Its value is compared with the first six bits in the ToS field of the received packet. Default value when this parameter is omitted: None.
  • Page 308 deny (ip access-list extended) None Sets detection of packets whose SYN flag in the TCP header is 1. This parameter is an option available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Sets detection of packets whose URG flag in the TCP header is 1.
  • Page 309 deny (ip access-list extended) Notes When 255.255.255.255 is entered for the source address wildcard and the destination address wildcard, is displayed. nnn.nnn.nnn.nnn 0.0.0.0 is entered as the sender address and the destination address, host nnn.nnn.nnn.nnn is displayed. precedence , and dscp cannot be set at the same time.
  • Page 310: Deny (Ip Access-List Standard)

    deny (ip access-list standard) deny (ip access-list standard) Sets the conditions for rejecting access in IPv4 address filtering. Input format To set or change information: [<Seq>] deny {<Src IPv4> [<Src IPv4 wildcard>] | host <Src IPv4> | any} To delete information: <Seq>...
  • Page 311 deny (ip access-list standard) Default behavior None Impact on communication If any entry is added when an access list with no entries set is being applied to an interface, the IP packets received on the applicable interface are discarded temporarily until the entry is applied to the interface.
  • Page 312: Deny (Mac Access-List Extended)

    deny (mac access-list extended) deny (mac access-list extended) Sets the conditions for rejecting access in MAC filtering. Input format To set or change information: [<Seq>] deny {<Src MAC> <Src MAC mask> | host <Src MAC> | any} { <Dst MAC>...
  • Page 313 deny (mac access-list extended) MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) <Dst MAC> <Dst MAC mask> | host <Dst MAC> | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu } Sets the destination MAC address. To set all destination MAC addresses, set Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 314 deny (mac access-list extended) vlan <VLAN ID> Sets the VLAN ID. This parameter is effective only when it is applied to an Ethernet interface. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: See Specifiable values for parameters.
  • Page 315: Ip Access-Group

    ip access-group ip access-group Applies an IPv4 access list to an Ethernet interface or a VLAN interface, and enables the IPv4 filtering functionality. Input format To set information: ip access-group <ACL ID> To delete information: no ip access-group <ACL ID> Input mode (config-if) Parameters...
  • Page 316 ip access-group Notes filter was not set when the system function command was set, this command cannot be set. (This command can be set if the system function command was not set.) One IPv4 filter can be set for one interface. A maximum of 128 filters can be applied to an Ethernet interface or a VLAN interface.
  • Page 317: Ip Access-List Extended

    ip access-list extended ip access-list extended Sets the access list that operates as an IPv4 filter. There are two types of access lists that operate as IPv4 filters. One type is an IPv4 address filter and the other type is an IPv4 packet filter.
  • Page 318 ip access-list extended Notes None Related commands ip access-group ip access-list resequence deny (ip access-list extended) permit (ip access-list extended) remark...
  • Page 319: Ip Access-List Resequence

    ip access-list resequence ip access-list resequence Resets the sequence numbers of the sequence in which filter conditions are applied in IPv4 address filtering or IPv4 packet filtering. Input format To set or change information: ip access-list resequence <ACL ID> <Starting seq> <Increment seq>...
  • Page 320 ip access-list resequence Notes None Related commands ip access-list standard ip access-list extended...
  • Page 321: Ip Access-List Standard

    ip access-list standard ip access-list standard Sets the access list that operates as an IPv4 filter. There are two types of access lists that operate as IPv4 filters. One type is an IPv4 address filter and the other type is an IPv4 packet filter.
  • Page 322 ip access-list standard Notes None Related commands ip access-group ip access-list resequence deny (ip access-list standard) permit (ip access-list standard) remark...
  • Page 323: Mac Access-Group

    mac access-group mac access-group Applies a MAC access list to an Ethernet interface or a VLAN interface and enables the MAC filtering functionality. Input format To set information: mac access-group <ACL ID> To delete information: no mac access-group <ACL ID> Input mode (config-if) Parameters...
  • Page 324 mac access-group Notes filter was not set when the system function command was set, this command cannot be set. (This command can be set if the system function command was not set.) One MAC filter can be set for one interface. A maximum of 128 filters can be applied to an Ethernet interface or a VLAN interface.
  • Page 325: Mac Access-List Extended

    mac access-list extended mac access-list extended Sets the access list to be used as a MAC filter. An access list used for a MAC filter filters packets based on source MAC address, destination MAC address, Ethernet type number, VLAN ID, and user priority. Multiple filter conditions can be set by using a single access list ID.
  • Page 326 mac access-list extended Related commands mac access-group mac access-list resequence deny (mac access-list extended) permit (mac access-list extended) remark...
  • Page 327: Mac Access-List Resequence

    mac access-list resequence mac access-list resequence Resets the sequence numbers of the sequence in which filter conditions are applied in MAC filtering. Input format To set or change information: mac access-list resequence <ACL ID> <Starting seq> <Increment seq> Input mode (config) Parameters <ACL ID>...
  • Page 328 mac access-list resequence Notes None Related commands mac access-list extended...
  • Page 329: Permit (Ip Access-List Extended)

    permit (ip access-list extended) permit (ip access-list extended) Sets the conditions for permitting access in IPv4 packet filtering. Input format To set or change information: ■ When upper-layer protocols are other than TCP and UDP [<Seq>] permit {ip | <Protocol>...
  • Page 330 permit (ip access-list extended) Range of values: <Protocol>: Set 0 to 5, 7 to 16, or 18 to 255 (in decimal), or a protocol name. See Table 19-1 Protocol names that can be specified (IPv4). <Src IPv4> <Src IPv4 wildcard> | host <Src IPv4>...
  • Page 331 permit (ip access-list extended) sets bits that permit an arbitrary value in an IPv4 address. host <Dst IPv4> specification: The filter condition is a perfect match of <Dst IPv4>. specification: The destination IPv4 address is not included as a filter condition. IPv4 address (nnn.nnn.nnn.nnn): 0.0.0.0 to 255.255.255.255 <Dst port>...
  • Page 332 permit (ip access-list extended) Precedence names that can be specified. dscp <DSCP> This parameter sets the DSCP value, which is the first six bits in the ToS field. Its value is compared with the first six bits in the ToS field of the received packet. Default value when this parameter is omitted: None.
  • Page 333 permit (ip access-list extended) None Sets detection of packets whose SYN flag in the TCP header is 1. This parameter is an option available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Sets detection of packets whose URG flag in the TCP header is 1.
  • Page 334 permit (ip access-list extended) Notes When 255.255.255.255 is entered for the source address wildcard and the destination address wildcard, is displayed. nnn.nnn.nnn.nnn 0.0.0.0 is entered as the sender address and the destination address, host nnn.nnn.nnn.nnn is displayed. precedence , and dscp cannot be set at the same time.
  • Page 335: Permit (Ip Access-List Standard)

    permit (ip access-list standard) permit (ip access-list standard) Sets the conditions for permitting access in IPv4 address filtering. Input format To set or change information: [<Seq>] permit {<Src IPv4> [<Src IPv4 wildcard>] | host <Src IPv4> | any} To delete information: <Seq>...
  • Page 336 permit (ip access-list standard) Default behavior None Impact on communication If any entry is added when an access list with no entries set is being applied to an interface, the IP packets received on the applicable interface are discarded temporarily until the entry is applied to the interface.
  • Page 337: Permit (Mac Access-List Extended)

    permit (mac access-list extended) permit (mac access-list extended) Sets the conditions for permitting access in MAC filtering. Input format To set or change information: [<Seq>] permit {<Src MAC> <Src MAC mask> | host <Src-MAC> | any} { <Dst MAC>...
  • Page 338 permit (mac access-list extended) MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) <Dst MAC> <Dst MAC mask> | host <Dst MAC> | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu } Sets the destination MAC address. To set all destination MAC addresses, set Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 339 permit (mac access-list extended) vlan <VLAN ID> Sets the VLAN ID. This parameter is effective only when it is applied to an Ethernet interface. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: See Specifiable values for parameters.
  • Page 340: Remark

    remark remark Sets supplementary information for an access list. Access lists are available for IPv4 address filtering, IPv4 packet filtering, and MAC filtering. A maximum of 512 items can be set for a Switch. Input format To set or change information: remark <Remark>...
  • Page 341 remark Related commands ip access-list standard ip access-list extended mac access-list extended...
  • Page 342: Part 8: Qos

    Part 8: QoS Names and values that can be specified ip qos-flow-group ip qos-flow-list ip qos-flow-list resequence limit-queue-length mac qos-flow-group mac qos-flow-list mac qos-flow-list resequence qos (ip qos-flow-list) qos (mac qos-flow-list) qos-queue-group qos-queue-list remark traffic-shape rate control-packet user-priority...
  • Page 343: Names And Values That Can Be Specified

    Names and values that can be specified Names and values that can be specified Protocol names (IPv4) The following table lists the names that can be specified as IPv4 protocol names. Table 20-1 Protocol names that can be specified (IPv4) Protocol name Applicable protocol number icmp...
  • Page 344 Names and values that can be specified Port names (TCP) The following table lists the port names that can be specified for TCP. Table 20-2 Port names that can be specified for TCP Port name Applicable port name and number Border Gateway Protocol version 4 (179) chargen Character generator (19)
  • Page 345 Names and values that can be specified Port name Applicable port name and number pop3 Post Office Protocol v3 (110) pop3s POP3 over TLS/SSL (995) Printer PDL Data Stream (9100) shell Remote commands (514) smtp Simple Mail Transfer Protocol (25) smtps SMTP over TLS/SSL (465) Secure Shell Remote Login Protocol (22)
  • Page 346 Names and values that can be specified Port name Applicable port name and number mobile-ip Mobile IP registration (434) nameserver Host Name Server (42) Network Time Protocol (123) radius Remote Authentication Dial In User Service (1812) radius-acct RADIUS Accounting (1813) Routing Information Protocol (520) snmp Simple Network Management Protocol...
  • Page 347 Names and values that can be specified Precedence name The following table lists the precedence names that can be specified. Table 20-5 Precedence names that can be specified Precedence name Precedence value critical flash flash-override immediate internet network priority routine DSCP name The following table lists the DSCP names that can be specified.
  • Page 348 Names and values that can be specified DSCP name DSCP value default Ethernet type name The following table lists the Ethernet type names that can be specified. Table 20-7 Ethernet type names that can be specified Ethernet value Remarks Ethernet type name appletalk 0x809b...
  • Page 349 Names and values that can be specified Destination MAC address names The following table lists the destination MAC address names that can be specified. Table 20-8 Destination MAC address names that can be specified Destination address Destination Destination address address mask specification bpdu...
  • Page 350: Ip Qos-Flow-Group

    ip qos-flow-group ip qos-flow-group Enables the QoS filtering functionality by applying an IPv4 QoS flow list to an Ethernet interface or a VLAN interface. Input format To set information: ip qos-flow-group <QoS flow list name> To delete information: no ip qos-flow-group <QoS flow list name>...
  • Page 351 ip qos-flow-group set.) One IPv4 QoS flow list can be set for one interface. A maximum of 64 filters can be applied to an Ethernet interface or a VLAN interface. If a non-existent IPv4 QoS flow list name is set, no operation is performed. The IPv4 QoS flow list name is registered.
  • Page 352: Ip Qos-Flow-List

    ip qos-flow-list ip qos-flow-list Creates an IPv4 QoS flow list to be used to set QoS flow detection and operation settings. A maximum of 1024 IPv4 and MAC QoS flow lists can be created for a Switch. A maximum of 1024 entries can be created for flow detection and operation settings.
  • Page 353: Ip Qos-Flow-List Resequence

    ip qos-flow-list resequence ip qos-flow-list resequence Resets the sequence numbers of the application sequence in the IPv4 QoS flow list. Input format To set or change information: ip qos-flow-list resequence <QoS flow list name> <Starting seq> <Increment seq> Input mode (config-ip-qos) Parameters <QoS flow list name>...
  • Page 354 ip qos-flow-list resequence Notes None Related commands ip qos-flow-list...
  • Page 355: Limit-Queue-Length

    limit-queue-length limit-queue-length Sets for a Switch the maximum send queue length of a physical port. If this command is omitted or if setting information is deleted, the send queue length is set to This command is used to set basic operating conditions for the hardware. You must restart the Switch after you change the settings.
  • Page 356 limit-queue-length This also applies when 32 is set as the send queue length. If information is deleted by using the command, there will be no scheduling mode limitations. When 32 has been set as the send queue length by using the limit-queue-length command, the send queue length is as follows: Queues 1 to 8: 32...
  • Page 357: Mac Qos-Flow-Group

    mac qos-flow-group mac qos-flow-group Enables the QoS functionality by applying a MAC QoS flow list to an Ethernet interface or a VLAN interface. Input format To set information: mac qos-flow-group <QoS flow list name> To delete information: no mac qos-flow-group <QoS flow list name>...
  • Page 358 mac qos-flow-group Notes was not set when the command was set, this command system function cannot be set. (This command can be set if the command was not system function set.) One MAC QoS flow list can be set for one interface. A maximum of 64 filters can be applied to an Ethernet interface or a VLAN interface.
  • Page 359: Mac Qos-Flow-List

    mac qos-flow-list mac qos-flow-list Creates the MAC QoS flow list used to set QoS flow detection and operation settings. A maximum of 1024 IPv4 and MAC QoS flow lists can be created for a Switch. A maximum of 1024 entries can be created for flow detection and operation settings. Input format To set or change information: mac qos-flow-list...
  • Page 360: Mac Qos-Flow-List Resequence

    mac qos-flow-list resequence mac qos-flow-list resequence Resets the sequence numbers of the application sequence in the MAC QoS flow list. Input format To set or change information: mac qos-flow-list resequence <QoS flow list name> <Starting seq> <Increment seq> Input mode (config-mac-qos) Parameters <QoS flow list name>...
  • Page 361 mac qos-flow-list resequence Notes None Related commands mac qos-flow-list...
  • Page 362: Qos (Ip Qos-Flow-List)

    qos (ip qos-flow-list) qos (ip qos-flow-list) Sets flow detection conditions and operation settings in an IPv4 QoS flow list. Input format To set or change information: [<Seq>] qos { <Flow detection conditions> <Operation settings> ■ <Flow detection conditions> When upper-layer protocols are other than TCP and UDP {ip | <Protocol>...
  • Page 363 qos (ip qos-flow-list) {ip | <Protocol> | icmp | igmp | tcp | udp} Sets the upper-layer protocol condition of IPv4 packets. Note that if all protocols are applicable, is set. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: <Protocol>: Set 0 to 255 (in decimal) or a protocol name.
  • Page 364 qos (ip qos-flow-list) Range of values: Specify <Dst IPv4>, <Dst IPv4 wildcard>, host <Dst IPv4>, or <Dst IPv4> <Dst IPv4 wildcard> specification: Specify the destination IPv4 address for <Dst IPv4>. <Dst IPv4 wildcard>, specify a wildcard in IPv4 address format that sets bits that permit an arbitrary value in an IPv4 address.
  • Page 365 qos (ip qos-flow-list) Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Set 0 to 7 (in decimal) or the precedence name. For details about the Precedence names that can be set, see Table 20-5 Precedence names that can be specified.
  • Page 366 qos (ip qos-flow-list) Range of values: None Sets detection of packets whose RST flag in the TCP header is 1. This parameter is an option available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Sets detection of packets whose SYN flag in the TCP header is 1.
  • Page 367 qos (ip qos-flow-list) beginning of the operation parameter. Default value when this parameter is omitted: None. (This parameter cannot be omitted if an operation is set.) Range of values: None <COS> Sets an index (CoS) indicating the priority on a Switch. Default value when this parameter is omitted: The default CoS values are set.
  • Page 368 qos (ip qos-flow-list) Notes When is entered for the source address wildcard and the 255.255.255.255 destination address wildcard, is displayed. is entered as the sender address and the destination nnn.nnn.nnn.nnn 0.0.0.0 address, host nnn.nnn.nnn.nnn is displayed. precedence , and dscp cannot be set at the same time.
  • Page 369: Qos (Mac Qos-Flow-List)

    qos (mac qos-flow-list) qos (mac qos-flow-list) Sets flow detection conditions and operation settings in the MAC QoS flow list. Input format To set or change information: [<Seq>] qos { <Flow detection conditions> <Operation settings> ■ <Flow detection conditions> {<Src MAC> <Src MAC mask> | host <Src MAC>...
  • Page 370 qos (mac qos-flow-list) The flow detection condition is a perfect match of <Src MAC>. specification: The source MAC address is not included as a flow detection condition. MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) <Dst MAC> <Dst MAC mask> | host <Dst MAC>...
  • Page 371 qos (mac qos-flow-list) Note, however, that 0x0000 is set for a value equal to or smaller than 0x05ff. For details about the Ethernet type names that can be set, see Table 20-7 Ethernet type names that can be specified. vlan <VLAN ID>...
  • Page 372 qos (mac qos-flow-list) Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes nnnn.nnnn.nnnn ffff.ffff.ffff is entered as the source address and the destination address, is displayed. If a protocol name is set for the destination address or if the address of a protocol name that can be set is set, the protocol name is displayed.
  • Page 373: Qos-Queue-Group

    qos-queue-group qos-queue-group Sets QoS queue list information for an interface (physical port). Input format To set information: qos-queue-group <QoS queue list name> To delete information: no qos-queue-group Input mode (config-if) Parameters <QoS queue list name> Specify the QoS queue list name. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 374 qos-queue-group Related commands qos-queue-list interface fastethernet interface gigabitethernet...
  • Page 375: Qos-Queue-List

    qos-queue-list qos-queue-list Sets the scheduling mode for QoS queue list information. A maximum of 52 lists can be created for a Switch. Input format To set or change information: qos-queue-list <QoS queue list name> { pq | wrr [ <Packet1> <Packet2> <Packet3>...
  • Page 376 qos-queue-list Regardless of the queue length, the number of packets is controlled so that packets are distributed evenly. When <Packet> is set, weighted (number of packets) round robin is used. If there are packets in multiple queues, packets are sent according to the number of packets set for <Packet>...
  • Page 377 qos-queue-list Line speed Bandwidth Setting range Step value Item In kbit/s 1000 to 10000 100 k 64 to 960 64 k auto 64 kbit/s to 1 Gbit/s In Mbit/s 1 M to 1000 M Negotiation In kbit/s 1000 to 1000000 100 k 64 to 960 64 k...
  • Page 378 qos-queue-list If the line status is half duplex and WFQ is set, WFQ is not used for operation. Instead, PQ is used. If WFQ is set, there might be a maximum error of 10% between the set minimum bandwidth and the actual value. To use port bandwidth control and scheduling of QoS queue list information at the same time, set PQ as the scheduling mode.
  • Page 379: Remark

    remark remark Sets supplementary information for a QoS flow list. IPv4 QoS flow lists and MAC QoS flow lists are available as QoS flow lists. A maximum of 512 items can be set for a Switch. Input format To set or change information: remark <Remark>...
  • Page 380: Traffic-Shape Rate

    traffic-shape rate traffic-shape rate Sets the bandwidth by setting port bandwidth control for an interface (physical port) to limit the send bandwidth. Input format To set or change information: traffic-shape rate { <kbit/s> <Mbit/s> To delete information: no traffic-shape rate Input mode (config-if) Parameters...
  • Page 381 traffic-shape rate #1: 1 M = 1000 k. #2: Set values that are 1000 k or greater in 100 k increments (1000 k, 1100 k, 1200 k...10000000 k). #3: Set values that are less than 1000 k in 64 k increments (64 k, 128 k, 192 k...960 k). Default behavior The send bandwidth is not limited.
  • Page 382: Control-Packet User-Priority

    control-packet user-priority control-packet user-priority Sets the user priority in the VLAN tags of frames spontaneously sent by a Switch. If this command is not set or if information is deleted, 7 is used as the user priority of frames spontaneously sent. Input format To set or change information: control-packet user-priority { layer-2...
  • Page 383: Part 9: Layer 2 Authentication

    Part 9: Layer 2 Authentication Common to Layer 2 Authentication authentication arp-relay authentication force-authorized enable authentication force-authorized vlan authentication ip access-group...
  • Page 384: Authentication Arp-Relay

    authentication arp-relay authentication arp-relay When the Layer 2 authentication functionality is used, set this command to output ARP packets destined for another device sent from an unauthenticated terminal to a non-authenticating port. This command can be used in the following authentication modes: ...
  • Page 385 authentication arp-relay depending on the authentication functionality. ■ IEEE 802.1X port-based authentication (static) can be set for Ethernet interfaces and port channel interfaces. ■ IEEE 802.1X port-based authentication (dynamic), Web authentication, and MAC-based authentication can be set only for Ethernet interfaces. Related commands dot1x system-auth-control dot1x port-control...
  • Page 386: Authentication Force-Authorized Enable

    authentication force-authorized enable authentication force-authorized enable When the following state exists for all Layer 2 authentications, a terminal subject to authentication that requested authentication is forcibly changed to the authenticated state. ■ The set RADIUS server does not respond when RADIUS authentication is specified. Input format To set information: authentication force-authorized enable...
  • Page 387 authentication force-authorized enable This functionality is not subject to legacy mode. Related commands aaa authentication dot1x default aaa authentication mac-authentication default aaa authentication web-authentication default dot1x port-control dot1x system-auth-control dot1x radius-server radius-server mac-authentication port mac-authentication system-auth-control mac-authentication radius-server web-authentication port web-authentication system-auth-control web-authentication radius-server...
  • Page 388: Authentication Force-Authorized Vlan

    authentication force-authorized vlan authentication force-authorized vlan In dynamic VLAN mode of Web authentication and MAC-based authentication, and port-based authentication (dynamic) for IEEE 802.1X authentication, set this command to allocate a post-authentication VLAN when forced authentication is performed on the applicable port. Input format To set or change information: <VLAN ID>...
  • Page 389 authentication force-authorized vlan Related commands authentication force-authorized enable vlan mac-based...
  • Page 390: Authentication Ip Access-Group

    authentication ip access-group authentication ip access-group When the Layer 2 authentication functionality is used, set this command to output only the packets specified by applying the IPv4 access list of the IP packets destined for another device sent from an unauthenticated terminal to a non-authenticating port. This command can be used in the following authentication modes: ...
  • Page 391 authentication ip access-group Impact on communication Regardless of the configuration of this command, the following packets are able to pass through even before authentication. ■ IP packets destined for the Web authentication IP address ■ DHCP packets destined for the internal DHCP server used in Web authentication dynamic VLAN mode Other packets are handled according to the access list conditions set by using this command.
  • Page 392: Ieee 802.1X

    IEEE 802.1X Correspondence between configuration commands and authentication modes aaa accounting dot1x aaa authentication dot1x aaa authorization network default dot1x authentication dot1x auto-logout dot1x force-authorized dot1x force-authorized eapol dot1x force-authorized vlan dot1x ignore-eapol-start dot1x max-req dot1x multiple-authentication dot1x port-control dot1x radius-server dead-interval dot1x radius-server host dot1x reauthentication dot1x supplicant-detection...
  • Page 393: Correspondence Between Configuration Commands And Authentication Modes

    Correspondence between configuration commands and authentication modes Correspondence between configuration commands and authentication modes The following table describes IEEE 802.1X authentication modes in which IEEE 802.1X configuration commands can be set. Table 22-1 Configuration commands and IEEE 802.1X authentication modes IEEE 802.1X authentication modes Port-based authentication VLAN-based...
  • Page 394 Correspondence between configuration commands and authentication modes IEEE 802.1X authentication modes Port-based authentication VLAN-based authentication Command name (static) (dynamic) (dynamic) dot1x timeout quiet-period dot1x timeout reauth-period dot1x timeout server-timeout dot1x timeout supp-timeout dot1x timeout tx-period dot1x vlan dynamic enable dot1x vlan dynamic ignore-eapol-start dot1x vlan dynamic max-req dot1x vlan dynamic radius-vlan dot1x vlan dynamic reauthentication...
  • Page 395: Aaa Accounting Dot1X

    aaa accounting dot1x aaa accounting dot1x Sends IEEE 802.1X accounting information to the accounting server. Input format To set information: aaa accounting dot1x default start-stop group radius To delete information: no aaa accounting dot1x default Input mode (config) Parameters default Sets the default accounting method of a Switch.
  • Page 396: Aaa Authentication Dot1X

    aaa authentication dot1x aaa authentication dot1x Sets an IEEE 802.1X authentication method group. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set. Input format To set or change information: aaa authentication dot1x default <Method>...
  • Page 397 aaa authentication dot1x Default behavior None Impact on communication When the device default setting is changed, authentication of terminals that had been authenticated by the corresponding authentication functionality is canceled. When settings for the authentication method list are changed, authentication of terminals on ports specifying the corresponding authentication method list is canceled.
  • Page 398: Aaa Authorization Network Default

    aaa authorization network default aaa authorization network default Set this command to perform VLAN-based authentication (dynamic) according to the VLAN information set by using an authentication method. Input format To set information: aaa authorization network default group radius To delete information: no aaa authorization network default Input mode (config)
  • Page 399: Dot1X Authentication

    dot1x authentication dot1x authentication Sets the name of an authentication method list for the port-based authentication method. Input format To set or change information: dot1x authentication <List name> To delete information: no dot1x authentication Input mode (config-if) Parameters <List name> Sets the authentication method list name set by using the aaa authentication command.
  • Page 400 dot1x authentication
      - dot1x vlan dynamic radius-vlan
      - web-authentication user-group
      - web-authentication vlan
      - mac-authentication interface
      - mac-authentication vlan
    If the authentication method list name set by using this command does not match the authentication method list name set by using the aaa authentication dot1x command, the default settings of the Switch are used.
  • Page 401: Dot1X Auto-Logout

    dot1x auto-logout dot1x auto-logout The no dot1x auto-logout command disables the setting to automatically cancel authentication when no frame is received from a terminal authenticated by IEEE 802.1X for a certain period of time. Input format To set information: no dot1x auto-logout To delete information: dot1x auto-logout Input mode...
  • Page 402: Dot1X Force-Authorized

    dot1x force-authorized dot1x force-authorized When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
  • Page 403 dot1x force-authorized dot1x authentication Set commands for the same interface. The following accounting log data is collected when an authentication request is sent to the RADIUS server: No.=82 WARNING:SYSTEM: (<Additional information>) Failed to connect to RADIUS server. <Additional information>: IP You can use the command to check the show dot1x logging...
  • Page 404: Dot1X Force-Authorized Eapol

    dot1x force-authorized eapol dot1x force-authorized eapol Sends the EAPOL-Success response packet from the Switch to the terminal to be authenticated, according to the IEEE 802.1X forced authentication settings, when the terminal's status has been forcibly changed to authentication authorized. Input format To set information: dot1x force-authorized eapol To delete information:...
  • Page 405: Dot1X Force-Authorized Vlan

    dot1x force-authorized vlan dot1x force-authorized vlan When the RADIUS authentication method is used, this command forcibly changes the status of a terminal to authentication authorized and assigns an authenticated VLAN if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure. Input format To set or change information: dot1x force-authorized vlan...
  • Page 406 dot1x force-authorized vlan
      - All the following configurations have been set: dot1x system-auth-control radius-server host dot1x radius-server host #1, #4 dot1x port-control auto aaa authorized network default dot1x vlan dynamic enable #2, #3 dot1x vlan dynamic radius-vlan vlan <VLAN ID> mac-based #2, #3, #4 switchport mac vlan...
  • Page 407 dot1x force-authorized vlan Related commands aaa authentication dot1x aaa authorized network default dot1x port-control dot1x system-auth-control dot1x vlan dynamic enable dot1x vlan dynamic radius-vlan switchport mac switchport mode vlan radius-server host dot1x radius-server host...
  • Page 408: Dot1X Ignore-Eapol-Start

    dot1x ignore-eapol-start dot1x ignore-eapol-start Set this command so that the Switch does not issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant. Input format To set information: dot1x ignore-eapol-start To delete information: no dot1x ignore-eapol-start Input mode (config-if) Parameters None Default behavior None...
  • Page 409 dot1x ignore-eapol-start Related commands dot1x reauthentication dot1x supplicant-detection dot1x system-auth-control dot1x port-control...
  • Page 410: Dot1X Max-Req

    dot1x max-req dot1x max-req Sets the maximum number of EAP-Request retransmissions if the value exceeds the supp-timeout value. If the number of retransmissions exceeds this value, authentication is determined to have failed. Input format To set or change information: dot1x max-req <Counts>...
  • Page 411: Dot1X Multiple-Authentication

    dot1x multiple-authentication dot1x multiple-authentication Sets the IEEE 802.1X authentication submode to terminal authentication mode. The command performs authentication processing for each terminal and the authentication result determines whether communication is possible. Accordingly, multiple terminals can be connected. If terminal authentication mode is set as the authentication submode, single mode is used as the submode.
  • Page 412 dot1x multiple-authentication
      - When the dot1x multiple-authentication command has not been set (single mode): Communication is impossible as long as a terminal subject to authentication has not been authenticated successfully.
      - When the dot1x multiple-authentication command has been set (terminal authentication mode): Regardless of the authentication status, if auto...
  • Page 413: Dot1X Port-Control

    dot1x port-control dot1x port-control Sets the port-control status for an interface that has been set. Entry of this command also enables the IEEE 802.1X port-based authentication functionality. Input format To set or change information: dot1x port-control {auto | force-authorized | force-unauthorized} To delete information: no dot1x port-control Input mode...
  • Page 414 dot1x port-control Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable. When port-based authentication (static) is used, set the following commands for the same interface (these commands can be set for Ethernet interfaces and port channel interfaces): ...
  • Page 415: Dot1X Radius-Server Dead-Interval

    dot1x radius-server dead-interval dot1x radius-server dead-interval Configures the timer for monitoring automatic restoration to the primary IEEE 802.1X authentication RADIUS server from the IEEE 802.1X authentication RADIUS server. The primary IEEE 802.1X authentication RADIUS server is restored when either of the following occurs: The current server (the destination for RADIUS authentication requests in operation) switches to a valid secondary IEEE 802.1X authentication RADIUS server, or when all servers are disabled, the monitoring timer starts and the period of time set by this...
  • Page 416 dot1x radius-server dead-interval When the change is applied The change is applied immediately after setting values are changed. If the secondary IEEE 802.1X authentication RADIUS server is operating as the current server, and if the value of the monitoring timer is changed, the progress to that time is used as the judgment value and the result is applied.
  • Page 417: Dot1X Radius-Server Host

    dot1x radius-server host dot1x radius-server host Configures the general RADIUS server used for IEEE 802.1X. Input format To set or change information: dot1x radius-server host <IP address> [auth-port <Port> ] [acct-port <Port> ] [timeout <Seconds> ] [retransmit <Retries> ] [key <String>...
  • Page 418 dot1x radius-server host retransmit <Retries> Sets the number of times an authentication request is resent to the RADIUS server. Default value when this parameter is omitted: The number of times set by using the radius-server retransmit command is used. If no value is set, the initial value is 3. Range of values: 0 to 15 (times) <String>...
  • Page 419 dot1x radius-server host RADIUS server is disabled. If multiple IEEE 802.1X authentication RADIUS servers are configured, the address displayed first by using the show radius-server operation command is the address of the primary general RADIUS server. The primary IEEE 802.1X authentication RADIUS server is used as the initial current server (the destination for RADIUS authentication requests during operation).
  • Page 420: Dot1X Reauthentication

    dot1x reauthentication dot1x reauthentication After a successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent at the interval set by using the dot1x timeout reauth-period command to a supplicant as a prompt for supplicant re-authentication.
  • Page 421: Dot1X Supplicant-Detection

    dot1x supplicant-detection dot1x supplicant-detection Sets the behavior when a new terminal is detected after the terminal authentication mode has been set to an authentication submode. Input format To set or change information: dot1x supplicant-detection {disable | shortcut | auto} To delete information: no dot1x supplicant-detection Input mode (config-if)
  • Page 422 dot1x supplicant-detection Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable.
  • Page 423: Dot1X System-Auth-Control

    dot1x system-auth-control dot1x system-auth-control Enables IEEE 802.1X. Input format To set information: dot1x system-auth-control To delete information: no dot1x system-auth-control Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable.
  • Page 424: Dot1X Timeout Keep-Unauth

    dot1x timeout keep-unauth dot1x timeout keep-unauth Sets the period of time (in seconds) for maintaining the communication-disabled state of the interface if two or more terminals are connected to an interface on which the single-mode authentication submode is set. After the time set by using this command elapses, an authenticated terminal must be re-authenticated.
  • Page 425 dot1x timeout keep-unauth Related commands dot1x system-auth-control dot1x port-control dot1x multiple-authentication...
  • Page 426: Dot1X Timeout Quiet-Period

    dot1x timeout quiet-period dot1x timeout quiet-period Sets the period of time (in seconds) for maintaining the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication processing is performed.
  • Page 427: Dot1X Timeout Reauth-Period

    dot1x timeout reauth-period dot1x timeout reauth-period Sets the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using this command as a prompt for supplicant re-authentication.
  • Page 428 dot1x timeout reauth-period The dot1x timeout reauth-period command takes effect only if re-authentication has been set by using the dot1x reauthentication command. For the parameter, set a value greater than the value set by using the dot1x timeout tx-period command. Related commands dot1x timeout tx-period dot1x reauthentication dot1x system-auth-control...
  • Page 429: Dot1X Timeout Server-Timeout

    dot1x timeout server-timeout dot1x timeout server-timeout Sets the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server. Input format To set or change information: dot1x timeout server-timeout <Seconds> To delete information: no dot1x timeout server-timeout Input mode (config-if)
  • Page 430: Dot1X Timeout Supp-Timeout

    dot1x timeout supp-timeout dot1x timeout supp-timeout Sets the time (in seconds) to wait for a response from a supplicant for an EAP-Request packet sent to a supplicant. If no response is received, the EAP-Request packet is retransmitted. Input format To set or change information: dot1x timeout supp-timeout <Seconds>...
  • Page 431 dot1x timeout supp-timeout Related commands dot1x system-auth-control dot1x max-req dot1x port-control...
  • Page 432: Dot1X Timeout Tx-Period

    dot1x timeout tx-period dot1x timeout tx-period Sets the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X is valid. Input format To set or change information: dot1x timeout tx-period <Seconds> To delete information: no dot1x timeout tx-period Input mode (config-if) Parameters <Seconds>...
  • Page 433 dot1x timeout tx-period Related commands dot1x timeout reauth-period dot1x system-auth-control dot1x port-control...
  • Page 434: Dot1X Vlan Dynamic Enable

    dot1x vlan dynamic enable dot1x vlan dynamic enable Enables IEEE 802.1X VLAN-based authentication (dynamic). Input format To set information: dot1x vlan dynamic enable To delete information: no dot1x vlan dynamic enable Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 435 dot1x vlan dynamic enable Related commands dot1x system-auth-control aaa authorization network default...
  • Page 436: Dot1X Vlan Dynamic Ignore-Eapol-Start

    dot1x vlan dynamic ignore-eapol-start dot1x vlan dynamic ignore-eapol-start Set this command so that the Switch does not issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant. Input format To set information: dot1x vlan dynamic ignore-eapol-start To delete information: no dot1x vlan dynamic ignore-eapol-start Input mode (config) Parameters...
  • Page 437 dot1x vlan dynamic ignore-eapol-start Related commands dot1x vlan dynamic reauthentication dot1x vlan dynamic supplicant-detection dot1x system-auth-control dot1x vlan dynamic enable...
  • Page 438: Dot1X Vlan Dynamic Max-Req

    dot1x vlan dynamic max-req dot1x vlan dynamic max-req Sets the maximum number of EAP-Request retransmissions if the value exceeds the supp-timeout value. If the number of retransmissions exceeds this value, authentication is determined to have failed. Input format To set or change information: dot1x vlan dynamic max-req <Counts>...
  • Page 439: Dot1X Vlan Dynamic Radius-Vlan

    dot1x vlan dynamic radius-vlan dot1x vlan dynamic radius-vlan Sets VLANs to allow dynamic VLAN allocation according to VLAN information sent from the RADIUS server during IEEE 802.1X authentication. Input format To set information: dot1x vlan dynamic radius-vlan <VLAN ID list> To change information: dot1x vlan dynamic radius-vlan { <VLAN ID list>...
  • Page 440 dot1x vlan dynamic radius-vlan Specifiable values for parameters. Note that the default VLAN (VLAN ID = 1) cannot be set by using this command. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control...
  • Page 441: Dot1X Vlan Dynamic Reauthentication

    dot1x vlan dynamic reauthentication dot1x vlan dynamic reauthentication After a successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using the dot1x vlan dynamic timeout reauth-period command as a prompt for supplicant re-authentication.
  • Page 442: Dot1X Vlan Dynamic Supplicant-Detection

    dot1x vlan dynamic supplicant-detection dot1x vlan dynamic supplicant-detection Sets the behavior when a new terminal is detected. Input format To set or change information: dot1x vlan dynamic supplicant-detection {disable | shortcut} To delete information: no dot1x vlan dynamic supplicant-detection Input mode (config) Parameters {disable | shortcut}...
  • Page 443 dot1x vlan dynamic supplicant-detection Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable. This command takes effect only if the dot1x vlan dynamic enable command has been set.
  • Page 444: Dot1X Vlan Dynamic Timeout Quiet-Period

    dot1x vlan dynamic timeout quiet-period dot1x vlan dynamic timeout quiet-period Sets the period of time (in seconds) for maintaining the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication processing is performed.
  • Page 445 dot1x vlan dynamic timeout quiet-period dot1x vlan dynamic enable...
  • Page 446: Dot1X Vlan Dynamic Timeout Reauth-Period

    dot1x vlan dynamic timeout reauth-period dot1x vlan dynamic timeout reauth-period Sets the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using this command as a prompt for supplicant re-authentication.
  • Page 447: Dot1X Vlan Dynamic Timeout

    dot1x vlan dynamic timeout reauth-period This command takes effect only if re-authentication has been set by using the dot1x vlan dynamic reauthentication command. For the parameter, set a value greater than the value set by using the dot1x vlan dynamic timeout tx-period command.
  • Page 448: Dot1X Vlan Dynamic Timeout Server-Timeout

    dot1x vlan dynamic timeout server-timeout dot1x vlan dynamic timeout server-timeout Sets the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server. Input format To set or change information: dot1x vlan dynamic timeout server-timeout <Seconds>...
  • Page 449 dot1x vlan dynamic timeout server-timeout Related commands dot1x system-auth-control dot1x vlan dynamic enable...
  • Page 450: Dot1X Vlan Dynamic Timeout Supp-Timeout

    dot1x vlan dynamic timeout supp-timeout dot1x vlan dynamic timeout supp-timeout Sets the time (in seconds) to wait for a response from a supplicant for an EAP-Request packet sent to a supplicant. If no response is received, the EAP-Request packet is retransmitted.
  • Page 451 dot1x vlan dynamic timeout supp-timeout dot1x vlan dynamic max-req dot1x vlan dynamic enable...
  • Page 452: Dot1X Vlan Dynamic Timeout Tx-Period

    dot1x vlan dynamic timeout tx-period dot1x vlan dynamic timeout tx-period Sets the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X authentication is valid. Input format To set or change information: dot1x vlan dynamic timeout tx-period <Seconds> To delete information: no dot1x vlan dynamic timeout tx-period Input mode (config)
  • Page 453 dot1x vlan dynamic timeout tx-period Related commands dot1x system-auth-control dot1x vlan dynamic timeout reauth-period dot1x vlan dynamic enable...
  • Page 454: Web Authentication

    Web Authentication Correspondence between configuration commands and authentication modes aaa accounting web-authentication aaa authentication web-authentication web-authentication authentication web-authentication auto-logout web-authentication force-authorized vlan web-authentication html-fileset web-authentication ip address web-authentication jump-url web-authentication logout ping tos-windows web-authentication logout ping ttl web-authentication logout polling count web-authentication logout polling enable web-authentication logout polling interval web-authentication logout polling retry-interval...
  • Page 455: Correspondence Between Configuration Commands And Authentication Modes

    Correspondence between configuration commands and authentication modes The following table describes Web authentication modes in which Web authentication configuration commands can be set. Table 23-1 Configuration commands and Web authentication modes Web authentication modes Command name aaa accounting web-authentication aaa authentication web-authentication authentication arp-relay authentication ip access-group web-authentication authentication...
  • Page 456: Legend

    Correspondence between configuration commands and authentication modes Web authentication modes Command name web-authentication radius-server dead-interval web-authentication radius-server host web-authentication redirect-mode web-authentication redirect enable web-authentication redirect tcp-port web-authentication roaming web-authentication static-vlan force-authorized web-authentication static-vlan max-user web-authentication static-vlan max-user (interface) web-authentication static-vlan roaming web-authentication system-auth-control web-authentication user-group web-authentication user replacement...
  • Page 457: Y: The Command Operates According To The Settings

    Correspondence between configuration commands and authentication modes L: Legacy mode Y: The command operates according to the settings. --: The command can be entered, but it will have no effect. N: The command cannot be entered. For details about command input formats, see 21 Common to Layer 2 Authentication. The specification of this command affects the switching of authentication modes.
  • Page 458: Aaa Accounting Web-Authentication

    aaa accounting web-authentication aaa accounting web-authentication Sends accounting information for Web authentication to the accounting server. Input format To set information: aaa accounting web-authentication default start-stop group radius To delete information: no aaa accounting web-authentication default Input mode (config) Parameters default Sets the default accounting method of a Switch.
  • Page 459: Aaa Authentication Web-Authentication

    aaa authentication web-authentication aaa authentication web-authentication Sets an authentication method group for Web authentication. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set. Input format To set or change information: aaa authentication web-authentication default <Method>...
  • Page 460 aaa authentication web-authentication Specify a character string that is no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters. Default behavior User authentication is performed by using the internal Web authentication database instead of using the RADIUS server.
  • Page 461: Web-Authentication Authentication

    web-authentication authentication web-authentication authentication Sets the name of an authentication method list for the port-based authentication method. Input format To set or change information: web-authentication authentication <List name> To delete information: no web-authentication authentication Input mode (config-if) Parameters <List name> Specify the authentication method list name set by using the aaa authentication command.
  • Page 462 web-authentication authentication
      - dot1x vlan dynamic radius-vlan
      - web-authentication user-group
      - web-authentication vlan
      - mac-authentication interface
      - mac-authentication vlan
    If the name of the authentication method list set by using the web-authentication authentication command does not match the name of the authentication method list set by using the aaa authentication web-authentication command, the...
  • Page 463: Web-Authentication Auto-Logout

    web-authentication auto-logout web-authentication auto-logout The no web-authentication auto-logout command disables the setting for automatic authentication logout, which is performed when it is detected that no frames have been received from a terminal authenticated via Web authentication for a certain period of time. Input format To set information: no web-authentication auto-logout...
  • Page 464: Web-Authentication Force-Authorized Vlan

    web-authentication force-authorized vlan web-authentication force-authorized vlan When the RADIUS authentication method is used, this command forcibly changes the status of a terminal to authentication authorized and assigns an authenticated VLAN if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure. Input format To set or change information: web-authentication force-authorized vlan...
  • Page 465 web-authentication force-authorized vlan See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable. Set a VLAN ID for which mac-based (MAC VLAN) has been set in the vlan command. Be especially careful when using this functionality, as it might pose a security problem.
  • Page 466 web-authentication force-authorized vlan If either of the following commands has already been set, this command cannot be set:
      - authentication force-authorized enable
      - authentication force-authorized vlan
    Related commands aaa authentication web-authentication radius-server host web-authentication radius-server host switchport mac switchport mode vlan web-authentication port web-authentication system-auth-control...
  • Page 467: Web-Authentication Html-Fileset

    web-authentication html-fileset web-authentication html-fileset Sets a custom file name for the Web authentication page displayed for each port. Input format To set or change information: web-authentication html-fileset <Name> To delete information: no web-authentication html-fileset Input mode (config-if) Parameters <Name> Specify the custom file set name registered on the Switch by using the operation command.
  • Page 468 web-authentication html-fileset Related commands web-authentication port web-authentication system-auth-control...
  • Page 469: Web-Authentication Ip Address

    web-authentication ip address web-authentication ip address Configure an IP address and a domain name to be used exclusively for Web authentication. Setting a dedicated IP address by using this command allows you to log in from and log out from an authenticated terminal by using the same IP address on the Switch. Input format To set or change information: web-authentication ip address...
  • Page 470 web-authentication ip address Notes All Web authentication settings take effect when the web-authentication system-auth-control command is set. See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable. If extended-authentication was not set when the system function command was set, this command cannot be set.
  • Page 471: Web-Authentication Jump-Url

    web-authentication jump-url web-authentication jump-url Configures a URL to be automatically displayed after the Authentication Success page is displayed and the time required before jumping to the URL. Input format To set or change information: web-authentication jump-url <URL> [delay <Seconds>] To delete information: no web-authentication jump-url Input mode (config)
  • Page 472 web-authentication jump-url Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All Web authentication settings take effect when the web-authentication system-auth-control command is set. See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable.
  • Page 473: Web-Authentication Logout Ping Tos-Windows

    web-authentication logout ping tos-windows web-authentication logout ping tos-windows Sets the TOS value of a special frame used to log out from an authenticated terminal. Input format To set or change information: web-authentication logout ping tos-windows <TOS> To delete information: no web-authentication logout ping tos-windows Input mode (config) Parameters...
  • Page 474 web-authentication logout ping tos-windows Related commands web-authentication system-auth-control web-authentication logout ping ttl...
  • Page 475: Web-Authentication Logout Ping Ttl

    web-authentication logout ping ttl web-authentication logout ping ttl Sets the TTL value of a special frame used to log out from an authenticated terminal. Input format To set or change information: web-authentication logout ping ttl <TTL> To delete information: no web-authentication logout ping ttl Input mode (config) Parameters...
  • Page 476 web-authentication logout ping ttl Related commands web-authentication system-auth-control web-authentication logout ping tos-windows...
  • Page 477: Web-Authentication Logout Polling Count

    web-authentication logout polling count web-authentication logout polling count Specifies the number of times a Switch retransmits the monitoring packet when there is no response to a monitoring frame that periodically checks a connection status of authenticated terminals. Input format To set or change information: web-authentication logout polling count <Count>...
  • Page 478 web-authentication logout polling count If the number of retransmissions when a no-response state is detected is set to the maximum, the number of monitoring frames increases proportionately with the number of authenticated users, overloading the Switch. Set the polling interval by using the following formula as a guide: Polling condition: (1) Polling interval >...
  • Page 479: Web-Authentication Logout Polling Enable

    web-authentication logout polling enable The no web-authentication logout polling enable command disables the auto logout functionality executed when periodic connection monitoring detects that an authenticated terminal is not connected. Input format To set information: no web-authentication logout polling enable To delete information: web-authentication logout polling enable Input mode...
  • Page 480 web-authentication logout polling enable If the link for a monitored terminal goes down before periodic monitoring by the functionality that monitors the connection of authenticated terminals arrives, the Switch stops monitoring the terminal and logs it out due to its link-down state. When the specified maximum connection time (set by using the web-authentication max-timer command) expires, the Switch stops monitoring...
  • Page 481: Web-Authentication Logout Polling Interval

    web-authentication logout polling interval web-authentication logout polling interval Specifies the polling interval of a monitoring frame that periodically monitors the connection status of an authenticated terminal. Input format To set or change information: web-authentication logout polling interval <Seconds> To delete information: no web-authentication logout polling interval Input mode (config)
  • Page 482 web-authentication logout polling interval The polling interval is the time between the receipt of ARP Reply from a target authenticated terminal and the next polling monitoring. If the number of retransmissions when a no-response state is detected is set to the maximum, the number of monitoring frames increases proportionately with the number of authenticated users, overloading the Switch.
  • Page 483: Web-Authentication Logout Polling Retry-Interval

    web-authentication logout polling retry-interval web-authentication logout polling retry-interval Sets the interval between retransmissions of monitoring frames that periodically monitor the connection status of authenticated terminals when a no-response state is detected. Input format To set or change information: web-authentication logout polling retry-interval <Seconds>...
  • Page 484 web-authentication logout polling retry-interval number of authenticated users, overloading the Switch. Set the polling interval by using the following formula as a guide: Polling condition: (1) Polling interval > (2) Retransmission interval x (3) Number of retransmissions (1): web-authentication logout polling interval (2): web-authentication logout polling retry-interval (3):...
  • Page 485: Web-Authentication Max-Timer

    web-authentication max-timer Sets the maximum connection time. Input format To set or change information: web-authentication max-timer { <Minutes> | infinity} To delete information: no web-authentication max-timer Input mode (config) Parameters { <Minutes> | infinity} Sets the maximum time (in minutes) that an authenticated user is allowed to be connected.
  • Page 486 web-authentication max-timer Related commands web-authentication system-auth-control web-authentication vlan web-authentication auto-logout web-authentication port...
  • Page 487: Web-Authentication Max-User

    web-authentication max-user web-authentication max-user Sets the maximum number of users that can be authenticated on a Switch. Input format To set or change information: web-authentication max-user <Count> To delete information: no web-authentication max-user Input mode (config) Parameters <Count> Sets the maximum number of users that can be authenticated on a Switch on which user authentication is performed.
  • Page 488 web-authentication max-user no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
  • Page 489: Web-Authentication Max-User (Interface)

    web-authentication max-user (interface) web-authentication max-user (interface) Sets the maximum number of users that can be authenticated on the applicable port. Input format To set or change information: web-authentication max-user <Count> To delete information: no web-authentication max-user Input mode (config-if) Parameters <Count>...
  • Page 490 web-authentication max-user (interface) no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
  • Page 491: Web-Authentication Port

    web-authentication port web-authentication port Sets the authentication mode for ports. Input format To set information: web-authentication port To delete information: no web-authentication port Input mode (config-if) Parameters None Default behavior When Web authentication is valid, the port operates in legacy mode. Impact on communication None When the change is applied...
  • Page 492: Web-Authentication Radius-Server Dead-Interval

    web-authentication radius-server dead-interval web-authentication radius-server dead-interval Configures the timer for monitoring automatic restoration to the primary Web authentication RADIUS server from the Web authentication RADIUS server. The primary Web authentication RADIUS server is restored when either of the following occurs: The current server (the destination for RADIUS authentication requests in operation) switches to a valid secondary Web authentication RADIUS server, or when all servers are disabled, the monitoring timer starts, and the period of time set by this command elapses (when the monitoring timer expires).
  • Page 493 web-authentication radius-server dead-interval Notes All Web authentication settings take effect when the web-authentication system-auth-control command is set. See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable. If three or more Web authentication RADIUS servers are configured and another Web authentication RADIUS server becomes the current server after the monitoring timer starts, the monitoring timer is not reset and continues to run.
  • Page 494: Web-Authentication Radius-Server Host

    web-authentication radius-server host Configures the RADIUS server used for Web authentication. Input format To set or change information: web-authentication radius-server host <IP address> [auth-port <Port>] [acct-port <Port>] [timeout <Seconds>] [retransmit <Retries>] [key <String>] To delete information: no web-authentication radius-server host <IP address>...
  • Page 495 web-authentication radius-server host 1 to 30 (seconds) retransmit <Retries> Sets the number of times an authentication request is resent to the RADIUS server. Default value when this parameter is omitted: The number of times set by using the command radius-server retransmit is used.
  • Page 496 web-authentication radius-server host If the parameter is omitted and the radius-server key command is not set, the RADIUS server is disabled. If multiple Web authentication RADIUS servers are configured, the address displayed first by using the show radius-server operation command is the address of the primary Web authentication RADIUS server.
  • Page 497: Web-Authentication Redirect-Mode

    web-authentication redirect-mode web-authentication redirect-mode Sets a protocol to display the Web authentication Login page when the URL redirect functionality is enabled. Input format To set or change information: web-authentication redirect-mode {http | https} To delete information: no web-authentication redirect-mode Input mode (config) Parameters { http | https }...
  • Page 498 web-authentication redirect-mode web-authentication port web-authentication redirect enable...
  • Page 499: Web-Authentication Redirect Enable

    web-authentication redirect enable The no web-authentication redirect enable command disables the URL redirect functionality. Input format To set information: no web-authentication redirect enable To delete information: web-authentication redirect enable Input mode (config) Parameters None Default behavior The URL redirect functionality is enabled. Impact on communication After the no web-authentication redirect enable...
  • Page 500: Web-Authentication Redirect Tcp-Port

    web-authentication redirect tcp-port web-authentication redirect tcp-port When the URL redirect functionality is enabled, this command sets an additional TCP destination port number for a frame subject to URL redirect on a Switch. Usually, a port number can be added to the standard port number assigned for http (80). Input format To set or change information: web-authentication redirect tcp-port...
  • Page 501 web-authentication redirect tcp-port A port number that causes the https protocol to be subject to redirection cannot be added by using this command. This command performs the same operation performed by the web-authentication web-port command. If different port numbers are specified for these two commands, each specification becomes valid.
  • Page 502: Web-Authentication Roaming

    web-authentication roaming web-authentication roaming Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring. Input format To set or change information: web-authentication roaming [action trap] To delete information: no web-authentication roaming Input mode...
  • Page 503 web-authentication roaming When private traps are issued, use the snmp-server host command to set the destination IP address for traps and web-authentication Related commands web-authentication system-auth-control web-authentication port snmp-server host...
  • Page 504: Web-Authentication Static-Vlan Force-Authorized

    web-authentication static-vlan force-authorized web-authentication static-vlan force-authorized When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
  • Page 505 web-authentication static-vlan force-authorized web-authentication port web-authentication static-vlan force-authorized web-authentication system-auth-control aaa authentication web-authentication web-authentication authentication Specify the same Ethernet port. The following accounting log data is collected when an authentication request is sent to the RADIUS server: No=21: NOTICE:LOGIN: <Additional information> Login failed ;...
  • Page 506: Web-Authentication Static-Vlan Max-User

    web-authentication static-vlan max-user web-authentication static-vlan max-user Sets the maximum number of users that can be authenticated on a Switch. Input format To set or change information: web-authentication static-vlan max-user <Count> To delete information: no web-authentication static-vlan max-user Input mode (config) Parameters <Count>...
  • Page 507 web-authentication static-vlan max-user no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
  • Page 508: Web-Authentication Static-Vlan Max-User (Interface)

    web-authentication static-vlan max-user (interface) web-authentication static-vlan max-user (interface) Sets the maximum number of users that can be authenticated on the applicable port. Input format To set or change information: web-authentication static-vlan max-user <Count> To delete information: no web-authentication static-vlan max-user Input mode (config-if) Parameters...
  • Page 509 web-authentication static-vlan max-user (interface) no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
  • Page 510: Web-Authentication Static-Vlan Roaming

    web-authentication static-vlan roaming web-authentication static-vlan roaming Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring. Input format To set or change information: web-authentication static-vlan roaming [action trap] To delete information: no web-authentication static-vlan roaming...
  • Page 511 web-authentication static-vlan roaming When private traps are issued, use the snmp-server host command to set the destination IP address for traps and web-authentication Related commands web-authentication system-auth-control web-authentication port snmp-server host...
  • Page 512: Web-Authentication System-Auth-Control

    web-authentication system-auth-control web-authentication system-auth-control Enables Web authentication. Note that if the no web-authentication system-auth-control command is executed, Web authentication stops. Input format To set information: web-authentication system-auth-control To delete information: no web-authentication system-auth-control Input mode (config) Parameters None Default behavior Web authentication is not performed.
  • Page 513: Web-Authentication User-Group

    web-authentication user-group Enables the user ID-based authentication method. To handle IDs in the form <User ID>@<Authentication method list name>, use the at mark (@) to separate the entered user IDs. Input format To set information: web-authentication user-group To delete information: no web-authentication user-group...
  • Page 514 web-authentication user-group If the authentication method list name separated from entered user IDs does not match the authentication method list name set by using the aaa authentication web-authentication command, the default settings of the Switch are used. Related commands aaa authentication web-authentication web-authentication system-auth-control web-authentication port...
  • Page 515: Web-Authentication User Replacement

    web-authentication user replacement web-authentication user replacement Enables the switch-user option. Enables authentication with a different user ID after successful authentication with the first user ID when several user IDs are used for a terminal. Input format To set information: web-authentication user replacement To delete information: no web-authentication user replacement Input mode...
  • Page 516: Web-Authentication Vlan

    web-authentication vlan web-authentication vlan Sets the VLAN ID to dynamically switch after user authentication. Unless this command is set, no VLANs can be switched after authentication. Input format To set or change information: web-authentication vlan <VLAN ID list> To delete information: no web-authentication vlan <VLAN ID list>...
  • Page 517 web-authentication vlan • dot1x authentication • mac-authentication authentication • web-authentication authentication • web-authentication user-group Related commands switchport mac vlan web-authentication system-auth-control...
  • Page 518: Web-Authentication Web-Port

    web-authentication web-port web-authentication web-port When the URL redirect functionality is enabled, this command sets an additional TCP destination port number for a frame subject to URL redirect on a Switch. Usually, one port number each can be added to the port number assigned for http (80) and for https (443).
  • Page 519 web-authentication web-port is one each for the http and https parameters. This command performs the same operation performed by the web-authentication redirect tcp-port command. If different port numbers are specified for these two commands, each specification becomes valid. How the commands are handled if the same port number is specified is described in the following table.
  • Page 520: Default-Router

    default-router default-router Sets the router option that is distributed to clients. A router option is an IP address the client can use as a router IP address over the subnet (default router). Input format To set or change information: default-router <IP address>...
  • Page 521: Dns-Server

    dns-server dns-server Sets the domain name server option that is distributed to clients. The domain name server option is the IP address of a DNS server that a client can use. Input format To set or change information: dns-server <IP address> <IP address>...
  • Page 522: Ip Dhcp Excluded-Address

    ip dhcp excluded-address ip dhcp excluded-address Sets a range of IP addresses that are to be excluded from distribution in the IP address pool specified by using the network command. Input format To set or change information: ip dhcp excluded-address <Low address>...
  • Page 523: Ip Dhcp Pool

    ip dhcp pool ip dhcp pool Configures DHCP address pool information. Input format To set or change information: ip dhcp pool <Pool name> To delete information: no ip dhcp pool <Pool name> Input mode (config) Parameters <Pool name> Specify the name of the DHCP address pool. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 524: Lease

    lease Sets the default lease time of the IP addresses distributed to clients. Input format To set or change information: lease { <Time day> [<Time hour> [<Time min> [<Time sec>]]] | infinite} To delete information: no lease Input mode (dhcp-config) Parameters <Time day>...
  • Page 525 lease Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If a value exceeding the maximum lease time ( max-lease ) is set as the lease time, the maximum lease time has precedence. The shorter the lease time set, the more frequently a client updates the lease.
  • Page 526: Max-Lease

    max-lease Sets the maximum allowable lease time when a client specifies the lease time and requests an IP address. Input format To set or change information: max-lease { <Time day> [<Time hour> [<Time min> [<Time sec>]]] | infinite} To delete information: no max-lease Input mode...
  • Page 527 max-lease Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes The shorter the lease time set, the more frequently a client updates the lease. Therefore, do not specify an extremely short lease time except for a very limited usage such as a temporary IP address.
  • Page 528: Network

    network network Sets the subnet of the network in which IP addresses are dynamically distributed via DHCP. Only the subnets whose host bits in the IP address host part are all 0s or 1s are actually registered in the DHCP address pool. Input format To set or change information: network...
  • Page 529 network Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When this command is set, all IP addresses excluding those in which the bits in the host part of the target subnet are all 1s or all 0s are secured as the IP address pool.
  • Page 530: Service Dhcp

    service dhcp service dhcp Sets the interface on which a DHCP server is enabled. Only the interface specified by using this command receives DHCP packets. Input format To set or change information: service dhcp vlan <VLAN ID> To delete information: no service dhcp vlan <VLAN ID>...
  • Page 531: Mac-Based Authentication

    MAC-based Authentication Correspondence between configuration commands and authentication modes aaa accounting mac-authentication aaa authentication mac-authentication mac-authentication access-group mac-authentication authentication mac-authentication auto-logout mac-authentication force-authorized vlan mac-authentication id-format mac-authentication interface mac-authentication max-timer mac-authentication max-user mac-authentication max-user (interface) mac-authentication password mac-authentication port mac-authentication radius-server dead-interval mac-authentication radius-server host mac-authentication roaming mac-authentication static-vlan force-authorized...
  • Page 532: Correspondence Between Configuration Commands And Authentication Modes

    Correspondence between configuration commands and authentication modes Correspondence between configuration commands and authentication modes The following table describes MAC-based authentication modes in which MAC-based authentication configuration commands can be set. Table 24-1 Configuration commands and MAC-based authentication modes MAC-based authentication modes Command name aaa accounting mac-authentication aaa authentication mac-authentication...
  • Page 533 Correspondence between configuration commands and authentication modes MAC-based authentication modes Command name mac-authentication static-vlan max-user (interface) mac-authentication static-vlan roaming mac-authentication system-auth-control mac-authentication timeout quiet-period mac-authentication timeout reauth-period mac-authentication vlan mac-authentication vlan-check Legend F: Fixed VLAN mode D: Dynamic VLAN mode L: Legacy mode Y: The command operates according to the settings.
  • Page 534: Aaa Accounting Mac-Authentication

    aaa accounting mac-authentication aaa accounting mac-authentication Sends accounting information for MAC-based authentication to an accounting server. Input format To set information: aaa accounting mac-authentication default start-stop group radius To delete information: no aaa accounting mac-authentication default Input mode (config) Parameters default Sets the default accounting method of a Switch.
  • Page 535: Aaa Authentication Mac-Authentication

    aaa authentication mac-authentication Sets an authentication method group for MAC-based authentication. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set. Input format To set or change information: aaa authentication mac-authentication default <Method>...
  • Page 536 aaa authentication mac-authentication Specify a character string that is no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters. Default behavior Authentication is performed by using the internal MAC-based authentication database instead of using the RADIUS server.
  • Page 537: Mac-Authentication Access-Group

    mac-authentication access-group mac-authentication access-group By applying the MAC access list to MAC-based authentication ports, sets whether terminals are to be authenticated or not by using MAC addresses. Input format To set or change information: mac-authentication access-group <ACL ID> To delete information: no mac-authentication access-group Input mode (config)
  • Page 538 mac-authentication access-group Related commands mac-authentication system-auth-control mac access-list extended...
  • Page 539: Mac-Authentication Authentication

    mac-authentication authentication mac-authentication authentication Sets the name of an authentication method list for the port-based authentication method. Input format To set or change information: mac-authentication authentication <List name> To delete information: no mac-authentication authentication Input mode (config-if) Parameters <List name> Sets the authentication method list name set by using the aaa authentication command.
  • Page 540 mac-authentication authentication • dot1x vlan dynamic radius-vlan • web-authentication user-group • web-authentication vlan • mac-authentication interface • mac-authentication vlan If the authentication method list name set by using this command does not match the authentication method list name set by using the aaa authentication mac-authentication command, the default settings of the Switch are used.
  • Page 541: Mac-Authentication Auto-Logout

    mac-authentication auto-logout The no mac-authentication auto-logout command disables automatic cancellation of authentication if no frames are received from a terminal authenticated by MAC-based authentication for a certain period of time. Setting delay-time changes the time, but the actual operation varies according to the authentication mode.
  • Page 542 mac-authentication auto-logout Default value when this parameter is omitted: After an aging timeout, authentication is not canceled for 3600 seconds. Range of values: 0, 60 to 86400 Default behavior • Fixed VLAN mode, dynamic VLAN mode After authentication in either of these authentication modes, if no frames are received from a terminal for the applicable MAC-based authentication entry when 3600 seconds has passed, the applicable MAC-based authentication entry is deleted from the MAC table automatically and authentication is canceled.
  • Page 543: Mac-Authentication Force-Authorized Vlan

    mac-authentication force-authorized vlan mac-authentication force-authorized vlan When the RADIUS authentication method is used, this command forcibly changes the status of a terminal to authentication authorized and assigns an authenticated VLAN if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure. Input format To set or change information: mac-authentication force-authorized vlan...
  • Page 544 mac-authentication force-authorized vlan See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable. Set a VLAN ID for which mac-based (MAC VLAN) has been set in the vlan command. Be especially careful when using this functionality, as it can pose a security problem. This command is enabled when the following condition exists: • ...
  • Page 545 mac-authentication force-authorized vlan Before issuing private traps, you must use the snmp-server host command to set the destination IP address for traps and mac-authentication If either of the following commands has already been set, this command cannot be set: • authentication force-authorized enable • ...
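
The polling condition given for the logout polling commands and the caution attached to the force-authorized commands can both be checked mechanically against a saved configuration. The following audit script is an added example, not code from the manual or from the vendor; the sample configuration is constructed, and the `interface fastethernet 0/5` line, the indentation of interface-mode commands, the `Finding` class and the rule names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (not taken from a real device).
# Assumption: interface-mode commands are indented under an "interface" line.
SAMPLE_CONFIG = """\
web-authentication system-auth-control
web-authentication redirect-mode http
web-authentication max-timer infinity
web-authentication logout polling interval 60
web-authentication logout polling retry-interval 10
web-authentication logout polling count 6
mac-authentication system-auth-control
mac-authentication max-timer 480
mac-authentication force-authorized vlan 100
interface fastethernet 0/5
  web-authentication port
  web-authentication static-vlan force-authorized
"""

POLL_RE = re.compile(
    r"web-authentication logout polling (interval|retry-interval|count) (\d+)")
FAIL_OPEN_RE = re.compile(
    r"(?:web|mac)-authentication (?:static-vlan )?force-authorized\b")
NO_LIMIT_RE = re.compile(r"(?:web|mac)-authentication max-timer infinity")
HTTP_LOGIN = "web-authentication redirect-mode http"


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name used by this example
    context: str   # "global" or the enclosing interface line
    detail: str


def audit(config_text):
    """Return findings for fail-open, unlimited-session, cleartext-login
    and polling-condition issues in an authentication configuration."""
    findings = []
    polling = {}
    context = "global"
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line:
            continue
        if line.startswith("interface "):
            context = line
            continue
        if not raw[0].isspace():
            context = "global"  # an unindented command leaves interface mode
        m = POLL_RE.fullmatch(line)
        if m:
            polling[m.group(1)] = int(m.group(2))
        elif FAIL_OPEN_RE.match(line):
            findings.append(Finding(
                "fail-open", context,
                f"'{line}': terminals are authorized when RADIUS is unreachable"))
        elif NO_LIMIT_RE.fullmatch(line):
            findings.append(Finding(
                "no-session-limit", context,
                f"'{line}': no maximum connection time"))
        elif line == HTTP_LOGIN:
            findings.append(Finding(
                "cleartext-login", context,
                "login page is redirected over http, not https"))

    # Polling condition from the manual:
    #   polling interval > retransmission interval x number of retransmissions
    # Defaults are not assumed here; all three values must be set explicitly.
    missing = {"interval", "retry-interval", "count"} - polling.keys()
    if polling and missing:
        findings.append(Finding(
            "polling-incomplete", "global",
            "cannot evaluate polling condition, not set: " + ", ".join(sorted(missing))))
    elif not missing:
        budget = polling["retry-interval"] * polling["count"]
        if not polling["interval"] > budget:
            findings.append(Finding(
                "polling-condition", "global",
                f"interval {polling['interval']}s is not greater than "
                f"retry-interval x count = {budget}s"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.rule}] ({f.context}) {f.detail}")
```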
  • Page 546: Mac-Authentication Id-Format

    mac-authentication id-format mac-authentication id-format When using RADIUS authentication, specifies MAC address format for authentication requests to the RADIUS server. Input format To set or change information: mac-authentication id-format <Type> [capitals] To delete information: no mac-authentication id-format Input mode (config) Parameters <Type>...
  • Page 547 mac-authentication id-format When the change is applied The change is applied immediately after setting values are changed. Notes All MAC-based authentication settings take effect when the mac-authentication system-auth-control command is set. See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable.
  • Page 548: Mac-Authentication Interface

    mac-authentication interface mac-authentication interface Sets the applicable interface ports in MAC-based authentication legacy mode. Input format To set or change information: mac-authentication interface fastethernet <IF# list> mac-authentication interface gigabitethernet <IF# list> To delete information: no mac-authentication interface fastethernet no mac-authentication interface gigabitethernet Input mode (config) Parameters...
  • Page 549 mac-authentication interface • mac-authentication authentication • web-authentication authentication • web-authentication user-group Related commands mac-authentication system-auth-control...
  • Page 550: Mac-Authentication Max-Timer

    mac-authentication max-timer Sets the maximum connection time. Input format To set or change information: mac-authentication max-timer { <Minutes> | infinity} To delete information: no mac-authentication max-timer Input mode (config) Parameters { <Minutes> | infinity} Sets the maximum time (in minutes) an authenticated terminal is allowed to be connected.
  • Page 551 mac-authentication max-timer Related commands mac-authentication system-auth-control...
  • Page 552: Mac-Authentication Max-User

    mac-authentication max-user mac-authentication max-user Sets the maximum number of terminals that can be authenticated on a Switch. Input format To set or change information: mac-authentication max-user <Count> To delete information: no mac-authentication max-user Input mode (config) Parameters <Count> Sets the maximum number of terminals that can be authenticated on a Switch. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 553 mac-authentication max-user Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated. If the port to which an authenticated terminal is connected is moved, the number of actually connected terminals might be different from the number of authenticated terminals.
  • Page 554: Mac-Authentication Max-User (Interface)

    mac-authentication max-user (interface) mac-authentication max-user (interface) Sets the maximum number of authentication terminals that can be authenticated on the applicable port. Input format To set or change information: mac-authentication max-user <Count> To delete information: no mac-authentication max-user Input mode (config-if) Parameters <Count>...
  • Page 555 mac-authentication max-user (interface) authenticated on the applicable port. • If the number of authenticated terminals reaches the maximum number for a Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated.
  • Page 556: Mac-Authentication Password

    mac-authentication password mac-authentication password When the RADIUS authentication method is used, this command sets the password used for sending authentication requests to the RADIUS server. Input format To set or change information: mac-authentication password <Password> To delete information: no mac-authentication password Input mode (config) Parameters...
  • Page 557 mac-authentication password authentication RADIUS authentication terminals. Related commands mac-authentication system-auth-control mac-authentication id-format aaa authentication mac-authentication...
  • Page 558: Mac-Authentication Port

    mac-authentication port mac-authentication port Sets the authentication mode for ports. Input format To set information: mac-authentication port To delete information: no mac-authentication port Input mode (config-if) Parameters None Default behavior When MAC-based authentication is valid, the port operates in legacy mode. Impact on communication If a port subject to authentication is deleted by using this command, authentication is canceled on all applicable ports.
  • Page 559: Mac-Authentication Radius-Server Dead-Interval

    mac-authentication radius-server dead-interval mac-authentication radius-server dead-interval Configures the timer for monitoring automatic restoration to the primary MAC-based authentication RADIUS server from the MAC-based authentication RADIUS server. The primary MAC-based authentication RADIUS server is restored when either of the following occurs: The current server (the destination for RADIUS authentication requests in operation) switches to a valid secondary MAC-based authentication RADIUS server, or when all servers are disabled, the monitoring timer starts, and the period of time set by this command elapses (when the monitoring timer expires).
  • Page 560 mac-authentication radius-server dead-interval monitoring timer counter continues without being reset and runs for 10 minutes (default value). Notes All MAC-based authentication settings take effect when the mac-authentication system-auth-control command is set. See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable.
  • Page 561: Mac-Authentication Radius-Server Host

    mac-authentication radius-server host mac-authentication radius-server host Configures the RADIUS server used for MAC-based authentication. Input format To set or change information: mac-authentication radius-server host <IP address> [auth-port <Port> [acct-port <Port> ] [timeout <Seconds> ] [retransmit <Retries> ] [key <String> To delete information: no mac-authentication radius-server host <IP address>...
  • Page 562 mac-authentication radius-server host 1 to 30 (seconds) retransmit <Retries> Sets the number of times an authentication request is resent to the RADIUS server. Default value when this parameter is omitted: The number of times set by using the command radius-server retransmit is used.
  • Page 563 mac-authentication radius-server host If the parameter is omitted and the radius-server key command is not set, the RADIUS server is disabled. If multiple MAC-based authentication RADIUS servers are configured, the address displayed first by using the show radius-server operation command is the primary MAC-based authentication RADIUS server.
  • Page 564: Mac-Authentication Roaming

    mac-authentication roaming mac-authentication roaming Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring. Input format To set or change information: mac-authentication roaming [action trap] To delete information: no mac-authentication roaming Input mode...
  • Page 565 mac-authentication roaming Before issuing private traps, you must use the snmp-server host command to set the destination IP address for traps and mac-authentication Related commands mac-authentication system-auth-control mac-authentication port snmp-server host...
  • Page 566: Mac-Authentication Static-Vlan Force-Authorized

    mac-authentication static-vlan force-authorized mac-authentication static-vlan force-authorized When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
  • Page 567 mac-authentication static-vlan force-authorized mac-authentication static-vlan force-authorized mac-authentication system-auth-control aaa authentication mac-authentication mac-authentication authentication Specify the same Ethernet port. The following accounting log data is collected when an authentication request is sent to the RADIUS server: No=21: NOTICE:LOGIN: ( <Additional information> ) Login failed ;...
  • Page 568: Mac-Authentication Static-Vlan Max-User

    mac-authentication static-vlan max-user mac-authentication static-vlan max-user Sets the maximum number of terminals that can be authenticated on a Switch. Input format To set or change information: mac-authentication static-vlan max-user <Count> To delete information: no mac-authentication static-vlan max-user Input mode (config) Parameters <Count>...
  • Page 569 mac-authentication static-vlan max-user Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated. If the DHCP snooping functionality is also used, the maximum number of terminals is limited to 246.
  • Page 570: Mac-Authentication Static-Vlan Max-User (Interface)

    mac-authentication static-vlan max-user (interface) mac-authentication static-vlan max-user (interface) Sets the maximum number of authentication terminals that can be authenticated on the applicable port. Input format To set or change information: mac-authentication static-vlan max-user <Count> To delete information: no mac-authentication static-vlan max-user Input mode (config-if) Parameters...
  • Page 571 mac-authentication static-vlan max-user (interface) authenticated on the applicable port. If the number of authenticated terminals reaches the maximum number for a Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated.
  • Page 572: Mac-Authentication Static-Vlan Roaming

    mac-authentication static-vlan roaming mac-authentication static-vlan roaming Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring. Input format To set or change information: mac-authentication static-vlan roaming [action trap] To delete information: no mac-authentication...
  • Page 573 mac-authentication static-vlan roaming Before issuing private traps, you must use the snmp-server host command to set the destination IP address for traps and mac-authentication Related commands mac-authentication system-auth-control mac-authentication port snmp-server host...
  • Page 574: Mac-Authentication System-Auth-Control

    mac-authentication system-auth-control mac-authentication system-auth-control Enables MAC-based authentication. Note that if the no mac-authentication system-auth-control command is executed, MAC-based authentication stops. Input format To set information: mac-authentication system-auth-control To delete information: no mac-authentication system-auth-control Input mode (config) Parameters None Default behavior MAC-based authentication is not performed.
  • Page 575: Mac-Authentication Timeout Quiet-Period

    mac-authentication timeout quiet-period mac-authentication timeout quiet-period Sets the time during which re-authentication will not be attempted (re-authentication delay timer) for the same terminal (MAC address) when authentication fails. No authentication processing is performed during this period. Input format To set or change information: mac-authentication timeout quiet-period <Seconds>...
  • Page 576 mac-authentication timeout quiet-period Notes All MAC-based authentication settings take effect when the mac-authentication system-auth-control command is set. See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable. When multistep authentication is used, a value other than 0 must be set for this command.
  • Page 577: Mac-Authentication Timeout Reauth-Period

    mac-authentication timeout reauth-period mac-authentication timeout reauth-period Sets the interval for re-authenticating terminals after an authentication has been successful. Input format To set or change information: mac-authentication timeout reauth-period <Seconds> To delete information: no mac-authentication timeout reauth-period Input mode (config) Parameters <Seconds>...
  • Page 578 mac-authentication timeout reauth-period Related commands mac-authentication system-auth-control...
  • Page 579: Mac-Authentication Vlan

    mac-authentication vlan mac-authentication vlan Sets the VLAN IDs of VLANs to be switched dynamically after legacy mode authentication. If this command is not set, no VLANs are switched after legacy-mode authentication. Input format To set or change information: mac-authentication vlan <VLAN ID list>...
  • Page 580 mac-authentication vlan - dot1x authentication - mac-authentication authentication - web-authentication authentication - web-authentication user-group Related commands mac-authentication system-auth-control switchport mac...
  • Page 581: Mac-Authentication Vlan-Check

    mac-authentication vlan-check mac-authentication vlan-check Checks the VLAN ID when checking a MAC address during authentication processing. For the RADIUS authentication method, the MAC address string and the string set by using this command ( %VLAN is set by default), and the VLAN ID are combined and used as the user ID for sending an authentication request to the RADIUS server.
  • Page 582 mac-authentication vlan-check See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable. Related commands mac-authentication system-auth-control mac-authentication port aaa authentication mac-authentication...
  • Page 583: Multistep Authentication

    Multistep Authentication authentication multi-step...
  • Page 584: Authentication Multi-Step

    authentication multi-step authentication multi-step Configure a multistep authentication port. Input format To set or change information: authentication multi-step [{permissive | dot1x}] To delete information: no authentication multi-step Input mode (config-if) Parameters {permissive | dot1x} permissive Permits both Web authentication and IEEE 802.1X authentication for a terminal on which the first step (MAC-based authentication) has failed.
  • Page 585 authentication multi-step Notes If at least one of the following commands is set for a Switch, the authentication multi-step command cannot be set: - dot1x vlan dynamic enable - dot1x vlan dynamic radius-vlan - mac-authentication interface - mac-authentication vlan - web-authentication vlan This command can be set only for Ethernet interfaces.
  • Page 586: Secure Wake-On-Lan [Op-Wol]

    Secure Wake-on-LAN [OP-WOL] http-server [OP-WOL]...
  • Page 587: Http-Server [Op-Wol]

    http-server [OP-WOL] http-server [OP-WOL] Enables the HTTP server functionality. Input format To set information: http-server To delete information: no http-server Input mode (config) Parameters None Default behavior When the web-authentication system-auth-control command is set: Enabled When the web-authentication system-auth-control command is not set: Disabled Impact on communication None...
  • Page 588 http-server [OP-WOL] Columns: Configuration settings (http-server, web-authentication system-auth-control), Secure Wake-on-LAN (Functionality, Login page), Web authentication (Functionality, User authentication screen). Not set Not set Not displayed. Not displayed. Does not operate. Does not operate. Operates. Operates. Can be Can be displayed.
  • Page 589: Part 10: High Reliability Based On Redundant Configurations

    Part 10: High Reliability Based on Redundant Configurations Uplink Redundancy switchport backup interface switchport backup flush request transmit switchport backup mac-address-table update exclude-vlan switchport backup mac-address-table update retransmit switchport backup mac-address-table update transmit switchport-backup startup-active-port-selection...
  • Page 590: Switchport Backup Interface

    switchport backup interface switchport backup interface Specifies primary and secondary ports and automatic or timer preemption wait time. Input format To set or change information: switchport backup interface {{fastethernet | gigabitethernet} <IF#> port-channel <Channel group#> } [ preemption delay <Seconds> To delete information: no switchport backup interface Input mode...
  • Page 591 switchport backup interface Notes When spanning trees are used at the higher-level switch, the status will be listening learning after recovering from the link-down state and communication cannot be restored immediately. In this case, we recommend that you set the timer preemption wait time to 30 seconds or longer.
  • Page 592: Switchport Backup Flush Request Transmit

    switchport backup flush request transmit switchport backup flush request transmit Enables the sending of flush control frames to request that the upstream switches clear their MAC address tables. Input format To set or change information: switchport backup flush request transmit [vlan <VLAN ID>...
  • Page 593: Switchport Backup Mac-Address-Table Update Exclude-Vlan

    switchport backup mac-address-table update exclude-vlan switchport backup mac-address-table update exclude-vlan Sets the VLAN to be excluded when sending MAC address update frames. Input format To set or change information: switchport backup mac-address-table update exclude-vlan <VLAN ID list> To delete information: no switchport backup mac-address-table update exclude-vlan Input mode (config-if)
  • Page 594 switchport backup mac-address-table update exclude-vlan Related commands switchport backup interface switchport backup mac-address-table update transmit...
  • Page 595: Switchport Backup Mac-Address-Table Update Retransmit

    switchport backup mac-address-table update retransmit switchport backup mac-address-table update retransmit Specifies the number of re-transmissions of MAC address update frames. Input format To set or change information: switchport backup mac-address-table update retransmit <Count> To delete information: no switchport backup mac-address-table update retransmit Input mode (config-if) Parameters...
  • Page 596: Switchport Backup Mac-Address-Table Update Transmit

    switchport backup mac-address-table update transmit switchport backup mac-address-table update transmit Enables the sending of MAC address update frames to request that the upstream switches update their MAC address tables. Input format To set information: switchport backup mac-address-table update transmit To delete information: no switchport backup mac-address-table update transmit Input mode (config-if)
  • Page 597: Switchport-Backup Startup-Active-Port-Selection

    switchport-backup startup-active-port-selection switchport-backup startup-active-port-selection Enables active port locking at Switch startup. Input format To set information: switchport-backup startup-active-port-selection primary-only To delete information: no switchport-backup startup-active-port-selection Input mode (config) Parameters primary-only Sets only the primary port as the active port at Switch startup. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 598: Related Commands

    switchport-backup startup-active-port-selection Related commands None...
  • Page 599: Part 11: High Reliability Based On Network Failure Detection

    Part 11: High Reliability Based on Network Failure Detection IEEE 802.3ah/UDLD efmoam active efmoam disable efmoam udld-detection-count...
  • Page 600: Efmoam Active

    efmoam active efmoam active Sets the port to be monitored by the IEEE 802.3ah/OAM functionality to active mode. Input format To set or change information: efmoam active [udld] To delete information: no efmoam active Input mode (config-if) Parameters udld Sets the applicable port as the port to be monitored by the IEEE 802.3ah/UDLD functionality and enables the unidirectional link failure detection functionality.
  • Page 601: Efmoam Disable

    efmoam disable efmoam disable Enables or disables the IEEE 802.3ah/OAM functionality on a Switch. To disable the IEEE 802.3ah/OAM functionality, set the efmoam disable command. To enable the IEEE 802.3ah/OAM functionality again, set the no efmoam disable command. In passive mode, the send process starts when an OAMPDU from the active mode is received.
  • Page 602: Efmoam Udld-Detection-Count

    efmoam udld-detection-count efmoam udld-detection-count Sets the number of OAMPDU response timeouts that must occur to recognize a failure. (The OAMPDU is a monitoring packet of the IEEE 802.3ah/UDLD functionality.) Input format To set or change information: efmoam udld-detection-count <Count> To delete information: no efmoam udld-detection-count Input mode (config)
  • Page 603: Storm Control

    Storm Control storm-control...
  • Page 604: Storm-Control

    storm-control storm-control Configures the storm control functionality. This functionality sets the threshold of frames to be flooded and received by a Switch. When a broadcast storm or another problem occurs, the flooded frames exceeding the threshold are discarded. As a result, network load and Switch load decrease.
  • Page 605 storm-control Parameters broadcast Sets broadcast frames as subject to storm control. Default value when this parameter is omitted: The storm control functionality is not set. multicast Sets multicast frames as subject to storm control. Default value when this parameter is omitted: The storm control functionality is not set.
  • Page 606 storm-control Default value when this parameter is omitted: If a storm is detected, no SNMP traps are issued. action log Outputs operation log data when a storm or the end of a storm is detected. Default value when this parameter is omitted: Operation log data is not output when a storm is detected.
  • Page 607 storm-control Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes Storm control is controlled by the number of received frames. Frame length is irrelevant. When received frames exceed the storm detection threshold, control frames are also discarded.
  • Page 608: L2 Loop Detection

    L2 Loop Detection loop-detection loop-detection auto-restore-time loop-detection enable loop-detection hold-time loop-detection interval-time loop-detection threshold...
  • Page 609: Loop-Detection

    loop-detection loop-detection Sets the port type for the L2 loop detection functionality. Input format To set or change information: loop-detection {send-inact-port | send-port | uplink-port | exception-port} To delete information: no loop-detection Input mode (config-if) Parameters {send-inact-port | send-port | uplink-port | exception-port} send-inact-port Sets a port as a detecting and blocking port.
  • Page 610 loop-detection When the change is applied The change is applied immediately after setting values are changed. Notes Changing the port type clears the following information: - The number of L2 loop detections until the port is blocked - The time from blocking of the port until automatic recovery occurs. If the port type is changed, the statistics for sending and receiving L2 loop detection frames for each port are not cleared.
  • Page 611: Loop-Detection Auto-Restore-Time

    loop-detection auto-restore-time loop-detection auto-restore-time Sets the time required for automatic activation of a blocked port. Input format To set or change information: loop-detection auto-restore-time <Seconds> To delete information: no loop-detection auto-restore-time Input mode (config) Parameters <Seconds> Sets the time (in seconds) required for automatic activation of a blocked port. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 612: Loop-Detection Enable

    loop-detection enable loop-detection enable Enables L2 loop detection. Input format To set information: loop-detection enable To delete information: no loop-detection enable Input mode (config) Parameters None Default behavior L2 loop detection is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 613: Loop-Detection Hold-Time

    loop-detection hold-time loop-detection hold-time Sets the time for holding the number of L2 loop detections before a port is blocked. If the period of time for holding the number of L2 loop detections elapses without an L2 loop detection frame being received since the last L2 loop detection frame was received, the number of L2 loop detections held on the port is cleared.
  • Page 614: Loop-Detection Interval-Time

    loop-detection interval-time loop-detection interval-time Sets the interval for sending L2 loop detection frames. Input format To set or change information: loop-detection interval-time <Seconds> To delete information: no loop-detection interval-time Input mode (config) Parameters <Seconds> Sets the interval (in seconds) for sending L2 loop detection frames. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 615: Loop-Detection Threshold

    loop-detection threshold loop-detection threshold Sets the number of L2 loop detections before a port is blocked. If the number of detections becomes equal to or greater than the specified number, the port is blocked. Input format To set or change information: loop-detection threshold <Count>...
  • Page 616: Cfm

    domain name ethernet cfm cc alarm-priority ethernet cfm cc alarm-reset-time ethernet cfm cc alarm-start-time ethernet cfm cc enable ethernet cfm cc interval ethernet cfm domain ethernet cfm enable (global) ethernet cfm enable (interface) ethernet cfm mep ethernet cfm mip ma name ma vlan-group...
  • Page 617: Domain Name

    domain name domain name Sets the name used for a target domain. Input format To set or change information: domain name {no-present | str <Strings> | dns <Name> | mac <MAC> <ID>} To delete information: no domain name Input mode (config-ether-cfm) Parameters <Strings>...
  • Page 618 domain name Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
  • Page 619: Ethernet Cfm Cc Alarm-Priority

    ethernet cfm cc alarm-priority ethernet cfm cc alarm-priority Sets the failure level to be detected by CC. Failure levels equal to or higher than the parameter you set are detected. Input format To set or change information: ethernet cfm cc level <Level>...
  • Page 620 ethernet cfm cc alarm-priority Table 31-1 Levels detected by CC and failures descriptions. Columns: Setting level, Failure type, Command display, Failure description. DefXconCCM, OtherCCM: A CCM with a different domain and MA was received. DefErrorCCM, ErrorCCM: A CCM with an incorrect MEP ID or transmission interval was received.
  • Page 621: Ethernet Cfm Cc Alarm-Reset-Time

    ethernet cfm cc alarm-reset-time ethernet cfm cc alarm-reset-time Sets the time interval for identifying re-detection when CC repeatedly detects failures. If a failure is detected within the time set by using this command after a failure has been detected, the failure is treated as a re-detection and no trap is sent. Note, however, that if a failure with a failure level higher than the currently detected failure level is detected, a trap is sent.
  • Page 622 ethernet cfm cc alarm-reset-time Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If higher level MAs are not included as lower level MAs, a communication overload might occur. Related commands ethernet cfm domain ma name...
  • Page 623: Ethernet Cfm Cc Alarm-Start-Time

    ethernet cfm cc alarm-start-time ethernet cfm cc alarm-start-time Sets the time after CC detects a failure until a trap is sent. Input format To set or change information: ethernet cfm cc level <Level> <No.> alarm-start-time <Time> To delete information: no ethernet cfm cc level <Level>...
  • Page 624 ethernet cfm cc alarm-start-time When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain ma name ma vlan-group...
  • Page 625: Ethernet Cfm Cc Enable

    ethernet cfm cc enable ethernet cfm cc enable Sets the MA which uses CC in the domain. If the ethernet cfm mep command has already been set, sending from the applicable port to CCM starts. Input format To set information: ethernet cfm cc level <Level>...
  • Page 626 ethernet cfm cc enable Notes None Related commands ethernet cfm domain ma name ma vlan-group...
  • Page 627: Ethernet Cfm Cc Interval

    ethernet cfm cc interval ethernet cfm cc interval Sets the CCM transmission interval for a target MA. Input format To set or change information: ethernet cfm cc level <Level> <No.> interval {1s | 10s | 1min | 10min} To delete information: no ethernet cfm cc level <Level>...
  • Page 628 ethernet cfm cc interval 1min, or 10min Note on using this parameter: If a value smaller than the default value is set for this parameter, the Switch CPU becomes overloaded with possible adverse effects on communication. Default behavior 1min is used as the interval for sending CCMs.
  • Page 629: Ethernet Cfm Domain

    ethernet cfm domain ethernet cfm domain Sets a domain. Executing this command switches to config-ether-cfm mode in which the domain name and MA can be set. Input format To set information: ethernet cfm domain level <Level> [direction-up] To delete information: no ethernet cfm domain level <Level>...
  • Page 630 ethernet cfm domain Notes If any of the following commands references a domain set by using this command, this command cannot be deleted: - ethernet cfm cc enable - ethernet cfm mep - ethernet cfm mip Related commands None...
  • Page 631: Ethernet Cfm Enable (Global)

    ethernet cfm enable (global) ethernet cfm enable (global) Starts CFM. Input format To set information: ethernet cfm enable To delete information: no ethernet cfm enable Input mode (config) Parameters None Default behavior CFM does not operate even if another CFM command has been set. Impact on communication None When the change is applied...
  • Page 632: Ethernet Cfm Enable (Interface)

    ethernet cfm enable (interface) ethernet cfm enable (interface) When no ethernet cfm enable is set, CFM PDU transmission processing on the applicable port or the applicable port channel stops. Input format To set information: no ethernet cfm enable To delete information: ethernet cfm enable Input mode (config-if)
  • Page 633: Ethernet Cfm Mep

    ethernet cfm mep ethernet cfm mep Sets a MEP used in CFM. Input format To set information: ethernet cfm mep level <Level> <No.> mep-id <MEPID> [{down | up}] To delete information: no ethernet cfm mep level <Level> <No.> mep-id <MEPID> Input mode (config-if) Parameters...
  • Page 634 ethernet cfm mep maintained. Default value when this parameter is omitted: When direction-up has been set by using the ethernet cfm domain command, Up MEP is used. If it has not been set, Down MEP is used. Range of values: down Note on using this parameter: This parameter cannot be changed.
  • Page 635: Ethernet Cfm Mip

    ethernet cfm mip ethernet cfm mip Sets a MIP used in CFM. Input format To set information: ethernet cfm mip level <Level> To delete information: no ethernet cfm mip level <Level> Input mode (config-if) Parameters level <Level> Sets the domain level that has been set by using the ethernet cfm domain command.
  • Page 636: Ma Name

    ma name ma name Sets the name of an MA used in a target domain. Input format To set or change information: ma <No.> name {str <Strings> | vlan <VLAN ID>} To delete information: no ma <No.> name Input mode (config-ether-cfm) Parameters <No.>...
  • Page 637 ma name Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
  • Page 638: Ma Vlan-Group

    ma vlan-group ma vlan-group Sets the VLAN belonging to an MA used in a target domain. Input format To set or change information: ma <No.> vlan-group <VLAN ID List> [primary-vlan <VLAN ID> To delete information: no ma <No.> vlan-group Input mode (config-ether-cfm) Parameters <No.>...
  • Page 639 ma vlan-group Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
  • Page 640: Part 12: Remote Network Management

    Part 12: Remote Network Management SNMP hostname rmon alarm rmon collection history rmon event snmp-server community snmp-server contact snmp-server host snmp-server location snmp-server traps snmp trap link-status...
  • Page 641: Hostname

    hostname hostname Sets the identification name of a Switch. Input format To set or change information: hostname <Name> To delete information: no hostname Input mode (config) Parameters <Name> The identification name of a Switch. Set a name that is unique in the network that will be used.
  • Page 642: Rmon Alarm

    rmon alarm rmon alarm Sets the control information for the RMON (RFC 1757) alarm group. A maximum of 128 entries can be configured. Input format To set or change information: rmon alarm <Number> <Variable> <Interval> {delta | absolute} rising-threshold <Value> rising-event-index <Event#>...
  • Page 643 rmon alarm Table 32-1 The setting range of object identifiers subject to alarm monitoring. Columns: Object name (setting range from the console), Object ID (setting value from the SNMP manager). ifInOctets.x 1.3.6.1.2.1.2.2.1.10.x ifInUcastPkts.x 1.3.6.1.2.1.2.2.1.11.x ifInNUcastPkts.x 1.3.6.1.2.1.2.2.1.12.x ifInDiscards.x 1.3.6.1.2.1.2.2.1.13.x ifInErrors.x 1.3.6.1.2.1.2.2.1.14.x ifInUnknownProtos.x 1.3.6.1.2.1.2.2.1.15.x ifOutOctets.x 1.3.6.1.2.1.2.2.1.16.x...
  • Page 644 rmon alarm Columns: Object name (setting range from the console), Object ID (setting value from the SNMP manager). etherStatsPkts512to1023Octets.x 1.3.6.1.2.1.16.1.1.1.18.x etherStatsPkts1024to1518Octets.x 1.3.6.1.2.1.16.1.1.1.19.x ifInMulticastPkts.x 1.3.6.1.2.1.31.1.1.1.2.x ifInBroadcastPkts.x 1.3.6.1.2.1.31.1.1.1.3.x ifOutMulticastPkts.x 1.3.6.1.2.1.31.1.1.1.4.x ifOutBroadcastPkts.x 1.3.6.1.2.1.31.1.1.1.5.x x: instance number <Interval> Sets the time interval (in seconds) for checking the threshold. This parameter is equivalent to alarmInterval defined in RFC 1757.
  • Page 645 rmon alarm Range of values: An information identification number from 1 to 65535 in the control information set by using the rmon event command for <Event#>. falling-threshold <Value> Sets the lower threshold value. This parameter is equivalent to alarmFallingThreshold defined in RFC 1757. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 646 rmon alarm Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes To access an alarm group from the SNMP manager, you must register the SNMP manager by using the snmp-server community command.
  • Page 647: Rmon Collection History

    rmon collection history rmon collection history Sets the control information for the RMON (RFC 1757) Ethernet statistics history. A maximum of 32 entries can be configured. Input format To set or change information: rmon collection history controlEntry <Integer> [owner <Owner name> [buckets <Bucket number>...
  • Page 648 rmon collection history interval <Seconds> Sets the time interval (in seconds) for collecting statistics information. This parameter is equivalent to historyControlInterval defined in RFC 1757. Default value when this parameter is omitted: 1800 (seconds) Range of values: 1 to 3600 (seconds) Default behavior None Impact on communication...
  • Page 649: Rmon Event

    rmon event rmon event Sets the control information for an RMON (RFC 1757) event group. A maximum of 16 entries can be configured. Input format To set or change information: rmon event <Event#> [log] [trap <Community> ] [description <Description string> ] [owner <Owner string>...
  • Page 650 rmon event Default value when this parameter is omitted: Blank Range of values: Specify a character string that is no more than 79 characters. For details about the characters that can be specified, see Specifiable values for parameters. owner <Owner string> Sets the identification information of the person who specified this setting.
  • Page 651: Snmp-Server Community

    snmp-server community snmp-server community Sets the access list for the SNMP community. A maximum of four entries can be configured. Input format To set or change information: snmp-server community <String> [ {ro|rw} ] [ <ACL ID> To delete information: no snmp-server community <String>...
  • Page 652 snmp-server community Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ip access-list standard...
  • Page 653: Snmp-Server Contact

    snmp-server contact snmp-server contact Sets the contact information about the Switch. Input format To set or change information: snmp-server contact <Text> To delete information: no snmp-server contact Input mode (config) Parameters <Text> Sets the contact information for the Switch used when a failure occurs on a Switch. This information can be referenced by using the name set in [sysContact] of the...
  • Page 654: Snmp-Server Host

    snmp-server host snmp-server host Registers the network management device (SNMP manager) to which traps are sent. This command can configure a maximum of four entries. Input format To set or change information: snmp-server host <Manager address> traps <Community string> [version { 1 | 2c }] [snmp] [rmon] [air-fan] [login] [temperature] [storm-control] [efmoam] [poe] [dot1x] [web-authentication] [mac-authentication] [loop-detection] [switchport-backup] [cfm]...
  • Page 655 snmp-server host [snmp] [rmon] [air-fan] [login] [temperature] [storm-control] [efmoam] [poe] [dot1x] [web-authentication] [mac-authentication] [loop-detection] [switchport-backup] [cfm] By setting each parameter, you can select the traps to be sent. The following table describes traps that will be sent when parameters are set. Table 32-2 Correspondence between parameters and traps Parameter Trap...
  • Page 656 snmp-server host Parameter Trap pethMainPowerUsageOffNotification dot1x ax1240sDot1xFailureTrap ax1240sDot1xEventTrap web-authentication ax1240sWauthFailureTrap ax1240sWauthEventTrap ax1240sWauthSystemTrap mac-authentication ax1240sMauthFailureTrap ax1240sMauthEventTrap ax1240sMauthSystemTrap loop-detection axsL2ldLinkDown axsL2ldLinkUp axsL2ldLoopDetection switchport-backup axsUlrChangeSecondary axsUlrChangePrimary cfm dot1agCfmFaultAlarm snmp coldStart, warmStart, linkDown, linkUp, and authenticationFailure traps are sent. rmon A trap is sent when the value exceeds the upper threshold or drops below the lower threshold of the rmon alarm.
  • Page 657 snmp-server host A trap is sent when the power status changes or the total power consumption of a Switch exceeds the threshold. dot1x A trap is sent for specific types of authentication accounting log data during IEEE 802.1X authentication. web-authentication A trap is sent for specific types of authentication accounting log data during Web authentication.
  • Page 658 snmp-server host Related commands None...
  • Page 659: Snmp-Server Location

    snmp-server location snmp-server location Sets the name of the location where the Switch is installed. Input format To set or change information: snmp-server location <Text> To delete information: no snmp-server location Input mode (config) Parameters <Text> Sets the name of the location where the Switch is installed. This information can be referenced by using the name set in [sysLocation] of the system group for inquiries...
  • Page 660: Snmp-Server Traps

    snmp-server traps snmp-server traps Sets a trigger (timing) for issuing a trap. Input format To set or change information: snmp-server traps [{ limited-coldstart-trap | unlimited-coldstart-trap }] [link-trap-bind-info {private | standard} ] [agent-address <Agent address> ] [dot1x-trap {failure | all}] [web-authentication-trap {failure | all}] [mac-authentication-trap {failure | all}] To delete information: no snmp-server traps...
  • Page 661 snmp-server traps Table 32-4 MIBs to be added when link up/down Trap is issued for each parameter Parameter MIBs to be added when link up/down Trap is issued private (Common to SNMPv1 and SNMPv2C traps) ifIndex, ifDescr, and ifType standard ifIndex (For SNMPv1 traps) (For SNMPv2C traps) ifIndex, ifAdminStatus, and...
  • Page 662 snmp-server traps failure mac-authentication-trap {failure | all} Sets the trap type for MAC-based authentication. failure: Only traps for an authentication failure are issued. all: Traps for both successful and failed authentication attempts are issued. Default value when this parameter is omitted: failure Range of values: failure...
  • Page 663: Snmp Trap Link-Status

    snmp trap link-status snmp trap link-status Prevents a trap (linkDown and linkUp traps) from being sent when a link-up failure or a link-down failure occurs on a line. Input format To set information: no snmp trap link-status To delete information: snmp trap link-status Input mode (config-if)
  • Page 664: Log Output Functionality

    Log Output Functionality logging event-kind logging facility logging host logging syslog-header logging trap...
  • Page 665: Logging Event-Kind

    logging event-kind logging event-kind Sets the event type of the log information to be sent to the syslog server. Multiple event types can be set. Input format To set or change information: logging event-kind <Event kind> To delete information: no logging event-kind <Event kind>...
  • Page 666: Logging Facility

    logging facility logging facility Sets the facility to output the log information through the syslog interface. Input format To set or change information: logging facility <Facility> To delete information: no logging facility Input mode (config) Parameters <Facility> Sets the facility for syslog. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 667: Logging Host

    logging host logging host Sets the output destination of the log information. A maximum of four entries can be configured. Input format To set or change information: logging host <IP address> To delete information: no logging host <IP address> Input mode (config) Parameters <IP address>...
  • Page 668: Logging Syslog-Header

    logging syslog-header logging syslog-header Adds HOSTNAME, TIMESTAMP, or a functionality number to the message to be sent to the syslog server. Output from the following commands is not affected: show dot1x logging; show logging; show web-authentication logging; ...
  • Page 669: Logging Trap

    logging trap logging trap Sets the priority of the log information to be sent to the syslog server. Input format To set or change information: logging trap { <Level> | <Keyword> } To delete information: no logging trap Input mode (config) Parameters <Level>...
  • Page 670 logging trap Notes The priority set by using this command is applied to all output destinations set by using the logging host command. Related commands logging host...
  • Page 671: Part 13: Management Of Neighboring Device Information

    Part 13: Management of Neighboring Device Information LLDP lldp enable lldp hold-count lldp interval-time lldp run...
  • Page 672: Lldp Enable

    lldp enable lldp enable Starts operation of LLDP on a port. Input format To set information: lldp enable To delete information: no lldp enable Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 673: Lldp Hold-Count

    lldp hold-count lldp hold-count Sets the time that a neighboring device retains an LLDP frame sent from a Switch. Input format To set or change information: lldp hold-count <Count> To delete information: no lldp hold-count Input mode (config) Parameters <Count> Sets the scaling for the value set by the lldp interval-time command as the time...
  • Page 674: Lldp Interval-Time

    lldp interval-time lldp interval-time Sets the transmission interval between LLDP frames sent from a Switch. Input format To set or change information: lldp interval-time <Seconds> To delete information: no lldp interval-time Input mode (config) Parameters <Seconds> Sets the transmission interval between LLDP frames sent from a Switch. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 675: Lldp Run

    lldp run lldp run Enables the LLDP functionality. Input format To set information: lldp run To delete information: no lldp run Input mode (config) Parameters None Default behavior The LLDP functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 676: Part 14: Port Mirroring

    Part 14: Port Mirroring Port Mirroring monitor session...
  • Page 677: Monitor Session

    35. Port Mirroring monitor session Configures the port mirroring functionality. Input format To set or change information: monitor session <Session#> source interface <IF# list> [{rx | tx | both}] destination interface {fastethernet <IF#> | gigabitethernet <IF#>} To delete information: no monitor session <Session#>...
  • Page 678 35. Port Mirroring Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: See Specifiable values for parameters. Default behavior None Impact on communication If a line in use is set as the mirror port, communication is no longer possible on the line. If a line is set as the monitor port, communication is not affected.
  • Page 679 35. Port Mirroring IEEE 802.3ah/UDLD: UDLD frames; Spanning tree protocol: BPDU frames. The spanning tree protocol is enabled by default. To stop sending BPDU frames, set the spanning-tree disable configuration command, or set BPDU filtering on the mirror ports (spanning-tree bpdufilter configuration command)....
  • Page 680: Part 15: Configuration Error Messages

    Part 15: Configuration Error Messages Error Messages Displayed During Configuration Editing 36.1 Error messages displayed during configuration editing...
  • Page 681: Error Messages Displayed During Configuration Editing

    Index 36.1 Error messages displayed during configuration editing 36.1.1 Common Table 36-1 Common error messages Message Explanation Access denied. Access was denied. Ambiguous command. The command cannot be identified uniquely because it can be interpreted in various ways. Ambiguous data. The data cannot be identified uniquely because it can be interpreted in various ways.
  • Page 682 Index Message Explanation It will be logged out if it You will be logged out if the idle state continues for <min> more remains idle for another <min> minutes. minutes. Log out by the system. You have been logged out by the system. Login incorrect.
  • Page 683: 36.1.2 Login Security And Radius

    Index Message Explanation Too many parameters. There are too many parameters. Unknown user. The specified user name is not registered. Wrong encoding. The encoding method is incorrect. Wrong length. The length is incorrect. Wrong type. The type is incorrect. Wrong value. The value is incorrect.
  • Page 684: 36.1.4 Switch Management Information

    Index 36.1.4 Switch management information Table 36-4 Error messages related to Switch management Message Explanation dhcp-snooping is in use. This setting cannot be changed because the DHCP snooping ip dhcp snooping. functionality is enabled. Delete the setting of extended-authentication is This setting cannot be changed because at least one of the following is in use.
  • Page 685: 36.1.6 Ethernet Information

    Index 36.1.6 Ethernet information Table 36-6 Ethernet error messages Message Explanation Cannot attach the interface The interface port set as a ring port cannot participate in the port specified as a ring-port to the channel. channel-group. To allow the specified interface to participate in the port channel, first delete the ring-related configuration.
  • Page 686: 36.1.8 Mac Address Table Information

    Index Message Explanation Mirror port and port-channel are The port cannot join the port channel because the port is being used inconsistent. as a mirror port. Relations between ip source The specified port cannot join the port channel because the port is binding configuration and ip source binding being used by the...
  • Page 687: 36.1.9 Vlan Information

    Index 36.1.9 VLAN information Table 36-9 VLAN error messages Message Explanation ChGr <Channel group#>: The port channel cannot be deleted because it is being used for Inconsistency is found between IEEE 802.1X authentication or as a switch port. the dot1x port-control and the <Channel group#>: Channel group number switchport mode configuration.
  • Page 688 Index Message Explanation vlan : Can't change mode from The VLAN types of the specified VLAN modes do not match (VLAN {nothing|protocol-based|mac-ba range specification). sed } to {nothing|protocol-based|mac-ba sed }. vlan : Can't delete vlan The VLAN cannot be deleted because it is the default VLAN. configuration because of default vlan.
  • Page 689 Index Message Explanation vlan[<VLAN ID>] : Can't set The access VLAN cannot be set because the VLAN does not exist. access-vlan which is not <VLAN ID>: VLAN ID configured to use vlan. vlan[<VLAN ID>] : Can't set mac-address-table cannot be set because the VLAN does not mac-address-table which is not exist.
  • Page 690: 36.1.10 Spanning Tree Information

    Index 36.1.10 Spanning tree information Table 36-10 Spanning tree error messages Message Explanation Can not configure spanning-tree Spanning tree cannot be set because the Ring Protocol functionality when Ring Protocol is is set. configured. Cost is over 65535, please set up cost cost The value for...
  • Page 691 Index Message Explanation axrp-<Ring ID>: maximum number A maximum of four ring IDs can be used on a Switch. No more than of ring-id are already four ring IDs can be registered. defined. To add a ring ID, you must first delete a registered ring ID. <Ring ID>: Ring ID axrp-<Ring...
  • Page 692 Index Message Explanation axrp-<Ring ID>-<Group ID>: The specified VLAN mapping has already been set for a VLAN group vlan-mapping <Mapping ID> in the same ring. already configured in another Either delete the VLAN mapping from the other VLAN group or use vlan-group.
  • Page 693: 36.1.12 Dhcp Snooping Information

    Index 36.1.12 DHCP snooping information Table 36-12 DHCP snooping error messages Message Explanation Can't delete it because data is Deletion is not possible because DHCP snooping for the specified not corresponding. VLAN is not enabled or the specified configuration does not exist. Can't delete it vlan ip source binding Deletion is not possible because the...
  • Page 694: 36.1.13 Igmp Snooping Information

    Index Message Explanation inconsistent. Set the applicable port as a port-channel interface. system function isn't set. system function The setting is not possible because the command has not been set. system function Use the command to set DHCP snooping. 36.1.13 IGMP snooping information Table 36-13 IGMP snooping error messages Message Explanation...
  • Page 695: 36.1.15 Ipv4, Arp, And Icmp Information

    Index 36.1.15 IPv4, ARP, and ICMP information Table 36-15 IPv4, ARP, and ICMP error messages Message Explanation ip : Inconsistency has occurred There is an inconsistency between an address set by using IP in a setting of IP address and information and a next-hop network address set by using route route.
  • Page 696: 36.1.16 Flow Detection Mode Information

    Index 36.1.16 Flow detection mode information Table 36-16 Flow mode error messages Message Explanation Cannot change the flow detection The flow detection mode cannot be changed because an access list mode. or a QoS flow list is applied to the interface. To change the flow detection mode, delete all uses of the applied lists.
  • Page 697: 36.1.18 Qos Information

    Index Message Explanation access list. This list cannot be set to VLAN. The access list cannot be applied to the VLAN interface. If the VLAN ID is set as a flow detection condition in an access list, the access list cannot be applied to the VLAN interface. Apply it to an Ethernet interface or delete the VLAN ID from the detection condition.
  • Page 698 Index Message Explanation Cannot attach this list because If the flow detection mode is Layer 2-2, the QoS flow list cannot be flow detection mode Layer2-2. applied. If the flow detection mode is Layer 2-2, an IPv4 QoS flow list can be applied.
  • Page 699: 36.1.19 Layer 2 Authentication Common Information

    Index Message Explanation This list cannot be set to this The QoS flow list cannot be applied to the applicable Ethernet port. interface. To apply a QoS flow list to an Ethernet interface, the VLAN ID of a flow detection condition in the QoS flow list must be included in the settings of the Ethernet interface to which you want to apply the list.
  • Page 700 Index Message Explanation interface : Relations between An authentication common command and a channel group command authentication configuration cannot be set at the same time. Delete the settings of the and channel-group channel-group mode command. configuration within same port. interface : Relations between authentication force-authorized vlan cannot be set the switchport mac vlan and...
  • Page 701: 36.1.20 Ieee 802.1X Information

    Index 36.1.20 IEEE 802.1X information Table 36-20 IEEE 802.1X error messages Message Explanation dot1x(xxxxx): Cannot set "dot1x Port-based authentication cannot be set because port mirroring of port-control" because monitor xxxxx interface is enabled. session mode is set now. xxxxx: ethernet <IF#>: Ethernet interface port number dot1x(xxxxx): Cannot set "...
  • Page 702 Index Message Explanation dot1x(vlan dynamic): Cannot set The terminal detection mode cannot be disabled because the "dot1x vlan dynamic functionality for suppressing the re-authentication of requests from a supplicant-detection disable" terminal for VLAN-based authentication (dynamic) is set. because ignore-eapol-start is set now.
  • Page 703 Index Message Explanation set. dot1x(xxxxx): Cannot set "dot1x Terminal authentication mode cannot be set because the xxxxx multiple-authentication" interface is in force-unauthorized mode or force-authorized mode. because force-mode is set now. xxxxx: ethernet <IF#>: Ethernet interface port number port-channel <Channel group#>: Port channel number dot1x(xxxxx): Cannot set "dot1x force-unauthorized...
  • Page 704 Index Message Explanation dot1x(vlan dynamic): Cannot set dot1x vlan dynamic enable command cannot be set "dot1x vlan dynamic enable" because multistep authentication is set. because authentication authentication multi-step Delete the settings of the multi-step is set. command. dot1x(vlan dynamic): Cannot set dot1x vlan dynamic radius-vlan command cannot be "dot1x vlan dynamic...
  • Page 705: Web Authentication Information (Including Dhcp Server Information)

    Index 36.1.21 Web authentication information (including DHCP server information) Table 36-21 Web authentication error messages Message Explanation Duplicate network address. An IP address of the same network address is defined for another VLAN. Set the Web authentication IP address so that it does not duplicate a VLAN network address.
  • Page 706 Index Message Explanation interface : Relations between The following commands cannot be set for the specified port individual force-authorized and because forced authentication common across to the types of common force-authorized are authentication functionality is set: inconsistent. web-authentication force-authorized vlan web-authentication static-vlan force-authorized Delete the following: authentication force-authorized enable...
  • Page 707 Index Message Explanation web-auth : Relations between web-authentication vlan command cannot be set user-group or authentication because the authentication method for each user ID or the list configuration(s) and port-based authentication method is set. legacy mode configuration(s) Delete the following: are inconsistent.
  • Page 708: 36.1.22 Mac-Based Authentication Information

    Index 36.1.22 MAC-based authentication information Table 36-23 MAC-based authentication error messages Message Explanation interface : Invalid authentication ip Deletion is not possible because mac-authentication port access-group authentication arp-relay is set for the configuration. applicable port. interface : Relations between MAC-based authentication cannot be set because the specified port the mac-authentication has been set as a protocol port.
  • Page 709 Index Message Explanation mac-auth : Cannot set the The command cannot be set because an internal error occurred. command because of internal error. (code=x) mac-auth : Maximum number of The maximum number of entries for the authentication method list entries are already defined. has been exceeded.
  • Page 710: 36.1.23 Multistep Authentication Information

    Index 36.1.23 Multistep authentication information Table 36-24 Multistep authentication error messages Message Explanation interface : Relations between An authentication common command and a channel group authentication configuration command cannot be set at the same time. Delete the settings of the and channel-group configuration channel-group mode command.
  • Page 711: 36.1.25 Storm Control Information

    Index this command is different from Participation in the port channel is not possible because the this one in channel-group port. configuration is different. Too many parameters The number of input parameters exceeds the maximum number (exclude-VLAN ). (200). Set a value equal to or smaller than the maximum number. 36.1.25 Storm control information Table 36-26 Storm control error messages Message...
  • Page 712 Index Message Explanation ethernet : MA is already <No.> The specified MA identification number is already being used by configured in cfm domain. another domain. <No.>: MA identification number ethernet : MA name <Name> The specified MA name is already set in the same domain. already configured in cfm <Name>: MA name domain.
  • Page 713: 36.1.28 Snmp Information

    Index Message Explanation <Level>: Domain level interface : Exceeded the number The number of ports for which MEPs and MIPs can be set has been of the maximum port. exceeded. interface : Maximum number of An attempt is being made to set a configuration that is larger than entries are already defined.
  • Page 714 Index Message Explanation the command again. rmon : Can not delete it because An attempt has been made to delete a non-existent identification data is not corresponding. number. Check the identification number. rmon : Can't delete this The specified event entry cannot be deleted because it is associated configuration referred by other with an alarm entry.
  • Page 715: 36.1.29 Port Mirroring Information

    Index 36.1.29 Port mirroring information Table 36-30 Port mirroring error messages Message Explanation Mirror port and dot1x are The destination interface cannot be set as a mirror port because the inconsistent. destination interface is being used by dot1x. Mirror port and The destination interface cannot be set as a mirror port because the mac-authentication are destination interface is being used for MAC-based authentication.
  • Page 716: Index

    Index dot1x force-authorized vlan, 381 dot1x ignore-eapol-start, 384 dot1x max-req, 386 aaa accounting dot1x, 371 dot1x multiple-authentication, 387 aaa accounting mac-authentication, 510 dot1x port-control, 389 aaa accounting web-authentication, 434 dot1x radius-server dead-interval, 391 aaa authentication dot1x, 372 dot1x radius-server host, 393 aaa authentication login, 23 dot1x reauthentication, 396 aaa authentication mac-authentication, 511...
  • Page 717 Index lease, 500 limit-queue-length, 331 hostname, 617 line vty, 11 http-server [OP-WOL], 563 link debounce, 83 linkscan-mode, 84 lldp enable, 648 lldp hold-count, 649 instance, 148 lldp interval-time, 650 interface fastethernet, 81 lldp run, 651 interface gigabitethernet, 82 logging event-kind, 641 interface port-channel, 109 logging facility, 642 interface vlan, 120...
  • Page 718 Index mac-authentication timeout quiet-period, 551 rmon event, 625 mac-authentication timeout reauth-period, 553 mac-authentication vlan, 555 mac-authentication vlan-check, 557 save(write), 17 max-lease, 502 schedule-power-control port cool-standby, 56 mdix auto, 85 schedule-power-control port-led, 57 media-type, 86 schedule-power-control shutdown interface, 59 mode, 224 schedule-power-control system-sleep, 61 monitor session, 653 schedule-power-control time-range, 63...
  • Page 719 Index spanning-tree vlan hello-time, 199 spanning-tree vlan max-age, 201 vlan, 140 spanning-tree vlan mode, 203 vlan-group, 226 spanning-tree vlan pathcost method, 205 vlan-protocol, 144 spanning-tree vlan port-priority, 207 spanning-tree vlan priority, 209 spanning-tree vlan transmission-limit, 211 speed (Ethernet), 96 web-authentication authentication, 437 state, 127 web-authentication auto-logout, 439 storm-control, 580...

This manual is also suitable for:

Ax1240s