AX1250S / AX1240S Software Manual Configuration Command Reference For Version 2.2 AX1240S-S003-30X...
Relevant products This manual applies to the AX1250S and AX1240S models of switches. It also describes the functions of the AX1250S and AX1240S software, version 2.2, which are supported by the OS-LT3, OS-LT2 software, and optional licenses.
Table Summary of amendments
Location and title | Changes
Addition of series | A description of the AX1250S was added.
1. Reading the Manuals | A description of the AX1250S was added.
6. Device Management | Descriptions about the following command have been changed: system recovery
8.
Location and title | Changes
Power Saving | Timing when the change for the following command is applied has been changed: system fan-control
Ethernet | The following command has been added: linkscan-mode
VLAN | Descriptions about parameters of the following command have been changed: switchport mode
Ring Protocol | This section was added.
Location and title | Changes
MAC-based Authentication | The following commands have been added: aaa accounting mac-authentication mac-authentication authentication
MAC-based Authentication | Parameters for the following command have been added: mac-authentication radius-server host
MAC-based Authentication | Notes on the following commands have been changed: mac-authentication interface mac-authentication force-authorized vlan mac-authentication vlan mac-authentication static-vlan force-authorized
MAC-based Authentication | The following command name has been changed:...
Table Summary of amendments
Location and title | Changes
Editing and Working with Configurations | Response messages output by the following commands have been added: exit
Login Security and RADIUS | Descriptions about the following commands have been changed: radius-server dead-interval radius-server host radius-server key radius-server retransmit radius-server timeout...
Location and title | Changes
MLD Snooping | Descriptions about the following commands have been changed: ipv6 mld snooping source ipv6 mld snooping mrouter
Common to Layer 2 Authentication | This section was moved. The following commands have been added: authentication force-authorized enable authentication force-authorized vlan
IEEE 802.1X | The following commands have been added:...
Location and title | Changes
Multistep Authentication | This section was added.
Secure Wake-on-LAN [OP-WOL] | Notes on the following command have been changed: http-server
Uplink Redundancy | The following commands have been added: switchport backup mac-address-table update transmit switchport backup mac-address-table update exclude-vlan switchport backup mac-address-table update retransmit
Storm Control | Parameters for the following command have been added:...
Preface Applicable products and software versions This manual applies to the AX1250S and AX1240S models of switches. It also describes the functions of the AX1250S and AX1240S software, version 2.2, which are supported by the OS-LT3, OS-LT2 software, and optional licenses.
Preface Abbreviations used in the manual Alternating Current ACKnowledge ADSL Asymmetric Digital Subscriber Line Application Level Gateway ANSI American National Standards Institute Address Resolution Protocol Autonomous System Auxiliary Border Gateway Protocol BGP4 Border Gateway Protocol - version 4 BGP4+ Multiprotocol Extensions for Border Gateway Protocol - version 4 bit/s Bits per second (can also appear as bps)
Preface BPDU Bridge Protocol Data Unit Basic Rate Interface Continuity Check Cisco Discovery Protocol Connectivity Fault Management CIDR Classless Inter-Domain Routing Committed Information Rate CIST Common and Internal Spanning Tree CLNP ConnectionLess Network Protocol CLNS ConnectionLess Network System CONS Connection Oriented Network System Cyclic Redundancy Check CSMA/CD Carrier Sense Multiple Access with Collision Detection...
Preface Link Control Protocol Light Emitting Diode Logical Link Control LLDP Link Layer Discovery Protocol LLQ+3WFQ Low Latency Queueing + 3 Weighted Fair Queueing Label Switched Path Link State PDU Label Switched Router Maintenance Association Media Access Control Memory Card Message Digest 5 Medium Dependent Interface MDI-X...
Preface RIPng Routing Information Protocol next generation RMON Remote Network Monitoring MIB Reverse Path Forwarding ReQuest RSTP Rapid Spanning Tree Protocol Source Address Secure Digital Synchronous Digital Hierarchy Service Data Unit NSAP SELector Start Frame Delimiter Small Form factor Pluggable SMTP Simple Mail Transfer Protocol SNAP...
Conventions: The terms "Switch" and "switch" The term Switch (upper-case "S") is an abbreviation for any or all of the following models: AX1250S series switch AX1240S series switch The term switch (lower-case "s") might refer to a Switch, another type of switch from the...
Contents
Part 1: Reading the Manuals
1. Reading the Manuals
Command description format
Command mode list
Specifiable values for parameters
List of character codes
Part 2: Operation and Management of Switches
2.
Contents
system port-led
system port-led trigger console
system port-led trigger interface
system port-led trigger mc
Part 3: Network Interface
8. Ethernet
bandwidth
description
duplex
flowcontrol...
Contents
loop-detection threshold
31. CFM
domain name
ethernet cfm cc alarm-priority
ethernet cfm cc alarm-reset-time
ethernet cfm cc alarm-start-time
ethernet cfm cc enable
ethernet cfm cc interval
ethernet cfm domain...
Contents
36.1.6 Ethernet information
36.1.7 Link aggregation information
36.1.8 MAC address table information
36.1.9 VLAN information
36.1.10 Spanning tree information
36.1.11 Ring Protocol information
36.1.12 DHCP snooping information
36.1.13 IGMP snooping information...
Part 1: Reading the Manual Reading the Manual Command description format Command mode list Specifiable values for parameters List of character codes...
Command description format Command description format Each command is described in the following format. Function Describes the purpose of the command. Input format Defines the input format of the command. The format is governed by the following rules: Parameters that set values or character strings are enclosed in angle brackets ( <>...
Command mode list
The following table lists the command modes.
Table 1-1 Command mode list
Command mode name | Description | Mode transition command
(config) | Global configuration mode | > enable; # configure
(config-line) | Configures remote login. | (config)# line vty
(config-if) | Configures an interface. | (config)# interface...
Specifiable values for parameters Specifiable values for parameters The following table describes the values that can be specified for parameters. If there are no limitations on parameter names, see Any character string. Table 1-2 Specifiable values for parameters Parameter type Description Input example name...
Switch is fixed to zero The following tables list the range of <IF#> values. Table 1-3 Range of <IF#> <IF# list> values for the AX1250S Model Ethernet type Range of values Item AX1250S-24T2C fastethernet 0/1 to 0/24 gigabitethernet...
Specifiable values for parameters
Table 1-4 Range of <IF#> <IF# list> values for the AX1240S
Model | Ethernet type | Range of values
AX1240S-24T2C/AX1240S-24P2C | fastethernet | 0/1 to 0/24
AX1240S-24T2C/AX1240S-24P2C | gigabitethernet | 0/25 to 0/26
AX1240S-48T2C | fastethernet | 0/1 to 0/48
AX1240S-48T2C | gigabitethernet | 0/49 to 0/50
How to specify <IF# list>...
Specifiable values for parameters
Table 1-6 Range of <Channel group#> values
Model | Range of values
All models | 1 to 8
How to specify <Channel group# list>
When <Channel group# list> is written in parameter input format, use a hyphen (-) or commas (,) to specify multiple channel group numbers.
List of character codes List of character codes The following table lists the character codes. Characters other than alphanumeric characters in the following list of character codes are special characters. Table 1-7 List of character codes Code Code Code Code Code Code Chara...
ftp-server
Permits FTP access from remote operation terminals. To set the IPv4 address of a remote operation terminal to permit or deny logging in to a Switch, set a common access list that is shared by Telnet access in config-line mode.
Input format
To set information: ftp-server...
line vty
Permits Telnet remote access to the Switch. This command is also used to limit the number of users that can be logged in remotely to a Switch at the same time. Configuration with this command allows remote access using the Telnet protocol from any remote operation terminal to be accepted....
Notes
Configuration with this command allows remote access using the Telnet protocol from any remote operation terminal to be accepted. To limit access, set ip access-group and transport input.
Related commands
transport input
ip access-group...
transport input
Restricts access using multiple protocols from remote terminals.
Input format
To set or change information: transport input {telnet | all | none}
To delete information: no transport input
Input mode
(config-line)
Parameters
{telnet | all | none}
telnet: Accepts remote access that uses the Telnet protocol....
Ends configuration command mode and returns you to administrator mode. Input format Parameters None Response messages The following table describes the response messages for the command. Table 3-1 Response messages for the end command Message Description Unsaved changes would be lost when the When the following commands are configured, machine goes to sleep! configuration command mode will end without any...
exit exit Returns to the previous mode. If you are editing data in config mode, configuration command mode ends and administrator mode resumes. If you are editing data in subcommand mode, you are returned to the next higher level. Input format exit Parameters None...
save (write) save (write) Saves the edited configuration to the startup configuration file. Input format save write Parameters None Response messages None Notes Saving the configuration file does not end configuration command mode. To finish editing, you must use the command or the command to exit configuration exit...
show show Displays the configuration being edited. Input format show [ <Command> <Parameter> Parameters <Command> Specify the configuration command. <Parameter> Specify a parameter such as <VLAN ID> <ACL ID> that is a filter identifier for limiting displayed items. Notes If there are too many configurations, command execution might take time. In global configuration mode, <Command>...
After a switch to configuration command mode, entering this command restores level-1 global configuration mode. Input format Parameters None Notes None Related commands None...
aaa group server radius
Configures a RADIUS server group. Entering this command switches to config-group mode in which the RADIUS server group information can be set.
Input format
To set or change information: aaa group server radius <Group name>...
Related commands
aaa authentication dot1x authentication mac-authentication authentication web-authentication authentication web-authentication user-group...
aaa authentication login
Sets one or more authentication methods to be used for remote login. If the first specified method fails, the second specified method is used.
Input format
To set or change information: aaa authentication login default <Method>...
ip access-group
Sets the access list that specifies the IPv4 addresses of the remote operation terminals for which remote login to the Switch is to be permitted or denied. This setting is common to all types of remote access (Telnet or FTP). Multiple lines for no more than 16 entries, including those in the access list set by using access-group , can be set....
Related commands
ip access-list standard
line vty
ftp-server
transport input...
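An added example, not from the manual: a Python check of a saved configuration for the exposure that the line vty note and the ftp-server description point at, namely Telnet or FTP login enabled with no ip access-group set in config-line mode. The sample configurations, their text layout (indented sub-commands, "!" separators) and the arguments after each command keyword are constructed assumptions; transport input is not evaluated because its all and none descriptions are cut off on this page.

```python
"""Flag remote-login services that are not limited by an access list."""

# Constructed sample configurations, not taken from the manual. Assumed layout:
# one command per line, mode sub-commands indented, "!" as a separator.
# Arguments after each command keyword are illustrative placeholders.
WEAK_CONFIG = """\
ftp-server
!
line vty 0 1
  transport input telnet
!
"""

HARDENED_CONFIG = """\
ip access-list standard MGMT-ONLY
  10 permit host 192.0.2.10
!
ftp-server
!
line vty 0 1
  ip access-group MGMT-ONLY in
  transport input telnet
!
"""


def parse_blocks(text):
    """Group a configuration into (top-level command, [sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)  # indented: belongs to the open mode
        else:
            blocks.append((line, []))
    return blocks


def audit_remote_access(text):
    """Return (code, message) findings for unrestricted Telnet/FTP login."""
    vty_subs = None          # None means no "line vty" block was found
    ftp_enabled = False
    for command, subs in parse_blocks(text):
        words = command.split()
        if words[:2] == ["line", "vty"]:
            vty_subs = (vty_subs or []) + subs
        elif words == ["ftp-server"]:   # "no ftp-server" does not match
            ftp_enabled = True

    # The access list set in config-line mode is common to Telnet and FTP.
    acl_lines = [s for s in (vty_subs or [])
                 if s.split()[:2] == ["ip", "access-group"]]

    findings = []
    if vty_subs is not None and not acl_lines:
        findings.append(("TELNET_UNRESTRICTED",
                         "line vty is set without ip access-group: Telnet "
                         "login is accepted from any remote terminal"))
    if ftp_enabled and not acl_lines:
        findings.append(("FTP_UNRESTRICTED",
                         "ftp-server is set but config-line mode has no "
                         "ip access-group to limit source addresses"))
    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_remote_access(config)
        print(name, "->", "no findings" if not results else "")
        for code, message in results:
            print("  ", code + ":", message)
```
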
radius-server attribute station-id capitalize
Sends the MAC address that is used for sending data to a RADIUS server with the RADIUS attribute in upper case. The applicable RADIUS attribute names are as follows:
Called-Station-Id
Calling-Station-Id
Input format
To set information:...
radius-server dead-interval
Configures a monitoring timer that operates for automatically restoring a general RADIUS server as the primary general RADIUS server. The primary general RADIUS server is restored when either of the following occurs: The currently operating server (the destination for RADIUS authentication requests) switches to being a valid secondary general RADIUS server, or when all servers are disabled, the monitoring timer starts and the period of time set by this command elapses (the monitoring timer expires)....
Notes
If more than three general RADIUS servers are configured and another general RADIUS server becomes the current server after the monitoring timer starts, the monitoring timer is not reset and continues to run. In general, when the monitoring timer has started, it does not reset until it expires. However, as exceptions, it resets in the following cases:...
radius-server host
Configures the general RADIUS server used for authentication.
Input format
To set or change information: radius-server host <IP address> [auth-port <Port>] [acct-port <Port>] [timeout <Seconds>] [retransmit <Retries>] [key <String>]
To delete information: no radius-server host <IP address>...
acct-port <Port>
Sets the port number for RADIUS server accounting.
Default value when this parameter is omitted: Port number 1813
Range of values: 65535
retransmit <Retries>
Sets the number of times an authentication request is re-sent to the RADIUS server.
Default value when this parameter is omitted: The number of times configured by using radius-server retransmit...
description about the radius-server dead-interval command. If a RADIUS server with the matching IP address has already been registered in the general RADIUS server configuration, authentication-specific RADIUS server configuration, or the RADIUS server group configuration, all of these parameters are replaced by the new commands that were entered automatically....
radius-server key
Configures the default RADIUS server key used for authentication on a general RADIUS server or an authentication-specific RADIUS server.
Input format
To set or change information: radius-server key <String>
To delete information: no radius-server key
Input mode
(config)
Parameters
<String>...
radius-server retransmit
Configures the default number of times an authentication request is re-sent to the general RADIUS server used for authentication or to an authentication-specific RADIUS server.
Input format
To set or change information: radius-server retransmit <Retries>
To delete information: no radius-server retransmit
Input mode
(config)
radius-server timeout
Configures the default response timeout value for the general RADIUS server used for authentication or for an authentication-specific RADIUS server.
Input format
To set or change information: radius-server timeout <Seconds>
To delete information: no radius-server timeout
Input mode
(config)
Parameters...
server
Configures a RADIUS server host in the RADIUS server group.
Input format
To set or change information: server <IP address> [auth-port <Port>] [acct-port <Port>]
To delete information: no server <IP address>
Input mode
(config-group)
Parameters
<IP address>
Sets the IPv4 address of the RADIUS server....
When the change is applied
The change is applied immediately after setting values are changed.
Notes
A maximum of four RADIUS servers can be specified for each group. 127.*.*.* cannot be specified as an IPv4 address. The configuration of this command must meet both of the following conditions:...
clock timezone clock timezone Sets the time zone. This Switch maintains the date and time internally in Coordinated Universal Time (UTC). Therefore, this setting has an effect only when the time is displayed by using an operation command or when the time is set by using the set clock command.
clock timezone When the change is applied The change is applied immediately after setting values are changed. Notes If you change the Switch's time zone, statistics on CPU usage collected by the Switch will be cleared to zero. Related commands set clock...
ntp client server ntp client server Sets the address of the NTP server from which time information can be obtained. A maximum of two entries can be set. Input format To set or change information: ntp client server <Server IP> To delete information: no ntp client server <Server IP>...
ntp client broadcast ntp client broadcast Sets acceptance of time information broadcast from an NTP server. Input format To set information: ntp client broadcast To delete information: no ntp client broadcast Input mode (config) Parameters None Default behavior The time information broadcast from the NTP server is not accepted. Impact on communication None When the change is applied...
ntp client multicast ntp client multicast Sets acceptance of time information multicast from an NTP server. Input format To set information: ntp client multicast To delete information: no ntp client multicast Input mode (config) Parameters None Default behavior The time information multicast from the NTP server is not accepted. Impact on communication None When the change is applied...
ntp interval ntp interval Sets the interval for regularly obtaining time information from an NTP server. Input format To set or change information: ntp interval <Interval> To delete information: no ntp interval Input mode (config) Parameters <Interval> Sets the interval for obtaining time information from the NTP server. The interval is set in seconds in decimal.
system function system function Configures the distribution of system functional resources for a Switch. This setting applies to the following: DHCP snooping IGMP snooping MLD snooping Filters Extended authentication functionality - Common to all authentication modes: Authentication IPv4 access list - IEEE 802.1X: Port-based authentication (dynamic) - Web authentication: Fixed VLAN mode, dynamic VLAN mode, and Web authentication IP address...
system function The QoS functionality is used. Default value when this parameter is omitted: The QoS functionality cannot be used. Range of values: None igmp-snooping The IGMP snooping functionality is used. Default value when this parameter is omitted: The IGMP snooping functionality cannot be used. Range of values: None mld-snooping...
system function Notes When this command is entered, the message below appears. Save the configuration and restart the Switch before entering another configuration command. Please execute the reload command after save, because this command becomes effective after reboot. If you enter this command, you cannot omit all of the parameters. At least one parameter must be set.
system l2-table mode system l2-table mode Sets a method for searching the Layer 2 hardware table. Input format To set or change information: system l2-table mode <Mode> To delete information: no system l2-table mode Input mode (config) Parameters <Mode> Selects the method for searching a table used for registration in the hardware table. Default value when this parameter is omitted: This parameter cannot be omitted.
system l2-table mode Notes When this command is entered, the message below appears. Save the configuration and restart the Switch before entering another configuration command. Please execute the reload command after save, because this command becomes effective after reboot. Related commands None...
system recovery system recovery When the no system recovery form of the command is set and a failure is detected, the Switch is not restarted and remains in the failure state. For details about the entities subject to failure and restoration, see 9 Switch Management in the Configuration Guide Vol.
Power Saving power-control port cool-standby schedule-power-control port cool-standby schedule-power-control port-led schedule-power-control shutdown interface schedule-power-control system-sleep schedule-power-control time-range system fan-control system port-led system port-led trigger console system port-led trigger interface system port-led trigger mc...
power-control port cool-standby power-control port cool-standby Enables power saving for Fast Ethernet ports and gigabit Ethernet ports in the link-down status. Input format To set information: power-control port cool-standby To delete information: no power-control port cool-standby Input mode (config) Parameters None Default behavior Operation is at normal power consumption.
schedule-power-control port cool-standby schedule-power-control port cool-standby Configures power saving for a port during scheduled power saving. Input format To set information: schedule-power-control port cool-standby To delete information: no schedule-power-control port cool-standby Input mode (config) Parameters None Default behavior Operation is at normal power consumption when the port is in the link-down state. Impact on communication None When the change is applied...
schedule-power-control port-led schedule-power-control port-led Configures LED operation during scheduled power saving. Input format To set or change information: schedule-power-control port-led { enable | economy | disable } To delete information: no schedule-power-control port-led Input mode (config) Parameters enable Turns on the Switch LED according to the operating status. When the system port-led trigger command is not set:...
schedule-power-control port-led Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When the LED has been disabled (turned off), ST1 and ACC (the memory card access LED) turn on with power saving brightness. The PWR LED is always on with normal brightness.
schedule-power-control shutdown interface schedule-power-control shutdown interface Sets the port that shuts down while the scheduled power saving functionality is used. Shutting down the port turns off the power, reducing the amount of power consumed. Input format To set information: schedule-power-control shutdown interface <IF# list>...
schedule-power-control shutdown interface Default behavior The operating status of a port is a state other than shutdown. For details about port statuses, see the description of the show port show interfaces operation command. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
schedule-power-control system-sleep schedule-power-control system-sleep Puts a Switch in the sleep state during scheduled power saving. Putting the Switch in the sleep state reduces the amount of power consumed. Input format To set information: schedule-power-control system-sleep To delete information: no schedule-power-control system-sleep Input mode (config) Parameters...
schedule-power-control time-range schedule-power-control time-range Sets the time of execution of the scheduled power saving functionality (on a specified date, on a specified day of the week, or daily) and whether a schedule command can be executed. Input format To set or change information: schedule-power-control time-range <Entry number>...
schedule-power-control time-range Range of values: date weekly , or everyday Parameters for specifying a date start-time <YYMMDD> <HHMM> Specify the start date and time. Specify the last two digits of the year (00 to 38). Example: Specify 00 for 2000. Specify the month (01 to 12).
schedule-power-control time-range Parameters for specifying weekly start-time {sun | mon | tue | wed | thu | fri | sat} <HHMM> Specify the start day of the week and the time. Sets Sunday. Sets Monday. Sets Tuesday. Sets Wednesday. Sets Thursday. Sets Friday.
schedule-power-control time-range Specify the hour (00 to 23). Specify the minute (00 to 59). Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Select , or , and specify a time for <HHMM>. Parameters for specifying everyday <HHMM>...
schedule-power-control time-range power-control port cool-standby shutdown Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: enable disable Default behavior None Impact on communication If sleep mode is set for a Switch, all communication stops when the scheduled power saving time arrives.
system fan-control system fan-control Enables the cooling fan control functionality, which operates by monitoring the internal temperature. Input format To set information: system fan-control To delete information: no system fan-control Input mode (config) Parameters None Default behavior The functionality is always enabled. Impact on communication None When the change is applied...
system port-led system port-led Configures a Switch's LED operation. Input format To set or change information: system port-led { enable | economy | disable } To delete information: no system port-led Input mode (config) Parameters enable Turns on the Switch LED according to the operating status. When the system port-led trigger command is not set:...
system port-led Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When the LED has been disabled (turned off), ST1 and ACC (the memory card access LED) turn on with power saving brightness. The PWR LED is always on with normal brightness.
system port-led trigger console system port-led trigger console Adds login to and logout from a Switch via a console (RS-232C) connection as a trigger for automatic LED operation. Input format To set information: system port-led trigger console To delete information: no system port-led trigger console Input mode (config)
system port-led trigger interface
Adds link-up and link-down of the specified physical port as a trigger for automatic LED operation.
Input format
To set or change information: system port-led trigger interface <IF# list>
To delete information: no system port-led trigger interface
Input mode
(config)
Parameters...
system port-led trigger mc
Adds insertion and removal of a memory card as a trigger for automatic LED operation.
Input format
To set information: system port-led trigger mc
To delete information: no system port-led trigger mc
Input mode
(config)
Parameters
None...
Part 3: Network Interface Ethernet bandwidth description duplex flowcontrol interface fastethernet interface gigabitethernet link debounce linkscan-mode mdix auto media-type power inline power inline allocation power inline priority-control disable shutdown speed system mtu...
bandwidth bandwidth Sets the bandwidth of a line. Input format To set or change information: bandwidth <kbit/s> To delete information: no bandwidth Input mode (config-if) Parameters <kbit/s> Sets the line bandwidth in kbit/s. This setting is used for the ifSpeed ifHighSpeed (SNMP MIB) value of the applicable line, and has no impact on communication.
description description Sets supplementary information. This command can be used as a comment about the line. Note that when this command is set, information can be checked by using the show interfaces ifDescr (SNMP MIB) operation command. Input format To set or change information: description <String>...
1000BASE-T full speed 10 speed 100 (when is set) full speed 100 auto 100BASE-FX (when is set) (always full duplex [AX1250S] operation) auto speed auto auto 1000 auto 1000BASE-X (when is set) (always full duplex operation) full speed 1000 (when...
duplex Default behavior auto is set. Impact on communication If this command is set for the port in use, the port goes down and communication stops temporarily. Thereafter, the port restarts. When the change is applied The change is applied immediately after setting values are changed. Notes auto or a parameter containing...
flowcontrol flowcontrol Sets flow control. Input format To set or change information: flowcontrol send {desired | on | off} flowcontrol receive {desired | on | off} To delete information: no flowcontrol send no flowcontrol receive Input mode (config-if) Parameters send {desired | on | off} Sets send operation for the pause packets of the flow control functionality.
flowcontrol Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: receive desired receive on receive off Default behavior 10BASE-T, 100BASE-TX, or 100BASE-FX port: Both receive operation and send operation 1000BASE-T or 1000BASE-X port: Receive operation is but send operation is desired Impact on communication...
interface fastethernet interface fastethernet Sets items related to 10BASE-T or 100BASE-TX lines. Entering this command switches to config-if mode in which information about the relevant line can be set. Input format To set or change information: interface fastethernet <IF#> Input mode (config) Parameters <IF#>...
interface gigabitethernet interface gigabitethernet Sets items related to 10BASE-T/100BASE-TX/1000BASE-T, 100BASE-FX, and 1000BASE-X lines. Entering this command switches to config-if mode in which information about the relevant line can be set. Input format To set or change information: interface gigabitethernet <IF#> Input mode (config) Parameters...
link debounce link debounce Sets the link-down detection time after a link failure is detected until the actual link-down occurs. When a large value is set for this command, temporary link-downs will not be detected so the link will be prevented from becoming unstable. Input format To set or change information: link debounce [time...
linkscan-mode linkscan-mode Sets the operating mode for monitoring the link status of a Switch. Input format To set information: linkscan-mode <Mode> To delete information: no linkscan-mode <Mode> Input mode (config) Parameters <Mode> Sets the operating mode for monitoring the link status. Default value when this parameter is omitted: This parameter cannot be omitted.
mdix auto mdix auto Sets the MDI functionality of the port to be used. Input format To set information: no mdix auto To delete information: mdix auto Input mode (config-if) Parameters None Default behavior During auto-negotiation, MDI and MDI-X are switched automatically. Impact on communication None When the change is applied...
media-type media-type Selects the type of port to be used as a port on which 10BASE-T/100BASE-TX/1000BASE-T (RJ45) and 100BASE-FX/1000BASE-X (SFP) can be switched. Input format To set or change information: media-type {rj45 | sfp | auto} To delete information: no media-type Input mode (config-if) Parameters...
Page 111
media-type Notes This command cannot be set for non-gigabit interfaces. If media-type is changed, the settings of the following commands return to the default state: duplex, mdix auto, and speed. If media-type auto is set, the following commands cannot be set. Use the default value.
Sets the MTU for ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Input format To set or change information: <Length>...
Page 113
Notes The table below describes the MTU of the applicable port and the frame length that can be sent or received (the maximum length of frames in Ethernet V2 format#, excluding the FCS). #: For details about the frame format, see 12.1.3 Control on the MAC and LLC sublayers in Configuration Guide Vol.
power inline power inline Sets the port priority. Setting the power priority for each port ensures that power is supplied to the appropriate ports. Input format To set or change information: power inline {critical | high | low | never } To delete information: no power inline Input mode...
Page 115
power inline If the inactivate operation command is executed, the supply of power continues. If you execute the activate operation command for a port with power inline never set, power is not supplied. If more than one port has the same setting, the port with the lower port number has priority.
power inline allocation power inline allocation Sets power allocation for each port either based on its class or manually. Input format To set or change information: power inline allocation {auto | limit <Threshold>} To delete information: no power inline allocation Input mode (config-if) Parameters...
Page 117
power inline allocation Impact on communication When the change is applied The change is applied immediately after setting values are changed. Notes When specifying manual allocation settings, read the documentation for the power-receiving device. The customer performs the operation at the customer's own risk.
power inline priority-control disable power inline priority-control disable Assigns priority to a powered port. Input format To set information: power inline priority-control disable To delete information: no power inline priority-control disable Input mode (config) Parameters None Default behavior The priority setting for ports is enabled. Impact on communication Power to all ports is temporarily stopped.
shutdown shutdown Places the port in the shutdown state. If a port with the PoE functionality is shut down, power is no longer supplied. Input format To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None Impact on communication...
speed speed Sets the port speed. Input format To set or change information: speed { 10 | 100 | 1000 | auto | auto {10 | 100 | 1000 | 10 100 | 10 100 1000} } To delete information: no speed Input mode (config-if)
Page 121
100BASE-TX/ auto 1000BASE-T auto 10 auto 100 auto 1000 auto 10 100 auto 10 100 1000 auto 100BASE-FX [AX1250S] 1000 auto 1000BASE-X auto auto 1000 Default value when this parameter is omitted: This parameter cannot be omitted. Range of values:...
Page 122
speed Related commands duplex media-type...
system mtu system mtu Sets MTU of all ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Input format To set or change information: system mtu <Length>...
Page 124
system mtu Line type setting system mtu Length of a frame Line setting that can be sent or MTU (in received (in octets) octets) 10BASE-T (full and Not related Not related Tagged 1518 1500 half-duplex), 100BASE-TX Untagged 1514 (half-duplex) All other cases Not related Tagged M1 Untagged M1...
channel-group lacp system-priority channel-group lacp system-priority Sets the LACP system priority of a channel group for link aggregation. Input format To set or change information: channel-group lacp system-priority <Priority> To delete information: no channel-group lacp system-priority Input mode (config-if) Parameters <Priority>...
channel-group max-active-port channel-group max-active-port Sets the maximum number of ports actually used in a channel group for link aggregation. Input format To set or change information: channel-group max-active-port <Number> [no-link-down] To delete information: no channel-group max-active-port Input mode (config-if) Parameters <Number>...
Page 128
channel-group max-active-port Notes Use this command in static link aggregation mode. If you set the command, match its settings to the settings of the max-active-port commands on the destination device. max-active-port lacp port-priority To change link-down or no-link-down for the standby link mode, first delete the parameter, and then set it again.
channel-group mode channel-group mode Creates a channel group for link aggregation. Input format To set or change information: channel-group <Channel group#> mode {on | {active | passive}} To delete information: no channel-group Input mode (config-if) Parameters <Channel group#> Sets the channel group number for link aggregation. Default value when this parameter is omitted: This parameter cannot be omitted.
Page 130
channel-group mode When the change is applied The change is applied immediately after setting values are changed. Notes To change static link aggregation to LACP-based link aggregation, or vice versa, delete this command, change the mode, and then set the command again. When channel-group mode is set, the...
channel-group periodic-timer channel-group periodic-timer Sets the LACPDU sending interval. Input format To set or change information: channel-group periodic-timer {long | short} To delete information: no channel-group periodic-timer Input mode (config-if) Parameters { long | short } Sets the interval at which the remote device sends LACPDUs to a Switch. long: 30 seconds short: one second...
description description Sets supplementary information. Input format To set or change information: description <String> To delete information: no description Input mode (config-if) Parameters <String> Sets supplementary information for the applicable channel group for link aggregation. Use this command to create a note related to the interface. Default value when this parameter is omitted: This parameter cannot be omitted.
interface port-channel interface port-channel Sets an item related to a port channel interface. Entering this command switches to config-if mode, which allows you to set the configuration command for specifying the channel group number. A port channel interface is automatically generated when the channel-group mode command is set.
lacp port-priority lacp port-priority Sets the port priority. Input format To set or change information: lacp port-priority <Priority> To delete information: no lacp port-priority Input mode (config-if) Parameters <Priority> Sets the port priority. The lower the priority value, the higher the priority. When is set for the command...
lacp system-priority lacp system-priority Sets the effective LACP system priority for a Switch. Input format To set or change information: lacp system-priority <Priority> To delete information: no lacp system-priority Input mode (config) Parameters <Priority> Sets the LACP system priority. The lower the priority value, the higher the priority. Default value when this parameter is omitted: This parameter cannot be omitted.
shutdown shutdown Always disables the applicable channel group for link aggregation, and stops communication. Input format To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None Impact on communication If the priority is set for an operating channel group, the channel group goes down. When the change is applied The change is applied immediately after setting values are changed.
mac-address-table aging-time mac-address-table aging-time Sets the aging conditions for MAC address table entries. Input format To set or change information: mac-address-table aging-time <Seconds> To delete information: no mac-address-table aging-time Input mode (config) Parameters <Seconds> Sets the aging time in seconds. If is set, aging is not performed.
Page 140
mac-address-table aging-time Related commands None...
mac-address-table static mac-address-table static Sets the static MAC address table information. Input format To set or change information: mac-address-table static <MAC> vlan <VLAN ID> interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no mac-address-table static <MAC>...
Page 142
mac-address-table static Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If you set a static entry for the default VLAN (VLAN ID = 1), explicitly set vlan 1 for the output destination interface.
interface vlan interface vlan Sets a VLAN interface. Setting the VLAN interface allows you to set IP addresses for VLANs. Input format To set or change information: interface vlan <VLAN ID> To delete information: no interface vlan <VLAN ID> Input mode (config) Parameters <VLAN ID>...
l2protocol-tunnel eap l2protocol-tunnel eap Enables the EAPOL forwarding functionality and sets it for a Switch. Input format To set information: l2protocol-tunnel eap To delete information: no l2protocol-tunnel eap Input mode (config) Parameters None Default behavior The EAPOL forwarding functionality is invalid. Impact on communication None When the change is applied...
l2protocol-tunnel stp l2protocol-tunnel stp Enables the BPDU forwarding functionality and sets it for a Switch. Input format To set information: l2protocol-tunnel stp To delete information: no l2protocol-tunnel stp Input mode (config) Parameters None Default behavior The BPDU forwarding functionality is invalid. Impact on communication None When the change is applied...
mac-address mac-address Sets the MAC address used to identify a MAC VLAN. Input format To set or change information: mac-address <MAC> To delete information: no mac-address <MAC> Input mode (config-vlan) (MAC VLAN only) Parameters <MAC> Sets the MAC address that will be set for the MAC VLAN. The mac-address command can be set only when the applicable VLAN is a MAC VLAN.
name name Sets a VLAN name. Input format To set or change information: name <String> To delete information: no name Input mode (config-vlan) Parameters <String> Sets the VLAN name. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Specify a character string that is no more than 32 characters.
protocol protocol Sets for protocol VLANs a protocol that distinguishes the VLANs. Input format To set or change information: protocol <Protocol name> To delete information: no protocol <Protocol name> Input mode (config-vlan) Parameters <Protocol name> Sets the protocol name of a protocol VLAN. The protocol command can be set only when the applicable VLAN is a protocol VLAN.
state state Sets the VLAN status. Input format To set or change information: state {suspend | active} To delete information: no state Input mode (config-vlan) Parameters {suspend | active} suspend Sets disable as the VLAN status and stops the sending and receiving of all frames.
switchport access switchport access Sets the access port information. Input format To set or change information: switchport access vlan <VLAN ID> To delete information: no switchport access vlan Input mode (config-if) Parameters <VLAN ID> vlan Sets a VLAN for an access port. Specifiable VLANs are port VLANs or MAC VLANs. A protocol VLAN cannot be set.
switchport isolation switchport isolation Configures the inter-port relay isolation functionality. Input format To set information: switchport isolation interface fastethernet <IF# list> switchport isolation interface gigabitethernet <IF# list> To change information: switchport isolation interface {fastethernet <IF# list> | gigabitethernet <IF# list> | add {fastethernet <IF# list>...
Page 154
switchport isolation Default behavior Forwarding between ports is not isolated. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes The functionality for suppressing inter-port forwarding is entered from the port set by interface of the switchport isolation...
switchport mac switchport mac Sets the MAC port information. Input format To set information: switchport mac vlan <VLAN ID list> switchport mac native vlan <VLAN ID> switchport mac dot1q vlan <VLAN ID list> To change information: switchport mac {vlan <VLAN ID list> | vlan add <VLAN ID list>...
Page 156
switchport mac Specifiable VLANs are port VLANs or MAC VLANs. A VLAN set by using the switchport mac vlan command cannot be set. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: For details about how to set <VLAN ID list>...
Page 157
switchport mac Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If no effective MAC VLANs are set, the port operates as an access port. setting takes effect when switchport mac dot1q vlan switchport mode mac is set.
switchport mode switchport mode Configures the Layer 2 interface attribute (port type). Input format To set or change information: switchport mode {access | trunk | protocol-vlan | mac-vlan } To delete information: no switchport mode Input mode (config-if) Parameters access Sets the applicable interface as an access port.
Page 159
switchport mode Notes If the applicable interface is set as a trunk port, set by using the allowed vlan command. If an interface is set as a trunk port and switchport trunk allowed vlan is not set, all frames on the applicable interface are discarded. If the applicable interface is set as a protocol port, set the protocol VLAN by using the switchport protocol command.
switchport protocol switchport protocol Sets the protocol port information. Input format To set information: switchport protocol vlan <VLAN ID list> switchport protocol native vlan <VLAN ID> To change information: switchport protocol {vlan <VLAN ID list> | vlan add <VLAN ID list> | vlan remove <VLAN ID list>...
Page 161
switchport protocol vlan remove <VLAN ID list> Removes an effective protocol VLAN on the port from the VLAN list. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: For details about how to set <VLAN ID list>...
switchport trunk switchport trunk Sets the trunk port information. Input format To set information: switchport trunk allowed vlan <VLAN ID list> switchport trunk native vlan <VLAN ID> To change information: switchport trunk native vlan <VLAN ID> switchport trunk allowed vlan { <VLAN ID list>...
Page 163
switchport trunk Range of values: For details about how to set <VLAN ID list> and the specifiable values, see Specifiable values for parameters. remove <VLAN ID list> Removes a VLAN from the VLAN list that is set. Default value when this parameter is omitted: This parameter cannot be omitted.
vlan vlan Sets VLAN-related items. Input format To set or change information: vlan <VLAN ID> vlan <VLAN ID list> vlan <VLAN ID> protocol-based vlan <VLAN ID list> protocol-based vlan <VLAN ID> mac-based vlan <VLAN ID list> mac-based To delete information: <VLAN ID>...
Page 165
vlan Notes on using this parameter: - When configuring protocol VLANs, you must set protocol-based - You cannot specify this parameter for VLANs you have already created as port VLANs and MAC VLANs. mac-based Set this parameter for MAC VLANs. Default value when this parameter is omitted: The VLANs become port VLANs.
Page 166
vlan cannot be deleted. As the initial state of the default VLAN, all ports are access ports. The following table explains the parameter items that can be set for the default VLAN and behavior specific to the default VLAN. vlan command: The following table applies to the vlan...
vlan-protocol vlan-protocol Sets the protocol name and protocol value for a protocol VLAN. Input format To set or change information: vlan-protocol <Protocol name> [ethertype <HEX enum>] [llc <HEX enum>] [snap-ethertype <HEX enum>] To delete information: no vlan-protocol <Protocol name> Input mode (config) Parameters...
Page 169
vlan-protocol Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Note, however, that for protocols that have not been set by the protocol command for the protocol VLAN, the change is applied when the protocol name is set by the protocol command.
instance instance Sets the VLANs that will participate in the MST instances of multiple spanning trees. Input format To set or change information: instance <MSTI ID> vlans <VLAN ID list> To delete information: no instance <MSTI ID> Input mode (config-mst) Parameters <MSTI ID>...
Page 173
instance When the change is applied The change is applied immediately after setting values are changed. Notes show command does not display the information about MST instance ID0. Related commands spanning-tree mst configuration...
name name Sets a string that identifies the regions of multiple spanning trees. Input format To set or change information: name <Name> To delete information: no name Input mode (config-mst) Parameters <Name> Sets the character string used to identify a region. Default value when this parameter is omitted: This parameter cannot be omitted.
revision revision Sets a revision number for identifying the regions of multiple spanning trees. Input format To set or change information: revision <Version> To delete information: no revision Input mode (config-mst) Parameters <Version> Sets the revision number for identifying a region. Default value when this parameter is omitted: This parameter cannot be omitted.
spanning-tree bpdufilter spanning-tree bpdufilter Sets the BPDU filter functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. Input format To set information: spanning-tree bpdufilter enable To delete information: no spanning-tree bpdufilter Input mode (config-if) Parameters None...
spanning-tree bpduguard spanning-tree bpduguard Sets the BPDU guard functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports, and operates on ports on which the PortFast functionality has been set. Input format To set or change information: spanning-tree bpduguard { enable | disable } To delete information: no spanning-tree bpduguard...
spanning-tree cost spanning-tree cost Sets the path cost of the applicable port. This command is applied to PVST+, single spanning trees, and multiple spanning trees. Input format To set or change information: spanning-tree cost <Cost> To delete information: no spanning-tree cost Input mode (config-if) Parameters...
Page 179
spanning-tree cost single pathcost method command is set, the value of the spanning-tree pathcost method command is not applied. Related commands spanning-tree pathcost method spanning-tree vlan pathcost method spanning-tree vlan cost spanning-tree single pathcost method spanning-tree single cost spanning-tree mst cost...
spanning-tree disable spanning-tree disable Stops operation of the spanning tree functionality for PVST+, single spanning trees, and multiple spanning trees. Input format To set information: spanning-tree disable To delete information: no spanning-tree disable Input mode (config) Parameters None Default behavior The spanning tree functionality is enabled.
spanning-tree guard spanning-tree guard Sets the guard functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. Input format To set or change information: spanning-tree guard { loop | none | root } To delete information: no spanning-tree guard Input mode...
Page 182
spanning-tree guard Notes When the spanning-tree portfast default command or the spanning-tree portfast command is set, the loop guard setting is not applied. Instead, the root guard setting is applied. Related commands spanning-tree loopguard default...
spanning-tree link-type spanning-tree link-type Sets the link type of the applicable port. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. If you change the high-speed topology when rapid-pvst is set for the spanning-tree mode command, and rapid-pvst is set for the spanning-tree vlan mode...
Page 184
spanning-tree link-type Related commands spanning-tree mode spanning-tree vlan mode spanning-tree single mode...
spanning-tree loopguard default spanning-tree loopguard default Sets the loop guard functionality that is used by default. This command is valid for PVST+ and single-spanning-tree ports. Input format To set information: spanning-tree loopguard default To delete information: no spanning-tree loopguard default Input mode (config) Parameters...
spanning-tree mode spanning-tree mode Sets the operating mode of a spanning tree. This command is applied to PVST+ other than for single spanning trees, and to multiple spanning trees. If the spanning-tree vlan mode command is set in a PVST+ operating mode, the settings for that command are used. Input format To set or change information: spanning-tree mode { pvst | rapid-pvst | mst }...
spanning-tree mst configuration spanning-tree mst configuration Switches to config-mst mode in which you can set the information necessary for forming the regions of multiple spanning trees. If this setting is deleted, all information necessary for forming regions that has already been set is deleted. Input format To set information: spanning-tree mst configuration...
spanning-tree mst cost spanning-tree mst cost Sets the path cost for the applicable multiple-spanning-tree ports. Input format To set or change information: spanning-tree mst <MSTI ID list> cost <Cost> To delete information: no spanning-tree mst <MSTI ID list> cost Input mode (config-if) Parameters <MSTI ID list>...
Page 189
spanning-tree mst cost Related commands spanning-tree cost...
spanning-tree mst forward-time spanning-tree mst forward-time Sets the time required for a multiple-spanning-tree status transition. Input format To set or change information: spanning-tree mst forward-time <Seconds> To delete information: no spanning-tree mst forward-time Input mode (config) Parameters <Seconds> Specify the time in seconds required for the state of a port to change. For ports in stp-compatible mode, only the listening and the learning states can be maintained for the specified period of time.
spanning-tree mst hello-time spanning-tree mst hello-time Sets the interval for sending BPDUs in multiple spanning trees. Input format To set or change information: spanning-tree mst hello-time <Hello time> To delete information: no spanning-tree mst hello-time Input mode (config) Parameters <Hello time> Specify the interval in seconds for sending BPDUs that are sent regularly from a Switch.
spanning-tree mst max-age spanning-tree mst max-age Sets the maximum enabled time for BPDUs to be sent using multiple spanning trees. Input format To set or change information: spanning-tree mst max-age <Seconds> To delete information: no spanning-tree mst max-age Input mode (config) Parameters <Seconds>...
spanning-tree mst max-hops spanning-tree mst max-hops Sets the maximum number of hop counts for BPDUs in multiple spanning trees. Input format To set or change information: spanning-tree mst max-hops <Hop number> spanning-tree mst <MSTI ID list> max-hops <Hop number> To delete information: no spanning-tree mst max-hops no spanning-tree mst <MSTI ID list>...
Page 194
spanning-tree mst max-hops Related commands None...
spanning-tree mst port-priority spanning-tree mst port-priority Sets the priority of the applicable multiple-spanning-tree ports for each MST instance. Input format To set or change information: spanning-tree mst <MSTI ID list> port-priority <Priority> To delete information: no spanning-tree mst <MSTI ID list> port-priority Input mode (config-if)
spanning-tree mst root priority spanning-tree mst root priority Sets the bridge priority for each MST instance in multiple spanning trees. Input format To set or change information: spanning-tree mst <MSTI ID list> root priority <Priority> To delete information: no spanning-tree mst <MSTI ID list>...
Page 198
spanning-tree mst root priority Related commands None...
spanning-tree mst transmission-limit spanning-tree mst transmission-limit Sets the maximum number of BPDUs that can be sent for each hello-time period for multiple spanning trees. Input format To set or change information: spanning-tree mst transmission-limit <Counts> To delete information: no spanning-tree mst transmission-limit Input mode (config) Parameters...
spanning-tree pathcost method spanning-tree pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost of a port. This command is applied to PVST+ and single spanning trees, but not to multiple spanning trees. When the spanning-tree vlan pathcost method command or the...
Page 201
spanning-tree pathcost method Default behavior short is set for path cost mode. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When is set for the spanning-tree mode command, the multiple spanning tree operates using a 32-bit value.
spanning-tree port-priority spanning-tree port-priority Sets the port priority of the applicable ports. This command is applied to PVST+, single spanning trees, and multiple spanning trees. Input format To set or change information: spanning-tree port-priority <Priority> To delete information: no spanning-tree port-priority Input mode (config-if) Parameters...
spanning-tree portfast spanning-tree portfast Sets the PortFast functionality for the applicable ports. This command is applied to the applicable PVST+, single-spanning-tree, and multiple-spanning-tree ports. Input format To set or change information: spanning-tree portfast [{ trunk | disable }] To delete information: no spanning-tree portfast Input mode (config-if)
spanning-tree portfast bpduguard default spanning-tree portfast bpduguard default Sets the BPDU guard functionality to be used by default. This command is valid for all ports on which the PortFast functionality of PVST+, single spanning trees, and multiple spanning trees is set. Input format To set information: spanning-tree portfast bpduguard default...
spanning-tree portfast default spanning-tree portfast default Sets the PortFast functionality to be used by default. This command is valid on the access, protocol, and MAC ports of PVST+, single spanning trees, and multiple spanning trees. Input format To set information: spanning-tree portfast default To delete information: no spanning-tree portfast default...
spanning-tree single spanning-tree single Starts calculation of the topology for single spanning trees. If the spanning-tree operating mode is PVST+, VLAN 1 becomes subject to a single spanning tree. Input format To set information: spanning-tree single To delete information: no spanning-tree single Input mode (config) Parameters...
spanning-tree single cost spanning-tree single cost Sets the path cost for the applicable single-spanning-tree ports. Input format To set or change information: spanning-tree single cost <Cost> To delete information: no spanning-tree single cost Input mode (config-if) Parameters <Cost> Specify the path cost value. The lower the <Cost>...
Page 208
spanning-tree single cost Related commands spanning-tree cost spanning-tree pathcost method spanning-tree single pathcost method...
spanning-tree single forward-time spanning-tree single forward-time Sets the time required for the state of a single spanning tree to change. Input format To set or change information: spanning-tree single forward-time <Seconds> To delete information: no spanning-tree single forward-time Input mode (config) Parameters <Seconds>...
spanning-tree single hello-time spanning-tree single hello-time Sets the interval for sending single-spanning-tree BPDUs. Input format To set or change information: spanning-tree single hello-time <Hello time> To delete information: no spanning-tree single hello-time Input mode (config) Parameters <Hello time> Specify the interval in seconds for sending BPDUs that are sent regularly from a Switch.
spanning-tree single max-age spanning-tree single max-age Sets the maximum enabled time for BPDUs to be sent using spanning trees. Input format To set or change information: spanning-tree single max-age <Seconds> To delete information: no spanning-tree single max-age Input mode (config) Parameters <Seconds>...
spanning-tree single mode spanning-tree single mode Sets the operating mode of single spanning trees. Input format To set or change information: spanning-tree single mode { stp | rapid-stp } To delete information: no spanning-tree single mode Input mode (config) Parameters { stp | rapid-stp } Sets the protocol to be used.
spanning-tree single pathcost method spanning-tree single pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for single-spanning-tree ports. If the spanning-tree single cost command setting is omitted, the following values are applied to the path cost according to the interface speed and the setting of the spanning-tree single pathcost method command.
Page 214
spanning-tree single pathcost method Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands None...
spanning-tree single port-priority spanning-tree single port-priority Sets the priority for the applicable single-spanning-tree ports. Input format To set or change information: spanning-tree single port-priority <Priority> To delete information: no spanning-tree single port-priority Input mode (config-if) Parameters <Priority> Sets the port priority. Use a multiple of 16 as the port priority. The lower the priority value, the higher the priority.
spanning-tree single priority spanning-tree single priority Sets the bridge priority for single spanning trees. Input format To set or change information: spanning-tree single priority <Priority> To delete information: no spanning-tree single priority Input mode (config) Parameters <Priority> Sets the bridge priority. The lower the priority value, the higher the priority. Use a multiple of 4096 as the bridge priority.
spanning-tree single transmission-limit spanning-tree single transmission-limit Sets the maximum number of BPDUs that can be sent for the hello-time period of single spanning trees. Input format To set or change information: spanning-tree single transmission-limit <Counts> To delete information: no spanning-tree single transmission-limit Input mode (config) Parameters...
spanning-tree vlan spanning-tree vlan Configures PVST+. If the no spanning-tree vlan command is set when the spanning-tree single command has been set, the applicable VLAN operates subject to a single spanning tree. Input format To set or change information: no spanning-tree vlan <VLAN ID list>...
spanning-tree vlan cost spanning-tree vlan cost Sets the path cost for the applicable PVST+ ports. Input format To set or change information: spanning-tree vlan <VLAN ID list> cost <Cost> To delete information: no spanning-tree vlan <VLAN ID list> cost Input mode (config-if) Parameters <VLAN ID list>...
Page 220
spanning-tree vlan cost When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands spanning-tree cost spanning-tree pathcost method spanning-tree vlan pathcost method...
spanning-tree vlan forward-time spanning-tree vlan forward-time Sets the time required for PVST+ state transition. Input format To set or change information: spanning-tree vlan <VLAN ID list> forward-time <Seconds> To delete information: no spanning-tree vlan <VLAN ID list> forward-time Input mode (config) Parameters <VLAN ID list>...
spanning-tree vlan hello-time spanning-tree vlan hello-time Sets the interval for sending PVST+ BPDUs. Input format To set or change information: spanning-tree vlan <VLAN ID list> hello-time <Hello time> To delete information: no spanning-tree vlan <VLAN ID list> hello-time Input mode (config) Parameters <VLAN ID list>...
Page 224
spanning-tree vlan hello-time Related commands None...
spanning-tree vlan max-age spanning-tree vlan max-age Sets the maximum enabled time for BPDUs to be sent using PVST+. Input format To set or change information: spanning-tree vlan <VLAN ID list> max-age <Seconds> To delete information: no spanning-tree vlan <VLAN ID list> max-age Input mode (config)
Page 226
spanning-tree vlan max-age Related commands None...
spanning-tree vlan mode spanning-tree vlan mode Sets the PVST+ operating mode. Input format To set or change information: spanning-tree vlan <VLAN ID list> mode { pvst | rapid-pvst } To delete information: no spanning-tree vlan <VLAN ID list> mode Input mode (config) Parameters <VLAN ID list>...
Page 228
spanning-tree vlan mode Related commands spanning-tree mode...
spanning-tree vlan pathcost method spanning-tree vlan pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for a PVST+ port. If the spanning-tree vlan cost command setting is omitted, the following values are applied to the path cost according to the interface speed and the spanning-tree vlan pathcost method...
Page 230
spanning-tree vlan pathcost method - When 65536 or a larger value is set for the path cost, you cannot change the parameter to short. Default behavior The setting of the spanning-tree pathcost method command is used. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
spanning-tree vlan port-priority spanning-tree vlan port-priority Sets the priority for the applicable PVST+ ports. Input format To set or change information: spanning-tree vlan <VLAN ID list> port-priority <Priority> To delete information: no spanning-tree vlan <VLAN ID list> port-priority Input mode (config-if) Parameters <VLAN ID list>...
spanning-tree vlan priority spanning-tree vlan priority Sets the PVST+ bridge priority. Input format To set or change information: spanning-tree vlan <VLAN ID list> priority <Priority> To delete information: no spanning-tree vlan <VLAN ID list> priority Input mode (config) Parameters <VLAN ID list> Starts configuration of PVST+ for the specified VLAN.
Page 234
spanning-tree vlan priority Notes None Related commands None...
spanning-tree vlan transmission-limit spanning-tree vlan transmission-limit Sets the maximum number of BPDUs that can be sent with the PVST+ hello-time. Input format To set or change information: spanning-tree vlan <VLAN ID list> transmission-limit <Counts> To delete information: no spanning-tree vlan <VLAN ID list>...
axrp axrp Sets a ring ID. In addition, the Switch enters config-axrp mode in which the information necessary for the Ring Protocol functionality can be set. A maximum of four ring IDs can be set for a Switch. If the settings are removed, the ring information already set for ring IDs is deleted. Input format To set information: axrp...
axrp vlan-mapping axrp vlan-mapping Sets the VLAN mapping to be applied to a VLAN group and the VLANs participating in the VLAN mapping. Input format To set information: axrp vlan-mapping <Mapping ID> vlan <VLAN ID list> To change information: axrp vlan-mapping <Mapping ID>...
Page 240
axrp vlan-mapping shorter after the addition of VLANs, an axrp vlan-mapping command that consisted of multiple lines might be consolidated and displayed as the configuration. vlan remove <VLAN ID list> Sets the VLANs to be removed from the VLAN list you have configured. Default value when this parameter is omitted: This parameter cannot be omitted.
axrp-ring-port axrp-ring-port Sets an interface that operates as the ring port for the Ring Protocol. The interfaces that can be set are Ethernet interfaces and port channel interfaces. Input format To set information: axrp-ring-port <Ring ID> [shared] To delete information: no axrp-ring-port <Ring ID>...
Page 242
axrp-ring-port Notes Two ring ports can be set for one ring ID. A ring port cannot be set for an Ethernet interface that is set for a channel group. Also, an Ethernet interface set for a ring port cannot be set for a channel group. Set the ring port for a port channel interface to which the applicable Ethernet interface belongs.
control-vlan control-vlan Sets the VLAN to be used as the control VLAN. You can use the VLANs set by using this command to send and receive control frames that monitor the ring status. Setting the forwarding-delay-time parameter allows you to set the time required to change the status of the control VLAN to Forwarding during initial operation.
Page 244
control-vlan Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes A VLAN that is a control VLAN for which another ring ID is used cannot be set. A VLAN that is used in a VLAN group cannot be set. If a change or deletion is executed while the Ring Protocol is operating, the Ring Protocol functionality is temporarily disabled.
disable disable Disables the Ring Protocol functionality. Input format To set information: disable To delete information: no disable Input mode (config-axrp) Parameters None Default behavior The Ring Protocol functionality is enabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
forwarding-shift-time forwarding-shift-time Sets the reception hold time for flush control frames in a transit node. When the reception hold time passes, if no flush control frames are received, the status of a ring port changes from Blocking to Forwarding. Input format To set information: forwarding-shift-time { <Seconds>...
Page 247
forwarding-shift-time Related commands None...
mode mode Sets the operating mode of the Switch used for the ring. Input format To set information: mode transit To delete information: no mode Input mode (config-axrp) Parameters transit The Switch operates as a transit node. Default value when this parameter is omitted: This parameter cannot be omitted.
name name Sets the name that will be used to identify the ring. Input format To set information: name <Name> To delete information: no name Input mode (config-axrp) Parameters <Name> Sets the name that will be used to identify the ring. Default value when this parameter is omitted: This parameter cannot be omitted.
vlan-group vlan-group Sets the VLAN group that will be used for the Ring Protocol and the mapping IDs of the VLANs participating in the VLAN groups. A maximum of two VLAN groups can be set for the ring. Input format To set or change information: vlan-group <Group ID>...
Page 251
vlan-group Notes If the same VLAN mapping is assigned to VLAN groups in different rings, the same port cannot be set as the ring port in those rings. Note, however, that it is possible to set the same ring port if the port is a shared link (ring port for which shared is set).
DHCP Snooping ip arp inspection limit rate ip arp inspection trust ip arp inspection validate ip arp inspection vlan ip dhcp snooping ip dhcp snooping database url ip dhcp snooping database write-delay ip dhcp snooping information option allow-untrusted ip dhcp snooping limit rate ip dhcp snooping trust ip dhcp snooping verify mac-address ip dhcp snooping vlan...
ip arp inspection limit rate ip arp inspection limit rate Sets the ARP packet reception rate (the number of ARP packets that can be received per second) on the applicable port when the DHCP snooping functionality is enabled on a Switch.
ip arp inspection trust ip arp inspection trust Sets the applicable interface as a trusted port where no dynamic ARP inspection is performed when the DHCP snooping functionality is enabled on a Switch. Input format To set information: ip arp inspection trust To delete information: no ip arp inspection trust Input mode...
ip arp inspection validate ip arp inspection validate Sets inspection items to be added to improve the accuracy of the dynamic ARP inspection when the dynamic ARP inspection functionality is enabled on a Switch. Input format To set or change information: ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip ] To delete information: no ip arp inspection validate...
Page 256
ip arp inspection validate Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If you enter this command, you cannot omit all of the parameters. At least one parameter must be set.
ip arp inspection vlan ip arp inspection vlan Sets the VLAN used for dynamic ARP inspection when the DHCP snooping functionality is enabled on a Switch. Input format To set or change information: ip arp inspection vlan { <VLAN ID list> | add <VLAN ID list>...
Page 258
ip arp inspection vlan Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes Set a VLAN ID set by using the ip dhcp snooping vlan command. If this command is set, the binding database entries registered by using the source binding command are also subject to dynamic ARP inspection.
ip dhcp snooping ip dhcp snooping Enables the DHCP snooping functionality on a Switch. Input format To set information: ip dhcp snooping To delete information: no ip dhcp snooping Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
ip dhcp snooping database url ip dhcp snooping database url Sets the save location for the binding database. Input format To set or change information: ip dhcp snooping database url { flash | mc <File name> } To delete information: no ip dhcp snooping database url Input mode (config) Parameters...
Page 261
ip dhcp snooping database url Notes For the wait-to-write time set by using the ip dhcp snooping database write-delay command, any of the save events below causes the timer to start. When the timer expires, the binding database is saved. ...
ip dhcp snooping database write-delay ip dhcp snooping database write-delay Sets the wait-to-write time used when a binding database is saved. Input format To set or change information: ip dhcp snooping database write-delay <Seconds> To delete information: no ip dhcp snooping database write-delay Input mode (config) Parameters...
Page 263
ip dhcp snooping database write-delay Related commands ip dhcp snooping ip dhcp snooping database url ip dhcp snooping vlan...
ip dhcp snooping information option allow-untrusted ip dhcp snooping information option allow-untrusted Set this command to allow DHCP packets that have option [82] information to be received on an untrusted port. If this setting is omitted, DHCP packets that have option [82] information are discarded.
ip dhcp snooping limit rate ip dhcp snooping limit rate Sets the DHCP packet reception rate (the number of DHCP packets that can be received per second) on the applicable port. DHCP packets exceeding the reception rate are discarded. Input format To set or change information: ip dhcp snooping limit rate <Packet/s>...
ip dhcp snooping trust ip dhcp snooping trust Sets whether the interface is a trusted port or an untrusted port. Input format To set information: ip dhcp snooping trust To delete information: no ip dhcp snooping trust Input mode (config-if) Parameters None Default behavior...
ip dhcp snooping verify mac-address ip dhcp snooping verify mac-address Sets whether to check if the source MAC address of DHCP packets received from an untrusted port matches the client hardware addresses in the DHCP packet. Input format To set information: no ip dhcp snooping verify mac-address To delete information: ip dhcp snooping verify mac-address...
ip dhcp snooping vlan ip dhcp snooping vlan Enables DHCP snooping in a VLAN. DHCP snooping is disabled if it is not set by using this command. A maximum of 32 VLANs can be set with this command. Input format To set or change information: ip dhcp snooping vlan <VLAN ID list>...
ip source binding ip source binding Sets static entries for the binding database. Input format To set information: ip source binding <MAC> vlan <VLAN ID> <IP address> interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no ip source binding <MAC>...
Page 270
ip source binding See Specifiable values for parameters. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes A maximum of 64 entries can be set. Note, however, that no entries can be set if, when entries are set, the number of binding database entries, including dynamic entries, exceeds the maximum number of entries.
ip verify source ip verify source Set this command to use the terminal filter based on the DHCP snooping binding database. (The terminal filter is functionality used to filter the packets of unregistered source IP and MAC addresses.) Input format To set or change information: ip verify source [ { port-security | mac-only } ] To delete information:...
Page 272
ip verify source Related commands ip dhcp snooping ip dhcp snooping vlan ip dhcp snooping trust ip source binding...
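The limits and dependencies stated in this chapter can be checked mechanically before a configuration is deployed. The following is an added example, not part of the manual or of any vendor tooling: a Python checker that audits configuration text against the notes above (dynamic ARP inspection VLANs must also be DHCP snooping VLANs, at most 32 snooping VLANs, at most 64 static bindings, and the two settings that relax checks on untrusted ports). The VLAN list syntax (commas and hyphenated ranges), the interface numbering, the "!" block separator and the sample configuration are assumptions constructed for illustration.

```python
import re

MAX_SNOOPING_VLANS = 32   # limit stated for "ip dhcp snooping vlan"
MAX_STATIC_BINDINGS = 64  # limit stated for "ip source binding"


def parse_vlan_list(text):
    """Expand a VLAN ID list such as "10,20-22" (assumed syntax) into a set."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(config_text):
    """Return (findings, trusted_ports); findings are (code, message) tuples."""
    snoop_enabled = dai_validate = False
    snoop_vlans, dai_vlans = set(), set()
    bindings, current_if = 0, None
    trusted, findings = [], []

    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":                      # assumed end of an interface block
            current_if = None
        elif line.startswith("interface "):
            current_if = line[len("interface "):]
        elif line == "ip dhcp snooping":
            snoop_enabled = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan (.+)", line):
            snoop_vlans |= parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"ip arp inspection vlan (?:add )?(.+)", line):
            dai_vlans |= parse_vlan_list(m.group(1))
        elif line.startswith("ip arp inspection validate "):
            dai_validate = True
        elif line.startswith("ip source binding "):
            bindings += 1
        elif line == "ip dhcp snooping trust" and current_if:
            trusted.append(current_if)       # every trusted port deserves review
        elif line == "no ip dhcp snooping verify mac-address":
            findings.append(("VERIFY_MAC_DISABLED",
                             "source MAC vs. client hardware address check is off"))
        elif line == "ip dhcp snooping information option allow-untrusted":
            findings.append(("OPTION82_UNTRUSTED",
                             "option 82 packets are accepted on untrusted ports"))

    if (snoop_vlans or dai_vlans) and not snoop_enabled:
        findings.append(("SNOOPING_OFF",
                         "VLANs are listed but 'ip dhcp snooping' is not set"))
    missing = sorted(dai_vlans - snoop_vlans)
    if missing:
        findings.append(("DAI_VLAN_NOT_SNOOPED",
                         f"ARP inspection VLANs without DHCP snooping: {missing}"))
    if len(snoop_vlans) > MAX_SNOOPING_VLANS:
        findings.append(("TOO_MANY_SNOOPING_VLANS",
                         f"{len(snoop_vlans)} VLANs exceed {MAX_SNOOPING_VLANS}"))
    if bindings > MAX_STATIC_BINDINGS:
        findings.append(("TOO_MANY_BINDINGS",
                         f"{bindings} static entries exceed {MAX_STATIC_BINDINGS}"))
    if dai_vlans and not dai_validate:
        findings.append(("DAI_NO_VALIDATE",
                         "no additional inspection items (src-mac, dst-mac, ip) set"))
    return findings, trusted


# Constructed sample; addresses and interface numbers are illustrative only.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-22
ip arp inspection vlan 10,30
no ip dhcp snooping verify mac-address
ip source binding 0000.5e00.5301 vlan 10 192.0.2.10 interface fastethernet 0/5
!
interface gigabitethernet 0/25
 ip dhcp snooping trust
 ip arp inspection trust
!
interface fastethernet 0/1
 ip dhcp snooping limit rate 50
 ip verify source
!
"""

if __name__ == "__main__":
    results, trusted_ports = audit(SAMPLE_CONFIG)
    for code, message in results:
        print(f"{code}: {message}")
    print("trusted ports:", trusted_ports)
```
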
ip igmp snooping (global) ip igmp snooping (global) Suppresses the IGMP snooping functionality on a Switch. Input format To set information: no ip igmp snooping To delete information: ip igmp snooping Input mode (config) Parameters None Default behavior The IGMP snooping functionality is enabled on a Switch. Impact on communication The IGMP snooping functionality stops.
ip igmp snooping (interface) ip igmp snooping (interface) Enables the IGMP snooping functionality on a VLAN interface. Input format To set information: ip igmp snooping To delete information: no ip igmp snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
ip igmp snooping mrouter ip igmp snooping mrouter Sets a multicast router port for the VLAN interface. Input format To set or change information: ip igmp snooping mrouter interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no ip igmp snooping mrouter interface {fastethernet <IF#>...
Page 277
ip igmp snooping mrouter Related commands ip igmp snooping...
ip igmp snooping querier ip igmp snooping querier Enables the IGMP querier functionality in a VLAN interface. Input format To set information: ip igmp snooping querier To delete information: no ip igmp snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None...
ipv6 mld snooping (global) ipv6 mld snooping (global) Suppresses the MLD snooping functionality on a Switch. Input format To set information: no ipv6 mld snooping To delete information: ipv6 mld snooping Input mode (config) Parameters None Default behavior Enables the MLD snooping functionality on a Switch. Impact on communication The MLD snooping functionality stops.
ipv6 mld snooping (interface) ipv6 mld snooping (interface) Enables the MLD snooping functionality on a VLAN interface. Input format To set information: ipv6 mld snooping To delete information: no ipv6 mld snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
ipv6 mld snooping source ipv6 mld snooping source Sets the source IPv6 address of the MLD snooping functionality to be used on a VLAN interface. Input format To set or change information: ipv6 mld snooping source <IPv6 address> To delete information: no ipv6 mld snooping source Input mode (config-if)
ipv6 mld snooping mrouter ipv6 mld snooping mrouter Sets a multicast router port for the VLAN interface. Input format To set or change information: ipv6 mld snooping mrouter interface {fastethernet <IF#> | gigabitethernet <IF#> | port-channel <Channel group#>} To delete information: no ipv6 mld snooping mrouter interface {fastethernet <IF#>...
ipv6 mld snooping querier ipv6 mld snooping querier Enables the MLD querier functionality on a VLAN interface. Input format To set information: ipv6 mld snooping querier To delete information: no ipv6 mld snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None...
ip address ip address Sets the local IPv4 address. Input format To set or change information: ip address <IP address> <Subnet-Mask> To delete information: no ip address <IP address> Input mode (config-if) Parameters <IP address> Sets the local IPv4 address. Default value when this parameter is omitted: This parameter cannot be omitted.
Page 288
ip address Notes 127.*.*.* cannot be specified as an IPv4 address. Related commands interface vlan...
ip route ip route Sets a static route IPv4 address. Input format To set or change information: ip route <IP address> <Mask> <Next hop> To delete information: no ip route <IP address> <Mask> <Next hop> Input mode (config) Parameters <IP address> Sets the destination IPv4 address for a static route.
Page 290
ip route Notes None Related commands None...
ip mtu ip mtu Sets the send IP MTU length for an interface. Input format To set or change information: ip mtu <Length> To delete information: no ip mtu Input mode (config-if) Parameters <Length> Sets the send IP MTU length for an interface. In actuality, the frame length set in port MTU information and this parameter value are compared, and the smaller value is used as the IP MTU length of the interface.
Page 292
ip mtu Related commands interface vlan...
flow detection mode flow detection mode Sets the flow detection mode for the filtering and QoS functionality. This command changes the distribution pattern for the maximum number of entries in a hardware table. By changing the distribution pattern according to the operating mode, you can collect hardware resources in the necessary tables and use them.
Page 295
flow detection mode Legend Y: Can be set; N: Cannot be set For details about the flow detection modes, see 1.1.3 Flow detection modes in the Configuration Guide Vol.2 and 3.1.1 Flow detection modes in the Configuration Guide Vol.2. Default behavior Flow detection operates as Layer 2-2 flow detection.
Part 7: Filters Access Lists Names that can be specified deny (ip access-list extended) deny (ip access-list standard) deny (mac access-list extended) ip access-group ip access-list extended ip access-list resequence ip access-list standard mac access-group mac access-list extended mac access-list resequence permit (ip access-list extended) permit (ip access-list standard) permit (mac access-list extended...
Names that can be specified Names that can be specified Protocol names (IPv4) The following table lists the names that can be specified as IPv4 protocol names. Table 19-1 Protocol names that can be specified (IPv4) Protocol name Applicable protocol number icmp igmp All IP protocols...
Page 298
Names that can be specified Port names (TCP) The following table lists the port names that can be specified for TCP. Table 19-2 Port names that can be specified for TCP Port name Applicable port name and number Border Gateway Protocol version 4 (179) chargen Character generator (19) daytime...
Page 299
Names that can be specified Port name Applicable port name and number pop3 Post Office Protocol v3 (110) pop3s POP3 over TLS/SSL (995) Printer PDL Data Stream (9100) shell Remote commands (514) smtp Simple Mail Transfer Protocol (25) smtps SMTP over TLS/SSL (465) Secure Shell Remote Login Protocol (22) sunrpc Sun Remote Procedure Call (111)
Page 300
Names that can be specified Port names (UDP) The following table lists the port names that can be specified for UDP. Table 19-3 Port names that can be specified for UDP (IPv4) Port name Applicable port name and number biff Biff (512) bootpc Bootstrap Protocol (BOOTP) client (68)
Page 301
Names that can be specified TOS name The following table lists the TOS names that can be specified. Table 19-4 TOS names that can be specified TOS name TOS value max-reliability max-throughput min-delay min-monetary-cost normal Precedence name The following table lists the precedence names that can be specified. Table 19-5 Precedence names that can be specified Precedence name Precedence value...
Page 302
Names that can be specified DSCP name The following table lists the DSCP names that can be specified. Table 19-6 DSCP names that can be specified DSCP name DSCP value af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 default...
Page 303
Names that can be specified Ethernet type name The following table lists the Ethernet type names that can be specified. Table 19-7 Ethernet type names that can be specified Ethernet type name Ethernet value Remarks appletalk 0x809b 0x0806 eapol 0x888e gsrp Filters GSRP control packets.
deny (ip access-list extended) deny (ip access-list extended) Sets the conditions for rejecting access in IPv4 packet filtering. Input format To set or change information: When upper-layer protocols are other than TCP and UDP [ <Seq> ] deny {ip | <Protocol>...
Page 305
deny (ip access-list extended) Range of values: <Protocol>: Set 0 to 5, 7 to 16, or 18 to 255 (in decimal), or a protocol name. See Table 19-1 Protocol names that can be specified (IPv4). <Src IPv4> <Src IPv4 wildcard> | host <Src IPv4>...
Page 306
deny (ip access-list extended) sets bits that permit an arbitrary value in an IPv4 address. host <Dst IPv4> specification: The filter condition is a perfect match of <Dst IPv4>. specification: The destination IPv4 address is not included as a filter condition. IPv4 address (nnn.nnn.nnn.nnn): 0.0.0.0 to 255.255.255.255 <Dst port>...
Page 307
deny (ip access-list extended) Precedence names that can be specified. dscp <DSCP> This parameter sets the DSCP value, which is the first six bits in the ToS field. Its value is compared with the first six bits in the ToS field of the received packet. Default value when this parameter is omitted: None.
Page 308
deny (ip access-list extended) None Sets detection of packets whose SYN flag in the TCP header is 1. This parameter is an option available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Sets detection of packets whose URG flag in the TCP header is 1.
Page 309
deny (ip access-list extended) Notes When 255.255.255.255 is entered for the source address wildcard and the destination address wildcard, is displayed. nnn.nnn.nnn.nnn 0.0.0.0 is entered as the sender address and the destination address, host nnn.nnn.nnn.nnn is displayed. precedence , and dscp cannot be set at the same time.
deny (ip access-list standard) deny (ip access-list standard) Sets the conditions for rejecting access in IPv4 address filtering. Input format To set or change information: [ <Seq> ] deny { <Src IPv4> [ <Src IPv4 wildcard> ] | host <Src IPv4> | any} To delete information: <Seq>...
Page 311
deny (ip access-list standard) Default behavior None Impact on communication If any entry is added when an access list with no entries set is being applied to an interface, the IP packets received on the applicable interface are discarded temporarily until the entry is applied to the interface.
deny (mac access-list extended) deny (mac access-list extended) Sets the conditions for rejecting access in MAC filtering. Input format To set or change information: [ <Seq> ] deny { <Src MAC> <Src MAC mask> | host <Src MAC> | any} { <Dst MAC>...
Page 313
deny (mac access-list extended) MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) { <Dst MAC> <Dst MAC mask> | host <Dst MAC> | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu } Sets the destination MAC address. To set all destination MAC addresses, set Default value when this parameter is omitted: This parameter cannot be omitted.
Page 314
deny (mac access-list extended) vlan <VLAN ID> Sets the VLAN ID. This parameter is effective only when it is applied to an Ethernet interface. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: See Specifiable values for parameters.
ip access-group ip access-group Applies an IPv4 access list to an Ethernet interface or a VLAN interface, and enables the IPv4 filtering functionality. Input format To set information: ip access-group <ACL ID> To delete information: no ip access-group <ACL ID> Input mode (config-if) Parameters...
Page 316
ip access-group Notes If filter was not set when the system function command was set, this command cannot be set. (This command can be set if the system function command was not set.) One IPv4 filter can be set for one interface. A maximum of 128 filters can be applied to an Ethernet interface or a VLAN interface.
ip access-list extended ip access-list extended Sets the access list that operates as an IPv4 filter. There are two types of access lists that operate as IPv4 filters. One type is an IPv4 address filter and the other type is an IPv4 packet filter.
Page 318
ip access-list extended Notes None Related commands ip access-group ip access-list resequence deny (ip access-list extended) permit (ip access-list extended) remark...
ip access-list resequence ip access-list resequence Resets the sequence numbers of the sequence in which filter conditions are applied in IPv4 address filtering or IPv4 packet filtering. Input format To set or change information: ip access-list resequence <ACL ID> <Starting seq> <Increment seq>...
Page 320
ip access-list resequence Notes None Related commands ip access-list standard ip access-list extended...
ip access-list standard ip access-list standard Sets the access list that operates as an IPv4 filter. There are two types of access lists that operate as IPv4 filters. One type is an IPv4 address filter and the other type is an IPv4 packet filter.
Page 322
ip access-list standard Notes None Related commands ip access-group ip access-list resequence deny (ip access-list standard) permit (ip access-list standard) remark...
mac access-group mac access-group Applies a MAC access list to an Ethernet interface or a VLAN interface and enables the MAC filtering functionality. Input format To set information: mac access-group <ACL ID> To delete information: no mac access-group <ACL ID> Input mode (config-if) Parameters...
Page 324
mac access-group Notes If filter was not set when the system function command was set, this command cannot be set. (This command can be set if the system function command was not set.) One MAC filter can be set for one interface. A maximum of 128 filters can be applied to an Ethernet interface or a VLAN interface.
mac access-list extended mac access-list extended Sets the access list to be used as a MAC filter. An access list used for a MAC filter filters packets based on source MAC address, destination MAC address, Ethernet type number, VLAN ID, and user priority. Multiple filter conditions can be set by using a single access list ID.
Page 326
mac access-list extended Related commands mac access-group mac access-list resequence deny (mac access-list extended) permit (mac access-list extended) remark...
mac access-list resequence mac access-list resequence Resets the sequence numbers of the sequence in which filter conditions are applied in MAC filtering. Input format To set or change information: mac access-list resequence <ACL ID> <Starting seq> <Increment seq> Input mode (config) Parameters <ACL ID>...
Page 328
mac access-list resequence Notes None Related commands mac access-list extended...
permit (ip access-list extended) permit (ip access-list extended) Sets the conditions for permitting access in IPv4 packet filtering. Input format To set or change information: When upper-layer protocols are other than TCP and UDP [ <Seq> ] permit {ip | <Protocol>...
Page 330
permit (ip access-list extended) Range of values: <Protocol>: Set 0 to 5, 7 to 16, or 18 to 255 (in decimal), or a protocol name. See Table 19-1 Protocol names that can be specified (IPv4). <Src IPv4> <Src IPv4 wildcard> | host <Src IPv4>...
Page 331
permit (ip access-list extended) sets bits that permit an arbitrary value in an IPv4 address. host <Dst IPv4> specification: The filter condition is a perfect match of <Dst IPv4>. specification: The destination IPv4 address is not included as a filter condition. IPv4 address (nnn.nnn.nnn.nnn): 0.0.0.0 to 255.255.255.255 <Dst port>...
Page 332
permit (ip access-list extended) Precedence names that can be specified. dscp <DSCP> This parameter sets the DSCP value, which is the first six bits in the ToS field. Its value is compared with the first six bits in the ToS field of the received packet. Default value when this parameter is omitted: None.
Page 333
permit (ip access-list extended) None Sets detection of packets whose SYN flag in the TCP header is 1. This parameter is an option available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Sets detection of packets whose URG flag in the TCP header is 1.
Page 334
permit (ip access-list extended) Notes When 255.255.255.255 is entered for the source address wildcard and the destination address wildcard, is displayed. nnn.nnn.nnn.nnn 0.0.0.0 is entered as the sender address and the destination address, host nnn.nnn.nnn.nnn is displayed. precedence , and dscp cannot be set at the same time.
permit (ip access-list standard) permit (ip access-list standard) Sets the conditions for permitting access in IPv4 address filtering. Input format To set or change information: [ <Seq> ] permit { <Src IPv4> [ <Src IPv4 wildcard> ] | host <Src IPv4> | any} To delete information: <Seq>...
Page 336
permit (ip access-list standard) Default behavior None Impact on communication If any entry is added when an access list with no entries set is being applied to an interface, the IP packets received on the applicable interface are discarded temporarily until the entry is applied to the interface.
permit (mac access-list extended) permit (mac access-list extended) Sets the conditions for permitting access in MAC filtering. Input format To set or change information: [ <Seq> ] permit { <Src MAC> <Src MAC mask> | host <Src MAC> | any} { <Dst MAC>...
Page 338
permit (mac access-list extended) MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) { <Dst MAC> <Dst MAC mask> | host <Dst MAC> | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu } Sets the destination MAC address. To set all destination MAC addresses, set Default value when this parameter is omitted: This parameter cannot be omitted.
Page 339
permit (mac access-list extended) vlan <VLAN ID> Sets the VLAN ID. This parameter is effective only when it is applied to an Ethernet interface. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: See Specifiable values for parameters.
remark remark Sets supplementary information for an access list. Access lists are available for IPv4 address filtering, IPv4 packet filtering, and MAC filtering. A maximum of 512 items can be set for a Switch. Input format To set or change information: remark <Remark>...
Page 341
remark Related commands ip access-list standard ip access-list extended mac access-list extended...
Part 8: QoS Names and values that can be specified ip qos-flow-group ip qos-flow-list ip qos-flow-list resequence limit-queue-length mac qos-flow-group mac qos-flow-list mac qos-flow-list resequence qos (ip qos-flow-list) qos (mac qos-flow-list) qos-queue-group qos-queue-list remark traffic-shape rate control-packet user-priority...
Names and values that can be specified Names and values that can be specified Protocol names (IPv4) The following table lists the names that can be specified as IPv4 protocol names. Table 20-1 Protocol names that can be specified (IPv4) Protocol name Applicable protocol number icmp...
Page 344
Names and values that can be specified Port names (TCP) The following table lists the port names that can be specified for TCP. Table 20-2 Port names that can be specified for TCP Port name Applicable port name and number Border Gateway Protocol version 4 (179) chargen Character generator (19)
Page 345
Names and values that can be specified Port name Applicable port name and number pop3 Post Office Protocol v3 (110) pop3s POP3 over TLS/SSL (995) Printer PDL Data Stream (9100) shell Remote commands (514) smtp Simple Mail Transfer Protocol (25) smtps SMTP over TLS/SSL (465) Secure Shell Remote Login Protocol (22)
Page 346
Names and values that can be specified Port name Applicable port name and number mobile-ip Mobile IP registration (434) nameserver Host Name Server (42) Network Time Protocol (123) radius Remote Authentication Dial In User Service (1812) radius-acct RADIUS Accounting (1813) Routing Information Protocol (520) snmp Simple Network Management Protocol...
Page 347
Names and values that can be specified Precedence name The following table lists the precedence names that can be specified. Table 20-5 Precedence names that can be specified Precedence name Precedence value critical flash flash-override immediate internet network priority routine DSCP name The following table lists the DSCP names that can be specified.
Page 348
Names and values that can be specified DSCP name DSCP value default Ethernet type name The following table lists the Ethernet type names that can be specified. Table 20-7 Ethernet type names that can be specified Ethernet value Remarks Ethernet type name appletalk 0x809b...
Page 349
Names and values that can be specified Destination MAC address names The following table lists the destination MAC address names that can be specified. Table 20-8 Destination MAC address names that can be specified Destination address Destination Destination address address mask specification bpdu...
ip qos-flow-group ip qos-flow-group Enables the QoS filtering functionality by applying an IPv4 QoS flow list to an Ethernet interface or a VLAN interface. Input format To set information: ip qos-flow-group <QoS flow list name> To delete information: no ip qos-flow-group <QoS flow list name>...
Page 351
ip qos-flow-group set.) One IPv4 QoS flow list can be set for one interface. A maximum of 64 filters can be applied to an Ethernet interface or a VLAN interface. If a non-existent IPv4 QoS flow list name is set, no operation is performed. The IPv4 QoS flow list name is registered.
ip qos-flow-list ip qos-flow-list Creates an IPv4 QoS flow list to be used to set QoS flow detection and operation settings. A maximum of 1024 IPv4 and MAC QoS flow lists can be created for a Switch. A maximum of 1024 entries can be created for flow detection and operation settings.
ip qos-flow-list resequence ip qos-flow-list resequence Resets the sequence numbers of the application sequence in the IPv4 QoS flow list. Input format To set or change information: ip qos-flow-list resequence <QoS flow list name> <Starting seq> <Increment seq> Input mode (config-ip-qos) Parameters <QoS flow list name>...
Page 354
ip qos-flow-list resequence Notes None Related commands ip qos-flow-list...
limit-queue-length limit-queue-length Sets for a Switch the maximum send queue length of a physical port. If this command is omitted or if setting information is deleted, the send queue length is set to This command is used to set basic operating conditions for the hardware. You must restart the Switch after you change the settings.
Page 356
limit-queue-length This also applies when 32 is set as the send queue length. If information is deleted by using the command, there will be no scheduling mode limitations. When 32 has been set as the send queue length by using the limit-queue-length command, the send queue length is as follows: Queues 1 to 8: 32...
mac qos-flow-group mac qos-flow-group Enables the QoS functionality by applying a MAC QoS flow list to an Ethernet interface or a VLAN interface. Input format To set information: mac qos-flow-group <QoS flow list name> To delete information: no mac qos-flow-group <QoS flow list name>...
Page 358
mac qos-flow-group Notes was not set when the system function command was set, this command cannot be set. (This command can be set if the system function command was not set.) One MAC QoS flow list can be set for one interface. A maximum of 64 filters can be applied to an Ethernet interface or a VLAN interface.
mac qos-flow-list mac qos-flow-list Creates the MAC QoS flow list used to set QoS flow detection and operation settings. A maximum of 1024 IPv4 and MAC QoS flow lists can be created for a Switch. A maximum of 1024 entries can be created for flow detection and operation settings. Input format To set or change information: mac qos-flow-list...
mac qos-flow-list resequence mac qos-flow-list resequence Resets the sequence numbers of the application sequence in the MAC QoS flow list. Input format To set or change information: mac qos-flow-list resequence <QoS flow list name> <Starting seq> <Increment seq> Input mode (config-mac-qos) Parameters <QoS flow list name>...
Page 361
mac qos-flow-list resequence Notes None Related commands mac qos-flow-list...
qos (ip qos-flow-list) qos (ip qos-flow-list) Sets flow detection conditions and operation settings in an IPv4 QoS flow list. Input format To set or change information: <Seq> ] qos { <Flow detection conditions> <Operation settings> <Flow detection conditions> When upper-layer protocols are other than TCP and UDP {ip | <Protocol>...
Page 363
qos (ip qos-flow-list) {ip | <Protocol> | icmp | igmp | tcp | udp} Sets the upper-layer protocol condition of IPv4 packets. Note that if all protocols are applicable, is set. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: <Protocol>: Set 0 to 255 (in decimal) or a protocol name.
Page 364
qos (ip qos-flow-list) Range of values: Specify <Dst IPv4>, <Dst IPv4 wildcard>, host <Dst IPv4>, or <Dst IPv4> <Dst IPv4 wildcard> specification: Specify the destination IPv4 address for <Dst IPv4>. <Dst IPv4 wildcard>, specify a wildcard in IPv4 address format that sets bits that permit an arbitrary value in an IPv4 address.
Page 365
qos (ip qos-flow-list) Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Set 0 to 7 (in decimal) or the precedence name. For details about the Precedence names that can be set, see Table 20-5 Precedence names that can be specified.
Page 366
qos (ip qos-flow-list) Range of values: None Sets detection of packets whose RST flag in the TCP header is 1. This parameter is an option available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Sets detection of packets whose SYN flag in the TCP header is 1.
Page 367
qos (ip qos-flow-list) beginning of the operation parameter. Default value when this parameter is omitted: None. (This parameter cannot be omitted if an operation is set.) Range of values: None <COS> Sets an index (CoS) indicating the priority on a Switch. Default value when this parameter is omitted: The default CoS values are set.
Page 368
qos (ip qos-flow-list) Notes When 255.255.255.255 is entered for the source address wildcard and the destination address wildcard, is displayed. nnn.nnn.nnn.nnn 0.0.0.0 is entered as the sender address and the destination address, host nnn.nnn.nnn.nnn is displayed. precedence , and dscp cannot be set at the same time.
qos (mac qos-flow-list) qos (mac qos-flow-list) Sets flow detection conditions and operation settings in the MAC QoS flow list. Input format To set or change information: <Seq> ] qos { <Flow detection conditions> <Operation settings> <Flow detection conditions> {<Src MAC> <Src MAC mask> | host <Src MAC>...
Page 370
qos (mac qos-flow-list) The flow detection condition is a perfect match of <Src MAC>. specification: The source MAC address is not included as a flow detection condition. MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) <Dst MAC> <Dst MAC mask> | host <Dst MAC>...
Page 371
qos (mac qos-flow-list) Note, however, that 0x0000 is set for a value equal to or smaller than 0x05ff. For details about the Ethernet type names that can be set, see Table 20-7 Ethernet type names that can be specified. vlan <VLAN ID>...
Page 372
qos (mac qos-flow-list) Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes nnnn.nnnn.nnnn ffff.ffff.ffff is entered as the source address and the destination address, is displayed. If a protocol name is set for the destination address or if the address of a protocol name that can be set is set, the protocol name is displayed.
qos-queue-group qos-queue-group Sets QoS queue list information for an interface (physical port). Input format To set information: qos-queue-group <QoS queue list name> To delete information: no qos-queue-group Input mode (config-if) Parameters <QoS queue list name> Specify the QoS queue list name. Default value when this parameter is omitted: This parameter cannot be omitted.
Page 374
qos-queue-group Related commands qos-queue-list interface fastethernet interface gigabitethernet...
qos-queue-list qos-queue-list Sets the scheduling mode for QoS queue list information. A maximum of 52 lists can be created for a Switch. Input format To set or change information: qos-queue-list <QoS queue list name> { pq | wrr [ <Packet1> <Packet2> <Packet3>...
Page 376
qos-queue-list Regardless of the queue length, the number of packets is controlled so that packets are distributed evenly. When <Packet> is set, weighted (number of packets) round robin is used. If there are packets in multiple queues, packets are sent according to the number of packets set for <Packet>...
Page 377
qos-queue-list Line speed Bandwidth Setting range Step value Item In kbit/s 1000 to 10000 100 k 64 to 960 64 k auto 64 kbit/s to 1 Gbit/s In Mbit/s 1 M to 1000 M Negotiation In kbit/s 1000 to 1000000 100 k 64 to 960 64 k...
Page 378
qos-queue-list If the line status is half duplex and WFQ is set, WFQ is not used for operation. Instead, PQ is used. If WFQ is set, there might be a maximum error of 10% between the set minimum bandwidth and the actual value. To use port bandwidth control and scheduling of QoS queue list information at the same time, set PQ as the scheduling mode.
remark remark Sets supplementary information for a QoS flow list. IPv4 QoS flow lists and MAC QoS flow lists are available as QoS flow lists. A maximum of 512 items can be set for a Switch. Input format To set or change information: remark <Remark>...
traffic-shape rate traffic-shape rate Sets the bandwidth by setting port bandwidth control for an interface (physical port) to limit the send bandwidth. Input format To set or change information: traffic-shape rate { <kbit/s> <Mbit/s> To delete information: no traffic-shape rate Input mode (config-if) Parameters...
Page 381
traffic-shape rate #1: 1 M = 1000 k. #2: Set values that are 1000 k or greater in 100 k increments (1000 k, 1100 k, 1200 k...10000000 k). #3: Set values that are less than 1000 k in 64 k increments (64 k, 128 k, 192 k...960 k). Default behavior The send bandwidth is not limited.
control-packet user-priority control-packet user-priority Sets the user priority in the VLAN tags of frames spontaneously sent by a Switch. If this command is not set or if information is deleted, 7 is used as the user priority of frames spontaneously sent. Input format To set or change information: control-packet user-priority { layer-2...
authentication arp-relay authentication arp-relay When the Layer 2 authentication functionality is used, set this command to output, to a non-authenticating port, ARP packets that an unauthenticated terminal sends to another device. This command can be used in the following authentication modes: ...
Page 385
authentication arp-relay depending on the authentication functionality. IEEE 802.1X port-based authentication (static) can be set for Ethernet interfaces and port channel interfaces. IEEE 802.1X port-based authentication (dynamic), Web authentication, and MAC-based authentication can be set only for Ethernet interfaces. Related commands dot1x system-auth-control dot1x port-control...
authentication force-authorized enable authentication force-authorized enable When the following state exists for all Layer 2 authentications, a terminal subject to authentication that requested authentication is forcibly changed to the authenticated state. The set RADIUS server does not respond when RADIUS authentication is specified. Input format To set information: authentication force-authorized enable...
Page 387
authentication force-authorized enable This functionality is not subject to legacy mode. Related commands aaa authentication dot1x default aaa authentication mac-authentication default aaa authentication web-authentication default dot1x port-control dot1x system-auth-control dot1x radius-server radius-server mac-authentication port mac-authentication system-auth-control mac-authentication radius-server web-authentication port web-authentication system-auth-control web-authentication radius-server...
authentication force-authorized vlan authentication force-authorized vlan In dynamic VLAN mode of Web authentication and MAC-based authentication, and port-based authentication (dynamic) for IEEE 802.1X authentication, set this command to allocate a post-authentication VLAN when forced authentication is performed on the applicable port. Input format To set or change information: <VLAN ID>...
authentication ip access-group authentication ip access-group When the Layer 2 authentication functionality is used, set this command to apply an IPv4 access list so that, of the IP packets that an unauthenticated terminal sends to another device, only the packets the list specifies are output to a non-authenticating port. This command can be used in the following authentication modes: ...
Page 391
authentication ip access-group Impact on communication Regardless of the configuration of this command, the following packets are able to pass through even before authentication. IP packets destined for the Web authentication IP address DHCP packets destined for the internal DHCP server used in Web authentication dynamic VLAN mode Other packets are handled according to the access list conditions set by using this command.
Correspondence between configuration commands and authentication modes Correspondence between configuration commands and authentication modes The following table describes IEEE 802.1X authentication modes in which IEEE 802.1X configuration commands can be set. Table 22-1 Configuration commands and IEEE 802.1X authentication modes IEEE 802.1X authentication modes Port-based authentication VLAN-based...
aaa accounting dot1x aaa accounting dot1x Sends IEEE 802.1X accounting information to the accounting server. Input format To set information: aaa accounting dot1x default start-stop group radius To delete information: no aaa accounting dot1x default Input mode (config) Parameters default Sets the default accounting method of a Switch.
aaa authentication dot1x aaa authentication dot1x Sets an IEEE 802.1X authentication method group. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set. Input format To set or change information: aaa authentication dot1x default <Method>...
Page 397
aaa authentication dot1x Default behavior None Impact on communication When the device default setting is changed, authentication of terminals that had been authenticated by the corresponding authentication functionality is canceled. When settings for the authentication method list are changed, authentication of terminals on ports specifying the corresponding authentication method list is canceled.
aaa authorization network default aaa authorization network default Set this command to perform VLAN-based authentication (dynamic) according to the VLAN information set by using an authentication method. Input format To set information: aaa authorization network default group radius To delete information: no aaa authorization network default Input mode (config)
dot1x authentication dot1x authentication Sets the name of an authentication method list for the port-based authentication method. Input format To set or change information: dot1x authentication <List name> To delete information: no dot1x authentication Input mode (config-if) Parameters <List name> Sets the authentication method list name set by using the aaa authentication command.
Page 400
dot1x authentication dot1x vlan dynamic radius-vlan web-authentication user-group web-authentication vlan mac-authentication interface mac-authentication vlan If the authentication method list name set by using this command does not match the authentication method list name set by using the aaa authentication dot1x command, the default settings of the Switch are used.
dot1x auto-logout dot1x auto-logout The no dot1x auto-logout command disables the setting to automatically cancel authentication when no frame is received from a terminal authenticated by IEEE 802.1X for a certain period of time. Input format To set information: no dot1x auto-logout To delete information: dot1x auto-logout Input mode...
dot1x force-authorized dot1x force-authorized When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
Page 403
dot1x force-authorized dot1x authentication Set commands for the same interface. The following accounting log data is collected when an authentication request is sent to the RADIUS server: No.=82 WARNING:SYSTEM: (<Additional information>) Failed to connect to RADIUS server. <Additional information>: IP You can use the show dot1x logging command to check the...
dot1x force-authorized eapol dot1x force-authorized eapol Sends the EAPOL-Success response packet from the Switch to the terminal to be authenticated, according to the IEEE 802.1X forced authentication settings, when the terminal's status has been forcibly changed to authentication authorized. Input format To set information: dot1x force-authorized eapol To delete information:...
dot1x force-authorized vlan dot1x force-authorized vlan When the RADIUS authentication method is used, this command forcibly changes the status of a terminal to authentication authorized and assigns an authenticated VLAN if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure. Input format To set or change information: dot1x force-authorized vlan...
Page 406
dot1x force-authorized vlan All the following configurations have been set: dot1x system-auth-control radius-server host dot1x radius-server host #1, #4 dot1x port-control auto aaa authorization network default dot1x vlan dynamic enable #2, #3 dot1x vlan dynamic radius-vlan vlan <VLAN ID> mac-based #2, #3, #4 switchport mac vlan...
dot1x ignore-eapol-start dot1x ignore-eapol-start Set this command so that the Switch does not issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant. Input format To set information: dot1x ignore-eapol-start To delete information: no dot1x ignore-eapol-start Input mode (config-if) Parameters None Default behavior None...
dot1x max-req dot1x max-req Sets the maximum number of EAP-Request retransmissions if the value exceeds the supp-timeout value. If the number of retransmissions exceeds this value, authentication is determined to have failed. Input format To set or change information: dot1x max-req <Counts>...
dot1x multiple-authentication dot1x multiple-authentication Sets the IEEE 802.1X authentication submode to terminal authentication mode. The command performs authentication processing for each terminal and the authentication result determines whether communication is possible. Accordingly, multiple terminals can be connected. If terminal authentication mode is set as the authentication submode, single mode is used as the submode.
Page 412
dot1x multiple-authentication When the dot1x multiple-authentication command has not been set (single mode) Communication is impossible as long as a terminal subject to authentication has not been authenticated successfully. When the dot1x multiple-authentication command has been set (terminal authentication mode) Regardless of the authentication status, if auto...
dot1x port-control dot1x port-control Sets the port-control status for an interface that has been set. Entry of this command also enables the IEEE 802.1X port-based authentication functionality. Input format To set or change information: dot1x port-control {auto | force-authorized | force-unauthorized} To delete information: no dot1x port-control Input mode...
Page 414
dot1x port-control Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable. When port-based authentication (static) is used, set the following commands for the same interface (these commands can be set for Ethernet interfaces and port channel interfaces): ...
dot1x radius-server dead-interval dot1x radius-server dead-interval Configures the timer for monitoring automatic restoration to the primary IEEE 802.1X authentication RADIUS server from the IEEE 802.1X authentication RADIUS server. The primary IEEE 802.1X authentication RADIUS server is restored when either of the following occurs: The current server (the destination for RADIUS authentication requests in operation) switches to a valid secondary IEEE 802.1X authentication RADIUS server, or when all servers are disabled, the monitoring timer starts and the period of time set by this...
Page 416
dot1x radius-server dead-interval When the change is applied The change is applied immediately after setting values are changed. If the secondary IEEE 802.1X authentication RADIUS server is operating as the current server, and if the value of the monitoring timer is changed, the progress to that time is used as the judgment value and the result is applied.
dot1x radius-server host dot1x radius-server host Configures the general RADIUS server used for IEEE 802.1X. Input format To set or change information: dot1x radius-server host <IP address> [auth-port <Port> ] [acct-port <Port> ] [timeout <Seconds> ] [retransmit <Retries> ] [key <String>...
Page 418
dot1x radius-server host retransmit <Retries> Sets the number of times an authentication request is resent to the RADIUS server. Default value when this parameter is omitted: The number of times set by using the radius-server retransmit command is used. If no value is set, the initial value is 3. Range of values: 0 to 15 (times) <String>...
Page 419
dot1x radius-server host RADIUS server is disabled. If multiple IEEE 802.1X authentication RADIUS servers are configured, the address displayed first by using the show radius-server operation command is the address of the primary general RADIUS server. The primary IEEE 802.1X authentication RADIUS server is used as the initial current server (the destination for RADIUS authentication requests during operation).
dot1x reauthentication dot1x reauthentication After a successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent at the interval set by using the dot1x timeout reauth-period command to a supplicant as a prompt for supplicant re-authentication.
dot1x supplicant-detection dot1x supplicant-detection Sets the behavior when a new terminal is detected after the terminal authentication mode has been set to an authentication submode. Input format To set or change information: dot1x supplicant-detection {disable | shortcut | auto} To delete information: no dot1x supplicant-detection Input mode (config-if)
Page 422
dot1x supplicant-detection Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable.
dot1x system-auth-control dot1x system-auth-control Enables IEEE 802.1X. Input format To set information: dot1x system-auth-control To delete information: no dot1x system-auth-control Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable.
dot1x timeout keep-unauth dot1x timeout keep-unauth Sets the period of time (in seconds) for maintaining the communication-disabled state of the interface if two or more terminals are connected to an interface on which the single-mode authentication submode is set. After the time set by using this command elapses, an authenticated terminal must be re-authenticated.
dot1x timeout quiet-period dot1x timeout quiet-period Sets the period of time (in seconds) for maintaining the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication processing is performed.
dot1x timeout reauth-period dot1x timeout reauth-period Sets the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using this command as a prompt for supplicant re-authentication.
Page 428
dot1x timeout reauth-period The dot1x timeout reauth-period command takes effect only if re-authentication has been set by using the dot1x reauthentication command. For the parameter, set a value greater than the value set by using the dot1x timeout tx-period command. Related commands dot1x timeout tx-period dot1x reauthentication dot1x system-auth-control...
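An added example, not part of the manual or the vendor's software: a small Python audit that applies the notes above to a switch configuration, flagging the forced-authentication commands that authorize terminals when RADIUS does not respond, ports set to force-authorized, disabled auto-logout, and reauth-period settings that have no effect or are not greater than tx-period. The sample configuration, the interface numbering and the finding codes are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the manual). Interface numbering
# ("0/1") and timer values are assumptions made for this illustration.
SAMPLE_CONFIG = """\
dot1x system-auth-control
authentication force-authorized enable
!
interface fastethernet 0/1
  dot1x port-control auto
  dot1x reauthentication
  dot1x timeout reauth-period 20
  dot1x timeout tx-period 30
!
interface fastethernet 0/2
  dot1x port-control force-authorized
!
interface fastethernet 0/3
  dot1x port-control auto
  dot1x force-authorized
  no dot1x auto-logout
  dot1x timeout reauth-period 3600
!
interface fastethernet 0/4
  dot1x port-control auto
  dot1x reauthentication
  dot1x timeout reauth-period 3600
  dot1x timeout tx-period 30
"""


def parse_config(text):
    """Split a configuration into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                      # section separator
            current = None
        elif line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif current is not None and raw[:1].isspace():
            interfaces[current].append(line)
        else:                                # unindented line: global mode
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def timer(lines, name):
    """Return the explicitly set 'dot1x timeout <name>' value, or None."""
    for line in lines:
        m = re.fullmatch(rf"dot1x timeout {name} (\d+)", line)
        if m:
            return int(m.group(1))
    return None


def audit(text):
    """Return (scope, code, message) findings for 802.1X settings."""
    global_lines, interfaces = parse_config(text)
    findings = []
    uses_dot1x = any(l.startswith("dot1x ")
                     for ls in interfaces.values() for l in ls)
    if uses_dot1x and "dot1x system-auth-control" not in global_lines:
        findings.append(("global", "DOT1X-DISABLED",
                         "dot1x settings exist but dot1x system-auth-control is not set"))
    if "authentication force-authorized enable" in global_lines:
        findings.append(("global", "FAIL-OPEN",
                         "terminals are forcibly authenticated when RADIUS does not respond"))
    for name, lines in interfaces.items():
        if "dot1x port-control force-authorized" in lines:
            findings.append((name, "NO-AUTH",
                             "port is always authorized; no 802.1X authentication"))
        if any(l == "dot1x force-authorized"
               or l.startswith("dot1x force-authorized vlan") for l in lines):
            findings.append((name, "FAIL-OPEN",
                             "terminals are authorized if the RADIUS request fails"))
        reauth, tx = timer(lines, "reauth-period"), timer(lines, "tx-period")
        if reauth is not None and "dot1x reauthentication" not in lines:
            findings.append((name, "REAUTH-INERT",
                             "reauth-period has no effect without dot1x reauthentication"))
        # Only compared when both are set explicitly; defaults are not assumed.
        if reauth is not None and tx is not None and reauth <= tx:
            findings.append((name, "REAUTH-LE-TX",
                             "reauth-period must be greater than tx-period"))
        if "no dot1x auto-logout" in lines:
            findings.append((name, "NO-AUTO-LOGOUT",
                             "authentication is not cancelled for silent terminals"))
    return findings


if __name__ == "__main__":
    for scope, code, message in audit(SAMPLE_CONFIG):
        print(f"{scope:20} {code:15} {message}")
```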
dot1x timeout server-timeout dot1x timeout server-timeout Sets the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server. Input format To set or change information: dot1x timeout server-timeout <Seconds> To delete information: no dot1x timeout server-timeout Input mode (config-if)
dot1x timeout supp-timeout dot1x timeout supp-timeout Sets the time (in seconds) to wait for a response from a supplicant for an EAP-Request packet sent to a supplicant. If no response is received, the EAP-Request packet is retransmitted. Input format To set or change information: dot1x timeout supp-timeout <Seconds>...
dot1x timeout tx-period dot1x timeout tx-period Sets the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X is valid. Input format To set or change information: dot1x timeout tx-period <Seconds> To delete information: no dot1x timeout tx-period Input mode (config-if) Parameters <Seconds>...
dot1x vlan dynamic enable dot1x vlan dynamic enable Enables IEEE 802.1X VLAN-based authentication (dynamic). Input format To set information: dot1x vlan dynamic enable To delete information: no dot1x vlan dynamic enable Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
dot1x vlan dynamic ignore-eapol-start dot1x vlan dynamic ignore-eapol-start Set this command so that the Switch does not issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant. Input format To set information: dot1x vlan dynamic ignore-eapol-start To delete information: no dot1x vlan dynamic ignore-eapol-start Input mode (config) Parameters...
dot1x vlan dynamic max-req dot1x vlan dynamic max-req Sets the maximum number of EAP-Request retransmissions if the value exceeds the supp-timeout value. If the number of retransmissions exceeds this value, authentication is determined to have failed. Input format To set or change information: dot1x vlan dynamic max-req <Counts>...
dot1x vlan dynamic radius-vlan dot1x vlan dynamic radius-vlan Sets VLANs to allow dynamic VLAN allocation according to VLAN information sent from the RADIUS server during IEEE 802.1X authentication. Input format To set information: dot1x vlan dynamic radius-vlan <VLAN ID list> To change information: dot1x vlan dynamic radius-vlan { <VLAN ID list>...
Page 440
dot1x vlan dynamic radius-vlan Specifiable values for parameters. Note that the default VLAN (VLAN ID = 1) cannot be set by using this command. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control...
dot1x vlan dynamic reauthentication dot1x vlan dynamic reauthentication After a successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using the dot1x vlan dynamic timeout reauth-period command as a prompt for supplicant re-authentication.
dot1x vlan dynamic supplicant-detection dot1x vlan dynamic supplicant-detection Sets the behavior when a new terminal is detected. Input format To set or change information: dot1x vlan dynamic supplicant-detection {disable | shortcut} To delete information: no dot1x vlan dynamic supplicant-detection Input mode (config) Parameters {disable | shortcut}...
Page 443
dot1x vlan dynamic supplicant-detection Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable. This command takes effect only if the dot1x vlan dynamic enable command has been set.
dot1x vlan dynamic timeout quiet-period dot1x vlan dynamic timeout quiet-period Sets the period of time (in seconds) for maintaining the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication processing is performed.
dot1x vlan dynamic timeout reauth-period dot1x vlan dynamic timeout reauth-period Sets the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using this command as a prompt for supplicant re-authentication.
dot1x vlan dynamic timeout reauth-period This command takes effect only if re-authentication has been set by using the dot1x vlan dynamic reauthentication command. For the parameter, set a value greater than the value set by using the dot1x vlan dynamic timeout tx-period command.
dot1x vlan dynamic timeout server-timeout dot1x vlan dynamic timeout server-timeout Sets the time (in seconds) to wait for a response includes the time required for retransmitting a response to an authentication server. Input format To set or change information: dot1x vlan dynamic timeout server-timeout <Seconds>...
dot1x vlan dynamic timeout supp-timeout dot1x vlan dynamic timeout supp-timeout Sets the time (in seconds) to wait for a response from a supplicant for an EAP-Request packet sent to a supplicant. If no response is received, the EAP-Request packet is retransmitted.
dot1x vlan dynamic timeout tx-period dot1x vlan dynamic timeout tx-period Sets the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X authentication is valid. Input format To set or change information: dot1x vlan dynamic timeout tx-period <Seconds> To delete information: no dot1x vlan dynamic timeout tx-period Input mode (config)
Correspondence between configuration commands and authentication modes The following table describes Web authentication modes in which Web authentication configuration commands can be set. Table 23-1 Configuration commands and Web authentication modes Web authentication modes Command name aaa accounting web-authentication aaa authentication web-authentication authentication arp-relay authentication ip access-group web-authentication authentication...
Correspondence between configuration commands and authentication modes L: Legacy mode Y: The command operates according to the settings. --: The command can be entered, but it will have no effect. N: The command cannot be entered. For details about command input formats, see 21 Common to Layer 2 Authentication. The specification of this command affects the switching of authentication modes.
aaa accounting web-authentication aaa accounting web-authentication Sends accounting information for Web authentication to the accounting server. Input format To set information: aaa accounting web-authentication default start-stop group radius To delete information: no aaa accounting web-authentication default Input mode (config) Parameters default Sets the default accounting method of a Switch.
aaa authentication web-authentication aaa authentication web-authentication Sets an authentication method group for Web authentication. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set. Input format To set or change information: aaa authentication web-authentication default <Method>...
Page 460
aaa authentication web-authentication Specify a character string that is no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters. Default behavior User authentication is performed by using the internal Web authentication database instead of using the RADIUS server.
web-authentication authentication web-authentication authentication Sets the name of an authentication method list for the port-based authentication method. Input format To set or change information: web-authentication authentication <List name> To delete information: no web-authentication authentication Input mode (config-if) Parameters <List name> Specify the authentication method list name set by using the aaa authentication command.
Page 462
web-authentication authentication dot1x vlan dynamic radius-vlan web-authentication user-group web-authentication vlan mac-authentication interface mac-authentication vlan If the name of the authentication method list set by using the web-authentication authentication command does not match the name of the authentication method list set by using the aaa authentication web-authentication command, the...
web-authentication auto-logout web-authentication auto-logout The no web-authentication auto-logout command disables automatic authentication logout, which is performed when no frames have been received from a terminal authenticated via Web authentication for a certain period of time. Input format To set information: no web-authentication auto-logout...
web-authentication force-authorized vlan web-authentication force-authorized vlan When the RADIUS authentication method is used, this command forcibly changes the status of a terminal to authentication authorized and assigns an authenticated VLAN if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure. Input format To set or change information: web-authentication force-authorized vlan...
Page 465
web-authentication force-authorized vlan See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable. Set a VLAN ID for which mac-based (MAC VLAN) has been set in the vlan command. Be especially careful when using this functionality, as it might pose a security problem.
Page 466
web-authentication force-authorized vlan If either of the following commands has already been set, this command cannot be set: authentication force-authorized enable authentication force-authorized vlan Related commands aaa authentication web-authentication radius-server host web-authentication radius-server host switchport mac switchport mode vlan web-authentication port web-authentication system-auth-control...
web-authentication html-fileset web-authentication html-fileset Sets a custom file name for the Web authentication page displayed for each port. Input format To set or change information: web-authentication html-fileset <Name> To delete information: no web-authentication html-fileset Input mode (config-if) Parameters <Name> Specify the custom file set name registered on the Switch by using the operation command.
Page 468
web-authentication html-fileset Related commands web-authentication port web-authentication system-auth-control...
web-authentication ip address web-authentication ip address Configure an IP address and a domain name to be used exclusively for Web authentication. Setting a dedicated IP address by using this command allows you to log in from and log out from an authenticated terminal by using the same IP address on the Switch. Input format To set or change information: web-authentication ip address...
Page 470
web-authentication ip address Notes All Web authentication settings take effect when the web-authentication system-auth-control command is set. See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable. If extended-authentication was not set when the system function command was set, this command cannot be set.
web-authentication jump-url web-authentication jump-url Configures a URL to be automatically displayed after the Authentication Success page is displayed and the time required before jumping to the URL. Input format To set or change information: web-authentication jump-url <URL> [delay <Seconds>] To delete information: no web-authentication jump-url Input mode (config)
Page 472
web-authentication jump-url Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All Web authentication settings take effect when the web-authentication system-auth-control command is set. See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable.
web-authentication logout ping tos-windows web-authentication logout ping tos-windows Sets the TOS value of a special frame used to log out from an authenticated terminal. Input format To set or change information: web-authentication logout ping tos-windows <TOS> To delete information: no web-authentication logout ping tos-windows Input mode (config) Parameters...
web-authentication logout ping ttl web-authentication logout ping ttl Sets the TTL value of a special frame used to log out from an authenticated terminal. Input format To set or change information: web-authentication logout ping ttl <TTL> To delete information: no web-authentication logout ping ttl Input mode (config) Parameters...
web-authentication logout polling count web-authentication logout polling count Specifies the number of times a Switch retransmits the monitoring packet when there is no response to a monitoring frame that periodically checks a connection status of authenticated terminals. Input format To set or change information: web-authentication logout polling count <Count>...
Page 478
web-authentication logout polling count If the number of retransmissions when a no-response state is detected is set to the maximum, the number of monitoring frames increases proportionately with the number of authenticated users, overloading the Switch. Set the polling interval by using the following formula as a guide: Polling condition: (1) Polling interval >...
web-authentication logout polling enable web-authentication logout polling enable The no web-authentication logout polling enable command disables the auto logout functionality executed when periodic connection monitoring detects that an authenticated terminal is not connected. Input format To set information: no web-authentication logout polling enable To delete information: web-authentication logout polling enable Input mode...
Page 480
web-authentication logout polling enable If the link for a monitored terminal goes down before periodic monitoring by the functionality that monitors the connection of authenticated terminals arrives, the Switch stops monitoring the terminal and logs it out due to its link-down state. When the specified maximum connection time (set by using the web-authentication max-timer command) expires, the Switch stops monitoring...
web-authentication logout polling interval web-authentication logout polling interval Specifies the polling interval of a monitoring frame that periodically monitors the connection status of an authenticated terminal. Input format To set or change information: web-authentication logout polling interval <Seconds> To delete information: no web-authentication logout polling interval Input mode (config)
Page 482
web-authentication logout polling interval The polling interval is the time between the receipt of ARP Reply from a target authenticated terminal and the next polling monitoring. If the number of retransmissions when a no-response state is detected is set to the maximum, the number of monitoring frames increases proportionately with the number of authenticated users, overloading the Switch.
web-authentication logout polling retry-interval web-authentication logout polling retry-interval Sets the interval between retransmissions of monitoring frames that periodically monitor the connection status of authenticated terminals when a no-response state is detected. Input format To set or change information: web-authentication logout polling retry-interval <Seconds>...
Page 484
web-authentication logout polling retry-interval number of authenticated users, overloading the Switch. Set the polling interval by using the following formula as a guide: Polling condition: (1) Polling interval > (2) Retransmission interval x (3) Number of retransmissions (1): web-authentication logout polling interval (2): web-authentication logout polling retry-interval (3):...
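The timer relationships stated in this reference (the polling condition above, and the rule that reauth-period must be greater than tx-period in dynamic VLAN mode) can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the manual or the Switch software; the sample configurations and their values are constructed, and because default values are not given in this excerpt, a check is reported as UNKNOWN unless every value involved is set explicitly.

```python
import re

# Commands with a numeric argument, spelled as in this reference.
TIMERS = {
    "web-authentication logout polling interval": "poll_interval",
    "web-authentication logout polling retry-interval": "poll_retry",
    "web-authentication logout polling count": "poll_count",
    "dot1x vlan dynamic timeout reauth-period": "reauth_period",
    "dot1x vlan dynamic timeout tx-period": "tx_period",
}
# Commands that act as on/off switches.
FLAGS = {
    "dot1x vlan dynamic reauthentication": "reauth_enabled",
    "web-authentication logout polling enable": "polling_enabled",
}


def parse_config(text):
    """Collect explicitly configured values; an absent key means the device default applies."""
    state = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        negated = line.startswith("no ")
        body = line[3:] if negated else line
        for cmd, key in TIMERS.items():
            m = re.fullmatch(re.escape(cmd) + r"(?: (\d+))?", body)
            if not m:
                continue
            if negated:
                state.pop(key, None)       # "no ..." deletes the setting
            elif m.group(1):
                state[key] = int(m.group(1))
        for cmd, key in FLAGS.items():
            if body == cmd:
                state[key] = not negated
    return state


def audit(state):
    """Return {check: (status, detail)} with status OK, FAIL, UNKNOWN or SKIPPED."""
    results = {}
    # Polling condition: interval > retry-interval x count.
    # Polling is enabled unless the "no ... polling enable" form is present.
    if not state.get("polling_enabled", True):
        results["polling"] = ("SKIPPED", "connection polling is disabled")
    else:
        keys = ("poll_interval", "poll_retry", "poll_count")
        missing = [k for k in keys if k not in state]
        if missing:
            results["polling"] = ("UNKNOWN", "device default in use for: " + ", ".join(missing))
        else:
            budget = state["poll_retry"] * state["poll_count"]
            status = "OK" if state["poll_interval"] > budget else "FAIL"
            results["polling"] = (status, f"interval {state['poll_interval']}s, retry budget {budget}s")
    # reauth-period only takes effect when re-authentication has been set.
    if not state.get("reauth_enabled", False):
        results["reauth"] = ("SKIPPED", "re-authentication not set")
    elif "reauth_period" not in state or "tx_period" not in state:
        results["reauth"] = ("UNKNOWN", "reauth-period or tx-period left at device default")
    else:
        status = "OK" if state["reauth_period"] > state["tx_period"] else "FAIL"
        results["reauth"] = (status, f"reauth-period {state['reauth_period']}s, tx-period {state['tx_period']}s")
    return results


# Constructed sample configurations (values are illustrative only).
SAMPLE_GOOD = """
dot1x vlan dynamic reauthentication
dot1x vlan dynamic timeout tx-period 30
dot1x vlan dynamic timeout reauth-period 3600
web-authentication logout polling interval 300
web-authentication logout polling retry-interval 1
web-authentication logout polling count 3
"""
SAMPLE_BAD = """
dot1x vlan dynamic reauthentication
dot1x vlan dynamic timeout tx-period 30
dot1x vlan dynamic timeout reauth-period 20
web-authentication logout polling interval 60
web-authentication logout polling retry-interval 10
web-authentication logout polling count 10
"""
SAMPLE_PARTIAL = """
web-authentication logout polling interval 300
web-authentication logout polling count 3
no web-authentication logout polling interval
"""

if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("partial", SAMPLE_PARTIAL)):
        for check, (status, detail) in audit(parse_config(cfg)).items():
            print(f"{name:8} {check:8} {status:8} {detail}")
```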
web-authentication max-timer web-authentication max-timer Sets the maximum connection time. Input format To set or change information: web-authentication max-timer {<Minutes> | infinity} To delete information: no web-authentication max-timer Input mode (config) Parameters {<Minutes> | infinity} Sets the maximum time (in minutes) that an authenticated user is allowed to be connected.
web-authentication max-user web-authentication max-user Sets the maximum number of users that can be authenticated on a Switch. Input format To set or change information: web-authentication max-user <Count> To delete information: no web-authentication max-user Input mode (config) Parameters <Count> Sets the maximum number of users that can be authenticated on a Switch on which user authentication is performed.
Page 488
web-authentication max-user no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
web-authentication max-user (interface) web-authentication max-user (interface) Sets the maximum number of users that can be authenticated on the applicable port. Input format To set or change information: web-authentication max-user <Count> To delete information: no web-authentication max-user Input mode (config-if) Parameters <Count>...
Page 490
web-authentication max-user (interface) no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
web-authentication port web-authentication port Sets the authentication mode for ports. Input format To set information: web-authentication port To delete information: no web-authentication port Input mode (config-if) Parameters None Default behavior When Web authentication is valid, the port operates in legacy mode. Impact on communication None When the change is applied...
web-authentication radius-server dead-interval web-authentication radius-server dead-interval Configures the timer for monitoring automatic restoration to the primary Web authentication RADIUS server from the Web authentication RADIUS server. The primary Web authentication RADIUS server is restored when either of the following occurs: The current server (the destination for RADIUS authentication requests in operation) switches to a valid secondary Web authentication RADIUS server, or when all servers are disabled, the monitoring timer starts, and the period of time set by this command elapses (when the monitoring timer expires).
Page 493
web-authentication radius-server dead-interval Notes All Web authentication settings take effect when the web-authentication system-auth-control command is set. See Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable. If three or more Web authentication RADIUS servers are configured and another Web authentication RADIUS server becomes the current server after the monitoring timer starts, the monitoring timer is not reset and continues to run.
web-authentication radius-server host web-authentication radius-server host Configures the RADIUS server used for Web authentication. Input format To set or change information: web-authentication radius-server host <IP address> [auth-port <Port>] [acct-port <Port>] [timeout <Seconds>] [retransmit <Retries>] [key <String>] To delete information: no web-authentication radius-server host <IP address>...
Page 495
web-authentication radius-server host 1 to 30 (seconds) retransmit <Retries> Sets the number of times an authentication request is resent to the RADIUS server. Default value when this parameter is omitted: The number of times set by using the command radius-server retransmit is used.
Page 496
web-authentication radius-server host If the parameter is omitted and the radius-server key command is not set, the RADIUS server is disabled. If multiple Web authentication RADIUS servers are configured, the address displayed first by using the show radius-server operation command is the address of the primary Web authentication RADIUS server.
web-authentication redirect-mode web-authentication redirect-mode Sets a protocol to display the Web authentication Login page when the URL redirect functionality is enabled. Input format To set or change information: web-authentication redirect-mode {http | https} To delete information: no web-authentication redirect-mode Input mode (config) Parameters { http | https }...
Page 498
web-authentication redirect-mode web-authentication port web-authentication redirect enable...
web-authentication redirect enable web-authentication redirect enable The no web-authentication redirect enable command disables the URL redirect functionality. Input format To set information: no web-authentication redirect enable To delete information: web-authentication redirect enable Input mode (config) Parameters None Default behavior The URL redirect functionality is enabled. Impact on communication After the no web-authentication redirect enable...
web-authentication redirect tcp-port web-authentication redirect tcp-port When the URL redirect functionality is enabled, this command sets an additional TCP destination port number for a frame subject to URL redirect on a Switch. Usually, a port number can be added to the standard port number assigned for http (80). Input format To set or change information: web-authentication redirect tcp-port...
Page 501
web-authentication redirect tcp-port A port number that causes the https protocol to be subject to redirection cannot be added by using this command. This command performs the same operation performed by the web-authentication web-port command. If different port numbers are specified for these two commands, each specification becomes valid.
web-authentication roaming web-authentication roaming Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring. Input format To set or change information: web-authentication roaming [action trap] To delete information: no web-authentication roaming Input mode...
Page 503
web-authentication roaming When private traps are issued, use the snmp-server host command to set the destination IP address for traps and web-authentication Related commands web-authentication system-auth-control web-authentication port snmp-server host...
web-authentication static-vlan force-authorized web-authentication static-vlan force-authorized When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
Page 505
web-authentication static-vlan force-authorized web-authentication port web-authentication static-vlan force-authorized web-authentication system-auth-control aaa authentication web-authentication web-authentication authentication Specify the same Ethernet port. The following accounting log data is collected when an authentication request is sent to the RADIUS server: No=21: NOTICE:LOGIN: <Additional information> Login failed ;...
web-authentication static-vlan max-user web-authentication static-vlan max-user Sets the maximum number of users that can be authenticated on a Switch. Input format To set or change information: web-authentication static-vlan max-user <Count> To delete information: no web-authentication static-vlan max-user Input mode (config) Parameters <Count>...
Page 507
web-authentication static-vlan max-user no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
web-authentication static-vlan max-user (interface) web-authentication static-vlan max-user (interface) Sets the maximum number of users that can be authenticated on the applicable port. Input format To set or change information: web-authentication static-vlan max-user <Count> To delete information: no web-authentication static-vlan max-user Input mode (config-if) Parameters...
Page 509
web-authentication static-vlan max-user (interface) no more new users can be authenticated on that Switch. If the maximum number of users that can be authenticated is changed so that it is less than the number of users currently authenticated, communication by the current authenticated users can continue, but new users cannot be authenticated.
web-authentication static-vlan roaming web-authentication static-vlan roaming Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring. Input format To set or change information: web-authentication static-vlan roaming [action trap] To delete information: no web-authentication static-vlan roaming...
Page 511
web-authentication static-vlan roaming When private traps are issued, use the snmp-server host command to set the destination IP address for traps and web-authentication Related commands web-authentication system-auth-control web-authentication port snmp-server host...
web-authentication system-auth-control web-authentication system-auth-control Enables Web authentication. Note that if the no web-authentication system-auth-control command is executed, Web authentication stops. Input format To set information: web-authentication system-auth-control To delete information: no web-authentication system-auth-control Input mode (config) Parameters None Default behavior Web authentication is not performed.
web-authentication user-group web-authentication user-group Enables the user ID-based authentication method. To handle IDs in the form <User ID>@<Authentication method list name>, use the at mark (@) to separate the entered user IDs. Input format To set information: web-authentication user-group To delete information: no web-authentication user-group...
Page 514
web-authentication user-group If the authentication method list name separated from entered user IDs does not match the authentication method list name set by using the aaa authentication web-authentication command, the default settings of the Switch are used. Related commands aaa authentication web-authentication web-authentication system-auth-control web-authentication port...
web-authentication user replacement web-authentication user replacement Enables the switch-user option. Enables authentication with a different user ID after successful authentication with the first user ID when several user IDs are used for a terminal. Input format To set information: web-authentication user replacement To delete information: no web-authentication user replacement Input mode...
web-authentication vlan web-authentication vlan Sets the VLAN ID to dynamically switch after user authentication. Unless this command is set, no VLANs can be switched after authentication. Input format To set or change information: web-authentication vlan <VLAN ID list> To delete information: no web-authentication vlan <VLAN ID list>...
web-authentication web-port web-authentication web-port When the URL redirect functionality is enabled, this command sets an additional TCP destination port number for a frame subject to URL redirect on a Switch. Usually, one port number each can be added to the port number assigned for http (80) and for https (443).
Page 519
web-authentication web-port is one each for the http and https parameters. This command performs the same operation performed by the web-authentication redirect tcp-port command. If different port numbers are specified for these two commands, each specification becomes valid. How the commands are handled if the same port number is specified is described in the following table.
default-router default-router Sets the router option that is distributed to clients. A router option is an IP address the client can use as a router IP address over the subnet (default router). Input format To set or change information: default-router <IP address>...
dns-server dns-server Sets the domain name server option that is distributed to clients. The domain name server option is the IP address of a DNS server that a client can use. Input format To set or change information: dns-server <IP address> <IP address>...
ip dhcp excluded-address ip dhcp excluded-address Sets a range of IP addresses that are to be excluded from distribution in the IP address pool specified by using the network command. Input format To set or change information: ip dhcp excluded-address <Low address>...
ip dhcp pool ip dhcp pool Configures DHCP address pool information. Input format To set or change information: ip dhcp pool <Pool name> To delete information: no ip dhcp pool <Pool name> Input mode (config) Parameters <Pool name> Specify the name of the DHCP address pool. Default value when this parameter is omitted: This parameter cannot be omitted.
lease lease Sets the default lease time of the IP addresses distributed to clients. Input format To set or change information: lease {<Time day> [<Time hour> [<Time min> [<Time sec>]]] | infinite} To delete information: no lease Input mode (dhcp-config) Parameters <Time day>...
Page 525
lease Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If a value exceeding the maximum lease time ( max-lease ) is set as the lease time, the maximum lease time has precedence. The shorter the lease time set, the more frequently a client updates the lease.
max-lease max-lease Sets the maximum allowable lease time when a client specifies the lease time and requests an IP address. Input format To set or change information: max-lease {<Time day> [<Time hour> [<Time min> [<Time sec>]]] | infinite} To delete information: no max-lease Input mode...
Page 527
max-lease Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes The shorter the lease time set, the more frequently a client updates the lease. Therefore, do not specify an extremely short lease time except for a very limited usage such as a temporary IP address.
network network Sets the subnet of the network in which IP addresses are dynamically distributed via DHCP. Only the subnets whose host bits in the IP address host part are all 0s or 1s are actually registered in the DHCP address pool. Input format To set or change information: network...
Page 529
network Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When this command is set, all IP addresses excluding those in which the bits in the host part of the target subnet are all 1s or all 0s are secured as the IP address pool.
service dhcp service dhcp Sets the interface on which a DHCP server is enabled. Only the interface specified by using this command receives DHCP packets. Input format To set or change information: service dhcp vlan <VLAN ID> To delete information: no service dhcp vlan <VLAN ID>...
Correspondence between configuration commands and authentication modes Correspondence between configuration commands and authentication modes The following table describes MAC-based authentication modes in which MAC-based authentication configuration commands can be set. Table 24-1 Configuration commands and MAC-based authentication modes MAC-based authentication modes Command name aaa accounting mac-authentication aaa authentication mac-authentication...
Page 533
Correspondence between configuration commands and authentication modes MAC-based authentication modes Command name mac-authentication static-vlan max-user (interface) mac-authentication static-vlan roaming mac-authentication system-auth-control mac-authentication timeout quiet-period mac-authentication timeout reauth-period mac-authentication vlan mac-authentication vlan-check Legend F: Fixed VLAN mode D: Dynamic VLAN mode L: Legacy mode Y: The command operates according to the settings.
aaa accounting mac-authentication aaa accounting mac-authentication Sends accounting information for MAC-based authentication to an accounting server. Input format To set information: aaa accounting mac-authentication default start-stop group radius To delete information: no aaa accounting mac-authentication default Input mode (config) Parameters default Sets the default accounting method of a Switch.
aaa authentication mac-authentication aaa authentication mac-authentication Sets an authentication method group for MAC-based authentication. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set. Input format To set or change information: aaa authentication mac-authentication default <Method>...
Page 536
aaa authentication mac-authentication Specify a character string that is no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters. Default behavior Authentication is performed by using the internal MAC-based authentication database instead of using the RADIUS server.
mac-authentication access-group mac-authentication access-group By applying the MAC access list to MAC-based authentication ports, sets whether terminals are to be authenticated or not by using MAC addresses. Input format To set or change information: mac-authentication access-group <ACL ID> To delete information: no mac-authentication access-group Input mode (config)
Page 538
mac-authentication access-group Related commands mac-authentication system-auth-control mac access-list extended...
mac-authentication authentication mac-authentication authentication Sets the name of an authentication method list for the port-based authentication method. Input format To set or change information: mac-authentication authentication <List name> To delete information: no mac-authentication authentication Input mode (config-if) Parameters <List name> Sets the authentication method list name set by using the aaa authentication command.
Page 540
mac-authentication authentication dot1x vlan dynamic radius-vlan web-authentication user-group web-authentication vlan mac-authentication interface mac-authentication vlan If the authentication method list name set by using this command does not match the authentication method list name set by using the aaa authentication mac-authentication command, the default settings of the Switch are used.
mac-authentication auto-logout mac-authentication auto-logout The no mac-authentication auto-logout command disables automatic cancellation of authentication if no frames are received from a terminal authenticated by MAC-based authentication for a certain period of time. Setting delay-time changes the time, but the actual operation varies according to the authentication mode.
Page 542
mac-authentication auto-logout Default value when this parameter is omitted: After an aging timeout, authentication is not canceled for 3600 seconds. Range of values: 0, 60 to 86400 Default behavior Fixed VLAN mode, dynamic VLAN mode After authentication in either of these authentication modes, if no frames are received from a terminal for the applicable MAC-based authentication entry when 3600 seconds has passed, the applicable MAC-based authentication entry is deleted from the MAC table automatically and authentication is canceled.
mac-authentication force-authorized vlan mac-authentication force-authorized vlan When the RADIUS authentication method is used, this command forcibly changes the status of a terminal to authentication authorized and assigns an authenticated VLAN if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure. Input format To set or change information: mac-authentication force-authorized vlan...
Page 544
mac-authentication force-authorized vlan See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable. Set a VLAN ID for which mac-based (MAC VLAN) has been set in the vlan command. Be especially careful when using this functionality, as it can pose a security problem. This command is enabled when the following condition exists: ...
Page 545
mac-authentication force-authorized vlan Before issuing private traps, you must use the snmp-server host command to set the destination IP address for traps and mac-authentication If either of the following commands has already been set, this command cannot be set: authentication force-authorized enable ...
mac-authentication id-format
When RADIUS authentication is used, this command specifies the MAC address format for authentication requests sent to the RADIUS server.
Input format
To set or change information: mac-authentication id-format <Type> [capitals]
To delete information: no mac-authentication id-format
Input mode: (config)
Parameters
<Type>...
Page 547
mac-authentication id-format
When the change is applied
The change is applied immediately after setting values are changed.
Notes
All MAC-based authentication settings take effect when the mac-authentication system-auth-control command is set.
See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable.
mac-authentication max-timer
Sets the maximum connection time.
Input format
To set or change information: mac-authentication max-timer {<Minutes> | infinity}
To delete information: no mac-authentication max-timer
Input mode: (config)
Parameters
{<Minutes> | infinity}: Sets the maximum time (in minutes) an authenticated terminal is allowed to be connected.
Page 551
mac-authentication max-timer Related commands mac-authentication system-auth-control...
mac-authentication max-user
Sets the maximum number of terminals that can be authenticated on a Switch.
Input format
To set or change information: mac-authentication max-user <Count>
To delete information: no mac-authentication max-user
Input mode: (config)
Parameters
<Count>: Sets the maximum number of terminals that can be authenticated on a Switch.
Default value when this parameter is omitted: This parameter cannot be omitted.
Page 553
mac-authentication max-user Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated. If the port to which an authenticated terminal is connected is moved, the number of actually connected terminals might be different from the number of authenticated terminals.
mac-authentication max-user (interface)
Sets the maximum number of terminals that can be authenticated on the applicable port.
Input format
To set or change information: mac-authentication max-user <Count>
To delete information: no mac-authentication max-user
Input mode: (config-if)
Parameters
<Count>...
Page 555
mac-authentication max-user (interface) authenticated on the applicable port. If the number of authenticated terminals reaches the maximum number for a Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated.
mac-authentication password
When the RADIUS authentication method is used, this command sets the password used for sending authentication requests to the RADIUS server.
Input format
To set or change information: mac-authentication password <Password>
To delete information: no mac-authentication password
Input mode: (config)
Parameters...
mac-authentication port
Sets the authentication mode for ports.
Input format
To set information: mac-authentication port
To delete information: no mac-authentication port
Input mode: (config-if)
Parameters: None
Default behavior
When MAC-based authentication is valid, the port operates in legacy mode.
Impact on communication
If a port subject to authentication is deleted by using this command, authentication is canceled on all applicable ports.
mac-authentication radius-server dead-interval
Configures the timer for monitoring automatic restoration to the primary MAC-based authentication RADIUS server from the MAC-based authentication RADIUS server. The primary MAC-based authentication RADIUS server is restored when either of the following occurs: The current server (the destination for RADIUS authentication requests in operation) switches to a valid secondary MAC-based authentication RADIUS server, or when all servers are disabled, the monitoring timer starts, and the period of time set by this command elapses (when the monitoring timer expires).
Page 560
mac-authentication radius-server dead-interval monitoring timer counter continues without being reset and runs for 10 minutes (default value). Notes All MAC-based authentication settings take effect when the mac-authentication system-auth-control command is set. See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable.
mac-authentication radius-server host
Configures the RADIUS server used for MAC-based authentication.
Input format
To set or change information: mac-authentication radius-server host <IP address> [auth-port <Port>] [acct-port <Port>] [timeout <Seconds>] [retransmit <Retries>] [key <String>]
To delete information: no mac-authentication radius-server host <IP address>...
Page 562
mac-authentication radius-server host 1 to 30 (seconds) retransmit <Retries> Sets the number of times an authentication request is resent to the RADIUS server. Default value when this parameter is omitted: The number of times set by using the command radius-server retransmit is used.
Page 563
mac-authentication radius-server host If the parameter is omitted and the radius-server key command is not set, the RADIUS server is disabled. If multiple MAC-based authentication RADIUS servers are configured, the address displayed first by using the show radius-server operation command is the primary MAC-based authentication RADIUS server.
mac-authentication roaming
Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring.
Input format
To set or change information: mac-authentication roaming [action trap]
To delete information: no mac-authentication roaming
Input mode...
Page 565
mac-authentication roaming Before issuing private traps, you must use the snmp-server host command to set the destination IP address for traps and mac-authentication Related commands mac-authentication system-auth-control mac-authentication port snmp-server host...
mac-authentication static-vlan force-authorized
When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
Page 567
mac-authentication static-vlan force-authorized
mac-authentication system-auth-control
aaa authentication mac-authentication
mac-authentication authentication
Specify the same Ethernet port.
The following accounting log data is collected when an authentication request is sent to the RADIUS server: No=21: NOTICE:LOGIN: ( <Additional information> ) Login failed ;...
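A configuration audit for the forced-authorization and session-lifetime commands described in this section, as an added example that is not part of the manual. The sample configuration, its block layout, the rule names and the choice of which settings to flag are assumptions of this example; only command names that appear on this page are matched.

```python
import re

# Constructed sample configuration, not taken from the manual. The block layout
# (interface line, indented sub-commands, "!" separators) is an assumption.
SAMPLE_CONFIG = """\
hostname edge-sw-01
mac-authentication system-auth-control
mac-authentication max-timer infinity
mac-authentication timeout quiet-period 0
no mac-authentication auto-logout
!
interface fastethernet 0/1
  mac-authentication port
  mac-authentication static-vlan force-authorized
  authentication multi-step
!
interface fastethernet 0/2
  mac-authentication port
  mac-authentication force-authorized vlan 100
!
"""

# Per-line rules: (pattern, rule id, reason). Rule ids are names chosen here.
LINE_RULES = [
    (re.compile(r"^mac-authentication force-authorized vlan\b"),
     "FAIL_OPEN_DYNAMIC",
     "terminal is authorized and assigned a VLAN when RADIUS does not respond"),
    (re.compile(r"^mac-authentication static-vlan force-authorized\b"),
     "FAIL_OPEN_STATIC",
     "terminal on this port is authorized when RADIUS does not respond"),
    (re.compile(r"^no mac-authentication auto-logout\b"),
     "NO_AUTO_LOGOUT",
     "idle terminals are never de-authenticated automatically"),
    (re.compile(r"^mac-authentication max-timer infinity\b"),
     "NO_MAX_TIMER",
     "no maximum connection time for authenticated terminals"),
]


def parse_config(text):
    """Return (context, command) pairs; context is 'global' or the interface line."""
    entries, context = [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):          # separator ends an interface block
            context = "global"
            continue
        if line.startswith("interface "):
            context = line
            continue
        if not raw[0].isspace():          # unindented command: global scope
            context = "global"
        entries.append((context, line))
    return entries


def audit(text):
    """Return findings as (rule id, context, command, reason) tuples."""
    entries = parse_config(text)
    commands = [cmd for _, cmd in entries]
    findings = []
    for context, cmd in entries:
        for pattern, rule_id, reason in LINE_RULES:
            if pattern.search(cmd):
                findings.append((rule_id, context, cmd, reason))

    # MAC-based authentication settings only take effect once
    # mac-authentication system-auth-control is set.
    uses_mac_auth = any(c.startswith("mac-authentication ") for c in commands)
    if uses_mac_auth and "mac-authentication system-auth-control" not in commands:
        findings.append(("MAC_AUTH_INACTIVE", "global",
                         "mac-authentication system-auth-control",
                         "MAC-based authentication is configured but not enabled"))

    # With multistep authentication, quiet-period must be a value other than 0.
    multistep = any(c.startswith("authentication multi-step") for c in commands)
    quiet_zero = "mac-authentication timeout quiet-period 0" in commands
    if multistep and quiet_zero:
        findings.append(("MULTISTEP_QUIET_ZERO", "global",
                         "mac-authentication timeout quiet-period 0",
                         "multistep authentication requires a non-zero quiet-period"))
    return findings


if __name__ == "__main__":
    for rule_id, context, cmd, reason in audit(SAMPLE_CONFIG):
        print(f"{rule_id:22} {context:28} {cmd} -- {reason}")
```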
mac-authentication static-vlan max-user
Sets the maximum number of terminals that can be authenticated on a Switch.
Input format
To set or change information: mac-authentication static-vlan max-user <Count>
To delete information: no mac-authentication static-vlan max-user
Input mode: (config)
Parameters
<Count>...
Page 569
mac-authentication static-vlan max-user Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated. If the DHCP snooping functionality is also used, the maximum number of terminals is limited to 246.
mac-authentication static-vlan max-user (interface)
Sets the maximum number of terminals that can be authenticated on the applicable port.
Input format
To set or change information: mac-authentication static-vlan max-user <Count>
To delete information: no mac-authentication static-vlan max-user
Input mode: (config-if)
Parameters...
Page 571
mac-authentication static-vlan max-user (interface) authenticated on the applicable port. If the number of authenticated terminals reaches the maximum number for a Switch, no more terminals can be authenticated on that Switch. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated.
mac-authentication static-vlan roaming
Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring.
Input format
To set or change information: mac-authentication static-vlan roaming [action trap]
To delete information: no mac-authentication...
Page 573
mac-authentication static-vlan roaming Before issuing private traps, you must use the snmp-server host command to set the destination IP address for traps and mac-authentication Related commands mac-authentication system-auth-control mac-authentication port snmp-server host...
mac-authentication system-auth-control
Enables MAC-based authentication. Note that if the no mac-authentication system-auth-control command is executed, MAC-based authentication stops.
Input format
To set information: mac-authentication system-auth-control
To delete information: no mac-authentication system-auth-control
Input mode: (config)
Parameters: None
Default behavior
MAC-based authentication is not performed.
mac-authentication timeout quiet-period
Sets the time during which re-authentication will not be attempted (re-authentication delay timer) for the same terminal (MAC address) when authentication fails. No authentication processing is performed during this period.
Input format
To set or change information: mac-authentication timeout quiet-period <Seconds>...
Page 576
mac-authentication timeout quiet-period
Notes
All MAC-based authentication settings take effect when the mac-authentication system-auth-control command is set.
See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable.
When multistep authentication is used, a value other than 0 must be set for this command.
mac-authentication timeout reauth-period
Sets the interval for re-authenticating terminals after an authentication has been successful.
Input format
To set or change information: mac-authentication timeout reauth-period <Seconds>
To delete information: no mac-authentication timeout reauth-period
Input mode: (config)
Parameters
<Seconds>...
Page 578
mac-authentication timeout reauth-period Related commands mac-authentication system-auth-control...
mac-authentication vlan
Sets the VLAN IDs of VLANs to be switched dynamically after legacy-mode authentication. If this command is not set, no VLANs are switched after legacy-mode authentication.
Input format
To set or change information: mac-authentication vlan <VLAN ID list>...
mac-authentication vlan-check
Checks the VLAN ID when checking a MAC address during authentication processing. For the RADIUS authentication method, the MAC address string, the string set by using this command (%VLAN is set by default), and the VLAN ID are combined and used as the user ID for sending an authentication request to the RADIUS server.
Page 582
mac-authentication vlan-check See Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable. Related commands mac-authentication system-auth-control mac-authentication port aaa authentication mac-authentication...
authentication multi-step
Configures a multistep authentication port.
Input format
To set or change information: authentication multi-step [{permissive | dot1x}]
To delete information: no authentication multi-step
Input mode: (config-if)
Parameters
{permissive | dot1x}
permissive: Permits both Web authentication and IEEE 802.1X authentication for a terminal on which the first step (MAC-based authentication) has failed.
Page 585
authentication multi-step
Notes
If at least one of the following commands is set for a Switch, the authentication multi-step command cannot be set:
dot1x vlan dynamic enable
dot1x vlan dynamic radius-vlan
mac-authentication interface
mac-authentication vlan
web-authentication vlan
This command can be set only for Ethernet interfaces.
http-server [OP-WOL]
Enables the HTTP server functionality.
Input format
To set information: http-server
To delete information: no http-server
Input mode: (config)
Parameters: None
Default behavior
When the web-authentication system-auth-control command is set: Enabled
When the web-authentication system-auth-control command is not set: Disabled
Impact on communication: None...
Page 588
http-server [OP-WOL]
Table columns: Configuration settings (http-server; web-authentication system-auth-control) | Secure Wake-on-LAN (Functionality; User authentication screen) | Web authentication (Functionality; Login page)
http-server: Not set | web-authentication system-auth-control: Not set | Secure Wake-on-LAN: Does not operate. Not displayed. | Web authentication: Does not operate. Not displayed.
Operates. Operates. Can be Can be displayed....
switchport backup interface
Specifies primary and secondary ports and automatic or timer preemption wait time.
Input format
To set or change information: switchport backup interface {{fastethernet | gigabitethernet} <IF#> | port-channel <Channel group#>} [preemption delay <Seconds>]
To delete information: no switchport backup interface
Input mode...
Page 591
switchport backup interface Notes When spanning trees are used at the higher-level switch, the status will be listening learning after recovering from the link-down state and communication cannot be restored immediately. In this case, we recommend that you set the timer preemption wait time to 30 seconds or longer.
switchport backup flush request transmit switchport backup flush request transmit Enables the sending of flush control frames to request that the upstream switches clear their MAC address tables. Input format To set or change information: switchport backup flush request transmit [vlan <VLAN ID>...
switchport backup mac-address-table update exclude-vlan switchport backup mac-address-table update exclude-vlan Sets the VLAN to be excluded when sending MAC address update frames. Input format To set or change information: switchport backup mac-address-table update exclude-vlan <VLAN ID list> To delete information: no switchport backup mac-address-table update exclude-vlan Input mode (config-if)
switchport backup mac-address-table update retransmit switchport backup mac-address-table update retransmit Specifies the number of re-transmissions of MAC address update frames. Input format To set or change information: switchport backup mac-address-table update retransmit <Count> To delete information: no switchport backup mac-address-table update retransmit Input mode (config-if) Parameters...
switchport backup mac-address-table update transmit switchport backup mac-address-table update transmit Enables the sending of MAC address update frames to request that the upstream switches update their MAC address tables. Input format To set information: switchport backup mac-address-table update transmit To delete information: no switchport backup mac-address-table update transmit Input mode (config-if)
switchport-backup startup-active-port-selection switchport-backup startup-active-port-selection Enables active port locking at Switch startup. Input format To set information: switchport-backup startup-active-port-selection primary-only To delete information: no switchport-backup startup-active-port-selection Input mode (config) Parameters primary-only Sets only the primary port as the active port at Switch startup. Default value when this parameter is omitted: This parameter cannot be omitted.
efmoam active efmoam active Sets the port to be monitored by the IEEE 802.3ah/OAM functionality to active mode. Input format To set or change information: efmoam active [udld] To delete information: no efmoam active Input mode (config-if) Parameters udld Sets the applicable port as the port to be monitored by the IEEE 802.3ah/UDLD functionality and enables the unidirectional link failure detection functionality.
efmoam disable efmoam disable Enables or disables the IEEE 802.3ah/OAM functionality on a Switch. To disable the IEEE 802.3ah/OAM functionality, set the efmoam disable command. To enable the IEEE 802.3ah/OAM functionality again, set the no efmoam disable command. In passive mode, the send process starts when an OAMPDU from the active mode is received.
efmoam udld-detection-count efmoam udld-detection-count Sets the number of OAMPDU response timeouts that must occur to recognize a failure. (The OAMPDU is a monitoring packet of the IEEE 802.3ah/UDLD functionality.) Input format To set or change information: efmoam udld-detection-count <Count> To delete information: no efmoam udld-detection-count Input mode (config)
storm-control storm-control Configures the storm control functionality. This functionality sets the threshold of frames to be flooded and received by a Switch. When a broadcast storm or another problem occurs, the flooded frames exceeding the threshold are discarded. As a result, network load and Switch load decrease.
Page 605
storm-control Parameters broadcast Sets broadcast frames as subject to storm control. Default value when this parameter is omitted: The storm control functionality is not set. multicast Sets multicast frames as subject to storm control. Default value when this parameter is omitted: The storm control functionality is not set.
Page 606
storm-control Default value when this parameter is omitted: If a storm is detected, no SNMP traps are issued. action log Outputs operation log data when a storm or the end of a storm is detected. Default value when this parameter is omitted: Operation log data is not output when a storm is detected.
Page 607
storm-control Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes Storm control is controlled by the number of received frames. Frame length is irrelevant. When received frames exceed the storm detection threshold, control frames are also discarded.
loop-detection loop-detection Sets the port type for the L2 loop detection functionality. Input format To set or change information: loop-detection {send-inact-port | send-port | uplink-port | exception-port} To delete information: no loop-detection Input mode (config-if) Parameters {send-inact-port | send-port | uplink-port | exception-port} send-inact-port Sets a port as a detecting and blocking port.
Page 610
loop-detection When the change is applied The change is applied immediately after setting values are changed. Notes Changing the port type clears the following information: - The number of L2 loop detections until the port is blocked - The time from blocking of the port until automatic recovery occurs. If the port type is changed, the statistics for sending and receiving L2 loop detection frames for each port are not cleared.
loop-detection auto-restore-time loop-detection auto-restore-time Sets the time required for automatic activation of a blocked port. Input format To set or change information: loop-detection auto-restore-time <Seconds> To delete information: no loop-detection auto-restore-time Input mode (config) Parameters <Seconds> Sets the time (in seconds) required for automatic activation of a blocked port. Default value when this parameter is omitted: This parameter cannot be omitted.
loop-detection enable loop-detection enable Enables L2 loop detection. Input format To set information: loop-detection enable To delete information: no loop-detection enable Input mode (config) Parameters None Default behavior L2 loop detection is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
loop-detection hold-time loop-detection hold-time Sets the time for holding the number of L2 loop detections before a port is blocked. If the period of time for holding the number of L2 loop detections elapses without an L2 loop detection frame being received since the last L2 loop detection frame was received, the number of L2 loop detections held on the port is cleared.
loop-detection interval-time loop-detection interval-time Sets the interval for sending L2 loop detection frames. Input format To set or change information: loop-detection interval-time <Seconds> To delete information: no loop-detection interval-time Input mode (config) Parameters <Seconds> Sets the interval (in seconds) for sending L2 loop detection frames. Default value when this parameter is omitted: This parameter cannot be omitted.
loop-detection threshold loop-detection threshold Sets the number of L2 loop detections before a port is blocked. If the number of detections becomes equal to or greater than the specified number, the port is blocked. Input format To set or change information: loop-detection threshold <Count>...
domain name
ethernet cfm cc alarm-priority
ethernet cfm cc alarm-reset-time
ethernet cfm cc alarm-start-time
ethernet cfm cc enable
ethernet cfm cc interval
ethernet cfm domain
ethernet cfm enable (global)
ethernet cfm enable (interface)
ethernet cfm mep
ethernet cfm mip
ma name
ma vlan-group...
domain name domain name Sets the name used for a target domain. Input format To set or change information: domain name {no-present | str <Strings> | dns <Name> | mac <MAC> <ID>} To delete information: no domain name Input mode (config-ether-cfm) Parameters <Strings>...
Page 618
domain name Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
ethernet cfm cc alarm-priority ethernet cfm cc alarm-priority Sets the failure level to be detected by CC. Failure levels equal to or higher than the parameter you set are detected. Input format To set or change information: ethernet cfm cc level <Level>...
Page 620
ethernet cfm cc alarm-priority
Table 31-1 Levels detected by CC and failure descriptions
Columns: Setting level | Failure type | Command display | Failure description
Failure type: DefXconCCM | Command display: OtherCCM | Failure description: A CCM with a different domain and MA was received.
Failure type: DefErrorCCM | Command display: ErrorCCM | Failure description: A CCM with an incorrect MEP ID or transmission interval was received....
ethernet cfm cc alarm-reset-time ethernet cfm cc alarm-reset-time Sets the time interval for identifying re-detection when CC repeatedly detects failures. If a failure is detected within the time set by using this command after a failure has been detected, the failure is treated as a re-detection and no trap is sent. Note, however, that if a failure with a failure level higher than the currently detected failure level is detected, a trap is sent.
Page 622
ethernet cfm cc alarm-reset-time Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If higher level MAs are not included as lower level MAs, a communication overload might occur. Related commands ethernet cfm domain ma name...
ethernet cfm cc alarm-start-time ethernet cfm cc alarm-start-time Sets the time after CC detects a failure until a trap is sent. Input format To set or change information: ethernet cfm cc level <Level> <No.> alarm-start-time <Time> To delete information: no ethernet cfm cc level <Level>...
Page 624
ethernet cfm cc alarm-start-time When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain ma name ma vlan-group...
ethernet cfm cc enable ethernet cfm cc enable Sets the MA which uses CC in the domain. If the ethernet cfm mep command has already been set, sending from the applicable port to CCM starts. Input format To set information: ethernet cfm cc level <Level>...
Page 626
ethernet cfm cc enable Notes None Related commands ethernet cfm domain ma name ma vlan-group...
ethernet cfm cc interval ethernet cfm cc interval Sets the CCM transmission interval for a target MA. Input format To set or change information: ethernet cfm cc level <Level> <No.> interval {1s | 10s | 1min | 10min} To delete information: no ethernet cfm cc level <Level>...
Page 628
ethernet cfm cc interval 1min , or 10min Note on using this parameter: If a value smaller than the default value is set for this parameter, the Switch CPU becomes overloaded with possible adverse effects on communication. Default behavior 1min is used as the interval for sending CCMs.
ethernet cfm domain ethernet cfm domain Sets a domain. Executing this command switches to config-ether-cfm mode in which the domain name and MA can be set. Input format To set information: ethernet cfm domain level <Level> [direction-up] To delete information: no ethernet cfm domain level <Level>...
Page 630
ethernet cfm domain Notes If any of the following commands references a domain set by using this command, this command cannot be deleted: ethernet cfm cc enable ethernet cfm mep ethernet cfm mip Related commands None...
ethernet cfm enable (global) ethernet cfm enable (global) Starts CFM. Input format To set information: ethernet cfm enable To delete information: no ethernet cfm enable Input mode (config) Parameters None Default behavior CFM does not operate even if another CFM command has been set. Impact on communication None When the change is applied...
ethernet cfm enable (interface) ethernet cfm enable (interface) When no ethernet cfm enable is set, CFM PDU transmission processing on the applicable port or the applicable port channel stops. Input format To set information: no ethernet cfm enable To delete information: ethernet cfm enable Input mode (config-if)
ethernet cfm mep ethernet cfm mep Sets a MEP used in CFM. Input format To set information: ethernet cfm mep level <Level> <No.> mep-id <MEPID> [{down | up}] To delete information: no ethernet cfm mep level <Level> <No.> mep-id <MEPID> Input mode (config-if) Parameters...
Page 634
ethernet cfm mep
maintained.
Default value when this parameter is omitted: When direction-up has been set by using the ethernet cfm domain command, Up MEP is used. If it has not been set, Down MEP is used.
Range of values: down
Note on using this parameter: This parameter cannot be changed.
ethernet cfm mip ethernet cfm mip Sets a MIP used in CFM. Input format To set information: ethernet cfm mip level <Level> To delete information: no ethernet cfm mip level <Level> Input mode (config-if) Parameters level <Level> Sets the domain level that has been set by using the ethernet cfm domain command.
ma name
Sets the name of an MA used in a target domain.
Input format
To set or change information: ma <No.> name {str <Strings> | vlan <VLAN ID>}
To delete information: no ma <No.> name
Input mode: (config-ether-cfm)
Parameters
<No.>...
Page 637
ma name Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
ma vlan-group
Sets the VLAN belonging to an MA used in a target domain.
Input format
To set or change information: ma <No.> vlan-group <VLAN ID List> [primary-vlan <VLAN ID>]
To delete information: no ma <No.> vlan-group
Input mode: (config-ether-cfm)
Parameters
<No.>...
Page 639
ma vlan-group Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
hostname hostname Sets the identification name of a Switch. Input format To set or change information: hostname <Name> To delete information: no hostname Input mode (config) Parameters <Name> The identification name of a Switch. Set a name that is unique in the network that will be used.
rmon alarm rmon alarm Sets the control information for the RMON (RFC 1757) alarm group. A maximum of 128 entries can be configured. Input format To set or change information: rmon alarm <Number> <Variable> <Interval> {delta | absolute} rising-threshold <Value> rising-event-index <Event#>...
Page 643
rmon alarm
Table 32-1 The setting range of object identifiers subject to alarm monitoring
Columns: Object name (setting range from the console) | Object ID (setting value from the SNMP manager)
ifInOctets.x | 1.3.6.1.2.1.2.2.1.10.x
ifInUcastPkts.x | 1.3.6.1.2.1.2.2.1.11.x
ifInNUcastPkts.x | 1.3.6.1.2.1.2.2.1.12.x
ifInDiscards.x | 1.3.6.1.2.1.2.2.1.13.x
ifInErrors.x | 1.3.6.1.2.1.2.2.1.14.x
ifInUnknownProtos.x | 1.3.6.1.2.1.2.2.1.15.x
ifOutOctets.x | 1.3.6.1.2.1.2.2.1.16.x...
Page 644
rmon alarm
Columns: Object name (setting range from the console) | Object ID (setting value from the SNMP manager)
etherStatsPkts512to1023Octets.x | 1.3.6.1.2.1.16.1.1.1.18.x
etherStatsPkts1024to1518Octets.x | 1.3.6.1.2.1.16.1.1.1.19.x
ifInMulticastPkts.x | 1.3.6.1.2.1.31.1.1.1.2.x
ifInBroadcastPkts.x | 1.3.6.1.2.1.31.1.1.1.3.x
ifOutMulticastPkts.x | 1.3.6.1.2.1.31.1.1.1.4.x
ifOutBroadcastPkts.x | 1.3.6.1.2.1.31.1.1.1.5.x
x: instance number
<Interval>: Sets the time interval (in seconds) for checking the threshold. This parameter is equivalent to alarmInterval defined in RFC 1757.
Page 645
rmon alarm Range of values: An information identification number from 1 to 65535 in the control information set by using the rmon event command for <Event#>. falling-threshold <Value> Sets the lower threshold value. This parameter is equivalent to alarmFallingThreshold defined in RFC 1757. Default value when this parameter is omitted: This parameter cannot be omitted.
Page 646
rmon alarm Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes To access an alarm group from the SNMP manager, you must register the SNMP manager by using the snmp-server community command.
rmon collection history
Sets the control information for the RMON (RFC 1757) Ethernet statistics history. A maximum of 32 entries can be configured.
Input format
To set or change information: rmon collection history controlEntry <Integer> [owner <Owner name>] [buckets <Bucket number>...
Page 648
rmon collection history interval <Seconds> Sets the time interval (in seconds) for collecting statistics information. This parameter is equivalent to historyControlInterval defined in RFC 1757. Default value when this parameter is omitted: 1800 (seconds) Range of values: 1 to 3600 (seconds) Default behavior None Impact on communication...
rmon event
Sets the control information for an RMON (RFC 1757) event group. A maximum of 16 entries can be configured.
Input format
To set or change information:
rmon event <Event#> [log] [trap <Community>] [description <Description string>] [owner <Owner string>...
Page 650
Default value when this parameter is omitted: Blank
Range of values: Specify a character string that is no more than 79 characters. For details about the characters that can be specified, see Specifiable values for parameters.
owner <Owner string>
Sets the identification information of the person who specified this setting.
snmp-server community
Sets the access list for the SNMP community. A maximum of four entries can be configured.
Input format
To set or change information:
snmp-server community <String> [{ro|rw}] [<ACL ID>]
To delete information:
no snmp-server community <String>...
Page 652
Default behavior
None
Impact on communication
None
When the change is applied
The change is applied immediately after setting values are changed.
Notes
None
Related commands
ip access-list standard...
snmp-server contact
Sets the contact information about the Switch.
Input format
To set or change information:
snmp-server contact <Text>
To delete information:
no snmp-server contact
Input mode
(config)
Parameters
<Text>
Sets the contact information for the Switch used when a failure occurs on a Switch. This information can be referenced by using the name set in [sysContact] of the...
snmp-server host
Registers the network management device (SNMP manager) to which traps are sent. This command can configure a maximum of four entries.
Input format
To set or change information:
snmp-server host <Manager address> traps <Community string> [version { 1 | 2c }] [snmp] [rmon] [air-fan] [login] [temperature] [storm-control] [efmoam] [poe] [dot1x] [web-authentication] [mac-authentication] [loop-detection] [switchport-backup] [cfm]...
Page 655
[snmp] [rmon] [air-fan] [login] [temperature] [storm-control] [efmoam] [poe] [dot1x] [web-authentication] [mac-authentication] [loop-detection] [switchport-backup] [cfm]
By setting each parameter, you can select the traps to be sent. The following table describes traps that will be sent when parameters are set.
Table 32-2 Correspondence between parameters and traps
Parameter   Trap...
Page 656
Parameter             Trap
                      pethMainPowerUsageOffNotification
dot1x                 ax1240sDot1xFailureTrap
                      ax1240sDot1xEventTrap
web-authentication    ax1240sWauthFailureTrap
                      ax1240sWauthEventTrap
                      ax1240sWauthSystemTrap
mac-authentication    ax1240sMauthFailureTrap
                      ax1240sMauthEventTrap
                      ax1240sMauthSystemTrap
loop-detection        axsL2ldLinkDown
                      axsL2ldLinkUp
                      axsL2ldLoopDetection
switchport-backup     axsUlrChangeSecondary
                      axsUlrChangePrimary
cfm                   dot1agCfmFaultAlarm
snmp
coldStart, warmStart, linkDown, linkUp, and authenticationFailure traps are sent.
rmon
A trap is sent when the value exceeds the upper threshold or drops below the lower threshold of the rmon alarm.
Page 657
A trap is sent when the power status changes or the total power consumption of a Switch exceeds the threshold.
dot1x
A trap is sent for specific types of authentication accounting log data during IEEE 802.1X authentication.
web-authentication
A trap is sent for specific types of authentication accounting log data during Web authentication.
Page 658
snmp-server host Related commands None...
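One way to check a saved configuration against the entry limits and access controls described for snmp-server community, snmp-server host and logging host, as an added example that is not part of the manual. The configuration text, community names, ACL ID and finding labels are constructed; lines are split on whitespace, which assumes community strings contain no spaces.

```python
"""Added example: lint the SNMP and syslog lines of a switch configuration."""

MAX_ENTRIES = 4  # limit the manual states for community, host and logging host

# Constructed configuration fragment (not taken from a real device).
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community netops-rw rw
snmp-server community mon-7f3a ro NMS-ONLY
snmp-server host 192.0.2.10 traps netops-rw version 2c snmp login dot1x
snmp-server host 192.0.2.11 traps mon-7f3a version 1 snmp rmon
logging host 192.0.2.20
"""


def parse(config):
    """Return (communities, trap hosts, syslog hosts) found in the text."""
    communities, hosts, log_hosts = [], [], []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            # snmp-server community <String> [{ro|rw}] [<ACL ID>]
            rest = tok[3:]
            mode = rest.pop(0) if rest and rest[0] in ("ro", "rw") else None
            acl = rest[0] if rest else None
            communities.append({"name": tok[2], "mode": mode, "acl": acl})
        elif (tok[:2] == ["snmp-server", "host"] and len(tok) >= 5
              and tok[3] == "traps"):
            # snmp-server host <Manager address> traps <Community string> ...
            opts, version = tok[5:], None
            if opts[:1] == ["version"] and len(opts) >= 2:
                version, opts = opts[1], opts[2:]
            hosts.append({"addr": tok[2], "community": tok[4],
                          "version": version, "kinds": opts})
        elif tok[:2] == ["logging", "host"] and len(tok) == 3:
            log_hosts.append(tok[2])
    return communities, hosts, log_hosts


def audit(config):
    """Return a list of (finding, subject) tuples in configuration order."""
    communities, hosts, log_hosts = parse(config)
    findings = []
    rw_names = {c["name"] for c in communities if c["mode"] == "rw"}
    for c in communities:
        if c["mode"] == "rw":
            findings.append(("rw-community", c["name"]))
        if c["acl"] is None:  # no <ACL ID> restricting which managers may use it
            findings.append(("no-acl", c["name"]))
        if c["name"].lower() in ("public", "private"):
            findings.append(("well-known-name", c["name"]))
    for h in hosts:
        # SNMPv1/v2c traps carry the community string unencrypted, so a trap
        # community that is also a read-write community exposes write access.
        if h["community"] in rw_names:
            findings.append(("trap-reuses-rw", h["addr"]))
    for label, entries in (("community", communities), ("host", hosts),
                           ("logging-host", log_hosts)):
        if len(entries) > MAX_ENTRIES:
            findings.append(("over-limit", label))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding:<16} {subject}")
```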
snmp-server location
Sets the name of the location where the Switch is installed.
Input format
To set or change information:
snmp-server location <Text>
To delete information:
no snmp-server location
Input mode
(config)
Parameters
<Text>
Sets the name of the location where the Switch is installed. This information can be referenced by using the name set in [sysLocation] of the system group for inquiries...
snmp-server traps
Sets a trigger (timing) for issuing a trap.
Input format
To set or change information:
snmp-server traps [{limited-coldstart-trap | unlimited-coldstart-trap}] [link-trap-bind-info {private | standard}] [agent-address <Agent address>] [dot1x-trap {failure | all}] [web-authentication-trap {failure | all}] [mac-authentication-trap {failure | all}]
To delete information:
no snmp-server traps...
Page 661
Table 32-4 MIBs to be added when link up/down Trap is issued for each parameter
Parameter   MIBs to be added when link up/down Trap is issued
private     (Common to SNMPv1 and SNMPv2C traps) ifIndex, ifDescr, and ifType
standard    (For SNMPv1 traps) ifIndex
            (For SNMPv2C traps) ifIndex, ifAdminStatus, and...
Page 662
failure
mac-authentication-trap {failure | all}
Sets the trap type for MAC-based authentication.
failure
Only traps for an authentication failure are issued.
all
Traps for both successful and failed authentication attempts are issued.
Default value when this parameter is omitted: failure
Range of values: failure...
snmp trap link-status
Prevents a trap (linkDown and linkUp traps) from being sent when a link-up failure or a link-down failure occurs on a line.
Input format
To set information:
no snmp trap link-status
To delete information:
snmp trap link-status
Input mode
(config-if)
logging event-kind
Sets the event type of the log information to be sent to the syslog server. Multiple event types can be set.
Input format
To set or change information:
logging event-kind <Event kind>
To delete information:
no logging event-kind <Event kind>...
logging facility
Sets the facility to output the log information through the syslog interface.
Input format
To set or change information:
logging facility <Facility>
To delete information:
no logging facility
Input mode
(config)
Parameters
<Facility>
Sets the facility for syslog.
Default value when this parameter is omitted: This parameter cannot be omitted.
logging host
Sets the output destination of the log information. A maximum of four entries can be configured.
Input format
To set or change information:
logging host <IP address>
To delete information:
no logging host <IP address>
Input mode
(config)
Parameters
<IP address>...
logging syslog-header
Adds HOSTNAME, TIMESTAMP, or a functionality number to the message to be sent to the syslog server. Output from the following commands is not affected:
show dot1x logging
show logging
show web-authentication logging
...
logging trap
Sets the priority of the log information to be sent to the syslog server.
Input format
To set or change information:
logging trap {<Level> | <Keyword>}
To delete information:
no logging trap
Input mode
(config)
Parameters
<Level>...
Page 670
Notes
The priority set by using this command is applied to all output destinations set by using the logging host command.
Related commands
logging host...
lldp enable
Starts operation of LLDP on a port.
Input format
To set information:
lldp enable
To delete information:
no lldp enable
Input mode
(config-if)
Parameters
None
Default behavior
None
Impact on communication
None
When the change is applied
The change is applied immediately after setting values are changed.
lldp hold-count
Sets the time that a neighboring device retains an LLDP frame sent from a Switch.
Input format
To set or change information:
lldp hold-count <Count>
To delete information:
no lldp hold-count
Input mode
(config)
Parameters
<Count>
Sets the scaling for the value set by the lldp interval-time command as the time...
lldp interval-time
Sets the transmission interval between LLDP frames sent from a Switch.
Input format
To set or change information:
lldp interval-time <Seconds>
To delete information:
no lldp interval-time
Input mode
(config)
Parameters
<Seconds>
Sets the transmission interval between LLDP frames sent from a Switch.
Default value when this parameter is omitted: This parameter cannot be omitted.
lldp run
Enables the LLDP functionality.
Input format
To set information:
lldp run
To delete information:
no lldp run
Input mode
(config)
Parameters
None
Default behavior
The LLDP functionality is disabled.
Impact on communication
None
When the change is applied
The change is applied immediately after setting values are changed.
35. Port Mirroring
monitor session
Configures the port mirroring functionality.
Input format
To set or change information:
monitor session <Session#> source interface <IF# list> [{rx | tx | both}] destination interface {fastethernet <IF#> | gigabitethernet <IF#>}
To delete information:
no monitor session <Session#>...
Page 678
Default value when this parameter is omitted: This parameter cannot be omitted.
Range of values: See Specifiable values for parameters.
Default behavior
None
Impact on communication
If a line in use is set as the mirror port, communication is no longer possible on the line. If a line is set as the monitor port, communication is not affected.
Page 679
IEEE 802.3ah/UDLD: UDLD frames
Spanning tree protocol: BPDU frames
The spanning tree protocol is enabled by default. To stop sending BPDU frames, set the spanning-tree disable configuration command, or set BPDU filtering on the mirror ports (spanning-tree bpdufilter configuration command).
Index
36.1 Error messages displayed during configuration editing
36.1.1 Common
Table 36-1 Common error messages
Message: Access denied.
Explanation: Access was denied.

Message: Ambiguous command.
Explanation: The command cannot be identified uniquely because it can be interpreted in various ways.

Message: Ambiguous data.
Explanation: The data cannot be identified uniquely because it can be interpreted in various ways.
Page 682
Message: It will be logged out if it remains idle for another <min> minutes.
Explanation: You will be logged out if the idle state continues for <min> more minutes.

Message: Log out by the system.
Explanation: You have been logged out by the system.

Message: Login incorrect.
...
Message: Too many parameters.
Explanation: There are too many parameters.

Message: Unknown user.
Explanation: The specified user name is not registered.

Message: Wrong encoding.
Explanation: The encoding method is incorrect.

Message: Wrong length.
Explanation: The length is incorrect.

Message: Wrong type.
Explanation: The type is incorrect.

Message: Wrong value.
Explanation: The value is incorrect.
Index 36.1.4 Switch management information Table 36-4 Error messages related to Switch management Message Explanation dhcp-snooping is in use. This setting cannot be changed because the DHCP snooping ip dhcp snooping. functionality is enabled. Delete the setting of extended-authentication is This setting cannot be changed because at least one of the following is in use.
36.1.6 Ethernet information
Table 36-6 Ethernet error messages
Message: Cannot attach the interface specified as a ring-port to the channel-group.
Explanation: The interface port set as a ring port cannot participate in the port channel. To allow the specified interface to participate in the port channel, first delete the ring-related configuration.
Index Message Explanation Mirror port and port-channel are The port cannot join the port channel because the port is being used inconsistent. as a mirror port. Relations between ip source The specified port cannot join the port channel because the port is binding configuration and ip source binding being used by the...
Index 36.1.9 VLAN information Table 36-9 VLAN error messages Message Explanation ChGr <Channel group#>: The port channel cannot be deleted because it is being used for Inconsistency is found between IEEE 802.1X authentication or as a switch port. the dot1x port-control and the <Channel group#>: Channel group number switchport mode configuration.
Page 688
Index Message Explanation vlan : Can't change mode from The VLAN types of the specified VLAN modes do not match (VLAN {nothing|protocol-based|mac-ba range specification). sed } to {nothing|protocol-based|mac-ba sed }. vlan : Can't delete vlan The VLAN cannot be deleted because it is the default VLAN. configuration because of default vlan.
Page 689
Index Message Explanation vlan[<VLAN ID>] : Can't set The access VLAN cannot be set because the VLAN does not exist. access-vlan which is not <VLAN ID>: VLAN ID configured to use vlan. vlan[<VLAN ID>] : Can't set mac-address-table cannot be set because the VLAN does not mac-address-table which is not exist.
Index 36.1.10 Spanning tree information Table 36-10 Spanning tree error messages Message Explanation Can not configure spanning-tree Spanning tree cannot be set because the Ring Protocol functionality when Ring Protocol is is set. configured. Cost is over 65535, please set up cost cost The value for...
Page 691
Message: axrp-<Ring ID>: maximum number of ring-id are already defined.
Explanation: A maximum of four ring IDs can be used on a Switch. No more than four ring IDs can be registered. To add a ring ID, you must first delete a registered ring ID.
<Ring ID>: Ring ID

axrp-<Ring...
Page 692
Index Message Explanation axrp-<Ring ID>-<Group ID>: The specified VLAN mapping has already been set for a VLAN group vlan-mapping <Mapping ID> in the same ring. already configured in another Either delete the VLAN mapping from the other VLAN group or use vlan-group.
Index 36.1.12 DHCP snooping information Table 36-12 DHCP snooping error messages Message Explanation Can't delete it because data is Deletion is not possible because DHCP snooping for the specified not corresponding. VLAN is not enabled or the specified configuration does not exist. Can't delete it vlan ip source binding Deletion is not possible because the...
Index Message Explanation inconsistent. Set the applicable port as a port-channel interface. system function isn't set. system function The setting is not possible because the command has not been set. system function Use the command to set DHCP snooping. 36.1.13 IGMP snooping information Table 36-13 IGMP snooping error messages Message Explanation...
Index 36.1.15 IPv4, ARP, and ICMP information Table 36-15 IPv4, ARP, and ICMP error messages Message Explanation ip : Inconsistency has occurred There is an inconsistency between an address set by using IP in a setting of IP address and information and a next-hop network address set by using route route.
36.1.16 Flow detection mode information
Table 36-16 Flow mode error messages
Message: Cannot change the flow detection mode.
Explanation: The flow detection mode cannot be changed because an access list or a QoS flow list is applied to the interface. To change the flow detection mode, delete all uses of the applied lists.
Index Message Explanation access list. This list cannot be set to VLAN. The access list cannot be applied to the VLAN interface. If the VLAN ID is set as a flow detection condition in an access list, the access list cannot be applied to the VLAN interface. Apply it to an Ethernet interface or delete the VLAN ID from the detection condition.
Page 698
Index Message Explanation Cannot attach this list because If the flow detection mode is Layer 2-2, the QoS flow list cannot be flow detection mode Layer2-2. applied. If the flow detection mode is Layer 2-2, an IPv4 QoS flow list can be applied.
Index Message Explanation This list cannot be set to this The QoS flow list cannot be applied to the applicable Ethernet port. interface. To apply a QoS flow list to an Ethernet interface, the VLAN ID of a flow detection condition in the QoS flow list must be included in the settings of the Ethernet interface to which you want to apply the list.
Page 700
Index Message Explanation interface : Relations between An authentication common command and a channel group command authentication configuration cannot be set at the same time. Delete the settings of the and channel-group channel-group mode command. configuration within same port. interface : Relations between authentication force-authorized vlan cannot be set the switchport mac vlan and...
36.1.20 IEEE 802.1X information
Table 36-20 IEEE 802.1X error messages
Message: dot1x(xxxxx): Cannot set "dot1x port-control" because monitor session mode is set now.
Explanation: Port-based authentication cannot be set because port mirroring of xxxxx interface is enabled.
xxxxx: ethernet <IF#>: Ethernet interface port number

dot1x(xxxxx): Cannot set "...
Page 702
Index Message Explanation dot1x(vlan dynamic): Cannot set The terminal detection mode cannot be disabled because the "dot1x vlan dynamic functionality for suppressing the re-authentication of requests from a supplicant-detection disable" terminal for VLAN-based authentication (dynamic) is set. because ignore-eapol-start is set now.
Page 703
Index Message Explanation set. dot1x(xxxxx): Cannot set "dot1x Terminal authentication mode cannot be set because the xxxxx multiple-authentication" interface is in force-unauthorized mode or force-authorized mode. because force-mode is set now. xxxxx: ethernet <IF#>: Ethernet interface port number port-channel <Channel group#>: Port channel number dot1x(xxxxx): Cannot set "dot1x force-unauthorized...
Page 704
Index Message Explanation dot1x(vlan dynamic): Cannot set dot1x vlan dynamic enable command cannot be set "dot1x vlan dynamic enable" because multistep authentication is set. because authentication authentication multi-step Delete the settings of the multi-step is set. command. dot1x(vlan dynamic): Cannot set dot1x vlan dynamic radius-vlan command cannot be "dot1x vlan dynamic...
Index 36.1.21 Web authentication information (including DHCP server information) Table 36-21 Web authentication error messages Message Explanation Duplicate network address. An IP address of the same network address is defined for another VLAN. Set the Web authentication IP address so that it does not duplicate a VLAN network address.
Page 706
Index Message Explanation interface : Relations between The following commands cannot be set for the specified port individual force-authorized and because forced authentication common across to the types of common force-authorized are authentication functionality is set: inconsistent. web-authentication force-authorized vlan web-authentication static-vlan force-authorized Delete the following: authentication force-authorized enable...
Page 707
Index Message Explanation web-auth : Relations between web-authentication vlan command cannot be set user-group or authentication because the authentication method for each user ID or the list configuration(s) and port-based authentication method is set. legacy mode configuration(s) Delete the following: are inconsistent.
Index 36.1.22 MAC-based authentication information Table 36-23 MAC-based authentication error messages Message Explanation interface : Invalid authentication ip Deletion is not possible because mac-authentication port access-group authentication arp-relay is set for the configuration. applicable port. interface : Relations between MAC-based authentication cannot be set because the specified port the mac-authentication has been set as a protocol port.
Page 709
Index Message Explanation mac-auth : Cannot set the The command cannot be set because an internal error occurred. command because of internal error. (code=x) mac-auth : Maximum number of The maximum number of entries for the authentication method list entries are already defined. has been exceeded.
Index 36.1.23 Multistep authentication information Table 36-24 Multistep authentication error messages Message Explanation interface : Relations between An authentication common command and a channel group authentication configuration command cannot be set at the same time. Delete the settings of the and channel-group configuration channel-group mode command.
Index this command is different from Participation in the port channel is not possible because the this one in channel-group port. configuration is different. Too many parameters The number of input parameters exceeds the maximum number (exclude-VLAN ). (200). Set a value equal to or smaller than the maximum number. 36.1.25 Storm control information Table 36-26 Storm control error messages Message...
Page 712
Index Message Explanation ethernet : MA is already <No.> The specified MA identification number is already being used by configured in cfm domain. another domain. <No.>: MA identification number ethernet : MA name <Name> The specified MA name is already set in the same domain. already configured in cfm <Name>: MA name domain.
Index Message Explanation <Level>: Domain level interface : Exceeded the number The number of ports for which MEPs and MIPs can be set has been of the maximum port. exceeded. interface : Maximum number of An attempt is being made to set a configuration that is larger than entries are already defined.
Page 714
the command again.

Message: rmon : Can not delete it because data is not corresponding.
Explanation: An attempt has been made to delete a non-existent identification number. Check the identification number.

Message: rmon : Can't delete this configuration referred by other
Explanation: The specified event entry cannot be deleted because it is associated with an alarm entry.
36.1.29 Port mirroring information
Table 36-30 Port mirroring error messages
Message: Mirror port and dot1x are inconsistent.
Explanation: The destination interface cannot be set as a mirror port because the destination interface is being used by dot1x.

Message: Mirror port and mac-authentication are
Explanation: The destination interface cannot be set as a mirror port because the destination interface is being used for MAC-based authentication.